Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

No internet, blocked cmd line & USB drivers


  • This topic is locked This topic is locked
17 replies to this topic

#1 jhoybs

jhoybs

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 21 August 2013 - 08:03 PM

A friend asked me to look at his computer and it appears to really be infected.  These are the things I've noticed so far:

 

- No internet access (browser just states there is a connection problem)

- USB key driver installation is being blocked

- From the command line, anything you type comes back as an unrecognized command

- SuperAntispyware blocked

- Malwarebytes scans (nothing really found) but can't update

- DDS.COM appears to run, but the text files never pop up - the program just terminates after several minutes

 

The computer is running Windows XP SP3 and a disabled MS Security Essentials

 

Help!

 

 

 

 

 



BC AdBot (Login to Remove)

 


#2 jhoybs

jhoybs
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 24 August 2013 - 10:15 PM

After many tools getting blocked, I finaly was able to run Malwarebytes AntiRootkit in safe mode.  It detected and cleaned:

 

1) Rootkit.Harbinger.MBR

2) Trojan.Tracur.srdGen

3) Trojan.Agent

4) Trojan.Email.EPX

5) Broken.OpenCommand

6) Forged physical sector

 

Booted back into XP (normal mode) and ran Malwarebytes AntiMalware and ESet online scanner.  AM found nothing and ESet found another Trojan (forget the name).  The system appears to be running fine:  internet is accessable, cmd line is working, USB drive driver install isn't blocked and all programs starting without prompts (forgot to mention that all running apps displayed a Run/Cancel dialog.

 

I can also run dds:

 

dds.txt:

--------------------------

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_17
Run by jmorris at 21:42:49 on 2013-08-24
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1378 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\HP Photosmart 6520 series\Bin\ScanToPCActivationApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\WINDOWS\SYSTEM32\RunDll32.exe
C:\Program Files\Microsoft\BingBar\7.1.391.0\SeaPort.exe
C:\Program Files\HP\HP Photosmart 6520 series\Bin\HPNetworkCommunicatorCom.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://mlswis.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\microsoft\bingbar\7.1.391.0\BingExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [HP Photosmart 6520 series (NET)] "c:\program files\hp\hp photosmart 6520 series\bin\ScanToPCActivationApp.exe" -deviceID "CN31E350D805XP:NW" -scfn "HP Photosmart 6520 series (NET)" -AutoStart 1
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0379.0\mswinext.exe"
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\jmorris\startm~1\programs\startup\monito~1.lnk - c:\windows\system32\RunDll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\BK.CMD
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoCDBurning = dword:1
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/7/0/7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/VirtualEarth3D.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://rmgis.ruekert-mielke.com/Download/mgaxctrl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {82E5DF24-51E8-47CD-864A-F4BD5005AA73} - hxxps://www.icloud.com/system/iCloud.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{2665D33B-263D-49B8-838F-E8D5C5607D2A} : DHCPNameServer = 209.18.47.61 209.18.47.62
Notify: crypt32chain - <no file>
Notify: cryptnet - <no file>
Notify: cscdll - <no file>
Notify: dimsntfy - <no file>
Notify: igfxcui - <no file>
Notify: ScCertProp - <no file>
Notify: Schedule - <no file>
Notify: sclgntfy - <no file>
Notify: SensLogn - <no file>
Notify: termsrv - <no file>
Notify: wlballoon - <no file>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\29.0.1547.57\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jmorris\application data\mozilla\firefox\profiles\2cmtnggw.default\
FF - prefs.js: browser.search.selectedEngine - Produtools Maps Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3042917&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\documents and settings\jmorris\application data\mozilla\firefox\profiles\2cmtnggw.default\extensions\{575bddf5-790a-4d01-a37d-2863dec1c085}\plugins\np-mswmp.dll
FF - plugin: c:\documents and settings\jmorris\application data\mozilla\plugins\np-mswmp.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_180.dll
FF - ExtSQL: !HIDDEN! 2009-09-02 12:21; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2013-5-23 119056]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.1.391.0\SeaPort.EXE [2012-6-11 240208]
RUnknown MpKsl43f07578;MpKsl43f07578; [x]
S2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.1.391.0\BBSvc.EXE [2012-6-11 193616]
.
=============== Created Last 30 ================
.
2013-08-25 00:53:40    --------    d-----w-    c:\program files\ESET
2013-08-24 19:44:52    60872    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{31be9e53-8095-4e4a-9afe-ad7e1a0d7989}\offreg.dll
2013-08-24 19:25:18    7166848    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{31be9e53-8095-4e4a-9afe-ad7e1a0d7989}\mpengine.dll
2013-08-24 15:33:12    --------    d-----w-    c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)
2013-08-21 11:35:44    --------    d-----w-    c:\documents and settings\jmorris\application data\SUPERAntiSpyware.com
2013-08-21 11:35:10    --------    d-----w-    c:\program files\SUPERAntiSpyware
2013-08-21 11:35:10    --------    d-----w-    c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2013-08-21 00:48:32    --------    d-----w-    c:\documents and settings\jmorris\application data\Malwarebytes
2013-08-21 00:48:13    --------    d-----w-    c:\documents and settings\all users\application data\Malwarebytes
2013-08-21 00:48:10    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-08-21 00:48:10    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-08-16 04:26:48    --------    d-----w-    c:\documents and settings\jmorris\application data\ConsumerSoft
2013-08-16 04:11:12    --------    d-----w-    c:\program files\ConsumerSoft
2013-08-16 01:55:43    --------    d-----w-    c:\documents and settings\jmorris\application data\Wise Registry Cleaner
2013-08-16 01:54:42    --------    d-----w-    c:\program files\Wise
.
==================== Find3M  ====================
.
2013-08-24 20:30:08    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-24 20:30:08    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
.
============= FINISH: 21:43:01.85 ===============
 

