
System Check Malware Removal Help Needed


This topic is locked
23 replies to this topic

#1 Stephscraz

Stephscraz

  • Members
  • 12 posts

Posted 28 January 2012 - 10:19 AM

My computer is/was infected with the System Check malware. I wasn't really sure what to do at first, so I booted into Safe Mode with Networking and downloaded AVG. After scanning with AVG, I downloaded and scanned with Spybot. After that I downloaded and ran Microsoft Security Scanner. It seems that after I ran the Microsoft Security Scanner and restarted my computer, I lost all internet access and the ability to access Windows Firewall, as well as some other important things (i.e. Administrative Tools). Since the infection was first noticed, I have not been able to do a System Restore or access it. I have followed the preparation guide as best I could (minus turning on the firewall, since I am unable to access it, and I am unable to update Malwarebytes' due to being unable to connect to the internet on that computer presently; all other computers on my network are still able to access the internet).

For starters I am trying to back up my C drive first using Cobian Backup; however, it has some errors I thought maybe someone could help me with. Here is the log so far (it is taking forever).

1-27 16:22 This might be only a fragment of the log file. To see the whole log file, select Log-Open log files
2012-01-27 16:22 *** A new backup has begun. Number of tasks in queue: 1 ***
2012-01-27 16:22 Preventing the system from entering Sleep mode
2012-01-27 16:22 Applying parameters to the task "Backup 1"
2012-01-27 16:22 ** Starting backup for the task "Backup 1" **
2012-01-27 16:22 Calculating the number of files to backup for the task "Backup 1"
2012-01-27 16:23 If your unpacker cannot handle the zip archives created by Cobian Backup 10, see the FAQ
2012-01-27 16:23 Starting the Volume Shadow Copy snapshot for the drives: C:\
2012-01-27 16:23 The Volume Shadow Copy snapshot set has been created successfully
2012-01-27 16:55 Getting version information from the server
ERR 2012-01-27 16:55 Error while checking for new versions: Could not bind socket. Address and port are already in use.
2012-01-27 17:22 Pausing the current operation
2012-01-27 17:28 Resuming the paused operation
2012-01-27 17:55 Getting version information from the server
ERR 2012-01-27 17:55 Error while checking for new versions: Could not bind socket. Address and port are already in use.
2012-01-27 18:52 Pausing the current operation
2012-01-27 18:55 Getting version information from the server
ERR 2012-01-27 18:55 Error while checking for new versions: Could not bind socket. Address and port are already in use.
2012-01-27 19:25 Resuming the paused operation
2012-01-27 19:55 Getting version information from the server
ERR 2012-01-27 19:55 Error while checking for new versions: Could not bind socket. Address and port are already in use.


DDS.txt log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by Administrator at 20:41:43 on 2012-01-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3454.2147 [GMT -7:00]
.
AV: AVG Internet Security 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe
C:\Program Files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMTray.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Program Files\Cobian Backup 10\Cobian.exe
C:\Program Files\Cobian Backup 10\cbInterface.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Defender BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: PC Tools Browser Defender: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Akamai NetSession Interface] "c:\documents and settings\administrator\local settings\application data\akamai\netsession_win.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MoneyBackgoundBanking] "c:\program files\microsoft money plus\mnycorefiles\mnybbsvc.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [SteelSeries World of Warcraft MMO Gaming Mouse] c:\program files\steelseries\world of warcraft mmo gaming mouse\WoWMHID.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [ATIModeChange] Ati2mdxx.exe
dPolicies-explorer: NoDesktop = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250627315156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://qb.webex.com/client/v_mywebex-qb20/ra/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\i5djlkpn.default\
FF - prefs.js: browser.startup.homepage - hxxp://xfinity.comcast.net/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Be6e672a6-27ca-4d34-90db-6306c24552eb%7D&mid=9dc98c9478a447d1a0e3d15696cc8777-0b7fe46fe2efd4faf97d2fee8b782e13322d5601&ds=AVG&v=9.0.0.23&lang=en&pr=pr&d=2012-01-24%2008%3A08%3A43&sap=ku&q=
FF - component: c:\program files\adobe\acrobat 10.0\acrobat\browser\wcfirefoxextn\components\WCFirefoxExtn.dll
FF - plugin: c:\documents and settings\administrator\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071706000001.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\i5djlkpn.default\extensions\{38ab6a6c-cc4c-4f9e-a3dd-3c5681ef18a1}\plugins\npsoe.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\i5djlkpn.default\extensions\{38ab6a6c-cc4c-4f9e-a3dd-3c5681ef18a1}\plugins\npsoeact.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\i5djlkpn.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-5-21 331880]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2012-1-24 342168]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2012-1-24 909728]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [2012-1-24 185560]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-5-21 546768]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2012-1-27 67584]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-6-9 20968]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2008-9-23 80392]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-29 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-3-18 47640]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-26 366152]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-11-14 632792]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [2009-11-20 22016]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-15 24652]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-26 22216]
R3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [2009-9-21 11136]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2010-7-27 100712]
R3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\drivers\PCTBD.sys [2012-1-24 56840]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-12-24 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-9-26 1684736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-12-24 136176]
S3 JmtFltr;n52te;c:\windows\system32\drivers\jmtfltr.sys --> c:\windows\system32\drivers\JmtFltr.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver 06/04/2010,1.12.1.0;c:\windows\system32\drivers\libusb0.sys [2011-5-18 21120]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [2009-11-20 29440]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-11-20 17536]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2012-1-24 402336]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2012-1-24 1117624]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 QuickBooksDB19;QuickBooksDB19;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb19 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]
UnknownUnknown ynbemrva;ynbemrva; [x]
.
=============== Created Last 30 ================
.
2012-01-27 23:18:24 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Safe mirror
2012-01-27 23:18:04 -------- d-----w- c:\program files\Cobian Backup 10
2012-01-27 22:04:40 -------- d-----w- c:\program files\Cobian Backup 8
2012-01-27 05:24:59 94720 -c----w- c:\windows\system32\dllcache\umaxud32.dll
2012-01-27 05:23:57 714762 -c----w- c:\windows\system32\dllcache\r2mdmkxx.sys
2012-01-27 05:22:59 15232 -c----w- c:\windows\system32\dllcache\mpe.sys
2012-01-27 05:21:59 9759 -c----w- c:\windows\system32\dllcache\hsf_inst.dll
2012-01-27 05:20:59 980034 -c----w- c:\windows\system32\dllcache\cicap.sys
2012-01-27 05:19:57 66048 -c----w- c:\windows\system32\dllcache\s3legacy.dll
2012-01-27 00:16:24 -------- d-----w- c:\documents and settings\administrator\.exe
2012-01-27 00:00:09 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2012-01-27 00:00:01 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-01-26 23:59:57 22216 ------w- c:\windows\system32\drivers\mbam.sys
2012-01-26 23:59:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-26 02:26:47 -------- d-----w- c:\documents and settings\administrator\application data\isoburnerdata
2012-01-25 21:29:49 -------- d-----w- c:\windows\system32\MpEngineStore
2012-01-25 15:42:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-01-25 15:42:14 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-01-24 19:48:28 56840 ------w- c:\windows\system32\drivers\PCTBD.sys
2012-01-24 19:48:08 909728 ------w- c:\windows\system32\drivers\pctEFA.sys
2012-01-24 19:48:08 342168 ------w- c:\windows\system32\drivers\pctDS.sys
2012-01-24 19:48:03 185560 ------w- c:\windows\system32\drivers\PCTSD.sys
2012-01-24 19:48:03 17848 ------w- c:\windows\system32\drivers\pctBTFix.sys
2012-01-24 19:47:20 -------- d-----w- c:\documents and settings\administrator\application data\TestApp
2012-01-24 18:20:15 -------- d-----w- c:\documents and settings\administrator\application data\AVG
2012-01-24 15:21:02 -------- d-----w- C:\$AVG
2012-01-24 15:18:36 -------- d-----w- c:\documents and settings\administrator\application data\AVG2012
2012-01-24 15:07:04 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2012-01-24 15:06:34 -------- d-----w- c:\program files\AVG
2012-01-24 15:04:36 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2012-01-17 13:35:48 -------- d-----w- c:\documents and settings\administrator\local settings\application data\appPathTask
2012-01-03 17:43:16 626688 ------w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-03 17:43:16 548864 ------w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-03 17:43:16 479232 ------w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-03 17:43:16 43992 ------w- c:\program files\mozilla firefox\mozutils.dll
2012-01-03 13:10:44 182672 ------w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2012-01-03 13:10:44 182672 ------w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2012-01-27 18:00:23 16608 ------w- c:\windows\gdrv.sys
2012-01-16 23:28:50 149456 ------w- c:\windows\SGDetectionTool.dll0146.old
2012-01-16 23:28:50 149456 ------w- c:\windows\SGDetectionTool.dll
2012-01-16 23:28:48 2246608 ------w- c:\windows\PCTBDCore.dll0146.old
2012-01-16 23:28:48 2246608 ------w- c:\windows\PCTBDCore.dll
2012-01-16 23:28:48 1681360 ------w- c:\windows\PCTBDRes.dll
2012-01-16 23:28:28 767952 ------w- c:\windows\BDTSupport.dll0146.old
2012-01-16 23:28:28 767952 ------w- c:\windows\BDTSupport.dll
2012-01-11 23:19:24 70536 ------w- c:\windows\system32\drivers\pctplsg.sys
2012-01-11 23:14:30 253352 ------w- c:\windows\system32\drivers\pctgntdi.sys
2011-11-25 21:57:19 293376 ------w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ------w- c:\windows\system32\win32k.sys
2011-11-18 23:44:39 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-18 12:35:08 60416 ------w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ------w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ------w- c:\windows\system32\schannel.dll
2011-11-14 22:12:26 331880 ------w- c:\windows\system32\drivers\PCTCore.sys
2011-11-14 22:12:24 162584 ------w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-11-04 19:20:51 916992 ------w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
2011-11-03 15:28:36 386048 ------w- c:\windows\system32\qdvd.dll
2011-11-03 15:28:36 1292288 ------w- c:\windows\system32\quartz.dll
2011-11-01 16:07:10 1288704 ------w- c:\windows\system32\ole32.dll
.
============= FINISH: 20:42:43.84 ===============


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 31 January 2012 - 01:09 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine; if it does, click OK

Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:
    Link1
    Link2
    Link3
  • Please disable any anti-malware program that will block scripts from running before running DDS.
  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Information and logs:

  • In your next post I need the following:
    • logs from DDS
    • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Stephscraz

Stephscraz
  • Topic Starter

  • Members
  • 12 posts

Posted 31 January 2012 - 09:33 AM

Thank you for your help, Gringo. No problems were encountered doing as you asked. Following is a copy of the dds.txt and attach.txt from the new scan.

I do want to note, however, that AVG, PC Tools Spyware Doctor, and Spybot were all previously uninstalled before I ran this scan. The only thing I have not uninstalled is Malwarebytes; however, I exited this program before running the scan.

Also, the computer with the issues lost internet access at some point with the infection, is unable to perform a System Restore, and is unable to access Windows Firewall. I have used Rkill and also unhide.exe previously, and quite a few of my programs still show as empty in the Start menu (even though the names are there). I had previously followed all of the instructions on the System Check removal page.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by Administrator at 7:26:24 on 2012-01-31
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3454.2852 [GMT -7:00]
.
AV: AVG Internet Security 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe
C:\Program Files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMTray.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Akamai NetSession Interface] "c:\documents and settings\administrator\local settings\application data\akamai\netsession_win.exe"
uRun: [MoneyBackgoundBanking] "c:\program files\microsoft money plus\mnycorefiles\mnybbsvc.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [SteelSeries World of Warcraft MMO Gaming Mouse] c:\program files\steelseries\world of warcraft mmo gaming mouse\WoWMHID.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [ATIModeChange] Ati2mdxx.exe
dPolicies-explorer: NoDesktop = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250627315156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://qb.webex.com/client/v_mywebex-qb20/ra/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\i5djlkpn.default\
FF - prefs.js: browser.startup.homepage - hxxp://xfinity.comcast.net/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Be6e672a6-27ca-4d34-90db-6306c24552eb%7D&mid=9dc98c9478a447d1a0e3d15696cc8777-0b7fe46fe2efd4faf97d2fee8b782e13322d5601&ds=AVG&v=9.0.0.23&lang=en&pr=pr&d=2012-01-24%2008%3A08%3A43&sap=ku&q=
FF - component: c:\program files\adobe\acrobat 10.0\acrobat\browser\wcfirefoxextn\components\WCFirefoxExtn.dll
FF - plugin: c:\documents and settings\administrator\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071706000001.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\i5djlkpn.default\extensions\{38ab6a6c-cc4c-4f9e-a3dd-3c5681ef18a1}\plugins\npsoe.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\i5djlkpn.default\extensions\{38ab6a6c-cc4c-4f9e-a3dd-3c5681ef18a1}\plugins\npsoeact.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\i5djlkpn.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2012-1-27 67584]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-6-9 20968]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2008-9-23 80392]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-29 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-3-18 47640]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-26 366152]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-11-14 632792]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [2009-11-20 22016]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-15 24652]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-26 22216]
R3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [2009-9-21 11136]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2010-7-27 100712]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-12-24 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-9-26 1684736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-12-24 136176]
S3 JmtFltr;n52te;c:\windows\system32\drivers\jmtfltr.sys --> c:\windows\system32\drivers\JmtFltr.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver 06/04/2010,1.12.1.0;c:\windows\system32\drivers\libusb0.sys [2011-5-18 21120]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [2009-11-20 29440]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-11-20 17536]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 QuickBooksDB19;QuickBooksDB19;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb19 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]
.
=============== Created Last 30 ================
.
2012-01-27 23:18:24 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Safe mirror
2012-01-27 23:18:04 -------- d-----w- c:\program files\Cobian Backup 10
2012-01-27 22:04:40 -------- d-----w- c:\program files\Cobian Backup 8
2012-01-27 05:24:59 94720 -c----w- c:\windows\system32\dllcache\umaxud32.dll
2012-01-27 05:23:57 714762 -c----w- c:\windows\system32\dllcache\r2mdmkxx.sys
2012-01-27 05:22:59 15232 -c----w- c:\windows\system32\dllcache\mpe.sys
2012-01-27 05:21:59 9759 -c----w- c:\windows\system32\dllcache\hsf_inst.dll
2012-01-27 05:20:59 980034 -c----w- c:\windows\system32\dllcache\cicap.sys
2012-01-27 05:19:57 66048 -c----w- c:\windows\system32\dllcache\s3legacy.dll
2012-01-27 00:16:24 -------- d-----w- c:\documents and settings\administrator\.exe
2012-01-27 00:00:09 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2012-01-27 00:00:01 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-01-26 23:59:57 22216 ------w- c:\windows\system32\drivers\mbam.sys
2012-01-26 23:59:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-26 02:26:47 -------- d-----w- c:\documents and settings\administrator\application data\isoburnerdata
2012-01-25 21:29:49 -------- d-----w- c:\windows\system32\MpEngineStore
2012-01-25 15:42:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-01-25 15:42:14 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-01-24 19:47:20 -------- d-----w- c:\documents and settings\administrator\application data\TestApp
2012-01-24 18:20:15 -------- d-----w- c:\documents and settings\administrator\application data\AVG
2012-01-24 15:21:02 -------- d-----w- C:\$AVG
2012-01-24 15:18:36 -------- d-----w- c:\documents and settings\administrator\application data\AVG2012
2012-01-24 15:07:04 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2012-01-24 15:06:34 -------- d-----w- c:\program files\AVG
2012-01-24 15:04:36 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2012-01-17 13:35:48 -------- d-----w- c:\documents and settings\administrator\local settings\application data\appPathTask
2012-01-03 17:43:16 626688 ------w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-03 17:43:16 548864 ------w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-03 17:43:16 479232 ------w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-03 17:43:16 43992 ------w- c:\program files\mozilla firefox\mozutils.dll
2012-01-03 13:10:44 182672 ------w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2012-01-03 13:10:44 182672 ------w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2012-01-31 14:22:24 16608 ----a-w- c:\windows\gdrv.sys
2012-01-16 23:28:50 149456 ------w- c:\windows\SGDetectionTool.dll0146.old
2012-01-16 23:28:48 2246608 ------w- c:\windows\PCTBDCore.dll0146.old
2012-01-16 23:28:28 767952 ------w- c:\windows\BDTSupport.dll0146.old
2011-11-25 21:57:19 293376 ------w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ------w- c:\windows\system32\win32k.sys
2011-11-18 23:44:39 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-18 12:35:08 60416 ------w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ------w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ------w- c:\windows\system32\schannel.dll
2011-11-04 19:20:51 916992 ------w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
2011-11-03 15:28:36 386048 ------w- c:\windows\system32\qdvd.dll
2011-11-03 15:28:36 1292288 ------w- c:\windows\system32\quartz.dll
.
============= FINISH: 7:27:16.32 ===============

Copy of the attach.txt log

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/24/2008 1:28:19 PM
System Uptime: 1/31/2012 7:19:42 AM (0 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | EP45-DS3R
Processor: Intel Pentium III Xeon processor | Socket 775 | 2999/333mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 596 GiB total, 480.19 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP927: 10/26/2011 12:38:59 PM - System Checkpoint
RP928: 10/27/2011 12:50:46 PM - System Checkpoint
RP929: 10/27/2011 8:41:42 PM - Removed Avery Wizard 3.1.
RP930: 10/27/2011 8:43:02 PM - Installed Avery Wizard 4.0.
RP931: 10/28/2011 9:00:14 PM - System Checkpoint
RP932: 10/29/2011 9:05:52 PM - System Checkpoint
RP933: 10/31/2011 11:37:01 AM - System Checkpoint
RP934: 11/1/2011 11:48:34 AM - System Checkpoint
RP935: 11/2/2011 12:14:19 PM - System Checkpoint
RP936: 11/3/2011 12:35:14 PM - System Checkpoint
RP937: 11/4/2011 1:22:46 PM - System Checkpoint
RP938: 11/7/2011 4:10:12 PM - System Checkpoint
RP939: 11/8/2011 4:13:59 PM - System Checkpoint
RP940: 11/8/2011 9:57:21 PM - Software Distribution Service 3.0
RP941: 11/10/2011 8:19:55 AM - System Checkpoint
RP942: 11/11/2011 8:23:04 AM - System Checkpoint
RP943: 11/11/2011 10:00:14 AM - Software Distribution Service 3.0
RP944: 11/12/2011 10:20:49 AM - System Checkpoint
RP945: 11/13/2011 10:56:58 AM - System Checkpoint
RP946: 11/14/2011 11:38:21 AM - System Checkpoint
RP947: 11/15/2011 12:38:15 PM - System Checkpoint
RP948: 11/16/2011 3:58:16 PM - System Checkpoint
RP949: 11/17/2011 4:51:27 PM - System Checkpoint
RP950: 11/18/2011 5:14:02 PM - System Checkpoint
RP951: 11/18/2011 6:34:39 PM - DriverRobot restore point
RP952: 11/19/2011 7:23:31 PM - System Checkpoint
RP953: 11/20/2011 9:40:24 AM - Install LG UNITED Drivers
RP954: 11/21/2011 1:04:08 PM - System Checkpoint
RP955: 11/22/2011 1:42:00 PM - System Checkpoint
RP956: 11/23/2011 1:59:02 PM - System Checkpoint
RP957: 11/24/2011 2:08:39 PM - System Checkpoint
RP958: 11/25/2011 2:49:05 PM - System Checkpoint
RP959: 11/26/2011 4:08:17 PM - System Checkpoint
RP960: 11/27/2011 4:58:40 PM - System Checkpoint
RP961: 11/28/2011 5:22:08 PM - System Checkpoint
RP962: 11/29/2011 5:39:04 PM - System Checkpoint
RP963: 11/30/2011 5:49:36 PM - System Checkpoint
RP964: 12/1/2011 6:45:42 PM - System Checkpoint
RP965: 12/2/2011 7:19:06 PM - System Checkpoint
RP966: 12/3/2011 7:33:50 PM - System Checkpoint
RP967: 12/5/2011 9:43:18 AM - System Checkpoint
RP968: 12/6/2011 10:25:37 AM - System Checkpoint
RP969: 12/7/2011 10:49:58 AM - System Checkpoint
RP970: 12/8/2011 11:11:05 AM - System Checkpoint
RP971: 12/9/2011 11:20:08 AM - System Checkpoint
RP972: 12/11/2011 8:57:21 AM - System Checkpoint
RP973: 12/12/2011 5:40:36 PM - System Checkpoint
RP974: 12/13/2011 5:58:08 PM - System Checkpoint
RP975: 12/14/2011 6:22:49 PM - System Checkpoint
RP976: 12/14/2011 10:34:42 PM - Software Distribution Service 3.0
RP977: 12/16/2011 10:08:27 AM - System Checkpoint
RP978: 12/17/2011 10:10:36 AM - System Checkpoint
RP979: 12/18/2011 10:29:20 AM - System Checkpoint
RP980: 12/19/2011 10:57:15 AM - System Checkpoint
RP981: 12/20/2011 1:40:54 PM - System Checkpoint
RP982: 12/21/2011 2:15:46 PM - System Checkpoint
RP983: 12/22/2011 3:40:31 PM - System Checkpoint
RP984: 12/23/2011 4:41:16 PM - System Checkpoint
RP985: 12/24/2011 6:39:25 PM - System Checkpoint
RP986: 12/26/2011 5:30:03 PM - System Checkpoint
RP987: 12/27/2011 7:21:32 PM - System Checkpoint
RP988: 12/28/2011 8:26:03 PM - System Checkpoint
RP989: 12/30/2011 9:39:28 AM - System Checkpoint
RP990: 12/31/2011 10:50:06 AM - System Checkpoint
RP991: 1/1/2012 6:31:05 PM - System Checkpoint
RP992: 1/2/2012 8:45:48 PM - System Checkpoint
RP993: 1/4/2012 8:58:02 AM - System Checkpoint
RP994: 1/5/2012 9:47:34 AM - System Checkpoint
RP995: 1/6/2012 10:04:56 AM - System Checkpoint
RP996: 1/7/2012 10:19:48 AM - System Checkpoint
RP997: 1/8/2012 1:02:09 PM - System Checkpoint
RP998: 1/9/2012 1:32:57 PM - System Checkpoint
RP999: 1/10/2012 2:12:12 PM - System Checkpoint
RP1000: 1/11/2012 10:00:17 AM - Software Distribution Service 3.0
RP1001: 1/12/2012 12:20:51 PM - System Checkpoint
RP1002: 1/13/2012 12:30:22 PM - System Checkpoint
RP1003: 1/14/2012 1:03:47 PM - System Checkpoint
RP1004: 1/15/2012 2:10:20 PM - System Checkpoint
RP1005: 1/16/2012 2:54:25 PM - System Checkpoint
RP1006: 1/17/2012 3:01:49 PM - System Checkpoint
RP1007: 1/18/2012 3:25:33 PM - System Checkpoint
RP1008: 1/18/2012 9:33:32 PM - Software Distribution Service 3.0
RP1009: 1/20/2012 7:12:36 AM - System Checkpoint
RP1010: 1/21/2012 9:46:41 AM - System Checkpoint
RP1011: 1/22/2012 10:06:57 AM - System Checkpoint
RP1012: 1/23/2012 11:09:04 AM - System Checkpoint
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Media Player
Adobe Reader X (10.1.2)
AIM 7
AIO_Scan
Apple Application Support
Apple Software Update
ArcSoft Print Creations
ArcSoft Print Creations - Album Page
ArcSoft Print Creations - Funhouse
ArcSoft Print Creations - Greeting Card
ArcSoft Print Creations - Photo Book
ArcSoft Print Creations - Photo Calendar
ArcSoft Print Creations - Scrapbook
ArcSoft Print Creations - Slimline Card
ATI Problem Report Wizard
Avery Wizard 3.1
Avery Wizard 4.0
Browser Configuration Utility
BufferChm
C6200
C6200_Help
Cards_Calendar_OrderGift_DoMorePlugout
Catalyst Control Center InstallProxy
CCScore
Cisco Connect
Cobian Backup 10
Copy
CPUID CPU-Z 1.54
Destination Component
DeviceDiscovery
DeviceManagementQFolder
Diagnostic Utility
DocProc
DocProcQFolder
Download Updater (AOL LLC)
Driver Robot
Driver Sweeper 2.1.0
Energy Saver Advance B8.0711.1
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSTOOLS
essvatgt
eSupportQFolder
EverQuest II Extended
EverQuest II Extended (2)
Facebook Plug-In
Fax
File Uploader
Google Earth
Google Update Helper
GPBaseService
GPBaseService2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Imaging Device Functions 10.0
HP Photosmart All-In-One Driver Software 10.0 Rel .2
HP Photosmart Essential 3.5
HP Solution Center 13.0
HP Update
HP_Network_UserGuide
HPPhotoSmartDiscLabel_PaperLabel
HPPhotoSmartDiscLabel_PrintOnDisc
HPPhotoSmartDiscLabelContent1
hpphotosmartdisclabelplugin
HPPhotosmartEssential
HPPhotoSmartPhotobookWebPack1
HPProductAssistant
HPSSupply
Java Auto Updater
Java™ 6 Update 24
Jawbone Updater
Junk Mail filter update
Kodak EasyShare software
LG United Mobile Drivers
LogMeIn
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money Plus
Microsoft Money Shared Libraries
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFCLOC_x86
Move Media Player
Mozilla Firefox 9.0.1 (x86 en-US)
MSVCRT
MSVCSetup
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Nero Suite
netbrdg
Nikon Message Center
Nikon RAW Codec
Nikon Transfer
NVIDIA Control Panel 260.99
NVIDIA Graphics Driver 260.99
NVIDIA HD Audio Driver 1.1.9.0
NVIDIA Install Application
NVIDIA nView 135.36
NVIDIA nView Desktop Manager
NVIDIA PhysX
NVIDIA PhysX System Software 9.10.0514
OCR Software by I.R.I.S. 10.0
OfotoXMI
OGA Notifier 2.0.0048.0
PanoStandAlone
ParetoLogic PC Health Advisor
Picture Control Utility
PS_AIO_02_ProductContext
PS_AIO_02_Software
PS_AIO_02_Software_Min
PSSWCORE
QuickBooks
QuickBooks Pro 2009
QuickBooks Remote Access
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Registry Mechanic 10.0
Rift BETA Patcher
Scan
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB923789)
Segoe UI
SFR
SHASTA
Shop for HP Supplies
skin0001
SKINXSDK
Skype Click to Call
Skype™ 5.6
SolutionCenter
staticcr
Status
SupportSoft Assisted Service
Toolbox
TrayApp
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596686) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update Manager B08.0515.1
VideoToolkit01
ViewNX
Viewpoint Media Player
VPRINTOL
WebEx Meeting Manager for Mozilla Firefox/Netscape Navigator
WebFldrs XP
WebReg
WinAce Archiver
Winamp
Winamp Detector Plug-in
Windows Driver Package - SteelSeries (HidUsb) HIDClass (11/06/2008 1.0.0.0)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WIRELESS
Works Suite OS Pack
World of Warcraft
World of Warcraft MMO Gaming Mouse
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
1/25/2012 9:14:44 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/25/2012 8:13:23 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm PCTSD
1/25/2012 8:13:09 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
1/25/2012 7:33:22 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
1/25/2012 7:30:18 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avgldx86 Avgmfx86 Fips intelppm PCTSD
1/25/2012 7:23:27 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
1/25/2012 6:56:09 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgldx86 Avgmfx86 Avgtdix Fips intelppm IPSec MRxSmb NetBIOS NetBT PCTSD RasAcd Rdbss Tcpip
1/25/2012 6:56:09 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
1/25/2012 6:56:09 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/25/2012 6:56:09 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
1/25/2012 6:47:26 PM, error: PCTCore [280] -
1/25/2012 6:42:24 PM, error: Service Control Manager [7001] - The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The dependency service does not exist or has been marked for deletion.
1/25/2012 6:42:23 PM, error: Service Control Manager [7003] - The TCP/IP Protocol Driver service depends on the following nonexistent service: IPSec
1/25/2012 4:43:05 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Tcpip
1/25/2012 4:43:05 PM, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
1/25/2012 4:41:39 PM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The system cannot find the file specified.
1/25/2012 4:41:39 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: Access is denied.
1/25/2012 4:41:39 PM, error: Service Control Manager [7003] - The IPSEC Services service depends on the following nonexistent service: IPSec
1/25/2012 4:41:39 PM, error: Service Control Manager [7001] - The Windows Media Player Network Sharing Service service depends on the Universal Plug and Play Device Host service which failed to start because of the following error: The dependency service or group failed to start.
1/25/2012 4:41:39 PM, error: Service Control Manager [7001] - The Universal Plug and Play Device Host service depends on the SSDP Discovery Service service which failed to start because of the following error: The operation completed successfully.
1/25/2012 4:41:39 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/25/2012 4:41:39 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/25/2012 4:41:31 PM, error: SRService [104] - The System Restore initialization process failed.
1/25/2012 4:39:15 PM, error: NetBT [4311] - Initialization failed because the driver device could not be created.
1/25/2012 2:36:18 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
1/25/2012 12:08:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
1/25/2012 12:08:32 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/25/2012 11:05:10 AM, error: WMPNetworkSvc [14344] - A new media server was not initialized because WMCreateDeviceRegistration() encountered error '0x80070057'. The Windows Media DRM components on your computer might be corrupted. Verify that protected files play correctly in Windows Media Player, and then restart the WMPNetworkSvc service.
.
==== End Of File ===========================

Edited by Stephscraz, 31 January 2012 - 09:41 AM.


#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 31 January 2012 - 01:20 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 Stephscraz

Stephscraz
  • Topic Starter

  • Members
  • 12 posts

Posted 31 January 2012 - 01:42 PM

I am trying to run Combofix, but have a pop up that says "Combofix has detected the real time scanner to be active AVG Internet Security 2012".

I have looked in program files, and under control panel Add Remove Programs, as well as nothing running in the taskbar and there is nothing AVG related in any of those areas in order for me to "disable" it.

Any advice? I do not want to proceed until I know this is disabled.

Thanks.

#6 Stephscraz

Stephscraz
  • Topic Starter

  • Members
  • 12 posts

Posted 31 January 2012 - 02:07 PM

I ended up using AVG Remover (32bit)2012. Combofix did not give me the option to cancel the process to restart the computer to make sure that the Remover removed AVG Internet Security 2012. I hit the red X on the warning window from Combofix to close it and it proceeded to issue another warning saying that AVG Internet Security 2012 was still active to proceed at my own risk.

It proceeded to run Combofix, and is now asking me to install Microsoft Windows Recovery Console and to click yes to have Combofix install it. But it says under "Note" that this requires an active internet connection. That computer does not currently have an active internet connection.

What should I do now?

Edited by Stephscraz, 31 January 2012 - 02:08 PM.


#7 Stephscraz

Stephscraz
  • Topic Starter

  • Members
  • 12 posts

Posted 31 January 2012 - 02:50 PM

I just went ahead and followed your above directions to hit "Yes" to install Windows Recovery. It proceeded to run, and a pop up that said:

ComboFix-ZeroAccess
You are infected with Rootkit.ZeroAccess. It has inserted itself into the TCP/IP stack. This is a particularly difficult infection. If for any reason you're unable to connect to the internet after running combofix a restart may be needed...

At that point Combofix had me restart the computer. It restarted and began running Combofix again. It restarted a few more times, and then produced the log below.

-I am now able to access the internet.
-I am now able to access the Windows Firewall (which is ON)
-Security Center is reporting that I have Virus Protection ON, and that AVG Internet Security 2012 is up to date and virus scanning is on. This is frustrating, as I uninstalled AVG a few days ago, and also used the AVG Remover...there is nothing concerning AVG at all in the Add/Remove program files and nothing showing in the taskbar to provide me with a way to disable/uninstall.


ComboFix 12-01-30.02 - Administrator 01/31/2012 12:20:03.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3454.3047 [GMT -7:00]
Running from: F:\ComboFix.exe
AV: AVG Internet Security 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Local Settings\Application Data\assembly\tmp
c:\documents and settings\All Users\Application Data\~mz4gSn4aBW2tvd
c:\documents and settings\All Users\Application Data\~mz4gSn4aBW2tvdr
c:\documents and settings\All Users\Application Data\~WK34A4y1JCzqtW
c:\documents and settings\All Users\Application Data\~WK34A4y1JCzqtWr
c:\documents and settings\All Users\Application Data\mz4gSn4aBW2tvd
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
c:\documents and settings\All Users\Application Data\WK34A4y1JCzqtW
c:\windows\$NtUninstallKB19720$
c:\windows\$NtUninstallKB19720$\1231553632\@
c:\windows\$NtUninstallKB19720$\1231553632\bckfg.tmp
c:\windows\$NtUninstallKB19720$\1231553632\cfg.ini
c:\windows\$NtUninstallKB19720$\1231553632\Desktop.ini
c:\windows\$NtUninstallKB19720$\1231553632\keywords
c:\windows\$NtUninstallKB19720$\1231553632\kwrd.dll
c:\windows\$NtUninstallKB19720$\1231553632\L\teggjhoe
c:\windows\$NtUninstallKB19720$\1231553632\lsflt7.ver
c:\windows\$NtUninstallKB19720$\1231553632\U\00000001.@
c:\windows\$NtUninstallKB19720$\1231553632\U\00000002.@
c:\windows\$NtUninstallKB19720$\1231553632\U\00000004.@
c:\windows\$NtUninstallKB19720$\1231553632\U\80000000.@
c:\windows\$NtUninstallKB19720$\1231553632\U\80000004.@
c:\windows\$NtUninstallKB19720$\1231553632\U\80000032.@
c:\windows\$NtUninstallKB19720$\516784381
c:\windows\system32\AutoRun.inf
c:\windows\system32\SET97.tmp
c:\windows\system32\SET9F.tmp
c:\windows\system32\SETA1.tmp
c:\windows\system32\SETBC.tmp
c:\windows\system32\SETBE.tmp
c:\windows\system32\SETCC.tmp
.
c:\windows\system32\drivers\ipsec.sys was missing
Restored copy from - c:\windows\system32\dllcache\ipsec.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-31 )))))))))))))))))))))))))))))))
.
.
2012-01-31 19:27 . 2008-04-13 19:19 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
2012-01-31 19:27 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-01-27 23:18 . 2012-01-27 23:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Safe mirror
2012-01-27 23:18 . 2012-01-27 23:18 -------- d-----w- c:\program files\Cobian Backup 10
2012-01-27 22:04 . 2012-01-27 23:17 -------- d-----w- c:\program files\Cobian Backup 8
2012-01-27 05:21 . 2001-08-18 05:36 9759 -c----w- c:\windows\system32\dllcache\hsf_inst.dll
2012-01-27 05:20 . 2001-08-17 19:13 980034 -c----w- c:\windows\system32\dllcache\cicap.sys
2012-01-27 00:16 . 2012-01-27 00:16 -------- d-----w- c:\documents and settings\Administrator\.exe
2012-01-27 00:00 . 2012-01-27 00:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-01-27 00:00 . 2012-01-27 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-26 23:59 . 2012-01-27 00:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-26 23:59 . 2011-09-01 00:00 22216 ------w- c:\windows\system32\drivers\mbam.sys
2012-01-26 02:26 . 2012-01-26 02:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\isoburnerdata
2012-01-25 21:29 . 2012-01-27 20:05 -------- d-----w- c:\windows\system32\MpEngineStore
2012-01-25 15:42 . 2012-01-31 14:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-01-25 15:42 . 2012-01-31 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-01-24 21:36 . 2012-01-24 21:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\SanctionedMedia
2012-01-24 19:47 . 2012-01-24 19:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\TestApp
2012-01-24 18:20 . 2012-01-24 18:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG
2012-01-24 15:21 . 2012-01-24 15:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2012-01-24 15:21 . 2012-01-24 15:21 -------- d-----w- C:\$AVG
2012-01-24 15:07 . 2012-01-31 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-01-24 15:06 . 2012-01-24 19:14 -------- d-----w- c:\program files\AVG
2012-01-17 13:35 . 2012-01-24 15:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\appPathTask
2012-01-03 17:43 . 2012-01-03 17:43 626688 ------w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-03 17:43 . 2012-01-03 17:43 548864 ------w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-03 17:43 . 2012-01-03 17:43 479232 ------w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-03 17:43 . 2012-01-03 17:43 43992 ------w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-03 13:10 . 2012-01-03 13:10 182672 ------w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 13:10 . 2012-01-03 13:10 182672 ------w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 19:30 . 2008-09-24 06:13 16608 ----a-w- c:\windows\gdrv.sys
2012-01-16 23:28 . 2010-05-21 16:46 149456 ------w- c:\windows\SGDetectionTool.dll0146.old
2012-01-16 23:28 . 2010-05-21 16:46 2246608 ------w- c:\windows\PCTBDCore.dll0146.old
2012-01-16 23:28 . 2010-05-21 16:46 767952 ------w- c:\windows\BDTSupport.dll0146.old
2011-11-25 21:57 . 2004-08-03 23:56 293376 ------w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-03 22:17 1859584 ------w- c:\windows\system32\win32k.sys
2011-11-18 23:44 . 2011-05-25 15:58 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-18 12:35 . 2004-08-03 23:56 60416 ------w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2004-08-03 23:56 354816 ------w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-03 23:56 152064 ------w- c:\windows\system32\schannel.dll
2011-11-04 19:20 . 2004-08-03 23:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 19:20 . 2004-08-03 23:56 916992 ------w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-03 23:56 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 11:23 . 2004-08-03 21:59 385024 ------w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2004-08-03 23:56 386048 ------w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2004-08-03 23:56 1292288 ------w- c:\windows\system32\quartz.dll
2008-10-27 08:54 . 2008-10-27 08:54 44360 ------w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-10-27 08:54 . 2008-10-27 08:54 107920 ------w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-10-27 08:48 . 2008-10-27 08:48 49152 ------w- c:\program files\mozilla firefox\plugins\atmccli.dll
2012-01-03 17:43 . 2011-05-11 19:02 121816 ------w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-01-30 204288]
"MoneyBackgoundBanking"="c:\program files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe" [2008-02-19 53264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"SteelSeries World of Warcraft MMO Gaming Mouse"="c:\program files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe" [2009-05-13 414720]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-12-16 479232]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-12-22 1092872]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-10-07 01:24 87424 ------w- c:\windows\system32\LMIinit.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [1/27/2012 4:18 PM 67584]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [6/9/2010 11:06 AM 20968]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [9/23/2008 11:14 PM 80392]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/29/2010 12:02 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/26/2012 5:00 PM 366152]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [11/14/2010 11:08 AM 632792]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [11/20/2009 9:27 AM 22016]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/15/2008 2:03 PM 24652]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/26/2012 4:59 PM 22216]
R3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [9/21/2009 10:47 AM 11136]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [7/27/2010 4:12 PM 100712]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2011 4:26 PM 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/26/2009 4:43 PM 1684736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2011 4:26 PM 136176]
S3 JmtFltr;n52te;c:\windows\system32\Drivers\JmtFltr.sys --> c:\windows\system32\Drivers\JmtFltr.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver 06/04/2010,1.12.1.0;c:\windows\system32\drivers\libusb0.sys [5/18/2011 8:32 PM 21120]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [11/20/2009 9:27 AM 29440]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [11/20/2009 9:27 AM 17536]
S4 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - IPFILTERDRIVER
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2012-01-27 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\Driver Robot.lnk [2011-11-18 06:25]
.
2012-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-24 23:26]
.
2012-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-24 23:26]
.
2012-01-30 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2011-03-29 23:17]
.
2011-06-27 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2011-03-29 23:17]
.
2011-10-07 c:\windows\Tasks\PC Health Advisor Defrag.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2011-03-29 23:17]
.
2012-01-28 c:\windows\Tasks\PC Health Advisor.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2011-03-29 23:17]
.
2012-01-31 c:\windows\Tasks\RMSmartUpdate.job
- c:\program files\Registry Mechanic\Update.exe [2010-11-14 18:26]
.
2012-01-31 c:\windows\Tasks\User_Feed_Synchronization-{09910F4A-8693-466B-A0D0-719FA7096554}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 10:31]
.
.
------- Supplementary Scan -------
.
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\i5djlkpn.default\
FF - prefs.js: browser.startup.homepage - hxxp://xfinity.comcast.net/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Be6e672a6-27ca-4d34-90db-6306c24552eb%7D&mid=9dc98c9478a447d1a0e3d15696cc8777-0b7fe46fe2efd4faf97d2fee8b782e13322d5601&ds=AVG&v=9.0.0.23&lang=en&pr=pr&d=2012-01-24%2008%3A08%3A43&sap=ku&q=
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-Akamai NetSession Interface - c:\documents and settings\Administrator\Local Settings\Application Data\Akamai\netsession_win.exe
HKLM-Run-ATIModeChange - Ati2mdxx.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-31 12:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-436374069-1417001333-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4d,ad,91,90,36,01,39,47,a9,5c,04,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e8,ec,ce,16,31,1f,8a,44,84,c3,60,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cf,dc,4a,5d,e8,48,a0,45,ba,5b,81,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(972)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(2768)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMTray.exe
.
**************************************************************************
.
Completion time: 2012-01-31 12:36:57 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-31 19:36
.
Pre-Run: 515,558,686,720 bytes free
Post-Run: 515,970,555,904 bytes free
.
- - End Of File - - 420D68B7863D211F94E029D08B332BD5
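The ComboFix log above carries the footprint that a responder looks for after a ZeroAccess cleanup of that period: a fake `$NtUninstallKB…$` folder under c:\windows holding an `@` file and `U\` and `L\` subfolders with a random numeric parent, an AutoRun.inf dropped into system32, and a system driver (ipsec.sys) that had gone missing and had to be restored from dllcache, consistent with the lost network access and unreachable firewall described earlier in the thread. The script below is an added example and is not ComboFix's or BleepingComputer's code: it parses a ComboFix log (the embedded sample is an excerpt of the log posted above) and flags those indicators so that many logs can be triaged the same way. The indicator rules (numeric subfolder, `@` file, `U`/`L` subdirectories, AutoRun.inf in system32, a "was missing / Restored copy from" pair) are my assumptions drawn from the layout visible in this log, not a vendor signature.

```python
"""Triage a ComboFix log for the ZeroAccess footprint seen in this thread.

Added example, not ComboFix or BleepingComputer code. The indicator rules
are assumptions drawn from the log posted above, not a vendor signature.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample: excerpts of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\$NtUninstallKB19720$
c:\windows\$NtUninstallKB19720$\1231553632\@
c:\windows\$NtUninstallKB19720$\1231553632\cfg.ini
c:\windows\$NtUninstallKB19720$\1231553632\kwrd.dll
c:\windows\$NtUninstallKB19720$\1231553632\L\teggjhoe
c:\windows\$NtUninstallKB19720$\1231553632\U\00000001.@
c:\windows\$NtUninstallKB19720$\1231553632\U\80000032.@
c:\windows\$NtUninstallKB19720$\516784381
c:\windows\system32\AutoRun.inf
c:\windows\system32\SET97.tmp
.
c:\windows\system32\drivers\ipsec.sys was missing
Restored copy from - c:\windows\system32\dllcache\ipsec.sys
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-31 )))))))))))))))))))))))))))))))
.
2012-01-31 19:27 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
"""

SECTION_RE = re.compile(r"^\(+\s*(?P<name>[^()]+?)\s*\)+$")
UNINSTALL_RE = re.compile(
    r"^(?P<root>[a-z]:\\windows\\\$ntuninstallkb\d+\$)(?:\\(?P<rest>.+))?$", re.I)
AUTORUN_RE = re.compile(r"\\system32\\autorun\.inf$", re.I)
MISSING_RE = re.compile(r"^(?P<path>.+?) was missing$", re.I)
RESTORED_RE = re.compile(r"^Restored copy from - (?P<src>.+)$", re.I)


def sections(text: str) -> Dict[str, List[str]]:
    """Split a ComboFix log into {section name: lines}, dropping '.' spacer lines."""
    out: Dict[str, List[str]] = {"preamble": []}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            out.setdefault(current, [])
        elif line and line != ".":
            out[current].append(line)
    return out


def classify_uninstall_entry(rest: str) -> Set[str]:
    """Tag a path below a $NtUninstallKB*$ root with the layout markers from the log."""
    parts = rest.split("\\")
    tags: Set[str] = set()
    if parts[0].isdigit():                                   # random numeric subfolder
        tags.add("numeric-subfolder")
    if len(parts) >= 2 and parts[1] == "@":                  # the '@' file
        tags.add("@-file")
    if len(parts) >= 3 and parts[1].upper() in ("U", "L"):   # U\ and L\ module dirs
        tags.add(parts[1].upper() + "-subdir")
    return tags


@dataclass
class Findings:
    fake_uninstall_dirs: Dict[str, Set[str]] = field(default_factory=dict)
    autorun_in_system32: List[str] = field(default_factory=list)
    restored_drivers: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def zeroaccess_likely(self) -> bool:
        # Assumption: a fake uninstall tree plus a system driver that had gone
        # missing is treated as a strong ZeroAccess signal.
        return bool(self.fake_uninstall_dirs) and bool(self.restored_drivers)


def triage(text: str) -> Findings:
    f = Findings()
    for line in sections(text).get("Other Deletions", []):
        m = UNINSTALL_RE.match(line)
        if m:
            tags = f.fake_uninstall_dirs.setdefault(m.group("root").lower(), set())
            if m.group("rest"):
                tags |= classify_uninstall_entry(m.group("rest"))
        elif AUTORUN_RE.search(line):
            f.autorun_in_system32.append(line)
    # Keep only uninstall folders that show the malware layout; genuine
    # $NtUninstallKBnnnnnn$ folders (spuninst\...) collect no tags.
    f.fake_uninstall_dirs = {k: v for k, v in f.fake_uninstall_dirs.items() if v}
    # "X was missing" followed by "Restored copy from - Y" records a replaced driver.
    pending = None
    for line in (ln.strip() for ln in text.splitlines()):
        m = MISSING_RE.match(line)
        if m:
            pending = m.group("path")
            continue
        m = RESTORED_RE.match(line)
        if m and pending:
            f.restored_drivers.append((pending, m.group("src")))
            pending = None
    return f


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for root, tags in result.fake_uninstall_dirs.items():
        print("fake uninstall folder:", root, sorted(tags))
    for path in result.autorun_in_system32:
        print("autorun.inf in system32:", path)
    for missing, src in result.restored_drivers:
        print("driver restored:", missing, "<-", src)
    print("ZeroAccess-style layout:", result.zeroaccess_likely)
```

To run it over a real log, call `triage(open("ComboFix.txt").read())`. The rule deliberately ignores ordinary `$NtUninstallKBnnnnnn$` folders, which hold `spuninst\` and never an `@` file or `U\`/`L\` subfolders, so a machine with many Windows updates does not light up on its own.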

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 31 January 2012 - 05:37 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#9 Stephscraz

Stephscraz
  • Topic Starter

  • Members
  • 12 posts

Posted 31 January 2012 - 05:58 PM

-Was able to download Microsoft Recovery Console this time in ComboFix.
-Still unable to disable or remove AVG Internet Security 2012 due to not seeing the program anywhere on the computer, as ComboFix requested before running it. But ran ComboFix anyway.

ComboFix 12-01-30.02 - Administrator 01/31/2012 15:51:19.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3454.2696 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: F:\CFScript.txt
AV: AVG Internet Security 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-31 )))))))))))))))))))))))))))))))
.
.
2012-01-31 19:27 . 2008-04-13 19:19 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
2012-01-31 19:27 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-01-27 23:18 . 2012-01-27 23:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Safe mirror
2012-01-27 23:18 . 2012-01-27 23:18 -------- d-----w- c:\program files\Cobian Backup 10
2012-01-27 22:04 . 2012-01-27 23:17 -------- d-----w- c:\program files\Cobian Backup 8
2012-01-27 05:24 . 2001-08-18 05:36 94720 -c----w- c:\windows\system32\dllcache\umaxud32.dll
2012-01-27 05:23 . 2001-08-17 20:51 19584 -c----w- c:\windows\system32\dllcache\rasirda.sys
2012-01-27 05:22 . 2008-04-13 18:46 15232 -c----w- c:\windows\system32\dllcache\mpe.sys
2012-01-27 05:21 . 2001-08-18 05:36 9759 -c----w- c:\windows\system32\dllcache\hsf_inst.dll
2012-01-27 05:20 . 2001-08-17 19:13 980034 -c----w- c:\windows\system32\dllcache\cicap.sys
2012-01-27 05:19 . 2001-08-17 21:56 66048 -c----w- c:\windows\system32\dllcache\s3legacy.dll
2012-01-27 00:16 . 2012-01-27 00:16 -------- d-----w- c:\documents and settings\Administrator\.exe
2012-01-27 00:00 . 2012-01-27 00:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-01-27 00:00 . 2012-01-27 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-26 23:59 . 2012-01-27 00:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-26 23:59 . 2011-09-01 00:00 22216 ------w- c:\windows\system32\drivers\mbam.sys
2012-01-26 02:26 . 2012-01-26 02:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\isoburnerdata
2012-01-25 21:29 . 2012-01-27 20:05 -------- d-----w- c:\windows\system32\MpEngineStore
2012-01-25 15:42 . 2012-01-31 14:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-01-25 15:42 . 2012-01-31 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-01-24 21:36 . 2012-01-24 21:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\SanctionedMedia
2012-01-24 19:47 . 2012-01-24 19:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\TestApp
2012-01-24 18:20 . 2012-01-24 18:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG
2012-01-24 15:21 . 2012-01-24 15:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2012-01-24 15:21 . 2012-01-24 15:21 -------- d-----w- C:\$AVG
2012-01-24 15:07 . 2012-01-31 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-01-24 15:06 . 2012-01-24 19:14 -------- d-----w- c:\program files\AVG
2012-01-17 13:35 . 2012-01-24 15:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\appPathTask
2012-01-03 17:43 . 2012-01-03 17:43 626688 ------w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-03 17:43 . 2012-01-03 17:43 548864 ------w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-03 17:43 . 2012-01-03 17:43 479232 ------w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-03 17:43 . 2012-01-03 17:43 43992 ------w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-03 13:10 . 2012-01-03 13:10 182672 ------w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 13:10 . 2012-01-03 13:10 182672 ------w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 19:30 . 2008-09-24 06:13 16608 ----a-w- c:\windows\gdrv.sys
2012-01-16 23:28 . 2010-05-21 16:46 149456 ------w- c:\windows\SGDetectionTool.dll0146.old
2012-01-16 23:28 . 2010-05-21 16:46 2246608 ------w- c:\windows\PCTBDCore.dll0146.old
2012-01-16 23:28 . 2010-05-21 16:46 767952 ------w- c:\windows\BDTSupport.dll0146.old
2011-11-25 21:57 . 2004-08-03 23:56 293376 ------w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-03 22:17 1859584 ------w- c:\windows\system32\win32k.sys
2011-11-18 23:44 . 2011-05-25 15:58 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-18 12:35 . 2004-08-03 23:56 60416 ------w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2004-08-03 23:56 354816 ------w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-03 23:56 152064 ------w- c:\windows\system32\schannel.dll
2011-11-04 19:20 . 2004-08-03 23:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 19:20 . 2004-08-03 23:56 916992 ------w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-03 23:56 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 11:23 . 2004-08-03 21:59 385024 ------w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2004-08-03 23:56 386048 ------w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2004-08-03 23:56 1292288 ------w- c:\windows\system32\quartz.dll
2008-10-27 08:54 . 2008-10-27 08:54 44360 ------w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-10-27 08:54 . 2008-10-27 08:54 107920 ------w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-10-27 08:48 . 2008-10-27 08:48 49152 ------w- c:\program files\mozilla firefox\plugins\atmccli.dll
2012-01-03 17:43 . 2011-05-11 19:02 121816 ------w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-01-30 204288]
"MoneyBackgoundBanking"="c:\program files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe" [2008-02-19 53264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"SteelSeries World of Warcraft MMO Gaming Mouse"="c:\program files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe" [2009-05-13 414720]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-12-16 479232]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-12-22 1092872]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-10-07 01:24 87424 ------w- c:\windows\system32\LMIinit.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [1/27/2012 4:18 PM 67584]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [6/9/2010 11:06 AM 20968]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [9/23/2008 11:14 PM 80392]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/29/2010 12:02 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/26/2012 5:00 PM 366152]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [11/14/2010 11:08 AM 632792]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [11/20/2009 9:27 AM 22016]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/15/2008 2:03 PM 24652]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/26/2012 4:59 PM 22216]
R3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [9/21/2009 10:47 AM 11136]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [7/27/2010 4:12 PM 100712]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2011 4:26 PM 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/26/2009 4:43 PM 1684736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2011 4:26 PM 136176]
S3 JmtFltr;n52te;c:\windows\system32\Drivers\JmtFltr.sys --> c:\windows\system32\Drivers\JmtFltr.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver 06/04/2010,1.12.1.0;c:\windows\system32\drivers\libusb0.sys [5/18/2011 8:32 PM 21120]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [11/20/2009 9:27 AM 29440]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [11/20/2009 9:27 AM 17536]
S4 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - IPFILTERDRIVER
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2012-01-27 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\Driver Robot.lnk [2011-11-18 06:25]
.
2012-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-24 23:26]
.
2012-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-24 23:26]
.
2012-01-30 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2011-03-29 23:17]
.
2011-06-27 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2011-03-29 23:17]
.
2011-10-07 c:\windows\Tasks\PC Health Advisor Defrag.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2011-03-29 23:17]
.
2012-01-28 c:\windows\Tasks\PC Health Advisor.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2011-03-29 23:17]
.
2012-01-31 c:\windows\Tasks\RMSmartUpdate.job
- c:\program files\Registry Mechanic\Update.exe [2010-11-14 18:26]
.
2012-01-31 c:\windows\Tasks\User_Feed_Synchronization-{09910F4A-8693-466B-A0D0-719FA7096554}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 10:31]
.
.
------- Supplementary Scan -------
.
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\i5djlkpn.default\
FF - prefs.js: browser.startup.homepage - hxxp://xfinity.comcast.net/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Be6e672a6-27ca-4d34-90db-6306c24552eb%7D&mid=9dc98c9478a447d1a0e3d15696cc8777-0b7fe46fe2efd4faf97d2fee8b782e13322d5601&ds=AVG&v=9.0.0.23&lang=en&pr=pr&d=2012-01-24%2008%3A08%3A43&sap=ku&q=
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-31 15:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-436374069-1417001333-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4d,ad,91,90,36,01,39,47,a9,5c,04,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e8,ec,ce,16,31,1f,8a,44,84,c3,60,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cf,dc,4a,5d,e8,48,a0,45,ba,5b,81,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(972)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2012-01-31 15:55:02
ComboFix-quarantined-files.txt 2012-01-31 22:55
ComboFix2.txt 2012-01-31 19:36
.
Pre-Run: 515,955,666,944 bytes free
Post-Run: 515,929,628,672 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 87FFA99EB7CBE0C205270096D506371C

Edited by Stephscraz, 31 January 2012 - 06:01 PM.


#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:56 AM

Posted 31 January 2012 - 06:53 PM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

KillAll::

SecCenter::
AV: AVG Internet Security 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 Stephscraz

Stephscraz
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:56 AM

Posted 31 January 2012 - 07:36 PM

AVG Internet Security is now gone :)

Below is the log from the last Combofix.

ComboFix 12-01-30.02 - Administrator 01/31/2012 17:20:22.3.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3454.2797 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
.
.
((((((((((((((((((((((((( Files Created from 2012-01-01 to 2012-02-01 )))))))))))))))))))))))))))))))
.
.
2012-01-31 19:27 . 2008-04-13 19:19 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
2012-01-31 19:27 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-01-27 23:18 . 2012-01-27 23:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Safe mirror
2012-01-27 23:18 . 2012-01-27 23:18 -------- d-----w- c:\program files\Cobian Backup 10
2012-01-27 22:04 . 2012-01-27 23:17 -------- d-----w- c:\program files\Cobian Backup 8
2012-01-27 05:24 . 2001-08-18 05:36 94720 -c----w- c:\windows\system32\dllcache\umaxud32.dll
2012-01-27 05:23 . 2001-08-17 20:51 19584 -c----w- c:\windows\system32\dllcache\rasirda.sys
2012-01-27 05:22 . 2008-04-13 18:46 15232 -c----w- c:\windows\system32\dllcache\mpe.sys
2012-01-27 05:21 . 2001-08-18 05:36 9759 -c----w- c:\windows\system32\dllcache\hsf_inst.dll
2012-01-27 05:20 . 2001-08-17 19:13 980034 -c----w- c:\windows\system32\dllcache\cicap.sys
2012-01-27 05:19 . 2001-08-17 21:56 66048 -c----w- c:\windows\system32\dllcache\s3legacy.dll
2012-01-27 00:16 . 2012-01-27 00:16 -------- d-----w- c:\documents and settings\Administrator\.exe
2012-01-27 00:00 . 2012-01-27 00:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-01-27 00:00 . 2012-01-27 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-26 23:59 . 2012-01-27 00:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-26 23:59 . 2011-09-01 00:00 22216 ------w- c:\windows\system32\drivers\mbam.sys
2012-01-26 02:26 . 2012-01-26 02:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\isoburnerdata
2012-01-25 21:29 . 2012-01-27 20:05 -------- d-----w- c:\windows\system32\MpEngineStore
2012-01-25 15:42 . 2012-01-31 14:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-01-25 15:42 . 2012-01-31 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-01-24 21:36 . 2012-01-24 21:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\SanctionedMedia
2012-01-24 19:47 . 2012-01-24 19:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\TestApp
2012-01-24 18:20 . 2012-01-24 18:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG
2012-01-24 15:21 . 2012-01-24 15:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2012-01-24 15:21 . 2012-01-24 15:21 -------- d-----w- C:\$AVG
2012-01-24 15:07 . 2012-01-31 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-01-24 15:06 . 2012-01-24 19:14 -------- d-----w- c:\program files\AVG
2012-01-17 13:35 . 2012-01-24 15:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\appPathTask
2012-01-03 17:43 . 2012-01-03 17:43 626688 ------w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-03 17:43 . 2012-01-03 17:43 548864 ------w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-03 17:43 . 2012-01-03 17:43 479232 ------w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-03 17:43 . 2012-01-03 17:43 43992 ------w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-03 13:10 . 2012-01-03 13:10 182672 ------w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 13:10 . 2012-01-03 13:10 182672 ------w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-01 00:23 . 2008-09-24 06:13 16608 ----a-w- c:\windows\gdrv.sys
2012-01-16 23:28 . 2010-05-21 16:46 149456 ------w- c:\windows\SGDetectionTool.dll0146.old
2012-01-16 23:28 . 2010-05-21 16:46 2246608 ------w- c:\windows\PCTBDCore.dll0146.old
2012-01-16 23:28 . 2010-05-21 16:46 767952 ------w- c:\windows\BDTSupport.dll0146.old
2011-11-25 21:57 . 2004-08-03 23:56 293376 ------w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-03 22:17 1859584 ------w- c:\windows\system32\win32k.sys
2011-11-18 23:44 . 2011-05-25 15:58 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-18 12:35 . 2004-08-03 23:56 60416 ------w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2004-08-03 23:56 354816 ------w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-03 23:56 152064 ------w- c:\windows\system32\schannel.dll
2011-11-04 19:20 . 2004-08-03 23:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 19:20 . 2004-08-03 23:56 916992 ------w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-03 23:56 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 11:23 . 2004-08-03 21:59 385024 ------w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2004-08-03 23:56 386048 ------w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2004-08-03 23:56 1292288 ------w- c:\windows\system32\quartz.dll
2008-10-27 08:54 . 2008-10-27 08:54 44360 ------w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-10-27 08:54 . 2008-10-27 08:54 107920 ------w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-10-27 08:48 . 2008-10-27 08:48 49152 ------w- c:\program files\mozilla firefox\plugins\atmccli.dll
2012-01-03 17:43 . 2011-05-11 19:02 121816 ------w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-31_19.32.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-01 00:23 . 2012-02-01 00:23 16384 c:\windows\temp\Perflib_Perfdata_240.dat
+ 2012-02-01 00:25 . 2012-02-01 00:25 16384 c:\windows\temp\Perflib_Perfdata_110.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-01-30 204288]
"MoneyBackgoundBanking"="c:\program files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe" [2008-02-19 53264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"SteelSeries World of Warcraft MMO Gaming Mouse"="c:\program files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe" [2009-05-13 414720]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-12-16 479232]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-12-22 1092872]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-10-07 01:24 87424 ------w- c:\windows\system32\LMIinit.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [1/27/2012 4:18 PM 67584]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [6/9/2010 11:06 AM 20968]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [9/23/2008 11:14 PM 80392]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/29/2010 12:02 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/26/2012 5:00 PM 366152]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [11/14/2010 11:08 AM 632792]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [11/20/2009 9:27 AM 22016]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/15/2008 2:03 PM 24652]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/26/2012 4:59 PM 22216]
R3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [9/21/2009 10:47 AM 11136]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [7/27/2010 4:12 PM 100712]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2011 4:26 PM 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/26/2009 4:43 PM 1684736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2011 4:26 PM 136176]
S3 JmtFltr;n52te;c:\windows\system32\Drivers\JmtFltr.sys --> c:\windows\system32\Drivers\JmtFltr.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver 06/04/2010,1.12.1.0;c:\windows\system32\drivers\libusb0.sys [5/18/2011 8:32 PM 21120]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [11/20/2009 9:27 AM 29440]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [11/20/2009 9:27 AM 17536]
S4 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2012-01-27 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\Driver Robot.lnk [2011-11-18 06:25]
.
2012-02-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-24 23:26]
.
2012-02-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-24 23:26]
.
2012-01-30 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2011-03-29 23:17]
.
2011-06-27 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2011-03-29 23:17]
.
2011-10-07 c:\windows\Tasks\PC Health Advisor Defrag.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2011-03-29 23:17]
.
2012-01-28 c:\windows\Tasks\PC Health Advisor.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2011-03-29 23:17]
.
2012-01-31 c:\windows\Tasks\RMSmartUpdate.job
- c:\program files\Registry Mechanic\Update.exe [2010-11-14 18:26]
.
2012-01-31 c:\windows\Tasks\User_Feed_Synchronization-{09910F4A-8693-466B-A0D0-719FA7096554}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 10:31]
.
.
------- Supplementary Scan -------
.
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\i5djlkpn.default\
FF - prefs.js: browser.startup.homepage - hxxp://xfinity.comcast.net/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Be6e672a6-27ca-4d34-90db-6306c24552eb%7D&mid=9dc98c9478a447d1a0e3d15696cc8777-0b7fe46fe2efd4faf97d2fee8b782e13322d5601&ds=AVG&v=9.0.0.23&lang=en&pr=pr&d=2012-01-24%2008%3A08%3A43&sap=ku&q=
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-31 17:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-436374069-1417001333-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4d,ad,91,90,36,01,39,47,a9,5c,04,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e8,ec,ce,16,31,1f,8a,44,84,c3,60,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cf,dc,4a,5d,e8,48,a0,45,ba,5b,81,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(972)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(3332)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMTray.exe
.
**************************************************************************
.
Completion time: 2012-01-31 17:31:56 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-01 00:31
ComboFix2.txt 2012-01-31 22:55
ComboFix3.txt 2012-01-31 19:36
.
Pre-Run: 515,956,961,280 bytes free
Post-Run: 515,940,401,152 bytes free
.
- - End Of File - - 21AB3320E21E139A5B30B8BEEF25E8D3

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:56 AM

Posted 31 January 2012 - 07:59 PM

These logs are looking a lot better, but we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a lot better of a job).

Programs to remove

Java™ 6 Update 24


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.



Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#13 Stephscraz

Stephscraz
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:56 AM

Posted 31 January 2012 - 09:34 PM

Computer seems to be running good again :) The only issues I can see are that when I go to the start menu and programs, a lot of the program shortcuts are showing as (empty). Also, is Firefox completely gone also?


Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.01.31.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: STEPHGAMINGCOMP [administrator]

Protection: Disabled

1/31/2012 6:21:59 PM
mbam-log-2012-01-31 (18-21-59).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 211489
Time elapsed: 3 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Administrator\My Documents\Downloads\MediaPlayerSetup.exe (Adware.Agent) -> Quarantined and deleted successfully.

(end)



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:30:23 PM, on 1/31/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SteelSeries World of Warcraft MMO Gaming Mouse] C:\Program Files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MoneyBackgoundBanking] "C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.clonewarsadventures.com
O15 - Trusted Zone: *.freerealms.com
O15 - Trusted Zone: *.soe.com
O15 - Trusted Zone: *.sony.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250627315156
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://qb.webex.com/client/v_mywebex-qb20/ra/ieatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Cobian Backup 10 Volume Shadow Copy service (cbVSCService) - CobianSoft, Luis Cobian - C:\Program Files\Cobian Backup 10\cbVSCService.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9836 bytes
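A helper reading a HijackThis log like the one above works line by line through the section prefixes (R0/R1, O2, O4, O15, O23 and so on). As an added illustration that is not part of this thread or of HijackThis itself, the Python below parses those line shapes and lists the entries a helper would ask about first: anything tagged "(file missing)", services with no publisher string, and sites placed in the IE Trusted Zone. The sample lines are constructed, modelled on the log posted above; the flags are review prompts, not verdicts.

```python
import re

# Constructed sample, modelled on HijackThis v2.0.4 lines quoted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [NeroFilterCheck] C:\\WINDOWS\\system32\\NeroCheck.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O15 - Trusted Zone: *.freerealms.com
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\\Program Files\\GIGABYTE\\EnergySaver\\GSvr.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\\WINDOWS\\system32\\GameMon.des.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\\Program Files\\Malwarebytes' Anti-Malware\\mbamservice.exe
"""

# "O23 - <body>": section code, then the section-specific body.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [Value name] command line
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# O23 body: Service: Display name (short name) - Publisher - path
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_hjt(text):
    """Turn HijackThis log lines into dicts; lines that are not entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        entry = {"section": section, "raw": line.strip(),
                 "file_missing": body.endswith("(file missing)")}
        if section == "O4" and (r := RUN_RE.match(body)):
            entry.update(hive=r.group("hive"), name=r.group("name"), path=r.group("cmd"))
        elif section == "O23" and (s := SERVICE_RE.match(body)):
            entry.update(name=s.group("name"), owner=s.group("owner"), path=s.group("path"))
        elif section == "O15":
            entry["zone"] = body.replace("Trusted Zone: ", "")
        entries.append(entry)
    return entries


def review_flags(entries):
    """Return (raw line, reason) pairs worth a second look; none is a verdict."""
    flags = []
    for e in entries:
        if e["file_missing"]:
            flags.append((e["raw"], "references a file that is not present"))
        if e.get("owner") == "Unknown owner":
            flags.append((e["raw"], "service binary carries no publisher string"))
        if e["section"] == "O15":
            flags.append((e["raw"], "site in IE Trusted Zone runs with relaxed security"))
    return flags
```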

#14 gringo_pr (Malware Response Team)

Posted 31 January 2012 - 09:51 PM

Hello

There are things here to try for the Start menu: http://www.smartestcomputing.us.com/topic/46010-how-to-restore-start-menu-and-files-hiddendeleted-by-a-virus/

Reinstall Firefox and let me know how things are.

gringo

#15 Stephscraz (Topic Starter)

Posted 31 January 2012 - 10:09 PM

In the process of doing the above 2 things. I need to ask: what is the best guard against getting infected again? I have a 12- and a 9-year-old who love to get on my computer, unfortunately, and really have very little knowledge in the security area.