
persistent trojan.0access remains after doing battle with a very sick laptop


  • This topic is locked
55 replies to this topic

#1 testoc

  • Members
  • 27 posts
  • Gender:Male
  • Location:US

Posted 23 July 2014 - 12:35 PM

I have a Dell Latitude D530 running Win XP Pro. This is a family PC that my kids and my wife use (no telling where it's been). It was presented to me this weekend with exasperated looks and a plea to fix it...

It was highly polluted with all grades of adware, malware, etc. I have attempted to clean it up using MBAM, Spybot S&D, SAS, ComboFix, TDSSKiller, MBAR, etc. and am to the point where only two registry keys referencing trojan.0access remain, but they persist through all MBAM and MBAR attempts to remove them. I currently have the wifi disabled.

Thanks in advance and I really appreciate any help you can give...

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.25.2
Run by coit at 9:25:23 on 2014-07-23
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2038.1435 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mmc.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - <orphaned>
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.9012.1008\swg.dll
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - <orphaned>
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNTE0NDE4MzMyLVQxLVU4NSsxLUJBKzEtS1YzKzctWEwrMS1VQ0FMTCsxLUJBUjhHKzEtVUNBTEwyKzItVEI4KzItRkwrOC1RSVgxKzQtWDIwMTArMi1GMTBNMTBEKzItTElDKzItRkwxMCsxLVNQMSsxLVNVUCs0LVRVRyszLVNQMVM0KzEtRERUKzA"&"prod=90"&"ver=10.0.1392
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.4.0/GarminAxControl_32.CAB
DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} - hxxp://launch.soe.com/plugin/web/SOEWebInstaller.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1345249255812
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: gemsafe - c:\program files\gemplus\gemsafe libraries\bin\WLEventNotify.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 231960]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-5-26 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-9-24 116608]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2007-6-20 79168]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-11 5120]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
S1 fpuzdics;fpuzdics;\??\c:\windows\system32\drivers\fpuzdics.sys --> c:\windows\system32\drivers\fpuzdics.sys [?]
S1 fzdycofm;fzdycofm;\??\c:\windows\system32\drivers\fzdycofm.sys --> c:\windows\system32\drivers\fzdycofm.sys [?]
S1 mlvkmjri;mlvkmjri;\??\c:\windows\system32\drivers\mlvkmjri.sys --> c:\windows\system32\drivers\mlvkmjri.sys [?]
S1 ntirmuoi;ntirmuoi;\??\c:\windows\system32\drivers\ntirmuoi.sys --> c:\windows\system32\drivers\ntirmuoi.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-12-28 16512]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-11 14336]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 12872]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-11 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S4 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\mcafee security scan\2.0.181\mcchsvc.exe" --> c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [?]
S4 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\roxio creator 2009\digital home 11\roxioupnprenderer11.exe" --> c:\program files\roxio creator 2009\digital home 11\RoxioUPnPRenderer11.exe [?]
.
=============== Created Last 30 ================
.
2014-07-22 16:49:37 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)
2014-07-22 14:31:24 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-07-22 14:30:53 -------- d-----w- c:\windows\pss
2014-07-22 10:08:51 8217224 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0aa1ca58-fa8b-463a-9b1d-ae45c30e4b44}\mpengine.dll
2014-07-22 06:21:13 8217224 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-07-21 22:54:35 -------- d-----w- c:\windows\ERUNT
2014-07-21 22:49:22 536576 ------w- c:\windows\system32\sqlite3.dll
2014-07-21 22:48:38 -------- d-----w- C:\AdwCleaner
2014-07-21 19:54:54 -------- d-----w- C:\TDSSKiller_Quarantine
2014-07-21 18:09:26 401408 ------w- c:\windows\system32\rpcss.dll
2014-07-21 17:36:40 54232 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-07-21 17:36:40 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-07-19 20:22:38 -------- d-----w- c:\documents and settings\all users\application data\UnobOtax
.
==================== Find3M  ====================
.
.
============= FINISH:  9:28:11.79 ===============

 

Attached File  attach.zip   7.67KB   1 downloads
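Two things stand out in the SERVICES / DRIVERS section of the DDS log above: fpuzdics, fzdycofm, mlvkmjri and ntirmuoi are eight-letter, lowercase, random-looking names used as their own display name, registered as system-start (S1) drivers, and DDS could not find their .sys file ([?]). The following is an added example, not part of testoc's post and not code from DDS or any tool named in this thread: a Python parser for that section that flags boot/system-start drivers whose binary is missing, random-looking names, and ImagePaths written with the raw \??\ prefix, while leaving an ordinary orphaned entry such as the disabled (S4) McAfee service alone. The sample lines are copied from the log above; the eight-lowercase-letter test is a heuristic I chose, not a rule DDS applies.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the SERVICES / DRIVERS section of the DDS log
# in the post above, copied verbatim (raw string so the backslashes survive).
SAMPLE_DDS = r"""
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 231960]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-5-26 12880]
S1 fpuzdics;fpuzdics;\??\c:\windows\system32\drivers\fpuzdics.sys --> c:\windows\system32\drivers\fpuzdics.sys [?]
S1 ntirmuoi;ntirmuoi;\??\c:\windows\system32\drivers\ntirmuoi.sys --> c:\windows\system32\drivers\ntirmuoi.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-11 14336]
S4 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\mcafee security scan\2.0.181\mcchsvc.exe" --> c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [?]
"""

# One DDS row: "<R|S><start> name;display;image [yyyy-m-d size]"
# or, when the binary is missing, "... registry path --> resolved path [?]".
ENTRY_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*)$")
STAMP_RE = re.compile(r"\s*\[(\d{4}-\d{1,2}-\d{1,2}) (\d+)\]$")
# Heuristic chosen for this example (assumption, not a DDS rule):
# eight lowercase letters, like the four drivers in the log.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


@dataclass
class Entry:
    running: bool          # R = running, S = stopped at scan time
    start: int             # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    name: str
    display: str
    registry_path: str     # ImagePath as stored in the service key
    image: str             # path DDS resolved it to
    file_present: bool     # False when DDS printed "[?]" (binary not found)
    size: Optional[int]


def parse_dds_services(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, rest = m.groups()
        if rest.endswith("[?]"):
            image, present, size = rest[:-3].strip(), False, None
        else:
            stamp = STAMP_RE.search(rest)
            size = int(stamp.group(2)) if stamp else None
            image, present = STAMP_RE.sub("", rest).strip(), True
        registry_path, _, resolved = image.partition(" --> ")
        entries.append(Entry(state == "R", int(start), name, display,
                             registry_path, resolved or registry_path, present, size))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """Return (service name, reasons) for entries worth a closer look."""
    findings = []
    for e in entries:
        reasons = []
        if not e.file_present and e.start <= 1:
            reasons.append("boot/system-start driver whose binary is missing")
        if RANDOM_NAME_RE.match(e.name) and e.name == e.display:
            reasons.append("eight-letter random-looking name used as its own display name")
        if e.registry_path.startswith("\\??\\"):
            reasons.append("ImagePath uses the raw \\??\\ prefix instead of a plain path")
        if reasons:
            findings.append((e.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_dds_services(SAMPLE_DDS)):
        print(name, "->", "; ".join(reasons))
```

Run against the sample, only fpuzdics and ntirmuoi are reported, each for all three reasons; the McAfee leftover is missing on disk too, but it is disabled (S4), has a real display name and a quoted path, so it is not a boot-time concern.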
 



#2 seedy21

  • Malware Response Team
  • 742 posts
  • Gender:Male
  • Location:West Yorkshire, UK

Posted 24 July 2014 - 11:07 AM

Hello testoc

I'm Seedy21 and I will be helping you with your issues.

Please note the following information about the malware forum:

  • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by me.
  • Please do not ask for help elsewhere (on this site or other sites). Doing so can result in system changes which may not show up in the logs you post.
  • Please reply within 48 hours; if you are going to be away for longer, please let us know, or the topic will be closed for being inactive.
  • If you are using cracked or illegal software, your thread will be closed.
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until it is closed.

ComboFix is a powerful tool intended by its creator to be used under the direction of an expert. It is NOT for private use. You should NOT use ComboFix unless a Malware Removal Expert has told you to. Improper use of this tool can seriously damage your operating system and may even prevent it from starting again. Please read ComboFix's Disclaimer.
Plus, if it is run without being asked for by a 'helper', the creator will offer no help if anything goes wrong.

Step 1

I would like to see your last TDSSKiller and Combofix logs
TDSSkiller log
C:\ directory in the style of "TDSSKiller.[Version]_[Date]_[Time]_log.txt"
Combofix log
C:\ComboFix.txt

Step 2

Download RogueKiller and save it to your desktop.

  • Close all the running processes
  • Double click RogueKiller icon to run the program
    Vista/Win7 users should right click the icon and select Run as Administrator.
  • Wait for the Prescan to finish.
  • Now click the Scan button.
  • Please copy and paste the report in your next reply.

A copy of the RKreport.txt can be found on your desktop.

Note:
If RogueKiller is blocked, do not hesitate to try running it again.
If it still fails to run, right click on the downloaded icon and select 'Rename'.....rename it to winlogon and try again.

Step 3


Please download Farbar Recovery Scan Tool and save it to your Desktop.

  • Double-click the downloaded icon to run the tool.

  • When the tool opens click Yes to disclaimer.

  • Press Scan button.

  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it to your reply also.

“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club



#3 testoc
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Male
  • Location:US

Posted 24 July 2014 - 06:36 PM

Hello Seedy21,

Thank you for your prompt response. Understood regarding all bullet points and the disclaimer; you have complete control of the PC. Many thanks for the assistance. I had to zip the TDSSKiller log.

Step 1 - Last TDSSKiller log:

Attached File  TDSSKiller.3.0.0.40_22.07.2014_11.58.25_log.txt.zip   92.91KB   1 downloads

 

Step 1 - Last Combofix log:

ComboFix 14-07-20.02 - lisa 07/21/2014   0:45.10.2 - x86
Running from: c:\documents and settings\lisa\My Documents\My Downloads\ComboFix.exe
.
.
(((((((((((((((((((((((((   Files Created from 2014-06-21 to 2014-07-21  )))))))))))))))))))))))))))))))
.
.
2014-07-21 04:46 . 2014-07-21 04:46 49088 ----a-w- c:\windows\system32\drivers\fpuzdics.sys
2014-07-21 04:35 . 2014-07-21 04:35 49088 ----a-w- c:\windows\system32\drivers\ntirmuoi.sys
2014-07-21 04:34 . 2014-07-21 04:34 49088 ----a-w- c:\windows\system32\drivers\mlvkmjri.sys
2014-07-21 04:33 . 2014-07-21 04:33 49088 ----a-w- c:\windows\system32\drivers\fzdycofm.sys
2014-07-21 04:30 . 2014-07-21 04:30 49088 ----a-w- c:\windows\system32\drivers\shfrgfga.sys
2014-07-21 03:58 . 2014-07-21 03:58 39464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{427EDFB7-B00B-4459-AE0E-3B769C30F174}\MpKsl421cde7e.sys
2014-07-21 03:24 . 2014-07-21 03:24 39464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{427EDFB7-B00B-4459-AE0E-3B769C30F174}\MpKslcc3da8d0.sys
2014-07-21 03:19 . 2014-07-21 03:55 62576 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{427EDFB7-B00B-4459-AE0E-3B769C30F174}\offreg.dll
2014-07-21 03:15 . 2014-07-02 03:11 8217224 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{427EDFB7-B00B-4459-AE0E-3B769C30F174}\mpengine.dll
2014-07-20 03:50 . 2014-07-02 03:11 8217224 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-07-19 20:26 . 2010-08-25 12:39 433190 ----a-w- c:\windows\system32\ezreyn.exe
2014-07-19 20:26 . 2014-07-20 02:35 -------- d-----w- c:\documents and settings\lisa\Application Data\Itziyvcy
2014-07-19 20:22 . 2014-07-21 04:26 -------- d-----w- C:\0a5fa98
2014-07-19 20:22 . 2014-07-19 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\UnobOtax
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-07-21 03:55 . 2008-06-04 04:07 0 ----a-w- c:\documents and settings\lisa\Local Settings\Application Data\WavXMapDrive.bat
2014-05-20 18:59 . 2008-06-04 04:23 0 ----a-w- c:\documents and settings\coit jr\Local Settings\Application Data\WavXMapDrive.bat
2014-04-26 22:10 . 2008-06-04 04:32 0 ----a-w- c:\documents and settings\lane\Local Settings\Application Data\WavXMapDrive.bat
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\ERDNT\cache\rpcss.dll
[-] 2009-02-09 . 9C1579C9E0E648EF49E29F51347DA646 . 402432 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll
[-] 2009-02-09 . BC7F898CC8A85AE5E9FE7B77567C8666 . 402432 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\rpcss.dll
[7] 2009-02-09 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[7] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\rpcss.dll
[7] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\rpcss.dll
[-] 2005-07-26 . CE94A2BD25E3E9F4D46A7373FF455C6D . 397824 . . [5.1.2600.2726] . . c:\windows\$NtServicePackUninstall$\rpcss.dll
[-] 2005-07-26 . C369DF215D352B6F3A0B8C3469AA34F8 . 398336 . . [5.1.2600.2726] . . c:\windows\$hf_mig$\KB902400\SP2QFE\rpcss.dll
[-] 2005-04-28 . DA383FB39A6F1C445F3AFC94B3EB1248 . 396288 . . [5.1.2600.2665] . . c:\windows\$hf_mig$\KB894391\SP2QFE\rpcss.dll
[-] 2005-04-28 . C8061F289E000703E7672916B7FE1571 . 395776 . . [5.1.2600.2665] . . c:\windows\$NtUninstallKB902400$\rpcss.dll
[7] 2004-08-04 . 5C83A4408604F737717AB96371201680 . 395776 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB894391$\rpcss.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE" [2013-06-28 4760816]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2013-03-16 39408]
"UnobOtax"="c:\documents and settings\All Users\Application Data\UnobOtax\UnobOtax.dat" [2014-07-19 302032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-10 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-10 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-10 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-10 137752]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
"SigmatelSysTrayApp"="stsystra.exe" [2007-09-14 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe" [2008-08-14 240112]
"CPMonitor"="c:\program files\Roxio Creator 2009\5.0\CPMonitor.exe" [2009-04-20 84464]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 951576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNTE0NDE4MzMyLVQxLVU4NSsxLUJBKzEtS1YzKzctWEwrMS1VQ0FMTCsxLUJBUjhHKzEtVUNBTEwyKzItVEI4KzItRkwrOC1RSVgxKzQtWDIwMTArMi1GMTBNMTBEKzItTElDKzItRkwxMCsxLVNQMSsxLVNVUCs0LVRVRyszLVNQMVM0KzEtRERUKzA&prod=90&ver=10.0.1392
" [?]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-12 113024]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 20:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"\\??\\c:\\WINDOWS\\system32\\winlogon.exe"=
.
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2012-12-06 116608]
S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2007-06-20 79168]
S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-02 97536]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL421CDE7E
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ    getPlusHelper
nosGetPlusHelper REG_MULTI_SZ    nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2014-07-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-22 20:57]
.
2014-07-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-22 20:57]
.
2014-07-21 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2014-03-11 14:13]
.
2014-07-21 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-10 01:59]
.
2014-07-09 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-10 01:59]
.
2014-07-21 c:\windows\Tasks\Plus-HD-7.8-firefoxinstaller.job
- c:\documents and settings\lane\Local Settings\Application Data\Plus-HD-7.8-BrowserExtensionUninstall\Plus-HD-7.8-firefoxinstaller.exe [2014-03-09 20:03]
.
2014-07-21 c:\windows\Tasks\Plus-HD-7.8-validator.job
- c:\documents and settings\lane\Local Settings\Application Data\Plus-HD-7.8-BrowserExtensionUninstall\Plus-HD-7.8-validator.exe [2014-03-09 20:02]
.
2008-06-04 c:\windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-06-04 19:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.4.0/GarminAxControl_32.CAB
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2014-07-21 00:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
@DACL=(02 0000)
"DWQueuedReporting"="\"c:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"
"octolie"="rundll32 \"c:\\WINDOWS\\system32\\config\\systemprofile\\Local Settings\\Application Data\\octolie.dll\",octolie"
.
[HKEY_USERS\S-1-5-21-2382356700-4236744799-1302342617-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b4,f3,d7,43,52,d2,8d,43,a7,45,c3,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b4,f3,d7,43,52,d2,8d,43,a7,45,c3,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\*]
@Allowed: (Read) (Administrators)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2564)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
.
Completion time: 2014-07-21  01:04:17
ComboFix-quarantined-files.txt  2014-07-21 05:04
ComboFix2.txt  2014-07-21 02:22
ComboFix3.txt  2013-06-28 23:40
ComboFix4.txt  2013-04-24 01:41
ComboFix5.txt  2014-07-21 04:41
.
Pre-Run: 16,397,074,432 bytes free
Post-Run: 16,732,839,936 bytes free
.
- - End Of File - - AA6C7E8CBD2CBBC09C477A08D65C43D8
8F558EB6672622401DA993E1E865C861

Step 2 - RogueKiller log:

RogueKiller V9.2.3.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/

Feedback : http://forum.adlice.com

Website : http://www.adlice.com/softwares/roguekiller/

Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : coit [Admin rights]
Mode : Scan -- Date : 07/24/2014  19:00:39

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 9 ¤¤¤
[Suspicious.Path] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | octolie : rundll32 "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\octolie.dll",octolie  -> FOUND
[Suspicious.Path] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | octolie : rundll32 "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\octolie.dll",octolie  -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme -> FOUND
[PUM.Policies] HKEY_USERS\S-1-5-21-2382356700-4236744799-1302342617-1005\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.Policies] HKEY_USERS\S-1-5-21-2382356700-4236744799-1302342617-1005\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 1 (Driver: LOADED) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\00000087 : \Driver\Imapi @ Unknown (\SystemRoot\system32\DRIVERS\serial.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9120823ASG +++++
--- User ---
[MBR] 93125df63deb4605f13a6559037d0a4c
[BSP] 11d467b9f31927f29d49c85858b51038 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 128520 | Size: 114408 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic Flash Disk USB Device +++++
--- User ---
[MBR] ef60cf702d63cfe9afd146bb10c2d6d2
[BSP] adaed49079477dc31abab74dd42cb0ce : Unknown MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0xb) [VISIBLE] Offset (sectors): 736 | Size: 3899 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

============================================
RKreport_SCN_07232014_125729.log - RKreport_SCN_07232014_125854.log

Step 3 - FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:23-07-2014 01
Ran by coit (administrator) on ST-MOBILE2 on 24-07-2014 19:06:14
Running from C:\Documents and Settings\coit\My Documents\My Downloads\FRST
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/

Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/

Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Intel Corporation ) C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
(SEIKO EPSON CORPORATION) C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
(Broadcom Corporation) C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
() C:\WINDOWS\system32\PSIService.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
(SigmaTel, Inc.) C:\WINDOWS\system32\stacsv.exe
(Wave Systems Corp.) C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
(Microsoft Corporation) C:\WINDOWS\system32\dllhost.exe
(Intel® Corporation) C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
(Microsoft Corporation) C:\WINDOWS\system32\dllhost.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
(Wave Systems Corp.) C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
(Wave Systems Corp.) C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
(SigmaTel, Inc.) C:\WINDOWS\stsystra.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
(SEIKO EPSON CORPORATION) C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Macrovision Corporation) C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

HKLM\...\RunOnce: [AvgUninstallURL] => cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRC (the data entry has 253 more characters).
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\avg8 <====== ATTENTION
Winlogon\Notify\gemsafe: C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll (Gemplus)
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\ <*>] <===== ATTENTION
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKU\S-1-5-21-2382356700-4236744799-1302342617-1005\...\Run: [ISUSPM] => C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [205480 2007-08-30] (Macrovision Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

SearchScopes: HKLM - DefaultScope {80c554b9-c7f8-4a21-9471-06d606da78a2} URL = http://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE

SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
SearchScopes: HKLM - {80c554b9-c7f8-4a21-9471-06d606da78a2} URL = http://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKLM - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL = http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKCU - {80c554b9-c7f8-4a21-9471-06d606da78a2} URL =
SearchScopes: HKCU - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL =
BHO: No Name -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} ->  No File
BHO: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: No Name -> {A3BC75A2-1F87-4686-AA43-5347D756017C} ->  No File
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
BHO: CBrowserHelperObject Object -> {CA6319C0-31B7-401E-A518-A07C3DB8F777} -> C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: No Name -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} ->  No File
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - No Name - {A057A204-BACC-4D26-9990-79A187E2698E} -  No File
DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} http://launch.soe.com/plugin/web/SOEWebInstaller.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [113024 2011-08-12] (SuperAdBlocker.com)
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [147456] (Apple Inc.)

FireFox:
========
FF Plugin: @adobe.com/ShockwavePlayer - C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @google.com/npPicasa2,version=2.0.0 - C:\Program Files\Picasa2\npPicasa2.dll No File
FF Plugin: @google.com/npPicasa3,version=3.0.0 - C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.25.2 - C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @nosltd.com/getPlus+®,version=1.6.2.91 - C:\Program Files\NOS\bin\np_gp.dll (NOS Microsystems Ltd.)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-08-31]

Chrome:
=======
CHR HomePage: hxxp://www.google.com
CHR HKLM\...\Chrome\Extension: [kpionmjnkbpcdpcflammlgllecmejgjj] - C:\Program Files\vShare.tv plugin\vshareplg.crx []

========================== Services (Whitelisted) =================

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [116608 2012-12-06] (SUPERAntiSpyware.com) [File not signed]
R2 Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [132424 2008-11-07] (Apple Inc.)
R2 ASFIPmon; C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [79168 2007-06-20] (Broadcom Corporation)
R2 EpsonBidirectionalService; C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe [94208 2006-12-19] (SEIKO EPSON CORPORATION) [File not signed]
R2 EvtEng; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [647168 2007-07-25] (Intel Corporation) [File not signed]
S3 getPlusHelper; C:\Program Files\NOS\bin\getPlus_Helper.dll [68000 2010-03-29] (NOS Microsystems Ltd.)
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182184 2013-06-28] (Oracle Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)
R2 NICCONFIGSVC; C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe [475136 2008-02-22] (Dell Inc.) [File not signed]
R2 ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [174656 2006-11-02] () [File not signed]
R2 RegSrvc; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [327680 2007-07-25] (Intel Corporation) [File not signed]
R2 S24EventMonitor; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [987136 2007-07-25] (Intel Corporation ) [File not signed]
S3 SecureStorageService; C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [486400 2007-08-31] (Wave Systems Corp.) [File not signed]
R2 STacSV; C:\WINDOWS\system32\StacSV.exe [94208 2007-09-13] (SigmaTel, Inc.)
R2 tcsd_win32.exe; C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1552384 2007-11-08] () [File not signed]
R2 TdmService; C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe [737280 2007-09-07] (Wave Systems Corp.) [File not signed]
R2 Wave UCSPlus; C:\WINDOWS\system32\dllhost.exe [5120 2008-04-13] (Microsoft Corporation)
S3 WaveEnrollmentService; C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe [192512 2007-09-13] (Wave Systems Corp.) [File not signed]
R2 WLANKEEPER; C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe [294912 2007-07-25] (Intel® Corporation) [File not signed]
S4 McComponentHostService; "C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe" [X]
S4 Roxio UPnP Renderer 11; "C:\Program Files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe" [X]
S4 SupportSoft RemoteAssist; C:\Program Files\Common Files\supportsoft\bin\ssrc.exe [X]

==================== Drivers (Whitelisted) ====================

S3 61883; C:\WINDOWS\System32\DRIVERS\61883.sys [48128 2008-04-13] (Microsoft Corporation)
S4 abp480n5; C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
R2 AegisP; C:\WINDOWS\System32\DRIVERS\AegisP.sys [21393 2008-05-28] (Cisco Systems, Inc.)
R1 APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [16128 2005-08-12] (Dell Inc) [File not signed]
S3 ASPI; C:\WINDOWS\System32\DRIVERS\ASPI32.sys [16512 2002-07-17] (Adaptec) [File not signed]
R2 BASFND; C:\Program Files\Broadcom\ASFIPMon\BASFND.sys [10480 2007-06-20] (Broadcom Corporation) [File not signed]
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
R3 HSFHWAZL; C:\WINDOWS\System32\DRIVERS\HSFHWAZL.sys [211200 2007-12-02] (Conexant Systems, Inc.)
R3 HSF_DPV; C:\WINDOWS\System32\DRIVERS\HSF_DPV.sys [989952 2007-12-02] (Conexant Systems, Inc.)
R0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
R1 MpKsl562a00bc; c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0AA1CA58-FA8B-463A-9B1D-AE45C30E4B44}\MpKsl562a00bc.sys [39464 2014-07-24] (Microsoft Corporation)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
R3 NETw4x32; C:\WINDOWS\System32\DRIVERS\NETw4x32.sys [2211456 2007-08-12] (Intel Corporation)
R0 PBADRV; C:\WINDOWS\System32\DRIVERS\PBADRV.sys [26608 2007-09-07] (Dell Inc)
R2 s24trans; C:\WINDOWS\System32\DRIVERS\s24trans.sys [12416 2007-05-29] (Intel Corporation) [File not signed]
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-08-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 SASENUM; C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [12872 2010-02-19] ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [67664 2011-08-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1222840 2007-09-13] (SigmaTel, Inc.)
R3 WaveFDE; C:\WINDOWS\System32\DRIVERS\WaveFDE.sys [18176 2007-09-06] (Windows ® Codename Longhorn DDK provider) [File not signed]
R2 WavxDMgr; C:\WINDOWS\System32\DRIVERS\WavxDMgr.sys [161280 2007-09-10] (Wave Systems Corp.) [File not signed]
S3 catchme; \??\C:\DOCUME~1\lisa\LOCALS~1\Temp\catchme.sys [X]
S1 fpuzdics; \??\C:\WINDOWS\system32\drivers\fpuzdics.sys [X]
S1 fzdycofm; \??\C:\WINDOWS\system32\drivers\fzdycofm.sys [X]
S1 mlvkmjri; \??\C:\WINDOWS\system32\drivers\mlvkmjri.sys [X]
S1 ntirmuoi; \??\C:\WINDOWS\system32\drivers\ntirmuoi.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U5 Sdbus; C:\Windows\System32\Drivers\Sdbus.sys [79232 2008-04-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-07-24 19:05 - 2014-07-24 19:06 - 00000000 ____D () C:\FRST
2014-07-23 12:38 - 2014-07-23 12:38 - 00090112 _____ () C:\WINDOWS\Minidump\Mini072314-02.dmp
2014-07-23 12:24 - 2014-07-23 12:23 - 00090112 _____ () C:\WINDOWS\Minidump\Mini072314-01.dmp
2014-07-23 12:20 - 2014-07-24 18:41 - 00029160 _____ () C:\WINDOWS\system32\Drivers\TrueSight.sys
2014-07-23 12:20 - 2014-07-23 12:20 - 04770904 _____ () C:\Documents and Settings\coit\Desktop\RogueKiller.exe
2014-07-23 12:20 - 2014-07-23 12:20 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\RogueKiller
2014-07-22 12:49 - 2014-07-23 07:46 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-07-22 10:31 - 2014-07-22 23:31 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-07-22 10:30 - 2014-07-22 10:43 - 00000000 ____D () C:\WINDOWS\pss
2014-07-22 08:04 - 2014-07-24 18:36 - 00008722 _____ () C:\WINDOWS\setupapi.log
2014-07-22 07:58 - 2014-07-22 10:25 - 00018248 _____ () C:\WINDOWS\FaxSetup.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00006562 _____ () C:\WINDOWS\iis6.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00006186 _____ () C:\WINDOWS\ocgen.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00005880 _____ () C:\WINDOWS\msmqinst.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00004833 _____ () C:\WINDOWS\tsoc.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00002495 _____ () C:\WINDOWS\comsetup.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00001917 _____ () C:\WINDOWS\imsins.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00001805 _____ () C:\WINDOWS\ntdtcsetup.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00001592 _____ () C:\WINDOWS\netfxocm.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00000719 _____ () C:\WINDOWS\MedCtrOC.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00000479 _____ () C:\WINDOWS\msgsocm.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00000469 _____ () C:\WINDOWS\ocmsn.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00000311 _____ () C:\WINDOWS\tabletoc.log
2014-07-22 07:54 - 2014-07-22 08:21 - 00000180 _____ () C:\WINDOWS\setupact.log
2014-07-22 07:54 - 2014-07-22 07:54 - 00000000 _____ () C:\WINDOWS\setuperr.log
2014-07-21 23:32 - 2014-07-21 23:32 - 00000737 _____ () C:\Documents and Settings\coit\Desktop\JRT.txt
2014-07-21 18:54 - 2014-07-21 18:54 - 00000000 ____D () C:\WINDOWS\ERUNT
2014-07-21 18:49 - 2010-08-30 08:34 - 00536576 ____N (SQLite Development Team) C:\WINDOWS\system32\sqlite3.dll
2014-07-21 18:48 - 2014-07-21 18:49 - 00000000 ____D () C:\AdwCleaner
2014-07-21 16:18 - 2014-07-21 16:18 - 00000000 ____D () C:\WINDOWS\CSC
2014-07-21 15:54 - 2014-07-21 15:54 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-07-21 14:09 - 2009-02-09 08:10 - 00401408 ____N (Microsoft Corporation) C:\WINDOWS\system32\rpcss.dll
2014-07-21 13:37 - 2014-07-21 22:24 - 00000777 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-07-21 13:37 - 2014-07-21 22:24 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-07-21 13:36 - 2014-07-23 07:38 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-07-21 13:36 - 2014-07-22 21:40 - 00054232 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-07-21 11:27 - 2014-07-21 11:27 - 00000000 ____D () C:\Documents and Settings\lisa\Application Data\Malwarebytes
2014-07-21 01:05 - 2014-07-21 01:08 - 00005754 _____ () C:\Documents and Settings\lisa\Desktop\Rkill.txt
2014-07-21 01:04 - 2014-07-24 19:06 - 00000000 ____D () C:\Documents and Settings\coit\Local Settings\temp
2014-07-21 01:04 - 2014-07-24 18:44 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-07-21 01:04 - 2014-07-21 01:04 - 00013490 _____ () C:\ComboFix.txt
2014-07-21 01:04 - 2014-07-21 01:04 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-07-21 01:04 - 2014-07-21 01:04 - 00000000 ____D () C:\Documents and Settings\lane\Local Settings\temp
2014-07-21 01:04 - 2014-07-21 01:04 - 00000000 ____D () C:\Documents and Settings\coit jr\Local Settings\temp
2014-07-21 01:04 - 2014-07-21 01:04 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2014-07-19 22:36 - 2014-07-21 12:14 - 00000000 ____D () C:\Documents and Settings\lisa\Local Settings\temp
2014-07-19 16:26 - 2014-07-19 22:35 - 00000000 ____D () C:\Documents and Settings\lisa\Application Data\Itziyvcy
2014-07-19 16:22 - 2014-07-22 23:15 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\UnobOtax

==================== One Month Modified Files and Folders =======

2014-07-24 19:06 - 2014-07-24 19:05 - 00000000 ____D () C:\FRST
2014-07-24 19:06 - 2014-07-21 01:04 - 00000000 ____D () C:\Documents and Settings\coit\Local Settings\temp
2014-07-24 18:44 - 2014-07-21 01:04 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-07-24 18:44 - 2012-08-17 17:38 - 01122840 _____ () C:\WINDOWS\WindowsUpdate.log
2014-07-24 18:42 - 2014-04-02 15:46 - 00000384 ____H () C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2014-07-24 18:41 - 2014-07-23 12:20 - 00029160 _____ () C:\WINDOWS\system32\Drivers\TrueSight.sys
2014-07-24 18:36 - 2014-07-22 08:04 - 00008722 _____ () C:\WINDOWS\setupapi.log
2014-07-24 18:36 - 2008-12-28 18:00 - 00000000 ____D () C:\MDT
2014-07-24 18:36 - 2008-06-03 16:18 - 00000000 _____ () C:\Documents and Settings\coit\Local Settings\Application Data\WavXMapDrive.bat
2014-07-24 18:35 - 2014-03-11 10:19 - 00000220 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-07-24 18:35 - 2012-03-22 16:57 - 00000878 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-07-24 18:33 - 2004-08-11 18:11 - 00000000 ____D () C:\WINDOWS\Registration
2014-07-24 18:32 - 2008-06-14 07:42 - 00000157 _____ () C:\WINDOWS\wiadebug.log
2014-07-24 18:32 - 2008-06-14 07:42 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2014-07-24 18:32 - 2008-05-28 03:48 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\Application Data\NTRU Cryptosystems
2014-07-24 18:31 - 2004-08-11 18:20 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-07-24 18:31 - 2004-08-11 18:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-07-23 17:01 - 2008-06-03 16:18 - 00000278 ___SH () C:\Documents and Settings\coit\ntuser.ini
2014-07-23 17:01 - 2004-08-11 18:20 - 00032514 _____ () C:\WINDOWS\SchedLgU.Txt
2014-07-23 16:12 - 2012-03-22 16:57 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-07-23 12:48 - 2004-08-11 18:02 - 00000000 ____D () C:\WINDOWS\Help
2014-07-23 12:38 - 2014-07-23 12:38 - 00090112 _____ () C:\WINDOWS\Minidump\Mini072314-02.dmp
2014-07-23 12:38 - 2008-09-08 12:36 - 00000000 ____D () C:\WINDOWS\Minidump
2014-07-23 12:23 - 2014-07-23 12:24 - 00090112 _____ () C:\WINDOWS\Minidump\Mini072314-01.dmp
2014-07-23 12:20 - 2014-07-23 12:20 - 04770904 _____ () C:\Documents and Settings\coit\Desktop\RogueKiller.exe
2014-07-23 12:20 - 2014-07-23 12:20 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\RogueKiller
2014-07-23 07:46 - 2014-07-22 12:49 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-07-23 07:44 - 2011-07-16 00:52 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2541763$
2014-07-23 07:43 - 2004-08-11 18:00 - 00000624 _____ () C:\WINDOWS\win.ini
2014-07-23 07:43 - 2004-08-11 18:00 - 00000327 __RSH () C:\boot.ini
2014-07-23 07:43 - 2004-08-11 18:00 - 00000227 _____ () C:\WINDOWS\system.ini
2014-07-23 07:38 - 2014-07-21 13:36 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-07-22 23:31 - 2014-07-22 10:31 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-07-22 23:24 - 2008-06-03 16:18 - 00000000 ____D () C:\Documents and Settings\coit
2014-07-22 23:17 - 2011-10-20 00:33 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2592799$
2014-07-22 23:15 - 2014-07-19 16:22 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\UnobOtax
2014-07-22 21:40 - 2014-07-21 13:36 - 00054232 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-07-22 12:46 - 2008-06-03 19:44 - 00000000 ____D () C:\Documents and Settings\coit\Application Data\Adobe
2014-07-22 10:43 - 2014-07-22 10:30 - 00000000 ____D () C:\WINDOWS\pss
2014-07-22 10:26 - 2008-05-28 04:05 - 00072952 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2014-07-22 10:25 - 2014-07-22 07:58 - 00018248 _____ () C:\WINDOWS\FaxSetup.log
2014-07-22 10:21 - 2008-05-28 03:57 - 00072952 _____ () C:\Documents and Settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2014-07-22 10:17 - 2004-08-11 18:06 - 00274968 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2014-07-22 10:14 - 2009-08-31 23:26 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB973507$
2014-07-22 08:40 - 2008-11-16 17:06 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2014-07-22 08:35 - 2008-05-28 04:03 - 00000623 _____ () C:\WINDOWS\system32\ROXECDC6Inst.log
2014-07-22 08:32 - 2008-05-28 04:02 - 00000000 ____D () C:\Program Files\Common Files\Sonic Shared
2014-07-22 08:32 - 2008-05-28 04:02 - 00000000 ____D () C:\Program Files\Common Files\Roxio Shared
2014-07-22 08:25 - 2008-05-28 04:03 - 00001365 _____ () C:\WINDOWS\wininit.ini
2014-07-22 08:22 - 2008-11-16 17:06 - 00000000 ____D () C:\Program Files\Roxio Creator 2009
2014-07-22 08:21 - 2014-07-22 07:54 - 00000180 _____ () C:\WINDOWS\setupact.log
2014-07-22 08:18 - 2008-11-16 17:08 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Roxio
2014-07-22 08:04 - 2014-07-22 07:58 - 00006562 _____ () C:\WINDOWS\iis6.log
2014-07-22 08:04 - 2014-07-22 07:58 - 00006186 _____ () C:\WINDOWS\ocgen.log
2014-07-22 08:04 - 2014-07-22 07:58 - 00005880 _____ () C:\WINDOWS\msmqinst.log
2014-07-22 08:04 - 2014-07-22 07:58 - 00004833 _____ () C:\WINDOWS\tsoc.log
2014-07-22 08:04 - 2014-07-22 07:58 - 00002495 _____ () C:\WINDOWS\comsetup.log
2014-07-22 08:04 - 2014-07-22 07:58 - 00001917 _____ () C:\WINDOWS\imsins.log
2014-07-22 08:04 - 2014-07-22 07:58 - 00001805 _____ () C:\WINDOWS\ntdtcsetup.log
2014-07-22 08:04 - 2014-07-22 07:58 - 00001592 _____ () C:\WINDOWS\netfxocm.log
2014-07-22 08:04 - 2014-07-22 07:58 - 00000719 _____ () C:\WINDOWS\MedCtrOC.log
2014-07-22 08:04 - 2014-07-22 07:58 - 00000479 _____ () C:\WINDOWS\msgsocm.log
2014-07-22 08:04 - 2014-07-22 07:58 - 00000469 _____ () C:\WINDOWS\ocmsn.log
2014-07-22 08:04 - 2014-07-22 07:58 - 00000311 _____ () C:\WINDOWS\tabletoc.log
2014-07-22 07:54 - 2014-07-22 07:54 - 00000000 _____ () C:\WINDOWS\setuperr.log
2014-07-21 23:32 - 2014-07-21 23:32 - 00000737 _____ () C:\Documents and Settings\coit\Desktop\JRT.txt
2014-07-21 23:23 - 2008-06-03 23:21 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2014-07-21 22:24 - 2014-07-21 13:37 - 00000777 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-07-21 22:24 - 2014-07-21 13:37 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-07-21 21:28 - 2013-06-28 20:35 - 00002347 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader XI.lnk
2014-07-21 21:26 - 2013-06-28 20:35 - 00000000 ____D () C:\Program Files\Common Files\Adobe
2014-07-21 20:52 - 2009-11-26 00:11 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB975025$
2014-07-21 20:48 - 2014-02-18 22:08 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\webasave
2014-07-21 18:54 - 2014-07-21 18:54 - 00000000 ____D () C:\WINDOWS\ERUNT
2014-07-21 18:49 - 2014-07-21 18:48 - 00000000 ____D () C:\AdwCleaner
2014-07-21 18:25 - 2009-05-27 00:00 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2014-07-21 16:18 - 2014-07-21 16:18 - 00000000 ____D () C:\WINDOWS\CSC
2014-07-21 15:54 - 2014-07-21 15:54 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-07-21 13:36 - 2010-03-14 14:29 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-07-21 12:28 - 2008-06-03 16:18 - 00000000 ____D () C:\Documents and Settings\coit\Local Settings\Application Data\Google
2014-07-21 12:15 - 2009-08-31 23:27 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB961371-v2$
2014-07-21 12:15 - 2008-06-04 00:07 - 00000278 ___SH () C:\Documents and Settings\lisa\ntuser.ini
2014-07-21 12:14 - 2014-07-19 22:36 - 00000000 ____D () C:\Documents and Settings\lisa\Local Settings\temp
2014-07-21 11:27 - 2014-07-21 11:27 - 00000000 ____D () C:\Documents and Settings\lisa\Application Data\Malwarebytes
2014-07-21 10:02 - 2008-06-04 00:07 - 00000000 _____ () C:\Documents and Settings\lisa\Local Settings\Application Data\WavXMapDrive.bat
2014-07-21 02:00 - 2004-08-11 18:20 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2014-07-21 01:37 - 2012-01-21 04:38 - 00000664 ____N () C:\WINDOWS\system32\d3d9caps.dat
2014-07-21 01:25 - 2008-05-28 04:02 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Sonic
2014-07-21 01:21 - 2014-03-09 12:59 - 00000081 ____N () C:\WINDOWS\system32\yjafr.gxb
2014-07-21 01:08 - 2014-07-21 01:05 - 00005754 _____ () C:\Documents and Settings\lisa\Desktop\Rkill.txt
2014-07-21 01:04 - 2014-07-21 01:04 - 00013490 _____ () C:\ComboFix.txt
2014-07-21 01:04 - 2014-07-21 01:04 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-07-21 01:04 - 2014-07-21 01:04 - 00000000 ____D () C:\Documents and Settings\lane\Local Settings\temp
2014-07-21 01:04 - 2014-07-21 01:04 - 00000000 ____D () C:\Documents and Settings\coit jr\Local Settings\temp
2014-07-21 01:04 - 2014-07-21 01:04 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2014-07-21 01:04 - 2011-08-21 12:05 - 00000000 ____D () C:\Qoobox
2014-07-20 23:07 - 2008-06-04 00:07 - 00000000 ____D () C:\Documents and Settings\lisa
2014-07-19 22:39 - 2004-08-11 13:06 - 50593792 ____N () C:\WINDOWS\system32\config\SOFTWARE.bak
2014-07-19 22:39 - 2004-08-11 13:06 - 07864320 ____N () C:\WINDOWS\system32\config\SYSTEM.bak
2014-07-19 22:39 - 2004-08-11 13:06 - 05242880 ____N () C:\WINDOWS\system32\config\DEFAULT.bak
2014-07-19 22:39 - 2004-08-11 13:06 - 00065536 ____N () C:\WINDOWS\system32\config\SECURITY.bak
2014-07-19 22:39 - 2004-08-11 13:06 - 00028672 ____N () C:\WINDOWS\system32\config\SAM.bak
2014-07-19 22:38 - 2010-12-12 21:27 - 00131072 ____N () C:\WINDOWS\system32\config\WindowsPowerShell.evt
2014-07-19 22:37 - 2011-08-21 13:02 - 00008192 ____N () C:\WINDOWS\system32\config\SECURITY.tmp.LOG
2014-07-19 22:37 - 2011-08-21 12:18 - 00000000 ____D () C:\WINDOWS\ERDNT
2014-07-19 22:35 - 2014-07-19 16:26 - 00000000 ____D () C:\Documents and Settings\lisa\Application Data\Itziyvcy
2014-07-12 10:44 - 2014-03-07 13:44 - 00000102 ____N () C:\WINDOWS\system32\wffwjtv.qgz
2014-07-10 23:00 - 2013-07-30 00:25 - 00000000 ____D () C:\WINDOWS\system32\MRT
2014-07-10 22:57 - 2008-06-04 18:06 - 93585272 ____N (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2014-07-08 21:54 - 2014-03-11 10:19 - 00000214 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job

Files to move or delete:
====================
C:\Documents and Settings\coit\jagex_runescape_preferences.dat
C:\Documents and Settings\coit\jagex_runescape_preferences2.dat
C:\Documents and Settings\coit\jagex__preferences3.dat
C:\Documents and Settings\coit jr\jagex_runescape_preferences.dat
C:\Documents and Settings\coit jr\jagex_runescape_preferences2.dat
C:\Documents and Settings\coit jr\jagex__preferences3.dat
C:\Documents and Settings\lisa\jagex_runescape_preferences.dat
C:\Documents and Settings\lisa\jagex_runescape_preferences2.dat
C:\Documents and Settings\lisa\jagex__preferences3.dat

Some content of TEMP:
====================
C:\Documents and Settings\coit\Local Settings\temp\{A8D873C0-D398-4289-AC57-89992EA5CBBF}.exe

==================== Bamital & volsnap Check =================

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

Step 3 - Additional.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:23-07-2014 01
Ran by coit (administrator) on ST-MOBILE2 on 24-07-2014 19:06:14
Running from C:\Documents and Settings\coit\My Documents\My Downloads\FRST
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/

Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/

Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Intel Corporation ) C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
(SEIKO EPSON CORPORATION) C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
(Broadcom Corporation) C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
() C:\WINDOWS\system32\PSIService.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
(SigmaTel, Inc.) C:\WINDOWS\system32\stacsv.exe
(Wave Systems Corp.) C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
(Microsoft Corporation) C:\WINDOWS\system32\dllhost.exe
(Intel® Corporation) C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
(Microsoft Corporation) C:\WINDOWS\system32\dllhost.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
(Wave Systems Corp.) C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
(Wave Systems Corp.) C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
(SigmaTel, Inc.) C:\WINDOWS\stsystra.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
(SEIKO EPSON CORPORATION) C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Macrovision Corporation) C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

HKLM\...\RunOnce: [AvgUninstallURL] => cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRC (the data entry has 253 more characters).
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\avg8 <====== ATTENTION
Winlogon\Notify\gemsafe: C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll (Gemplus)
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\ <*>] <===== ATTENTION
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKU\S-1-5-21-2382356700-4236744799-1302342617-1005\...\Run: [ISUSPM] => C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [205480 2007-08-30] (Macrovision Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

SearchScopes: HKLM - DefaultScope {80c554b9-c7f8-4a21-9471-06d606da78a2} URL = http://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE

SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
SearchScopes: HKLM - {80c554b9-c7f8-4a21-9471-06d606da78a2} URL = http://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKLM - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL = http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKCU - {80c554b9-c7f8-4a21-9471-06d606da78a2} URL =
SearchScopes: HKCU - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL =
BHO: No Name -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} ->  No File
BHO: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: No Name -> {A3BC75A2-1F87-4686-AA43-5347D756017C} ->  No File
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
BHO: CBrowserHelperObject Object -> {CA6319C0-31B7-401E-A518-A07C3DB8F777} -> C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: No Name -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} ->  No File
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - No Name - {A057A204-BACC-4D26-9990-79A187E2698E} -  No File
DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} http://launch.soe.com/plugin/web/SOEWebInstaller.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [113024 2011-08-12] (SuperAdBlocker.com)
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [147456] (Apple Inc.)

FireFox:
========
FF Plugin: @adobe.com/ShockwavePlayer - C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @google.com/npPicasa2,version=2.0.0 - C:\Program Files\Picasa2\npPicasa2.dll No File
FF Plugin: @google.com/npPicasa3,version=3.0.0 - C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.25.2 - C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @nosltd.com/getPlus+®,version=1.6.2.91 - C:\Program Files\NOS\bin\np_gp.dll (NOS Microsystems Ltd.)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-08-31]

Chrome:
=======
CHR HomePage: hxxp://www.google.com
CHR HKLM\...\Chrome\Extension: [kpionmjnkbpcdpcflammlgllecmejgjj] - C:\Program Files\vShare.tv plugin\vshareplg.crx []

========================== Services (Whitelisted) =================

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [116608 2012-12-06] (SUPERAntiSpyware.com) [File not signed]
R2 Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [132424 2008-11-07] (Apple Inc.)
R2 ASFIPmon; C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [79168 2007-06-20] (Broadcom Corporation)
R2 EpsonBidirectionalService; C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe [94208 2006-12-19] (SEIKO EPSON CORPORATION) [File not signed]
R2 EvtEng; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [647168 2007-07-25] (Intel Corporation) [File not signed]
S3 getPlusHelper; C:\Program Files\NOS\bin\getPlus_Helper.dll [68000 2010-03-29] (NOS Microsystems Ltd.)
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182184 2013-06-28] (Oracle Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)
R2 NICCONFIGSVC; C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe [475136 2008-02-22] (Dell Inc.) [File not signed]
R2 ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [174656 2006-11-02] () [File not signed]
R2 RegSrvc; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [327680 2007-07-25] (Intel Corporation) [File not signed]
R2 S24EventMonitor; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [987136 2007-07-25] (Intel Corporation ) [File not signed]
S3 SecureStorageService; C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [486400 2007-08-31] (Wave Systems Corp.) [File not signed]
R2 STacSV; C:\WINDOWS\system32\StacSV.exe [94208 2007-09-13] (SigmaTel, Inc.)
R2 tcsd_win32.exe; C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1552384 2007-11-08] () [File not signed]
R2 TdmService; C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe [737280 2007-09-07] (Wave Systems Corp.) [File not signed]
R2 Wave UCSPlus; C:\WINDOWS\system32\dllhost.exe [5120 2008-04-13] (Microsoft Corporation)
S3 WaveEnrollmentService; C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe [192512 2007-09-13] (Wave Systems Corp.) [File not signed]
R2 WLANKEEPER; C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe [294912 2007-07-25] (Intel® Corporation) [File not signed]
S4 McComponentHostService; "C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe" [X]
S4 Roxio UPnP Renderer 11; "C:\Program Files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe" [X]
S4 SupportSoft RemoteAssist; C:\Program Files\Common Files\supportsoft\bin\ssrc.exe [X]

==================== Drivers (Whitelisted) ====================

S3 61883; C:\WINDOWS\System32\DRIVERS\61883.sys [48128 2008-04-13] (Microsoft Corporation)
S4 abp480n5; C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
R2 AegisP; C:\WINDOWS\System32\DRIVERS\AegisP.sys [21393 2008-05-28] (Cisco Systems, Inc.)
R1 APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [16128 2005-08-12] (Dell Inc) [File not signed]
S3 ASPI; C:\WINDOWS\System32\DRIVERS\ASPI32.sys [16512 2002-07-17] (Adaptec) [File not signed]
R2 BASFND; C:\Program Files\Broadcom\ASFIPMon\BASFND.sys [10480 2007-06-20] (Broadcom Corporation) [File not signed]
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
R3 HSFHWAZL; C:\WINDOWS\System32\DRIVERS\HSFHWAZL.sys [211200 2007-12-02] (Conexant Systems, Inc.)
R3 HSF_DPV; C:\WINDOWS\System32\DRIVERS\HSF_DPV.sys [989952 2007-12-02] (Conexant Systems, Inc.)
R0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
R1 MpKsl562a00bc; c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0AA1CA58-FA8B-463A-9B1D-AE45C30E4B44}\MpKsl562a00bc.sys [39464 2014-07-24] (Microsoft Corporation)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
R3 NETw4x32; C:\WINDOWS\System32\DRIVERS\NETw4x32.sys [2211456 2007-08-12] (Intel Corporation)
R0 PBADRV; C:\WINDOWS\System32\DRIVERS\PBADRV.sys [26608 2007-09-07] (Dell Inc)
R2 s24trans; C:\WINDOWS\System32\DRIVERS\s24trans.sys [12416 2007-05-29] (Intel Corporation) [File not signed]
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-08-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 SASENUM; C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [12872 2010-02-19] ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [67664 2011-08-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1222840 2007-09-13] (SigmaTel, Inc.)
R3 WaveFDE; C:\WINDOWS\System32\DRIVERS\WaveFDE.sys [18176 2007-09-06] (Windows ® Codename Longhorn DDK provider) [File not signed]
R2 WavxDMgr; C:\WINDOWS\System32\DRIVERS\WavxDMgr.sys [161280 2007-09-10] (Wave Systems Corp.) [File not signed]
S3 catchme; \??\C:\DOCUME~1\lisa\LOCALS~1\Temp\catchme.sys [X]
S1 fpuzdics; \??\C:\WINDOWS\system32\drivers\fpuzdics.sys [X]
S1 fzdycofm; \??\C:\WINDOWS\system32\drivers\fzdycofm.sys [X]
S1 mlvkmjri; \??\C:\WINDOWS\system32\drivers\mlvkmjri.sys [X]
S1 ntirmuoi; \??\C:\WINDOWS\system32\drivers\ntirmuoi.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U5 Sdbus; C:\Windows\System32\Drivers\Sdbus.sys [79232 2008-04-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-07-24 19:05 - 2014-07-24 19:06 - 00000000 ____D () C:\FRST
2014-07-23 12:38 - 2014-07-23 12:38 - 00090112 _____ () C:\WINDOWS\Minidump\Mini072314-02.dmp
2014-07-23 12:24 - 2014-07-23 12:23 - 00090112 _____ () C:\WINDOWS\Minidump\Mini072314-01.dmp
2014-07-23 12:20 - 2014-07-24 18:41 - 00029160 _____ () C:\WINDOWS\system32\Drivers\TrueSight.sys
2014-07-23 12:20 - 2014-07-23 12:20 - 04770904 _____ () C:\Documents and Settings\coit\Desktop\RogueKiller.exe
2014-07-23 12:20 - 2014-07-23 12:20 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\RogueKiller
2014-07-22 12:49 - 2014-07-23 07:46 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-07-22 10:31 - 2014-07-22 23:31 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-07-22 10:30 - 2014-07-22 10:43 - 00000000 ____D () C:\WINDOWS\pss
2014-07-22 08:04 - 2014-07-24 18:36 - 00008722 _____ () C:\WINDOWS\setupapi.log
2014-07-22 07:58 - 2014-07-22 10:25 - 00018248 _____ () C:\WINDOWS\FaxSetup.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00006562 _____ () C:\WINDOWS\iis6.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00006186 _____ () C:\WINDOWS\ocgen.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00005880 _____ () C:\WINDOWS\msmqinst.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00004833 _____ () C:\WINDOWS\tsoc.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00002495 _____ () C:\WINDOWS\comsetup.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00001917 _____ () C:\WINDOWS\imsins.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00001805 _____ () C:\WINDOWS\ntdtcsetup.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00001592 _____ () C:\WINDOWS\netfxocm.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00000719 _____ () C:\WINDOWS\MedCtrOC.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00000479 _____ () C:\WINDOWS\msgsocm.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00000469 _____ () C:\WINDOWS\ocmsn.log
2014-07-22 07:58 - 2014-07-22 08:04 - 00000311 _____ () C:\WINDOWS\tabletoc.log
2014-07-22 07:54 - 2014-07-22 08:21 - 00000180 _____ () C:\WINDOWS\setupact.log
2014-07-22 07:54 - 2014-07-22 07:54 - 00000000 _____ () C:\WINDOWS\setuperr.log
2014-07-21 23:32 - 2014-07-21 23:32 - 00000737 _____ () C:\Documents and Settings\coit\Desktop\JRT.txt
2014-07-21 18:54 - 2014-07-21 18:54 - 00000000 ____D () C:\WINDOWS\ERUNT
2014-07-21 18:49 - 2010-08-30 08:34 - 00536576 ____N (SQLite Development Team) C:\WINDOWS\system32\sqlite3.dll
2014-07-21 18:48 - 2014-07-21 18:49 - 00000000 ____D () C:\AdwCleaner
2014-07-21 16:18 - 2014-07-21 16:18 - 00000000 ____D () C:\WINDOWS\CSC
2014-07-21 15:54 - 2014-07-21 15:54 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-07-21 14:09 - 2009-02-09 08:10 - 00401408 ____N (Microsoft Corporation) C:\WINDOWS\system32\rpcss.dll
2014-07-21 13:37 - 2014-07-21 22:24 - 00000777 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-07-21 13:37 - 2014-07-21 22:24 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-07-21 13:36 - 2014-07-23 07:38 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-07-21 13:36 - 2014-07-22 21:40 - 00054232 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-07-21 11:27 - 2014-07-21 11:27 - 00000000 ____D () C:\Documents and Settings\lisa\Application Data\Malwarebytes
2014-07-21 01:05 - 2014-07-21 01:08 - 00005754 _____ () C:\Documents and Settings\lisa\Desktop\Rkill.txt
2014-07-21 01:04 - 2014-07-24 19:06 - 00000000 ____D () C:\Documents and Settings\coit\Local Settings\temp
2014-07-21 01:04 - 2014-07-24 18:44 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-07-21 01:04 - 2014-07-21 01:04 - 00013490 _____ () C:\ComboFix.txt
2014-07-21 01:04 - 2014-07-21 01:04 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-07-21 01:04 - 2014-07-21 01:04 - 00000000 ____D () C:\Documents and Settings\lane\Local Settings\temp
2014-07-21 01:04 - 2014-07-21 01:04 - 00000000 ____D () C:\Documents and Settings\coit jr\Local Settings\temp
2014-07-21 01:04 - 2014-07-21 01:04 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2014-07-19 22:36 - 2014-07-21 12:14 - 00000000 ____D () C:\Documents and Settings\lisa\Local Settings\temp
2014-07-19 16:26 - 2014-07-19 22:35 - 00000000 ____D () C:\Documents and Settings\lisa\Application Data\Itziyvcy
2014-07-19 16:22 - 2014-07-22 23:15 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\UnobOtax

==================== One Month Modified Files and Folders =======

2014-07-24 19:06 - 2014-07-24 19:05 - 00000000 ____D () C:\FRST
2014-07-24 19:06 - 2014-07-21 01:04 - 00000000 ____D () C:\Documents and Settings\coit\Local Settings\temp
2014-07-24 18:44 - 2014-07-21 01:04 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-07-24 18:44 - 2012-08-17 17:38 - 01122840 _____ () C:\WINDOWS\WindowsUpdate.log
2014-07-24 18:42 - 2014-04-02 15:46 - 00000384 ____H () C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2014-07-24 18:41 - 2014-07-23 12:20 - 00029160 _____ () C:\WINDOWS\system32\Drivers\TrueSight.sys
2014-07-24 18:36 - 2014-07-22 08:04 - 00008722 _____ () C:\WINDOWS\setupapi.log
2014-07-24 18:36 - 2008-12-28 18:00 - 00000000 ____D () C:\MDT
2014-07-24 18:36 - 2008-06-03 16:18 - 00000000 _____ () C:\Documents and Settings\coit\Local Settings\Application Data\WavXMapDrive.bat
2014-07-24 18:35 - 2014-03-11 10:19 - 00000220 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-07-24 18:35 - 2012-03-22 16:57 - 00000878 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-07-24 18:33 - 2004-08-11 18:11 - 00000000 ____D () C:\WINDOWS\Registration
2014-07-24 18:32 - 2008-06-14 07:42 - 00000157 _____ () C:\WINDOWS\wiadebug.log
2014-07-24 18:32 - 2008-06-14 07:42 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2014-07-24 18:32 - 2008-05-28 03:48 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\Application Data\NTRU Cryptosystems
2014-07-24 18:31 - 2004-08-11 18:20 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-07-24 18:31 - 2004-08-11 18:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-07-23 17:01 - 2008-06-03 16:18 - 00000278 ___SH () C:\Documents and Settings\coit\ntuser.ini
2014-07-23 17:01 - 2004-08-11 18:20 - 00032514 _____ () C:\WINDOWS\SchedLgU.Txt
2014-07-23 16:12 - 2012-03-22 16:57 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-07-23 12:48 - 2004-08-11 18:02 - 00000000 ____D () C:\WINDOWS\Help
2014-07-23 12:38 - 2014-07-23 12:38 - 00090112 _____ () C:\WINDOWS\Minidump\Mini072314-02.dmp
2014-07-23 12:38 - 2008-09-08 12:36 - 00000000 ____D () C:\WINDOWS\Minidump
2014-07-23 12:23 - 2014-07-23 12:24 - 00090112 _____ () C:\WINDOWS\Minidump\Mini072314-01.dmp
2014-07-23 12:20 - 2014-07-23 12:20 - 04770904 _____ () C:\Documents and Settings\coit\Desktop\RogueKiller.exe
2014-07-23 12:20 - 2014-07-23 12:20 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\RogueKiller
2014-07-23 07:46 - 2014-07-22 12:49 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-07-23 07:44 - 2011-07-16 00:52 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2541763$
2014-07-23 07:43 - 2004-08-11 18:00 - 00000624 _____ () C:\WINDOWS\win.ini
2014-07-23 07:43 - 2004-08-11 18:00 - 00000327 __RSH () C:\boot.ini
2014-07-23 07:43 - 2004-08-11 18:00 - 00000227 _____ () C:\WINDOWS\system.ini
2014-07-23 07:38 - 2014-07-21 13:36 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-07-22 23:31 - 2014-07-22 10:31 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-07-22 23:24 - 2008-06-03 16:18 - 00000000 ____D () C:\Documents and Settings\coit
2014-07-22 23:17 - 2011-10-20 00:33 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2592799$
2014-07-22 23:15 - 2014-07-19 16:22 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\UnobOtax
2014-07-22 21:40 - 2014-07-21 13:36 - 00054232 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-07-22 12:46 - 2008-06-03 19:44 - 00000000 ____D () C:\Documents and Settings\coit\Application Data\Adobe
2014-07-22 10:43 - 2014-07-22 10:30 - 00000000 ____D () C:\WINDOWS\pss
2014-07-22 10:26 - 2008-05-28 04:05 - 00072952 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2014-07-22 10:25 - 2014-07-22 07:58 - 00018248 _____ () C:\WINDOWS\FaxSetup.log
2014-07-22 10:21 - 2008-05-28 03:57 - 00072952 _____ () C:\Documents and Settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2014-07-22 10:17 - 2004-08-11 18:06 - 00274968 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2014-07-22 10:14 - 2009-08-31 23:26 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB973507$
2014-07-22 08:40 - 2008-11-16 17:06 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2014-07-22 08:35 - 2008-05-28 04:03 - 00000623 _____ () C:\WINDOWS\system32\ROXECDC6Inst.log
2014-07-22 08:32 - 2008-05-28 04:02 - 00000000 ____D () C:\Program Files\Common Files\Sonic Shared
2014-07-22 08:32 - 2008-05-28 04:02 - 00000000 ____D () C:\Program Files\Common Files\Roxio Shared
2014-07-22 08:25 - 2008-05-28 04:03 - 00001365 _____ () C:\WINDOWS\wininit.ini
2014-07-22 08:22 - 2008-11-16 17:06 - 00000000 ____D () C:\Program Files\Roxio Creator 2009
2014-07-22 08:21 - 2014-07-22 07:54 - 00000180 _____ () C:\WINDOWS\setupact.log
2014-07-22 08:18 - 2008-11-16 17:08 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Roxio
2014-07-22 08:04 - 2014-07-22 07:58 - 00006562 _____ () C:\WINDOWS\iis6.log
2014-07-22 08:04 - 2014-07-22 07:58 - 00006186 _____ () C:\WINDOWS\ocgen.log
2014-07-22 08:04 - 2014-07-22 07:58 - 00005880 _____ () C:\WINDOWS\msmqinst.log
2014-07-22 08:04 - 2014-07-22 07:58 - 00004833 _____ () C:\WINDOWS\tsoc.log
2014-07-22 08:04 - 2014-07-22 07:58 - 00002495 _____ () C:\WINDOWS\comsetup.log
2014-07-22 08:04 - 2014-07-22 07:58 - 00001917 _____ () C:\WINDOWS\imsins.log
2014-07-22 08:04 - 2014-07-22 07:58 - 00001805 _____ () C:\WINDOWS\ntdtcsetup.log
2014-07-22 08:04 - 2014-07-22 07:58 - 00001592 _____ () C:\WINDOWS\netfxocm.log
2014-07-22 08:04 - 2014-07-22 07:58 - 00000719 _____ () C:\WINDOWS\MedCtrOC.log
2014-07-22 08:04 - 2014-07-22 07:58 - 00000479 _____ () C:\WINDOWS\msgsocm.log
2014-07-22 08:04 - 2014-07-22 07:58 - 00000469 _____ () C:\WINDOWS\ocmsn.log
2014-07-22 08:04 - 2014-07-22 07:58 - 00000311 _____ () C:\WINDOWS\tabletoc.log
2014-07-22 07:54 - 2014-07-22 07:54 - 00000000 _____ () C:\WINDOWS\setuperr.log
2014-07-21 23:32 - 2014-07-21 23:32 - 00000737 _____ () C:\Documents and Settings\coit\Desktop\JRT.txt
2014-07-21 23:23 - 2008-06-03 23:21 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2014-07-21 22:24 - 2014-07-21 13:37 - 00000777 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-07-21 22:24 - 2014-07-21 13:37 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-07-21 21:28 - 2013-06-28 20:35 - 00002347 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader XI.lnk
2014-07-21 21:26 - 2013-06-28 20:35 - 00000000 ____D () C:\Program Files\Common Files\Adobe
2014-07-21 20:52 - 2009-11-26 00:11 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB975025$
2014-07-21 20:48 - 2014-02-18 22:08 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\webasave
2014-07-21 18:54 - 2014-07-21 18:54 - 00000000 ____D () C:\WINDOWS\ERUNT
2014-07-21 18:49 - 2014-07-21 18:48 - 00000000 ____D () C:\AdwCleaner
2014-07-21 18:25 - 2009-05-27 00:00 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2014-07-21 16:18 - 2014-07-21 16:18 - 00000000 ____D () C:\WINDOWS\CSC
2014-07-21 15:54 - 2014-07-21 15:54 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-07-21 13:36 - 2010-03-14 14:29 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-07-21 12:28 - 2008-06-03 16:18 - 00000000 ____D () C:\Documents and Settings\coit\Local Settings\Application Data\Google
2014-07-21 12:15 - 2009-08-31 23:27 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB961371-v2$
2014-07-21 12:15 - 2008-06-04 00:07 - 00000278 ___SH () C:\Documents and Settings\lisa\ntuser.ini
2014-07-21 12:14 - 2014-07-19 22:36 - 00000000 ____D () C:\Documents and Settings\lisa\Local Settings\temp
2014-07-21 11:27 - 2014-07-21 11:27 - 00000000 ____D () C:\Documents and Settings\lisa\Application Data\Malwarebytes
2014-07-21 10:02 - 2008-06-04 00:07 - 00000000 _____ () C:\Documents and Settings\lisa\Local Settings\Application Data\WavXMapDrive.bat
2014-07-21 02:00 - 2004-08-11 18:20 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2014-07-21 01:37 - 2012-01-21 04:38 - 00000664 ____N () C:\WINDOWS\system32\d3d9caps.dat
2014-07-21 01:25 - 2008-05-28 04:02 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Sonic
2014-07-21 01:21 - 2014-03-09 12:59 - 00000081 ____N () C:\WINDOWS\system32\yjafr.gxb
2014-07-21 01:08 - 2014-07-21 01:05 - 00005754 _____ () C:\Documents and Settings\lisa\Desktop\Rkill.txt
2014-07-21 01:04 - 2014-07-21 01:04 - 00013490 _____ () C:\ComboFix.txt
2014-07-21 01:04 - 2014-07-21 01:04 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-07-21 01:04 - 2014-07-21 01:04 - 00000000 ____D () C:\Documents and Settings\lane\Local Settings\temp
2014-07-21 01:04 - 2014-07-21 01:04 - 00000000 ____D () C:\Documents and Settings\coit jr\Local Settings\temp
2014-07-21 01:04 - 2014-07-21 01:04 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2014-07-21 01:04 - 2011-08-21 12:05 - 00000000 ____D () C:\Qoobox
2014-07-20 23:07 - 2008-06-04 00:07 - 00000000 ____D () C:\Documents and Settings\lisa
2014-07-19 22:39 - 2004-08-11 13:06 - 50593792 ____N () C:\WINDOWS\system32\config\SOFTWARE.bak
2014-07-19 22:39 - 2004-08-11 13:06 - 07864320 ____N () C:\WINDOWS\system32\config\SYSTEM.bak
2014-07-19 22:39 - 2004-08-11 13:06 - 05242880 ____N () C:\WINDOWS\system32\config\DEFAULT.bak
2014-07-19 22:39 - 2004-08-11 13:06 - 00065536 ____N () C:\WINDOWS\system32\config\SECURITY.bak
2014-07-19 22:39 - 2004-08-11 13:06 - 00028672 ____N () C:\WINDOWS\system32\config\SAM.bak
2014-07-19 22:38 - 2010-12-12 21:27 - 00131072 ____N () C:\WINDOWS\system32\config\WindowsPowerShell.evt
2014-07-19 22:37 - 2011-08-21 13:02 - 00008192 ____N () C:\WINDOWS\system32\config\SECURITY.tmp.LOG
2014-07-19 22:37 - 2011-08-21 12:18 - 00000000 ____D () C:\WINDOWS\ERDNT
2014-07-19 22:35 - 2014-07-19 16:26 - 00000000 ____D () C:\Documents and Settings\lisa\Application Data\Itziyvcy
2014-07-12 10:44 - 2014-03-07 13:44 - 00000102 ____N () C:\WINDOWS\system32\wffwjtv.qgz
2014-07-10 23:00 - 2013-07-30 00:25 - 00000000 ____D () C:\WINDOWS\system32\MRT
2014-07-10 22:57 - 2008-06-04 18:06 - 93585272 ____N (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2014-07-08 21:54 - 2014-03-11 10:19 - 00000214 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job

Files to move or delete:
====================
C:\Documents and Settings\coit\jagex_runescape_preferences.dat
C:\Documents and Settings\coit\jagex_runescape_preferences2.dat
C:\Documents and Settings\coit\jagex__preferences3.dat
C:\Documents and Settings\coit jr\jagex_runescape_preferences.dat
C:\Documents and Settings\coit jr\jagex_runescape_preferences2.dat
C:\Documents and Settings\coit jr\jagex__preferences3.dat
C:\Documents and Settings\lisa\jagex_runescape_preferences.dat
C:\Documents and Settings\lisa\jagex_runescape_preferences2.dat
C:\Documents and Settings\lisa\jagex__preferences3.dat

Some content of TEMP:
====================
C:\Documents and Settings\coit\Local Settings\temp\{A8D873C0-D398-4289-AC57-89992EA5CBBF}.exe

==================== Bamital & volsnap Check =================

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

#4 seedy21

  • Malware Response Team
  • 742 posts
  • Gender:Male
  • Location:West Yorkshire, UK

Posted 25 July 2014 - 05:20 PM

Hi testoc

You posted the FRST.txt file twice instead of the Addition.txt. This should be in your My Downloads folder. Please copy the contents of this file in your next reply.

We need to do a search with Farbar's Recovery Scan Tool

Open up Farbar's Recovery Scan Tool

Type the following in the edit box after "Search:".

rpcss.dll

Note: The file names should be separated by semicolon (;)

It then should look like:

Search: rpcss.dll

Click Search button and post the log (Search.txt) it makes to your reply.

“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club

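The FRST search seedy21 asks for lists every copy of rpcss.dll on the disk with its size, dates and signer, so a replaced or patched copy stands out against the backups Windows keeps in dllcache, ServicePackFiles and the $NtUninstallKB...$ folders. The script below, an added example that is not part of this thread and not FRST's own code, does the same enumeration: it hashes every copy of a named DLL under a Windows root, compares each against the copy in WINDOWS\system32, and flags copies that differ or that sit in a folder Windows never uses for system DLLs. The list of expected folders is an assumption, the sample tree in demo() is constructed throwaway data, and Authenticode signatures are deliberately not verified (use sigcheck or Get-AuthenticodeSignature for that).

```python
"""Hash every copy of a named system DLL under a Windows root and flag the
ones a responder should look at: bytes that differ from WINDOWS\\system32,
or a copy in a folder where Windows never puts system DLLs.
Added example; not FRST code, not from the thread."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Folders where XP legitimately keeps copies of system DLLs (assumption;
# lower-case, forward-slash, relative to the Windows root).
EXPECTED_DIRS = {"windows/system32", "windows/system32/dllcache",
                 "windows/servicepackfiles/i386"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def location_expected(rel_parent):
    """rel_parent: lower-case, forward-slash path of the containing folder."""
    if rel_parent in EXPECTED_DIRS:
        return True
    parts = rel_parent.split("/")
    # Hotfix backups: WINDOWS\$NtUninstallKBnnnnnn$ and WINDOWS\$hf_mig$\...
    return (len(parts) >= 2 and parts[0] == "windows"
            and (parts[1].startswith("$ntuninstall") or parts[1] == "$hf_mig$"))


def find_copies(root, name):
    """Every file called `name` under root (case-insensitive, as NTFS is)."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() != name.lower():
                continue
            p = Path(dirpath) / fn
            try:
                size, digest = p.stat().st_size, sha256_of(p)
            except OSError:
                continue  # locked or unreadable: skip rather than guess
            rel_parent = p.parent.relative_to(root).as_posix().lower()
            hits.append({"path": str(p), "rel_parent": rel_parent,
                         "size": size, "sha256": digest})
    return sorted(hits, key=lambda c: c["path"])


def audit(root, name="rpcss.dll"):
    """Annotate each copy: does it match system32, and is its folder expected?"""
    copies = find_copies(root, name)
    ref = next((c for c in copies if c["rel_parent"] == "windows/system32"), None)
    for c in copies:
        c["matches_system32"] = ref is not None and c["sha256"] == ref["sha256"]
        c["location_expected"] = location_expected(c["rel_parent"])
        c["verdict"] = ("ok" if c["matches_system32"] and c["location_expected"]
                        else "review")
    return copies


def demo():
    """Constructed fixture (not real files): build a throwaway tree, audit it,
    return the report. The temp copy stands in for a stray dropped DLL."""
    base = Path(tempfile.mkdtemp(prefix="rpcss_audit_"))
    try:
        current = b"MZ" + b"\x00" * 510   # bytes of the patched, in-use build
        sp3_build = b"MZ" + b"\x01" * 510  # older service-pack build
        stray = b"MZ" + b"\xcc" * 510      # something that should not be there
        files = {
            "WINDOWS/system32/rpcss.dll": current,
            "WINDOWS/system32/dllcache/rpcss.dll": current,
            "WINDOWS/ServicePackFiles/i386/rpcss.dll": sp3_build,
            "Documents and Settings/coit/Local Settings/temp/RPCSS.DLL": stray,
        }
        for rel, data in files.items():
            p = base / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        return audit(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for c in demo():
        print(f"{c['verdict']:6} {c['size']:>8} {c['sha256'][:16]}  {c['path']}")
```

On a real machine call audit(r"C:\", "rpcss.dll") from an elevated prompt. Treat "review" as a lead, not a verdict: a ServicePackFiles or dllcache copy that differs from system32 is normal after a hotfix, so the tie-breaker is whether the system32 copy carries a valid Microsoft Authenticode signature and a version matching the installed update, which is exactly what the FRST search log shows.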


#5 testoc
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Male
  • Location:US

Posted 25 July 2014 - 07:01 PM


Hello seedy21,

My apologies for the file redundancy. There are two Search buttons in FRST so I pressed both and am posting SearchFile and SearchReg txt files.

Step 3 - FRST Additional.txt:

Additional scan result of Farbar Recovery Scan Tool (x86) Version:23-07-2014 01
Ran by coit at 2014-07-24 19:07:01
Running from C:\Documents and Settings\coit\My Documents\My Downloads\FRST
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AV: Microsoft Security Essentials (Disabled - Up to date) {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

==================== Installed Programs ======================

7-Zip 4.65 (HKLM\...\7-Zip) (Version:  - )
ABBYY FineReader 6.0 Sprint (HKLM\...\{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}) (Version: 6.00.1990.41618 - ABBYY Software House)
Acrobat.com (HKLM\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 2.0.0.0 - Adobe Systems Incorporated)
Acrobat.com (Version: 2.0.0 - Adobe Systems Incorporated) Hidden
Adobe AIR (HKLM\...\Adobe AIR) (Version: 1.5.3.9130 - Adobe Systems Inc.)
Adobe AIR (Version: 1.5.3.9130 - Adobe Systems Inc.) Hidden
Adobe Download Manager (HKLM\...\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}) (Version: 1.6.2.91 - NOS Microsystems Ltd.)
Adobe Flash Player 11 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 11.1.102.55 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.07) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.07 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.5 (HKLM\...\Adobe Shockwave Player) (Version: 11.5.6.606 - Adobe Systems, Inc.)
Apple Mobile Device Support (HKLM\...\{EC4455AB-F155-4CC1-A4C5-88F3777F9886}) (Version: 2.1.2.7 - Apple Inc.)
Apple Software Update (HKLM\...\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}) (Version: 2.1.1.116 - Apple Inc.)
AuthenTec Fingerprint Sensor Minimum Install (Version: 7.8.1.0 - AuthenTec, Inc.) Hidden
biolsp patch (Version: 01.00.02.0005 - Wave Systems Corp) Hidden
Bluetooth Stack for Windows by Toshiba (HKLM\...\{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}) (Version: v4.31.02.6(D) - )
Bonjour (HKLM\...\{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}) (Version: 1.0.105 - Apple Inc.)
Broadcom ASF Management Applications (HKLM\...\{E56D5DC8-4C73-44B1-B650-AAD75C7A2701}) (Version: 10.16.02 - Broadcom Corporation)
Broadcom Management Programs (HKLM\...\{177D1318-3E4B-4A7C-A300-AC4E21BE090B}) (Version: 10.20.03 - Broadcom Corporation)
Browser Address Error Redirector (HKLM\...\{62230596-37E5-4618-A329-0D21F529A86F}) (Version: 1.00.0000 - Dell)
CCleaner (HKLM\...\CCleaner) (Version: 4.12 - Piriform)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Conexant HDA D330 MDC V.92 Modem (HKLM\...\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F) (Version:  - )
Critical Update for Windows Media Player 11 (KB959772) (HKLM\...\KB959772_WM11) (Version:  - Microsoft Corporation)
Dell Drivers MSI (Version: 01.00.00.0010 - Wave Systems Corp) Hidden
Dell Embassy Trust Suite by Wave Systems (Version: 02.01.00.026 - Wave Systems Corp) Hidden
Dell Touchpad (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version: 7.1.102.7 - Alps Electric)
Digital Line Detect (HKLM\...\{E646DCF0-5A68-11D5-B229-002078017FBF}) (Version: 1.21 - BVRP Software, Inc)
Document Manager Lite (Version: 06.06.00.066 - Your Company Name) Hidden
EMBASSY Security Center (Version: 03.06.00.031 - Wave Systems Corp) Hidden
EMBASSY Security Setup (Version: 03.06.00.027 - Wave Systems Corp) Hidden
EMBASSY Trust Suite by Wave Systems (HKLM\...\{F1802FA6-54E9-4B24-BD2A-B50866819795}) (Version: 02.01.01.25 - Wave Systems Corp)
Epson Event Manager (HKLM\...\{48F22622-1CC2-4A83-9C1E-644DD96F832D}) (Version: 2.30.01 - SEIKO EPSON Corporation)
EPSON Scan (HKLM\...\EPSON Scanner) (Version:  - )
EPSON WorkForce 610 Series Printer Uninstall (HKLM\...\EPSON WorkForce 610 Series) (Version:  - SEIKO EPSON Corporation)
EpsonNet Print (HKLM\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.4i - SEIKO EPSON CORPORATION)
EpsonNet Setup (HKLM\...\{FFFAE01B-466F-4C07-9821-A94FD753BDDA}) (Version: 3.1c - SEIKO EPSON CORPORATION)
ESC Home Page Plugin (Version: 03.01.00.018 - Wave Systems Corp) Hidden
Garmin City Navigator NorthAmerica NT 2013.30 Update (HKLM\...\{45C4E2EC-53D5-4190-B1A5-02B9BA732C3A}) (Version: 16.30.0.0 - Garmin Ltd or its subsidiaries)
Gemalto (Version: 01.00.00.0010 - Wave Systems Corp) Hidden
GemSafe Standard Edition 5.1 (Version: 5.10.000.007 - GEMPLUS) Hidden
Google Toolbar for Internet Explorer (HKLM\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.5111.1712 - Google Inc.)
Google Toolbar for Internet Explorer (Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.24.15 - Google Inc.) Hidden
High Definition Audio Driver Package - KB835221 (HKLM\...\KB835221WXP) (Version: 20040219.000000 - Microsoft Corporation)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version:  - )
Intel® PROSet/Wireless Software (HKLM\...\ProInst) (Version: 11.01.0000 - Intel Corporation)
iTunes (HKLM\...\{318AB667-3230-41B5-A617-CB3BF748D371}) (Version: 8.0.2.20 - Apple Inc.)
Java 7 Update 25 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217025FF}) (Version: 7.0.250 - Oracle)
Java Auto Updater (Version: 2.1.9.5 - Sun Microsystems, Inc.) Hidden
Java™ 6 Update 5 (HKLM\...\{3248F0A8-6813-11D6-A77B-00B0D0160050}) (Version: 1.6.0.50 - Sun Microsystems, Inc.)
Java™ 6 Update 7 (HKLM\...\{3248F0A8-6813-11D6-A77B-00B0D0160070}) (Version: 1.6.0.70 - Sun Microsystems, Inc.)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
mCore (Version: 9.24.0000 - Intel Corporation) Hidden
mDrWiFi (Version: 9.24.0000 - Intel Corporation) Hidden
mHlpDell (Version: 9.24.0000 - Intel) Hidden
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 (Version: 1.1.4322 - Microsoft) Hidden
Microsoft .NET Framework 1.1 Security Update (KB2698023) (HKLM\...\M2698023) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB979906) (HKLM\...\M979906) (Version:  - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6012.5000 - Microsoft Corporation) Hidden
Microsoft Base Smart Card Cryptographic Service Provider Package (HKLM\...\KB909520) (Version:  - Microsoft Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Internationalized Domain Names Mitigation APIs (Version:  - Microsoft Corporation) Hidden
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 (Version:  - Microsoft Corporation) Hidden
Microsoft National Language Support Downlevel APIs (Version:  - Microsoft Corporation) Hidden
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Publisher 2003 (HKLM\...\{91190409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Office XP Professional (HKLM\...\{91110409-6000-11D3-8CFE-0050048383C9}) (Version: 10.0.6626.0 - Microsoft Corporation)
Microsoft Security Client (Version: 4.5.0216.0 - Microsoft Corporation) Hidden
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.5.216.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
mIWA (Version: 9.24.0000 - Intel Corporation) Hidden
mLogView (Version: 9.24.0000 - Intel Corporation) Hidden
mMHouse (Version: 9.24.0000 - Intel Corporation) Hidden
Modem Diagnostic Tool (HKLM\...\{F63A3748-B93D-4360-9AD4-B064481A5C7B}) (Version: 1.0.20.0 - Dell)
mPfMgr (Version: 9.24.0000 - Intel Corporation) Hidden
mPfWiz (Version: 9.24.0000 - Intel Corporation) Hidden
mProSafe (Version: 9.00.0000 - Intel) Hidden
mSCfg (Version: 9.24.0000 - Intel Corporation) Hidden
mSSO (Version: 9.24.0000 - Intel Corporation) Hidden
MSXML 4.0 SP2 (KB936181) (HKLM\...\{C04E32E0-0416-434D-AFB9-6969D703A9EF}) (Version: 4.20.9848.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 6.0 Parser (KB933579) (HKLM\...\{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}) (Version: 6.10.1200.0 - Microsoft Corporation)
muvee autoProducer 5.0 (HKLM\...\{64367D02-ADA8-4FA0-B348-27F25C60BC7B}) (Version: 5.00.050 - muvee Technologies)
mWlsSafe (Version: 9.00.0000 - Intel) Hidden
mWMI (Version: 9.24.0000 - Intel Corporation) Hidden
mZConfig (Version: 9.24.0000 - Intel Corporation) Hidden
NetWaiting (HKLM\...\{3F92ABBB-6BBF-11D5-B229-002078017FBF}) (Version: 2.5.44 - BVRP Software, Inc)
NTRU TCG Software Stack (Version: 2.1.25 - NTRU Cryptosystems) Hidden
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0 - Microsoft Corporation) Hidden
Picasa 3 (HKLM\...\Picasa 3) (Version: 3.9 - Google, Inc.)
PowerDVD (HKLM\...\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}) (Version: 7.0 - Dell)
Preboot Manager (Version: 2.0.1.2 - Wave Systems Corp.) Hidden
Private Information Manager (Version: 06.01.00.023 - Your Company Name) Hidden
QuickSet (HKLM\...\{C5074CC4-0E26-4716-A307-960272A90040}) (Version: 8.3.17 - Dell Computer Corporation)
QuickTime (HKLM\...\{8DC42D05-680B-41B0-8878-6C14D24602DB}) (Version: 7.55.90.70 - Apple Inc.)
Secure Update (Version: 05.04.00.010 - Your Company Name) Hidden
Security Wizards (Version: 01.04.00.014 - Your Company Name) Hidden
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1) (Version: 1.6.2 - Safer Networking Limited)
SUPERAntiSpyware Free Edition (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 4.26.0.1004 - SUPERAntiSpyware.com)
Trusted Drive Manager (Version: 2.1.1.2 - Wave Systems Corp.) Hidden
tsp patch (Version: 01.00.00.0000 - Wave Systems Corp) Hidden
TWC Customer Controls (HKLM\...\{F8722041-B63A-47FB-82A8-5F0977E1CF45}) (Version: 7 - SupportSoft)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2468871) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2533523) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2600217) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2836939) (Version: 1 - Microsoft Corporation)
Update for Microsoft Windows (KB971513) (HKLM\...\KB971513) (Version:  - Microsoft Corporation)
Update for Windows Internet Explorer 8 (KB2447568) (HKLM\...\KB2447568-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows Internet Explorer 8 (KB2598845) (HKLM\...\KB2598845-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows Internet Explorer 8 (KB2632503) (HKLM\...\KB2632503-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows Internet Explorer 8 (KB973874) (HKLM\...\KB973874-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows Internet Explorer 8 (KB976662) (HKLM\...\KB976662-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows Internet Explorer 8 (KB976749) (HKLM\...\KB976749-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows Internet Explorer 8 (KB980182) (HKLM\...\KB980182-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2141007) (HKLM\...\KB2141007) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2345886) (HKLM\...\KB2345886) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2467659) (HKLM\...\KB2467659) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2492386) (HKLM\...\KB2492386) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2541763) (HKLM\...\KB2541763) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2607712) (HKLM\...\KB2607712) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2616676-v2) (HKLM\...\KB2616676-v2) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB2641690) (HKLM\...\KB2641690) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2661254-v2) (HKLM\...\KB2661254-v2) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB2718704) (HKLM\...\KB2718704) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2736233) (HKLM\...\KB2736233) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2749655) (HKLM\...\KB2749655) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2808679) (HKLM\...\KB2808679) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2863058) (HKLM\...\KB2863058) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2904266) (HKLM\...\KB2904266) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2934207) (HKLM\...\KB2934207) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB951072-v2) (HKLM\...\KB951072-v2) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB951978) (Version: 1 - Microsoft Corporation) Hidden
Update for Windows XP (KB955759) (HKLM\...\KB955759) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB955839) (HKLM\...\KB955839) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB967715) (HKLM\...\KB967715) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB968389) (HKLM\...\KB968389) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971029) (HKLM\...\KB971029) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971737) (HKLM\...\KB971737) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973687) (HKLM\...\KB973687) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973815) (HKLM\...\KB973815) (Version: 1 - Microsoft Corporation)
upekmsi (Version: 02.00.03.0000 - Wave Systems Corp) Hidden
Wave Infrastructure Installer (Version: 05.00.01.0050 - Wave Systems Corp) Hidden
Wave Support Software (Version: 05.07.00.026 - Wave Systems Corp) Hidden
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray (HKLM\...\KB952011) (Version: 1.0 - Microsoft Corporation)
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Installer 3.1 (KB893803) (HKLM\...\KB893803v2) (Version:  - Microsoft Corporation)
Windows Internet Explorer 7 (Version: 20070813.185237 - Microsoft Corporation) Hidden
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Management Framework Core (HKLM\...\KB968930) (Version:  - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Format 11 runtime (Version:  - Microsoft Corporation) Hidden
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
Windows Media Player 11 (Version:  - Microsoft Corporation) Hidden
Windows Search 4.0 (HKLM\...\KB940157) (Version: 04.00.6001.503 - Microsoft Corporation)
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
XML Paper Specification Shared Components Pack 1.0 (Version:  - Microsoft Corporation) Hidden
Yahoo! Detect (HKLM\...\YTdetect) (Version:  - )

==================== Custom CLSID entries: ==========================

CustomCLSID: HKU\S-1-5-19_Classes\CLSID\{2AF96ED5-02DA-43EC-B585-5DC65B8D2581} -> Orphan?
CustomCLSID: HKU\S-1-5-19_Classes\CLSID\{61BD12C4-01DE-4BF3-8DB7-75CE4D131199} -> Orphan?
CustomCLSID: HKU\S-1-5-20_Classes\CLSID\{2AF96ED5-02DA-43EC-B585-5DC65B8D2581} -> Orphan?
CustomCLSID: HKU\S-1-5-20_Classes\CLSID\{61BD12C4-01DE-4BF3-8DB7-75CE4D131199} -> Orphan?
CustomCLSID: HKU\S-1-5-21-2382356700-4236744799-1302342617-1005_Classes\CLSID\{97090E2F-3062-4459-855B-014F0D3CDBB1}\InprocServer32 -> C:\Program Files\Windows Desktop Search\deskbar.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2382356700-4236744799-1302342617-1005_Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\InprocServer32 -> C:\Program Files\Java\jre7\bin\jp2iexp.dll ()
CustomCLSID: HKU\S-1-5-21-2382356700-4236744799-1302342617-1005_Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBB}\InprocServer32 -> C:\Program Files\Java\jre7\bin\jp2iexp.dll ()
CustomCLSID: HKU\S-1-5-21-2382356700-4236744799-1302342617-1005_Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}\InprocServer32 -> C:\Program Files\Java\jre7\bin\jp2iexp.dll ()
CustomCLSID: HKU\S-1-5-21-2382356700-4236744799-1302342617-1005_Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\InprocServer32 -> C:\Program Files\Java\jre7\bin\jp2iexp.dll ()
CustomCLSID: HKU\S-1-5-21-2382356700-4236744799-1302342617-1005_Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBB}\InprocServer32 -> C:\Program Files\Java\jre7\bin\jp2iexp.dll ()
CustomCLSID: HKU\S-1-5-21-2382356700-4236744799-1302342617-1005_Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}\InprocServer32 -> C:\Program Files\Java\jre7\bin\jp2iexp.dll ()
CustomCLSID: HKU\S-1-5-21-2382356700-4236744799-1302342617-1005_Classes\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\InprocServer32 -> C:\Program Files\Java\jre7\bin\jp2iexp.dll ()
CustomCLSID: HKU\S-1-5-21-2382356700-4236744799-1302342617-1005_Classes\CLSID\{CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA}\InprocServer32 -> C:\Program Files\Java\jre7\bin\jp2iexp.dll ()
CustomCLSID: HKU\S-1-5-21-2382356700-4236744799-1302342617-1005_Classes\CLSID\{CAFEEFAC-0017-0000-0025-ABCDEFFEDCBB}\InprocServer32 -> C:\Program Files\Java\jre7\bin\jp2iexp.dll ()
CustomCLSID: HKU\S-1-5-21-2382356700-4236744799-1302342617-1005_Classes\CLSID\{CAFEEFAC-0017-0000-0025-ABCDEFFEDCBC}\InprocServer32 -> C:\Program Files\Java\jre7\bin\jp2iexp.dll ()
CustomCLSID: HKU\S-1-5-21-2382356700-4236744799-1302342617-1005_Classes\CLSID\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}\InprocServer32 -> C:\Program Files\Java\jre7\bin\jp2iexp.dll ()

==================== Restore Points  =========================

22-07-2014 12:04:17 Removed Roxio Activation Module
22-07-2014 12:26:28 Removed Roxio Creator Audio
22-07-2014 12:27:40 Removed Roxio Creator BDAV Plugin
22-07-2014 12:29:16 Removed Roxio Creator Copy
22-07-2014 12:30:24 Removed Roxio Creator Data
22-07-2014 12:32:00 Removed Roxio Creator DE
22-07-2014 12:33:56 Removed Roxio Creator Tools
22-07-2014 12:35:46 Removed Roxio Drag-to-Disc
22-07-2014 12:38:26 Removed Roxio Express Labeler 3
22-07-2014 12:40:04 Configured SmartSound Quicktracks Plugin
23-07-2014 03:15:06 Malwarebytes Anti-Rootkit Restore Point
23-07-2014 16:47:56 Removed IntelliSonic Speech Enhancement

==================== Hosts content: ==========================

2008-06-03 23:25 - 2014-07-19 22:40 - 00000027 ____N C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job => c:\Program Files\Microsoft Security Client\MpCmdRun.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Spybot - Search & Destroy -  Scheduled Task.job => C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

==================== Loaded Modules (whitelisted) =============

2007-07-25 17:25 - 2007-07-25 17:25 - 00118784 _____ () C:\Program Files\Intel\Wireless\Bin\IWMSPROV.DLL
2008-06-20 21:09 - 2007-09-17 10:19 - 00045056 ____N () C:\WINDOWS\system32\DLDFPMON.DLL
2008-06-20 21:09 - 2007-05-04 02:23 - 00049152 ____N () C:\WINDOWS\system32\DLDFOEM.DLL
2004-07-20 18:04 - 2004-07-20 18:04 - 00094208 ____N () C:\WINDOWS\system32\TosBtHcrpAPI.dll
2006-11-02 20:40 - 2006-11-02 20:40 - 00174656 ____N () C:\WINDOWS\system32\PSIService.exe
2007-09-10 10:53 - 2007-09-10 10:53 - 00262144 ____N () C:\WINDOWS\system32\wxvault.dll
2012-07-24 21:03 - 2009-03-12 15:45 - 00135168 ____N () C:\Program Files\Epson Software\Event Manager\Assistants\Scan Assistant\ScanEngine.dll
2012-07-24 21:03 - 2008-11-21 13:58 - 00057344 ____N () C:\Program Files\Epson Software\Event Manager\Assistants\Scan Assistant\Satwain.dll

==================== Alternate Data Streams (whitelisted) =========

==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\AppMgmt => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\Base => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\Boot Bus Extender => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\Boot file system => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\CryptSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\DcomLaunch => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\dmadmin => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\dmboot.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\dmio.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\dmload.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\dmserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\EventLog => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\File system => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\Filter => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\HelpSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\MsMpSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\Netlogon => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\PCI Configuration => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\PlugPlay => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\PNP Filter => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\Primary disk => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\RpcSs => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\SCSI Class => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\sermouse.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\sr.sys => ""="FSFilter System Recovery"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\SRService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\System Bus Extender => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\vds => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\vga.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\vgasave.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\WinMgmt => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{36FC9E60-C465-11CF-8056-444553540000} => ""="Universal Serial Bus controllers"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{4D36E965-E325-11CE-BFC1-08002BE10318} => ""="CD-ROM Drive"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{4D36E967-E325-11CE-BFC1-08002BE10318} => ""="DiskDrive"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{4D36E969-E325-11CE-BFC1-08002BE10318} => ""="Standard floppy disk controller"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{4D36E96A-E325-11CE-BFC1-08002BE10318} => ""="Hdc"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{4D36E96B-E325-11CE-BFC1-08002BE10318} => ""="Keyboard"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{4D36E96F-E325-11CE-BFC1-08002BE10318} => ""="Mouse"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{4D36E977-E325-11CE-BFC1-08002BE10318} => ""="PCMCIA Adapters"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{4D36E97B-E325-11CE-BFC1-08002BE10318} => ""="SCSIAdapter"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{4D36E97D-E325-11CE-BFC1-08002BE10318} => ""="System"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{4D36E980-E325-11CE-BFC1-08002BE10318} => ""="Floppy disk drive"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{533C5B84-EC70-11D2-9505-00C04F79DEAF} => ""="Volume shadow copy"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{71A27CDD-812A-11D0-BEC7-08002BE2092F} => ""="Volume"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA} => ""="Human Interface Devices"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\09755636.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\58253894.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\AFD => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\AppMgmt => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Base => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Boot Bus Extender => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Boot file system => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Browser => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\CryptSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\DcomLaunch => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Dhcp => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\dmadmin => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\dmboot.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\dmio.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\dmload.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\dmserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\DnsCache => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\EventLog => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\File system => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Filter => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\HelpSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\ip6fw.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\ipnat.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\LanmanServer => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\LanmanWorkstation => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\LmHosts => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Messenger => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\MsMpSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\NDIS => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\NDIS Wrapper => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Ndisuio => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\NetBIOS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\NetBIOSGroup => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\NetBT => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\NetDDEGroup => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Netlogon => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\NetMan => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Network => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\NetworkProvider => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\NtLmSsp => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\PCI Configuration => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\PlugPlay => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\PNP Filter => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\PNP_TDI => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Primary disk => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\rdpcdd.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\rdpdd.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\rdpwd.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\rdsessmgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\RpcSs => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\SCSI Class => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\sermouse.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\SharedAccess => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\sr.sys => ""="FSFilter System Recovery"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\SRService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Streams Drivers => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\System Bus Extender => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Tcpip => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\TDI => ""="Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\tdpipe.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\tdtcp.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\termservice => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\vga.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\vgasave.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\WinMgmt => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\WZCSVC => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{36FC9E60-C465-11CF-8056-444553540000} => ""="Universal Serial Bus controllers"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E965-E325-11CE-BFC1-08002BE10318} => ""="CD-ROM Drive"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E967-E325-11CE-BFC1-08002BE10318} => ""="DiskDrive"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E969-E325-11CE-BFC1-08002BE10318} => ""="Standard floppy disk controller"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E96A-E325-11CE-BFC1-08002BE10318} => ""="Hdc"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E96B-E325-11CE-BFC1-08002BE10318} => ""="Keyboard"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E96F-E325-11CE-BFC1-08002BE10318} => ""="Mouse"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E972-E325-11CE-BFC1-08002BE10318} => ""="Net"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E973-E325-11CE-BFC1-08002BE10318} => ""="NetClient"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E974-E325-11CE-BFC1-08002BE10318} => ""="NetService"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E975-E325-11CE-BFC1-08002BE10318} => ""="NetTrans"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E977-E325-11CE-BFC1-08002BE10318} => ""="PCMCIA Adapters"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E97B-E325-11CE-BFC1-08002BE10318} => ""="SCSIAdapter"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E97D-E325-11CE-BFC1-08002BE10318} => ""="System"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{4D36E980-E325-11CE-BFC1-08002BE10318} => ""="Floppy disk drive"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{71A27CDD-812A-11D0-BEC7-08002BE2092F} => ""="Volume"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA} => ""="Human Interface Devices"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\09755636.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\58253894.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== EXE Association (whitelisted) =============

==================== MSCONFIG/TASK MANAGER disabled items =========

MSCONFIG\startupreg: Dell QuickSet => C:\Program Files\Dell\QuickSet\quickset.exe
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: MSC => "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files\QuickTime\qttask.exe" -atboottime
MSCONFIG\startupreg: SpybotSD TeaTimer => C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
MSCONFIG\startupreg: SUPERAntiSpyware => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (07/24/2014 06:34:03 PM) (Source: Broadcom ASF IP and SMBIOS Mailbox Monitor) (EventID: 0) (User: )
Description: !ERROR 53 Refreshing BMAPI data

Error: (07/23/2014 00:41:38 PM) (Source: COM+) (EventID: 4691) (User: )
Description: The run-time environment was unable to initialize for transactions required to support transactional components. Make sure that MS-DTC is running. (DtcGetTransactionManagerEx(): hr = 0x8004d01b)

Error: (07/23/2014 00:40:44 PM) (Source: MPSampleSubmission) (EventID: 5000) (User: )
Description: EventType mptelemetry, P1 80070490, P2 remediation, P3 remediationfailuretelemetry, P4 1.1.10802.0, P5 mpengine, P6 0, P7 unspecified, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (07/23/2014 00:27:39 PM) (Source: Broadcom ASF IP and SMBIOS Mailbox Monitor) (EventID: 0) (User: )
Description: !ERROR 53 Refreshing BMAPI data

Error: (07/23/2014 00:27:30 PM) (Source: MPSampleSubmission) (EventID: 5000) (User: )
Description: EventType mptelemetry, P1 80070490, P2 remediation, P3 remediationfailuretelemetry, P4 1.1.10802.0, P5 mpengine, P6 0, P7 unspecified, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (07/23/2014 00:27:29 PM) (Source: COM+) (EventID: 4689) (User: )
Description: The run-time environment has detected an inconsistency in its internal state. This indicates a potential instability in the process that could be caused by the custom components running in the COM+ application, the components they make use of, or other factors. Error in f:\xpsp3\com\com1x\src\comsvcs\package\cpackage.cpp(1184), hr = 8007041d: InitEventCollector failed

Error: (07/23/2014 07:50:07 AM) (Source: Broadcom ASF IP and SMBIOS Mailbox Monitor) (EventID: 0) (User: )
Description: !ERROR 53 Refreshing BMAPI data

Error: (07/22/2014 11:23:25 PM) (Source: MPSampleSubmission) (EventID: 5000) (User: )
Description: EventType mptelemetry, P1 80070490, P2 remediation, P3 remediationfailuretelemetry, P4 1.1.10802.0, P5 mpengine, P6 0, P7 unspecified, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (07/22/2014 09:39:01 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application mbam.exe, version 1.0.0.532, faulting module hccutils.dll, version 6.14.10.4859, fault address 0x0000bb49.
Processing media-specific event for [mbam.exe!ws!]

Error: (07/22/2014 05:15:02 PM) (Source: COM+) (EventID: 4689) (User: )
Description: The run-time environment has detected an inconsistency in its internal state. This indicates a potential instability in the process that could be caused by the custom components running in the COM+ application, the components they make use of, or other factors. Error in f:\xpsp3\com\com1x\src\comsvcs\package\cpackage.cpp(1184), hr = 8007041d: InitEventCollector failed

System errors:
=============
Error: (07/24/2014 06:44:48 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 New Signature Version:

 Previous Signature Version: 1.179.747.0

 Update Source: %NT AUTHORITY59

 Update Stage: 4.5.0216.00

 Source Path: 4.5.0216.01

 Signature Type: %NT AUTHORITY602

 Update Type: %NT AUTHORITY604

 User: NT AUTHORITY\SYSTEM

 Current Engine Version: %NT AUTHORITY605

 Previous Engine Version: %NT AUTHORITY606

 Error code: %NT AUTHORITY607

 Error description: %NT AUTHORITY608

Error: (07/24/2014 06:44:17 PM) (Source: Microsoft Antimalware) (EventID: 2041) (User: )
Description: The support for your operating system has expired. Running %%860 on an out of support operating system is not an adequate solution to protect against threats.

Error: (07/24/2014 06:42:17 PM) (Source: Microsoft Antimalware) (EventID: 2041) (User: )
Description: The support for your operating system has expired. Running %%860 on an out of support operating system is not an adequate solution to protect against threats.

Error: (07/24/2014 06:32:22 PM) (Source: Microsoft Antimalware) (EventID: 2041) (User: )
Description: The support for your operating system has expired. Running %%860 on an out of support operating system is not an adequate solution to protect against threats.

Error: (07/23/2014 04:12:28 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (07/23/2014 03:12:07 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (07/23/2014 02:12:30 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (07/23/2014 01:12:14 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (07/23/2014 00:51:36 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 New Signature Version:

 Previous Signature Version: 1.179.747.0

 Update Source: %NT AUTHORITY59

 Update Stage: 4.5.0216.00

 Source Path: 4.5.0216.01

 Signature Type: %NT AUTHORITY602

 Update Type: %NT AUTHORITY604

 User: NT AUTHORITY\SYSTEM

 Current Engine Version: %NT AUTHORITY605

 Previous Engine Version: %NT AUTHORITY606

 Error code: %NT AUTHORITY607

 Error description: %NT AUTHORITY608

Error: (07/23/2014 00:51:22 PM) (Source: Microsoft Antimalware) (EventID: 2041) (User: )
Description: The support for your operating system has expired. Running %%860 on an out of support operating system is not an adequate solution to protect against threats.

Microsoft Office Sessions:
=========================
Error: (07/24/2014 06:34:03 PM) (Source: Broadcom ASF IP and SMBIOS Mailbox Monitor) (EventID: 0) (User: )
Description: !ERROR 53 Refreshing BMAPI data

Error: (07/23/2014 00:41:38 PM) (Source: COM+) (EventID: 4691) (User: )
Description: (DtcGetTransactionManagerEx(): hr = 0x8004d01b)

Error: (07/23/2014 00:40:44 PM) (Source: MPSampleSubmission) (EventID: 5000) (User: )
Description: mptelemetry80070490remediationremediationfailuretelemetry1.1.10802.0mpengine0unspecifiedNILNILNIL

Error: (07/23/2014 00:27:39 PM) (Source: Broadcom ASF IP and SMBIOS Mailbox Monitor) (EventID: 0) (User: )
Description: !ERROR 53 Refreshing BMAPI data

Error: (07/23/2014 00:27:30 PM) (Source: MPSampleSubmission) (EventID: 5000) (User: )
Description: mptelemetry80070490remediationremediationfailuretelemetry1.1.10802.0mpengine0unspecifiedNILNILNIL

Error: (07/23/2014 00:27:29 PM) (Source: COM+) (EventID: 4689) (User: )
Description: Error in f:\xpsp3\com\com1x\src\comsvcs\package\cpackage.cpp(1184), hr = 8007041d: InitEventCollector failed

Error: (07/23/2014 07:50:07 AM) (Source: Broadcom ASF IP and SMBIOS Mailbox Monitor) (EventID: 0) (User: )
Description: !ERROR 53 Refreshing BMAPI data

Error: (07/22/2014 11:23:25 PM) (Source: MPSampleSubmission) (EventID: 5000) (User: )
Description: mptelemetry80070490remediationremediationfailuretelemetry1.1.10802.0mpengine0unspecifiedNILNILNIL

Error: (07/22/2014 09:39:01 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: mbam.exe1.0.0.532hccutils.dll6.14.10.48590000bb49

Error: (07/22/2014 05:15:02 PM) (Source: COM+) (EventID: 4689) (User: )
Description: Error in f:\xpsp3\com\com1x\src\comsvcs\package\cpackage.cpp(1184), hr = 8007041d: InitEventCollector failed

==================== Memory info ===========================

Percentage of memory in use: 46%
Total physical RAM: 2038.29 MB
Available physical RAM: 1083.32 MB
Total Pagefile: 3930.92 MB
Available Pagefile: 3424.18 MB
Total Virtual: 2047.88 MB
Available Virtual: 1926.29 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:111.73 GB) (Free:20.49 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive e: () (Removable) (Total:3.8 GB) (Free:3.78 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 112 GB) (Disk ID: 41AB2316)
Partition 1: (Not Active) - (Size=63 MB) - (Type=DE)
Partition 2: (Active) - (Size=112 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 4 GB) (Disk ID: A1823656)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)

==================== End Of Log ============================

 

FRST SearchFile.txt:

 

Farbar Recovery Scan Tool (x86) Version:23-07-2014 01
Ran by coit at 2014-07-25 19:48:51
Running from C:\Documents and Settings\coit\My Documents\My Downloads\FRST
Boot Mode: Normal

================== Search: "rpcss.dll" ===================

C:\WINDOWS\system32\rpcss.dll
[2014-07-21 14:09][2009-02-09 08:10] 0401408 ____N (Microsoft Corporation) 6b27a5c03dfb94b4245739065431322c      [File is signed]

C:\WINDOWS\system32\dllcache\rpcss.dll
[2009-04-27 18:09][2009-02-09 08:10] 0401408 ____N (Microsoft Corporation) 6b27a5c03dfb94b4245739065431322c      [File is signed]

C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\rpcss.dll
[2014-07-21 21:14][2009-02-09 06:56] 0401408 ____A (Microsoft Corporation) 9222562d44021b988b9f9f62207fb6f2      [File is signed]

C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\rpcss.dll
[2014-07-21 21:14][2009-02-09 08:10] 0401408 ____A (Microsoft Corporation) 6b27a5c03dfb94b4245739065431322c      [File is signed]

C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\rpcss.dll
[2014-07-21 21:14][2009-02-09 06:01] 0401408 ____A (Microsoft Corporation) 24b5d53b9accc1e2edcf0a878d6659d4      [File is signed]

C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\rpcss.dll
[2014-07-21 21:14][2009-02-09 06:20] 0399360 ____A (Microsoft Corporation) 01095febf33beea00c2a0730b9b3ec28      [File is signed]

C:\WINDOWS\ServicePackFiles\i386\rpcss.dll
[2008-06-04 18:25][2008-04-13 20:12] 0399360 ____N (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509      [File is signed]

C:\WINDOWS\ERDNT\cache\rpcss.dll
[2011-08-21 13:08][2009-02-09 08:10] 0401408 ____A (Microsoft Corporation) 6b27a5c03dfb94b4245739065431322c      [File is signed]

C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll
[2009-04-30 10:11][2008-04-13 20:12] 0399360 ____C (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509      [File is signed]

C:\WINDOWS\$NtUninstallKB902400$\rpcss.dll
[2008-06-04 01:09][2005-04-28 15:31] 0395776 ____C (Microsoft Corporation) c8061f289e000703e7672916b7fe1571    

C:\WINDOWS\$NtUninstallKB894391$\rpcss.dll
[2008-06-04 01:07][2004-08-04 06:00] 0395776 ____C (Microsoft Corporation) 5c83a4408604f737717ab96371201680      [File is signed]

C:\WINDOWS\$NtServicePackUninstall$\rpcss.dll
[2008-06-04 20:31][2005-07-26 00:39] 0397824 ____C (Microsoft Corporation) ce94a2bd25e3e9f4d46a7373ff455c6d    

C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[2009-04-27 18:09][2009-02-09 06:56] 0401408 ____A (Microsoft Corporation) 9222562d44021b988b9f9f62207fb6f2      [File is signed]

C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\rpcss.dll
[2005-07-26 00:20][2005-07-26 00:20] 0398336 ____A (Microsoft Corporation) c369df215d352b6f3a0b8c3469aa34f8    

C:\WINDOWS\$hf_mig$\KB894391\SP2QFE\rpcss.dll
[2005-04-28 15:35][2005-04-28 15:35] 0396288 ____A (Microsoft Corporation) da383fb39a6f1c445f3afc94b3eb1248    

C:\pebuilder3110a\BartPE\I386\SYSTEM32\RPCSS.DLL
[2009-12-12 17:08][2002-08-29 08:00] 0260608 ____A (Microsoft Corporation) 493fcbed180dcacf0b5d4c8c29949ca9    

C:\i386\rpcss.dll
[2008-06-04 21:15][2008-04-13 20:12] 0399360 ____A (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509      [File is signed]

=== End Of Search ===

 

FRST SearchReg.txt:

 

Farbar Recovery Scan Tool (x86) Version:23-07-2014 01
Ran by coit at 2014-07-25 19:55:23
Running from C:\Documents and Settings\coit\My Documents\My Downloads\FRST
Boot Mode: Normal

================== Search Registry: "rpcss.dll" ===========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB956572\Filelist\20]
"FileName"="rpcss.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB956572\Filelist\33]
"FileName"="rpcss.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB956572\Filelist\7]
"FileName"="rpcss.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DcomLaunch\Parameters]
"ServiceDll"="%SystemRoot%\system32\rpcss.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcSs\Parameters]
"ServiceDll"="%SystemRoot%\System32\rpcss.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DcomLaunch\Parameters]
"ServiceDll"="%SystemRoot%\system32\rpcss.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RpcSs\Parameters]
"ServiceDll"="%SystemRoot%\System32\rpcss.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DcomLaunch\Parameters]
"ServiceDll"="%SystemRoot%\system32\rpcss.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Parameters]
"ServiceDll"="%SystemRoot%\System32\rpcss.dll"

====== End Of Search ======

 



#6 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • OFFLINE
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:02:28 AM

Posted 26 July 2014 - 04:05 AM

my reply

Hi testoc

Step 1

  • Close all the running processes
  • Double click the RogueKiller icon to run the program again.
    Vista/Win7 users should right click the icon and select Run as Administrator.
  • Wait for the Prescan to finish.
  • Now click the Scan button.
  • Make sure only the following are checked:-

[Suspicious.Path] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | octolie : rundll32 "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\octolie.dll",octolie -> FOUND
[Suspicious.Path] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | octolie : rundll32 "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\octolie.dll",octolie -> FOUND

  • Now click the Delete button.
  • Please copy and paste the report in your next reply.

A copy of the RKreport.txt can be found on your desktop.

Step 2

Open notepad. Please copy the contents of the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it on the Desktop as fixlist.txt



start
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\avg8 <====== ATTENTION
Winlogon\Notify\gemsafe: C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll (Gemplus)
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\ <*>] <===== ATTENTION
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKCU - {80c554b9-c7f8-4a21-9471-06d606da78a2} URL =
SearchScopes: HKCU - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL =
BHO: No Name -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} ->  No File
BHO: No Name -> {A3BC75A2-1F87-4686-AA43-5347D756017C} ->  No File
BHO: No Name -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} ->  No File
Toolbar: HKCU - No Name - {A057A204-BACC-4D26-9990-79A187E2698E} -  No File
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
S4 McComponentHostService; "C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe" [X]
S4 Roxio UPnP Renderer 11; "C:\Program Files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe" [X]
S4 SupportSoft RemoteAssist; C:\Program Files\Common Files\supportsoft\bin\ssrc.exe [X]
S3 catchme; \??\C:\DOCUME~1\lisa\LOCALS~1\Temp\catchme.sys [X]
S1 fpuzdics; \??\C:\WINDOWS\system32\drivers\fpuzdics.sys [X]
S1 fzdycofm; \??\C:\WINDOWS\system32\drivers\fzdycofm.sys [X]
S1 mlvkmjri; \??\C:\WINDOWS\system32\drivers\mlvkmjri.sys [X]
S1 ntirmuoi; \??\C:\WINDOWS\system32\drivers\ntirmuoi.sys [X]
C:\Program Files\McAfee Security Scan\
C:\Program Files\Common Files\supportsoft\
C:\WINDOWS\system32\drivers\fpuzdics.sys
C:\WINDOWS\system32\drivers\fzdycofm.sys
C:\WINDOWS\system32\drivers\mlvkmjri.sys
C:\WINDOWS\system32\drivers\ntirmuoi.sys
C:\Documents and Settings\lisa\Application Data\Itziyvcy
C:\Documents and Settings\All Users\Application Data\UnobOtax
C:\Documents and Settings\coit\Local Settings\Application Data\WavXMapDrive.bat
C:\Documents and Settings\coit\jagex_runescape_preferences.dat
C:\Documents and Settings\coit\jagex_runescape_preferences2.dat
C:\Documents and Settings\coit\jagex__preferences3.dat
C:\Documents and Settings\coit jr\jagex_runescape_preferences.dat
C:\Documents and Settings\coit jr\jagex_runescape_preferences2.dat
C:\Documents and Settings\coit jr\jagex__preferences3.dat
C:\Documents and Settings\lisa\jagex_runescape_preferences.dat
C:\Documents and Settings\lisa\jagex_runescape_preferences2.dat
C:\Documents and Settings\lisa\jagex__preferences3.dat
C:\Documents and Settings\coit\Local Settings\temp\{A8D873C0-D398-4289-AC57-89992EA5CBBF}.exe
CustomCLSID: HKU\S-1-5-19_Classes\CLSID\{2AF96ED5-02DA-43EC-B585-5DC65B8D2581} -> Orphan?
CustomCLSID: HKU\S-1-5-19_Classes\CLSID\{61BD12C4-01DE-4BF3-8DB7-75CE4D131199} -> Orphan?
CustomCLSID: HKU\S-1-5-20_Classes\CLSID\{2AF96ED5-02DA-43EC-B585-5DC65B8D2581} -> Orphan?
CustomCLSID: HKU\S-1-5-20_Classes\CLSID\{61BD12C4-01DE-4BF3-8DB7-75CE4D131199} -> Orphan?
Folder: C:\MDT
end

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system.


Run FRST and press the Fix button just once and wait.
The tool will make a log on the desktop (Fixlog.txt); please post it in your reply.

Step 3

  • Please open Malwarebytes Anti-Malware
    MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Please update the database by clicking on the Update Now button as shown below.
    [screenshot: Capture1_zps47821576.jpg]
  • Following the update, click Settings > Detection and Protection and make sure Scan for Rootkits is checked.
    [screenshot: MBAM rootkit setting.jpg]
  • Click on Dashboard, then click on the large green Scan Now button to begin the Threat Scan.

    If Malware or Potentially Unwanted Programs are found you will receive a Prompt so that you can decide what you want to do. I suggest "Quarantine". Click the button: Apply All Actions.
  • A window with an option to view the detailed log will appear. Click on View Detailed Log.
    [screenshot: MBAMThreatScan_zpsc6c6daeb.jpg]
    • After viewing the results, please click on the Copy to Clipboard button > OK.
      [screenshot: MBAMScanLog_zps21b494ad.jpg]
    • Return to our forum. Paste your log into your next reply.
  • Note: If you lose the Clipboard copy and need to retrieve the log again, it can be found by opening Malwarebytes and clicking on History > Application Logs with the date of the scan. Simply double-click on that in order to see the options for Copying to Clipboard or to Export to a .txt file (Notepad), etc. The .txt file can be saved and posted when you are ready.

“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club


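A triage helper, added here as an example and not part of seedy21's instructions or of RogueKiller or FRST themselves, that parses the two RogueKiller Run-key lines from Step 1 and three service lines from the Step 2 fixlist and spells out what makes each entry suspicious (the "ExampleUpdater" Run entry is a constructed benign control, and the severity rules are this example's own):

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed input: the two RogueKiller lines from Step 1 and three service
# lines from the Step 2 fixlist (all quoted from the thread above), plus one
# benign, made-up Run entry ("ExampleUpdater") for contrast.
SAMPLE_LINES = r"""
[Suspicious.Path] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | octolie : rundll32 "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\octolie.dll",octolie -> FOUND
[Suspicious.Path] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | octolie : rundll32 "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\octolie.dll",octolie -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | ExampleUpdater : "C:\Program Files\Example\updater.exe" /background -> FOUND
S1 fpuzdics; \??\C:\WINDOWS\system32\drivers\fpuzdics.sys [X]
S3 catchme; \??\C:\DOCUME~1\lisa\LOCALS~1\Temp\catchme.sys [X]
S4 McComponentHostService; "C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe" [X]
""".strip().splitlines()

# RogueKiller "Registry Entries" line: [Category] key | valuename : command -> status
RK_RE = re.compile(r"^\[(?P<cat>[^\]]+)\]\s+(?P<key>.+?)\s+\|\s+(?P<name>.+?)\s+:\s+(?P<cmd>.+?)\s+->\s+(?P<status>.+)$")
# FRST service/driver line as it appears in a fixlist: S<start> name; image [X]
FRST_RE = re.compile(r"^(?P<start>[SRU]\d)\s+(?P<name>[^;]+);\s+(?P<image>.+?)(?:\s+\[X\])?$")

# HKU\S-1-5-18 is the LocalSystem account's hive; HKU\.DEFAULT is the same hive,
# which is why RogueKiller reports the single Run value twice.
SYSTEM_HIVES = ("hkey_users\\.default\\", "hkey_users\\s-1-5-18\\")
# Directories a limited user (or a malware dropper) can write to; not where
# system-wide autostart binaries normally live.
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\documents and settings\\",
                "\\docume~1\\", "\\temp\\", "\\systemprofile\\")


@dataclass
class Finding:
    kind: str                      # "run" (Run-key value) or "driver" (service entry)
    name: str
    severity: str                  # "high", "medium", "low" or "none"
    reasons: List[str] = field(default_factory=list)


def _severity(reasons: List[str]) -> str:
    """Example's own scoring: two strong indicators together rank high, one ranks medium."""
    r = set(reasons)
    if {"system_hive", "profile_dir_image"} <= r or {"orphaned", "generated_name"} <= r:
        return "high"
    if r & {"system_hive", "profile_dir_image", "orphaned"}:
        return "medium"
    return "low" if r else "none"


def triage_run_entry(m) -> Finding:
    key, name, cmd = m["key"], m["name"], m["cmd"]
    if cmd.endswith("[x]"):        # RogueKiller marks items selected for removal this way
        cmd = cmd[:-3].rstrip()
    low = cmd.lower()
    reasons = []
    if key.lower().startswith(SYSTEM_HIVES):
        reasons.append("system_hive")        # autostart in the SYSTEM account's profile, not a user's
    if any(d in low for d in PROFILE_DIRS):
        reasons.append("profile_dir_image")  # payload stored in a user-writable profile directory
    if low.lstrip('"').startswith("rundll32"):
        reasons.append("rundll32_loader")    # signed Windows host process; the real payload is the DLL
    # value name == DLL base name == export name is typical of generated loaders
    dll = re.search(r'"?([^"]+?\.dll)"?\s*,\s*(\S+)', cmd, re.IGNORECASE)
    if dll:
        stem = dll.group(1).rsplit("\\", 1)[-1][:-4]
        if name.lower() == stem.lower() == dll.group(2).lower():
            reasons.append("self_named")
    return Finding("run", name, _severity(reasons), reasons)


def triage_driver(m, line: str) -> Finding:
    name, image = m["name"], m["image"]
    reasons = []
    if line.rstrip().endswith("[X]"):
        reasons.append("orphaned")           # FRST: image file is gone, only the service key remains
    if any(d in image.lower() for d in PROFILE_DIRS):
        reasons.append("profile_dir_image")
    if m["start"] == "S1" and re.fullmatch(r"[a-z]{8}", name):
        reasons.append("generated_name")     # system-start driver with an 8-letter made-up name
    return Finding("driver", name, _severity(reasons), reasons)


def triage(lines) -> List[Finding]:
    findings = []
    for line in lines:
        line = line.strip()
        m = RK_RE.match(line)
        if m:
            findings.append(triage_run_entry(m))
            continue
        m = FRST_RE.match(line)
        if m:
            findings.append(triage_driver(m, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.severity:6} {f.kind:6} {f.name}: {', '.join(f.reasons) or 'nothing unusual'}")
```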

#7 testoc

testoc
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:09:28 PM

Posted 26 July 2014 - 10:33 AM

Hello Seedy21

 

Step 1 RogueKiller:

 

RogueKiller V9.2.3.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : coit [Admin rights]
Mode : Remove -- Date : 07/26/2014  08:33:32

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 9 ¤¤¤
[Suspicious.Path] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | octolie : rundll32 "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\octolie.dll",octolie [x] -> DELETED
[Suspicious.Path] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | octolie : rundll32 "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\octolie.dll",octolie  -> ERROR [2]
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme -> NOT SELECTED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme -> NOT SELECTED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme -> NOT SELECTED
[PUM.Policies] HKEY_USERS\S-1-5-21-2382356700-4236744799-1302342617-1005\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> NOT SELECTED
[PUM.Policies] HKEY_USERS\S-1-5-21-2382356700-4236744799-1302342617-1005\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> NOT SELECTED
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> NOT SELECTED
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> NOT SELECTED

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 1 (Driver: LOADED) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\00000087 : \Driver\Imapi @ Unknown (\SystemRoot\system32\DRIVERS\serial.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9120823ASG +++++
--- User ---
[MBR] 93125df63deb4605f13a6559037d0a4c
[BSP] 11d467b9f31927f29d49c85858b51038 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 128520 | Size: 114408 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic Flash Disk USB Device +++++
--- User ---
[MBR] ef60cf702d63cfe9afd146bb10c2d6d2
[BSP] adaed49079477dc31abab74dd42cb0ce : Unknown MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0xb) [VISIBLE] Offset (sectors): 736 | Size: 3899 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

============================================
RKreport_SCN_07232014_125729.log - RKreport_SCN_07232014_125854.log - RKreport_SCN_07242014_190039.log - RKreport_SCN_07262014_082927.log

 

Step 2 - FRST fix:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:23-07-2014 01
Ran by coit at 2014-07-26 08:38:42 Run:1
Running from C:\Documents and Settings\coit\My Documents\My Downloads\FRST
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\avg8 <====== ATTENTION
Winlogon\Notify\gemsafe: C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll (Gemplus)
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\ <*>] <===== ATTENTION
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKCU - {80c554b9-c7f8-4a21-9471-06d606da78a2} URL =
SearchScopes: HKCU - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL =
BHO: No Name -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} ->  No File
BHO: No Name -> {A3BC75A2-1F87-4686-AA43-5347D756017C} ->  No File
BHO: No Name -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} ->  No File
Toolbar: HKCU - No Name - {A057A204-BACC-4D26-9990-79A187E2698E} -  No File
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
S4 McComponentHostService; "C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe" [X]
S4 Roxio UPnP Renderer 11; "C:\Program Files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe" [X]
S4 SupportSoft RemoteAssist; C:\Program Files\Common Files\supportsoft\bin\ssrc.exe [X]
S3 catchme; \??\C:\DOCUME~1\lisa\LOCALS~1\Temp\catchme.sys [X]
S1 fpuzdics; \??\C:\WINDOWS\system32\drivers\fpuzdics.sys [X]
S1 fzdycofm; \??\C:\WINDOWS\system32\drivers\fzdycofm.sys [X]
S1 mlvkmjri; \??\C:\WINDOWS\system32\drivers\mlvkmjri.sys [X]
S1 ntirmuoi; \??\C:\WINDOWS\system32\drivers\ntirmuoi.sys [X]
C:\Program Files\McAfee Security Scan\
C:\Program Files\Common Files\supportsoft\
C:\WINDOWS\system32\drivers\fpuzdics.sys
C:\WINDOWS\system32\drivers\fzdycofm.sys
C:\WINDOWS\system32\drivers\mlvkmjri.sys
C:\WINDOWS\system32\drivers\ntirmuoi.sys
C:\Documents and Settings\lisa\Application Data\Itziyvcy
C:\Documents and Settings\All Users\Application Data\UnobOtax
C:\Documents and Settings\coit\Local Settings\Application Data\WavXMapDrive.bat
C:\Documents and Settings\coit\jagex_runescape_preferences.dat
C:\Documents and Settings\coit\jagex_runescape_preferences2.dat
C:\Documents and Settings\coit\jagex__preferences3.dat
C:\Documents and Settings\coit jr\jagex_runescape_preferences.dat
C:\Documents and Settings\coit jr\jagex_runescape_preferences2.dat
C:\Documents and Settings\coit jr\jagex__preferences3.dat
C:\Documents and Settings\lisa\jagex_runescape_preferences.dat
C:\Documents and Settings\lisa\jagex_runescape_preferences2.dat
C:\Documents and Settings\lisa\jagex__preferences3.dat
C:\Documents and Settings\coit\Local Settings\temp\{A8D873C0-D398-4289-AC57-89992EA5CBBF}.exe
CustomCLSID: HKU\S-1-5-19_Classes\CLSID\{2AF96ED5-02DA-43EC-B585-5DC65B8D2581} -> Orphan?
CustomCLSID: HKU\S-1-5-19_Classes\CLSID\{61BD12C4-01DE-4BF3-8DB7-75CE4D131199} -> Orphan?
CustomCLSID: HKU\S-1-5-20_Classes\CLSID\{2AF96ED5-02DA-43EC-B585-5DC65B8D2581} -> Orphan?
CustomCLSID: HKU\S-1-5-20_Classes\CLSID\{61BD12C4-01DE-4BF3-8DB7-75CE4D131199} -> Orphan?
Folder: C:\MDT
end
*****************

HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gemsafe" => Key deleted successfully.
48004B004C004D005C0053006F006600740077006100720065005C0043006C00610073007300650073005C0043004C005300490044005C007B00370033004500370030003900450041002D0035004400390033002D0034004200320045002D0042004200420030002D003900390042003700390033003800440041003900450034007D005C004C006F00630061006C0053006500720076006500720033003200 => Failed to open main key.
[HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\ <*>] => No subkey with invalid name found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
"HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key not found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key deleted successfully.
"HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key not found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{80c554b9-c7f8-4a21-9471-06d606da78a2}" => Key deleted successfully.
"HKCR\CLSID\{80c554b9-c7f8-4a21-9471-06d606da78a2}" => Key not found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" => Key deleted successfully.
"HKCR\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}" => Key deleted successfully.
"HKCR\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}" => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}" => Key deleted successfully.
"HKCR\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}" => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}" => Key deleted successfully.
"HKCR\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} => value deleted successfully.
"HKCR\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}" => Key not found.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}" => Key deleted successfully.
"HKCR\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}" => Key not found.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}" => Key deleted successfully.
"HKCR\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}" => Key not found.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}" => Key deleted successfully.
"HKCR\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}" => Key not found.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}" => Key deleted successfully.
"HKCR\CLSID\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}" => Key not found.
McComponentHostService => Service deleted successfully.
Roxio UPnP Renderer 11 => Service deleted successfully.
SupportSoft RemoteAssist => Service deleted successfully.
catchme => Service deleted successfully.
fpuzdics => Service deleted successfully.
fzdycofm => Service deleted successfully.
mlvkmjri => Service deleted successfully.
ntirmuoi => Service deleted successfully.
"C:\Program Files\McAfee Security Scan" => File/Directory not found.
"C:\Program Files\Common Files\supportsoft" => File/Directory not found.
"C:\WINDOWS\system32\drivers\fpuzdics.sys" => File/Directory not found.
"C:\WINDOWS\system32\drivers\fzdycofm.sys" => File/Directory not found.
"C:\WINDOWS\system32\drivers\mlvkmjri.sys" => File/Directory not found.
"C:\WINDOWS\system32\drivers\ntirmuoi.sys" => File/Directory not found.
C:\Documents and Settings\lisa\Application Data\Itziyvcy => Moved successfully.
C:\Documents and Settings\All Users\Application Data\UnobOtax => Moved successfully.
Could not move "C:\Documents and Settings\coit\Local Settings\Application Data\WavXMapDrive.bat" => Scheduled to move on reboot.
C:\Documents and Settings\coit\jagex_runescape_preferences.dat => Moved successfully.
C:\Documents and Settings\coit\jagex_runescape_preferences2.dat => Moved successfully.
C:\Documents and Settings\coit\jagex__preferences3.dat => Moved successfully.
C:\Documents and Settings\coit jr\jagex_runescape_preferences.dat => Moved successfully.
C:\Documents and Settings\coit jr\jagex_runescape_preferences2.dat => Moved successfully.
C:\Documents and Settings\coit jr\jagex__preferences3.dat => Moved successfully.
C:\Documents and Settings\lisa\jagex_runescape_preferences.dat => Moved successfully.
C:\Documents and Settings\lisa\jagex_runescape_preferences2.dat => Moved successfully.
C:\Documents and Settings\lisa\jagex__preferences3.dat => Moved successfully.
C:\Documents and Settings\coit\Local Settings\temp\{A8D873C0-D398-4289-AC57-89992EA5CBBF}.exe => Moved successfully.
"HKU\S-1-5-19_Classes\CLSID\{2AF96ED5-02DA-43EC-B585-5DC65B8D2581}" => Key deleted successfully.
"HKU\S-1-5-19_Classes\CLSID\{61BD12C4-01DE-4BF3-8DB7-75CE4D131199}" => Key deleted successfully.
"HKU\S-1-5-20_Classes\CLSID\{2AF96ED5-02DA-43EC-B585-5DC65B8D2581}" => Key deleted successfully.
"HKU\S-1-5-20_Classes\CLSID\{61BD12C4-01DE-4BF3-8DB7-75CE4D131199}" => Key deleted successfully.

========================= Folder: C:\MDT ========================

2008-12-28 18:00 - 2009-12-07 14:15 - 0000994 _____ () C:\MDT\MSetting.ini
2008-12-29 11:38 - 2014-07-26 08:17 - 0000091 _____ () C:\MDT\path.ini
2008-12-28 18:00 - 2009-12-07 14:15 - 0006637 _____ () C:\MDT\Setting.ini

====== End of Folder: ======

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-07-26 08:46:05)<=

C:\Documents and Settings\coit\Local Settings\Application Data\WavXMapDrive.bat => Is moved successfully.

==== End of Fixlog ====

 

Step 3 - MBAM:

 

<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header>
<date>2014/07/26 08:53:19 -0400</date>
<logfile>mbam-log-2014-07-26 (08-53-16).xml</logfile>
<isadmin>yes</isadmin>
</header>
<engine>
<version>2.00.2.1012</version>
<malware-database>v2014.07.26.05</malware-database>
<rootkit-database>v2014.07.17.01</rootkit-database>
<license>free</license>
<file-protection>disabled</file-protection>
<web-protection>disabled</web-protection>
<self-protection>disabled</self-protection>
</engine>
<system>
<osversion>Windows XP Service Pack 3</osversion>
<arch>x86</arch>
<username>coit</username>
<filesys>NTFS</filesys>
</system>
<summary>
<type>threat</type>
<result>completed</result>
<objects>416067</objects>
<time>6083</time>
<processes>0</processes>
<modules>0</modules>
<keys>2</keys>
<values>0</values>
<datas>0</datas>
<folders>0</folders>
<files>0</files>
<sectors>0</sectors>
</summary>
<options>
<memory>enabled</memory>
<startup>enabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>enabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
<pup>enabled</pup>
<pum>enabled</pum>
</options>
<items>
<key><path>HKLM\SOFTWARE\CLASSES\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LOCALSERVER32\</path><vendor>Trojan.0Access</vendor><action>success</action><hash>c9d8a6fa77042e0811ab8e3d9171936d</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}</path><vendor>Trojan.0Access</vendor><action>delete-on-reboot</action><hash>c9d8a6fa77042e0811ab8e3d9171936d</hash></key>
</items>
</mbam-log>

 

I rebooted after the MBAM request to do so to complete its actions.

 

 

 



#8 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • OFFLINE
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:02:28 AM

Posted 26 July 2014 - 11:59 AM


Hi Testoc

Step 1

Open notepad. Please copy the contents of the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it on the Desktop as fixlist.txt
 

start
Reg: reg delete "HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}" /f
REBOOT:
end

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the desktop (Fixlog.txt) please post it to your reply.


Step 2

  • Please open Malwarebytes Anti-Malware
    MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Please update the database by clicking on the Update Now button as shown below.
    Capture1_zps47821576.jpg
  • Following the update, Click Settings > Detection and Protection and make sure Scan for Rootkits is checked.
    MBAM%20rootkit%20setting.jpg
  • Click on Dashboard, then click on the large green Scan Now button to begin the Threat Scan.

    If Malware or Potentially Unwanted Programs are found you will receive a Prompt so that you can decide what you want to do. I suggest "Quarantine". Click the button: Apply All Actions.
  • A window with an option to view the detailed log will appear. Click on View Detailed Log.
    MBAMThreatScan_zpsc6c6daeb.jpg
    • After viewing the results, please click on the Copy to Clipboard button > OK.
      MBAMScanLog_zps21b494ad.jpg
    • Return to our forum. Paste your log into your next reply.
  • Note: If you lose the Clipboard copy and need to retrieve the log again it can be found by opening Malwarebytes and clicking on History > Application Logs with the date of the scan. Simply double-click on that in order to see the options for Copying to Clipboard or Exporting to a .txt file (Notepad), etc. The .txt file can be saved and posted when you are ready.

“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club

unite_blue.png


#9 testoc

testoc
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:09:28 PM

Posted 26 July 2014 - 03:57 PM

Hi Seedy21

 

I do not have FRST64 installed - I have a 32-bit OS. That is what I used. Do I need to install something else?

 

Step 1 - FRST fix #2:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:23-07-2014 01
Ran by coit at 2014-07-26 13:13:42 Run:2
Running from C:\Documents and Settings\coit\My Documents\My Downloads\FRST
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
Reg: reg delete "HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}" /f
REBOOT:
end
*****************

========= reg delete "HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}" /f =========

Error:  The system was unable to find the specified registry key or value

========= End of Reg: =========

 

The system needed a reboot.

==== End of Fixlog ====

 

Step 2 - MBAM scan, quarantine and reboot:

 

<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header>
<date>2014/07/26 13:30:04 -0400</date>
<logfile>mbam-log-2014-07-26 (13-30-02).xml</logfile>
<isadmin>yes</isadmin>
</header>
<engine>
<version>2.00.2.1012</version>
<malware-database>v2014.07.26.05</malware-database>
<rootkit-database>v2014.07.17.01</rootkit-database>
<license>free</license>
<file-protection>disabled</file-protection>
<web-protection>disabled</web-protection>
<self-protection>disabled</self-protection>
</engine>
<system>
<osversion>Windows XP Service Pack 3</osversion>
<arch>x86</arch>
<username>coit</username>
<filesys>NTFS</filesys>
</system>
<summary>
<type>threat</type>
<result>completed</result>
<objects>415968</objects>
<time>5064</time>
<processes>0</processes>
<modules>0</modules>
<keys>2</keys>
<values>0</values>
<datas>0</datas>
<folders>0</folders>
<files>0</files>
<sectors>0</sectors>
</summary>
<options>
<memory>enabled</memory>
<startup>enabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>enabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
<pup>enabled</pup>
<pum>enabled</pum>
</options>
<items>
<key><path>HKLM\SOFTWARE\CLASSES\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LOCALSERVER32\</path><vendor>Trojan.0Access</vendor><action>success</action><hash>e9b81b855625bd796f4da427729049b7</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}</path><vendor>Trojan.0Access</vendor><action>delete-on-reboot</action><hash>e9b81b855625bd796f4da427729049b7</hash></key>
</items>
</mbam-log>

 



#10 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • OFFLINE
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:02:28 AM

Posted 28 July 2014 - 02:52 PM

Hi Testoc
 

I do not have FRST64 installed - I have a 32-bit OS. That is what I used. Do I need to install something else?


No, I forgot to remove the 64 from the script. You did it correctly.

Step 1


Open notepad. Please copy the contents of the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it on the Desktop as fixlist.txt
 

DeleteKey: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LOCALSERVER32\
REBOOT:

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Run FRST and press the Fix button just once and wait.
The tool will make a log on the desktop (Fixlog.txt) please post it to your reply.

Step 2

  • Please open Malwarebytes Anti-Malware
    MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Please update the database by clicking on the Update Now button as shown below.
    Capture1_zps47821576.jpg
  • click on the large green Scan Now button to begin the Threat Scan.

    If Malware or Potentially Unwanted Programs are found you will receive a Prompt so that you can decide what you want to do. I suggest "Quarantine". Click the button: Apply All Actions.
  • A window with an option to view the detailed log will appear. Click on View Detailed Log.
    MBAMThreatScan_zpsc6c6daeb.jpg
    • After viewing the results, please click on the Copy to Clipboard button > OK.
      MBAMScanLog_zps21b494ad.jpg
    • Return to our forum. Paste your log into your next reply.
  • Note: If you lose the Clipboard copy and need to retrieve the log again it can be found by opening Malwarebytes and clicking on History > Application Logs with the date of the scan. Simply double-click on that in order to see the options for Copying to Clipboard or Exporting to a .txt file (Notepad), etc. The .txt file can be saved and posted when you are ready.

“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club

unite_blue.png


#11 testoc

testoc
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:09:28 PM

Posted 28 July 2014 - 10:19 PM

Hi Seedy21,

 

Same results, it would appear.

 

Step 1 FRST fix #3 and reboot: 

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:23-07-2014 01
Ran by coit at 2014-07-28 21:11:52 Run:3
Running from C:\Documents and Settings\coit\My Documents\My Downloads\FRST
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
DeleteKey: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LOCALSERVER32\
REBOOT:
*****************

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} => Error deleting key. The key could be protected.
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LOCALSERVER32 => Error deleting key. The key could be protected.

The system needed a reboot.

==== End of Fixlog ====

 

Step 2 - MBAM scan, quarantine, reboot:

 

<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header>
<date>2014/07/28 21:30:43 -0400</date>
<logfile>mbam-log-2014-07-28 (21-30-43).xml</logfile>
<isadmin>yes</isadmin>
</header>
<engine>
<version>2.00.2.1012</version>
<malware-database>v2014.07.28.07</malware-database>
<rootkit-database>v2014.07.17.01</rootkit-database>
<license>free</license>
<file-protection>disabled</file-protection>
<web-protection>disabled</web-protection>
<self-protection>disabled</self-protection>
</engine>
<system>
<osversion>Windows XP Service Pack 3</osversion>
<arch>x86</arch>
<username>coit</username>
<filesys>NTFS</filesys>
</system>
<summary>
<type>threat</type>
<result>completed</result>
<objects>416972</objects>
<time>4954</time>
<processes>0</processes>
<modules>0</modules>
<keys>2</keys>
<values>0</values>
<datas>0</datas>
<folders>0</folders>
<files>0</files>
<sectors>0</sectors>
</summary>
<options>
<memory>enabled</memory>
<startup>enabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>enabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
<pup>enabled</pup>
<pum>enabled</pum>
</options>
<items>
<key><path>HKLM\SOFTWARE\CLASSES\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LOCALSERVER32\</path><vendor>Trojan.0Access</vendor><action>success</action><hash>6a37415f2556270f8f55ac2111f1ce32</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}</path><vendor>Trojan.0Access</vendor><action>delete-on-reboot</action><hash>6a37415f2556270f8f55ac2111f1ce32</hash></key>
</items>
</mbam-log>

 



#12 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • OFFLINE
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:02:28 AM

Posted 29 July 2014 - 03:13 PM

Hi testoc

Please delete your version of Combofix and download the latest Version from one of the following locations:

Please open Notepad (Through Start Menu -> Accessories -> Notepad) and copy/paste this code into notepad, exactly as it is: (DON'T include the 'Quote:')
 

KILLALL::

RegNull:
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}]

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]

JavaClearCache::

Reboot::


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

Make sure your Anti-Virus is disabled while we do this. You can disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, please read this.

CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When the scan finished, it will execute the script and reboot your computer automatically. Don't reboot your computer manually, let ComboFix do it.

Once your computer is rebooted, ComboFix will start preparing a log. Please let it do so unhindered. After a few minutes, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club

unite_blue.png


#13 testoc

testoc
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:09:28 PM

Posted 29 July 2014 - 11:13 PM

Hi Seedy21,

I didn't have very good luck this evening. I downloaded CF from the link you provided, created the CFScript and put them on the desktop. I dragged the script to the CF icon and CF ran through, rebooted and then at the login prompt, I logged in and got a Windows popup error for CF28114.3XE like the one attached. After the error, CF did not continue and did not create a log file.

 

I attempted a repeat of the same sequence and had the same results with a CF8189.3XE error the second time through (error attached).

 

 

Attached Files



#14 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • OFFLINE
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:02:28 AM

Posted 30 July 2014 - 12:49 AM

Hi testoc

 

Sorry about this, there looked to be an error with the script I gave you.
 

Please open Notepad (Through Start Menu -> Accessories -> Notepad) and copy/paste this code into notepad, exactly as it is: (DON'T include the 'Quote:')
 

KILLALL::

RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}]

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]

ClearJavaCache::

Reboot::


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

Make sure your Anti-Virus is disabled while we do this. You can disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, please read this.

CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When the scan finished, it will execute the script and reboot your computer automatically. Don't reboot your computer manually, let ComboFix do it.

Once your computer is rebooted, ComboFix will start preparing a log. Please let it do so unhindered. After a few minutes, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club

unite_blue.png
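Added example for this thread, written here and not taken from any post above nor from FRST, MBAM or ComboFix. The Fixlog in #7 prints the key it failed to open as hex-encoded UTF-16LE and flags an "InvalidSubkeyName" under LocalServer32; afterwards FRST's DeleteKey reports the key "could be protected", reg delete cannot find it, and MBAM keeps scheduling the same key for delete-on-reboot. A subkey whose name contains a character the Win32 registry API cannot pass through (an embedded NUL is the classic one) behaves exactly like that, yet the Native API addresses it without trouble because it takes a counted UNICODE_STRING. The Python below (3.6 or later) decodes the Fixlog hex, enumerates the LocalServer32 key with NtEnumerateKey, reports any subkey whose name carries a control character and, with --delete, removes it with NtDeleteKey. Assumptions: that the subkey on this machine is of that kind (the posts only show FRST's flag), that \Registry\Machine\... is the native form of the HKLM path in the Fixlog, and that the script runs as Administrator on Windows; the three pure helpers run on any OS.

```python
"""Find and delete a registry subkey the Win32 API cannot name, via the Native API.
Added example for this thread, not code from FRST, MBAM or ComboFix. The registry
calls need Windows and an Administrator token; the three helpers run anywhere."""
import ctypes
import struct
import sys
from ctypes import POINTER, Structure, byref, c_ulong, c_ushort, c_void_p

STATUS_NO_MORE_ENTRIES = 0x8000001A
OBJ_CASE_INSENSITIVE = 0x40
KEY_READ, DELETE = 0x20019, 0x00010000
KEY_BASIC_INFORMATION = 0   # KEY_INFORMATION_CLASS; layout: LastWriteTime(8) TitleIndex(4) NameLength(4) Name[]
KBI_NAME_OFFSET = 16

# Hex blob copied from the "Failed to open main key" line of the Fixlog in post #7.
FRST_HEX = (
    "48004B004C004D005C0053006F006600740077006100720065005C0043006C00"
    "610073007300650073005C0043004C005300490044005C007B00370033004500"
    "370030003900450041002D0035004400390033002D0034004200320045002D00"
    "42004200420030002D0039003900420037003900330038004400410039004500"
    "34007D005C004C006F00630061006C0053006500720076006500720033003200"
)

def decode_frst_hex_path(hex_text: str) -> str:
    """FRST prints a key name it could not open as hex-encoded UTF-16LE."""
    return bytes.fromhex(hex_text).decode("utf-16-le")

def parse_key_basic_information(raw: bytes) -> str:
    """Subkey name out of a KEY_BASIC_INFORMATION buffer (counted, so NULs survive)."""
    (name_len,) = struct.unpack_from("<I", raw, 12)
    return raw[KBI_NAME_OFFSET:KBI_NAME_OFFSET + name_len].decode("utf-16-le")

def win32_unopenable(name: str) -> bool:
    """Heuristic: a control character (an embedded NUL is the usual trick, assumed here)
    makes RegOpenKeyEx / reg.exe truncate or reject the name."""
    return any(ord(ch) < 0x20 for ch in name)

class UNICODE_STRING(Structure):
    _fields_ = [("Length", c_ushort), ("MaximumLength", c_ushort), ("Buffer", c_void_p)]

class OBJECT_ATTRIBUTES(Structure):
    _fields_ = [("Length", c_ulong), ("RootDirectory", c_void_p),
                ("ObjectName", POINTER(UNICODE_STRING)), ("Attributes", c_ulong),
                ("SecurityDescriptor", c_void_p), ("SecurityQualityOfService", c_void_p)]

def _ntdll():
    nt = ctypes.WinDLL("ntdll")   # Windows only
    nt.NtOpenKey.argtypes = [POINTER(c_void_p), c_ulong, POINTER(OBJECT_ATTRIBUTES)]
    nt.NtEnumerateKey.argtypes = [c_void_p, c_ulong, c_ulong, c_void_p, c_ulong, POINTER(c_ulong)]
    nt.NtDeleteKey.argtypes = nt.NtClose.argtypes = [c_void_p]
    for fn in (nt.NtOpenKey, nt.NtEnumerateKey, nt.NtDeleteKey, nt.NtClose):
        fn.restype = c_ulong      # NTSTATUS, kept unsigned so 0x8000001A compares cleanly
    return nt

def nt_open_key(nt, name: str, root=None, access=KEY_READ):
    """NtOpenKey with a counted UNICODE_STRING, so an embedded NUL in `name` is passed through."""
    buf = ctypes.create_unicode_buffer(name, len(name) + 1)   # .value keeps embedded NULs
    us = UNICODE_STRING(len(name) * 2, (len(name) + 1) * 2, ctypes.addressof(buf))
    oa = OBJECT_ATTRIBUTES(ctypes.sizeof(OBJECT_ATTRIBUTES), root, ctypes.pointer(us),
                           OBJ_CASE_INSENSITIVE, None, None)
    handle = c_void_p()
    status = nt.NtOpenKey(byref(handle), access, byref(oa))
    if status != 0:   # 0xC0000022 with DELETE access means the key is also ACL-locked
        raise OSError(f"NtOpenKey({name!r}) failed: NTSTATUS 0x{status:08X}")
    return handle.value

def nt_list_subkeys(nt, handle):
    names, index, out = [], 0, c_ulong()
    buf = ctypes.create_string_buffer(4096)
    while True:
        status = nt.NtEnumerateKey(handle, index, KEY_BASIC_INFORMATION, buf, len(buf), byref(out))
        if status == STATUS_NO_MORE_ENTRIES:
            return names
        if status != 0:
            raise OSError(f"NtEnumerateKey failed: NTSTATUS 0x{status:08X}")
        names.append(parse_key_basic_information(buf.raw))
        index += 1

def remove_unopenable_subkeys(native_path: str, dry_run: bool = True):
    """List the subkeys of `native_path`, flag those Win32 cannot name, delete them unless dry_run."""
    nt, removed = _ntdll(), []
    parent = nt_open_key(nt, native_path)
    try:
        for name in nt_list_subkeys(nt, parent):
            if not win32_unopenable(name):
                continue
            print("hidden subkey:", name.encode("unicode_escape").decode())
            if not dry_run:
                child = nt_open_key(nt, name, root=parent, access=DELETE)
                status = nt.NtDeleteKey(child)
                nt.NtClose(child)
                if status != 0:
                    raise OSError(f"NtDeleteKey failed: NTSTATUS 0x{status:08X}")
                removed.append(name)
    finally:
        nt.NtClose(parent)
    return removed

if __name__ == "__main__":
    print("Key named in the Fixlog:", decode_frst_hex_path(FRST_HEX))
    if sys.platform == "win32":   # assumed native form of that HKLM path
        target = r"\Registry\Machine\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32"
        remove_unopenable_subkeys(target, dry_run="--delete" not in sys.argv)
```

Run it once without arguments to see what NtEnumerateKey finds under LocalServer32 (escaped, so a NUL shows up as \x00), then with --delete from an elevated prompt. If the DELETE open comes back with STATUS_ACCESS_DENIED the key is additionally locked by its DACL, which matches the "could be protected" line in the Fixlog; taking ownership and resetting the ACL has to come first and is the part ComboFix's RegLockDel directive is meant to handle.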


#15 testoc

testoc
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:09:28 PM

Posted 30 July 2014 - 07:38 AM

Hi Seedy21,

CF is still having issues after reboot where it cannot open a CFxxx.3XE file after login.

 

Attached File: CFerror3.PNG (14.72KB)

 

I renamed the file as an exe and it is the CF cmd prompt window. As before, the log is all pre-reboot:

 

ComboFix 14-07-29.01 - coit 07/30/2014   7:56:59.13.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2038.1453 [GMT -4:00]
Running from: C:\Documents and Settings\coit\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\coit\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

 

 

When this command prompt doesn't launch, the CF continuation halts...

 

I should have added that when I opened the Services window to halt MSE, I noticed that the extended services window was "blocked" from viewing by a blue area. Just thought that was odd. I can grab a screen shot if you wish.


Edited by testoc, 30 July 2014 - 07:43 AM.