 

attach.txt:

--------------------------

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 2/8/2005 2:16:52 PM
System Uptime: 8/24/2013 1:53:24 PM (8 hours ago)
.
Motherboard: Dell Computer Corp. |  | 0N6381
Processor:               Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2793/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 72 GiB total, 32.89 GiB free.
D: is CDROM (CDFS)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1520: 1/31/2013 5:31:41 AM - System Checkpoint
RP1521: 2/1/2013 9:03:33 AM - System Checkpoint
RP1522: 2/2/2013 9:38:35 AM - System Checkpoint
RP1523: 2/3/2013 11:22:13 AM - System Checkpoint
RP1524: 2/4/2013 1:21:06 PM - System Checkpoint
RP1525: 2/5/2013 3:14:23 PM - System Checkpoint
RP1526: 2/7/2013 1:05:46 PM - System Checkpoint
RP1527: 2/8/2013 1:35:28 PM - System Checkpoint
RP1528: 2/9/2013 2:48:29 PM - System Checkpoint
RP1529: 2/11/2013 10:50:45 AM - System Checkpoint
RP1530: 2/12/2013 11:28:55 AM - System Checkpoint
RP1531: 2/13/2013 12:35:26 PM - System Checkpoint
RP1532: 2/13/2013 4:00:22 PM - Software Distribution Service 3.0
RP1533: 2/14/2013 7:30:08 PM - System Checkpoint
RP1534: 2/15/2013 7:31:03 PM - System Checkpoint
RP1535: 2/17/2013 1:01:43 PM - System Checkpoint
RP1536: 2/18/2013 8:51:46 PM - System Checkpoint
RP1537: 2/19/2013 9:11:00 PM - System Checkpoint
RP1538: 2/20/2013 9:17:59 PM - System Checkpoint
RP1539: 2/21/2013 10:11:30 PM - System Checkpoint
RP1540: 2/22/2013 11:05:33 PM - System Checkpoint
RP1541: 2/23/2013 11:59:28 PM - System Checkpoint
RP1542: 2/25/2013 12:53:35 AM - System Checkpoint
RP1543: 2/26/2013 1:46:47 AM - System Checkpoint
RP1544: 2/27/2013 2:41:04 AM - System Checkpoint
RP1545: 2/28/2013 3:34:31 AM - System Checkpoint
RP1546: 3/1/2013 4:26:16 AM - System Checkpoint
RP1547: 3/2/2013 5:20:16 AM - System Checkpoint
RP1548: 3/3/2013 6:14:23 AM - System Checkpoint
RP1549: 3/4/2013 7:07:22 AM - System Checkpoint
RP1550: 3/5/2013 8:00:54 AM - System Checkpoint
RP1551: 3/6/2013 12:19:35 PM - System Checkpoint
RP1552: 3/6/2013 10:21:30 PM - Removed Symantec Endpoint Protection.
RP1553: 3/7/2013 4:00:18 PM - Software Distribution Service 3.0
RP1554: 3/8/2013 4:01:46 PM - System Checkpoint
RP1555: 3/9/2013 2:06:00 PM - Software Distribution Service 3.0
RP1556: 3/9/2013 2:45:32 PM - Software Distribution Service 3.0
RP1557: 3/10/2013 2:37:39 AM - Software Distribution Service 3.0
RP1558: 3/11/2013 7:18:29 AM - Software Distribution Service 3.0
RP1559: 3/14/2013 1:51:53 PM - Software Distribution Service 3.0
RP1560: 3/14/2013 7:43:34 PM - Software Distribution Service 3.0
RP1561: 3/15/2013 9:20:25 PM - Software Distribution Service 3.0
RP1562: 3/17/2013 9:18:23 AM - Software Distribution Service 3.0
RP1563: 3/17/2013 8:52:55 PM - Software Distribution Service 3.0
RP1564: 3/18/2013 9:25:15 AM - Software Distribution Service 3.0
RP1565: 3/19/2013 9:55:52 AM - System Checkpoint
RP1566: 3/19/2013 7:25:23 PM - Software Distribution Service 3.0
RP1567: 3/20/2013 7:28:27 PM - Software Distribution Service 3.0
RP1568: 3/21/2013 10:00:56 PM - System Checkpoint
RP1569: 3/22/2013 7:16:24 AM - Software Distribution Service 3.0
RP1570: 3/23/2013 9:04:41 AM - System Checkpoint
RP1571: 3/24/2013 1:33:08 AM - Software Distribution Service 3.0
RP1572: 3/25/2013 2:02:52 AM - System Checkpoint
RP1573: 3/25/2013 6:40:14 AM - Software Distribution Service 3.0
RP1574: 3/26/2013 7:49:33 AM - Software Distribution Service 3.0
RP1575: 3/27/2013 8:04:49 AM - Software Distribution Service 3.0
RP1576: 3/28/2013 8:55:49 AM - System Checkpoint
RP1577: 3/28/2013 12:33:16 PM - Software Distribution Service 3.0
RP1578: 3/29/2013 12:55:58 PM - System Checkpoint
RP1579: 3/30/2013 12:15:34 PM - Software Distribution Service 3.0
RP1580: 3/31/2013 1:51:34 AM - Software Distribution Service 3.0
RP1581: 4/1/2013 2:43:33 AM - System Checkpoint
RP1582: 4/1/2013 12:03:10 PM - Software Distribution Service 3.0
RP1583: 4/2/2013 12:52:39 PM - System Checkpoint
RP1584: 4/3/2013 7:39:22 AM - Software Distribution Service 3.0
RP1585: 4/4/2013 7:52:24 AM - System Checkpoint
RP1586: 4/5/2013 7:20:53 AM - Software Distribution Service 3.0
RP1587: 4/6/2013 7:24:47 AM - Software Distribution Service 3.0
RP1588: 4/7/2013 8:28:48 AM - Software Distribution Service 3.0
RP1589: 4/8/2013 9:14:47 AM - System Checkpoint
RP1590: 8/15/2013 9:27:49 PM - ARO 2013 - Before Installation
RP1591: 8/15/2013 9:29:01 PM - ARO 2013 - FIRST RUN
RP1592: 8/24/2013 2:22:53 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Photoshop Elements 3.0
Adobe Reader XI (11.0.03)
Adobe® Photoshop® Album Starter Edition 3.2
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft Software Suite
Banctec Service Agreement
Bing Bar
Bonjour
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
CutePDF Writer 2.8
Dell Driver Reset Tool
Dell Support Center (Support Software)
Dell System Restore
DellSupport
First Weber - Metro eGuide®
Form Viewer
Google Calendar Sync
Google Chrome
Google Earth
Google Earth Plug-in
Google Update Helper
H&R Block Tax Offer
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Photo Creations
HP Photosmart 6520 series Basic Device Software
HP Photosmart 6520 series Help
HP Photosmart 6520 series Product Improvement Study
HP Update
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
Internet Explorer Default Page
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_06
