
svchost.exe/rpcss malware, revisited


  • This topic is locked
48 replies to this topic

#1 LemonLime7

LemonLime7

  • Members
  • 48 posts
  • OFFLINE
  • Local time: 06:44 AM

Posted 13 April 2014 - 10:41 AM

I have had a recurrence of the malware originally removed in my post of February 10, linked here:

http://www.bleepingcomputer.com/forums/t/523876/trojan-disinfected-desktop-and-key-programs-not-working-in-xp/#entry3285341

 

My computer was working fine until about 1 week ago, when svchost.exe started taking up 100 percent of my CPU resources. I tried all the Microsoft updates and patches; nothing seemed to resolve it. I did some research and ran MB Anti-Rootkit, and it found malware under the rpcss process. I cleaned the file, and it was gone (this was Friday). The svchost problem was gone, and the computer ran great, even faster than before.

 

Overnight, I ran my AVG scanner, and later got prompted to reboot my system to clean remaining issues. On reboot, I'm stuck with exactly the same issues I had when I originally posted my first post around Feb 4. Somehow the same malware got reintroduced to my system after the reboot. However, this time the malware was called 'Trojan.Zekos.PatchedXP3' (before I had cleaned it), and the regular AVG scans/MBAM did not detect it; it was only MB Anti-Rootkit that found it and cleaned it, and AFTER the cleaning, the AVG scan found it on the overnight scan. I rebooted to finish removal, as prompted; I fear I accidentally unleashed something from a quarantine/system restore point, yet the only system restore I did was the MB Anti-Rootkit one, when, while/after cleaning, it prompted me to create a new one.

 

OK, here are the DDS logs, as requested; later, I will add the FRST scan logs, as per step 12 in the original removal process. Trying to save some time, I hope I am not going too fast, too soon.
 

DDS.txt

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.51.2
Run by Owner at 10:22:50 on 2014-04-12
.
============== Running Processes ================
.
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: HP View: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hewlett-packard\digital imaging\bin\hpdtlk02.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} -
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe
mRun: [Iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe
mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_7_700_224_ActiveX.exe -update activex
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.1/jinstall-1_4_1_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{C984AE28-2489-4B10-8188-DFDCD49144B1} : DHCPNameServer = 75.75.75.75 75.75.76.76
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll
.
============= SERVICES / DRIVERS ===============
.
R? avg9emc;AVG Free E-mail Scanner
R? CodeMeter.exe;CodeMeter Runtime Server
R? hitmanpro35;Hitman Pro 3.5 Support Driver
R? mrtRate;mrtRate
R? Secunia PSI Agent;Secunia PSI Agent
S? avg9wd;AVG Free WatchDog
S? AvgLdx86;AVG Free AVI Loader Driver x86
S? AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86
S? AvgTdiX;AVG Free Network Redirector
S? mbamchameleon;mbamchameleon
S? MBAMSwissArmy;MBAMSwissArmy
S? Secunia Update Agent;Secunia Update Agent
.
=============== Created Last 30 ================
.
2014-04-11 18:04:25 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)
2014-04-11 18:04:24 40776 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-10 16:25:43 -------- d-----w- C:\000progs041014
2014-04-09 19:16:21 -------- d-----w- C:\46b287ed135d4f37bb5b5495aa1147
2014-03-21 18:34:55 -------- d-----w- c:\documents and settings\owner\local settings\application data\Sun
2014-03-21 18:06:22 -------- d-----w- C:\AdwCleaner
.
==================== Find3M  ====================
.
2014-04-12 13:35:17 52312 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-03-21 18:30:53 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-03-06 17:59:23 920064 ----a-w- c:\windows\system32\wininet.dll
2014-03-06 17:59:22 43520 ----a-w- c:\windows\system32\licmgr10.dll
2014-03-06 17:59:22 18944 ----a-w- c:\windows\system32\corpol.dll
2014-03-06 17:59:22 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2014-03-06 00:46:54 385024 ----a-w- c:\windows\system32\html.iec
2014-02-26 01:59:05 13312 ------w- c:\windows\system32\xp_eos.exe
2014-02-19 05:26:33 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys.bak
2014-02-19 04:50:44 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys.dump
2014-02-07 02:01:37 1879040 ----a-w- c:\windows\system32\win32k.sys
2014-02-05 08:55:04 562688 ----a-w- c:\windows\system32\qedit.dll
2014-01-16 19:34:28 3038 ----a-w- C:\fix_svchost.bat
.
============= FINISH: 10:24:58.50 ===============

 

DDS Attach.txt

Attached file: attach.txt (13.07 KB)

Next, FRST logs

 

FRST.txt

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-04-2014 01
Ran by Owner (administrator) on YOUR-XHTR8HVC4P on 12-04-2014 14:38:34
Running from K:\tools 4-11-14
Microsoft Windows XP Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Iomega Corporation) C:\Program Files\Iomega\System32\AppServices.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
() C:\Program Files\Softex\OmniPass\Omniserv.exe
(Secunia) C:\Program Files\Secunia\PSI\sua.exe
(America Online, Inc.) C:\WINDOWS\wanmpsvc.exe
(Iomega Corporation) C:\Program Files\Iomega\AutoDisk\ADService.exe
() C:\Program Files\Softex\OmniPass\OPXPApp.exe
(Hewlett-Packard Company) C:\windows\system\hpsysdrv.exe
(Intel Corporation) C:\WINDOWS\System32\hkcmd.exe
(Hewlett-Packard Company) C:\HP\KBD\KBD.EXE
(Realtek Semiconductor Corp.) C:\WINDOWS\ALCXMNTR.EXE
(RealNetworks, Inc.) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
(Iomega Corporation) C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
(Iomega) C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe
(Hewlett-Packard Co.) C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
(interMute, Inc.) C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgwdsvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgcsrvx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgchsvx.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [hpsysdrv] - c:\windows\system\hpsysdrv.exe [52736 1998-05-07] (Hewlett-Packard Company)
HKLM\...\Run: [KBD] - C:\HP\KBD\KBD.EXE [61440 2003-02-11] (Hewlett-Packard Company)
HKLM\...\Run: [Recguard] - C:\WINDOWS\SMINST\RECGUARD.EXE [212992 2002-09-13] ()
HKLM\...\Run: [nwiz] - nwiz.exe /installquiet /keeploaded /nodetect
HKLM\...\Run: [Sunkist2k] - C:\Program Files\Multimedia Card Reader\shwicon2k.exe [139264 2003-08-09] (Alcor Micro, Corp.)
HKLM\...\Run: [AlcxMonitor] - C:\WINDOWS\ALCXMNTR.EXE [57344 2004-09-07] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [37296 2011-09-07] (Adobe Systems Incorporated)
HKLM\...\Run: [TkBellExe] - C:\Program Files\Common Files\Real\Update_OB\realsched.exe [202256 2010-09-04] (RealNetworks, Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [ADUserMon] - C:\Program Files\Iomega\AutoDisk\ADUserMon.exe [147456 2002-09-24] (Iomega Corporation)
HKLM\...\Run: [Iomega Drive Icons] - C:\Program Files\Iomega\DriveIcons\ImgIcon.exe [86016 2002-08-13] (Iomega)
HKLM\...\Run: [Deskup] - C:\Program Files\Iomega\DriveIcons\deskup.exe [32768 2002-07-16] (Iomega)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-08-27] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\qttask.exe [421888 2012-10-25] (Apple Inc.)
Winlogon\Notify\avgrsstarter: C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
Winlogon\Notify\OPXPGina: C:\Program Files\Softex\OmniPass\opxpgina.dll ()
HKU\.DEFAULT\...\RunOnce: [FlashPlayerUpdate] - C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe [814472 2013-06-17] (Adobe Systems Incorporated)
HKU\S-1-5-21-980271276-481220816-41620543-1003\...\Run: [NVIEW] - rundll32.exe nview.dll,nViewLoadHook
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
ShortcutTarget: spamsubtract.lnk -> C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (interMute, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
SearchScopes: HKCU - {EA7A303C-50FB-4CBE-8009-CCA658A7C19C} URL = http://search.yahoo.com/search?p={searchterms}&ei=UTF-8&fr=w3i&type=W3i_DS,136,0_0,Search,20120623,6901,0,8,0
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU - HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll (Hewlett-Packard Company)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.4.1/jinstall-1_4_1_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

FireFox:
========
FF Plugin: @adobe.com/ShockwavePlayer - C:\WINDOWS\system32\Adobe\Director\np32dsw_1202122.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @divx.com/DivX Browser Plugin,version=1.0.0 - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @java.com/DTPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @real.com/nppl3260;version=6.0.12.775 - c:\program files\real\realone player\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprjplug;version=1.0.3.775 - c:\program files\real\realone player\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprphtml5videoshim;version=1.0.0.0 - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.12.775 - c:\program files\real\realone player\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF Extension: RealPlayer Browser Record Plugin - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010-09-04]
FF HKLM\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010-09-08]
FF HKLM\...\Firefox\Extensions: [{23fcfd51-4958-4f00-80a3-ae97e717ed8b}] - C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF Extension: DivX Plus Web Player HTML5 <video> - C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2011-12-28]
FF HKCU\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010-09-08]

========================== Services (Whitelisted) =================

S2 avg9emc; C:\Program Files\AVG\AVG9\avgemc.exe [921952 2010-08-24] (AVG Technologies CZ, s.r.o.)
R2 avg9wd; C:\Program Files\AVG\AVG9\avgwdsvc.exe [308136 2010-08-24] (AVG Technologies CZ, s.r.o.)
S2 CodeMeter.exe; C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe [2571704 2012-12-03] (WIBU-SYSTEMS AG)
S3 hpqcxs08; C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqcxs08.dll [253568 2009-11-18] (Hewlett-Packard Co.)
S2 hpqddsvc; C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqddsvc.dll [137344 2009-11-18] (Hewlett-Packard Co.)
R2 Iomega App Services; C:\Program Files\Iomega\System32\AppServices.exe [73728 2002-09-04] (Iomega Corporation)
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-03-21] (Oracle Corporation)
R2 omniserv; C:\Program Files\Softex\OmniPass\Omniserv.exe [68704 2003-02-21] ()
S3 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [1227800 2013-04-18] (Secunia)
R2 Secunia Update Agent; C:\Program Files\Secunia\PSI\sua.exe [659992 2013-04-18] (Secunia)
R2 WANMiniportService; C:\WINDOWS\wanmpsvc.exe [65536 2003-05-01] (America Online, Inc.)
R2 _IOMEGA_ACTIVE_DISK_SERVICE_; C:\Program Files\Iomega\AutoDisk\ADService.exe [151552 2002-09-24] (Iomega Corporation)
S2 DcomLaunch; %SystemRoot%\system32\rpcss.dll [X]
S4 Iomega Activity Disk2; "" [X]
S2 RpcSs; %SystemRoot%\System32\rpcss.dll [X]

==================== Drivers (Whitelisted) ====================

R1 AFS2K; C:\WINDOWS\system32\Drivers\AFS2K.sys [35840 2004-10-07] (Oak Technology Inc.)
R3 ALCXWDM; C:\WINDOWS\System32\drivers\ALCXWDM.SYS [2279424 2004-10-01] (Realtek Semiconductor Corp.)
R1 AvgLdx86; C:\WINDOWS\System32\Drivers\avgldx86.sys [226016 2013-01-15] (AVG Technologies CZ, s.r.o.)
R1 AvgMfx86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [29712 2011-09-13] (AVG Technologies CZ, s.r.o.)
R1 AvgTdiX; C:\WINDOWS\System32\Drivers\avgtdix.sys [243152 2011-05-06] (AVG Technologies CZ, s.r.o.)
S3 BCM42RLY; C:\WINDOWS\System32\BCM42RLY.SYS [17992 2005-02-01] (Broadcom Corporation)
S3 GTNDIS5; C:\WINDOWS\system32\GTNDIS5.SYS [15872 2003-09-25] (Printing Communications Assoc., Inc. (PCAUSA))
S3 hitmanpro35; C:\WINDOWS\system32\drivers\hitmanpro35.sys [16968 2011-04-11] ()
S3 HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [49920 2009-08-26] (HP)
S3 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [16496 2009-08-26] (HP)
S3 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21568 2009-08-26] (HP)
R0 iomdisk; C:\WINDOWS\System32\DRIVERS\iomdisk.sys [30258 2002-09-04] (Iomega Corporation)
R3 ltmodem5; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [625537 2003-03-31] (LT)
R1 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [52312 2014-04-12] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\mbamswissarmy.sys [40776 2014-04-12] (Malwarebytes Corporation)
R0 nv_agp; C:\WINDOWS\System32\DRIVERS\nv_agp.sys [18688 2003-03-20] (NVIDIA Corporation)
R3 pfc; C:\WINDOWS\System32\drivers\pfc.sys [9856 2002-10-01] (Padus, Inc.)
R0 ppa3; C:\WINDOWS\System32\DRIVERS\ppa3.sys [17664 2008-04-13] (Microsoft Corporation)
R3 rtl8139; C:\WINDOWS\System32\DRIVERS\R8139n51.SYS [46976 2002-10-04] (Realtek Semiconductor Corporation       )
S3 S3Psddr; C:\WINDOWS\System32\DRIVERS\s3gnbm.sys [166912 2004-08-04] (S3 Graphics, Inc.)
S3 SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [394752 2003-05-06] (Silicon Integrated Systems Corporation)
R1 SiSkp; C:\WINDOWS\System32\DRIVERS\srvkp.sys [10624 2003-04-11] (Silicon Integrated Systems Corporation)
R3 SunkFilt; C:\WINDOWS\System32\Drivers\sunkfilt.sys [40228 2003-08-11] (Alcor Micro Corp.)
R0 viaagp1; C:\WINDOWS\System32\DRIVERS\viaagp1.sys [26880 2002-12-27] (VIA Technologies, Inc.)
R3 WUSB54GPV4SRV; C:\WINDOWS\System32\DRIVERS\rt2500usb.sys [245376 2005-11-17] (Ralink Technology Inc.)
S3 {6080A529-897E-4629-A488-ABA0C29B635E}; C:\WINDOWS\System32\drivers\ialmsbw.sys [113504 2003-04-15] (Intel Corporation)
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}; C:\WINDOWS\System32\drivers\ialmkchw.sys [78752 2003-04-15] (Intel Corporation)
S3 catchme; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys [X]
S2 MCSTRM; No ImagePath
S2 mrtRate; No ImagePath
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S3 Sunkfiltp; \??\C:\WINDOWS\System32\Drivers\sunkfiltp.sys [X]
U3 TlntSvr;
U3 mbr; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\mbr.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-04-12 14:35 - 2014-04-12 14:38 - 00000000 ____D () C:\FRST
2014-04-12 14:34 - 2014-04-12 14:34 - 00000381 _____ () C:\Documents and Settings\Owner\Desktop\Shortcut to FRST.lnk
2014-04-12 10:24 - 2014-04-12 10:24 - 00013379 _____ () C:\Documents and Settings\Owner\Desktop\attach.txt
2014-04-12 10:24 - 2014-04-12 10:24 - 00007809 _____ () C:\Documents and Settings\Owner\Desktop\dds.txt
2014-04-12 10:04 - 2014-04-12 10:04 - 00000000 _____ () C:\Documents and Settings\Owner\Desktop\New Text Document.txt
2014-04-11 15:39 - 2014-04-11 15:17 - 00688992 ____R (Swearware) C:\Documents and Settings\Owner\Desktop\dds.com
2014-04-11 13:04 - 2014-04-12 10:06 - 00040776 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-04-11 13:04 - 2014-04-12 10:03 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-04-10 16:54 - 2014-04-10 16:54 - 00000000 ____S () C:\WINDOWS\system32\ujkqe.owl
2014-04-10 11:35 - 2014-04-10 20:27 - 00000649 _____ () C:\Documents and Settings\Owner\Desktop\Rc0410AQ Th.txt
2014-04-10 11:25 - 2014-04-12 12:38 - 00000000 ____D () C:\000progs041014
2014-04-09 16:02 - 2014-04-09 16:08 - 00011992 _____ () C:\WINDOWS\KB2936068-IE8.log
2014-04-09 15:39 - 2014-04-09 15:39 - 00000000 ____S () C:\WINDOWS\system32\fufb.kvr
2014-04-09 14:35 - 2014-04-09 14:35 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2922229$
2014-04-09 14:16 - 2014-04-09 14:30 - 00000000 ____D () C:\46b287ed135d4f37bb5b5495aa1147
2014-04-09 14:01 - 2014-04-09 14:35 - 00010007 _____ () C:\WINDOWS\KB2922229.log
2014-04-09 11:33 - 2014-04-09 14:24 - 00000572 _____ () C:\Documents and Settings\Owner\Desktop\Rc0409AQ Wed.txt
2014-04-08 15:18 - 2014-04-08 15:18 - 00000000 ____S () C:\WINDOWS\system32\chmsa.wei
2014-04-07 14:56 - 2014-04-07 14:56 - 00000000 ____S () C:\WINDOWS\system32\cryuu.egc
2014-04-06 14:32 - 2014-04-06 14:32 - 00000000 ____S () C:\WINDOWS\system32\rhbnd.urr
2014-04-05 12:07 - 2014-04-05 12:08 - 00000000 ____D () C:\Documents and Settings\Owner\Desktop\siding
2014-04-04 11:23 - 2014-04-06 19:44 - 00000000 ____D () C:\Documents and Settings\Owner\Desktop\Rc 14 04
2014-04-04 11:23 - 2014-04-04 12:33 - 00001979 _____ () C:\Documents and Settings\Owner\Desktop\Rc0404.txt
2014-04-03 09:42 - 2014-04-03 09:43 - 00000000 ____D () C:\Documents and Settings\Owner\Desktop\Rc 14 03
2014-04-03 09:33 - 2014-04-11 16:19 - 00000077 _____ () C:\WINDOWS\system32\utjt.bbr
2014-04-03 09:20 - 2014-04-03 09:20 - 00000064 _____ () C:\WINDOWS\system32\wugl.uki
2014-04-03 09:20 - 2014-04-03 09:20 - 00000000 _____ () C:\WINDOWS\system32\lfjsbda.wmj
2014-04-03 09:02 - 2014-04-03 09:02 - 00299344 ____S () C:\WINDOWS\system32\cpsyv.yax
2014-03-25 10:59 - 2014-03-25 10:59 - 01487154 _____ () C:\Documents and Settings\Owner\Desktop\Replacement Battery Dell L top COM12073.mht
2014-03-22 10:01 - 2014-04-03 10:59 - 00002059 _____ () C:\Documents and Settings\Owner\Desktop\ADD STOCKS.txt
2014-03-21 13:34 - 2014-03-21 13:34 - 00000000 ____D () C:\Documents and Settings\Owner\Local Settings\Application Data\Sun
2014-03-21 13:25 - 2014-03-21 13:25 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Java
2014-03-21 13:06 - 2014-03-21 13:08 - 00000000 ____D () C:\AdwCleaner
2014-03-16 11:33 - 2014-04-11 16:16 - 00000000 ____D () C:\Documents and Settings\Owner\Desktop\Mkts0316on
2014-03-15 11:53 - 2014-04-08 15:00 - 00000216 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-03-15 10:37 - 2014-03-15 10:39 - 00014468 _____ () C:\WINDOWS\KB2925418-IE8.log
2014-03-15 10:36 - 2014-03-15 10:36 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2930275$
2014-03-15 10:36 - 2014-03-15 10:36 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2929961$
2014-03-13 10:12 - 2014-03-15 10:36 - 00014888 _____ () C:\WINDOWS\KB2929961.log
2014-03-13 10:11 - 2014-03-15 10:36 - 00016357 _____ () C:\WINDOWS\KB2930275.log

==================== One Month Modified Files and Folders =======

2014-04-12 14:38 - 2014-04-12 14:35 - 00000000 ____D () C:\FRST
2014-04-12 14:34 - 2014-04-12 14:34 - 00000381 _____ () C:\Documents and Settings\Owner\Desktop\Shortcut to FRST.lnk
2014-04-12 12:38 - 2014-04-10 11:25 - 00000000 ____D () C:\000progs041014
2014-04-12 10:24 - 2014-04-12 10:24 - 00013379 _____ () C:\Documents and Settings\Owner\Desktop\attach.txt
2014-04-12 10:24 - 2014-04-12 10:24 - 00007809 _____ () C:\Documents and Settings\Owner\Desktop\dds.txt
2014-04-12 10:06 - 2014-04-11 13:04 - 00040776 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-04-12 10:04 - 2014-04-12 10:04 - 00000000 _____ () C:\Documents and Settings\Owner\Desktop\New Text Document.txt
2014-04-12 10:03 - 2014-04-11 13:04 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-04-12 10:03 - 2014-02-18 10:56 - 00000000 ____D () C:\Documents and Settings\Owner\Desktop\mbar
2014-04-12 08:35 - 2014-02-18 10:56 - 00052312 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-04-12 08:34 - 2010-08-24 09:25 - 00000000 ____D () C:\WINDOWS\system32\Drivers\Avg
2014-04-12 08:30 - 2004-01-19 15:21 - 00001465 _____ () C:\WINDOWS\system\hpsysdrv.dat
2014-04-12 08:29 - 2009-11-24 10:08 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\avg9
2014-04-12 08:28 - 2011-05-20 08:56 - 01215387 _____ () C:\WINDOWS\WindowsUpdate.log
2014-04-12 08:25 - 2010-09-21 19:05 - 00000216 _____ () C:\WINDOWS\wiadebug.log
2014-04-12 08:25 - 2003-08-23 07:56 - 00032446 _____ () C:\WINDOWS\SchedLgU.Txt
2014-04-12 08:25 - 2003-08-23 07:56 - 00000278 ___SH () C:\Documents and Settings\Owner\ntuser.ini
2014-04-12 08:25 - 2003-08-23 07:53 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-04-11 16:22 - 2011-04-10 11:14 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-04-11 16:19 - 2014-04-03 09:33 - 00000077 _____ () C:\WINDOWS\system32\utjt.bbr
2014-04-11 16:18 - 2014-01-31 01:47 - 00000286 _____ () C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-980271276-481220816-41620543-1003.job
2014-04-11 16:18 - 2014-01-31 01:47 - 00000278 _____ () C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-980271276-481220816-41620543-1003.job
2014-04-11 16:16 - 2014-03-16 11:33 - 00000000 ____D () C:\Documents and Settings\Owner\Desktop\Mkts0316on
2014-04-11 15:59 - 2013-07-10 22:50 - 00000280 _____ () C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-18.job
2014-04-11 15:59 - 2010-09-21 19:05 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2014-04-11 15:17 - 2014-04-11 15:39 - 00688992 ____R (Swearware) C:\Documents and Settings\Owner\Desktop\dds.com
2014-04-10 20:28 - 2004-08-15 17:37 - 00000000 ____D () C:\Documents and Settings\Owner\Desktop\Hijack This
2014-04-10 20:27 - 2014-04-10 11:35 - 00000649 _____ () C:\Documents and Settings\Owner\Desktop\Rc0410AQ Th.txt
2014-04-10 16:54 - 2014-04-10 16:54 - 00000000 ____S () C:\WINDOWS\system32\ujkqe.owl
2014-04-10 11:36 - 2010-05-20 17:02 - 00000000 ____D () C:\Documents and Settings\Owner\My Documents\StreamTransport
2014-04-10 11:32 - 2014-01-14 11:21 - 00001083 _____ () C:\Documents and Settings\Owner\Desktop\Stocklist 040414.txt
2014-04-09 17:46 - 2005-07-29 19:51 - 00000000 ____D () C:\Program Files\PokerStars.NET
2014-04-09 16:08 - 2014-04-09 16:02 - 00011992 _____ () C:\WINDOWS\KB2936068-IE8.log
2014-04-09 16:08 - 2014-01-16 14:08 - 00178169 _____ () C:\WINDOWS\tsoc.log
2014-04-09 16:08 - 2014-01-16 14:08 - 00025777 _____ () C:\WINDOWS\ocmsn.log
2014-04-09 16:08 - 2014-01-16 14:08 - 00023311 _____ () C:\WINDOWS\msgsocm.log
2014-04-09 16:08 - 2014-01-16 14:08 - 00001355 _____ () C:\WINDOWS\imsins.log
2014-04-09 16:08 - 2014-01-16 14:07 - 00469325 _____ () C:\WINDOWS\FaxSetup.log
2014-04-09 16:08 - 2014-01-16 14:07 - 00218709 _____ () C:\WINDOWS\ocgen.log
2014-04-09 16:08 - 2014-01-16 14:07 - 00153715 _____ () C:\WINDOWS\comsetup.log
2014-04-09 16:08 - 2014-01-16 14:07 - 00093552 _____ () C:\WINDOWS\ntdtcsetup.log
2014-04-09 16:08 - 2014-01-16 14:07 - 00073828 _____ () C:\WINDOWS\iis6.log
2014-04-09 16:07 - 2011-05-20 08:56 - 00398110 _____ () C:\WINDOWS\setupapi.log
2014-04-09 16:06 - 2014-01-16 14:06 - 00021973 _____ () C:\WINDOWS\updspapi.log
2014-04-09 15:39 - 2014-04-09 15:39 - 00000000 ____S () C:\WINDOWS\system32\fufb.kvr
2014-04-09 14:35 - 2014-04-09 14:35 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2922229$
2014-04-09 14:35 - 2014-04-09 14:01 - 00010007 _____ () C:\WINDOWS\KB2922229.log
2014-04-09 14:35 - 2014-01-16 14:08 - 00001355 _____ () C:\WINDOWS\imsins.BAK
2014-04-09 14:30 - 2014-04-09 14:16 - 00000000 ____D () C:\46b287ed135d4f37bb5b5495aa1147
2014-04-09 14:30 - 2014-02-19 19:39 - 00000000 ____D () C:\WINDOWS\system32\MRT
2014-04-09 14:24 - 2014-04-09 11:33 - 00000572 _____ () C:\Documents and Settings\Owner\Desktop\Rc0409AQ Wed.txt
2014-04-09 14:17 - 2010-08-23 22:31 - 88028728 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2014-04-09 12:14 - 2013-05-22 13:04 - 00000284 _____ () C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2014-04-08 15:18 - 2014-04-08 15:18 - 00000000 ____S () C:\WINDOWS\system32\chmsa.wei
2014-04-08 15:00 - 2014-03-15 11:53 - 00000216 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-04-08 11:42 - 2009-09-22 11:43 - 00000472 _____ () C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
2014-04-08 03:23 - 2013-07-10 22:50 - 00000288 _____ () C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
2014-04-07 23:59 - 2014-02-25 18:03 - 00011087 _____ () C:\Documents and Settings\Owner\Desktop\Pkr0407 running bad, getting pissed, tired, and bleep away another stack later to a donkshover.txt
2014-04-07 14:56 - 2014-04-07 14:56 - 00000000 ____S () C:\WINDOWS\system32\cryuu.egc
2014-04-06 19:44 - 2014-04-04 11:23 - 00000000 ____D () C:\Documents and Settings\Owner\Desktop\Rc 14 04
2014-04-06 19:39 - 2014-01-16 13:17 - 00000000 ____D () C:\Documents and Settings\Owner\Desktop\aaafrom DT 0116
2014-04-06 19:38 - 2013-03-10 02:27 - 00000000 ____D () C:\Documents and Settings\Owner\Desktop\Meditation and mindfulness
2014-04-06 14:32 - 2014-04-06 14:32 - 00000000 ____S () C:\WINDOWS\system32\rhbnd.urr
2014-04-05 19:30 - 2003-08-23 07:56 - 00000000 ____D () C:\Documents and Settings\Owner
2014-04-05 12:08 - 2014-04-05 12:07 - 00000000 ____D () C:\Documents and Settings\Owner\Desktop\siding
2014-04-05 08:17 - 2014-01-05 22:02 - 00000000 ____D () C:\Documents and Settings\Owner\Desktop\Rc14
2014-04-04 12:33 - 2014-04-04 11:23 - 00001979 _____ () C:\Documents and Settings\Owner\Desktop\Rc0404.txt
2014-04-03 10:59 - 2014-03-22 10:01 - 00002059 _____ () C:\Documents and Settings\Owner\Desktop\ADD STOCKS.txt
2014-04-03 09:43 - 2014-04-03 09:42 - 00000000 ____D () C:\Documents and Settings\Owner\Desktop\Rc 14 03
2014-04-03 09:20 - 2014-04-03 09:20 - 00000064 _____ () C:\WINDOWS\system32\wugl.uki
2014-04-03 09:20 - 2014-04-03 09:20 - 00000000 _____ () C:\WINDOWS\system32\lfjsbda.wmj
2014-04-03 09:02 - 2014-04-03 09:02 - 00299344 ____S () C:\WINDOWS\system32\cpsyv.yax
2014-03-31 18:12 - 2011-01-19 18:47 - 00000000 ____D () C:\000all
2014-03-25 10:59 - 2014-03-25 10:59 - 01487154 _____ () C:\Documents and Settings\Owner\Desktop\Replacement Battery Dell L top COM12073.mht
2014-03-21 13:34 - 2014-03-21 13:34 - 00000000 ____D () C:\Documents and Settings\Owner\Local Settings\Application Data\Sun
2014-03-21 13:30 - 2003-08-23 22:42 - 00094632 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2014-03-21 13:25 - 2014-03-21 13:25 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Java
2014-03-21 13:23 - 2004-01-19 15:45 - 00000000 ____D () C:\Program Files\Java
2014-03-21 13:08 - 2014-03-21 13:06 - 00000000 ____D () C:\AdwCleaner
2014-03-21 11:12 - 2012-08-17 14:19 - 00000000 ____D () C:\Documents and Settings\Owner\.FBReader
2014-03-21 08:54 - 2014-01-01 02:16 - 00000000 ____D () C:\Documents and Settings\Owner\Desktop\Bks cp
2014-03-15 11:58 - 2003-08-23 00:46 - 00445630 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-03-15 11:50 - 2003-08-23 00:46 - 00240736 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2014-03-15 10:39 - 2014-03-15 10:37 - 00014468 _____ () C:\WINDOWS\KB2925418-IE8.log
2014-03-15 10:36 - 2014-03-15 10:36 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2930275$
2014-03-15 10:36 - 2014-03-15 10:36 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2929961$
2014-03-15 10:36 - 2014-03-13 10:12 - 00014888 _____ () C:\WINDOWS\KB2929961.log
2014-03-15 10:36 - 2014-03-13 10:11 - 00016357 _____ () C:\WINDOWS\KB2930275.log

Files to move or delete:
====================
C:\Documents and Settings\Owner\java.exe
C:\Documents and Settings\Owner\jqs.exe

==================== Bamital & volsnap Check =================

C:\WINDOWS\explorer.exe => MD5 is legit
C:\WINDOWS\system32\winlogon.exe => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\User32.dll => MD5 is legit
C:\WINDOWS\system32\userinit.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll IS MISSING <==== ATTENTION!.
C:\WINDOWS\system32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

Finally, FRST Addition.txt


Additional scan result of Farbar Recovery Scan Tool (x86) Version: 12-04-2014 01
Ran by Owner at 2014-04-12 14:39:44
Running from K:\tools 4-11-14
Boot Mode: Normal
==========================================================

==================== Security Center ========================

==================== Installed Programs ======================

32 Bit HP CIO Components Installer (Version: 6.1.2 - Hewlett-Packard) Hidden
3ivx MPEG-4 5.0.2 (remove only) (HKLM\...\3ivx MPEG-4 5.0.2) (Version: 5.0.2 - 3ivx Technologies, Pty. Ltd.)
7-Zip 9.20 (HKLM\...\7-Zip) (Version:  - )
AC3Filter 1.63b (HKLM\...\AC3Filter_is1) (Version: 1.63b - Alexander Vigovsky)
Active Disk (HKLM\...\Active Disk) (Version:  - )
Adobe AIR (HKLM\...\Adobe AIR) (Version: 3.7.0.1860 - Adobe Systems Incorporated)
Adobe AIR (Version: 3.7.0.1860 - Adobe Systems Incorporated) Hidden
Adobe Flash Player 11 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 11.7.700.224 - Adobe Systems Incorporated)
Adobe Reader 9.4.6 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A94000000001}) (Version: 9.4.6 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.0 (HKLM\...\Adobe Shockwave Player) (Version: 12.0.2.122 - Adobe Systems, Inc.)
Apple Application Support (HKLM\...\{63EC2120-1742-4625-AA47-C6A8AEC9C64C}) (Version: 2.2.2 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}) (Version: 3.2.0.47 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Applet (HKCU\...\Applet) (Version:  - Applet)
ArcSoft ShowBiz 2 (HKLM\...\{791B20D4-AE59-4DE9-B45F-BA01F3D0A493}) (Version:  - )
AVG Free 9.0 (HKLM\...\AVG9Uninstall) (Version:  - AVG Technologies)
BitZipper 2010 (HKLM\...\BitZipper_is1) (Version:  - Bitberry Software)
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Bounce from Hewlett-Packard Desktops (remove only) (HKLM\...\D11F7128-8CBD-408B-8BF8-034604DEDD42) (Version:  - )
BrainWave Generator (HKLM\...\BrainWave Generator) (Version:  - )
BufferChm (Version: 140.0.212.000 - Hewlett-Packard) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 3.10 - Piriform)
CreativeProjects (Version: 5.30.0.136 - Hewlett-Packard) Hidden
D1600 (Version: 140.0.690.000 - Hewlett-Packard) Hidden
DeviceDiscovery (Version: 140.0.212.000 - Hewlett-Packard) Hidden
DivX Setup (HKLM\...\DivX Setup) (Version: 2.6.1.3 - DivX, LLC)
DJ_SF_06_D1600_SW_Min (Version: 140.0.690.000 - Hewlett-Packard) Hidden
FBReader for Windows (HKLM\...\FBReader for Windows) (Version:  - )
File Splitter and Joiner (FFSJ v3.3) (HKLM\...\File Splitter and Joiner_is1) (Version:  - Le Minh Hoang)
File Type Assistant (HKLM\...\Trusted Software Assistant_is1) (Version:  - Trusted Software) <==== ATTENTION
Foxit Reader (HKLM\...\Foxit Reader) (Version: 4.1.1.805 - Foxit Software Company)
GPBaseService2 (Version: 140.0.211.000 - Hewlett-Packard) Hidden
HijackThis 2.0.2 (HKLM\...\HijackThis) (Version: 2.0.2 - TrendMicro)
HP Customer Participation Program 14.0 (HKLM\...\HPExtendedCapabilities) (Version: 14.0 - HP)
HP Deskjet D1600 Printer Driver Software 14.0 Rel. 6 (HKLM\...\{96178C0A-BAF9-4E49-A2A5-CDE76722105B}) (Version: 14.0 - HP)
HP Deskjet Preloaded Printer Drivers (HKLM\...\{F419D20A-7719-4639-8E30-C073A040D878}) (Version: 8.3.3.0 - Hewlett-Packard Company)
HP Imaging Device Functions 14.0 (HKLM\...\HP Imaging Device Functions) (Version: 14.0 - HP)
HP Instant Support (HKLM\...\HP Instant Support) (Version:  - )
HP Organize (HKLM\...\{D0122362-6333-4DE4-93F6-A5A2F3CC101A}) (Version:  - )
HP Photo & Imaging 3.0 (HKLM\...\HP Photo & Imaging) (Version: 3.0 - HP)
HP Photo and Imaging 2.0 - Photosmart Cameras (HKLM\...\{5D7F0A0E-369E-46C0-9F99-FAB21A064781}) (Version: 2.0.0000 - {&Tahoma8}Hewlett-Packard)
HP Photo Creations (HKLM\...\HP Photo Creations) (Version: 1.0.0.2024 - HP Photo Creations Powered by RocketLife)
HP Smart Web Printing 4.60 (HKLM\...\HP Smart Web Printing) (Version: 4.60 - HP)
HP Solution Center 14.0 (HKLM\...\HP Solution Center & Imaging Support Tools) (Version: 14.0 - HP)
HP Update (HKLM\...\{74DC0593-6BC6-4001-AD5F-D810AFB68D86}) (Version: 5.002.002.002 - Hewlett-Packard)
HPImageZone (Version: 1.03.00 - Hewlett-Packard) Hidden
HPIZ Fix2 (Version: 1.00.01 - Hewlett-Packard) Hidden
hpmdtab (Version: 2.0.464.1592 - Hewlett-Packard) Hidden
HPProductAssistant (Version: 140.0.212.000 - Hewlett-Packard) Hidden
HpSdpAppCoreApp (Version: 2.00.0000 - Hewlett-Packard) Hidden
HPSSupply (Version: 140.0.211.000 - Hewlett-Packard) Hidden
HPSystemDiagnostics (Version: 1.4.0.0 - Your Company Name) Hidden
iCare Data Recovery 5.0 (HKLM\...\iCare Data Recovery_is1) (Version:  - iCare Software)
InstantShare (Version: 3.0.0.10 - Hewlett-Packard) Hidden
Intel® Extreme Graphics 2 Driver (HKLM\...\{8A708DD8-A5E6-11D4-A706-000629E95E20}) (Version:  - )
IntelliMover Data Transfer Demo (HKLM\...\{14589F05-C658-4594-9429-D437BA688686}) (Version:  - )
InterVideo WinDVD Player (HKLM\...\{98E8A2EF-4EAE-43B8-A172-74842B764777}) (Version: 4.0-B11.389 - InterVideo Inc.)
IomegaWare 4.0.2 (HKLM\...\IomegaWare) (Version:  - )
iTunes (HKLM\...\{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}) (Version: 10.0.1.22 - Apple Inc.)
IZArc 4.1.8 (HKLM\...\{97C82B44-D408-4F14-9252-47FC1636D23E}_is1) (Version: 4.1.8 - Ivan Zahariev)
Java 2 Runtime Environment, SE v1.4.1_02 (HKLM\...\{EFCE5837-FC21-11D6-9D24-00010240CE95}) (Version:  - )
Java Web Start (HKLM\...\Java Web Start) (Version:  - )
Java™ 6 Update 45 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216045FF}) (Version: 6.0.450 - Oracle)
KBD (HKLM\...\KBD) (Version:  - )
LiveReg (Symantec Corporation) (HKLM\...\LiveReg) (Version: 2.2.5.1678 - Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation) (HKLM\...\LiveUpdate) (Version: 1.80.19.0 - Symantec Corporation)
Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
MarketResearch (Version: 140.0.212.000 - Hewlett-Packard) Hidden
Memories Disc Creator 2.0 (HKLM\...\{2E132061-C78A-48D4-A899-1D13B9D189FA}) (Version: 2.0.464.1592 - Memories Disc Creator 2.0)
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 (Version: 1.1.4322 - Microsoft) Hidden
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB979906) (HKLM\...\M979906) (Version:  - )
Microsoft Internationalized Domain Names Mitigation APIs (Version:  - Microsoft Corporation) Hidden
Microsoft Money 2003 (HKLM\...\{01F9D88C-3C86-4E82-840A-101A3221F67A}) (Version: 11.0.50 - Microsoft)
Microsoft Money 2003 System Pack (HKLM\...\{02B42D23-10F2-4862-ADA4-3DF1EA0021B2}) (Version: 11.0.80 - Microsoft)
Microsoft National Language Support Downlevel APIs (Version:  - Microsoft Corporation) Hidden
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Professional Edition 2003 (HKLM\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Plus! Digital Media Edition (HKLM\...\{C6A7AF96-4EB1-4AAE-8318-1AB393C64F88}) (Version: 1.00.00.2301 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual J# .NET Redistributable Package 1.1 (HKLM\...\{1A655D51-1423-48A3-B748-8F5A0BE294C8}) (Version: 1.1.4322 - Microsoft)
Microsoft Works 7.0 (HKLM\...\{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}) (Version: 07.02.0620 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Multimedia Card Reader (HKLM\...\InstallShield_{E05895C5-FE97-4334-8D73-B0089FD07CE3}) (Version: 6.06 - )
Multimedia Card Reader (Version: 6.06 - ) Hidden
Musicmatch® Jukebox (HKLM\...\{85D3CC30-8859-481A-9654-FD9B74310BEF}) (Version: 10.00.3030 - )
NVIDIA Gart Driver (HKLM\...\NVIDIA Gart Driver) (Version:  - )
NVIDIA Windows 2000/XP Display Drivers (HKLM\...\NVIDIA) (Version:  - )
OmniPass (HKLM\...\{F4E57F49-84B4-4CF2-B0A1-8CA1752BDF7E}) (Version:  - )
Orbital from Hewlett-Packard Desktops (remove only) (HKLM\...\62067F4C-84A9-45B9-8573-B90468B0A3EF) (Version:  - )
Otto from Hewlett-Packard Desktops (remove only) (HKLM\...\BFBCBAE3-8293-4215-9C4F-C2402C118EDB) (Version:  - )
PC-Doctor for Windows (HKLM\...\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}) (Version:  - )
PhotoGallery (Version: 5.30.0.136 - Hewlett-Packard) Hidden
Photosmart 140,240,7200,7600,7700,7900 Series (HKLM\...\{45B6180B-DCAB-4093-8EE8-6164457517F0}) (Version: 2.0 - Hewlett-Packard)
PokerStars.net (HKLM\...\PokerStars.net) (Version:  - PokerStars.net)
Polar Bowler from Hewlett-Packard Desktops (remove only) (HKLM\...\36317AE4-57EC-4F3E-B828-009A3DD96BE8) (Version:  - )
PrintScreen (Version: 5.30.0.131 - Hewlett-Packard) Hidden
PS2 (HKLM\...\PS2) (Version:  - )
PSShortcutsP (Version: 1.00.0000 - Hewlett-Packard) Hidden
Python 2.2 combined Win32 extensions (HKLM\...\Python 2.2 combined Win32 extensions) (Version:  - )
Python 2.2.1 (HKLM\...\Python 2.2.1) (Version: 2.2.1 - PythonLabs at Zope Corporation)
QFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
Quicken 2003 New User Edition (HKLM\...\InstallShield_{F61F2821-694C-475F-99AB-6AF2EFDF40FD}) (Version: 12.00.0000 - Intuit)
Quicken 2003 New User Edition (Version: 12.00.0000 - Intuit) Hidden
QuickPar 0.9 (HKLM\...\QuickPar) (Version: 0.9 - Peter B. Clements)
QuickProjects (Version: 5.30.0.131 - Hewlett-Packard) Hidden
QuickTime (HKLM\...\{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}) (Version: 7.73.80.64 - Apple Inc.)
RAR Recovery Toolbox 1.1 (HKLM\...\RAR Recovery Toolbox_is1) (Version:  - Recovery ToolBox)
RealPlayer (HKLM\...\RealPlayer 12.0) (Version:  - RealNetworks)
RealUpgrade 1.0 (Version: 1.0.0 - RealNetworks, Inc.) Hidden
RecordNow! (HKLM\...\{9541FED0-327F-4DF0-8B96-EF57EF622F19}) (Version: 6.0.0 - Hewlett-Packard)
S3Display (HKLM\...\S3Display) (Version:  - )
S3Gamma2 (HKLM\...\S3Gamma2) (Version:  - )
S3Info2 (HKLM\...\S3Info2) (Version:  - )
S3Overlay (HKLM\...\S3Overlay) (Version:  - )
Secunia PSI (3.0.0.7009) (HKLM\...\Secunia PSI) (Version: 3.0.0.7009 - Secunia)
Shop for HP Supplies (HKLM\...\Shop for HP Supplies) (Version: 14.0 - HP)
SkinsHP1 (Version: 5.30.0.131 - Hewlett-Packard) Hidden
SkinsHP2 (Version: 5.30.0.136 - Hewlett-Packard) Hidden
Slyder from Hewlett-Packard Desktops (remove only) (HKLM\...\5F804D2B-A66D-4F0A-B64E-FBDA3F52E3F8) (Version:  - )
SmartWebPrinting (Version: 140.0.186.000 - Hewlett-Packard) Hidden
SolutionCenter (Version: 140.0.213.000 - Hewlett-Packard) Hidden
Sonic Update Manager (HKLM\...\{09DA4F91-2A09-4232-AB8C-6BC740096DE3}) (Version: 2.80 - Sonic Solutions)
SpamSubtract (HKLM\...\SpamSubtract) (Version:  - interMute, Inc.)
Status (Version: 140.0.212.000 - Hewlett-Packard) Hidden
StreamTransport version: 1.0.2.2171 (HKLM\...\{FA0BBB87-91A1-4BFD-9005-EB058BBA0E14}_is1) (Version:  - )
STX from Hewlett-Packard Desktops (remove only) (HKLM\...\342970EF-F8DF-4E9B-8477-A1A03E3E15E1) (Version:  - )
Sumatra PDF reader (HKLM\...\SumatraPDF) (Version:  - )
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Toolbox (Version: 140.0.428.000 - Hewlett-Packard) Hidden
toolkit (HKLM\...\HPTOOLKIT) (Version:  - )
TrayApp (Version: 140.0.212.000 - Hewlett-Packard) Hidden
Trojan Remover 6.8.2 (HKLM\...\Trojan Remover_is1) (Version: 6.8.2 - Simply Super Software)
Tweaking.com - Windows Repair (All in One) (HKLM\...\Tweaking.com - Windows Repair (All in One)) (Version: 2.3.0 - Tweaking.com)
Unload (Version: 3.0.0 - Hewlett-Packard) Hidden
Update for Windows Internet Explorer 8 (KB2447568) (HKLM\...\KB2447568-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows Internet Explorer 8 (KB976662) (HKLM\...\KB976662-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2141007) (HKLM\...\KB2141007) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2345886) (HKLM\...\KB2345886) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2467659) (HKLM\...\KB2467659) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2749655) (HKLM\...\KB2749655) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2904266) (HKLM\...\KB2904266) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2934207) (HKLM\...\KB2934207) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB951978) (HKLM\...\KB951978) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB955759) (HKLM\...\KB955759) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB967715) (HKLM\...\KB967715) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB968389) (HKLM\...\KB968389) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971029) (HKLM\...\KB971029) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971737) (HKLM\...\KB971737) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973687) (HKLM\...\KB973687) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973815) (HKLM\...\KB973815) (Version: 1 - Microsoft Corporation)
Updates from HP (HKLM\...\BackWeb-137903 Uninstaller) (Version:  - )
VC80CRTRedist - 8.0.50727.6195 (Version: 1.2.0 - DivX, Inc) Hidden
Virtual Hypnotist 5.8 (HKLM\...\Virtual Hypnotist) (Version: 5.8 - FollowTheWatch Software)
Virtual Warfare from Hewlett-Packard Desktops (remove only) (HKLM\...\4F0AE1FB-4082-4A27-8363-05D292D92FB0) (Version:  - )
Visual C++ 2008 x86 Runtime - (v9.0.30729) (Version: 9.0.30729 - Microsoft Corporation) Hidden
Visual C++ 2008 x86 Runtime - v9.0.30729.01 (HKLM\...\{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01) (Version: 9.0.30729.01 - Microsoft Corporation)
WebFldrs XP (Version: 9.50.6513 - Microsoft Corporation) Hidden
Weblink (HKLM\...\{4FCC384C-18EA-4E25-9281-A06AE006D219}) (Version:  - )
WebReg (Version: 140.0.212.017 - Hewlett-Packard) Hidden
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 7 (Version: 20070813.185237 - Microsoft Corporation) Hidden
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Media Format Runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
Yahoo! Detect (HKLM\...\YTdetect) (Version:  - )
Zero Assumption Recovery Version 9 (HKLM\...\Zero Assumption Recovery_is1) (Version:  - )

==================== Restore Points  =========================

Could not list Restore Points. Check "winmgmt" service or repair WMI.

==================== Hosts content: ==========================

2014-02-19 15:11 - 2014-02-19 15:11 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

Task: C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job => C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: C:\WINDOWS\Tasks\AppleSoftwareUpdate.job => C:\Program Files\Apple Software Update\SoftwareUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-18.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
Task: C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-980271276-481220816-41620543-1003.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
Task: C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-18.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
Task: C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-980271276-481220816-41620543-1003.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
Task: C:\WINDOWS\Tasks\ReclaimerResumeInstall_Owner.job => C:\Documents and Settings\Owner\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.70\agent\rnupgagent.exe
Task: C:\WINDOWS\Tasks\Symantec NetDetect.job => C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

==================== Loaded Modules (whitelisted) =============

2003-08-28 22:17 - 2003-02-21 05:50 - 00040960 _____ () C:\Program Files\Softex\OmniPass\opxpgina.dll
2003-08-28 22:17 - 2003-02-21 06:07 - 00068704 _____ () C:\Program Files\Softex\OmniPass\Omniserv.exe
2003-08-28 22:17 - 2003-02-21 05:50 - 00053248 _____ () C:\Program Files\Softex\OmniPass\OPXPApp.exe
2003-08-28 22:17 - 2003-02-21 05:49 - 00061440 _____ () C:\Program Files\Softex\OmniPass\GINASTUB.dll
2002-07-16 12:56 - 2002-07-16 10:55 - 00081920 _____ () C:\Program Files\Iomega\Common\IoATLDrv.dll
2012-08-27 21:33 - 2012-08-27 21:33 - 00087912 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2012-08-27 21:33 - 2012-08-27 21:33 - 01242512 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2006-09-04 20:03 - 2006-08-05 11:34 - 00126464 _____ () C:\Program Files\WinRAR\rarext.dll
2003-08-28 22:17 - 2003-02-21 05:49 - 00172032 _____ () C:\Program Files\Softex\OmniPass\OPComm.dll
2013-07-07 08:04 - 2012-07-20 14:42 - 00652800 _____ () C:\Program Files\IZArc\IZArcCM.dll
2013-07-07 07:35 - 2008-07-20 21:11 - 00247808 _____ () C:\WINDOWS\system32\FFSJ\FFSJSHL.dll

==================== Alternate Data Streams (whitelisted) =========

==================== Safe Mode (whitelisted) ===================

==================== Disabled items from MSCONFIG ==============

==================== Faulty Device Manager Devices =============

Could not list Devices. Check "winmgmt" service or repair WMI.

==================== Event log errors: =========================

Application errors:
==================
Error: (02/17/2014 03:39:13 PM) (Source: WinMgmt) (User: )
Description: Failed to load MOF C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\ASPNET.MOF while recovering repository file.

Error: (12/21/2013 08:54:16 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4908188

Error: (12/21/2013 08:54:16 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 4908188

Error: (12/21/2013 08:54:16 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (12/15/2013 10:52:06 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved

Error: (12/15/2013 10:37:59 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved

Error: (12/15/2013 10:21:57 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved

System errors:
=============
Error: (04/11/2014 04:03:00 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the SharedAccess service.

Error: (04/11/2014 04:02:13 PM) (Source: Service Control Manager) (User: )
Description: The IMAPI CD-Burning COM Service service failed to start due to the following error:
%%1053

Error: (04/11/2014 04:02:13 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.

Error: (04/11/2014 04:00:44 PM) (Source: Service Control Manager) (User: )
Description: The mrtRate service failed to start due to the following error:
%%2

Error: (04/11/2014 04:00:44 PM) (Source: Service Control Manager) (User: )
Description: The MCSTRM service failed to start due to the following error:
%%2

Error: (04/11/2014 06:37:32 AM) (Source: Service Control Manager) (User: )
Description: The mrtRate service failed to start due to the following error:
%%2

Error: (04/11/2014 06:37:32 AM) (Source: Service Control Manager) (User: )
Description: The MCSTRM service failed to start due to the following error:
%%2

Error: (04/10/2014 09:21:53 PM) (Source: 0) (User: )
Description: \Device\LanmanServer

Error: (04/10/2014 09:06:10 PM) (Source: BROWSER) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{C984AE28-2489-4B10-8188-DFDCD49144B1}.
The backup browser is stopping.

Error: (04/10/2014 08:48:51 AM) (Source: Service Control Manager) (User: )
Description: The mrtRate service failed to start due to the following error:
%%2

Microsoft Office Sessions:
=========================
Error: (02/17/2014 03:39:13 PM) (Source: WinMgmt)(User: )
Description: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\ASPNET.MOF

Error: (12/21/2013 08:54:16 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4908188

Error: (12/21/2013 08:54:16 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 4908188

Error: (12/21/2013 08:54:16 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (12/15/2013 10:52:06 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe server name or address could not be resolved

Error: (12/15/2013 10:37:59 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe server name or address could not be resolved

Error: (12/15/2013 10:21:57 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe server name or address could not be resolved

==================== Memory info ===========================

Percentage of memory in use: 27%
Total physical RAM: 1527.3 MB
Available physical RAM: 1113.19 MB
Total Pagefile: 3426.91 MB
Available Pagefile: 3040.29 MB
Total Virtual: 2047.88 MB
Available Virtual: 1960.79 MB

==================== Drives ================================

Drive c: (HP_PAVILION) (Fixed) (Total:106.22 GB) (Free:9.06 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (HP_RECOVERY) (Fixed) (Total:5.55 GB) (Free:0.73 GB) FAT32 ==>[Drive with boot components (Windows XP)]
Drive k: (USB DISK) (Fixed) (Total:1.86 GB) (Free:1.74 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 112 GB) (Disk ID: D0C4B2EF)

Partition: GPT Partition Type.

========================================================
Disk: 5 (Size: 2 GB) (Disk ID: 0A81461E)

Partition: GPT Partition Type.

==================== End Of Log ============================


Edited by LemonLime7, 13 April 2014 - 12:02 PM.



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:44 AM

Posted 13 April 2014 - 12:13 PM



Hello LemonLime7,

I need to find out some more information about one of the files on the computer

Please run FRST like you did before, but this time I would like you to type the following in the edit box after "Search:".

rpcss.dll

It then should look like:

Search: rpcss.dll

Click the Search button and post the log (Search.txt) it makes in your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 LemonLime7

LemonLime7
  • Topic Starter

  • Members
  • 48 posts
  • Local time:06:44 AM

Posted 13 April 2014 - 02:52 PM

OK, here is the search log, as requested


Farbar Recovery Scan Tool (x86) Version: 12-04-2014 01
Ran by Owner at 2014-04-13 14:32:41
Running from K:\tools 4-11-14
Boot Mode: Normal

================== Search: "rpcss.dll" ===================

C:\WINDOWS\ServicePackFiles\i386\rpcss.dll
[2007-07-22 15:02] - [2008-04-13 19:12] - 0399360 ____A (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

C:\WINDOWS\erdnt\cache\rpcss.dll
[2014-02-19 15:14] - [2008-04-13 19:12] - 0399360 ____A (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

C:\WINDOWS\$NtUninstallKB956572_0$\rpcss.dll
[2009-04-16 08:27] - [2005-01-14 03:55] - 0395776 ___AC (Microsoft Corporation) 419899803ca479b73b02390318c787c0

C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll
[2010-08-24 18:36] - [2008-04-13 19:12] - 0399360 ___AC (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

C:\WINDOWS\$NtUninstallKB902400_0$\rpcss.dll
[2007-07-22 13:22] - [2003-08-25 13:53] - 0260608 ___AC (Microsoft Corporation) 7a6f20eeac4b2168451878af9054396f

C:\WINDOWS\$NtUninstallKB902400$\rpcss.dll
[2007-07-22 15:49] - [2003-08-25 13:53] - 0260608 ___AC (Microsoft Corporation) 7a6f20eeac4b2168451878af9054396f

C:\WINDOWS\$NtUninstallKB873333$\rpcss.dll
[2010-08-24 08:30] - [2004-08-04 02:56] - 0395776 ___AC (Microsoft Corporation) 5c83a4408604f737717ab96371201680

C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll
[2004-08-16 16:24] - [2003-08-25 13:53] - 0260608 ___AC (Microsoft Corporation) 7a6f20eeac4b2168451878af9054396f

C:\WINDOWS\$NtUninstallKB824146$\rpcss.dll
[2004-01-19 15:46] - [2002-08-29 07:00] - 0260608 ___AC (Microsoft Corporation) 493fcbed180dcacf0b5d4c8c29949ca9

C:\WINDOWS\$NtServicePackUninstall$\rpcss.dll
[2010-08-24 18:08] - [2009-02-09 05:20] - 0399360 ___AC (Microsoft Corporation) 01095febf33beea00c2a0730b9b3ec28

C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[2009-04-15 05:45] - [2009-02-09 05:56] - 0401408 ____A (Microsoft Corporation) 9222562d44021b988b9f9f62207fb6f2

C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\rpcss.dll
[2010-08-24 09:40] - [2009-02-09 07:10] - 0401408 ____A (Microsoft Corporation) 6b27a5c03dfb94b4245739065431322c

C:\WINDOWS\$hf_mig$\KB956572\SP2QFE\rpcss.dll
[2010-08-24 09:40] - [2009-02-09 05:01] - 0401408 ____A (Microsoft Corporation) 24b5d53b9accc1e2edcf0a878d6659d4

C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\rpcss.dll
[2007-07-22 13:11] - [2005-07-25 23:20] - 0398336 ____A (Microsoft Corporation) c369df215d352b6f3a0b8c3469aa34f8

C:\WINDOWS\$hf_mig$\KB902400\SP2GDR\rpcss.dll
[2007-07-22 13:11] - [2005-07-25 23:39] - 0397824 ____A (Microsoft Corporation) ce94a2bd25e3e9f4d46a7373ff455c6d

C:\WINDOWS\$hf_mig$\KB873333\SP2QFE\rpcss.dll
[2005-01-14 00:07] - [2005-01-14 00:07] - 0395776 ____A (Microsoft Corporation) 94456045beb4545b5ebe1dcc85951afa

=== End Of Search ===



#4 LemonLime7 (Topic Starter)

Posted 13 April 2014 - 06:08 PM

I just wanted to mention that I had NOT run the tool 'Windows Repair' as was mentioned in the original Malware post, in step 5, from back in February, before posting the DDS and FRST tool logs. Just an FYI, since it didn't seem to have corrected the problem the first time. Let me know if that tool should be run, too, or not.

Thanks again.



#5 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 13 April 2014 - 08:42 PM

Hello LemonLime7



I need you to download this script I have made for you --> fixlist.txt (attached file, 513 bytes)

It needs to be saved Next to the "Farbar Recovery Scan Tool" (FRST) program (If asked to overwrite existing one please allow)

Run FRST again but this time press the Fix button just once and wait.


When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file to your reply.


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system


Gringo

#6 LemonLime7 (Topic Starter)

Posted 13 April 2014 - 09:41 PM

Alright, here are the Fixlog.txt contents:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 12-04-2014 01
Ran by Owner at 2014-04-13 21:36:33 Run:1
Running from K:\tools 4-11-14
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
2014-04-03 09:33 - 2014-04-11 16:19 - 00000077 _____ () C:\WINDOWS\system32\utjt.bbr
2014-04-03 09:20 - 2014-04-03 09:20 - 00000064 _____ () C:\WINDOWS\system32\wugl.uki
2014-04-03 09:20 - 2014-04-03 09:20 - 00000000 _____ () C:\WINDOWS\system32\lfjsbda.wmj
2014-04-03 09:02 - 2014-04-03 09:02 - 00299344 ____S () C:\WINDOWS\system32\cpsyv.yax
C:\Documents and Settings\Owner\java.exe
C:\Documents and Settings\Owner\jqs.exe
Replace: C:\WINDOWS\ServicePackFiles\i386\rpcss.dll  C:\WINDOWS\system32\rpcss.dll
*****************

C:\WINDOWS\system32\utjt.bbr => Moved successfully.
C:\WINDOWS\system32\wugl.uki => Moved successfully.
C:\WINDOWS\system32\lfjsbda.wmj => Moved successfully.
C:\WINDOWS\system32\cpsyv.yax => Moved successfully.
C:\Documents and Settings\Owner\java.exe => Moved successfully.
C:\Documents and Settings\Owner\jqs.exe => Moved successfully.
Could not find C:\WINDOWS\system32\rpcss.dll
C:\WINDOWS\ServicePackFiles\i386\rpcss.dll  copied successfully to C:\WINDOWS\system32\rpcss.dll

==== End of Fixlog ====
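
Added example, not code from the thread, from FRST or from its author: a Python script that triages an FRST Search log like the one posted in #3 and checked by the fixlog above. It groups the rpcss.dll copies by MD5, picks the most recently modified Microsoft-attributed backup as the replacement source, and reports whether the live system32 copy is missing (the case the fixlog shows), matches that reference, matches only an older backup, or carries a hash no backup shares. It assumes the detail-line layout [created] - [modified] - size attributes (company) MD5, and its sample log is constructed from three entries in the thread.

```python
"""Triage an FRST "Search:" log for a patched system DLL (added example).

Assumed FRST detail-line layout (an assumption, not documented on the page):
    [created] - [modified] - size attributes (company) md5
"""
import re
from collections import defaultdict

PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETAIL_RE = re.compile(
    r"^\[(?P<created>[\d-]+ [\d:]+)\] - \[(?P<modified>[\d-]+ [\d:]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9a-f]{32})$"
)

# Constructed sample, modelled on three entries of the search log in the thread.
SAMPLE_LOG = r"""
Farbar Recovery Scan Tool (x86) Version: 12-04-2014 01
Running from K:\tools 4-11-14
Boot Mode: Normal

================== Search: "rpcss.dll" ===================

C:\WINDOWS\ServicePackFiles\i386\rpcss.dll
[2007-07-22 15:02] - [2008-04-13 19:12] - 0399360 ____A (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

C:\WINDOWS\erdnt\cache\rpcss.dll
[2014-02-19 15:14] - [2008-04-13 19:12] - 0399360 ____A (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

C:\WINDOWS\$NtUninstallKB902400$\rpcss.dll
[2007-07-22 15:49] - [2003-08-25 13:53] - 0260608 ___AC (Microsoft Corporation) 7a6f20eeac4b2168451878af9054396f

=== End Of Search ===
"""


def parse_frst_search(text):
    """Return one dict per file listed between the Search header and End Of Search."""
    entries, pending, in_section = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("=") and "Search:" in line:
            in_section = True
            continue
        if line.startswith("=== End Of Search"):
            break
        if not in_section or not line:
            continue
        if PATH_RE.match(line):
            pending = line            # a path line is followed by its detail line
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            entry = m.groupdict()
            entry["path"] = pending
            entry["size"] = int(entry["size"])
            entries.append(entry)
            pending = None
    return entries


def triage(entries, live_path=r"C:\WINDOWS\system32\rpcss.dll"):
    """Group copies by MD5 and judge the live copy against the backup copies."""
    by_md5 = defaultdict(list)
    for e in entries:
        by_md5[e["md5"]].append(e["path"])
    live = [e for e in entries if e["path"].lower() == live_path.lower()]
    backups = [e for e in entries if e["path"].lower() != live_path.lower()]
    # Reference = most recently modified backup attributed to Microsoft. The log
    # carries no version string, so the modified timestamp stands in for "newest
    # service-pack build" (the thread's fixlist used the ServicePackFiles copy).
    reference = max(
        (e for e in backups if e["company"] == "Microsoft Corporation"),
        key=lambda e: e["modified"], default=None)
    if not live:
        status = "missing"                # fixlog case: live file already removed
    elif reference and live[0]["md5"] == reference["md5"]:
        status = "matches_reference"      # live copy is the pristine build
    elif len(by_md5[live[0]["md5"]]) > 1:
        status = "matches_older_backup"   # genuine but stale build, update it
    else:
        status = "unique_hash"            # no backup shares the hash: inspect it
    return {"status": status,
            "reference": reference["path"] if reference else None,
            "hash_groups": {h: sorted(p) for h, p in by_md5.items()}}


if __name__ == "__main__":
    result = triage(parse_frst_search(SAMPLE_LOG))
    print("live copy:", result["status"])
    print("replacement source:", result["reference"])
    for md5, paths in result["hash_groups"].items():
        print(md5, "->", ", ".join(paths))
```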



#7 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 15 April 2014 - 06:16 AM



Hello LemonLime7

These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo

#8 LemonLime7 (Topic Starter)

Posted 15 April 2014 - 12:29 PM

Hello Gringo

Here are the AdwCleaner and JRT logs:

# AdwCleaner v3.019 - Report created 15/04/2014 at 11:15:29
# Updated 17/02/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Owner - YOUR-XHTR8HVC4P
# Running from : C:\Documents and Settings\Owner\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

*************************

AdwCleaner[R0].txt - [657 octets] - [21/03/2014 13:06:27]
AdwCleaner[R1].txt - [716 octets] - [15/04/2014 11:12:07]
AdwCleaner[S0].txt - [638 octets] - [15/04/2014 11:15:29]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [697 octets] ##########

JRT file:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Microsoft Windows XP x86
Ran by Owner on Tue 04/15/2014 at 11:34:43.84
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 04/15/2014 at 11:40:21.70
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Ok, things seem to be running well, I have my taskbar-start button back, all the files open, cut-paste, video, mp3, sound, etc are fine...

There were a few things on the JRT when it was running, saying 'Access denied' or something like that, and nothing like that came out in the log - not sure what that meant...



#9 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 15 April 2014 - 09:17 PM


Hello LemonLime7

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#10 LemonLime7 (Topic Starter)

Posted 16 April 2014 - 08:12 AM

Hi gringo,

I ran ComboFix and here is the log; things seem to be running fine, although I noticed in the Task Manager that a program called CodeMeter.exe was taking up a larger than usual amount of memory, although it's not affecting performance percentage-wise. Is this normal/OK? Anyhow, here is the CF resulting log.

ComboFix 14-04-12.01 - Owner 04/16/2014   6:44.2.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1527.491 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
(((((((((((((((((((((((((   Files Created from 2014-03-16 to 2014-04-16  )))))))))))))))))))))))))))))))
.
.
2014-04-14 02:36 . 2008-04-14 00:12 399360 -c--a-w- c:\windows\system32\dllcache\rpcss.dll
2014-04-14 02:36 . 2008-04-14 00:12 399360 ----a-w- c:\windows\system32\rpcss.dll
2014-04-12 19:35 . 2014-04-14 02:36 -------- d-----w- C:\FRST
2014-04-11 18:04 . 2014-04-12 15:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-04-11 18:04 . 2014-04-12 15:06 40776 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-10 16:25 . 2014-04-15 16:11 -------- d-----w- C:\000progs041014
2014-04-09 19:16 . 2014-04-09 19:30 -------- d-----w- C:\46b287ed135d4f37bb5b5495aa1147
2014-04-03 14:31 . 2014-04-03 14:33 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2014-03-21 18:34 . 2014-03-21 18:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sun
2014-03-21 18:06 . 2014-04-15 16:15 -------- d-----w- C:\AdwCleaner
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-04-12 13:35 . 2014-02-18 15:56 52312 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-03-21 18:30 . 2003-08-24 03:42 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-03-06 17:59 . 2006-06-23 16:33 920064 ----a-w- c:\windows\system32\wininet.dll
2014-03-06 17:59 . 2003-08-08 16:23 43520 ----a-w- c:\windows\system32\licmgr10.dll
2014-03-06 17:59 . 2003-08-08 16:18 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2014-03-06 17:59 . 2003-08-08 16:18 18944 ----a-w- c:\windows\system32\corpol.dll
2014-03-06 00:46 . 2010-08-24 03:10 385024 ----a-w- c:\windows\system32\html.iec
2014-02-26 01:59 . 2014-03-06 10:27 13312 ------w- c:\windows\system32\xp_eos.exe
2014-02-19 05:26 . 2014-02-19 05:26 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys.bak
2014-02-19 04:50 . 2014-02-19 04:50 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys.dump
2014-02-13 22:24 . 2014-02-13 20:53 181064 ----a-w- c:\windows\PSEXESVC.EXE
2014-02-07 02:01 . 2003-08-08 15:35 1879040 ----a-w- c:\windows\system32\win32k.sys
2014-02-05 08:55 . 2002-12-12 14:14 562688 ----a-w- c:\windows\system32\qedit.dll
2014-01-16 19:34 . 2014-01-16 19:34 3038 ----a-w- C:\fix_svchost.bat
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-05-03 835654]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"nwiz"="nwiz.exe" [2003-05-03 323584]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-08-09 139264]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-09-05 202256]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-10-25 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe" [2013-06-17 814472]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - c:\program files\interMute\SpamSubtract\SpamSubtract.exe -q [2003-8-28 552960]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-08-24 16:38 12536 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/24/2010 9:25 AM 226016]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/24/2010 9:25 AM 243152]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [8/24/2010 11:37 AM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [8/24/2010 11:38 AM 308136]
R2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files\CodeMeter\Runtime\bin\CodeMeter.exe [2/24/2013 1:09 PM 2571704]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [4/18/2013 8:56 AM 659992]
S2 mrtRate;mrtRate; [x]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [4/11/2011 10:27 AM 16968]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [4/11/2014 1:04 PM 40776]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [4/18/2013 8:56 AM 1227800]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mbamchameleon
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ    hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2014-04-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-06 01:59]
.
2014-04-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]
.
2014-04-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-980271276-481220816-41620543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]
.
2014-04-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]
.
2014-04-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-980271276-481220816-41620543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]
.
2010-08-24 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-29 23:04]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
Trusted Zone: musicmatch.com\online
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-HijackThis - c:\documents and settings\Owner\Desktop\HijackThis.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-04-16 07:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
? [33240]
? [33616]
? [22516]
? [47476]
? [59572]
? [64748]
? [64716]
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f8,36,6a,fe,57,15,a3,46,a2,04,f7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f8,36,6a,fe,57,15,a3,46,a2,04,f7,\
.
[HKEY_USERS\S-1-5-21-1715567821-73586283-725345543-1003_Classes\CLSID]
@DACL=(02 0000)
@SACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(824)
c:\program files\Softex\OmniPass\opxpgina.dll
.
- - - - - - - > 'explorer.exe'(321716)
c:\windows\system32\WININET.dll
c:\program files\Iomega\DriveIcons\IMGHOOK.DLL
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2014-04-16  07:21:35
ComboFix-quarantined-files.txt  2014-04-16 12:21
.
Pre-Run: 9,287,340,032 bytes free
Post-Run: 9,526,353,920 bytes free
.
- - End Of File - - C0E1139F1D9A23B3FC10EBE873413F4D
B716B775FCBDABF0E2DDFF76F15C6790
 



#11 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 16 April 2014 - 11:31 AM


Hello LemonLime7

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
[image: CFScriptB-4.gif]
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo

#12 LemonLime7 (Topic Starter)

Posted 16 April 2014 - 01:12 PM

Hello gringo

Here is the resulting ComboFix log as requested:

ComboFix 14-04-12.01 - Owner 04/16/2014  12:11:51.3.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1527.651 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\My Documents\iexplore.exe
.
.
(((((((((((((((((((((((((   Files Created from 2014-03-16 to 2014-04-16  )))))))))))))))))))))))))))))))
.
.
2014-04-14 02:36 . 2008-04-14 00:12 399360 -c--a-w- c:\windows\system32\dllcache\rpcss.dll
2014-04-14 02:36 . 2008-04-14 00:12 399360 ----a-w- c:\windows\system32\rpcss.dll
2014-04-12 19:35 . 2014-04-14 02:36 -------- d-----w- C:\FRST
2014-04-11 18:04 . 2014-04-12 15:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-04-11 18:04 . 2014-04-12 15:06 40776 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-10 16:25 . 2014-04-15 16:11 -------- d-----w- C:\000progs041014
2014-04-09 19:16 . 2014-04-09 19:30 -------- d-----w- C:\46b287ed135d4f37bb5b5495aa1147
2014-04-03 14:31 . 2014-04-03 14:33 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2014-03-21 18:34 . 2014-03-21 18:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sun
2014-03-21 18:06 . 2014-04-15 16:15 -------- d-----w- C:\AdwCleaner
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-04-12 13:35 . 2014-02-18 15:56 52312 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-03-21 18:30 . 2003-08-24 03:42 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-03-06 17:59 . 2006-06-23 16:33 920064 ----a-w- c:\windows\system32\wininet.dll
2014-03-06 17:59 . 2003-08-08 16:23 43520 ----a-w- c:\windows\system32\licmgr10.dll
2014-03-06 17:59 . 2003-08-08 16:18 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2014-03-06 17:59 . 2003-08-08 16:18 18944 ----a-w- c:\windows\system32\corpol.dll
2014-03-06 00:46 . 2010-08-24 03:10 385024 ----a-w- c:\windows\system32\html.iec
2014-02-26 01:59 . 2014-03-06 10:27 13312 ------w- c:\windows\system32\xp_eos.exe
2014-02-19 05:26 . 2014-02-19 05:26 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys.bak
2014-02-19 04:50 . 2014-02-19 04:50 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys.dump
2014-02-13 22:24 . 2014-02-13 20:53 181064 ----a-w- c:\windows\PSEXESVC.EXE
2014-02-07 02:01 . 2003-08-08 15:35 1879040 ----a-w- c:\windows\system32\win32k.sys
2014-02-05 08:55 . 2002-12-12 14:14 562688 ----a-w- c:\windows\system32\qedit.dll
2014-01-16 19:34 . 2014-01-16 19:34 3038 ----a-w- C:\fix_svchost.bat
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-05-03 835654]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"nwiz"="nwiz.exe" [2003-05-03 323584]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-08-09 139264]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-09-05 202256]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-10-25 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe" [2013-06-17 814472]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - c:\program files\interMute\SpamSubtract\SpamSubtract.exe -q [2003-8-28 552960]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-08-24 16:38 12536 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/24/2010 9:25 AM 226016]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/24/2010 9:25 AM 243152]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [8/24/2010 11:37 AM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [8/24/2010 11:38 AM 308136]
R2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files\CodeMeter\Runtime\bin\CodeMeter.exe [2/24/2013 1:09 PM 2571704]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [4/18/2013 8:56 AM 659992]
S2 mrtRate;mrtRate; [x]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [4/11/2011 10:27 AM 16968]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [4/11/2014 1:04 PM 40776]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [4/18/2013 8:56 AM 1227800]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mbamchameleon
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ    hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2014-04-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-06 01:59]
.
2014-04-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]
.
2014-04-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-980271276-481220816-41620543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]
.
2014-04-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]
.
2014-04-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-980271276-481220816-41620543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]
.
2010-08-24 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-29 23:04]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
Trusted Zone: musicmatch.com\online
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-04-16 12:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
? [33240]
? [33616]
? [22516]
? [3764]
? [1988]
? [41996]
? [54172]
? [54296]
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f8,36,6a,fe,57,15,a3,46,a2,04,f7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f8,36,6a,fe,57,15,a3,46,a2,04,f7,\
.
[HKEY_USERS\S-1-5-21-1715567821-73586283-725345543-1003_Classes\CLSID]
@DACL=(02 0000)
@SACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(824)
c:\program files\Softex\OmniPass\opxpgina.dll
.
Completion time: 2014-04-16  12:37:36
ComboFix-quarantined-files.txt  2014-04-16 17:37
ComboFix2.txt  2014-04-16 12:21
.
Pre-Run: 9,506,553,856 bytes free
Post-Run: 9,494,880,256 bytes free
.
- - End Of File - - E71170FE0391E3963E30AA79482B9E5E
B716B775FCBDABF0E2DDFF76F15C6790

 

My computer seems to be running fine; the amount of memory being used up under CodeMeter.exe has gone down by around 1/3 from its previous level of 269k, if that means anything. I haven't noticed much else going on differently, though all the issues with the malware seem to be over with. I have internet access, and the programs I have tried seem to be running fine.
 



#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:44 AM

Posted 16 April 2014 - 05:18 PM


Hello LemonLime7

I would like to see a report that ComboFix makes.

extra combofix report
  • push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click OK
copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#14 LemonLime7

LemonLime7
  • Topic Starter

  • Members
  • 48 posts
  • Local time:06:44 AM

Posted 16 April 2014 - 07:28 PM

OK, here is the result of the report:

 

C:\Qoobox\Add-Remove Programs.txt [from the Run box] -

 

32 Bit HP CIO Components Installer
3ivx MPEG-4 5.0.2 (remove only)
7-Zip 9.20
AC3Filter 1.63b
Active Disk
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader 9.4.6
Adobe Shockwave Player 12.0
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Applet
ArcSoft ShowBiz 2
AVG Free 9.0
BitZipper 2010
Bonjour
Bounce from Hewlett-Packard Desktops (remove only)
BrainWave Generator
BufferChm
CCleaner
CreativeProjects
D1600
DeviceDiscovery
DivX Setup
DJ_SF_06_D1600_SW_Min
FBReader for Windows
File Splitter and Joiner (FFSJ v3.3)
File Type Assistant
Foxit Reader
GPBaseService2
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB981793)
HP Customer Participation Program 14.0
HP Deskjet D1600 Printer Driver Software 14.0 Rel. 6
HP Deskjet Preloaded Printer Drivers
HP Imaging Device Functions 14.0
HP Instant Support
HP Organize
HP Photo & Imaging 3.0
HP Photo and Imaging 2.0 - Photosmart Cameras
HP Photo Creations
HP Smart Web Printing 4.60
HP Solution Center 14.0
HP Update
HPImageZone
HPIZ Fix2
hpmdtab
HPProductAssistant
HpSdpAppCoreApp
HPSSupply
HPSystemDiagnostics
iCare Data Recovery 5.0
InstantShare
Intel® Extreme Graphics 2 Driver
IntelliMover Data Transfer Demo
InterVideo WinDVD Player
IomegaWare 4.0.2
iTunes
IZArc 4.1.8
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
Java™ 6 Update 45
KBD
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Malwarebytes Anti-Malware version 1.75.0.1300
MarketResearch
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2833941)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Works 7.0
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Multimedia Card Reader
Musicmatch® Jukebox
NVIDIA Gart Driver
NVIDIA Windows 2000/XP Display Drivers
OmniPass
Orbital from Hewlett-Packard Desktops (remove only)
Otto from Hewlett-Packard Desktops (remove only)
PC-Doctor for Windows
PhotoGallery
Photosmart 140,240,7200,7600,7700,7900 Series
PokerStars.net
Polar Bowler from Hewlett-Packard Desktops (remove only)
PrintScreen
PS2
PSShortcutsP
Python 2.2 combined Win32 extensions
Python 2.2.1
QFolder
Quicken 2003 New User Edition
QuickPar 0.9
QuickProjects
QuickTime
RAR Recovery Toolbox 1.1
RealPlayer
RealUpgrade 1.0
RecordNow!
S3Display
S3Gamma2
S3Info2
S3Overlay
Secunia PSI (3.0.0.7009)
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2879017)
Security Update for Windows Internet Explorer 8 (KB2909210)
Security Update for Windows Internet Explorer 8 (KB2909921)
Security Update for Windows Internet Explorer 8 (KB2925418)
Security Update for Windows Internet Explorer 8 (KB2936068)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB2834903-v2)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219-v2)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135-v2)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2813345)
Security Update for Windows XP (KB2820917)
Security Update for Windows XP (KB2834886)
Security Update for Windows XP (KB2845187)
Security Update for Windows XP (KB2847311)
Security Update for Windows XP (KB2850869)
Security Update for Windows XP (KB2859537)
Security Update for Windows XP (KB2862152)
Security Update for Windows XP (KB2862330)
Security Update for Windows XP (KB2862335)
Security Update for Windows XP (KB2864063)
Security Update for Windows XP (KB2868038)
Security Update for Windows XP (KB2868626)
Security Update for Windows XP (KB2876217)
Security Update for Windows XP (KB2876331)
Security Update for Windows XP (KB2892075)
Security Update for Windows XP (KB2893294)
Security Update for Windows XP (KB2893984)
Security Update for Windows XP (KB2898715)
Security Update for Windows XP (KB2900986)
Security Update for Windows XP (KB2914368)
Security Update for Windows XP (KB2916036)
Security Update for Windows XP (KB2922229)
Security Update for Windows XP (KB2929961)
Security Update for Windows XP (KB2930275)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Shop for HP Supplies
SkinsHP1
SkinsHP2
Slyder from Hewlett-Packard Desktops (remove only)
SmartWebPrinting
SolutionCenter
Sonic Update Manager
SpamSubtract
Status
StreamTransport version: 1.0.2.2171
STX from Hewlett-Packard Desktops (remove only)
Sumatra PDF reader
swMSM
Toolbox
toolkit
TrayApp
Trojan Remover 6.8.2
Tweaking.com - Windows Repair (All in One)
Unload
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2749655)
Update for Windows XP (KB2904266)
Update for Windows XP (KB2934207)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Updates from HP
VC80CRTRedist - 8.0.50727.6195
Virtual Hypnotist 5.8
Virtual Warfare from Hewlett-Packard Desktops (remove only)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Weblink
WebReg
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format Runtime
Windows XP Service Pack 3
Yahoo! Detect
Zero Assumption Recovery Version 9

 



#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:44 AM

Posted 17 April 2014 - 08:24 AM



Hello

These logs are looking a lot better, but we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does a lot better of a job).
  • Programs to remove
    • Adobe Reader 9.4.6
    • Java 2 Runtime Environment, SE v1.4.1_02
    • Java Web Start
    • Java™ 6 Update 45

  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on the program to remove.
  • When prompted if you want to uninstall, click Yes.
  • Be sure the Moderate option is selected, then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes and then Next.
  • Once done, click Finish.



Update Adobe Reader
  • Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.
    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
  • If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java
  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close
Clean Out Temp Files
  • This small application you may want to keep and use once a week to keep the computer clean.
    Download CCleaner from here
  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar, uncheck the box next to it.
  • Run CCleaner. (Make sure under the Windows tab all the boxes of Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Applications tab all the boxes should be checked.)
  • Click Run Cleaner.
  • Close CCleaner.
: Malwarebytes' Anti-Malware :


I see you have MBAM installed on the computer - that is great!! It is a very good program! I would like you to run a quick scan for me now.
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Download HijackThis
  • Go here to download the HijackThis program
  • Save HijackThis to your desktop.
  • Right-click on HijackThis and select "Run as Admin" (XP users just need to double click to run)
  • Click on "Do a system scan and save a logfile" (if you do not see "Do a system scan and save a logfile" then click on Main Menu)
  • Copy and paste the HijackThis report into the topic
"information and logs"
  • In your next post I need the following
    • Log From MBAM
    • report from Hijackthis
    • let me know of any problems you may have had
    • How is the computer doing now?
Gringo