
Possible Rootkit & Email is Sending out Thousands of Emails Hourly


  • This topic is locked
11 replies to this topic

#1 thetshirtguys
  • Members
  • 5 posts

Posted 13 December 2013 - 01:03 PM

My email has been blacklisted and flagged for sending out spam and I think I might have a rootkit of some kind. Here is my DDS log.

Thanks for any help you can offer me.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.45.2
Run by Darin at 11:38:23 on 2013-12-13
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2036.718 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ================
.
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\NCR\Passport Web Edition\pwecsrvc.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\Program Files\Dell Printers\Additional Color Laser Software\Updater\DLUPDR.EXE
C:\Program Files\Dell Printers\Additional Color Laser Software\Launcher\DLQLU.EXE
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Intuit\QuickBooks 2006\QBW32.EXE
C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Application Data\Dropbox\bin\Dropbox.exe
C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.usatoday.com/
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - c:\program files\mcafee security scan\3.8.130\McAfeeMSS_IE.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Passport Web Edition Client] c:\program files\ncr\passport web edition\pwecsrvc.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe  startup
mRun: [DLPSP] "c:\program files\dell printers\additional color laser software\status monitor\DLPSP.EXE"
mRun: [DLUPDR] "c:\program files\dell printers\additional color laser software\updater\DLUPDR.EXE"
mRun: [DLQLU] "c:\program files\dell printers\additional color laser software\launcher\DLQLU.EXE" /S
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\darin~1.use\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\darin.user-4d5fd8d5ec\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.8.130\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\intuit\quickbooks 2006\QBW32.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1342574463938
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 66.180.96.12 64.238.96.12
TCP: Interfaces\{6EABB81A-0E83-4C20-B2D9-2EB3329C06A0} : DHCPNameServer = 66.180.96.12 64.238.96.12
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - c:\program files\intuit\quickbooks 2006\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\31.0.1650.63\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\darin.user-4d5fd8d5ec\application data\mozilla\firefox\profiles\2g9gs5tr.default\
FF - prefs.js: browser.startup.homepage - GOOGLE.COM
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mcafee security scan\3.8.130\npMcAfeeMSS.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1205146.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_170.dll
FF - ExtSQL: !HIDDEN! 2010-10-08 16:35; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 214696]
R1 MpKsl99d0553e;MpKsl99d0553e;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{93bd6da8-6f27-4a51-a998-5f67e8ac9f43}\MpKsl99d0553e.sys [2013-12-13 40392]
R2 DLSDB;Dell Printer Status Database;c:\program files\dell printers\additional color laser software\status monitor\dlsdbnt.exe [2012-8-20 226696]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-12 375120]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 13624]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-11-13 47640]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2013-2-28 36600]
R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2012-3-14 1248256]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2013-10-3 1817560]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2013-10-3 1033688]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-12-13 51416]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-12-13 104664]
R3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\drivers\TSUSB2.sys [2010-3-1 54016]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2013-10-3 171928]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.8.130\McCHSvc.exe [2013-9-6 235216]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== File Associations ===============
.
ShellExec: Foxit Reader.exe: print="c:\program files\foxit software\foxit reader\Foxit Reader.exe"/p "%1"
ShellExec: Foxit Reader.exe: printto="c:\program files\foxit software\foxit reader\Foxit Reader.exe"/t "%1" "%2" "%3" "%4"
.
=============== Created Last 30 ================
.
2013-12-13 17:25:22    --------    d-----w-    c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)
2013-12-13 16:59:46    40392    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{93bd6da8-6f27-4a51-a998-5f67e8ac9f43}\MpKsl99d0553e.sys
2013-12-13 16:43:54    --------    d-sha-r-    C:\cmdcons
2013-12-13 16:43:06    51416    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-12-13 16:41:31    256000    ----a-w-    c:\windows\PEV.exe
2013-12-13 16:41:31    208896    ----a-w-    c:\windows\MBR.exe
2013-12-13 16:41:30    98816    ----a-w-    c:\windows\sed.exe
2013-12-13 16:32:36    104664    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2013-12-13 09:36:06    7772552    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{93bd6da8-6f27-4a51-a998-5f67e8ac9f43}\mpengine.dll
2013-12-12 09:35:39    7772552    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-11-14 04:17:39    53248    ----a-w-    c:\windows\system32\zlib.dll
.
==================== Find3M  ====================
.
2013-12-11 00:36:39    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-11 00:36:39    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-11-19 10:21:30    230048    ------w-    c:\windows\system32\MpSigStub.exe
2013-11-13 02:59:42    150528    ----a-w-    c:\windows\system32\imagehlp.dll
2013-11-07 05:38:51    591360    ----a-w-    c:\windows\system32\rpcrt4.dll
2013-11-06 01:03:31    7168    ----a-w-    c:\windows\system32\xpsp4res.dll
2013-10-30 02:26:17    1879040    ----a-w-    c:\windows\system32\win32k.sys
2013-10-29 07:57:34    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-10-29 07:57:33    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-10-29 07:57:33    18944    ----a-w-    c:\windows\system32\corpol.dll
2013-10-29 07:57:33    1469440    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-10-29 00:45:02    385024    ----a-w-    c:\windows\system32\html.iec
2013-10-23 23:45:49    172032    ----a-w-    c:\windows\system32\scrrun.dll
2013-10-12 15:56:19    278528    ----a-w-    c:\windows\system32\oakley.dll
2013-10-09 13:12:48    287744    ----a-w-    c:\windows\system32\gdi32.dll
2013-10-08 12:50:41    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-10-08 12:29:36    145408    ----a-w-    c:\windows\system32\javacpl.cpl
2013-10-07 10:59:21    603136    ----a-w-    c:\windows\system32\crypt32.dll
2013-09-27 15:53:06    214696    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2009-02-11 17:31:00    18577512    ----a-w-    c:\program files\SAGEOnlineSetup.exe
.
============= FINISH: 11:40:44.85 ===============


#2 HelpBot
    Bleepin' Binary Bot
  • Bots
  • 12,744 posts

Posted 18 December 2013 - 01:05 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/517363 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 thetshirtguys
  • Topic Starter
  • Members
  • 5 posts

Posted 18 December 2013 - 01:30 PM

My computer is still sending out spam messages and now it has started to restart by itself. I've run nothing so far in terms of scanners and I DO NOT have my original Windows CD.

Thanks!

Here is my new log

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.45.2
Run by Darin at 12:26:54 on 2013-12-18
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2036.928 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ================
.
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\NCR\Passport Web Edition\pwecsrvc.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\Program Files\Dell Printers\Additional Color Laser Software\Updater\DLUPDR.EXE
C:\Program Files\Dell Printers\Additional Color Laser Software\Launcher\DLQLU.EXE
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Intuit\QuickBooks 2006\QBW32.EXE
C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Application Data\Dropbox\bin\Dropbox.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.usatoday.com/
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Passport Web Edition Client] c:\program files\ncr\passport web edition\pwecsrvc.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe  startup
mRun: [DLPSP] "c:\program files\dell printers\additional color laser software\status monitor\DLPSP.EXE"
mRun: [DLUPDR] "c:\program files\dell printers\additional color laser software\updater\DLUPDR.EXE"
mRun: [DLQLU] "c:\program files\dell printers\additional color laser software\launcher\DLQLU.EXE" /S
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\darin~1.use\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\darin.user-4d5fd8d5ec\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\intuit\quickbooks 2006\QBW32.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1342574463938
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0017-0000-0045-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 66.180.96.12 64.238.96.12
TCP: Interfaces\{6EABB81A-0E83-4C20-B2D9-2EB3329C06A0} : DHCPNameServer = 66.180.96.12 64.238.96.12
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - c:\program files\intuit\quickbooks 2006\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\31.0.1650.63\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\darin.user-4d5fd8d5ec\application data\mozilla\firefox\profiles\2g9gs5tr.default\
FF - prefs.js: browser.startup.homepage - GOOGLE.COM
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1205146.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1207148.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_170.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: !HIDDEN! 2010-10-08 16:35; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 214696]
R1 MpKsl082cc458;MpKsl082cc458;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b23002d2-d2c7-4b8d-85ec-ff50bf2487fa}\MpKsl082cc458.sys [2013-12-18 40392]
R2 DLSDB;Dell Printer Status Database;c:\program files\dell printers\additional color laser software\status monitor\dlsdbnt.exe [2012-8-20 226696]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-12 375120]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 13624]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-11-13 47640]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2013-2-28 36600]
R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2012-3-14 1248256]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2013-10-3 1817560]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2013-10-3 1033688]
R3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\drivers\TSUSB2.sys [2010-3-1 54016]
RUnknown MpKsl2ba5cea1;MpKsl2ba5cea1; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2013-10-3 171928]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== File Associations ===============
.
ShellExec: Foxit Reader.exe: print="c:\program files\foxit software\foxit reader\Foxit Reader.exe"/p "%1"
ShellExec: Foxit Reader.exe: printto="c:\program files\foxit software\foxit reader\Foxit Reader.exe"/t "%1" "%2" "%3" "%4"
.
=============== Created Last 30 ================
.
2013-12-18 16:41:07    40392    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b23002d2-d2c7-4b8d-85ec-ff50bf2487fa}\MpKsl082cc458.sys
2013-12-18 16:11:43    40392    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b23002d2-d2c7-4b8d-85ec-ff50bf2487fa}\MpKsl2ba5cea1.sys
2013-12-18 05:35:55    40392    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b23002d2-d2c7-4b8d-85ec-ff50bf2487fa}\MpKsl28c7dfec.sys
2013-12-18 05:34:07    7760024    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b23002d2-d2c7-4b8d-85ec-ff50bf2487fa}\mpengine.dll
2013-12-18 04:02:37    772504    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-12-18 04:02:37    687504    ----a-w-    c:\windows\system32\deployJava1.dll
2013-12-17 19:52:23    7760024    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-12-13 17:25:22    --------    d-----w-    c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)
2013-12-13 16:43:54    --------    d-sha-r-    C:\cmdcons
2013-12-13 16:43:06    51416    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-12-13 16:41:31    256000    ----a-w-    c:\windows\PEV.exe
2013-12-13 16:41:31    208896    ----a-w-    c:\windows\MBR.exe
2013-12-13 16:41:30    98816    ----a-w-    c:\windows\sed.exe
.
==================== Find3M  ====================
.
2013-12-18 01:46:21    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-18 01:46:21    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-12-13 14:16:05    86888    ----a-w-    c:\windows\system32\LMIRfsClientNP.dll
2013-12-13 14:16:05    53064    ----a-w-    c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2013-12-13 14:16:04    85832    ----a-w-    c:\windows\system32\LMIinit.dll
2013-12-13 14:16:04    31560    ----a-w-    c:\windows\system32\LMIport.dll
2013-11-19 10:21:30    230048    ------w-    c:\windows\system32\MpSigStub.exe
2013-11-14 04:17:39    53248    ----a-w-    c:\windows\system32\zlib.dll
2013-11-13 02:59:42    150528    ----a-w-    c:\windows\system32\imagehlp.dll
2013-11-07 05:38:51    591360    ----a-w-    c:\windows\system32\rpcrt4.dll
2013-11-06 01:03:31    7168    ----a-w-    c:\windows\system32\xpsp4res.dll
2013-10-30 02:26:17    1879040    ----a-w-    c:\windows\system32\win32k.sys
2013-10-29 07:57:34    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-10-29 07:57:33    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-10-29 07:57:33    18944    ----a-w-    c:\windows\system32\corpol.dll
2013-10-29 07:57:33    1469440    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-10-29 00:45:02    385024    ----a-w-    c:\windows\system32\html.iec
2013-10-23 23:45:49    172032    ----a-w-    c:\windows\system32\scrrun.dll
2013-10-12 15:56:19    278528    ----a-w-    c:\windows\system32\oakley.dll
2013-10-09 13:12:48    287744    ----a-w-    c:\windows\system32\gdi32.dll
2013-10-08 12:50:41    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-10-08 12:29:36    145408    ----a-w-    c:\windows\system32\javacpl.cpl
2013-10-07 10:59:21    603136    ----a-w-    c:\windows\system32\crypt32.dll
2013-09-27 15:53:06    214696    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2009-02-11 17:31:00    18577512    ----a-w-    c:\program files\SAGEOnlineSetup.exe
.
============= FINISH: 12:27:55.18 ===============
 



#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,761 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:09:41 AM

Posted 20 December 2013 - 08:06 PM

Greetings thetshirtguys and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please run this program for me.

===================================================

Run TDSSKiller by Kaspersky on XP

--------------------
  • Please download Kaspersky's TDSSKiller and save it to your Desktop. <-Important!!!
  • If you desire you may print out and follow the instructions for performing a scan.
  • Double-click on TDSSKiller.exe.
  • When the program opens, click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • Any objects found will show in the Scan results - Select action for found objects and offer three options.
  • If an infected file is detected, the default action will be Cure...do not change it.


  • Click Continue > Reboot now to finish the cleaning process.<- Important!!


  • If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer or to perform the scan in "safe mode".

===================================================

Obtaining Current ComboFix.txt

--------------------

Please copy and paste the contents of the following file in your reply.


C:\ComboFix.txt


===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • TDSSKiller log
  • Combofix log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 thetshirtguys

thetshirtguys
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:41 AM

Posted 23 December 2013 - 12:02 PM

Here is the ComboFix log; TDSSKiller did not find any threats, so there was no log.

 

ComboFix 13-12-17.02 - Darin 12/17/2013  22:42:34.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2036.1277 [GMT -6:00]
Running from: c:\documents and settings\Darin.USER-4D5FD8D5EC\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((   Files Created from 2013-11-18 to 2013-12-18  )))))))))))))))))))))))))))))))
.
.
2013-12-18 04:10 . 2013-12-18 04:10    40392    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2EB2A681-35F3-4D16-9ED8-AD441B6BCC4A}\MpKslf2bb3ae3.sys
2013-12-18 04:02 . 2012-05-05 00:29    772504    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-12-18 04:02 . 2012-05-05 00:29    687504    ----a-w-    c:\windows\system32\deployJava1.dll
2013-12-18 01:39 . 2013-12-04 02:57    7760024    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2EB2A681-35F3-4D16-9ED8-AD441B6BCC4A}\mpengine.dll
2013-12-17 19:52 . 2013-12-04 02:57    7760024    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-12-13 17:25 . 2013-12-13 19:57    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-12-13 16:43 . 2013-12-13 17:25    51416    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-18 01:46 . 2012-04-19 01:13    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-12-18 01:46 . 2011-05-17 22:55    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-13 14:16 . 2008-11-13 22:23    53064    ----a-w-    c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2013-12-13 14:16 . 2008-11-13 22:23    86888    ----a-w-    c:\windows\system32\LMIRfsClientNP.dll
2013-12-13 14:16 . 2008-11-13 22:23    31560    ----a-w-    c:\windows\system32\LMIport.dll
2013-12-13 14:16 . 2008-11-13 22:23    85832    ----a-w-    c:\windows\system32\LMIinit.dll
2013-11-19 10:21 . 2010-01-22 03:26    230048    ------w-    c:\windows\system32\MpSigStub.exe
2013-11-14 04:17 . 2013-11-14 04:17    53248    ----a-w-    c:\windows\system32\zlib.dll
2013-11-13 02:59 . 2008-04-14 12:00    150528    ----a-w-    c:\windows\system32\imagehlp.dll
2013-11-07 05:38 . 2008-04-14 12:00    591360    ----a-w-    c:\windows\system32\rpcrt4.dll
2013-11-06 01:03 . 2009-04-16 11:30    7168    ----a-w-    c:\windows\system32\xpsp4res.dll
2013-10-30 02:26 . 2008-04-14 12:00    1879040    ----a-w-    c:\windows\system32\win32k.sys
2013-10-29 07:57 . 2008-04-14 12:00    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-10-29 07:57 . 2008-04-14 12:00    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-10-29 07:57 . 2008-04-14 12:00    18944    ----a-w-    c:\windows\system32\corpol.dll
2013-10-29 07:57 . 2008-04-14 12:00    1469440    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-10-29 00:45 . 2008-04-14 12:00    385024    ----a-w-    c:\windows\system32\html.iec
2013-10-23 23:45 . 2008-04-14 12:00    172032    ----a-w-    c:\windows\system32\scrrun.dll
2013-10-12 15:56 . 2008-04-14 12:00    278528    ----a-w-    c:\windows\system32\oakley.dll
2013-10-09 13:12 . 2008-04-14 12:00    287744    ----a-w-    c:\windows\system32\gdi32.dll
2013-10-08 12:50 . 2013-10-21 02:36    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-10-08 12:29 . 2008-11-13 21:35    145408    ----a-w-    c:\windows\system32\javacpl.cpl
2013-10-07 10:59 . 2008-04-14 12:00    603136    ----a-w-    c:\windows\system32\crypt32.dll
2013-09-27 15:53 . 2011-04-18 18:18    214696    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2009-02-11 17:31 . 2009-02-11 17:30    18577512    ----a-w-    c:\program files\SAGEOnlineSetup.exe
2006-01-31 15:21 . 2013-11-18 16:06    40960    ----a-w-    c:\program files\mozilla firefox\plugins\formback.dll
2006-01-31 15:21 . 2013-11-18 16:06    53248    ----a-w-    c:\program files\mozilla firefox\plugins\formcal.dll
2006-01-31 15:21 . 2013-11-18 16:06    86016    ----a-w-    c:\program files\mozilla firefox\plugins\formclok.dll
2006-01-31 15:21 . 2013-11-18 16:06    65536    ----a-w-    c:\program files\mozilla firefox\plugins\formfade.dll
2006-01-31 15:21 . 2013-11-18 16:06    77824    ----a-w-    c:\program files\mozilla firefox\plugins\formfile.dll
2006-01-31 15:22 . 2013-11-18 16:06    143360    ----a-w-    c:\program files\mozilla firefox\plugins\formflds.dll
2006-01-31 15:22 . 2013-11-18 16:06    53248    ----a-w-    c:\program files\mozilla firefox\plugins\formgif.dll
2006-01-31 15:22 . 2013-11-18 16:06    167936    ----a-w-    c:\program files\mozilla firefox\plugins\formgrid.dll
2006-01-31 15:22 . 2013-11-18 16:06    45056    ----a-w-    c:\program files\mozilla firefox\plugins\formhpic.dll
2006-01-31 15:22 . 2013-11-18 16:06    57344    ----a-w-    c:\program files\mozilla firefox\plugins\formicon.dll
2006-01-31 15:23 . 2013-11-18 16:06    53248    ----a-w-    c:\program files\mozilla firefox\plugins\forminfo.dll
2006-01-31 15:23 . 2013-11-18 16:06    147456    ----a-w-    c:\program files\mozilla firefox\plugins\formjpeg.dll
2006-01-31 15:23 . 2013-11-18 16:06    49152    ----a-w-    c:\program files\mozilla firefox\plugins\formlink.dll
2006-01-31 15:23 . 2013-11-18 16:06    45056    ----a-w-    c:\program files\mozilla firefox\plugins\formmarq.dll
2006-01-31 15:24 . 2013-11-18 16:06    143360    ----a-w-    c:\program files\mozilla firefox\plugins\formmask.dll
2006-01-31 15:24 . 2013-11-18 16:06    61440    ----a-w-    c:\program files\mozilla firefox\plugins\formport.dll
2006-01-31 15:24 . 2013-11-18 16:06    106496    ----a-w-    c:\program files\mozilla firefox\plugins\formpri.dll
2006-01-31 15:24 . 2013-11-18 16:06    49152    ----a-w-    c:\program files\mozilla firefox\plugins\formprog.dll
2006-01-31 15:24 . 2013-11-18 16:06    77824    ----a-w-    c:\program files\mozilla firefox\plugins\formqt3.dll
2006-01-31 15:24 . 2013-11-18 16:06    49152    ----a-w-    c:\program files\mozilla firefox\plugins\formroll.dll
2006-01-31 15:24 . 2013-11-18 16:06    45056    ----a-w-    c:\program files\mozilla firefox\plugins\formsbar.dll
2006-01-31 15:24 . 2013-11-18 16:06    53248    ----a-w-    c:\program files\mozilla firefox\plugins\formslid.dll
2006-01-31 15:25 . 2013-11-18 16:06    65536    ----a-w-    c:\program files\mozilla firefox\plugins\formtbar.dll
2006-01-31 15:25 . 2013-11-18 16:06    36864    ----a-w-    c:\program files\mozilla firefox\plugins\formtile.dll
2006-01-31 15:25 . 2013-11-18 16:06    45056    ----a-w-    c:\program files\mozilla firefox\plugins\formtime.dll
2006-01-31 15:25 . 2013-11-18 16:06    40960    ----a-w-    c:\program files\mozilla firefox\plugins\formtran.dll
2006-01-31 15:25 . 2013-11-18 16:06    77824    ----a-w-    c:\program files\mozilla firefox\plugins\formtree.dll
2006-01-31 15:25 . 2013-11-18 16:06    45056    ----a-w-    c:\program files\mozilla firefox\plugins\formwash.dll
2005-10-05 19:03 . 2013-11-18 16:06    122880    ----a-w-    c:\program files\mozilla firefox\plugins\orfc.dll
2006-01-31 15:28 . 2013-11-18 16:06    200704    ----a-w-    c:\program files\mozilla firefox\plugins\orfcexec.dll
2006-01-31 15:20 . 2013-11-18 16:06    245760    ----a-w-    c:\program files\mozilla firefox\plugins\orfcgui.dll
2006-01-31 15:21 . 2013-11-18 16:06    249856    ----a-w-    c:\program files\mozilla firefox\plugins\orfcmain.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09    131248    ----a-w-    c:\documents and settings\Darin.USER-4D5FD8D5EC\Application Data\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09    131248    ----a-w-    c:\documents and settings\Darin.USER-4D5FD8D5EC\Application Data\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09    131248    ----a-w-    c:\documents and settings\Darin.USER-4D5FD8D5EC\Application Data\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09    131248    ----a-w-    c:\documents and settings\Darin.USER-4D5FD8D5EC\Application Data\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-18 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-18 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-18 131072]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-18 16859648]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-25 63048]
"Passport Web Edition Client"="c:\program files\NCR\Passport Web Edition\pwecsrvc.exe" [2010-03-09 20579]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 948440]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2013-11-08 2829624]
"DLPSP"="c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [2010-06-01 886152]
"DLUPDR"="c:\program files\Dell Printers\Additional Color Laser Software\Updater\DLUPDR.EXE" [2010-06-01 566680]
"DLQLU"="c:\program files\Dell Printers\Additional Color Laser Software\Launcher\DLQLU.EXE" [2010-06-01 1127744]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Darin.USER-4D5FD8D5EC\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Darin.USER-4D5FD8D5EC\Application Data\Dropbox\bin\Dropbox.exe /systemstartup [2013-11-1 29769432]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe /Startup [2013-11-8 6282040]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2013-11-8 1176904]
QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2006\QBW32.EXE -silent [2013-11-8 1182024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2013-12-13 14:16    85832    ----a-w-    c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Darin.USER-4D5FD8D5EC^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Darin.USER-4D5FD8D5EC\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Darin.USER-4D5FD8D5EC^Start Menu^Programs^Startup^SAGEim.lnk]
path=c:\documents and settings\Darin.USER-4D5FD8D5EC\Start Menu\Programs\Startup\SAGEim.lnk
backup=c:\windows\pss\SAGEim.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06    958576    ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2007-05-15 23:55    1057328    ----a-w-    c:\program files\Nero\Nero 7\InCD\InCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-10-02 00:57    289576    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-06 06:55    54832    ----a-w-    c:\program files\CyberLink\PowerDVD\Language\Language.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 23:57    153136    ----a-w-    c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 21:09    413696    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 23:10    56928    ------w-    c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
2007-05-15 23:55    1628208    ----a-w-    c:\program files\Nero\Nero 7\InCD\NBHGui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-07-02 14:16    254336    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\NCR\\Passport Web Edition\\pwecsrvc.exe"=
"c:\\Documents and Settings\\Darin.USER-4D5FD8D5EC\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"2530:UDP"= 2530:UDP:UDP 2530
"7097:TCP"= 7097:TCP:TCP 7097
.
R1 MpKslf2bb3ae3;MpKslf2bb3ae3;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2EB2A681-35F3-4D16-9ED8-AD441B6BCC4A}\MpKslf2bb3ae3.sys [12/17/2013 10:10 PM 40392]
R2 DLSDB;Dell Printer Status Database;c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe [8/20/2012 9:43 AM 226696]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/12/2010 6:04 PM 375120]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 8:46 PM 13624]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2/28/2013 7:48 PM 36600]
R2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [3/14/2012 4:06 AM 1248256]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [10/3/2013 11:02 AM 1817560]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [10/3/2013 11:02 AM 1033688]
R3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\drivers\TSUSB2.sys [3/1/2010 10:00 AM 54016]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [10/3/2013 11:02 AM 171928]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - LMIGUARDIANSVC
*NewlyCreated* - LMIMAINT
*NewlyCreated* - MPKSLF2BB3AE3
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-12-05 07:37    1210320    ----a-w-    c:\program files\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-19 01:46]
.
2013-12-18 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-10-03 15:58]
.
2013-12-17 c:\windows\Tasks\CloneVVPtoOffsite.job
- c:\documents and settings\Darin.USER-4D5FD8D5EC\CloneVVPtoOffsite.bat [2008-12-05 02:04]
.
2010-11-05 c:\windows\Tasks\darin-daily-group_1_every_1_days.job
- c:\documents and settings\Darin.USER-4D5FD8D5EC\darin-daily-group_1_every_1_days.bat [2008-12-04 05:37]
.
2010-11-05 c:\windows\Tasks\darin-daily-group_1_every_35_days.job
- c:\documents and settings\Darin.USER-4D5FD8D5EC\darin-daily-group_1_every_35_days.bat [2008-12-04 05:37]
.
2010-11-05 c:\windows\Tasks\darin-daily-group_1_every_7_days.job
- c:\documents and settings\Darin.USER-4D5FD8D5EC\darin-daily-group_1_every_7_days.bat [2008-12-04 05:37]
.
2010-11-05 c:\windows\Tasks\darin-daily-group_2_every_1_days.job
- c:\documents and settings\Darin.USER-4D5FD8D5EC\darin-daily-group_2_every_1_days.bat [2008-12-05 02:08]
.
2010-11-05 c:\windows\Tasks\darin-daily-group_2_every_35_days.job
- c:\documents and settings\Darin.USER-4D5FD8D5EC\darin-daily-group_2_every_35_days.bat [2008-12-05 02:08]
.
2010-11-05 c:\windows\Tasks\darin-daily-group_2_every_7_days.job
- c:\documents and settings\Darin.USER-4D5FD8D5EC\darin-daily-group_2_every_7_days.bat [2008-12-05 02:08]
.
2013-12-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-06 01:50]
.
2013-12-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-06 01:50]
.
2013-12-18 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-10-23 21:01]
.
2013-12-11 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-10-03 15:57]
.
2013-11-01 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-10-03 15:58]
.
2013-12-17 c:\windows\Tasks\SyncBack Darin Desktop.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2011-05-18 20:42]
.
2013-12-17 c:\windows\Tasks\SyncBack Darin Documents.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2011-05-18 20:42]
.
2013-12-17 c:\windows\Tasks\SyncBack Darin Favorites.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2011-05-18 20:42]
.
2013-12-18 c:\windows\Tasks\SyncBack QB Bup.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2011-05-18 20:42]
.
2013-01-17 c:\windows\Tasks\SyncToyCmd.job
- c:\program files\SyncToy 2.1\SyncToyCmd.exe [2009-10-19 07:58]
.
2013-01-17 c:\windows\Tasks\SyncToyDropbox.job
- c:\program files\SyncToy 2.1\SyncToyCmd.exe [2009-10-19 07:58]
.
2013-12-18 c:\windows\Tasks\User_Feed_Synchronization-{FE0EDA90-3C20-4601-B08E-D4B4F611FA7B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.usatoday.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 66.180.96.12 64.238.96.12
FF - ProfilePath - c:\documents and settings\Darin.USER-4D5FD8D5EC\Application Data\Mozilla\Firefox\Profiles\2g9gs5tr.default\
FF - prefs.js: browser.startup.homepage - GOOGLE.COM
FF - ExtSQL: !HIDDEN! 2010-10-08 16:35; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-12-17 22:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'explorer.exe'(3488)
c:\windows\system32\WININET.dll
c:\documents and settings\Darin.USER-4D5FD8D5EC\Application Data\Dropbox\bin\DropboxExt.22.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-12-17  22:49:47
ComboFix-quarantined-files.txt  2013-12-18 04:49
ComboFix2.txt  2013-12-13 17:13
.
Pre-Run: 65,402,757,120 bytes free
Post-Run: 65,639,505,920 bytes free
.
- - End Of File - - 27F80D3A5E6D85E57873DBDD069F54C5
8F558EB6672622401DA993E1E865C861
 



#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,761 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:09:41 AM

Posted 23 December 2013 - 02:15 PM

Thank you for the information. Do you recognize this? 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7097:TCP"= 7097:TCP:TCP 7097


===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your desktop
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should
  • Double click the icon
  • Click Yes to the disclaimer
  • Make sure Addition.txt is checked
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply
===================================================

TCPView

--------------
  • Please download TCPView and save it to your desktop
  • Unzip the contents
  • Double click Tcpview.exe (not Tcpvcon.exe), select Run, then Agree
  • A report will open
  • Click File, Save As..., then select Desktop on the left side
  • Type TCPView in the File name: box then click Save
  • Please attach this report to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Farbar logs (2)
  • TCPView log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 thetshirtguys

thetshirtguys
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:41 AM

Posted 23 December 2013 - 02:26 PM

I don't recognize what you quoted in your reply, BTW.

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 23-12-2013
Ran by Darin at 2013-12-23 13:23:06
Running from C:\Documents and Settings\Darin.USER-4D5FD8D5EC\My Documents\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: Microsoft Security Essentials (Disabled - Up to date) {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials (Disabled - Up to date) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

==================== Installed Programs ======================

Adobe Acrobat 5.0 (Version: 5.0)
Adobe AIR (Version: 1.0.4990)
Adobe AIR (Version: 1.0.8.4990)
Adobe Flash Player 11 ActiveX (Version: 11.9.900.170)
Adobe Flash Player 11 Plugin (Version: 11.9.900.170)
Adobe Reader X (10.1.8) (Version: 10.1.8)
Adobe Shockwave Player 12.0 (Version: 12.0.7.148)
Apple Software Update (Version: 2.1.1.116)
Areca
Avery Template (Version: 2.0.0.0)
Belarc Advisor 7.2
Bonjour (Version: 1.0.105)
BurnInTest v3.2 Standard (Version: 3.2)
CCleaner (Version: 4.08)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Critical Update for Windows Media Player 11 (KB959772)
CryptoPrevent v4.1.0
Dell Printer Software (Version: 1.00.000)
Dropbox (HKCU Version: 2.4.10)
DVD Suite (Version: 5.0.1319)
Foxit PDF Editor
Foxit Reader (Version: 6.0.6.722)
Google Chrome (Version: 31.0.1650.63)
Google Update Helper (Version: 1.3.22.3)
Intel® Graphics Media Accelerator Driver
Intel® Network Connections 12.4.38.0 (Version: 12.4.38.0)
iTunes (Version: 8.0.1.11)
Java 7 Update 45 (Version: 7.0.450)
Java Auto Updater (Version: 2.1.9.8)
LogMeIn (Version: 4.0.784)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Primary Interop Assemblies (Version: 11.0.6553.0)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Small Business Edition 2003 (Version: 11.0.8173.0)
Microsoft Security Client (Version: 4.4.0304.0)
Microsoft Security Essentials (Version: 4.4.304.0)
Microsoft Silverlight (Version: 5.1.20913.0)
Microsoft Sync Framework 2.0 Core Components (x86) ENU  (Version: 2.0.1578.0)
Microsoft Sync Framework 2.0 Provider Services (x86) ENU  (Version: 2.0.1578.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual Studio 2005 Tools for Office Runtime (Version: 8.0.60940.0)
Mozilla Firefox 26.0 (x86 en-US) (Version: 26.0)
Mozilla Maintenance Service (Version: 26.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
Nero 7 Essentials (Version: 7.02.8507)
neroxml (Version: 1.0.0)
Nmap 6.40
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
PassportWebClient (Version: 3.01.00.05)
PowerDVD (Version: 7.0.2414.0)
PowerProducer
QuickBooks (Version: 22.0.4015.2206)
QuickBooks Pro 2012 (Version: 22.0.4015.2206)
QuickTime (Version: 7.55.90.70)
Realtek High Definition Audio Driver (Version: 5.10.0.5548)
SAGEim (Version: 1.00.0000)
SAGE-Online (Version: 5.00.0000)
Spybot - Search & Destroy (Version: 2.1.21)
swMSM (Version: 12.0.0.1)
SyncBack
SyncToy 2.1 (x86) (Version: 2.1.0)
TreeSize Free V2.7 (Version: 2.7)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2836939) (Version: 1)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2362765) (Version: 1)
Update for Windows Internet Explorer 8 (KB2447568) (Version: 1)
Update for Windows Internet Explorer 8 (KB2598845) (Version: 1)
Update for Windows Internet Explorer 8 (KB2632503) (Version: 1)
Update for Windows Internet Explorer 8 (KB969497) (Version: 1)
Update for Windows Internet Explorer 8 (KB971180) (Version: 1)
Update for Windows Internet Explorer 8 (KB972636) (Version: 1)
Update for Windows Internet Explorer 8 (KB973874) (Version: 1)
Update for Windows Internet Explorer 8 (KB975364) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows Internet Explorer 8 (KB976749) (Version: 1)
Update for Windows Internet Explorer 8 (KB978506) (Version: 1)
Update for Windows Internet Explorer 8 (KB980182) (Version: 1)
Update for Windows Internet Explorer 8 (KB980302) (Version: 1)
Update for Windows Internet Explorer 8 (KB982632) (Version: 1)
Update for Windows Internet Explorer 8 (KB982664) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2492386) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB2808679) (Version: 1)
Update for Windows XP (KB2863058) (Version: 1)
Update for Windows XP (KB2904266) (Version: 1)
Update for Windows XP (KB898461) (Version: 1)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
Visual Studio 2005 Tools for Office Second Edition Runtime
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Management Framework Core
Windows Media Format 11 runtime
Windows PowerShell™ 1.0 MUI pack (Version: 2)
Windows Resource Kit Tools (Version: 5.2.3790)
WinPcap 4.1.3 (Version: 4.1.0.2980)
Wireshark 1.10.2 (32-bit) (Version: 1.10.2)

==================== Restore Points  =========================

27-09-2013 04:14:22 Software Distribution Service 3.0
27-09-2013 08:00:16 Software Distribution Service 3.0
27-09-2013 21:38:27 Software Distribution Service 3.0
30-09-2013 13:09:52 Software Distribution Service 3.0
01-10-2013 08:00:13 Software Distribution Service 3.0
01-10-2013 13:11:54 Software Distribution Service 3.0
02-10-2013 08:00:17 Software Distribution Service 3.0
02-10-2013 13:12:05 Software Distribution Service 3.0
03-10-2013 08:00:19 Software Distribution Service 3.0
03-10-2013 13:12:08 Software Distribution Service 3.0
04-10-2013 08:00:20 Software Distribution Service 3.0
04-10-2013 13:19:34 Software Distribution Service 3.0
05-10-2013 08:00:20 Software Distribution Service 3.0
05-10-2013 13:20:22 Software Distribution Service 3.0
06-10-2013 07:06:51 Software Distribution Service 3.0
06-10-2013 08:00:17 Software Distribution Service 3.0
06-10-2013 13:20:09 Software Distribution Service 3.0
07-10-2013 08:00:17 Software Distribution Service 3.0
07-10-2013 13:20:06 Software Distribution Service 3.0
08-10-2013 08:00:22 Software Distribution Service 3.0
08-10-2013 13:23:22 Software Distribution Service 3.0
09-10-2013 08:00:25 Software Distribution Service 3.0
09-10-2013 13:26:29 Software Distribution Service 3.0
09-10-2013 16:55:12 Printer Driver Foxit Reader PDF Printer Driver Installed
10-10-2013 08:01:14 Software Distribution Service 3.0
11-10-2013 08:00:21 Software Distribution Service 3.0
11-10-2013 09:22:14 Software Distribution Service 3.0
12-10-2013 08:00:19 Software Distribution Service 3.0
12-10-2013 09:38:04 Software Distribution Service 3.0
13-10-2013 08:00:18 Software Distribution Service 3.0
13-10-2013 09:28:41 Software Distribution Service 3.0
14-10-2013 08:00:18 Software Distribution Service 3.0
14-10-2013 09:21:02 Software Distribution Service 3.0
15-10-2013 08:00:18 Software Distribution Service 3.0
15-10-2013 09:23:44 Software Distribution Service 3.0
16-10-2013 08:00:21 Software Distribution Service 3.0
17-10-2013 08:00:22 Software Distribution Service 3.0
17-10-2013 08:19:02 Software Distribution Service 3.0
18-10-2013 08:00:19 Software Distribution Service 3.0
18-10-2013 08:12:29 Software Distribution Service 3.0
19-10-2013 08:00:21 Software Distribution Service 3.0
19-10-2013 08:13:23 Software Distribution Service 3.0
20-10-2013 07:31:02 Software Distribution Service 3.0
20-10-2013 08:00:17 Software Distribution Service 3.0
20-10-2013 08:13:10 Software Distribution Service 3.0
21-10-2013 02:35:28 Installed Java 7 Update 45
21-10-2013 02:40:33 Software Distribution Service 3.0
21-10-2013 08:00:38 Software Distribution Service 3.0
22-10-2013 02:59:18 Software Distribution Service 3.0
22-10-2013 08:00:20 Software Distribution Service 3.0
23-10-2013 02:59:11 Software Distribution Service 3.0
23-10-2013 08:00:20 Software Distribution Service 3.0
24-10-2013 02:58:56 Software Distribution Service 3.0
24-10-2013 08:00:19 Software Distribution Service 3.0
25-10-2013 02:58:55 Software Distribution Service 3.0
25-10-2013 08:00:17 Software Distribution Service 3.0
25-10-2013 23:15:31 Software Distribution Service 3.0
28-10-2013 13:28:46 Software Distribution Service 3.0
29-10-2013 08:00:20 Software Distribution Service 3.0
29-10-2013 14:16:22 Software Distribution Service 3.0
30-10-2013 08:00:18 Software Distribution Service 3.0
30-10-2013 14:16:20 Software Distribution Service 3.0
31-10-2013 08:00:20 Software Distribution Service 3.0
31-10-2013 14:16:54 Software Distribution Service 3.0
01-11-2013 08:00:18 Software Distribution Service 3.0
01-11-2013 14:15:46 Software Distribution Service 3.0
01-11-2013 21:34:15 Software Distribution Service 3.0
04-11-2013 14:21:19 Software Distribution Service 3.0
05-11-2013 09:00:19 Software Distribution Service 3.0
05-11-2013 14:19:53 Software Distribution Service 3.0
06-11-2013 09:00:18 Software Distribution Service 3.0
06-11-2013 14:19:58 Software Distribution Service 3.0
07-11-2013 09:00:18 Software Distribution Service 3.0
07-11-2013 14:20:05 Software Distribution Service 3.0
08-11-2013 01:24:29 Installed Microsoft Fix it 51004
08-11-2013 09:00:18 Software Distribution Service 3.0
08-11-2013 22:31:31 Software Distribution Service 3.0
11-11-2013 14:19:32 Software Distribution Service 3.0
12-11-2013 09:00:18 Software Distribution Service 3.0
12-11-2013 14:18:33 Software Distribution Service 3.0
13-11-2013 09:00:24 Software Distribution Service 3.0
14-11-2013 02:46:03 Software Distribution Service 3.0
14-11-2013 09:00:18 Software Distribution Service 3.0
15-11-2013 04:31:40 Software Distribution Service 3.0
15-11-2013 09:00:17 Software Distribution Service 3.0
15-11-2013 22:27:21 Software Distribution Service 3.0
18-11-2013 14:22:47 Software Distribution Service 3.0
19-11-2013 09:00:19 Software Distribution Service 3.0
19-11-2013 14:15:44 Software Distribution Service 3.0
20-11-2013 09:00:18 Software Distribution Service 3.0
20-11-2013 14:15:24 Software Distribution Service 3.0
21-11-2013 09:00:20 Software Distribution Service 3.0
21-11-2013 14:15:20 Software Distribution Service 3.0
22-11-2013 09:00:18 Software Distribution Service 3.0
22-11-2013 14:15:29 Software Distribution Service 3.0
22-11-2013 22:01:38 Software Distribution Service 3.0
25-11-2013 14:26:05 Software Distribution Service 3.0
26-11-2013 09:00:22 Software Distribution Service 3.0
26-11-2013 14:22:56 Software Distribution Service 3.0
27-11-2013 09:00:19 Software Distribution Service 3.0
27-11-2013 14:25:23 Software Distribution Service 3.0
27-11-2013 21:20:25 Software Distribution Service 3.0
02-12-2013 14:30:40 Software Distribution Service 3.0
03-12-2013 09:00:20 Software Distribution Service 3.0
03-12-2013 14:26:13 Software Distribution Service 3.0
04-12-2013 09:00:17 Software Distribution Service 3.0
04-12-2013 14:26:11 Software Distribution Service 3.0
05-12-2013 09:00:19 Software Distribution Service 3.0
05-12-2013 14:26:22 Software Distribution Service 3.0
06-12-2013 09:00:21 Software Distribution Service 3.0
06-12-2013 14:24:59 Software Distribution Service 3.0
07-12-2013 09:00:16 Software Distribution Service 3.0
07-12-2013 14:25:54 Software Distribution Service 3.0
08-12-2013 08:17:50 Software Distribution Service 3.0
08-12-2013 09:00:16 Software Distribution Service 3.0
08-12-2013 14:26:02 Software Distribution Service 3.0
09-12-2013 09:00:16 Software Distribution Service 3.0
09-12-2013 14:23:34 Software Distribution Service 3.0
10-12-2013 09:00:17 Software Distribution Service 3.0
10-12-2013 14:24:11 Software Distribution Service 3.0
11-12-2013 09:00:24 Software Distribution Service 3.0
12-12-2013 09:00:20 Software Distribution Service 3.0
12-12-2013 09:35:36 Software Distribution Service 3.0
13-12-2013 09:00:18 Software Distribution Service 3.0
13-12-2013 09:35:54 Software Distribution Service 3.0
13-12-2013 22:29:12 Software Distribution Service 3.0
16-12-2013 14:55:46 Software Distribution Service 3.0
16-12-2013 15:14:18 Software Distribution Service 3.0
17-12-2013 09:00:22 Software Distribution Service 3.0
17-12-2013 19:51:53 Software Distribution Service 3.0
18-12-2013 01:38:01 Software Distribution Service 3.0
18-12-2013 04:00:25 Removed Java™ 6 Update 7
18-12-2013 04:01:04 Removed Java™ 6 Update 31
18-12-2013 04:02:28 Removed JavaFX 2.1.1
18-12-2013 04:17:20 Printer Driver LogMeIn Printer Driver Installed
18-12-2013 09:00:17 Software Distribution Service 3.0
19-12-2013 09:00:20 Software Distribution Service 3.0
19-12-2013 20:10:20 Software Distribution Service 3.0
20-12-2013 09:00:17 Software Distribution Service 3.0
20-12-2013 20:09:57 Software Distribution Service 3.0
20-12-2013 22:26:22 Software Distribution Service 3.0
23-12-2013 15:05:19 Software Distribution Service 3.0

==================== Hosts content: ==========================

2008-04-14 06:00 - 2013-12-13 11:00 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job => C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
Task: C:\WINDOWS\Tasks\CloneVVPtoOffsite.job => ?
Task: C:\WINDOWS\Tasks\darin-daily-group_1_every_1_days.job => ?
Task: C:\WINDOWS\Tasks\darin-daily-group_1_every_35_days.job => ?
Task: C:\WINDOWS\Tasks\darin-daily-group_1_every_7_days.job => ?
Task: C:\WINDOWS\Tasks\darin-daily-group_2_every_1_days.job => ?
Task: C:\WINDOWS\Tasks\darin-daily-group_2_every_35_days.job => ?
Task: C:\WINDOWS\Tasks\darin-daily-group_2_every_7_days.job => ?
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job => C:\Program Files\Microsoft Security Client\MpCmdRun.exe
Task: C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job => C:\Program Files\Spybot - Search & Destroy 2\SDImmunize.exe
Task: C:\WINDOWS\Tasks\Scan the system (Spybot - Search & Destroy).job => C:\Program Files\Spybot - Search & Destroy 2\SDScan.exe
Task: C:\WINDOWS\Tasks\SyncBack Darin Desktop.job => C:\Program Files\2BrightSparks\SyncBackDarinTask created by SyncBack.exe
Task: C:\WINDOWS\Tasks\SyncBack Darin Documents.job => C:\Program Files\2BrightSparks\SyncBackDarinTask created by SyncBack.exe
Task: C:\WINDOWS\Tasks\SyncBack Darin Favorites.job => C:\Program Files\2BrightSparks\SyncBackDarinTask created by SyncBack.exe
Task: C:\WINDOWS\Tasks\SyncBack QB Bup.job => C:\Program Files\2BrightSparks\SyncBackDarinTask created by SyncBack.exe
Task: C:\WINDOWS\Tasks\SyncToyCmd.job => C:\Program Files\SyncToy 2.1\SyncToyCmd.exe
Task: C:\WINDOWS\Tasks\SyncToyDropbox.job => C:\Program Files\SyncToy 2.1\SyncToyCmd.exe
Task: C:\WINDOWS\Tasks\User_Feed_Synchronization-{FE0EDA90-3C20-4601-B08E-D4B4F611FA7B}.job => C:\WINDOWS\system32\msfeedssync.exe

==================== Loaded Modules (whitelisted) =============

2013-10-03 11:02 - 2013-05-16 09:55 - 00113496 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2013-10-03 11:02 - 2013-05-16 09:55 - 00416600 _____ () C:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl
2013-10-03 11:02 - 2013-05-16 09:55 - 00161112 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2013-10-03 11:02 - 2012-08-23 09:38 - 00574840 _____ () C:\Program Files\Spybot - Search & Destroy 2\sqlite3.dll
2013-10-03 11:02 - 2012-04-03 16:06 - 00565640 _____ () C:\Program Files\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2010-03-01 10:00 - 2010-03-08 22:58 - 00159841 _____ () C:\Program Files\NCR\Passport Web Edition\zipfiles.dll
2010-03-01 10:00 - 2006-10-19 13:49 - 00003072 _____ () C:\Program Files\NCR\Passport Web Edition\Ranger\DigitalCheck\SoftLockResource.dll
2013-11-08 07:48 - 2013-11-08 07:48 - 00269128 _____ () C:\Program Files\Intuit\QuickBooks 2006\boost_regex-vc90-mt-p-1_33.dll
2013-11-08 07:48 - 2013-11-08 07:48 - 00021320 _____ () C:\Program Files\Intuit\QuickBooks 2006\QBCompressor.dll
2012-03-14 04:06 - 2012-03-14 04:06 - 00059904 _____ () C:\Program Files\Intuit\QuickBooks 2006\zlib1.dll
2013-11-08 07:48 - 2013-11-08 07:48 - 00380744 _____ () C:\Program Files\Intuit\QuickBooks 2006\BackupLib.dll
2013-11-08 07:48 - 2013-11-08 07:48 - 00138568 _____ () C:\Program Files\Intuit\QuickBooks 2006\QBMAPILibrary.dll
2013-11-08 07:48 - 2013-11-08 07:48 - 00176968 _____ () C:\Program Files\Intuit\QuickBooks 2006\boost_serialization-vc90-mt-p-1_33.dll
2013-11-08 07:48 - 2013-11-08 07:48 - 00042824 _____ () C:\Program Files\Intuit\QuickBooks 2006\mbpopup.dll
2013-11-08 07:48 - 2013-11-08 07:48 - 00400200 _____ () C:\Program Files\Intuit\QuickBooks 2006\FeaturesBridge.dll
2013-11-08 07:49 - 2013-11-08 07:49 - 00110920 _____ () C:\Program Files\Intuit\QuickBooks 2006\Webification.dll
2013-11-08 07:48 - 2013-11-08 07:48 - 00083272 _____ () C:\Program Files\Intuit\QuickBooks 2006\IPDWidgetBridge.dll
2013-11-08 07:48 - 2013-11-08 07:48 - 00093512 _____ () C:\Program Files\Intuit\QuickBooks 2006\IPDWidgetInterop.dll
2013-11-08 07:49 - 2013-11-08 07:49 - 00121672 _____ () C:\Program Files\Intuit\QuickBooks 2006\ReportBridge.dll
2013-11-08 07:48 - 2013-11-08 07:48 - 00070472 _____ () C:\Program Files\Intuit\QuickBooks 2006\QB2WPFBridge.dll
2013-08-23 13:01 - 2013-08-23 13:01 - 25100288 _____ () C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Application Data\Dropbox\bin\libcef.dll
2013-12-19 21:31 - 2013-12-19 21:31 - 03559024 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========


==================== Safe Mode (whitelisted) ===================


==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (12/23/2013 09:20:54 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks Pro 2012":
Unexpected empty payment txn data element encountered - merchAccnt#=, CTI=, clrStatus=cleared, txnID=B9528-1387484932, lineTxnId=B9529-1387484932

Error: (12/23/2013 09:20:54 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks Pro 2012":
Unexpected empty payment txn data element encountered - merchAccnt#=, CTI=, clrStatus=cleared, txnID=B93CA-1387378689, lineTxnId=B93CB-1387378689

Error: (12/23/2013 09:20:54 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks Pro 2012":
Unexpected empty payment txn data element encountered - merchAccnt#=, CTI=, clrStatus=cleared, txnID=B9393-1387294739, lineTxnId=B9394-1387294739

Error: (12/23/2013 09:20:54 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks Pro 2012":
Unexpected empty payment txn data element encountered - merchAccnt#=, CTI=, clrStatus=cleared, txnID=B917B-1386883057, lineTxnId=B917C-1386883057

Error: (12/23/2013 09:20:54 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks Pro 2012":
Unexpected empty payment txn data element encountered - merchAccnt#=, CTI=, clrStatus=cleared, txnID=B9030-1386714773, lineTxnId=B9031-1386714773

Error: (12/23/2013 09:20:54 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks Pro 2012":
Unexpected empty payment txn data element encountered - merchAccnt#=, CTI=, clrStatus=uncleared, txnID=B95EF-1387561223, lineTxnId=B95F0-1387561223

Error: (12/23/2013 08:56:51 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (12/23/2013 08:56:51 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (12/23/2013 08:56:51 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (12/20/2013 04:28:07 PM) (Source: HotFixInstaller) (User: )
Description: EventType visualstudio8setup, P1 microsoft .net framework 2.0-kb2742596, P2 1033, P3 1603, P4 msi, P5 f, P6 9.0.40215.0, P7 install, P8 x86, P9 visualstudio8setup0, P10 visualstudio8setup1.


System errors:
=============
Error: (12/23/2013 08:55:36 AM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Security Center Service service failed to start due to the following error:
%%1053

Error: (12/23/2013 08:55:36 AM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the Spybot-S&D 2 Security Center Service service to connect.

Error: (12/20/2013 04:28:08 PM) (Source: Windows Update Agent) (User: )
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2742596).

Error: (12/20/2013 04:28:01 PM) (Source: Windows Update Agent) (User: )
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 3.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2756918).

Error: (12/20/2013 04:27:50 PM) (Source: Windows Update Agent) (User: )
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2833941).

Error: (12/20/2013 04:27:38 PM) (Source: Windows Update Agent) (User: )
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2863239).

Error: (12/20/2013 04:27:33 PM) (Source: Windows Update Agent) (User: )
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2604092).

Error: (12/20/2013 04:27:24 PM) (Source: Windows Update Agent) (User: )
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2656352).

Error: (12/20/2013 04:27:17 PM) (Source: Windows Update Agent) (User: )
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2833940).

Error: (12/20/2013 04:27:10 PM) (Source: Windows Update Agent) (User: )
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft .NET Framework 3.5 SP1 Update for Windows Server 2003 and Windows XP x86 (KB982168).


Microsoft Office Sessions:
=========================
Error: (12/23/2013 09:20:54 AM) (Source: QuickBooks)(User: )
Description: QuickBooks Pro 2012Unexpected empty payment txn data element encountered - merchAccnt#=, CTI=, clrStatus=cleared, txnID=B9528-1387484932, lineTxnId=B9529-1387484932

Error: (12/23/2013 09:20:54 AM) (Source: QuickBooks)(User: )
Description: QuickBooks Pro 2012Unexpected empty payment txn data element encountered - merchAccnt#=, CTI=, clrStatus=cleared, txnID=B93CA-1387378689, lineTxnId=B93CB-1387378689

Error: (12/23/2013 09:20:54 AM) (Source: QuickBooks)(User: )
Description: QuickBooks Pro 2012Unexpected empty payment txn data element encountered - merchAccnt#=, CTI=, clrStatus=cleared, txnID=B9393-1387294739, lineTxnId=B9394-1387294739

Error: (12/23/2013 09:20:54 AM) (Source: QuickBooks)(User: )
Description: QuickBooks Pro 2012Unexpected empty payment txn data element encountered - merchAccnt#=, CTI=, clrStatus=cleared, txnID=B917B-1386883057, lineTxnId=B917C-1386883057

Error: (12/23/2013 09:20:54 AM) (Source: QuickBooks)(User: )
Description: QuickBooks Pro 2012Unexpected empty payment txn data element encountered - merchAccnt#=, CTI=, clrStatus=cleared, txnID=B9030-1386714773, lineTxnId=B9031-1386714773

Error: (12/23/2013 09:20:54 AM) (Source: QuickBooks)(User: )
Description: QuickBooks Pro 2012Unexpected empty payment txn data element encountered - merchAccnt#=, CTI=, clrStatus=uncleared, txnID=B95EF-1387561223, lineTxnId=B95F0-1387561223

Error: (12/23/2013 08:56:51 AM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (12/23/2013 08:56:51 AM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (12/23/2013 08:56:51 AM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (12/20/2013 04:28:07 PM) (Source: HotFixInstaller)(User: )
Description: visualstudio8setupmicrosoft .net framework 2.0-kb274259610331603msif9.0.40215.0installx86xp2721


==================== Memory info ===========================

Percentage of memory in use: 61%
Total physical RAM: 2035.95 MB
Available physical RAM: 793.89 MB
Total Pagefile: 3928.89 MB
Available Pagefile: 2619.7 MB
Total Virtual: 2047.88 MB
Available Virtual: 1940.66 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:149.04 GB) (Free:60.22 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: () (Fixed) (Total:465.75 GB) (Free:10.72 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 149 GB) (Disk ID: 085C085C)
Partition 1: (Active) - (Size=149 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 466 GB) (Disk ID: 08A108A1)
Partition 1: (Not Active) - (Size=466 GB) - (Type=07 NTFS)

==================== End Of Log ============================

 

FRST log

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-12-2013
Ran by Darin (administrator) on DARIN-2008 on 23-12-2013 13:22:16
Running from C:\Documents and Settings\Darin.USER-4D5FD8D5EC\My Documents\Downloads
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Dell Inc.) C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe
(Nero AG) C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\ramaint.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
(Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
() C:\Program Files\CyberLink\Shared Files\RichVideo.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(Intel Corporation) C:\WINDOWS\system32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
(NCR Corporation) C:\Program Files\NCR\Passport Web Edition\pwecsrvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Dell Inc.) C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpsp.exe
(Dell Inc.) C:\Program Files\Dell Printers\Additional Color Laser Software\Updater\dlupdr.exe
(Dell Inc.) C:\Program Files\Dell Printers\Additional Color Laser Software\Launcher\DLQLU.EXE
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(Intuit Inc.) C:\Program Files\Intuit\QuickBooks 2006\QBW32.EXE
(Dropbox, Inc.) C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Application Data\Dropbox\bin\Dropbox.exe
(Dell Inc.) C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeIn.exe
(Intuit, Inc.) C:\Program Files\Intuit\QuickBooks 2006\QBDBMgr.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
(iAnywhere Solutions, Inc.) C:\Program Files\Intuit\QuickBooks 2006\dbextclr11.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [HotKeysCmds] - C:\WINDOWS\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [RTHDCPL] - C:\WINDOWS\RTHDCPL.exe [16859648 2008-03-17] (Realtek Semiconductor Corp.)
HKLM\...\Run: [LogMeIn GUI] - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [63048 2008-07-24] (LogMeIn, Inc.)
HKLM\...\Run: [Passport Web Edition Client] - C:\Program Files\NCR\Passport Web Edition\pwecsrvc.exe [20579 2010-03-08] (NCR Corporation)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [948440 2013-10-23] (Microsoft Corporation)
HKLM\...\Run: [Intuit SyncManager] - C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [2829624 2013-11-08] (Intuit Inc. All rights reserved.)
HKLM\...\Run: [DLPSP] - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpsp.exe [886152 2010-06-01] (Dell Inc.)
HKLM\...\Run: [DLUPDR] - C:\Program Files\Dell Printers\Additional Color Laser Software\Updater\dlupdr.exe [566680 2010-06-01] (Dell Inc.)
HKLM\...\Run: [DLQLU] - C:\Program Files\Dell Printers\Additional Color Laser Software\Launcher\DLQLU.EXE [1127744 2010-06-01] (Dell Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [SDTray] - C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [5624784 2013-07-25] (Safer-Networking Ltd.)
HKLM Group Policy restriction on software: *.ppt.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.pif <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.scr <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Local Settings\Application Data\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.com <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.pif <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Local Settings\Application Data\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *‮* <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.png.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.scr <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Application Data\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.com <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wma.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.png.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Local Settings\Application Data\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Local Settings\Application Data\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.com <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.com <====== ATTENTION
HKLM Group Policy restriction on software: *.png.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wma.com <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Application Data\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.com <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wma.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.com <====== ATTENTION
HKLM Group Policy restriction on software: *.png.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Application Data\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Application Data\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt.com <====== ATTENTION
Winlogon\Notify\LMIinit: C:\Windows\system32\LMIinit.dll (LogMeIn, Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Intuit Data Protect.lnk
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files\Intuit\QuickBooks 2006\QBW32.EXE (Intuit Inc.)
Startup: C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
BootExecute: autocheck autochk * sdnclean.exe

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usatoday.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0017-0000-0045-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files\Intuit\QuickBooks 2006\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [147456] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 66.180.96.12 64.238.96.12

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Application Data\Mozilla\Firefox\Profiles\2g9gs5tr.default
FF user.js: detected! => C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Application Data\Mozilla\Firefox\Profiles\2g9gs5tr.default\user.js
FF Homepage: GOOGLE.COM
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_9_900_170.dll ()
FF Plugin: @adobe.com/ShockwavePlayer - C:\WINDOWS\system32\Adobe\Director\np32dsw_1207148.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf - C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf - C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin: @java.com/DTPlugin,version=10.5.1 - C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.45.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\answers.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Application Data\Mozilla\Firefox\Profiles\2g9gs5tr.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

Chrome:
=======
CHR HomePage: hxxp://www.google.com
CHR RestoreOnStartup: "hxxp://www.google.com"
CHR DefaultSearchURL: {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\25.0.1364.152\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\25.0.1364.152\pdf.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\25.0.1364.152\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 7.0.40.255) - C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
CHR Plugin: (Omnis Unicode RCC Plugin) - C:\Program Files\Mozilla Firefox\plugins\np_orfc.dll ()
CHR Plugin: (QuickTime Plug-in 7.5.5) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.5.5) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.5.5) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.5.5) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.5.5) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.5.5) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.5.5) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Microsoft\u00AE DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Microsoft\u00AE DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (Foxit Reader Plugin for Mozilla) - C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Windows Presentation Foundation) - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Plugin: (Shockwave for Director) - C:\WINDOWS\system32\Adobe\Director\np32dsw.dll No File
CHR Extension: (YouTube) - C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_1
CHR Extension: (Google Search) - C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_1
CHR Extension: (Gmail) - C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1

========================== Services (Whitelisted) =================

R2 InCDsrv; C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe [1550896 2007-05-15] (Nero AG)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-10-23] (Microsoft Corporation)
R2 QBVSS; C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2012-03-14] (Intuit Inc.)
R2 RichVideo; C:\Program Files\CyberLink\Shared Files\RichVideo.exe [167936 2005-08-07] ()
R2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1817560 2013-05-16] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [1033688 2013-05-16] (Safer-Networking Ltd.)
S2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2013-05-15] (Safer-Networking Ltd.)
R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf"
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [x]

==================== Drivers (Whitelisted) ====================

R1 BANTExt; C:\Windows\System32\Drivers\BANTExt.sys [3840 2008-02-27] ()
R4 InCDfs; C:\Windows\System32\drivers\InCDFs.sys [118576 2007-05-15] (Nero AG)
R1 InCDPass; C:\Windows\System32\drivers\InCDPass.sys [37040 2007-05-15] (Nero AG)
U1 InCDrec; C:\Windows\System32\Drivers\InCDrec.sys [16304 2007-05-15] (Nero AG)
R1 incdrm; C:\Windows\System32\drivers\InCDRm.sys [38576 2007-05-15] (Nero AG)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [214696 2013-09-27] (Microsoft Corporation)
R1 MpKslafbf9384; c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{779B3B14-AC15-4487-9EF8-F8ABD0F151BC}\MpKslafbf9384.sys [40392 2013-12-23] (Microsoft Corporation)
S3 NAL; C:\WINDOWS\system32\Drivers\iqvw32.sys [30816 2007-12-20] (Intel Corporation )
R2 NPF; C:\Windows\System32\drivers\npf.sys [36600 2013-02-28] (Riverbed Technology, Inc.)
R3 TSUSB2; C:\Windows\System32\DRIVERS\TSUSB2.sys [54016 2007-01-19] (HTL)
S3 catchme; \??\C:\DOCUME~1\DARIN~1.USE\LOCALS~1\Temp\catchme.sys [x]
S4 IntelIde; No ImagePath
S4 LMIRfsClientNP; No ImagePath
S3 USBAAPL; System32\Drivers\usbaapl.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-12-23 13:22 - 2013-12-23 13:22 - 00000000 ____D C:\FRST
2013-12-19 21:31 - 2013-12-19 21:31 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-12-17 22:49 - 2013-12-17 22:49 - 00022538 _____ C:\ComboFix.txt
2013-12-17 22:06 - 2013-12-17 22:06 - 00060706 _____ C:\Documents and Settings\Darin.USER-4D5FD8D5EC\My Documents\cc_20131217_220614.reg
2013-12-17 22:02 - 2012-05-04 18:29 - 00772504 _____ (Oracle Corporation) C:\WINDOWS\system32\npDeployJava1.dll
2013-12-17 22:02 - 2012-05-04 18:29 - 00687504 _____ (Oracle Corporation) C:\WINDOWS\system32\deployJava1.dll
2013-12-17 21:59 - 2013-12-17 21:59 - 00000682 _____ C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
2013-12-13 11:58 - 2013-12-13 11:58 - 00005725 _____ C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Desktop\attach.zip
2013-12-13 11:41 - 2013-12-18 12:27 - 00035415 _____ C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Desktop\attach.txt
2013-12-13 11:41 - 2013-12-18 12:27 - 00014559 _____ C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Desktop\dds.txt
2013-12-13 11:25 - 2013-12-13 13:57 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-12-13 10:44 - 2013-10-03 15:20 - 00000245 _____ C:\Boot.bak
2013-12-13 10:43 - 2013-12-13 11:25 - 00051416 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2013-12-13 10:43 - 2013-12-13 10:44 - 00000000 _RSHD C:\cmdcons
2013-12-13 10:43 - 2004-08-03 23:00 - 00260272 __RSH C:\cmldr
2013-12-13 10:42 - 2013-12-13 13:57 - 00000000 ____D C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Desktop\mbar
2013-12-13 10:41 - 2011-06-26 00:45 - 00256000 _____ C:\WINDOWS\PEV.exe
2013-12-13 10:41 - 2010-11-07 11:20 - 00208896 _____ C:\WINDOWS\MBR.exe
2013-12-13 10:41 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2013-12-13 10:41 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2013-12-13 10:41 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2013-12-13 10:41 - 2000-08-30 18:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2013-12-13 10:41 - 2000-08-30 18:00 - 00098816 _____ C:\WINDOWS\sed.exe
2013-12-13 10:41 - 2000-08-30 18:00 - 00080412 _____ C:\WINDOWS\grep.exe
2013-12-13 10:41 - 2000-08-30 18:00 - 00068096 _____ C:\WINDOWS\zip.exe
2013-12-13 10:40 - 2013-12-17 22:49 - 00000000 ____D C:\Qoobox
2013-12-13 10:37 - 2013-12-13 11:10 - 00000000 ____D C:\WINDOWS\erdnt
2013-12-11 03:06 - 2013-12-11 03:06 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2904266$
2013-12-11 03:06 - 2013-12-11 03:06 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2898715$
2013-12-11 03:03 - 2013-12-11 03:03 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2893984$
2013-12-11 03:03 - 2013-12-11 03:03 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2893294$
2013-12-11 03:02 - 2013-12-11 03:02 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2892075$

==================== One Month Modified Files and Folders =======

2013-12-23 13:22 - 2013-12-23 13:22 - 00000000 ____D C:\FRST
2013-12-23 13:15 - 2009-07-23 18:03 - 00000422 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{FE0EDA90-3C20-4601-B08E-D4B4F611FA7B}.job
2013-12-23 12:42 - 2012-06-05 19:50 - 00000884 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2013-12-23 12:36 - 2012-04-18 19:13 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2013-12-23 10:49 - 2012-09-27 13:26 - 00000027 _____ C:\WINDOWS\BRPP2KA.INI
2013-12-23 10:49 - 2011-11-02 14:10 - 00000419 _____ C:\WINDOWS\BRWMARK.INI
2013-12-23 10:39 - 2011-01-13 19:22 - 00000000 ____D C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Application Data\Dropbox
2013-12-23 10:30 - 2008-11-06 02:53 - 00032626 _____ C:\WINDOWS\SchedLgU.Txt
2013-12-23 10:02 - 2009-04-07 13:16 - 00000000 ____D C:\Documents and Settings\Darin.USER-4D5FD8D5EC\My Documents\QB Data
2013-12-23 09:18 - 2012-04-26 07:19 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-12-23 09:11 - 2008-11-06 02:50 - 01132591 _____ C:\WINDOWS\WindowsUpdate.log
2013-12-23 09:04 - 2013-11-13 20:59 - 00000384 ____H C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2013-12-23 08:55 - 2013-10-03 11:03 - 00000644 _____ C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job
2013-12-23 08:55 - 2012-06-05 19:50 - 00000880 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2013-12-23 08:55 - 2008-11-13 16:23 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\LogMeIn
2013-12-23 08:55 - 2008-04-14 06:00 - 00012598 _____ C:\WINDOWS\system32\wpa.dbl
2013-12-23 08:54 - 2008-11-06 02:53 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-12-20 16:28 - 2013-10-03 11:02 - 00131072 _____ C:\WINDOWS\system32\config\SpybotSD.evt
2013-12-20 16:28 - 2012-05-11 02:37 - 00305984 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-2176411917-2823643465-274661821-1005-0.dat
2013-12-20 16:28 - 2012-05-11 02:37 - 00269582 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2013-12-20 16:26 - 2008-11-07 13:13 - 00000278 ___SH C:\Documents and Settings\Darin.USER-4D5FD8D5EC\ntuser.ini
2013-12-20 16:26 - 2008-11-07 13:13 - 00000000 ____D C:\Documents and Settings\Darin.USER-4D5FD8D5EC
2013-12-20 04:01 - 2012-08-29 19:51 - 00000440 _____ C:\WINDOWS\Tasks\SyncBack Darin Documents.job
2013-12-20 04:00 - 2012-08-29 19:52 - 00000440 _____ C:\WINDOWS\Tasks\SyncBack Darin Favorites.job
2013-12-20 04:00 - 2012-08-29 19:51 - 00000436 _____ C:\WINDOWS\Tasks\SyncBack Darin Desktop.job
2013-12-20 03:10 - 2008-12-04 20:10 - 00000390 _____ C:\WINDOWS\Tasks\CloneVVPtoOffsite.job
2013-12-19 21:31 - 2013-12-19 21:31 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-12-19 21:01 - 2013-10-15 13:24 - 00000422 _____ C:\WINDOWS\Tasks\SyncBack QB Bup.job
2013-12-18 13:33 - 2011-01-13 19:22 - 00000000 ____D C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Start Menu\Programs\Dropbox
2013-12-18 12:27 - 2013-12-13 11:41 - 00035415 _____ C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Desktop\attach.txt
2013-12-18 12:27 - 2013-12-13 11:41 - 00014559 _____ C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Desktop\dds.txt
2013-12-18 08:00 - 2013-10-03 11:03 - 00000616 _____ C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job
2013-12-17 23:35 - 2008-11-06 02:52 - 00000000 __SHD C:\Documents and Settings\NetworkService
2013-12-17 22:49 - 2013-12-17 22:49 - 00022538 _____ C:\ComboFix.txt
2013-12-17 22:49 - 2013-12-13 10:40 - 00000000 ____D C:\Qoobox
2013-12-17 22:48 - 2008-04-14 06:00 - 00000227 _____ C:\WINDOWS\system.ini
2013-12-17 22:17 - 2008-11-13 16:23 - 00000719 _____ C:\Documents and Settings\All Users\Start Menu\Programs\LogMeIn.lnk
2013-12-17 22:16 - 2008-12-03 20:03 - 00000178 ___SH C:\Documents and Settings\LogMeInRemoteUser\ntuser.ini
2013-12-17 22:16 - 2008-11-13 16:23 - 00000000 ____D C:\Program Files\LogMeIn
2013-12-17 22:06 - 2013-12-17 22:06 - 00060706 _____ C:\Documents and Settings\Darin.USER-4D5FD8D5EC\My Documents\cc_20131217_220614.reg
2013-12-17 22:01 - 2008-11-13 15:34 - 00000000 ____D C:\Program Files\Java
2013-12-17 22:00 - 2008-11-13 15:34 - 00000000 ____D C:\Program Files\Common Files\Java
2013-12-17 21:59 - 2013-12-17 21:59 - 00000682 _____ C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
2013-12-17 21:59 - 2012-06-05 19:53 - 00000000 ____D C:\Program Files\CCleaner
2013-12-17 19:48 - 2008-11-13 15:33 - 00000000 ____D C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Application Data\Adobe
2013-12-17 19:46 - 2012-04-18 19:13 - 00692616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2013-12-17 19:46 - 2011-05-17 16:55 - 00071048 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2013-12-17 19:46 - 2008-11-13 15:32 - 00000000 ____D C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Local Settings\Application Data\Adobe
2013-12-17 19:44 - 2011-08-10 19:39 - 00002315 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
2013-12-13 13:57 - 2013-12-13 11:25 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-12-13 13:57 - 2013-12-13 10:42 - 00000000 ____D C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Desktop\mbar
2013-12-13 11:58 - 2013-12-13 11:58 - 00005725 _____ C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Desktop\attach.zip
2013-12-13 11:25 - 2013-12-13 10:43 - 00051416 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2013-12-13 11:10 - 2013-12-13 10:37 - 00000000 ____D C:\WINDOWS\erdnt
2013-12-13 10:44 - 2013-12-13 10:43 - 00000000 _RSHD C:\cmdcons
2013-12-13 10:44 - 2008-11-05 18:43 - 00000355 __RSH C:\boot.ini
2013-12-13 08:16 - 2008-11-13 16:23 - 00086888 _____ (LogMeIn, Inc.) C:\WINDOWS\system32\LMIRfsClientNP.dll
2013-12-13 08:16 - 2008-11-13 16:23 - 00085832 _____ (LogMeIn, Inc.) C:\WINDOWS\system32\LMIinit.dll
2013-12-13 08:16 - 2008-11-13 16:23 - 00031560 _____ (LogMeIn, Inc.) C:\WINDOWS\system32\LMIport.dll
2013-12-11 03:24 - 2008-11-05 18:43 - 00276560 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2013-12-11 03:06 - 2013-12-11 03:06 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2904266$
2013-12-11 03:06 - 2013-12-11 03:06 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2898715$
2013-12-11 03:06 - 2008-11-10 05:00 - 00491552 _____ C:\WINDOWS\system32\TZLog.log
2013-12-11 03:05 - 2013-07-23 19:09 - 00000000 ____D C:\WINDOWS\system32\MRT
2013-12-11 03:03 - 2013-12-11 03:03 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2893984$
2013-12-11 03:03 - 2013-12-11 03:03 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2893294$
2013-12-11 03:03 - 2008-11-09 09:25 - 88123800 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2013-12-11 03:02 - 2013-12-11 03:02 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2892075$
2013-11-26 07:49 - 2009-04-07 13:09 - 00000090 _____ C:\WINDOWS\QBChanUtil_Trigger.ini

Files to move or delete:
====================
C:\Documents and Settings\Darin.USER-4D5FD8D5EC\backup_darin-daily-group_1.bat
C:\Documents and Settings\Darin.USER-4D5FD8D5EC\backup_darin-daily-group_2.bat
C:\Documents and Settings\Darin.USER-4D5FD8D5EC\CloneVVPtoOffsite.bat
C:\Documents and Settings\Darin.USER-4D5FD8D5EC\darin-daily-group_1_every_1_days.bat
C:\Documents and Settings\Darin.USER-4D5FD8D5EC\darin-daily-group_1_every_35_days.bat
C:\Documents and Settings\Darin.USER-4D5FD8D5EC\darin-daily-group_1_every_7_days.bat
C:\Documents and Settings\Darin.USER-4D5FD8D5EC\darin-daily-group_2_every_1_days.bat
C:\Documents and Settings\Darin.USER-4D5FD8D5EC\darin-daily-group_2_every_35_days.bat
C:\Documents and Settings\Darin.USER-4D5FD8D5EC\darin-daily-group_2_every_7_days.bat


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

 

TCP View Log

Process    PID    Protocol    Local Address    Local Port    Remote Address    Remote Port    State    Sent Packets    Sent Bytes    Rcvd Packets    Rcvd Bytes
[System Process]    0    TCP    DARIN-2008    4433    localhost    21322    TIME_WAIT
[System Process]    0    TCP    DARIN-2008    4434    localhost    21322    TIME_WAIT                                        
[System Process]    0    TCP    DARIN-2008    4435    localhost    21322    TIME_WAIT                                        
[System Process]    0    TCP    DARIN-2008    4436    localhost    21322    TIME_WAIT                                        
[System Process]    0    TCP    DARIN-2008    4438    localhost    21322    TIME_WAIT                                        
[System Process]    0    TCP    DARIN-2008    4439    localhost    21322    TIME_WAIT                                        
[System Process]    0    TCP    DARIN-2008    4440    localhost    21322    TIME_WAIT                                        
[System Process]    0    TCP    DARIN-2008    4441    localhost    21322    TIME_WAIT                                        
[System Process]    0    TCP    darin-2008    4414    oa-in-f101.1e100.net    http    TIME_WAIT                                        
[System Process]    0    TCP    DARIN-2008    4443    localhost    21322    TIME_WAIT                                        
[System Process]    0    TCP    DARIN-2008    4444    localhost    21322    TIME_WAIT                                        
[System Process]    0    TCP    DARIN-2008    4445    localhost    21322    TIME_WAIT                                        
[System Process]    0    TCP    DARIN-2008    4429    localhost    21322    TIME_WAIT                                        
[System Process]    0    TCP    DARIN-2008    4431    localhost    21322    TIME_WAIT                                        
[System Process]    0    TCP    darin-2008    4413    dfw06s38-in-f5.1e100.net    http    TIME_WAIT                                        
[System Process]    0    TCP    DARIN-2008    4432    localhost    21322    TIME_WAIT                                        
[System Process]    0    TCP    DARIN-2008    4446    localhost    21322    TIME_WAIT                                        
[System Process]    0    TCP    DARIN-2008    4447    localhost    21322    TIME_WAIT                                        
[System Process]    0    TCP    DARIN-2008    4448    localhost    21322    TIME_WAIT                                        
[System Process]    0    TCP    DARIN-2008    4449    localhost    21322    TIME_WAIT                                        
[System Process]    0    TCP    DARIN-2008    4450    localhost    21322    TIME_WAIT                                        
[System Process]    0    TCP    DARIN-2008    4451    localhost    21322    TIME_WAIT                                        
[System Process]    0    TCP    DARIN-2008    4452    localhost    21322    TIME_WAIT                                        
[System Process]    0    TCP    DARIN-2008    4453    localhost    21322    TIME_WAIT                                        
[System Process]    0    TCP    DARIN-2008    4454    localhost    21322    TIME_WAIT                                        
alg.exe    2620    TCP    DARIN-2008    1044    DARIN-2008    0    LISTENING                                        
dlpwdnt.exe    2820    TCP    DARIN-2008    1032    DARIN-2008    0    LISTENING                                        
Dropbox.exe    2440    TCP    darin-2008    1224    snt-re3-6b.sjc.dropbox.com    http    ESTABLISHED    1    329    1    179                        
Dropbox.exe    2440    TCP    darin-2008    1780    neil    17500    ESTABLISHED    1    90    2    148                        
Dropbox.exe    2440    TCP    DARIN-2008    1057    localhost    19872    ESTABLISHED                                        
Dropbox.exe    2440    TCP    DARIN-2008    19872    localhost    1057    ESTABLISHED                                        
Dropbox.exe    2440    TCP    darin-2008    17500    nathan-pc    49731    ESTABLISHED    6    542    18    2,162                        
Dropbox.exe    2440    TCP    darin-2008    1782    nathan-pc    17500    ESTABLISHED    2    180    4    296                        
Dropbox.exe    2440    TCP    darin-2008    1779    art-dt    17500    ESTABLISHED    1    90    2    148                        
Dropbox.exe    2440    TCP    darin-2008    1783    stan-dt7-syx    17500    ESTABLISHED    2    180    4    296                        
Dropbox.exe    2440    TCP    darin-2008    17500    stan-dt7-syx    49335    ESTABLISHED    2    148    1    90                        
Dropbox.exe    2440    TCP    DARIN-2008    17500    DARIN-2008    0    LISTENING                                        
Dropbox.exe    2440    UDP    DARIN-2008    17500    *    *                                            
firefox.exe    240    TCP    DARIN-2008    1374    localhost    1375    ESTABLISHED                                        
firefox.exe    240    TCP    DARIN-2008    1375    localhost    1374    ESTABLISHED                                        
jqs.exe    532    TCP    DARIN-2008    5152    DARIN-2008    0    LISTENING                                        
LogMeIn.exe    3040    TCP    DARIN-2008    2002    localhost    1041    ESTABLISHED                                        
LogMeIn.exe    3040    TCP    darin-2008    1039    63.251.34.146    https    ESTABLISHED    1    37    1    37                        
LogMeIn.exe    3040    TCP    DARIN-2008    2002    DARIN-2008    0    LISTENING                                        
LogMeInSystray.exe    1556    TCP    DARIN-2008    1041    localhost    2002    ESTABLISHED                                        
lsass.exe    784    UDP    DARIN-2008    isakmp    *    *                                            
lsass.exe    784    UDP    DARIN-2008    4500    *    *                                            
mDNSResponder.exe    1964    TCP    DARIN-2008    5354    DARIN-2008    0    LISTENING                                        
mDNSResponder.exe    1964    UDP    darin-2008    5353    *    *                                            
mDNSResponder.exe    1964    UDP    DARIN-2008    1025    *    *                                            
mDNSResponder.exe    1964    UDP    DARIN-2008    56702    *    *                                            
OUTLOOK.EXE    404    TCP    darin-2008    1345    secure.emailsrvr.com    993    ESTABLISHED                                        
OUTLOOK.EXE    404    UDP    DARIN-2008    1360    *    *                                            
pwecsrvc.exe    1720    TCP    DARIN-2008    http    DARIN-2008    0    LISTENING                                        
QBCFMonitorService.exe    1772    TCP    DARIN-2008    8019    DARIN-2008    0    LISTENING                                        
QBW32.EXE    2428    UDP    DARIN-2008    1435    *    *                                            
SDFSSvc.exe    460    TCP    DARIN-2008    21322    DARIN-2008    0    LISTENING                                        
SDFSSvc.exe    460    TCP    DARIN-2008    21323    DARIN-2008    0    LISTENING                                        
SDFSSvc.exe    460    TCP    DARIN-2008    21320    DARIN-2008    0    LISTENING                                        
SDFSSvc.exe    460    UDP    DARIN-2008    1031    *    *                                            
SDFSSvc.exe    460    UDP    DARIN-2008    21328    *    *                                            
SDUpdSvc.exe    2836    TCP    DARIN-2008    21321    DARIN-2008    0    LISTENING                                        
svchost.exe    1024    TCP    DARIN-2008    epmap    DARIN-2008    0    LISTENING                                        
svchost.exe    1156    UDP    darin-2008    ntp    *    *                                            
svchost.exe    1320    UDP    darin-2008    1900    *    *                                            
svchost.exe    1156    UDP    DARIN-2008    ntp    *    *                                            
svchost.exe    1320    UDP    DARIN-2008    1900    *    *                                            
System    4    TCP    DARIN-2008    microsoft-ds    DARIN-2008    0    LISTENING                                        
System    4    TCP    darin-2008    netbios-ssn    DARIN-2008    0    LISTENING                                        
System    4    UDP    darin-2008    netbios-ns    *    *        13    650    11    350        100        2        
System    4    UDP    DARIN-2008    microsoft-ds    *    *                                            
System    4    UDP    darin-2008    netbios-dgm    *    *                                            
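
A quick read of the listing: the only mail-related session is Outlook to secure.emailsrvr.com on 993 (IMAPS), and nothing is connected to port 25, 465 or 587. A bot sending thousands of messages an hour has to open SMTP sessions, so either it was idle at the moment of the snapshot, or the mail is leaving from somewhere else with the account's credentials, which is worth checking with the mail provider. The script below is an added example, not part of the original post or of TCPView: it parses a saved TCPView listing, flags outbound SMTP sessions and counts the distinct remote hosts per process. The sample rows are constructed for the example; the first few mirror the listing above, and the mailer.exe rows are hypothetical, added only to show what a positive looks like.

```python
"""Triage a TCPView listing for mass-mailing behaviour.

Reads rows as TCPView's File > Save writes them (tab separated; pasted copies
with runs of spaces also work) and reports two things: every outbound TCP
connection to an SMTP port, which a spam bot must open to send mail, and how
many distinct remote hosts each process talks to. The rows below are
constructed for the example: the first five mirror the thread's listing, the
'mailer.exe' rows are hypothetical and show what a positive looks like.
"""
import re
from collections import defaultdict

# Names TCPView substitutes for well-known ports; extend for your environment.
SERVICE_PORTS = {"smtp": 25, "submission": 587, "smtps": 465, "http": 80, "https": 443,
                 "imaps": 993, "ntp": 123, "epmap": 135, "netbios-ssn": 139, "microsoft-ds": 445}
SMTP_PORTS = {25, 465, 587}
OUTBOUND_STATES = {"SYN_SENT", "ESTABLISHED", "CLOSE_WAIT", "TIME_WAIT"}

SAMPLE_LOG = """\
OUTLOOK.EXE    404    TCP    darin-2008    1345    secure.emailsrvr.com    993    ESTABLISHED
Dropbox.exe    2440    TCP    darin-2008    1224    snt-re3-6b.sjc.dropbox.com    http    ESTABLISHED    1    329    1    179
Dropbox.exe    2440    TCP    darin-2008    1782    nathan-pc    17500    ESTABLISHED    2    180    4    296
[System Process]    0    TCP    DARIN-2008    4433    localhost    21322    TIME_WAIT
svchost.exe    1320    UDP    darin-2008    1900    *    *
mailer.exe    3120    TCP    darin-2008    2210    mx1.example.net    smtp    SYN_SENT
mailer.exe    3120    TCP    darin-2008    2211    mx.example.org    25    ESTABLISHED    3    410    2    190
"""


def port_number(token):
    """Map TCPView's port column to an int; None for '*' or an unknown service name."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token.lower())


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        fields = [f for f in re.split(r"\t|\s{2,}", line.strip()) if f]
        if len(fields) < 7:
            continue                      # blank, header or truncated row
        rows.append({"process": fields[0], "pid": int(fields[1]), "proto": fields[2].upper(),
                     "local_host": fields[3].lower(), "local_port": port_number(fields[4]),
                     "remote_host": fields[5].lower(), "remote_port": port_number(fields[6]),
                     "state": fields[7] if len(fields) > 7 else ""})
    return rows


def is_remote(row):
    """True for rows whose peer is another machine (not '*', loopback or ourselves)."""
    return row["remote_host"] not in ("*", "localhost", row["local_host"])


def smtp_connections(rows):
    """Outbound TCP sessions to SMTP ports, whatever the process calls itself."""
    return [r for r in rows if r["proto"] == "TCP" and is_remote(r)
            and r["remote_port"] in SMTP_PORTS and r["state"] in OUTBOUND_STATES]


def remote_hosts_per_process(rows):
    """Distinct remote hosts per process; a mailer fans out to many MX hosts."""
    seen = defaultdict(set)
    for r in rows:
        if is_remote(r):
            seen[r["process"]].add(r["remote_host"])
    return {proc: len(hosts) for proc, hosts in seen.items()}


def triage(text):
    rows = parse_rows(text)
    return {"smtp": [(r["process"], r["pid"], r["remote_host"], r["remote_port"], r["state"])
                     for r in smtp_connections(rows)],
            "fanout": remote_hosts_per_process(rows)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for proc, pid, host, port, state in result["smtp"]:
        print("SMTP client: %s (pid %d) -> %s:%d [%s]" % (proc, pid, host, port, state))
    for proc, n in sorted(result["fanout"].items(), key=lambda kv: -kv[1]):
        print("%-20s %d distinct remote host(s)" % (proc, n))
```

A single snapshot only proves what was open at that instant; for a host suspected of sending in bursts, save several listings a few minutes apart and run them all through the same triage.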
 



#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,761 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:41 AM

Posted 23 December 2013 - 02:50 PM

Greetings,

May I assume you intentionally created the HKLM Group Policy restrictions on software (example below)?

HKLM Group Policy restriction on software: *.ppt.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.pif <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*.scr <====== ATTENTION


Are these legitimate?

C:\Documents and Settings\Darin.USER-4D5FD8D5EC\backup_darin-daily-group_1.bat
C:\Documents and Settings\Darin.USER-4D5FD8D5EC\backup_darin-daily-group_2.bat
C:\Documents and Settings\Darin.USER-4D5FD8D5EC\CloneVVPtoOffsite.bat
C:\Documents and Settings\Darin.USER-4D5FD8D5EC\darin-daily-group_1_every_1_days.bat
C:\Documents and Settings\Darin.USER-4D5FD8D5EC\darin-daily-group_1_every_35_days.bat
C:\Documents and Settings\Darin.USER-4D5FD8D5EC\darin-daily-group_1_every_7_days.bat
C:\Documents and Settings\Darin.USER-4D5FD8D5EC\darin-daily-group_2_every_1_days.bat
C:\Documents and Settings\Darin.USER-4D5FD8D5EC\darin-daily-group_2_every_35_days.bat
C:\Documents and Settings\Darin.USER-4D5FD8D5EC\darin-daily-group_2_every_7_days.bat


I am not familiar with Quickbooks but there are some error entries that caught my attention. Have you experienced any irregularities with Quickbooks or any of your financial institutions?

Error: (12/23/2013 09:20:54 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks Pro 2012":
Unexpected empty payment txn data element encountered - merchAccnt#=, CTI=, clrStatus=cleared, txnID=B9393-1387294739, lineTxnId=B9394-1387294739


Please do these things for me.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows logo key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7097:TCP"=-
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Run GETxPUD CD with MBR Report and Driver Search

--------------------
  • From a clean computer download GETxPUD.exe to the desktop of your computer
  • Launch GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image
  • Click on Start and follow the prompts to burn the image to a CD.
  • Please format your USB then download driver.sh to your USB device
  • Remove the USB device and insert it into the infected computer
  • Boot your computer with the GETxPUD CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 while booting to go into Setup and change Boot Sequence to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 or sdc1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?) If it is not there remove the USB device for 5 seconds then reinsert
  • Click Tool at the top
  • Choose Open Terminal
  • Now please type the following and press Enter. Make sure there is a space between the different parts of the command.

dd if=/dev/sda of=mbr.zip bs=512 count=1

  • After it has finished a file will be located on your USB drive named mbr.zip
  • In the terminal window type bash driver.sh and press Enter
  • After it has finished a report will be located on your USB device named report.txt
  • Now type bash driver.sh -af and press Enter
  • You will be prompted to input a file name. Please type the following then press Enter:

Winlogon.exe

  • After the search is completed please type the following then press Enter:

volsnap.sys

  • After the search is completed please type the following then press Enter:

svchost.exe

  • After the search is completed please type the following then press Enter:

explorer.exe

  • After the search is completed please type the following then press Enter:

Userinit.exe

  • After the search is complete please type Exit and press Enter
  • A report will be located in the USB drive as filefind.txt
  • Remove the USB drive, insert it back in your working computer
  • Copy and paste the contents of filefind.txt in your reply
  • Please zip and attach report.txt to your reply
  • Please attach mbr.zip to your reply
===================================================

Things I would like to see in your next reply.
  • Questions
  • Fixlog
  • filefind.txt
  • report.zip
  • mbr.zip

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

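
The FRST fixlist above deletes a single "7097:TCP" exception from the Standard Profile's GloballyOpenPorts list (the .reg posted later in the thread aims at the Domain Profile). Before deleting one entry it helps to see every exception in both profiles, because on XP any program running as Administrator can add one without the user noticing. The script below is an added example, not the thread's or FRST's code: it parses a `reg export` of the FirewallPolicy key, flags enabled exceptions that are not on an allow-list, and writes a .reg that deletes them, addressed to the List subkey under GloballyOpenPorts where the values actually live. The export text, the 7097:TCP display name and the allow-list are constructed for the example.

```python
r"""Audit the Windows XP/2003 firewall 'GloballyOpenPorts' lists.

Input is the text of a registry export of the FirewallPolicy key, e.g.
  reg export HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy fw.reg
(reg export normally writes UTF-16; decode it before passing the text in).
Every value under <Profile>\GloballyOpenPorts\List has the shape
  "port:proto"="port:proto:scope:Enabled|Disabled:display name"
The export below is constructed for this example: the 7097:TCP entry mirrors
the one the thread removes, but its display name and the allow-list of
expected ports are hypothetical.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:NetBIOS Session Service"
"445:TCP"="445:TCP:LocalSubNet:Enabled:SMB over TCP"
"17500:TCP"="17500:TCP:*:Enabled:Dropbox LAN sync"
"7097:TCP"="7097:TCP:*:Enabled:Update Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"7097:TCP"="7097:TCP:*:Enabled:Update Service"
'''

FIREWALL_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
LIST_RE = re.compile(r"\\FirewallPolicy\\(?P<profile>\w+)\\GloballyOpenPorts\\List$", re.IGNORECASE)

# Hypothetical allow-list: (port, proto) pairs the owner can account for.
EXPECTED = {(139, "TCP"), (445, "TCP"), (17500, "TCP")}


def _unescape(s):
    """Undo the two escapes .reg files use inside quoted strings."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_open_ports(reg_text):
    """Return one dict per firewall exception found in the export."""
    entries, profile = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:                       # new key: remember which profile list we are in
            hit = LIST_RE.search(key.group("key"))
            profile = hit.group("profile") if hit else None
            continue
        val = VAL_RE.match(line)
        if not (val and profile):
            continue
        fields = _unescape(val.group("data")).split(":", 4)
        if len(fields) != 5:
            continue                  # not the port:proto:scope:status:name shape
        port, proto, scope, status, name = fields
        entries.append({"profile": profile, "value": _unescape(val.group("name")),
                        "port": int(port), "proto": proto.upper(), "scope": scope,
                        "enabled": status.lower() == "enabled", "name": name})
    return entries


def suspicious(entries):
    """Enabled exceptions not on the allow-list; scope '*' (any source) sorts first."""
    hits = [e for e in entries if e["enabled"] and (e["port"], e["proto"]) not in EXPECTED]
    return sorted(hits, key=lambda e: (e["scope"] != "*", e["profile"], e["port"]))


def removal_reg(entries):
    """Build a .reg that deletes the given values ("name"=-) under each profile's List key."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for profile in sorted({e["profile"] for e in entries}):
        out.append("[%s\\%s\\GloballyOpenPorts\\List]" % (FIREWALL_KEY, profile))
        out.extend('"%s"=-' % e["value"] for e in entries if e["profile"] == profile)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_REG)
    for e in found:
        print("%-15s %5d/%s scope=%-11s %s  %s" % (e["profile"], e["port"], e["proto"],
                                                  e["scope"], "on " if e["enabled"] else "off",
                                                  e["name"]))
    print()
    print(removal_reg(suspicious(found)))
```

Run the export again after merging the generated .reg: an entry that reappears on the next boot points at whatever service keeps re-adding it, which is usually more interesting than the port itself.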
#9 thetshirtguys
  • Topic Starter

Posted 23 December 2013 - 03:45 PM

Alright, I was in the middle of doing step "A Welcome to xPUD screen will appear..." and I got this error on my screen and I didn't know where to go after that. It's attached as a .jpg screen shot.

 

Can you help me through this?
 
Here is my Fixlog.txt text below...
 
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 23-12-2013
Ran by Darin at 2013-12-23 13:57:57 Run:1
Running from C:\Documents and Settings\Darin.USER-4D5FD8D5EC\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7097:TCP"=-
*****************


==== End of Fixlog ====




#10 Oh My!

Posted 23 December 2013 - 04:06 PM

That error is related to your video and is a common error.

It doesn't look like the registry was modified. Please do these things.

===================================================

Registry Fix

-------------------
  • Press the Windows logo key + r on your keyboard at the same time
  • Type Notepad and press Enter
  • Copy/paste the following text inside the code box into a new notepad document.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts]
"7097:TCP"=-
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.reg.
  • Click Save.
  • Double click fix.reg and answer Yes to the prompts. You should receive the message that the entries have been successfully merged. If not, post back with the error message.
  • Delete fix.reg after use.
  • Reboot your computer
===================================================

Ubuntu MBR and Driver Report Using a USB

--------------
  • You will need a USB device with at least 2 GB of space. Warning: During this process all information will be removed from your USB device.
  • Download Ubuntu Live Ubuntu 12.04 LTS (either 64 or 32 bit) and save it to your desktop. This is a large file so allow it some time to download.
  • Download Pen Drive Linux's USB Installer and save it to your desktop
  • Double click the Universal-USB-Installer icon, select Run, then I Agree
  • On the dropdown list under Step 1 select Ubuntu 12.04 Desktop you downloaded to your desktop
  • Select the Browse button under Step 2, locate, and double click the Ubuntu file you downloaded to your desktop
  • Select your USB device under Step 3
  • Place a check mark in the Format (your USB drive letter, e.g. E):\ Drive (Erases Content) box
  • Disregard Step 4
  • Click Create, then Yes
  • Once the process has completed click Close
  • Download udriver.sh to your USB device
  • With the USB device inserted into the infected computer restart your computer
  • If your computer does not automatically boot from the USB device please see here
  • Select Run from USB device
  • Please allow the program to automatically load to the Ubuntu desktop
  • Select English, then click Try Ubuntu
  • Click on the Dash Home icon located just underneath the Ubuntu Desktop title bar at the top
  • Type terminal in the search box then press Enter
  • A command prompt window will open
  • Now please type the following and press Enter. Make sure there is a space between the different parts of the command.

sudo dd if=/dev/sda of=mbr.txt bs=512 count=1

  • An mbr.txt file will be created in your Home folder
  • Type Exit then press Enter
  • Click on the Home Folder which is most likely the third icon down on the left
  • Under Devices please click the USB device (if that is not present remove the USB device and plug it back in)
  • Locate the udriver.sh icon listed in the USB contents window, right click, select Move to, then click Home
  • Close any open windows
  • Click the Dash Home icon (1st icon on left)
  • Select the Terminal icon
  • Type the following at the prompt and hit Enter

sudo bash udriver.sh

  • Wait until report.txt pops up or the command line indicates the search is finished. This can take a while, so please be patient!
  • The report.txt file will be located in the Home folder (same folder as mbr.txt)
  • Type the following at the prompt and hit Enter

sudo bash udriver.sh -af

  • You will be prompted to input a file name. Please type the following then press Enter:

Winlogon.exe

  • After the search is completed please type the following then press Enter:

volsnap.sys

  • After the search is completed please type the following then press Enter:

explorer.exe

  • After the search is completed please type the following then press Enter:

Userinit.exe

  • After the last search is complete please type Exit and press Enter
  • Click the Home Folder
  • Right click on filefind.txt, and select Send to...
  • Click the drop down list next to Send as:, select Removable disks and shares, click the USB device (may be there by default), then click Send
  • Repeat these steps for report.txt
  • Remove the USB device from your computer
  • In the upper right hand corner of your screen select the icon just to the right of the time
  • Click Shut down..., then Restart
  • Your computer should reboot into Windows
  • Insert the USB device back into your computer
  • Zip the report.txt file and attach it to your reply. Attach but do not zip the mbr.txt and filefind.txt files.
===================================================

Things I would like to see in your next reply.
  • Did the registry key import properly?
  • report.zip
  • mbr.txt
  • filefind.txt

Gary

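
Both procedures above (the xPUD one and this Ubuntu one) dump the first 512 bytes of the disk with dd; the file is named mbr.zip or mbr.txt, but it is raw sector data, not an archive or text. What the helper will look at in that dump is whether the bootstrap code and the partition table still match a clean disk, since a bootkit has to replace the code in that sector to run before Windows loads. The parser below is an added example, not the thread's or the helper's tooling: it checks the 55AA signature, decodes the four partition entries and compares a hash of the code area with a baseline. The baseline must come from a known-clean machine with the same Windows version; the two images built in the script are constructed (not real Windows boot code), so the "clean" one merely stands in for that baseline.

```python
"""Inspect a 512-byte MBR dump, as produced by `dd if=/dev/sda bs=512 count=1`.

Verifies the boot signature, decodes the four partition entries and hashes the
bootstrap code area (bytes 0-445), which a bootkit must replace to run before
Windows does. The baseline hash must come from a known-clean machine with the
same Windows version; the two images below are constructed for this example
(not real Windows boot code), so the "clean" one simply stands in for that
baseline.
"""
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
TABLE_OFFSET = 446
ENTRY_FMT = "<B3sB3sII"     # boot flag, CHS start, type, CHS end, LBA start, sector count
PART_TYPES = {0x00: "empty", 0x07: "NTFS/HPFS", 0x0b: "FAT32", 0x0c: "FAT32 LBA",
              0x17: "hidden NTFS", 0x27: "hidden NTFS (WinRE)", 0x82: "Linux swap", 0x83: "Linux"}
# Strings the stock Windows MBR carries; their absence is a cheap first hint.
STOCK_MSGS = (b"Invalid partition table", b"Error loading operating system",
              b"Missing operating system")


def make_entry(boot, ptype, lba_start, sectors):
    chs = b"\xfe\xff\xff"          # placeholder CHS; loaders use the LBA fields
    return struct.pack(ENTRY_FMT, boot, chs, ptype, chs, lba_start, sectors)


def build_sample_mbr(code):
    """Constructed image: given code bytes, one active NTFS partition, 55AA signature."""
    table = make_entry(0x80, 0x07, 63, 156280257) + b"\x00" * 48
    return code.ljust(TABLE_OFFSET, b"\x00")[:TABLE_OFFSET] + table + BOOT_SIG


CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 300 + b"\x00".join(STOCK_MSGS))
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\xcc" * 200)    # code area overwritten
BASELINE_CODE_SHA256 = hashlib.sha256(CLEAN_MBR[:TABLE_OFFSET]).hexdigest()


def parse_mbr(blob):
    """Decode signature, code hash, stock-string presence and the partition table."""
    if len(blob) < SECTOR:
        raise ValueError("need 512 bytes, got %d" % len(blob))
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        boot, _, ptype, _, lba, size = struct.unpack(ENTRY_FMT, blob[off:off + 16])
        parts.append({"index": i, "boot": boot, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, "0x%02x" % ptype),
                      "lba_start": lba, "sectors": size})
    code = blob[:TABLE_OFFSET]
    return {"signature_ok": blob[510:512] == BOOT_SIG,
            "code_sha256": hashlib.sha256(code).hexdigest(),
            "stock_messages": all(m in code for m in STOCK_MSGS),
            "partitions": parts}


def assess(blob, baseline_sha256):
    """List of findings for the dump; an empty list means nothing stood out."""
    info = parse_mbr(blob)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature is not 55AA")
    if info["code_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    if not info["stock_messages"]:
        findings.append("stock error strings absent from bootstrap code")
    active = [p for p in info["partitions"] if p["boot"] == 0x80]
    if len(active) != 1:
        findings.append("%d active partitions, expected 1" % len(active))
    for p in info["partitions"]:
        if p["boot"] not in (0x00, 0x80):
            findings.append("entry %d has invalid boot flag 0x%02x" % (p["index"], p["boot"]))
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            findings.append("entry %d is type 0 but has a non-zero extent" % p["index"])
    used = sorted((p["lba_start"], p["lba_start"] + p["sectors"])
                  for p in info["partitions"] if p["type"])
    for (_, end_a), (start_b, _) in zip(used, used[1:]):
        if start_b < end_a:
            findings.append("partition entries overlap at LBA %d" % start_b)
    return findings


if __name__ == "__main__":
    for label, image in (("clean sample", CLEAN_MBR), ("tampered sample", TAMPERED_MBR)):
        print(label, "->", assess(image, BASELINE_CODE_SHA256) or "no findings")
    # Real use: assess(open("mbr.zip", "rb").read(), baseline_from_clean_host)
```

A matching hash is only as good as the baseline: an OEM or imaging tool may ship its own MBR code, so take the baseline from the same build and vendor, and treat the string check as a hint rather than proof, since a bootkit can keep the original messages in place.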
#11 Oh My!

Posted 29 December 2013 - 09:47 AM

Greetings,

===================================================

3 Day Bump

It has been more than 3 days since my last post.
  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

Gary

#12 Oh My!

Posted 01 January 2014 - 06:43 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Gary