Java™ 6 Update 17
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2742597)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Disc 2
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft UI Engine
Microsoft User-Mode Driver Framework Feature Pack 1.0
MobileMe Control Panel
Mozilla Firefox 10.0 (x86 en-US)
Musicmatch® Jukebox
Nikon Message Center
OpenOffice.org Installer 1.0
Photo Notifier and Animation Creator
QuickTime
Real Estate Transaction Viewer
Safari
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2753842)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SUPERAntiSpyware
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VNC 4.0
VSO Image Resizer 2.0.0.15
WebCyberCoach 3.2 Dell
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Service Pack 3
Wise Registry Cleaner 7.83
WordPerfect Office 12
.
==== Event Viewer Messages From Past Week ========
.
8/24/2013 2:42:26 PM, error: Windows Update Agent [20]  - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.157.330.0).
8/24/2013 2:34:09 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.     New Signature Version:      Previous Signature Version: 1.157.333.0     Update Source: Microsoft Malware Protection Center     Update Stage: Install     Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.9302.0&avdelta=1.147.1264.0&asdelta=1.147.1264.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094     Signature Type: AntiVirus     Update Type: Full     User: NT AUTHORITY\NETWORK SERVICE     Current Engine Version:      Previous Engine Version: 1.1.9800.0     Error code: 0x8050a003     Error description: This package does not contain up-to-date definition files for this program. For more information, see Help and Support.
8/24/2013 2:34:09 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.     New Signature Version:      Previous Signature Version: 1.157.333.0     Update Source: Microsoft Malware Protection Center     Update Stage: Install     Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.9302.0&avdelta=1.147.1264.0&asdelta=1.147.1264.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094     Signature Type: AntiSpyware     Update Type: Full     User: NT AUTHORITY\NETWORK SERVICE     Current Engine Version:      Previous Engine Version: 1.1.9800.0     Error code: 0x8050a003     Error description: This package does not contain up-to-date definition files for this program. For more information, see Help and Support.
8/24/2013 2:25:58 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.     New Signature Version:      Previous Signature Version: 1.147.1264.0     Update Source: Microsoft Update Server     Update Stage: Install     Source Path: http://www.microsoft.com     Signature Type: AntiVirus     Update Type: Full     User: NT AUTHORITY\SYSTEM     Current Engine Version:      Previous Engine Version: 1.1.9302.0     Error code: 0x80070643     Error description: Fatal error during installation.
8/24/2013 2:25:51 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.     New Signature Version:      Previous Signature Version:      Update Source: User     Update Stage: Install     Source Path:      Signature Type:      Update Type:      User: NT AUTHORITY\SYSTEM     Current Engine Version:      Previous Engine Version:      Error code: 0x80070652     Error description: Another installation is already in progress.  Complete that installation before proceeding with this install.
8/24/2013 2:01:53 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.     New Signature Version:      Previous Signature Version: 1.147.1264.0     Update Source: Microsoft Update Server     Update Stage: Search     Source Path: http://www.microsoft.com     Signature Type: AntiVirus     Update Type: Full     User: NT AUTHORITY\SYSTEM     Current Engine Version:      Previous Engine Version: 1.1.9302.0     Error code: 0x8024402c     Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
8/24/2013 2:01:53 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.     New Signature Version:      Previous Signature Version: 1.147.1264.0     Update Source: Microsoft Malware Protection Center     Update Stage: Search     Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.9302.0&avdelta=1.147.1264.0&asdelta=1.147.1264.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094     Signature Type: AntiVirus     Update Type: Full     User: NT AUTHORITY\NETWORK SERVICE     Current Engine Version:      Previous Engine Version: 1.1.9302.0     Error code: 0x80072ee7     Error description: The server name or address could not be resolved
8/24/2013 2:01:53 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.     New Signature Version:      Previous Signature Version: 1.147.1264.0     Update Source: Microsoft Malware Protection Center     Update Stage: Search     Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.9302.0&avdelta=1.147.1264.0&asdelta=1.147.1264.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094     Signature Type: AntiSpyware     Update Type: Full     User: NT AUTHORITY\NETWORK SERVICE     Current Engine Version:      Previous Engine Version: 1.1.9302.0     Error code: 0x80072ee7     Error description: The server name or address could not be resolved
8/24/2013 1:58:26 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde
.
==== End Of File ===========================
 

