Windows XP - Still not right after malware infection


This topic is locked
24 replies to this topic

#1 mawelsh

mawelsh

  • Members
  • 51 posts

Posted 25 June 2013 - 04:15 PM

Original symptom was a "scareware" antivirus.  Unfortunately I didn't document which one.  I removed it (maybe) by running System Restore in Safe Mode.  Also ran MalwareBytes and CCleaner.
 
Currently, Windows Update will not run (tried all of Microsoft's FixIts on the subject).  Also Microsoft Security Essentials is damaged and will not run.  Logs attached, thanks in advance.
 
___
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702
Run by Kevin at 17:10:31 on 2013-06-25
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\DOCUME~1\Kevin\LOCALS~1\Temp\TeamViewer\Version8\TeamViewer.exe
C:\DOCUME~1\Kevin\LOCALS~1\Temp\TeamViewer\Version8\tv_w32.exe
C:\WINDOWS\system32\rundll32.exe
c:\docume~1\kevin\locals~1\temp\teamviewer\version8\TeamViewer_Desktop.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: DisallowRun = dword:1
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1372101715406
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1302621190015
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 208.67.222.222 208.67.220.220 8.8.8.8
TCP: Interfaces\{FE25EC13-40A4-4C60-A577-BAF5D63FFD93} : DHCPNameServer = 208.67.222.222 208.67.220.220 8.8.8.8
Notify: igfxcui - igfxdev.dll
SSODL: CDBurn - <orphaned>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\27.0.1453.116\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2013-06-25 12:50:44 -------- d-----w- C:\3334edfc0a2766a5030baaaf
2013-06-25 12:24:09 -------- d-----w- c:\program files\ESET
2013-06-25 12:22:19 -------- d-----w- C:\f7a6afa41c14f2a31d04c5dbb4167416
2013-06-25 12:17:42 -------- d-----w- c:\program files\CCleaner
2013-06-25 12:16:18 -------- d-----w- C:\dfccea5f097acacba64b9aa02855ae44
2013-06-24 16:47:24 -------- d-----w- c:\documents and settings\all users\application data\20E42BAEB9D9CAED000020E40ACDCE0C
2013-06-21 13:48:24 -------- d-----w- c:\program files\Browny02
2013-06-21 13:48:15 -------- d-----w- c:\program files\Brother
2013-06-21 13:47:07 -------- d-----w- c:\documents and settings\all users\application data\Brother
.
==================== Find3M  ====================
.
2013-05-03 17:57:23 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-03 17:57:23 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-04 18:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-02 10:33:22 237088 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 17:10:45.87 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
.
==== Disk Partitions =========================
.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.7)
Adobe Shockwave Player 11.5
bpd_scan_ent
CCleaner
Enterprise
ESET Online Scanner v3
Google Chrome
Google Earth Plug-in
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HP Officejet Pro 8500 A909 Series Corporate Edition 12.0
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections 12.1.12.0
Java Auto Updater
Java™ 6 Update 31
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2742597)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Basic 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Outlook MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Network
PCmover Enterprise
PowerDVD
Realtek High Definition Audio Driver
Roxio Activation Module
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler 3
Roxio Update Manager
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB2817183)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2482017)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2753842)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2808735)
Security Update for Windows XP (KB2813170)
Security Update for Windows XP (KB2813345)
Security Update for Windows XP (KB2820917)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Sonic CinePlayer Decoder Pack
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
.
==== End Of File ===========================


Edited by Oh My, 29 June 2013 - 08:45 PM.
Posted Attach log
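The DDS report above has a fixed layout (a banner line per section, "." spacer lines, one entry per line), which makes it practical to triage mechanically before a helper reads it by hand. The script below is an added example written for this page; it is not a tool posted in the thread and not part of DDS. The text it parses is constructed from the lines quoted above, with the list shortened. It splits the report into sections, pulls the Run keys, Explorer policies and DNS servers out of the Pseudo HJT Report, lists any process or autorun whose image lives under a Temp folder, and lists recently created directories with long hexadecimal names. Every output is a review list, not a verdict: TeamViewer's QuickSupport module legitimately runs from Temp (it is how the poster was connected), and Windows Update and installers extract into hex-named folders.

```python
"""Triage helper for DDS-style log text (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample, modelled on the DDS output quoted in post #1 (shortened).
SAMPLE_LOG = r"""
DDS (Ver_2012-11-20.01) - NTFS_x86
Run by Kevin at 17:10:31 on 2013-06-25
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\Kevin\LOCALS~1\Temp\TeamViewer\Version8\TeamViewer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: DisallowRun = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
TCP: NameServer = 208.67.222.222 208.67.220.220 8.8.8.8
.
=============== Created Last 30 ================
.
2013-06-25 12:50:44 -------- d-----w- C:\3334edfc0a2766a5030baaaf
2013-06-25 12:17:42 -------- d-----w- c:\program files\CCleaner
.
============= FINISH: 17:10:45.87 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")          # "=== Section Name ==="
RUN_RE = re.compile(r"^([um])Run: \[(.+?)\] (.*)$")     # u = user hive, m = machine hive
POLICY_RE = re.compile(r"^([um])Policies-(\S+): (\S+) = (\S+)$")
DNS_RE = re.compile(r"^TCP: NameServer = (.*)$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (.*)$")
EXE_RE = re.compile(r'^"?(.*?\.exe)"?(?:\s|$)', re.I)   # image path, quoted or not
TEMP_PATH_RE = re.compile(r"\\temp\\", re.I)            # also matches LOCALS~1\Temp\
HEX_NAME_RE = re.compile(r"^[0-9a-f]{24,32}$", re.I)


def parse_sections(text):
    """Split DDS output into {section name: [lines]}; '.' spacer lines are dropped."""
    sections = defaultdict(list)
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        sections[current].append(line)
    return sections


def image_path(command):
    """Return the executable path from a process or autorun command line."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else command.strip()


def parse_run_keys(sections):
    """(hive, value name, image path) for every uRun/mRun entry."""
    return [(m.group(1), m.group(2), image_path(m.group(3)))
            for line in sections.get("Pseudo HJT Report", [])
            if (m := RUN_RE.match(line))]


def parse_policies(sections):
    """(hive, policy key, value name, value) for every Policies entry.
    DisallowRun = 1 in the user hive turns on Explorer's program block list;
    the value alone says nothing about what is listed, so review, don't delete."""
    return [m.groups()
            for line in sections.get("Pseudo HJT Report", [])
            if (m := POLICY_RE.match(line))]


def name_servers(sections):
    """Configured DNS servers, to be compared with what the owner expects."""
    for line in sections.get("Pseudo HJT Report", []):
        m = DNS_RE.match(line)
        if m:
            return m.group(1).split()
    return []


def flag_temp_executables(sections):
    """Running processes and autoruns whose image lives under a Temp directory."""
    candidates = list(sections.get("Running Processes", []))
    candidates += [path for _hive, _name, path in parse_run_keys(sections)]
    return sorted({image_path(c) for c in candidates if TEMP_PATH_RE.search(image_path(c))})


def hex_named_dirs(sections):
    """(timestamp, path) of recently created directories with long hex names."""
    found = []
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        stamp, _size, attrs, path = m.groups()
        leaf = path.rstrip("\\").rsplit("\\", 1)[-1]
        if attrs.startswith("d") and HEX_NAME_RE.match(leaf):
            found.append((stamp, path))
    return found


def triage(text):
    """Run every check over one DDS report and return the review lists."""
    sections = parse_sections(text)
    return {
        "temp_executables": flag_temp_executables(sections),
        "run_keys": parse_run_keys(sections),
        "policies": parse_policies(sections),
        "name_servers": name_servers(sections),
        "hex_dirs": hex_named_dirs(sections),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```

Feed it the pasted DDS.txt instead of SAMPLE_LOG to get the same lists for a real report; each list is a starting point for the questions a helper asks next (is that Temp executable the remote-support tool the owner is using, does the DNS list match the ISP or the resolver the owner chose, do the hex directories line up with recent update activity).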



#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,718 posts
  • Gender:Male
  • Location:California

Posted 29 June 2013 - 08:49 PM

Greetings mawelsh and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow This Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started!
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. I have a step for you to take but I must first advise you of the following.

===================================================

BACKDOOR WARNING!

--------------------

One or more of the identified infections is a Backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Please let me know if you have already noticed evidences of financial institution irregularities.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

===================================================

ComboFix Windows XP

--------------------

For a more detailed explanation on running Combofix and the prompts you will be following please see here.
  • Please download ComboFix from one of these locations and save it to your desktop:

Bleepingcomputer

ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista/Windows 7, ComboFix will skip the below Recovery Console pop ups and continue its malware removal procedure.

(screenshot: ComboFix prompt asking to install the Recovery Console)

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot: message confirming the Recovery Console was installed successfully)

  • Click on Yes, to continue scanning for malware
----------

Note #1: Oftentimes it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If, based on the below, you have concluded ComboFix has stopped running please stop and advise me.
  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
Note #2: If you receive the following error "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer to resolve this issue

----------

If Combofix fails to run properly using the above instructions please attempt the following:
  • Right click on the Combofix icon on your desktop and select Delete
  • Download a new copy but rename it to freshcopy.exe first, then save it to your desktop
  • Now download RKill.exe (or RKill renamed as iExplore.exe if the first one doesn't work properly) and save it to your desktop
  • Restart your computer in Safe Mode
  • Right click on RKill (or iExplore) and select Run as Administrator. If you are using Windows XP simply double click the icon
  • A black DOS screen should flash and disappear. If not, try to launch the program with the second file. If neither works please stop and let me know
  • When RKill is finished running you will be presented with a text file and a copy will be saved on your desktop. Copy and paste the contents of this report in your reply
  • Do not reboot your computer
  • Double click the freshcopy.exe icon (renamed Combofix file)
  • When finished, it will produce a log. Please copy and paste the C:\Combofix.txt log information in your next reply
  • If you disabled your antivirus please enable it again. If you uninstalled it please wait for instructions to reinstall it
===================================================

Farbar's Service Scanner

--------------------
  • Please download Farbar Service Scanner, save it to your desktop, and run it.
  • Make sure the following options are checked:

Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services

  • Press Scan
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Combofix log
  • FSS log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 mawelsh

mawelsh
  • Topic Starter

  • Members
  • 51 posts

Posted 01 July 2013 - 07:36 AM

Hi Gary, thank you for the response!   I'm eager to get started tonight after work.



#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,718 posts
  • Gender:Male
  • Location:California

Posted 01 July 2013 - 07:56 AM

Very good.  Glad we finally connected.  Look forward to working on it together.


Gary
 

#5 mawelsh

mawelsh
  • Topic Starter

  • Members
  • 51 posts

Posted 01 July 2013 - 08:33 PM

So, no update tonight.  The story is I'm fixing this remotely for free (the computer is used by a non-profit food pantry).

 

Anyway I had TeamViewer running and ComboFix either hung or restarted the machine, so I lost contact...kind of like a Mars rover or something.

 

I'll speak with them in the morning to see where we're at.

 

Thanks

Michael


Edited by mawelsh, 01 July 2013 - 08:33 PM.


#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,718 posts
  • Gender:Male
  • Location:California

Posted 01 July 2013 - 09:07 PM

Thanks for letting me know Michael.  See you when you get back up and running.


Gary
 

#7 mawelsh

mawelsh
  • Topic Starter

  • Members
  • 51 posts

Posted 02 July 2013 - 12:15 PM

Hi Gary - Got back in, using LogMeIn now, it seems more reliable through these restarts.  Logs attached, thanks...Michael
 
____
 
ComboFix 13-07-02.03 - Kevin 07/02/2013  12:55:50.1.2 - x86
Running from: c:\documents and settings\Kevin\Desktop\ComboFix.exe
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Kevin\Media
c:\documents and settings\Kevin\Media\CANYON.MID
c:\documents and settings\Kevin\Media\CHIMES.WAV
c:\documents and settings\Kevin\Media\CHORD.WAV
c:\documents and settings\Kevin\Media\DING.WAV
c:\documents and settings\Kevin\Media\Jungle Asterisk.wav
c:\documents and settings\Kevin\Media\Jungle Close.wav
c:\documents and settings\Kevin\Media\Jungle Critical Stop.wav
c:\documents and settings\Kevin\Media\Jungle Default.wav
c:\documents and settings\Kevin\Media\Jungle Error.wav
c:\documents and settings\Kevin\Media\Jungle Exclamation.wav
c:\documents and settings\Kevin\Media\Jungle Maximize.wav
c:\documents and settings\Kevin\Media\Jungle Menu Command.wav
c:\documents and settings\Kevin\Media\Jungle Menu Popup.wav
c:\documents and settings\Kevin\Media\Jungle Minimize.wav
c:\documents and settings\Kevin\Media\Jungle Open.wav
c:\documents and settings\Kevin\Media\Jungle Question.wav
c:\documents and settings\Kevin\Media\Jungle Recycle.wav
c:\documents and settings\Kevin\Media\Jungle Restore Down.wav
c:\documents and settings\Kevin\Media\Jungle Restore Up.wav
c:\documents and settings\Kevin\Media\Jungle Windows Exit.wav
c:\documents and settings\Kevin\Media\Jungle Windows Start.wav
c:\documents and settings\Kevin\Media\LOGOFF.WAV
c:\documents and settings\Kevin\Media\Microsoft Office 2000\APPLAUSE.WAV
c:\documents and settings\Kevin\Media\Microsoft Office 2000\CAMERA.WAV
c:\documents and settings\Kevin\Media\Microsoft Office 2000\CARBRAKE.WAV
c:\documents and settings\Kevin\Media\Microsoft Office 2000\CASHREG.WAV
c:\documents and settings\Kevin\Media\Microsoft Office 2000\CHIMES.WAV
c:\documents and settings\Kevin\Media\Microsoft Office 2000\CLAP.WAV
c:\documents and settings\Kevin\Media\Microsoft Office 2000\DRIVEBY.WAV
c:\documents and settings\Kevin\Media\Microsoft Office 2000\DRUMROLL.WAV
c:\documents and settings\Kevin\Media\Microsoft Office 2000\EXPLODE.WAV
c:\documents and settings\Kevin\Media\Microsoft Office 2000\GLASS.WAV
c:\documents and settings\Kevin\Media\Microsoft Office 2000\GUNSHOT.WAV
c:\documents and settings\Kevin\Media\Microsoft Office 2000\LASER.WAV
c:\documents and settings\Kevin\Media\Microsoft Office 2000\PROJCTOR.WAV
c:\documents and settings\Kevin\Media\Microsoft Office 2000\RICOCHET.WAV
c:\documents and settings\Kevin\Media\Microsoft Office 2000\TYPE.WAV
c:\documents and settings\Kevin\Media\Microsoft Office 2000\WHOOSH.WAV
c:\documents and settings\Kevin\Media\Musica Asterisk.wav
c:\documents and settings\Kevin\Media\Musica Close.wav
c:\documents and settings\Kevin\Media\Musica Critical Stop.wav
c:\documents and settings\Kevin\Media\Musica Default.wav
c:\documents and settings\Kevin\Media\Musica Error.wav
c:\documents and settings\Kevin\Media\Musica Exclamation.wav
c:\documents and settings\Kevin\Media\Musica Maximize.wav
c:\documents and settings\Kevin\Media\Musica Menu Command.wav
c:\documents and settings\Kevin\Media\Musica Menu Popup.wav
c:\documents and settings\Kevin\Media\Musica Minimize.wav
c:\documents and settings\Kevin\Media\Musica Open.wav
c:\documents and settings\Kevin\Media\Musica Question.wav
c:\documents and settings\Kevin\Media\Musica Recycle.wav
c:\documents and settings\Kevin\Media\Musica Restore Down.wav
c:\documents and settings\Kevin\Media\Musica Restore Up.wav
c:\documents and settings\Kevin\Media\Musica Windows Exit.wav
c:\documents and settings\Kevin\Media\Musica Windows Start.wav
c:\documents and settings\Kevin\Media\NOTIFY.WAV
c:\documents and settings\Kevin\Media\PASSPORT.MID
c:\documents and settings\Kevin\Media\RECYCLE.WAV
c:\documents and settings\Kevin\Media\Robotz Asterisk.wav
c:\documents and settings\Kevin\Media\Robotz Close.wav
c:\documents and settings\Kevin\Media\Robotz Critical Stop.wav
c:\documents and settings\Kevin\Media\Robotz Default.wav
c:\documents and settings\Kevin\Media\Robotz Error.wav
c:\documents and settings\Kevin\Media\Robotz Exclamation.wav
c:\documents and settings\Kevin\Media\Robotz Maximize.wav
c:\documents and settings\Kevin\Media\Robotz Menu Command.wav
c:\documents and settings\Kevin\Media\Robotz Menu Popup.wav
c:\documents and settings\Kevin\Media\Robotz Minimize.wav
c:\documents and settings\Kevin\Media\Robotz Open.wav
c:\documents and settings\Kevin\Media\Robotz Question.wav
c:\documents and settings\Kevin\Media\Robotz Recycle.wav
c:\documents and settings\Kevin\Media\Robotz Restore Down.wav
c:\documents and settings\Kevin\Media\Robotz Restore Up.wav
c:\documents and settings\Kevin\Media\Robotz Windows Exit.wav
c:\documents and settings\Kevin\Media\Robotz Windows Start.wav
c:\documents and settings\Kevin\Media\START.WAV
c:\documents and settings\Kevin\Media\TADA.WAV
c:\documents and settings\Kevin\Media\The Microsoft Sound.wav
c:\documents and settings\Kevin\Media\Utopia Asterisk.wav
c:\documents and settings\Kevin\Media\Utopia Close.wav
c:\documents and settings\Kevin\Media\Utopia Critical Stop.wav
c:\documents and settings\Kevin\Media\Utopia Default.wav
c:\documents and settings\Kevin\Media\Utopia Error.wav
c:\documents and settings\Kevin\Media\Utopia Exclamation.wav
c:\documents and settings\Kevin\Media\Utopia Maximize.wav
c:\documents and settings\Kevin\Media\Utopia Menu Command.wav
c:\documents and settings\Kevin\Media\Utopia Menu Popup.wav
c:\documents and settings\Kevin\Media\Utopia Minimize.wav
c:\documents and settings\Kevin\Media\Utopia Open.wav
c:\documents and settings\Kevin\Media\Utopia Question.wav
c:\documents and settings\Kevin\Media\Utopia Recycle.wav
c:\documents and settings\Kevin\Media\Utopia Restore Down.wav
c:\documents and settings\Kevin\Media\Utopia Restore Up.wav
c:\documents and settings\Kevin\Media\Utopia Windows Exit.wav
c:\documents and settings\Kevin\Media\Utopia Windows Start.wav
C:\install.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-02 to 2013-07-02  )))))))))))))))))))))))))))))))
.
.
2013-07-02 16:35 . 2013-07-02 16:35 -------- d-----w- c:\windows\LastGood
2013-07-02 16:21 . 2013-07-02 16:21 -------- d-----w- c:\documents and settings\LogMeInRemoteUser
2013-07-02 16:17 . 2013-07-02 16:17 -------- d-----w- c:\documents and settings\Kevin\Local Settings\Application Data\LogMeIn
2013-07-02 16:17 . 2013-06-08 03:28 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2013-07-02 16:17 . 2013-06-08 03:28 53064 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2013-07-02 16:17 . 2013-06-08 03:28 31560 ----a-w- c:\windows\system32\LMIport.dll
2013-07-02 16:17 . 2013-04-30 14:57 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2013-07-02 16:17 . 2013-06-08 03:28 92488 ----a-w- c:\windows\system32\LMIinit.dll
2013-07-02 16:17 . 2013-07-02 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\LogMeIn
2013-07-02 16:16 . 2013-07-02 16:21 -------- d-----w- c:\program files\LogMeIn
2013-06-26 01:12 . 2013-06-26 01:12 -------- d-----w- c:\documents and settings\Kevin\Application Data\TuneUp Software
2013-06-26 01:11 . 2013-06-26 01:24 -------- d-----w- c:\program files\TuneUp Utilities 2013
2013-06-26 01:11 . 2013-06-26 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2013-06-26 01:10 . 2013-06-26 01:18 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{C4ABDBC8-1C81-42C9-BFFC-4A68511E9E4F}
2013-06-26 01:10 . 2013-06-26 01:10 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2013-06-25 12:24 . 2013-06-25 12:24 -------- d-----w- c:\program files\ESET
2013-06-25 12:17 . 2013-06-25 12:17 -------- d-----w- c:\program files\CCleaner
2013-06-24 16:47 . 2013-06-24 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\20E42BAEB9D9CAED000020E40ACDCE0C
2013-06-21 13:48 . 2013-06-24 19:05 -------- d-----w- c:\program files\Browny02
2013-06-21 13:48 . 2013-06-24 19:05 -------- d-----w- c:\program files\Brother
2013-06-21 13:47 . 2013-06-24 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-03 17:57 . 2012-04-10 12:50 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-03 17:57 . 2012-04-10 12:50 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-30 14:56 . 2013-04-30 14:56 25248 ----a-w- c:\windows\system32\lmimirr.dll
2013-04-30 14:56 . 2013-04-30 14:56 11552 ----a-w- c:\windows\system32\lmimirr2.dll
2013-04-30 14:56 . 2013-04-30 14:56 10144 ----a-w- c:\windows\system32\drivers\lmimirr.sys
2013-04-10 03:08 . 2013-05-02 12:22 6906960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7B35F5F4-629E-4932-A3E4-657D6E124314}\mpengine.dll
2013-04-10 03:08 . 2013-05-01 12:22 6906960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-04-04 18:50 . 2013-01-14 13:51 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 16132608]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-16 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-16 138008]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2013-04-30 63048]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2013-06-08 03:28 92488 ----a-w- c:\windows\system32\LMIinit.dll
.
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2013-06-08 375120]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2013-04-30 13624]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - BITS
*NewlyCreated* - WINMGMT
*NewlyCreated* - WS2IFSL
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ   HPSLPSVC
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-25 12:47 1165776 ----a-w- c:\program files\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 17:57]
.
2013-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-17 16:43]
.
2013-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-17 16:43]
.
2013-07-02 c:\windows\Tasks\User_Feed_Synchronization-{46867DAF-C05D-429A-BA3D-3E0EB8646820}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220 8.8.8.8
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-tvncontrol - c:\program files\TightVNC\tvnserver.exe
SafeBoot-MsMpSvc
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-02 13:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@DACL=(02 0011)
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
@DACL=(02 0011)
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@DACL=(02 0011)
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@DACL=(02 0011)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@DACL=(02 0011)
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@DACL=(02 0011)
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@DACL=(02 0011)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2013-07-02  13:04:16
ComboFix-quarantined-files.txt  2013-07-02 17:04
.
Pre-Run: 57,778,704,384 bytes free
Post-Run: 59,504,033,792 bytes free
.
- - End Of File - - F6DC342F94865358478EA60112115BE2
8F558EB6672622401DA993E1E865C861
 

____________

 

Farbar Service Scanner Version: 27-06-2013
Ran by Kevin (administrator) on 02-07-2013 at 13:13:43
Running from "C:\Documents and Settings\Kevin\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
Checking LEGACY_sharedaccess: ATTENTION!=====> Unable to open LEGACY_sharedaccess\0000 registry key. The key does not exist.
 
winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is OK.
The ImagePath of winmgmt service is OK.
The ServiceDll of winmgmt service is OK.
 
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Security Center:
============
 
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.
 
winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is OK.
The ImagePath of winmgmt service is OK.
The ServiceDll of winmgmt service is OK.
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
 
Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) 
0x0700000005000000010000000200000003000000040000000600000007000000
IpSec Tag value is correct.
 
**** End of log ****


#8 Oh My! (Malware Response Instructor)

Posted 02 July 2013 - 12:57 PM

Hi Michael,

Thanks for working through the remote access issue. Sometimes that can be quite frustrating.

Please do this for me.

===================================================

Manually Importing a Registry Key (.reg) File

-------------------
  • Download the following file(s) and save it to your desktop

LEGACY_SHAREDACCESS.reg
LEGACY_WSCSVC.reg

  • Right click on the file and select Merge
  • Once you receive confirmation the information was successfully merged reboot your computer
  • Check the status of Windows Update and Microsoft Security Essentials
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Did the registry keys import properly?
  • Status of Windows Update and Microsoft Security Essentials
  • How is the computer running. Any other issues arise?

Gary
 
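The Farbar Service Scanner log in post #7 and the .reg merge in post #8 are two halves of one repair: the firewall (sharedaccess) and Security Center (wscsvc) services were installed but would not run, and their LEGACY_ keys under Enum\Root were missing. The script below is an added example for this thread, not code from BleepingComputer, FSS, ComboFix or any other tool named here. It re-runs the same sanity check after the merge from an Administrator PowerShell 2.0 session on the XP machine: for each service it confirms the service exists, reads its start type, ImagePath and ServiceDll from the registry (deliberately not via WMI, because winmgmt was itself stopped in this thread), tests that those files are present, and tests for the LEGACY_<NAME>\0000 key. The service list, the function name Test-ServiceHealth and the report layout are assumptions of the example, chosen to cover the services the logs in this thread mention.

```powershell
# Added example for this thread, not code from BleepingComputer, FSS, ComboFix or any
# other tool named here. Re-checks, on Windows XP, the services whose health Farbar
# Service Scanner reported, so the result of merging the LEGACY_*.reg files can be
# verified without trusting the GUI alone. Run from an Administrator account in
# PowerShell 2.0 (the newest version available on XP).

# Service names taken from the logs in this thread; the list itself is an assumption.
$ServiceNames = @('SharedAccess', 'wscsvc', 'winmgmt', 'wuauserv', 'BITS', 'MsMpSvc')

# Meaning of the Start value under HKLM\SYSTEM\CurrentControlSet\Services\<name>.
$StartTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Test-ServiceHealth {
    param([Parameter(Mandatory = $true)][string]$Name)

    $issues = @()
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"

    # Existence and current state come from the service control manager. A missing
    # service is exactly what MSE's error 0x80070424 (Win32 error 1060,
    # ERROR_SERVICE_DOES_NOT_EXIST) in post #9 reports.
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc -eq $null) {
        $issues += 'service is not installed'
    } elseif ($svc.Status -ne 'Running') {
        $issues += "state is $($svc.Status)"
    }

    # Start type, ImagePath and ServiceDll are read from the registry rather than WMI,
    # because winmgmt itself was one of the stopped services in this thread.
    $startType = $null; $imagePath = $null; $serviceDll = $null
    if (Test-Path -LiteralPath $svcKey) {
        $props = Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue
        if ($props.Start -ne $null) { $startType = $StartTypes[[int]$props.Start] }
        if ($startType -eq 'Disabled') { $issues += 'start type is Disabled' }

        # The registry provider expands REG_EXPAND_SZ (%SystemRoot%) for us; strip any
        # quoting and "-k netsvcs" style arguments so the executable itself is tested.
        $imagePath = [string]$props.ImagePath
        $exe = [regex]::Match($imagePath, '^"?([^"]+?\.exe)', 'IgnoreCase').Groups[1].Value
        if ($exe -eq '' -or -not (Test-Path -LiteralPath $exe)) {
            $issues += 'ImagePath executable not found'
        }

        # svchost-hosted services (SharedAccess, wscsvc, wuauserv, BITS, winmgmt) load
        # their code from Parameters\ServiceDll, e.g. ipnathlp.dll for SharedAccess.
        $paramsKey = "$svcKey\Parameters"
        if (Test-Path -LiteralPath $paramsKey) {
            $serviceDll = (Get-ItemProperty -LiteralPath $paramsKey -ErrorAction SilentlyContinue).ServiceDll
            if ($serviceDll -and -not (Test-Path -LiteralPath $serviceDll)) {
                $issues += 'ServiceDll not found'
            }
        }
    } elseif ($svc -ne $null) {
        $issues += 'service key missing from registry'
    }

    # On XP every service that has been started at least once has an
    # Enum\Root\LEGACY_<NAME>\0000 key; its absence for sharedaccess and wscsvc is the
    # ATTENTION line in the FSS log that the .reg merge in post #8 repaired.
    $legacyKey = "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($Name.ToUpper())\0000"
    $hasLegacy = Test-Path -LiteralPath $legacyKey
    if (-not $hasLegacy) { $issues += 'LEGACY_ enum key missing' }

    New-Object PSObject -Property @{
        Name       = $Name
        Installed  = ($svc -ne $null)
        State      = $(if ($svc) { [string]$svc.Status } else { 'n/a' })
        StartType  = $startType
        ImagePath  = $imagePath
        ServiceDll = $serviceDll
        LegacyKey  = $hasLegacy
        Issues     = ($issues -join '; ')
    }
}

# Summary table for all services, then full detail for only those with findings.
$report = $ServiceNames | ForEach-Object { Test-ServiceHealth -Name $_ }
$report | Select-Object Name, Installed, State, StartType, LegacyKey, Issues | Format-Table -AutoSize
$report | Where-Object { $_.Issues } | Select-Object Name, ImagePath, ServiceDll, Issues | Format-List
```

Reading the output: a service that is installed with an Automatic start type and intact ImagePath and ServiceDll, yet reports "LEGACY_ enum key missing" and "state is Stopped", matches the FSS finding in this thread; the LEGACY_ keys are owned by SYSTEM with restricted permissions, which is why they are restored by merging a prepared .reg file rather than typed in by hand. A service that is missing altogether is the MSE condition from post #9 and needs a reinstall, not a registry fix.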

#9 mawelsh (Topic Starter)

Posted 02 July 2013 - 02:00 PM

Thanks, those merged and Windows Update is now running and the PC is 100% updated on critical patches.

MS Security Essentials now has its system tray icon.  However, the associated service will not start.  The error when I click "Start Now" from within Security Essentials is: "Couldn't start the Security Essentials service. The specified service does not exist as an installed service. Click Help for more information about this problem. Error code: 0x80070424".

There is no entry in Add/Remove Programs for MS Security Essentials.


Edited by mawelsh, 02 July 2013 - 02:01 PM.


#10 Oh My! (Malware Response Instructor)

Posted 02 July 2013 - 02:07 PM

Hi Michael,

Let's use Revo Uninstaller and see if it recognizes the program. If so, then we will do a thorough cleaning and reinstall. If not, then try to reinstall MSSE over the "existing" installation.

===================================================

Uninstalling Programs Using Revo Uninstaller Free

--------------------

Revo Uninstaller is more thorough in deleting programs on your computer than using the Add/Remove option in Windows. Since it is a more powerful tool, please be sure to follow the instructions carefully.
Please note there is a chance when you look for this program to uninstall through Revo it might not be listed because of a previous uninstall. If that is the case simply stop and let me know.
  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on the listed program(s), or anything similar, to remove it (if it exists)
Microsoft Security Essentials
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished click on Next
  • Once the program has searched for leftovers click Next.
  • Check the items in bold only on the list then click Delete. You may have to expand some folders by clicking the "+" mark.
  • When prompted click on Yes and then on Next.
  • Click on Select all then click Delete
  • When prompted select Yes then Next
  • Once done click Finish.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Did the program(s) uninstall properly?
  • Were you able to successfully install MSSE?

Gary
 

#11 mawelsh (Topic Starter)

Posted 02 July 2013 - 02:48 PM

Gary, thanks...we're getting close now.  Revo didn't see it, but then I reinstalled MSSE on top, and it's now green-light.  I ran a scan and it came back clean.



#12 Oh My! (Malware Response Instructor)

Posted 02 July 2013 - 02:58 PM

Very nice!

Since you had a Backdoor Trojan and Combofix took out lots of stuff I would like to continue to scan your computer with a few programs. I would feel better if we went the extra mile.

If you don't mind......

===================================================

AdwCleaner by Xplode - Delete Adware

-------------------
  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browser
  • Double click on AdwCleaner.exe, select OK, then Run
  • Click on Delete
  • Confirm each time with OK
  • Your computer will be rebooted automatically. A text file will open after the restart
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[S1].txt
===================================================

Junkware Removal Tool by thisisu

-------------------
  • Please download Junkware Removal Tool and save it to your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply
===================================================

screen317's Security Check

--------------------
  • Please download screen317's Security Check to your desktop
  • Double-click icon to launch the program
  • Click OK
  • Select Run
  • Press any key to start the program
  • Allow the program to run
  • A Notepad document will open on your desktop. Please copy and paste the contents in your reply
===================================================

OTL

--------------------
  • Please download OTL and save it to your desktop
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Copy and paste the two reports in your next reply.

OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized


===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • AdwCleaner log
  • Junkware log
  • Security Check log
  • OTL log
  • Extra log

Gary
 

#13 mawelsh (Topic Starter)

Posted 02 July 2013 - 07:39 PM

All righty, thanks again, and here we go.

# AdwCleaner v2.303 - Logfile created 07/02/2013 at 16:09:56
# Updated 08/06/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Kevin - PC3
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.IE5\V37060M1\adwcleaner[1].exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

File Deleted : C:\WINDOWS\system32\conduitEngine.tmp

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F72841F0-4EF1-4DF5-BCE5-B3AC8ACF5478}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F72841F0-4EF1-4DF5-BCE5-B3AC8ACF5478}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\Software\Conduit

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Google Chrome v27.0.1453.116

File : C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1345 octets] - [02/07/2013 16:09:56]

########## EOF - C:\AdwCleaner[S1].txt - [1405 octets] ##########

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Microsoft Windows XP x86
Ran by Kevin on Tue 07/02/2013 at 16:20:20.45
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{FF9C8D1E-9B3F-4544-98E4-D6ED2B520840}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{597b1823-7ff0-4cd3-8095-9d8cba514992}

 

~~~ Files

Successfully deleted: [File] C:\eula.1028.txt
Successfully deleted: [File] C:\eula.1031.txt
Successfully deleted: [File] C:\eula.1033.txt
Successfully deleted: [File] C:\eula.1036.txt
Successfully deleted: [File] C:\eula.1040.txt
Successfully deleted: [File] C:\eula.1041.txt
Successfully deleted: [File] C:\eula.1042.txt
Successfully deleted: [File] C:\eula.2052.txt
Successfully deleted: [File] C:\install.res.1028.dll
Successfully deleted: [File] C:\install.res.1031.dll
Successfully deleted: [File] C:\install.res.1033.dll
Successfully deleted: [File] C:\install.res.1036.dll
Successfully deleted: [File] C:\install.res.1040.dll
Successfully deleted: [File] C:\install.res.1041.dll
Successfully deleted: [File] C:\install.res.1042.dll
Successfully deleted: [File] C:\install.res.2052.dll
Successfully deleted: [File] C:\install.res.3082.dll

 

~~~ Folders

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 07/02/2013 at 16:22:41.20
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Results of screen317's Security Check version 0.99.68 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Enabled! 
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 CCleaner    
 Java™ 6 Update 31 
 Java version out of Date!
 Adobe Flash Player  11.7.700.169 
 Adobe Reader 10.1.7 Adobe Reader out of Date! 
 Google Chrome 27.0.1453.116 
````````Process Check: objlist.exe by Laurent```````` 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 8%
````````````````````End of Log``````````````````````
 

OTL logfile created on: 7/2/2013 8:34:31 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\Kevin\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1.99 Gb Total Physical Memory | 1.40 Gb Available Physical Memory | 70.15% Memory free
3.83 Gb Paging File | 3.22 Gb Available in Paging File | 83.98% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 55.04 Gb Free Space | 73.85% Space Free | Partition Type: NTFS
 
Computer Name: PC3 | User Name: Kevin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013/07/02 20:34:07 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kevin\Desktop\OTL.exe
PRC - [2013/06/07 23:28:12 | 000,202,576 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2013/06/07 23:28:10 | 000,375,120 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
PRC - [2013/04/30 10:57:02 | 000,390,528 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2013/04/30 10:57:02 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2013/01/27 11:11:46 | 000,020,456 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2013/01/27 11:11:06 | 000,947,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2007/07/23 16:04:46 | 000,068,080 | ---- | M] () -- C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\dlaapi_w.dll
 
 
========== Services (SafeList) ==========
 
SRV - [2013/06/07 23:28:12 | 000,202,576 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\ramaint.exe -- (LMIMaint)
SRV - [2013/06/07 23:28:10 | 000,375,120 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2013/05/03 13:57:23 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/04/30 10:57:02 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2013/01/27 11:11:46 | 000,020,456 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Kevin\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2013/06/07 23:28:24 | 000,086,888 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2013/04/30 10:57:02 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2013/04/30 10:57:02 | 000,013,624 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2007/05/02 16:21:22 | 004,403,712 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080528
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080528
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
 
 
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =
 
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
 
IE - HKU\S-1-5-21-3133161906-2901881573-4017412212-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-3133161906-2901881573-4017412212-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-3133161906-2901881573-4017412212-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-3133161906-2901881573-4017412212-1005\..\SearchScopes,DefaultScope = {A836E4BF-F5E7-4569-B5FB-F90246F7A491}
IE - HKU\S-1-5-21-3133161906-2901881573-4017412212-1005\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-3133161906-2901881573-4017412212-1005\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-3133161906-2901881573-4017412212-1005\..\SearchScopes\{A836E4BF-F5E7-4569-B5FB-F90246F7A491}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
IE - HKU\S-1-5-21-3133161906-2901881573-4017412212-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-21-3133161906-2901881573-4017412212-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-3133161906-2901881573-4017412212-1006\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-3133161906-2901881573-4017412212-1006\..\SearchScopes\{A836E4BF-F5E7-4569-B5FB-F90246F7A491}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
IE - HKU\S-1-5-21-3133161906-2901881573-4017412212-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_169.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=13: C:\Program Files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=8: C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll (Google Inc.)
 
 
 
========== Chrome  ==========
 
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR - homepage: http://www.google.com/
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.116\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.116\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.116\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll
CHR - plugin: Java™ Platform SE 6 U31 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_169.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: Google Docs = C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0\
CHR - Extension: Google Drive = C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
CHR - Extension: YouTube = C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: Google Search = C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: Gmail = C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\
 
O1 HOSTS File: ([2013/07/02 13:03:03 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SoftwareSASGeneration = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3133161906-2901881573-4017412212-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3133161906-2901881573-4017412212-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3133161906-2901881573-4017412212-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3133161906-2901881573-4017412212-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-3133161906-2901881573-4017412212-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3133161906-2901881573-4017412212-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1372101715406 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1372790400082 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.67.222.222 208.67.220.220 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FE25EC13-40A4-4C60-A577-BAF5D63FFD93}: DhcpNameServer = 208.67.222.222 208.67.220.220 8.8.8.8
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Kevin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Kevin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/04/12 10:29:47 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/07/02 20:34:06 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Kevin\Desktop\OTL.exe
[2013/07/02 16:20:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2013/07/02 16:20:15 | 000,000,000 | ---D | C] -- C:\JRT
[2013/07/02 16:17:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\Desktop\New
[2013/07/02 15:40:00 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2013/07/02 15:18:11 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2013/07/02 13:12:56 | 000,356,397 | ---- | C] (Farbar) -- C:\Documents and Settings\Kevin\Desktop\FSS.exe
[2013/07/02 12:27:17 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2013/07/02 12:24:17 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/07/02 12:24:17 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/07/02 12:24:17 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/07/02 12:24:17 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/07/02 12:17:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\Local Settings\Application Data\LogMeIn
[2013/07/02 12:17:23 | 000,086,888 | ---- | C] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIRfsClientNP.dll
[2013/07/02 12:17:23 | 000,047,640 | ---- | C] (LogMeIn, Inc.) -- C:\WINDOWS\System32\drivers\LMIRfsDriver.sys
[2013/07/02 12:17:23 | 000,031,560 | ---- | C] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIport.dll
[2013/07/02 12:17:13 | 000,092,488 | ---- | C] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIinit.dll
[2013/07/02 12:17:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2013/07/02 12:16:58 | 000,000,000 | ---D | C] -- C:\Program Files\LogMeIn
[2013/07/02 12:07:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\My Documents\Downloads
[2013/07/01 16:11:42 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/07/01 16:11:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2013/07/01 16:10:23 | 005,084,414 | R--- | C] (Swearware) -- C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
[2013/06/25 21:12:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\Application Data\TuneUp Software
[2013/06/25 21:11:52 | 000,000,000 | ---D | C] -- C:\Program Files\TuneUp Utilities 2013
[2013/06/25 21:11:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
[2013/06/25 21:10:09 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\{C4ABDBC8-1C81-42C9-BFFC-4A68511E9E4F}
[2013/06/25 21:10:09 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2013/06/25 17:10:31 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Kevin\My Documents\My Videos
[2013/06/25 17:10:31 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Kevin\My Documents\My Pictures
[2013/06/25 17:10:03 | 000,688,992 | R--- | C] (Swearware) -- C:\Documents and Settings\Kevin\Desktop\dds.com
[2013/06/25 08:47:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
[2013/06/25 08:26:41 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Kevin\Recent
[2013/06/25 08:24:09 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2013/06/25 08:17:42 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2013/06/24 15:17:20 | 003,890,224 | ---- | C] (TeamViewer) -- C:\Documents and Settings\Kevin\Desktop\TeamViewer.exe
[2013/06/24 15:00:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2013/06/24 12:47:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\20E42BAEB9D9CAED000020E40ACDCE0C
[2013/06/21 09:48:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Brother
[2013/06/21 09:48:24 | 000,000,000 | ---D | C] -- C:\Program Files\Browny02
[2013/06/21 09:48:15 | 000,000,000 | ---D | C] -- C:\Program Files\Brother
[2013/06/21 09:47:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Brother
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Kevin\*.tmp files -> C:\Documents and Settings\Kevin\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013/07/02 20:36:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/07/02 20:35:00 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{46867DAF-C05D-429A-BA3D-3E0EB8646820}.job
[2013/07/02 20:34:07 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kevin\Desktop\OTL.exe
[2013/07/02 20:30:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/07/02 20:30:00 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/07/02 16:57:37 | 000,000,366 | -H-- | M] () -- C:\WINDOWS\tasks\MpIdleTask.job
[2013/07/02 16:21:41 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/07/02 16:17:09 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/07/02 16:11:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/07/02 15:21:10 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2013/07/02 14:34:06 | 000,267,008 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/07/02 14:29:22 | 000,506,024 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/07/02 14:29:22 | 000,089,362 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/07/02 14:21:51 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/07/02 13:12:57 | 000,356,397 | ---- | M] (Farbar) -- C:\Documents and Settings\Kevin\Desktop\FSS.exe
[2013/07/02 13:03:03 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2013/07/02 12:27:21 | 000,000,530 | RHS- | M] () -- C:\boot.ini
[2013/07/02 12:23:52 | 005,084,414 | R--- | M] (Swearware) -- C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
[2013/07/02 12:17:12 | 000,001,024 | ---- | M] () -- C:\.rnd
[2013/07/02 08:51:59 | 000,000,334 | ---- | M] () -- C:\WINDOWS\BRCALIB.INI
[2013/07/01 13:45:01 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\Microsoft Office Word 2007.lnk
[2013/06/27 08:27:13 | 000,001,841 | ---- | M] () -- C:\Documents and Settings\Kevin\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/06/25 17:09:10 | 000,688,992 | R--- | M] (Swearware) -- C:\Documents and Settings\Kevin\Desktop\dds.com
[2013/06/25 08:47:48 | 000,001,823 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2013/06/25 08:21:26 | 000,231,966 | ---- | M] () -- C:\Documents and Settings\Kevin\My Documents\cc_20130625_082121.reg
[2013/06/25 08:17:42 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2013/06/24 15:11:24 | 000,000,794 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/06/07 23:28:24 | 000,086,888 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIRfsClientNP.dll
[2013/06/07 23:28:18 | 000,031,560 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIport.dll
[2013/06/07 23:28:16 | 000,092,488 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIinit.dll
[2013/06/07 11:58:22 | 000,094,560 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\May 2013 Breakdown of income and expense.pdf
[2013/06/07 11:57:59 | 000,094,393 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\May 2013 Breakdown of income and expense adjusted.pdf
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Kevin\*.tmp files -> C:\Documents and Settings\Kevin\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013/07/02 15:31:04 | 000,000,384 | -H-- | C] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/07/02 15:31:03 | 000,000,366 | -H-- | C] () -- C:\WINDOWS\tasks\MpIdleTask.job
[2013/07/02 15:21:05 | 000,001,708 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2013/07/02 14:21:24 | 000,001,355 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2013/07/02 12:27:21 | 000,000,413 | ---- | C] () -- C:\Boot.bak
[2013/07/02 12:27:18 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2013/07/02 12:24:17 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/07/02 12:24:17 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/07/02 12:24:17 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/07/02 12:24:17 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/07/02 12:24:17 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013/07/02 12:17:11 | 000,001,024 | ---- | C] () -- C:\.rnd
[2013/07/02 12:17:05 | 000,000,729 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\LogMeIn.lnk
[2013/06/26 10:04:00 | 000,000,334 | ---- | C] () -- C:\WINDOWS\BRCALIB.INI
[2013/06/25 08:47:48 | 000,001,841 | ---- | C] () -- C:\Documents and Settings\Kevin\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/06/25 08:47:48 | 000,001,823 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2013/06/25 08:21:23 | 000,231,966 | ---- | C] () -- C:\Documents and Settings\Kevin\My Documents\cc_20130625_082121.reg
[2013/06/25 08:17:42 | 000,000,692 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2013/06/21 09:48:18 | 000,000,050 | ---- | C] () -- C:\WINDOWS\System32\BRADC10A.DAT
[2013/06/07 11:58:22 | 000,094,560 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\May 2013 Breakdown of income and expense.pdf
[2013/06/07 11:57:59 | 000,094,393 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\May 2013 Breakdown of income and expense adjusted.pdf
[2013/05/03 11:42:57 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/02/12 11:13:54 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Kevin\Application Data\bibstats
[2012/04/11 12:10:31 | 000,006,763 | ---- | C] () -- C:\WINDOWS\hpwscr22.dat
[2012/04/11 12:06:04 | 000,100,484 | ---- | C] () -- C:\WINDOWS\hpwins22.dat.temp
[2012/04/11 12:06:04 | 000,001,075 | ---- | C] () -- C:\WINDOWS\hpwmdl22.dat.temp
[2012/04/10 08:37:06 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2008/06/12 12:49:00 | 000,036,182 | ---- | C] () -- C:\Documents and Settings\Kevin\Metal Links.bmp
[2008/06/12 12:49:00 | 000,032,854 | ---- | C] () -- C:\Documents and Settings\Kevin\Sandstone.bmp
[2008/06/12 12:49:00 | 000,032,850 | ---- | C] () -- C:\Documents and Settings\Kevin\Gold Weave.bmp
[2008/06/12 12:49:00 | 000,002,754 | ---- | C] () -- C:\Documents and Settings\Kevin\Red Blocks.bmp
[2008/06/12 12:49:00 | 000,000,590 | ---- | C] () -- C:\Documents and Settings\Kevin\Straw Mat.bmp
[2008/06/12 12:49:00 | 000,000,582 | ---- | C] () -- C:\Documents and Settings\Kevin\Carved Stone.bmp
[2008/06/12 12:49:00 | 000,000,578 | ---- | C] () -- C:\Documents and Settings\Kevin\Pinstripe.bmp
[2008/06/12 12:49:00 | 000,000,470 | ---- | C] () -- C:\Documents and Settings\Kevin\Houndstooth.bmp
[2008/06/12 12:49:00 | 000,000,198 | ---- | C] () -- C:\Documents and Settings\Kevin\Triangles.bmp
[2008/06/12 12:49:00 | 000,000,194 | ---- | C] () -- C:\Documents and Settings\Kevin\Blue Rivets.bmp
[2008/06/12 12:49:00 | 000,000,182 | ---- | C] () -- C:\Documents and Settings\Kevin\Black Thatch.bmp
[2008/06/12 12:48:53 | 000,308,280 | ---- | C] () -- C:\Documents and Settings\Kevin\Setup.bmp
[2008/06/12 12:48:53 | 000,307,514 | ---- | C] () -- C:\Documents and Settings\Kevin\Clouds.bmp
[2008/06/12 12:48:53 | 000,066,146 | ---- | C] () -- C:\Documents and Settings\Kevin\Forest.bmp
[2008/06/12 12:48:53 | 000,004,678 | ---- | C] () -- C:\Documents and Settings\Kevin\Stitches.bmp
[2008/06/12 12:48:53 | 000,002,118 | ---- | C] () -- C:\Documents and Settings\Kevin\Bubbles.bmp
[2008/06/12 12:48:53 | 000,001,518 | ---- | C] () -- C:\Documents and Settings\Kevin\1STBOOT.BMP
[2008/06/12 12:48:53 | 000,000,578 | ---- | C] () -- C:\Documents and Settings\Kevin\Tiles.bmp
[2008/06/12 12:48:53 | 000,000,190 | ---- | C] () -- C:\Documents and Settings\Kevin\Waves.bmp
[2008/06/12 12:48:53 | 000,000,190 | ---- | C] () -- C:\Documents and Settings\Kevin\Circles.bmp
[2008/06/12 12:45:32 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Kevin\Local Settings\Application Data\FASTWiz.html
[2000/09/26 09:31:00 | 000,481,137 | ---- | C] () -- C:\Documents and Settings\Kevin\Plus!.bmp
 
========== ZeroAccess Check ==========
 
[2011/04/12 15:11:04 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2010/12/20 18:15:52 | 001,510,400 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 08:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/14 06:42:10 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >

OTL Extras logfile created on: 7/2/2013 8:34:31 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\Kevin\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1.99 Gb Total Physical Memory | 1.40 Gb Available Physical Memory | 70.15% Memory free
3.83 Gb Paging File | 3.22 Gb Available in Paging File | 83.98% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 55.04 Gb Free Space | 73.85% Space Free | Partition Type: NTFS
 
Computer Name: PC3 | User Name: Kevin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
 
[HKEY_USERS\S-1-5-21-3133161906-2901881573-4017412212-1005\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
 
========== System Restore Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ED8-B104-03393876DFDF}" = Roxio Creator Tools
"{07159635-9DFE-4105-BFC0-2817DB540C68}" = Roxio Activation Module
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0D397393-9B50-4C52-84D5-77E344289F87}" = Roxio Creator Data
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java™ 6 Update 31
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{34B32B70-8081-11E2-89AF-B8AC6F98CCE3}" = Google Earth Plug-in
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{390DD8BB-BB57-4942-A029-2D913E4E9D74}" = Microsoft Security Client
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{47ECCB1F-2811-49C0-B6A7-26778639ABA0}" = 32 Bit HP CIO Components Installer
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{565B7613-1190-433E-B014-4E3E67851496}" = Enterprise
"{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.12.0
"{77DF8C50-5BD9-4418-87D9-90C2DDB16A37}" = PCmover Enterprise
"{83FFCFC7-88C6-41C6-8752-958A45325C82}" = Roxio Creator Audio
"{87A9A9A9-FAB7-4224-9328-0FA2058C0FD5}" = Network
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders  (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91120000-0013-0000-0000-0000000FF1CE}" = Microsoft Office Basic 2007
"{92DE414C-9B9A-47DF-B03B-81E453E1D371}" = bpd_scan_ent
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9CCCFD9C-248F-47FE-9496-1680E3E5C163}" = Scan
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.7)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB7AF84A-1B7F-4C6B-8A58-EB7CDE48C23A}" = LogMeIn
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F85E7FDF-FE77-429d-90D5-1724B57A822C}" = HP Officejet Pro 8500 A909 Series Corporate Edition 12.0
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"BASICR" = Microsoft Office Basic 2007
"CCleaner" = CCleaner
"ESET Online Scanner" = ESET Online Scanner v3
"Google Chrome" = Google Chrome
"HDMI" = Intel® Graphics Media Accelerator Driver
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Microsoft .NET Framework 1.1  (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Security Client" = Microsoft Security Essentials
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 7/2/2013 2:20:07 PM | Computer Name = PC3 | Source = Microsoft Security Client | ID = 5000
Description =
 
Error - 7/2/2013 2:20:16 PM | Computer Name = PC3 | Source = Microsoft Security Client | ID = 5000
Description =
 
Error - 7/2/2013 2:35:44 PM | Computer Name = PC3 | Source = .NET Runtime Optimization Service | ID = 1103
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
 - Tried to start a service that wasn't the latest version of CLR Optimization service.
 Will shutdown
 
Error - 7/2/2013 2:38:55 PM | Computer Name = PC3 | Source = Microsoft Security Client | ID = 5000
Description =
 
Error - 7/2/2013 2:56:12 PM | Computer Name = PC3 | Source = Microsoft Security Client | ID = 5000
Description =
 
Error - 7/2/2013 2:57:34 PM | Computer Name = PC3 | Source = Microsoft Security Client | ID = 5000
Description =
 
Error - 7/2/2013 3:01:10 PM | Computer Name = PC3 | Source = Microsoft Security Client | ID = 5000
Description =
 
Error - 7/2/2013 3:21:01 PM | Computer Name = PC3 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x80070003, P2 moac, P3 cachereset, P4 4.2.223.0,
 P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.
 
Error - 7/2/2013 3:21:07 PM | Computer Name = PC3 | Source = Microsoft Security Client | ID = 5000
Description =
 
Error - 7/2/2013 4:19:25 PM | Computer Name = PC3 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 unspecified, P2 hardeningtelemetry, P3 hardeningtelemetrydisablertp,
 P4 4.2.223.0, P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10
 NIL.
 
[ OSession Events ]
Error - 6/5/2012 3:15:42 AM | Computer Name = PC3 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 36402
 seconds with 60 seconds of active time.  This session ended with a crash.
 
[ System Events ]
Error - 7/2/2013 4:31:41 PM | Computer Name = PC3 | Source = DCOM | ID = 10005
Description = DCOM got error "%1083" attempting to start the service winmgmt with
 arguments ""  in order to run the server:  {8BC3F05E-D86B-11D0-A075-00C04FB68820}
 
Error - 7/2/2013 4:31:41 PM | Computer Name = PC3 | Source = DCOM | ID = 10005
Description = DCOM got error "%1083" attempting to start the service winmgmt with
 arguments ""  in order to run the server:  {8BC3F05E-D86B-11D0-A075-00C04FB68820}
 
Error - 7/2/2013 4:31:41 PM | Computer Name = PC3 | Source = DCOM | ID = 10005
Description = DCOM got error "%1083" attempting to start the service winmgmt with
 arguments ""  in order to run the server:  {8BC3F05E-D86B-11D0-A075-00C04FB68820}
 
Error - 7/2/2013 5:54:39 PM | Computer Name = PC3 | Source = DCOM | ID = 10005
Description = DCOM got error "%1083" attempting to start the service winmgmt with
 arguments ""  in order to run the server:  {8BC3F05E-D86B-11D0-A075-00C04FB68820}
 
Error - 7/2/2013 7:52:39 PM | Computer Name = PC3 | Source = DCOM | ID = 10005
Description = DCOM got error "%1083" attempting to start the service winmgmt with
 arguments ""  in order to run the server:  {8BC3F05E-D86B-11D0-A075-00C04FB68820}
 
Error - 7/2/2013 8:33:12 PM | Computer Name = PC3 | Source = DCOM | ID = 10005
Description = DCOM got error "%1083" attempting to start the service winmgmt with
 arguments ""  in order to run the server:  {8BC3F05E-D86B-11D0-A075-00C04FB68820}
 
Error - 7/2/2013 8:33:15 PM | Computer Name = PC3 | Source = DCOM | ID = 10005
Description = DCOM got error "%1083" attempting to start the service winmgmt with
 arguments ""  in order to run the server:  {8BC3F05E-D86B-11D0-A075-00C04FB68820}
 
Error - 7/2/2013 8:33:17 PM | Computer Name = PC3 | Source = DCOM | ID = 10005
Description = DCOM got error "%1083" attempting to start the service winmgmt with
 arguments ""  in order to run the server:  {8BC3F05E-D86B-11D0-A075-00C04FB68820}
 
Error - 7/2/2013 8:33:18 PM | Computer Name = PC3 | Source = DCOM | ID = 10005
Description = DCOM got error "%1083" attempting to start the service winmgmt with
 arguments ""  in order to run the server:  {8BC3F05E-D86B-11D0-A075-00C04FB68820}
 
Error - 7/2/2013 8:33:18 PM | Computer Name = PC3 | Source = DCOM | ID = 10005
Description = DCOM got error "%1083" attempting to start the service winmgmt with
 arguments ""  in order to run the server:  {8BC3F05E-D86B-11D0-A075-00C04FB68820}
 
 
< End of report >
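The Shell Spawning and Firewall Settings sections of the OTL report above are the two a responder reads first after a fake-AV infection: that class of scareware rewrites exefile\shell\open\command (and sometimes the comfile/batfile/piffile/scrfile equivalents) so its own binary is launched in front of every program, and the GloballyOpenPorts list shows which exceptions are reachable from any address (the Domain profile entries above carry scope *, the Standard profile ones LocalSubNet). The following Python is an added example written for this page, not code from the thread, from OTL or from BleepingComputer. It parses those two sections from the report text and compares the watched file classes against a Windows XP SP3 baseline that is my assumption, not something OTL ships; the sample report is constructed from lines copied out of the log above, and the hijacked variant swaps in an invented launcher path under a per-user folder. A "Reg Error" line is reported as unreadable rather than as a hijack, because OTL could not read that value and it has to be checked by hand.

```python
"""Triage of the 'Shell Spawning' and 'GloballyOpenPorts' sections of an OTL report.

Added example, not code from the thread or from OTL. XP_DEFAULTS is an assumed
baseline (values from clean Windows XP SP3 installs), and the sample report at
the bottom is constructed from lines in the posted log plus one invented hijack.
"""
import re

# Classes that fake-AV scareware commonly rewrites so its own binary runs in
# front of every program the user starts.
WATCHED = {"batfile", "cmdfile", "comfile", "exefile", "piffile",
           "scrfile", "regfile", "txtfile"}

# Assumed Windows XP SP3 defaults. '%1' is the file, '%*' its arguments.
XP_DEFAULTS = {
    ("batfile", "open"): '"%1" %*',
    ("cmdfile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("exefile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("scrfile", "open"): '"%1" /S',
    ("scrfile", "config"): '"%1"',
    ("scrfile", "install"): "rundll32.exe desk.cpl,InstallScreenSaver %l",
}

SPAWN_RE = re.compile(r"^(?P<cls>\S+) \[(?P<verb>\w+)\] -- (?P<cmd>.*)$")
SECTION_RE = re.compile(r"^\[(?P<path>HKEY_[^\]]+)\]$")
PORT_RE = re.compile(r'^"[^"]+" = (?P<port>\d+):(?P<proto>TCP|UDP):'
                     r"(?P<scope>[^:]+):(?P<state>\w+):")
# A launcher in a per-user, user-writable folder is the usual sign of a hijack
# rather than a legitimate customisation.
USER_WRITABLE = re.compile(r"application data|local settings|\\temp\\|docume~1", re.I)


def check_shell_spawning(lines):
    """Return (class, verb, status, command) for every watched shell verb."""
    findings = []
    for line in lines:
        m = SPAWN_RE.match(line.strip())
        if not m or m["cls"] not in WATCHED:
            continue
        key, cmd = (m["cls"], m["verb"]), m["cmd"].strip()
        if cmd.startswith("Reg Error"):
            status = "unreadable"      # OTL could not read the value: verify by hand
        elif key not in XP_DEFAULTS:
            status = "no-baseline"
        elif cmd == XP_DEFAULTS[key]:
            status = "ok"
        elif USER_WRITABLE.search(cmd):
            status = "hijack"
        else:
            status = "modified"        # not default, but not obviously malicious
        findings.append((key[0], key[1], status, cmd))
    return findings


def check_open_ports(lines):
    """Return (profile, port, proto, scope, state) for each GloballyOpenPorts entry."""
    out, section = [], ""
    for line in lines:
        s = line.strip()
        sm = SECTION_RE.match(s)
        if sm:
            section = sm["path"]       # remember which registry key we are under
            continue
        pm = PORT_RE.match(s)
        if pm and "GloballyOpenPorts" in section:
            profile = "DomainProfile" if "DomainProfile" in section else "StandardProfile"
            out.append((profile, int(pm["port"]), pm["proto"], pm["scope"], pm["state"]))
    return out


def triage(report):
    lines = report.splitlines()
    spawn = check_shell_spawning(lines)
    ports = check_open_ports(lines)
    return {
        "hijacked": [f for f in spawn if f[2] == "hijack"],
        "modified": [f for f in spawn if f[2] == "modified"],
        "unreadable": [f for f in spawn if f[2] == "unreadable"],
        # scope '*' means the exception is open to every source address
        "any_address_ports": [p for p in ports if p[3] == "*" and p[4] == "Enabled"],
    }


# Constructed sample: copied from the posted report. HIJACKED_REPORT swaps in an
# invented exefile launcher of the kind fake-AV leaves behind (path is made up).
SAMPLE_REPORT = r"""
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"""
HIJACKED_REPORT = SAMPLE_REPORT.replace(
    'exefile [open] -- "%1" %*',
    r'exefile [open] -- "C:\Documents and Settings\user\Local Settings\Application Data\pwx.exe" -a "%1" %*')

if __name__ == "__main__":
    for name, rep in (("posted log", SAMPLE_REPORT), ("constructed hijack", HIJACKED_REPORT)):
        r = triage(rep)
        print(name, "| hijacked:", [f[:2] for f in r["hijacked"]],
              "| unreadable:", [f[:2] for f in r["unreadable"]],
              "| any-address ports:", [(p[0], p[1], p[2]) for p in r["any_address_ports"]])
```

Run against the posted lines this reports no hijack, one unreadable entry (regfile merge) and the four Domain-profile file-sharing ports as open to any address; the constructed variant shows what a hit looks like. The baseline only covers the verbs OTL prints for the watched classes, so a "modified" result still needs a look at the actual command before anything is deleted.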
 



#14 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,718 posts
  • Gender:Male
  • Location:California

Posted 02 July 2013 - 08:14 PM

Hi Michael,

That looks pretty good. There are a few little annoyance entries I would like us to delete.

I would like to caution you about the use of registry cleaners. I noticed a couple of programs that can be utilized for that. One wrong step can be the cause of massive problems so that is why BleepingComputer does not recommend their usage.

Please do this.

===================================================

Run OTL Fix

--------------------
  • Double click on the OTL icon on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
:OTL
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search
IE - HKU\S-1-5-21-3133161906-2901881573-4017412212-1005\..\SearchScopes,DefaultScope = {A836E4BF-F5E7-4569-B5FB-F90246F7A491}
IE - HKU\S-1-5-21-3133161906-2901881573-4017412212-1005\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-3133161906-2901881573-4017412212-1005\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=13: C:\Program Files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll File not found
:Commands
[emptytemp]
[emptyjava]
[emptyflash]
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • OTL log
  • How is your computer running now?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#15 mawelsh

  • Topic Starter
  • Members
  • 51 posts

Posted 02 July 2013 - 08:36 PM

Thanks Gary...I think maybe the Java or Flash resets killed the LogMeIn session, I'll get an update tomorrow.