 

 



#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:43 AM

Posted 26 August 2013 - 10:29 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

thisisujrt.gif Please download
Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third party programs if not up to date can be the cause of infiltration an infection.

Please restart the computer before running this security check..

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Please paste the logs in your next reply, DO NOT ATTACH THEM
Let me know what problem persists.

#4 jhoybs

jhoybs
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 26 August 2013 - 08:29 PM

nasdaq - Thanks for the help!

 

Here are the logs that you requested:

 

===============================

 

# AdwCleaner v3.001 - Report created 26/08/2013 at 19:34:42
# Updated 24/08/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : jmorris - HOME
# Running from : C:\Documents and Settings\jmorris\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\jmorris\IECompatCache
Folder Deleted : C:\Documents and Settings\jmorris\Application Data\Mozilla\Firefox\Profiles\2cmtnggw.default\Smartbar
Folder Deleted : C:\Documents and Settings\jmorris\Application Data\Mozilla\Firefox\Profiles\2cmtnggw.default\CT3042917
Folder Deleted : C:\Documents and Settings\jmorris\Application Data\Mozilla\Firefox\Profiles\2cmtnggw.default\Extensions\{575bddf5-790a-4d01-a37d-2863dec1c085}
File Deleted : C:\Documents and Settings\jmorris\Application Data\Mozilla\Firefox\Profiles\2cmtnggw.default\searchplugins\MyStart Search.xml
File Deleted : C:\Documents and Settings\jmorris\Application Data\Mozilla\Firefox\Profiles\2cmtnggw.default\user.js

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\ImInstaller
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1AE46C09-2AB8-4EE5-88FB-08CD0FF7F2DF}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{1AE46C09-2AB8-4EE5-88FB-08CD0FF7F2DF}

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v10.0 (en-US)

[ File : C:\Documents and Settings\jmorris\Application Data\Mozilla\Firefox\Profiles\2cmtnggw.default\prefs.js ]

Line Deleted : user_pref("CT3042917.1000082.currentList", "[{\"stationId\":\"9962\",\"url\":\"hxxp://feedlive.net/california.asx\",\"description\":\"California Rock\",\"text\":\"Californi...\",\"type\":\"STREAM\"},{[...]
Line Deleted : user_pref("CT3042917.1000082.isPlayDisplay", "true");
Line Deleted : user_pref("CT3042917.1000082.localStations", "[{\"stationId\":\"9942\",\"url\":\"hxxp://1.fm/wm/energycountry32k.asx\",\"description\":\"1.FM (Country)\",\"text\":\"1.FM (Cou...\",\"type\":\"STREAM\"}[...]
Line Deleted : user_pref("CT3042917.1000082.nowPlaying", "{\"stationId\":\"9962\",\"url\":\"hxxp://feedlive.net/california.asx\",\"description\":\"California Rock\",\"text\":\"Californi...\",\"type\":\"STREAM\"}");
Line Deleted : user_pref("CT3042917.1000082.publisherStations", "[{\"stationId\":\"9962\",\"url\":\"hxxp://feedlive.net/california.asx\",\"description\":\"California Rock\",\"text\":\"Californi...\",\"type\":\"STREA[...]
Line Deleted : user_pref("CT3042917.1000082.state", "{\"state\":\"stopped\",\"text\":\"Californi...\",\"description\":\"California Rock\"}");
Line Deleted : user_pref("CT3042917.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3042917.ENABLE_RETURN_WEB_SEARCH_ON_THE_PAGE", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3042917.enableAlerts", "always");
Line Deleted : user_pref("CT3042917.firstTimeDialogOpened", "{\"dataType\":\"boolean\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3042917.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3042917.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}");
Line Deleted : user_pref("CT3042917.isWelcomPage", "{\"dataType\":\"boolean\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3042917.keyword", true);
Line Deleted : user_pref("CT3042917.personalApps", "{\"dataType\":\"object\",\"data\":\"[\\\"BROWSER_COMPONENT\\\"]\"}");
Line Deleted : user_pref("CT3042917.search.searchAppId", "129538334471724607");
Line Deleted : user_pref("CT3042917.search.searchCount", "1");
Line Deleted : user_pref("CT3042917.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"4\"}");
Line Deleted : user_pref("CT3042917.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"data\":\"CT3042917\"}");
Line Deleted : user_pref("CT3042917.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"string\",\"data\":\"hxxp://ProdutoolsMaps.OurToolbar.com//xpi\"}");
Line Deleted : user_pref("CT3042917.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"string\",\"data\":\"Produtools Maps\"}");
Line Deleted : user_pref("CT3042917.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3042917.serviceLayer_service_usage_toolbarUsageCount", "{\"dataType\":\"number\",\"data\":\"2\"}");
Line Deleted : user_pref("CT3042917.serviceLayer_services_appTrackingFirstTime_lastUpdate", "1377562888458");
Line Deleted : user_pref("CT3042917.serviceLayer_services_appsMetadata_lastUpdate", "1377562768233");
Line Deleted : user_pref("CT3042917.serviceLayer_services_gottenAppsContextMenu_lastUpdate", "1377562888228");
Line Deleted : user_pref("CT3042917.serviceLayer_services_login_lastUpdate", "1377562768593");
Line Deleted : user_pref("CT3042917.serviceLayer_services_menu_769c590835a76d075fe33b9a87a87786_lastUpdate", "1377562890837");
Line Deleted : user_pref("CT3042917.serviceLayer_services_otherAppsContextMenu_lastUpdate", "1377562888304");
Line Deleted : user_pref("CT3042917.serviceLayer_services_serviceMap_lastUpdate", "1377562768085");
Line Deleted : user_pref("CT3042917.serviceLayer_services_toolbarContextMenu_lastUpdate", "1377562888130");
Line Deleted : user_pref("CT3042917.serviceLayer_services_toolbarGrouping_lastUpdate", "1362677489639");
Line Deleted : user_pref("CT3042917.serviceLayer_services_toolbarSettings_lastUpdate", "1377562768784");
Line Deleted : user_pref("CT3042917.serviceLayer_services_translation_lastUpdate", "1377562768222");
Line Deleted : user_pref("CT3042917.smartbar.CTID", "CT3042917");
Line Deleted : user_pref("CT3042917.smartbar.Uninstall", "0");
Line Deleted : user_pref("CT3042917.smartbar.homepage", true);
Line Deleted : user_pref("CT3042917.smartbar.toolbarName", "Produtools Maps ");
Line Deleted : user_pref("CT3042917.smartbar.userID", "UN70575128825659433");
Line Deleted : user_pref("CT3042917.toolbarBornServerTime", "24-10-2011");
Line Deleted : user_pref("CT3042917browser.search.defaultthis.engineName", true);
Line Deleted : user_pref("browser.search.defaultenginename", "MyStart Search");
Line Deleted : user_pref("browser.search.selectedEngine", "Produtools Maps Customized Web Search");
Line Deleted : user_pref("browser.startup.homepage", "hxxp://search.conduit.com/?ctid=CT3042917&SearchSource=13");

-\\ Google Chrome v29.0.1547.57

[ File : C:\Documents and Settings\jmorris\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [7314 octets] - [26/08/2013 19:23:46]
AdwCleaner[R1].txt - [7374 octets] - [26/08/2013 19:33:03]
AdwCleaner[S0].txt - [7421 octets] - [26/08/2013 19:34:42]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [7481 octets] ##########
 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.5.4 (08.22.2013:1)
OS: Microsoft Windows XP x86
Ran by jmorris on Mon 08/26/2013 at 19:39:21.15
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Emptied folder: C:\Documents and Settings\jmorris\Application Data\mozilla\firefox\profiles\2cmtnggw.default\minidumps [23 files]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 08/26/2013 at 19:49:18.43
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

 

 

ComboFix 13-08-25.01 - jmorris 08/26/2013  19:57:05.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1583 [GMT -5:00]
Running from: c:\documents and settings\jmorris\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-07-27 to 2013-08-27  )))))))))))))))))))))))))))))))
.
.
2013-08-27 00:39 . 2013-08-27 00:39    --------    d-----w-    c:\windows\ERUNT
2013-08-27 00:23 . 2013-08-27 00:34    --------    d-----w-    C:\AdwCleaner
2013-08-25 00:53 . 2013-08-25 00:53    --------    d-----w-    c:\program files\ESET
2013-08-21 11:35 . 2013-08-21 11:35    --------    d-----w-    c:\documents and settings\jmorris\Application Data\SUPERAntiSpyware.com
2013-08-21 11:35 . 2013-08-27 00:17    --------    d-----w-    c:\program files\SUPERAntiSpyware
2013-08-21 11:35 . 2013-08-21 11:35    --------    d-----w-    c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2013-08-21 00:48 . 2013-08-21 00:48    --------    d-----w-    c:\documents and settings\jmorris\Application Data\Malwarebytes
2013-08-21 00:48 . 2013-08-21 00:48    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2013-08-21 00:48 . 2013-08-21 00:48    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-08-21 00:48 . 2013-04-04 19:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-08-16 04:26 . 2013-08-16 04:26    --------    d-----w-    c:\documents and settings\jmorris\Application Data\ConsumerSoft
2013-08-16 04:11 . 2013-08-20 22:48    --------    d-----w-    c:\program files\ConsumerSoft
2013-08-16 01:55 . 2013-08-16 02:18    --------    d-----w-    c:\documents and settings\jmorris\Application Data\Wise Registry Cleaner
2013-08-16 01:54 . 2013-08-16 01:54    --------    d-----w-    c:\program files\Wise
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-24 20:30 . 2012-04-09 15:48    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-08-24 20:30 . 2011-06-16 12:56    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-29 15:55 . 2012-02-07 00:08    134104    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Photosmart 6520 series (NET)"="c:\program files\HP\HP Photosmart 6520 series\Bin\ScanToPCActivationApp.exe" [2012-10-17 1837672]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2013-08-12 5703408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
.
c:\documents and settings\jmorris\Start Menu\Programs\Startup\
Monitor Ink Alerts - HP Photosmart 6520 series (Network).lnk - c:\windows\SYSTEM32\RunDll32.exe "c:\program files\HP\HP Photosmart 6520 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=CN31E350D805XP;CONNECTION=NW;MONITOR=1; [2004-8-4 33280]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]
BK.CMD [2011-7-11 786]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [5/23/2013 3:11 PM 119056]
R3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.1.391.0\SeaPort.EXE [6/11/2012 4:22 PM 240208]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 4:47 AM 98304]
S2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.1.391.0\BBSvc.EXE [6/11/2012 4:22 PM 193616]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-08-24 19:28    1177552    ----a-w-    c:\program files\Google\Chrome\Application\29.0.1547.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 20:30]
.
2013-04-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2013-04-08 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Photosmart 6520 series\Bin\HPCustPartic.exe [2012-10-17 09:15]
.
2013-08-25 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Photosmart 6520 series\Bin\HPCustPartic.exe [2012-10-17 09:15]
.
2013-08-24 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Photosmart 6520 series\Bin\HPCustPartic.exe [2012-10-17 09:15]
.
2013-08-24 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Photosmart 6520 series\Bin\HPCustPartic.exe [2012-10-17 09:15]
.
2013-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-11 18:03]
.
2013-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-11 18:03]
.
2013-08-27 c:\windows\Tasks\User_Feed_Synchronization-{51117926-0B8F-4CB1-876A-E6A9A12527F2}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://mlswis.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\jmorris\Application Data\Mozilla\Firefox\Profiles\2cmtnggw.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - ExtSQL: !HIDDEN! 2009-09-02 12:21; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-MSN Toolbar - c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
HKLM-Run-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-08-26 20:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@DACL=(02 0000)
@="Wireless"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@DACL=(02 0000)
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=expand:"fdeploy.dll"
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@DACL=(02 0000)
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@DACL=(02 0000)
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@DACL=(02 0000)
@=""
"DLLName"="igfxdev.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2212)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-08-26  20:08:35
ComboFix-quarantined-files.txt  2013-08-27 01:08
.
Pre-Run: 40,410,746,880 bytes free
Post-Run: 43,311,009,792 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 63764E5CECEDCF9E307CAA313697A29E
B16A2359F4962B0C622D81A1C1F4B703
 

 

 

 

 Results of screen317's Security Check version 0.99.73  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 SUPERAntiSpyware     
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Wise Registry Cleaner 7.83  
 Java™ 6 Update 17  
 Java™ SE Runtime Environment 6 Update 1
 Java™ 6 Update 7  
 Java 2 Runtime Environment, SE v1.4.2_03
 Java 2 Runtime Environment, SE v1.4.2_06
 Java version out of Date!
 Adobe Flash Player     11.8.800.94  
 Adobe Reader XI  
 Mozilla Firefox 10.0 Firefox out of Date!  
 Google Chrome 26.0.1410.43  
 Google Chrome 29.0.1547.57  
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 9%
````````````````````End of Log``````````````````````
 

 

==========================

 

In terms of the system functioning, everything seemed to be running OK until I tried to bring up Firefox to access bleepingcomputer.com.  I think I released something since now I'm getting a cmd-line popup on every bootup stating:

 

Netowrk connection not found, Net help message 2250 & error 53

 

I also uninstalled MS security essentials before I began the logging process.  I've purchased a copy of Norton IS to install, but I wanted to wait until I get the OK from you before installing.  Until then, I've shutdown this computer.

 

Thanks again!



#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:43 AM

Posted 27 August 2013 - 09:00 AM

Can you navigate to this registry key.
http://social.technet.microsoft.com/Forums/windows/en-US/1f22d98f-e150-4a54-9967-1641fa86dbc5/windows-7-disconnected-network-drives-that-work-but-noway-of-disconnecting-the-mapping

From the Start run box execute
Regedit.exe

Check the key.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]

p.s. MountPoints2 is most like the key for you USB.

If the mapping is \\Eblaptop\F (for example) will show a registry subkey named as ##Eblaptop#F
you can delete it.
Restart the computer normally.

If not found but you have some other entries please copy them and post the results in your next reply.

If at any time you need help please ask before proceeing.

#6 jhoybs

jhoybs
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 28 August 2013 - 05:50 AM

nasdaq,

 

Here is that registry node - it looks fairly normal:

 

======================================

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0a93ef80-7a06-11d9-9da4-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0a93ef81-7a06-11d9-9da4-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,01,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,e0,00,00,00,09,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6d1fa286-0d32-11e3-a6e8-001111a9496a}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{0a93ef80-7a06-11d9-9da4-806d6172696f}]
"Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\
  47,00,45,00,23,00,56,00,6f,00,6c,00,75,00,6d,00,65,00,23,00,31,00,26,00,33,\
  00,30,00,61,00,39,00,36,00,35,00,39,00,38,00,26,00,30,00,26,00,53,00,69,00,\
  67,00,6e,00,61,00,74,00,75,00,72,00,65,00,34,00,31,00,41,00,42,00,32,00,33,\
  00,31,00,36,00,4f,00,66,00,66,00,73,00,65,00,74,00,31,00,46,00,36,00,30,00,\
  38,00,30,00,30,00,4c,00,65,00,6e,00,67,00,74,00,68,00,31,00,31,00,45,00,44,\
  00,44,00,43,00,32,00,34,00,30,00,30,00,23,00,7b,00,35,00,33,00,66,00,35,00,\
  36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,64,\
  00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,00,\
  39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
  65,00,7b,00,30,00,61,00,39,00,33,00,65,00,66,00,38,00,30,00,2d,00,37,00,61,\
  00,30,00,36,00,2d,00,31,00,31,00,64,00,39,00,2d,00,39,00,64,00,61,00,34,00,\
  2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
  00,7d,00,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,4e,00,\
  54,00,46,00,53,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,08,00,00,00,01,10,00,\
  00,ff,00,07,00,ff,00,00,00,16,00,00,00,50,aa,28,bc,00,00,00,00,00,00,00,30,\
  00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,\
  00
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{0a93ef81-7a06-11d9-9da4-806d6172696f}]
"Data"=hex:36,0b,00,00,5c,00,5c,00,3f,00,5c,00,49,00,44,00,45,00,23,00,43,00,\
  64,00,52,00,6f,00,6d,00,53,00,41,00,4d,00,53,00,55,00,4e,00,47,00,5f,00,43,\
  00,44,00,2d,00,52,00,23,00,52,00,57,00,5f,00,53,00,57,00,2d,00,32,00,35,00,\
  32,00,53,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,\
  00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,52,00,39,00,30,00,32,00,5f,00,5f,00,\
  5f,00,5f,00,23,00,35,00,26,00,31,00,34,00,35,00,61,00,30,00,61,00,38,00,66,\
  00,26,00,30,00,26,00,30,00,2e,00,30,00,2e,00,30,00,23,00,7b,00,35,00,33,00,\
  66,00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,\
  00,31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,\
  30,00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
  65,00,7b,00,30,00,61,00,39,00,33,00,65,00,66,00,38,00,31,00,2d,00,37,00,61,\
  00,30,00,36,00,2d,00,31,00,31,00,64,00,39,00,2d,00,39,00,64,00,61,00,34,00,\
  2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
  00,7d,00,5c,00,00,00,49,00,6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,49,00,\
  6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,2f,00,00,00,01,00,00,00,10,00,00,00,0f,01,00,\
  00,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,00,00,00,00,\
  00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"Generation"=dword:00000004
 

======================================

 

The computer is acting a little "odd" from time-to-time, but my friemd had run some registry cleaners which may have changed normal windows functioning.  For example, I believe the previous issue (Netowrk connection not found, Net help message 2250 & error 53) appears only when I disconnect the system from the network.

 

I did load Norton IS onto the system.  I started performing Windows updates and I will also make sure other apps such as browsers and Java are up-to-date. 



#7 jhoybs

jhoybs
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 28 August 2013 - 05:55 AM

The computer just "finished" installing Windows updates, all 35 critical & important updates failed:  "A problem on your computer is preventing updates from being downloaded or installed".  So either something is legitimately corrupted or some malware is still preventing updates.



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:43 AM

Posted 28 August 2013 - 09:42 AM

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#9 jhoybs

jhoybs
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 28 August 2013 - 07:07 PM

nasdaq,

 

Here are the results:

 

Farbar Service Scanner Version: 28-08-2013
Ran by jmorris (administrator) on 28-08-2013 at 17:58:50
Running from "C:\Documents and Settings\jmorris\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) SYMTDI(8) Tcpip(3)
0x080000000400000001000000020000000300000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****

 

 

I updated Firefox and Java.  When I tried to update Java via control panel, I got an error.  I manuualy downloaded the update and it appeared to install although I did get a "GetDefaultBrowsing: 2" error.  Windows updates also did install when I did a "shutdown".



#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:43 AM

Posted 29 August 2013 - 07:23 AM


Download the Java uninstaller and run the tool.

http://www.java.com/en/download/faq/uninstaller_toolinfo.xml

Restart the computer normally.

Close all windows and browsers, disconnect from the internet.

Run the Downloaded update programs you used previously to re install the application.

Restart the computer normally.

Connect to the internet and open the browsers and windows you need.

Keep me posted.

#11 jhoybs

jhoybs
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 30 August 2013 - 07:17 PM

There were roughly 8 versions of Java installed.  I tried many times to use the uninstall applet, but couldn't get it to work (turns out that Firefox was blocking the required plug-in).  I manualy uninstalled each one with Revo Uninstaller before finally getting the tool to run in IE.  When it did run, it stated that there was an error and to remove it manaully.  The manual instructions simply stated to uninstall everything via the control panel.

 

Everything seems to be running OK despite seeing some strange things from time-to-time.  As I mentioned, it is probably something that was broken with the multiple registry cleaners.

 

Thanks,

Jim



#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:43 AM

Posted 31 August 2013 - 08:17 AM

Everything seems to be running OK despite seeing some strange things from time-to-time

Any error message that could give us some lead.

#13 jhoybs

jhoybs
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 31 August 2013 - 09:01 AM

Well, I spoke too soon.  Norton Internnet Security's tray icon is randomly disappearing.  When its gone and you try to start the GUI from the Start menu, it never comes up.  I ran Norton's removal tool, rebooted and then reinstalled it; the behavior is the same.  Here is a list of the things I'm still seeing that are out-of-the-ordinary:

 

1) Norton GUI/tray icon randomly disappearing

2) Hardware found wizard pops up every boot trying to find a driver for an "Unknown" device - driver can't be found

3) Random DOS box error with "network connection not found", "type NET HELPMSG 2250", system error network path not found & system error "53"

 

Here are the things I've tried within the last 3 days:

1) Full Noton (IS 2013) scan - nothing found

2) Malwarebytes Anti-Rootkit scan- nothing found

3) Kaspersky TDSSKiller scan- nothing found

4) Junkware Removal Tool- nothing found

5) Norton Power Eraser - found 3 threats:

 

#1___________________________
____________________________
Developers Amazon Services LLC
Version 1.4.1.2
Identified 8/24/2013 at 10:17:51 PM
Last Used 8/31/2013 at 7:44:12 AM
Startup Item No
____________________________
____________________________
UNKNOWN
Number of users in the Norton Community that have used this file: Unknown
____________________________
UNKNOWN
This file release is currently not known.
____________________________
UNPROVEN
There is not enough information about this file to recommend it.
____________________________
____________________________
Threat Details
File Location
File:c:\documents and settings\jmorris\desktop\Norton_Internet_Security_2013_1_User_3_PC_Downloader JFTY38QMPPD8J6GV3C26VJHQD.exe
____________________________

File Thumbprint - SHA:
A720FC7D7DA978A753776B35F58D8D954A97F4322BD6FB77D406D524E3A5A7C5
____________________________

#2____________________________
Registry Key:HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\""
____________________________
____________________________
Registry Key:HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\""
____________________________

File Thumbprint - SHA:
Not Available
____________________________

#3____________________________
Registry Key:HKEY_USERS\S-1-5-21-16920479-93785806-3794411583-1005\SOFTWARE\Microsoft\Internet Explorer\Download\"RunInvalidSignatures"
____________________________
____________________________
Registry Key:HKEY_USERS\S-1-5-21-16920479-93785806-3794411583-1005\SOFTWARE\Microsoft\Internet Explorer\Download\"RunInvalidSignatures"
____________________________

File Thumbprint - SHA:
Not Available
____________________________
 



#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:43 AM

Posted 31 August 2013 - 10:13 AM

Developers Amazon Services LLC
Version 1.4.1.2
Identified 8/24/2013 at 10:17:51 PM
Last Used 8/31/2013 at 7:44:12 AM
Startup Item No


Do you use this service or have you used it in the past?
https://developer.amazon.com/
===

Delete the file in bold. Leave it in your Recycle bin. It Norton needs it you will be prompter that it's missing. You can then restore it.
File:c:\documents and settings\jmorris\desktop\Norton_Internet_Security_2013_1_User_3_PC_Downloader JFTY38QMPPD8J6GV3C26VJHQD.exe
===

Badly formed key for Firefox. If you have any problems with Firefox reinstall the application.
Registry Key:HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\""
I suggest you remove Firefox using the Add/Remove programs.
Restart the computer normally.
Reinstall the application.
===

HKEY_USERS\S-1-5-21-16920479-93785806-3794411583-1005\SOFTWARE\Microsoft\Internet Explorer\Download\"RunInvalidSignatures"

Allow software to run or install even if the signature is invalid.
===

Hardware found wizard pops up every boot trying to find a driver for an "Unknown" device - driver can't be found

This might be the culprit.

Please run Notepad and copy the following text into a new file:

sc config MpKsl43f07578 start= disabled
sc stop MpKsl43f07578
sc delete MpKsl43f07578


Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files". Locate remove.bat on the Desktop and double-click on it to run it. A DOS box will open and close, that is normal.
If any errors errors encountered please post.
When done you can delete the remove.bat file.

p.s. On a Vista/Windows7 Operating System run the remove.bat file as Administrator.
=========

Hardware found wizard pops up every boot trying to find a driver for an "Unknown" device - driver can't be found


Try this fix.

http://uk.support.tomtom.com/app/answers/detail/a_id/7046/~/vista-cant-find-device-drivers.-what-should-i-do%3F

#15 jhoybs

jhoybs
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 31 August 2013 - 11:57 AM

I failed to mention that Norton Power Eraser did state that it was successful removing the 3 previously posted threats.

 

I ran the remove.bat from the desktop, but the window closed so fast I couldn't read any results.  I reran the batch file from within a command line window and got 3 "the service does not exist" messages.  The "NET HELPMSG 2250" sequence still appears on every bootup.

 

I followed the "tomtom" instructions and it didn't work.  No driver was found whether I pointed to windows/system32 or to Windows Update.  Previously I had tried to delete the device and rescan and it always came back.  This time I tried to uninstall the unknown device and it seems to have disappeared and not come back.  It no longer pops up on bootup.

 

I (again) used the Norton removal tool, removed NIS and reinstalled it.  So far I've performed 3 system restarts with no "new device founds" popping up and Norton's icon is consistently in the system tray (& GUI comes up).






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users