
Ransomware taking over my computer - Help


This topic is locked
21 replies to this topic

#1 mrdrifter

Posted 16 November 2014 - 12:54 PM

My computer is infected with ransomware ("Police Report").  I'm running WinXP Pro (SP3).  At the bottom of this post is a FRST scan.

Background: The malware first manifested when booting up 2 days ago.  All is normal until the user account is selected, then after some moments the background turns gray, momentarily a tab on the task bar displays "Police Report" (sometimes), then a system error message appears: "Generic Host Process for Win32 Services has encountered a problem and needs to close. Etc."  Then the gray background and error message disappear.  A few seconds later, the same thing happens again (sans "Police Report" tab name).  And again and again.

Despite the malware activity, I can run applications (Photoshop Elements, MS Office, etc.) normally - leaving aside the flickering/flashing of the malware.  But taskmgr, msconfig & regedit are blocked.  Taskmgr actually pops up for a fraction of a second when I press alt-ctrl-del, not long enough to read, but capturable with print screen:

 

[Screenshot of Task Manager: 0Ud40NM.jpg]

In Safe Mode, the malware locks up the system, giving the conventional splash screen with threats.  But the only way to get into Safe Mode is to modify the Registry using Kaspersky or another tool so that Safe Mode isn't blocked by the malware.

Even though I can run regular applications in normal mode, DDS.com seems to be blocked, and rkill and tdsskiller don't seem to have any effect.  A scan with HitmanPro run in normal mode (with malware popping up every few seconds) found nothing.  It is not possible to run HitmanPro Kickstart due to a "Failed to boot!" error.  Scans with AVG and Kaspersky run from rescue disks found nothing.

I'm hoping you guys can help me fix this problem.  Many thanks!

Here is a FRST scan run after booting up with the Ultimate Boot CD 4 Win:
===================================================================
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-11-2014 01
Ran by SYSTEM on MININT-JVC on 16-11-2014 08:23:24
Running from E:\
Platform: Microsoft Windows XP Service Pack 2 (X86) OS Language: Georgian
Internet Explorer Version 7
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDCPL] => C:\Windows\RTHDCPL.EXE [16380416 2007-07-05] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Alcmtr] => C:\Windows\ALCMTR.EXE [69632 2005-05-03] (Realtek Semiconductor Corp.)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [nwiz] => nwiz.exe /install
HKLM\...\Run: [WinSys2] => C:\WINDOWS\system32\winsys2.exe [208896 2006-04-29] ()
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [NeroFilterCheck] => C:\WINDOWS\system32\NeroCheck.exe [155648 2006-01-13] (Nero AG)
HKLM\...\Run: [nmctxth] => C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe [451896 2007-10-02] (Pure Networks, Inc.)
HKLM\...\Run: [BluetoothAuthenticationAgent] => rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [1461080 2009-10-07] (ESET)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [BrStsWnd] => C:\Program Files\Brownie\BrstsWnd.exe [3618104 2009-08-19] (brother)
HKLM\...\Run: [PowerPanel Personal Edition User Interaction] => C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe [350184 2012-08-03] (Cyber Power Systems, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [271744 2014-09-27] (Oracle Corporation)
HKU\Arthur\...\Run: [NVIDIA nTune] => C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe [81920 2007-06-26] (NVIDIA)
HKU\Arthur\...\Run: [EPSON WorkForce 1100 Series] => C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFEA.EXE [199680 2009-01-07] (SEIKO EPSON CORPORATION)
HKU\Arthur\...\Run: [Akamai NetSession Interface] => C:\Documents and Settings\Arthur\Local Settings\Application Data\Akamai\netsession_win.exe [4673432 2014-10-30] (Akamai Technologies, Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\PROGRAMS\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (No File)

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 AdobeActiveFileMonitor; C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [98304 2004-10-20] ()
S3 EhttpSrv; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [20680 2009-10-07] (ESET)
S2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [472280 2009-10-07] (ESET)
S2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-10-17] (Oracle Corporation)
S3 nmraapache; C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe [12800 2007-10-30] (Pure Networks, Inc.)
S2 nmservice; C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe [451896 2007-10-02] (Pure Networks, Inc.)
S2 PhotoshopElementsDeviceConnect; C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [118784 2004-10-20] ()
S2 ppped; C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe [1017832 2012-08-04] (Cyber Power Systems, Inc.)
S3 Serviio; C:\Program Files\Serviio\bin\ServiioService.exe [327680 2013-12-20] ()

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 eamon; C:\Windows\System32\DRIVERS\eamon.sys [40824 2009-10-07] (ESET)
S1 easdrv; C:\Windows\System32\DRIVERS\easdrv.sys [54184 2009-10-07] (ESET)
S1 epfwtdir; C:\Windows\System32\DRIVERS\epfwtdir.sys [35168 2009-10-07] ()
S3 GcKernel; C:\Windows\System32\DRIVERS\GcKernel.sys [59136 2008-04-14] (Microsoft Corporation)
S0 giveio; C:\Windows\System32\giveio.sys [5248 1996-04-03] ()
S3 HIDSwvd; C:\Windows\System32\DRIVERS\HIDSwvd.sys [2688 2001-08-17] (Microsoft Corporation)
S3 n558; C:\Windows\System32\Drivers\n558.sys [9600 2007-08-15] ()
S0 nvatabus; C:\Windows\System32\drivers\nvatabus.sys [105472 2006-10-18] (NVIDIA Corporation)
S3 NVENETFD; C:\Windows\System32\DRIVERS\NVENETFD.sys [62592 2006-11-19] (NVIDIA Corporation)
S3 nvnetbus; C:\Windows\System32\DRIVERS\nvnetbus.sys [19968 2006-11-19] (NVIDIA Corporation)
S2 pnarp; C:\Windows\System32\DRIVERS\pnarp.sys [23864 2007-09-20] (Pure Networks, Inc.)
S2 purendis; C:\Windows\System32\DRIVERS\purendis.sys [24888 2007-09-20] (Pure Networks, Inc.)
S0 Si3531; C:\Windows\System32\DRIVERS\Si3531.sys [210224 2006-11-17] (Silicon Image, Inc)
S0 SiFilter; C:\Windows\System32\DRIVERS\SiWinAcc.sys [10368 2004-11-01] (Silicon Image, Inc.)
S0 SiRemFil; C:\Windows\System32\DRIVERS\SiRemFil.sys [5504 2006-10-18] (Silicon Image, Inc.)
S0 speedfan; C:\Windows\System32\speedfan.sys [5248 2006-09-24] (Windows ® 2000 DDK provider)
S3 GMSIPCI; \??\G:\INSTALL\GMSIPCI.SYS [X]
S4 IntelIde; No ImagePath
S5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-14] (Microsoft Corporation)
S1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-16 00:57 - 2014-11-16 00:57 - 00156160 _____ () C:\Documents and Settings\Arthur\Desktop\ErrorMessages1.ppt
2014-11-16 00:30 - 2014-11-16 00:43 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HitmanPro
2014-11-16 00:29 - 2014-11-15 22:35 - 10284408 _____ (SurfRight B.V.) C:\Documents and Settings\Arthur\Desktop\HitmanPro.exe
2014-11-15 12:49 - 2014-11-15 22:13 - 00000000 ____D () C:\FRST
2014-11-15 00:11 - 2014-11-15 00:43 - 00013654 _____ () C:\Documents and Settings\Arthur\Desktop\Rkill.txt
2014-11-14 21:19 - 2014-11-15 12:20 - 00000000 ____D () C:\Kaspersky Rescue Disk 10.0
2014-11-14 16:25 - 2014-11-14 16:25 - 00000000 ____D () C:\Windows\pss
2014-11-14 16:07 - 2014-11-14 23:50 - 00000000 ____D () C:\Documents and Settings\Arthur\Desktop\RKill
2014-11-14 16:07 - 2014-11-14 23:48 - 04184008 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\Arthur\Desktop\tdsskiller.exe
2014-11-14 16:07 - 2014-11-14 23:47 - 01944824 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Arthur\Desktop\rkill.com
2014-11-14 16:07 - 2014-11-14 23:46 - 01944824 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Arthur\Desktop\rkill.exe
2014-11-14 16:07 - 2014-11-14 23:46 - 01944824 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Arthur\Desktop\iExplore.exe
2014-11-14 02:57 - 2014-11-14 02:58 - 02748387 _____ () C:\Documents and Settings\Arthur\Desktop\03 Track 3.wma
2014-11-14 02:57 - 2014-11-14 02:57 - 03632835 _____ () C:\Documents and Settings\Arthur\Desktop\02 Track 2.wma
2014-11-11 03:31 - 2014-11-11 03:31 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-10-17 14:04 - 2014-10-17 14:03 - 00272808 _____ (Oracle Corporation) C:\Windows\System32\javaws.exe
2014-10-17 14:04 - 2014-10-17 14:03 - 00175528 _____ (Oracle Corporation) C:\Windows\System32\javaw.exe
2014-10-17 14:04 - 2014-10-17 14:03 - 00175528 _____ (Oracle Corporation) C:\Windows\System32\java.exe
2014-10-17 14:04 - 2014-10-17 14:03 - 00096680 _____ (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-16 05:35 - 2007-11-26 17:37 - 00000278 ___SH () C:\Documents and Settings\Arthur\ntuser.ini
2014-11-16 05:35 - 2007-11-26 17:31 - 01057833 _____ () C:\Windows\WindowsUpdate.log
2014-11-16 05:35 - 2007-07-27 12:00 - 00013756 _____ () C:\Windows\System32\wpa.dbl
2014-11-16 01:04 - 2007-11-26 17:37 - 00000000 ____D () C:\Documents and Settings\Arthur\Local Settings\Temp
2014-11-16 01:04 - 2007-11-26 17:35 - 00032654 _____ () C:\Windows\SchedLgU.Txt
2014-11-16 01:04 - 2007-11-26 09:26 - 00000275 _____ () C:\Windows\wiadebug.log
2014-11-16 01:04 - 2007-11-26 09:26 - 00000050 _____ () C:\Windows\wiaservc.log
2014-11-16 01:02 - 2013-11-29 15:16 - 00000000 ____D () C:\Program Files\CyberPower PowerPanel Personal Edition
2014-11-16 00:50 - 2007-07-27 12:00 - 00000709 _____ () C:\Windows\win.ini
2014-11-14 15:06 - 2007-11-26 17:31 - 00000000 ____D () C:\Windows\System32\Restore
2014-11-14 03:20 - 2012-08-18 00:06 - 00000000 ____D () C:\Documents and Settings\Arthur\Desktop\NewsClips
2014-11-14 03:04 - 2008-08-06 22:10 - 00000000 ____D () C:\Program Files\Nancy Drew
2014-11-14 03:04 - 2007-11-27 02:54 - 00000000 ___HD () C:\Program Files\InstallShield Installation Information
2014-11-14 02:35 - 2012-11-22 15:31 - 00000000 ____D () C:\Documents and Settings\Arthur\Local Settings\Application Data\Akamai
2014-11-13 16:06 - 2014-10-05 23:32 - 00008463 _____ () C:\Windows\wmsetup.log
2014-11-12 03:04 - 2013-08-15 23:31 - 00000000 ____D () C:\Windows\System32\MRT
2014-11-12 03:01 - 2007-11-29 04:10 - 100445232 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-11-11 20:23 - 2012-04-27 20:41 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-11-11 16:54 - 2007-11-29 15:27 - 00000234 _____ () C:\Windows\Brownie.ini
2014-11-10 02:59 - 2007-12-02 04:06 - 00000000 ____D () C:\Documents and Settings\Arthur\Application Data\foobar2000
2014-11-09 18:15 - 2007-11-30 00:38 - 00000000 ____D () C:\Documents and Settings\Arthur\My Documents\arc
2014-11-09 01:46 - 2008-03-26 01:01 - 00000000 ____D () C:\Documents and Settings\Arthur\My Documents\Scanner
2014-11-08 00:12 - 2007-11-29 15:27 - 00000426 _____ () C:\Windows\BRWMARK.INI
2014-11-05 05:04 - 2012-08-01 02:10 - 00000000 ____D () C:\Documents and Settings\Arthur\Desktop\Medieval
2014-11-02 13:39 - 2007-11-26 09:25 - 00576486 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-10-19 14:22 - 2014-08-16 13:05 - 00000000 ____D () C:\Documents and Settings\Arthur\Local Settings\Application Data\Adobe
2014-10-19 14:21 - 2012-05-02 12:44 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2014-10-19 14:21 - 2011-05-18 13:13 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2014-10-19 14:17 - 2007-11-27 03:06 - 00000000 __SHD () C:\Documents and Settings\Arthur\UserData
2014-10-17 14:04 - 2008-02-07 04:27 - 00000000 ____D () C:\Program Files\Common Files\Java
2014-10-17 14:03 - 2008-02-07 04:27 - 00145408 _____ (Oracle Corporation) C:\Windows\System32\javacpl.cpl

Files to move or delete:
====================
C:\Documents and Settings\Arthur\jagex_cl_runescape_LIVE.dat
C:\Documents and Settings\Arthur\jagex_runescape_preferences.dat
C:\Documents and Settings\Arthur\jagex_runescape_preferences2.dat
C:\Documents and Settings\Arthur\jagex__preferences3.dat


Some content of TEMP:
====================
C:\Documents and Settings\Arthur\Local Settings\Temp\AdobeUpdater12345.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\Install_PDFR_Pro_v250.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-6u14-windows-i586-iftw-rv.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-6u15-windows-i586-iftw.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-6u16-windows-i586-iftw.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-6u17-windows-i586-iftw-rv.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-6u18-windows-i586-iftw-rv.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-6u20-windows-i586-iftw-rv.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-6u21-windows-i586-iftw-rv_6f82dccf.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-6u22-windows-i586-iftw-rv.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-6u23-windows-i586-iftw-rv.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-6u29-windows-i586-iftw-rv.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-6u31-windows-i586-iftw-rv.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-6u33-windows-i586-iftw.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-6u35-windows-i586-iftw.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-6u37-windows-i586-iftw.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-6u39-windows-i586-iftw.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-7u15-windows-i586-iftw.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-7u17-windows-i586-iftw.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-7u21-windows-i586-iftw.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-7u25-windows-i586-iftw.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-7u45-windows-i586-iftw.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-7u51-windows-i586-iftw.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-7u55-windows-i586-iftw.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-7u65-windows-i586-iftw.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-7u67-windows-i586-iftw.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\jre-7u71-windows-i586-iftw.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\_is1.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\_is12.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\_is13.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\_is1641.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\_is168.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\_is185.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\_is1C4.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\_is2.exe
C:\Documents and Settings\Arthur\Local Settings\Temp\_isEAF.exe
C:\Documents and Settings\Robert\Local Settings\Temp\setup_wm.exe


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points (XP) =====================

RP: -> 2014-11-14 15:06 - 028672 _restore{6EE7D457-6DD7-444B-A646-52C4E6DFE286}\RP1


==================== Memory info ===========================

Percentage of memory in use: 23%
Total physical RAM: 3071.28 MB
Available physical RAM: 2336.89 MB
Total Pagefile: 2896 MB
Available Pagefile: 2365.31 MB
Total Virtual: 2047.88 MB
Available Virtual: 1999.86 MB

==================== Drives ================================

Drive b: (RAMDisk) (Fixed) (Total:0.5 GB) (Free:0.5 GB) FAT
Drive c: (ARC3_C) (Fixed) (Total:298.08 GB) (Free:24.67 GB) NTFS
Drive e: () (Removable) (Total:1.88 GB) (Free:1.71 GB) FAT
Drive x: (UBCD4Windows) (CDROM) (Total:0.63 GB) (Free:0 GB) CDFS
Drive y: (ARC3_D) (Fixed) (Total:465.76 GB) (Free:308.78 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 1.9 GB) (Disk ID: C96CC96C)
Partition 1: (Active) - (Size=1.9 GB) - (Type=0E)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 298.1 GB) (Disk ID: 164F164E)
Partition 1: (Active) - (Size=298.1 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 465.8 GB) (Disk ID: 36260964)
Partition 1: (Not Active) - (Size=465.8 GB) - (Type=07 NTFS)

==================== End Of Log ============================
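The autorun and driver sections of a log like the one above are where a helper looks first. The script below is an added example, not part of the original post and not FRST's own code: it parses the `HKLM\...\Run:` and `S0..S5 name; ...` line shapes shown in the log and flags entries that deserve a second look. The sample lines are constructed to mirror entries from this log, the flag names are my own, and the reading of the trailing `[size date] (company)` block as the file's size, date and company name, `[X]` as "file not found" and `No ImagePath` as a service with no binary is taken from the format as it appears here.

```python
import re

# Constructed sample in the shape of FRST's "Registry (Whitelisted)" and
# "Drivers (Whitelisted)" sections; the lines mirror entries from the log above.
SAMPLE_LOG = r"""
HKLM\...\Run: [RTHDCPL] => C:\Windows\RTHDCPL.EXE [16380416 2007-07-05] (Realtek Semiconductor Corp.)
HKLM\...\Run: [WinSys2] => C:\WINDOWS\system32\winsys2.exe [208896 2006-04-29] ()
HKLM\...\Run: [nwiz] => nwiz.exe /install
S0 giveio; C:\Windows\System32\giveio.sys [5248 1996-04-03] ()
S3 GMSIPCI; \??\G:\INSTALL\GMSIPCI.SYS [X]
S4 IntelIde; No ImagePath
"""

# "HKLM\...\Run: [Name] => <command, or path [size date] (company)>"
RUN_RE = re.compile(r'^(?P<hive>HK\S*?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<rest>.*)$')
# "S2 name; <path [size date] (company)>"  (services and drivers share this shape)
SVC_RE = re.compile(r'^(?P<start>S[0-9]) (?P<name>[^;]+); (?P<rest>.*)$')
# Trailing "[size YYYY-MM-DD] (company)" block that FRST appends when it could read the file
META_RE = re.compile(r'^(?P<path>.+?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>[^)]*)\)$')


def parse_entry(line):
    """Parse one FRST autorun/service/driver line into a dict, or None if it is some other line."""
    line = line.rstrip()
    m = RUN_RE.match(line)
    if m:
        kind = "run"
    else:
        m = SVC_RE.match(line)
        if not m:
            return None
        kind = "service"
    entry = {"kind": kind, "name": m.group("name"), "path": None, "company": None, "flags": []}
    rest = m.group("rest")
    meta = META_RE.match(rest)
    if meta:
        entry["path"] = meta.group("path")
        entry["company"] = meta.group("company")
        if not entry["company"]:
            # "()" means FRST found no company name in the file's version info;
            # legitimate drivers can look like this too, so it is a prompt, not a verdict.
            entry["flags"].append("no company name")
    elif rest.endswith("[X]"):
        entry["path"] = rest[:-len(" [X]")]
        entry["flags"].append("file missing")        # registry points at a file that is gone
    elif rest == "No ImagePath":
        entry["flags"].append("no image path")       # service key with no binary configured
    else:
        entry["path"] = rest
        entry["flags"].append("no file details")     # bare command; FRST gave no size/date/company
    return entry


def triage(log_text):
    """Return parsed entries for every autorun/service/driver line in the log text."""
    return [e for e in (parse_entry(l) for l in log_text.splitlines()) if e]


def flagged_names(log_text):
    """Names of entries carrying at least one flag, in log order."""
    return [e["name"] for e in triage(log_text) if e["flags"]]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        marker = "!" if e["flags"] else " "
        print(f"{marker} {e['kind']:7} {e['name']:12} {e['path'] or '-'}  {', '.join(e['flags'])}")
```

Run it against a full FRST.txt by replacing `SAMPLE_LOG` with the file contents; a flag only says "look here", so each flagged path still has to be checked by hand (or compared against a known-good install) before anything goes into a fixlist.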




#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,549 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:59 PM

Posted 21 November 2014 - 12:55 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/556421 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 mrdrifter

mrdrifter
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:59 PM

Posted 21 November 2014 - 08:32 PM

The basic facts and circumstances of my problem are given in the original post from 5 days ago.  Here are the developments since then:
1. DDS.com didn't run successfully (the program starts, but doesn't display a message and never terminates)
2. Tried removing start-up programs, but this didn't eliminate the problem.
3. Made a copy of taskmgr.exe with a different name.  This enabled me to run task manager, but otherwise offered no clues.
4. Found entries in the log generated by dwwin.exe (Dr Watson) for the successive terminations of the malware process and have extracted a series of 3 examples which I can post if they would help.
5. I have the original Windows XP Pro CD.
6. I have run FRST.exe in normal mode and generated log files (the log file in the original post was generated using a bootable CD as explained above).  FRST.txt is posted in the next post.  The Addition.txt is here:

=========================
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 13-11-2014 01
Ran by Axxxx at 2014-11-21 17:02:18
Running from C:\Documents and Settings\Axxxx\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: ESET NOD32 Antivirus 3.0 (Disabled - Up to date) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 4.57 (HKLM\...\7-Zip) (Version:  - )
A3 2400S Scanner V1.2 (HKLM\...\InstallShield_{5EEF818B-96A0-4315-9DFC-FC91CD9DCAC9}) (Version: 1.2.0.3 - Mustek Systems Inc.)
A3 2400S Scanner V1.2 (Version: 1.2.0.3 - Mustek Systems Inc.) Hidden
ABBYY FineReader 6.0 Sprint (HKLM\...\{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}) (Version: 6.00.1395.4512 - ABBYY Software House)
Adobe Flash Player 12 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 12.0.0.70 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 15.0.0.189 - Adobe Systems Incorporated)
Adobe Photoshop Elements 3.0 (HKLM\...\{851C67EF-068A-4060-9EF5-2E3DDCD68382}) (Version: 003.000.0000 - Adobe Systems Inc.)
Adobe Reader X (10.1.11) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.11 - Adobe Systems Incorporated)
AnswerWorks 4.0 Runtime - English (HKLM\...\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}) (Version: 4.0.101 - Vantage Software Technologies)
AnswerWorks 5.0 English Runtime (HKLM\...\{9E5A03E3-6246-4920-9630-0527D5DA9B07}) (Version: 008.000.0003 - Vantage Linguistics)
Audacity 1.2.6 (HKLM\...\Audacity_is1) (Version:  - )
AutoHotkey 1.0.48.05 (HKLM\...\AutoHotkey) (Version: 1.0.48.05 - Chris Mallett)
Brother HL-5250DN (HKLM\...\{694E7A6D-5F64-4955-86C6-DD378715E657}) (Version: 1.00 - Brother)
Brother HL-5370DW (HKLM\...\{E3A5D3E5-BA26-4A7B-9D4F-C08D7C79CC38}) (Version: 1.00 - Brother)
CCleaner (HKLM\...\CCleaner) (Version: 4.00 - Piriform)
Citrix Presentation Server Client (HKLM\...\{42ACCB45-3363-47E0-94E9-F0074CC8BC56}) (Version: 10.150.58643 - Citrix Systems, Inc.)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
ConvertXtoDVD 3.3.2.100 (HKLM\...\{76C24F39-B161-498F-BD8B-C64789812D13}_is1) (Version: 3.3.2.100 - )
Critical Update for Windows Media Player 11 (KB959772) (HKLM\...\KB959772_WM11) (Version:  - Microsoft Corporation)
CyberPower PowerPanel Personal Edition 1.3.4 (HKLM\...\{612DBD6B-D073-43A9-8A26-D89DDF835137}) (Version: 1.3.4 - Cyber Power Systems, Inc.)
DVD Decrypter (Remove Only) (HKLM\...\DVD Decrypter) (Version:  - )
DVD Shrink 3.2 (HKLM\...\DVD Shrink_is1) (Version:  - DVD Shrink)
EPSON Copy Utility 3 (HKLM\...\{67EDD823-135A-4D59-87BD-950616D6E857}) (Version: 3.2.0.0 - )
EPSON Perf V700-V750 Guide (HKLM\...\Silent Package Run-Time Sample) (Version:  - )
EPSON Scan (HKLM\...\EPSON Scanner) (Version:  - )
EPSON WorkForce 1100 Series Printer Uninstall (HKLM\...\EPSON WorkForce 1100 Series) (Version:  - SEIKO EPSON Corporation)
ESET NOD32 Antivirus (HKLM\...\{C10D6AB8-05BB-422D-AAE3-36D6E0381487}) (Version: 3.0.695.0 - ESET, spol s r. o.)
Exact Audio Copy 0.99pb5 (HKLM\...\Exact Audio Copy) (Version: 0.99pb5 - Andre Wiethoff)
Font Xplorer 1.2.2  (HKLM\...\Font Xplorer) (Version:  - )
foobar2000 v0.9.4.5 (HKLM\...\foobar2000) (Version: 0.9.4.5 - Peter Pawlowski)
FreeSpace 2 (HKLM\...\FreeSpace2) (Version:  - )
GIMP 2.6.3 (HKLM\...\WinGimp-2.0_is1) (Version:  - )
HashCalc 2.02 (HKLM\...\HashCalc_is1) (Version:  - SlavaSoft Inc.)
High Definition Audio Driver Package - KB888111 (HKLM\...\KB888111WXPSP2) (Version: 20040219.000000 - Microsoft Corporation)
High-Logic FontCreator 6.5 (HKLM\...\FontCreator6_is1) (Version:  - High-Logic B.V.)
Jane's Combat Simulations WWII Fighters (HKLM\...\WWII Fighters) (Version:  - )
Java 7 Update 71 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217071FF}) (Version: 7.0.710 - Oracle)
Java™ 6 Update 4 (HKLM\...\{3248F0A8-6813-11D6-A77B-00B0D0160040}) (Version: 1.6.0.40 - Sun Microsystems, Inc.)
Java™ 6 Update 5 (HKLM\...\{3248F0A8-6813-11D6-A77B-00B0D0160050}) (Version: 1.6.0.50 - Sun Microsystems, Inc.)
Java™ 6 Update 7 (HKLM\...\{3248F0A8-6813-11D6-A77B-00B0D0160070}) (Version: 1.6.0.70 - Sun Microsystems, Inc.)
LilyPond (HKLM\...\LilyPond) (Version:  - )
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB979906) (HKLM\...\M979906) (Version:  - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Professional Edition 2003 (HKLM\...\{91110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Mozilla Firefox 33.1 (x86 en-US) (HKLM\...\Mozilla Firefox 33.1 (x86 en-US)) (Version: 33.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 29.0 - Mozilla)
MPC-HC 1.7.3 (HKLM\...\{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1) (Version: 1.7.3 - MPC-HC Team)
MSXML 4.0 SP2 (KB936181) (HKLM\...\{C04E32E0-0416-434D-AFB9-6969D703A9EF}) (Version: 4.20.9848.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
MSXML 6 Service Pack 2 (KB973686) (HKLM\...\{56EA8BC0-3751-4B93-BC9D-6651CC36E5AA}) (Version: 6.20.2003.0 - Microsoft Corporation)
Nero 6 Ultra Edition (HKLM\...\Nero - Burning Rom!UninstallKey) (Version:  - )
Nero Digital (HKLM\...\NeroVision!UninstallKey) (Version:  - )
Network Magic (HKLM\...\Network MagicUninstall) (Version: 4.6.7324.0 - Pure Networks)
Network Magic (Version: 4.6.7324.0 - Pure Networks) Hidden
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version:  - )
NVIDIA nTune (HKLM\...\InstallShield_{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}) (Version: 1.00.0000 - NVIDIA Corporation)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0 - Microsoft Corporation) Hidden
OpenAL (HKLM\...\OpenAL) (Version:  - )
PDF reDirect (remove only) (HKLM\...\PDF reDirect) (Version: v2.5.0 - EXP Systems LLC)
PDFCreator (HKLM\...\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}) (Version: 1.7.0 - pdfforge)
POF Constructor Suite 2.0.2 (HKLM\...\POF Constructor Suite) (Version: 2.0.2 - Kazan & Bobboau)
Pure Networks Platform (Version: 4.5.7324.0 - Pure Networks) Hidden
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 5.10.0.5449 - Realtek Semiconductor Corp.)
Red Alert Windows 95 (HKLM\...\Red Alert) (Version:  - )
Sauerbraten (HKLM\...\Sauerbraten) (Version:  - )
Serviio (HKLM\...\Serviio) (Version:  - )
SideWinder Precision 2 (HKLM\...\SideWinder Precision 2) (Version:  - )
SpeedFan (remove only) (HKLM\...\SpeedFan) (Version:  - )
Spelling Dictionaries Support For Adobe Reader 8 (HKLM\...\{AC76BA86-7AD7-5464-3428-800000000003}) (Version: 8.0.0 - Adobe Systems)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1) (Version: 1.6.2 - Safer Networking Limited)
SupportSoft Assisted Service (HKLM\...\{5A3F6A80-7913-475E-8B96-477A952CFA43}) (Version: 15 - SupportSoft)
TerraForm (HKLM\...\{EB3F6083-2209-4134-ADC9-1ADDB667EEC9}) (Version: 1.0.0.0 - )
The Babylon Project v3.4b (HKLM\...\The Babylon Project v3.4b) (Version:  - )
TurboTax 2005 (HKLM\...\TurboTax 2005) (Version:  - )
TurboTax 2008 (HKLM\...\TurboTax 2008) (Version:  - )
TurboTax 2009 (HKLM\...\TurboTax 2009) (Version:  - Intuit, Inc)
TurboTax 2010 (HKLM\...\TurboTax 2010) (Version:  - Intuit, Inc)
TurboTax 2011 (HKLM\...\TurboTax 2011) (Version:  - Intuit, Inc)
TurboTax 2012 (HKLM\...\TurboTax 2012) (Version: 2012.0 - Intuit, Inc)
TurboTax 2013 (HKLM\...\TurboTax 2013) (Version: 2013.0 - Intuit, Inc)
TurboTax Deluxe 2007 (HKLM\...\TurboTax Deluxe 2007) (Version:  - )
TurboTax Deluxe Deduction Maximizer 2006 (HKLM\...\TurboTax Deluxe Deduction Maximizer 2006) (Version:  - )
TurboTax ItsDeductible 2005 (HKLM\...\{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}) (Version: 9.05.0000 - Intuit)
TurboTax ItsDeductible 2006 (HKLM\...\{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}) (Version: 10.00.0000 - Intuit)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Welcome to the Catholic Church (HKLM\...\{B746F0A5-39B5-4EA2-8CEF-0C13006900F1}) (Version: 4.01.0540 - )
WexTech AnswerWorks (HKLM\...\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}) (Version: 1.00.000 - )
Windows Driver Package - Pure Networks, Inc. Pure Networks Device Discovery Driver (08/24/2007 4.6.7236.0) (HKLM\...\EBA03E8208F5C2C69DE38D5BAC4D99ED64267EB5) (Version: 08/24/2007 4.6.7236.0 - Pure Networks, Inc.)
Windows Driver Package - Pure Networks, Inc. Pure Networks Wireless Driver (08/24/2007 4.6.7236.0) (HKLM\...\8198C7AC51A3DF27EC59783566CCDD4B6E6F1A1D) (Version: 08/24/2007 4.6.7236.0 - Pure Networks, Inc.)
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Imaging Component (HKLM\...\WIC) (Version: 3.0.0.0 - Microsoft Corporation)
Windows Internet Explorer 7 (HKLM\...\ie7) (Version: 20070813.185237 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
WinRAR archiver (HKLM\...\WinRAR archiver) (Version:  - )
xplorer² lite (HKLM\...\xplorer2l) (Version: 1.7 L - Zabkat)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{0000002F-0000-0000-C000-000000000046}\InprocServer32 -> C:\windows\system32\oleaut32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 -> C:\windows\system32\oleaut32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 -> C:\windows\system32\oleaut32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 -> C:\windows\system32\oleaut32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32 -> C:\windows\system32\oleaut32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 -> C:\windows\system32\oleaut32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32 -> C:\windows\system32\oleaut32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{01329177-32B9-43A7-A4DE-98C73B23B340}\InprocServer32 -> C:\Program Files\ItsDeductible2005\DPDF_Gen98.dll (ceTe, Inc.)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{05EC5C13-D255-4592-9CCB-98615172F0D6}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{07B27DE3-0C8C-4F21-B249-ED5BDC5AFF6F}\InprocServer32 -> C:\Program Files\ItsDeductible2005\DPDF_Gen98.dll (ceTe, Inc.)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{08D1779E-7D4B-4B64-8F9F-AA29DE48DAA3}\InprocServer32 -> C:\Program Files\ItsDeductible2005\DPDF_Gen98.dll (ceTe, Inc.)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{0ADF9C35-0D5E-4B75-88DD-B64868907E17}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> C:\windows\system32\oleaut32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> C:\windows\system32\oleaut32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{123FAF7F-3FB1-4B8F-AD18-0047401D436A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{1704815D-0A03-44ff-8646-1AE1FE84E313}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2008\qbw32.exe No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{1B3210AF-E236-46D4-83EF-6421F2FF543C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{1B52ECE0-8483-101C-933E-0000C005958C}\InprocServer32 -> C:\Program Files\ItsDeductible2005\SPR32X30.ocx (FarPoint Technologies, Inc.)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{1B52ECE1-8483-101C-933E-0000C005958C}\InprocServer32 -> C:\Program Files\ItsDeductible2005\SPR32X30.ocx (FarPoint Technologies, Inc.)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{1B52ECE2-8483-101C-933E-0000C005958C}\InprocServer32 -> C:\Program Files\ItsDeductible2005\SPR32X30.ocx (FarPoint Technologies, Inc.)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{1E78DD72-771E-42BF-8B4B-363CEB18E07B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\MSCOMCTL.OCX (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\WINDOWS\system32\MSCOMCT2.OCX (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{22664BE2-0806-4BA4-8643-DE40C9149176}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\WINDOWS\system32\MSCOMCT2.OCX (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{275DBBA0-805A-11CF-91F7-C2863C385E30}\InprocServer32 -> C:\WINDOWS\system32\msflxgrd.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{2A9EBDB5-0600-4E8C-B910-4001BEB2DD8C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{2B11E9B0-9F09-11D0-9484-00A0C91110ED}\InprocServer32 -> C:\WINDOWS\system32\msstdfmt.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\MSCOMCTL.OCX (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{32D32337-1511-4416-85C5-FD96C99322A0}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{349D777D-F7A2-4AAE-967F-A54F05A7FF3B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBFinder.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\MSCOMCTL.OCX (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{37A2FC00-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{37A2FC02-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{38F58721-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\COMObjectFactory.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{38F58742-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{38F58743-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{38F58744-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{3928D252-6BB4-4C0D-BE70-1E03AF93D464}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{3A2B370C-BA0A-11D1-B137-0000F8753F5D}\InprocServer32 -> C:\WINDOWS\system32\mschrt20.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32 -> C:\WINDOWS\system32\comdlg32.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}\InprocServer32 -> C:\WINDOWS\system32\comdlg32.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32 -> C:\WINDOWS\system32\comdlg32.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}\InprocServer32 -> C:\windows\system32\oleaut32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{4716D3CE-55DB-4D2A-818C-87D912895890}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{4844F3F7-2161-4AC4-B219-B3B4311782AA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32 -> C:\WINDOWS\system32\msinet.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32 -> C:\WINDOWS\system32\msinet.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32 -> C:\WINDOWS\system32\msinet.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{4CAD92F0-D7C4-11D0-BCF7-00C04FC2FB86}\InprocServer32 -> C:\WINDOWS\system32\msdatgrd.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{4D2ACF01-745F-11CF-8BC4-00AA00B42B7C}\InprocServer32 -> C:\Program Files\ItsDeductible2005\SPR32X30.ocx (FarPoint Technologies, Inc.)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{4E5E74B5-8EB5-4859-A335-837EED412620}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{5249684A-D7A2-4DBE-94F4-B90923A7BC64}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{5428A9ED-6CD8-11D6-9C8A-0001023DCAA2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{547C8F00-5567-4AE3-8BB0-CC3CE2AB9070}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{57D590F1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{596801D8-2C9D-4627-9C67-195CB81B655A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{5B7331FA-8910-4748-A8A4-60B445041F28}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\WINDOWS\system32\MSCOMCT2.OCX (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{62022DB3-AEBA-4E84-9D13-4F4AEDD8FCBA}\InprocServer32 -> C:\Program Files\ItsDeductible2005\DPDF_Gen98.dll (ceTe, Inc.)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{6262D3A0-531B-11CF-91F6-C2863C385E30}\InprocServer32 -> C:\WINDOWS\system32\msflxgrd.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{6319EEA0-531B-11CF-91F6-C2863C385E30}\InprocServer32 -> C:\WINDOWS\system32\msflxgrd.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{664E2200-24DB-11D2-9A82-444553540000}\InprocServer32 -> C:\Program Files\ItsDeductible2005\SPR32X30.ocx (FarPoint Technologies, Inc.)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\MSCOMCTL.OCX (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{699DDBCC-DC7E-11D0-BCF7-00C04FC2FB86}\InprocServer32 -> C:\WINDOWS\system32\msstdfmt.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED}\InprocServer32 -> C:\WINDOWS\system32\msstdfmt.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{70478C56-E77F-4134-B3E3-3B18EE036D71}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32 -> C:\WINDOWS\system32\comdlg32.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32 -> C:\WINDOWS\system32\comdlg32.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{7BB7994B-5297-49B3-A42C-4812B51D8331}\InprocServer32 -> C:\Program Files\ItsDeductible2005\DPDF_Gen98.dll (ceTe, Inc.)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{7C3194FC-D942-11D0-BCF7-00C04FC2FB86}\InprocServer32 -> C:\WINDOWS\system32\msdatgrd.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{7DBF8260-30AD-4D1B-876A-8032B87B809F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{8034BBB8-2145-4159-9A34-51E21A0A981F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{828E5386-74CF-4019-B356-C857CD028A7D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{82CC31B3-53B4-4161-A4E9-6B4F1290A6C8}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{8572570D-12D9-4F2C-8BB8-EB8848178B94}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{8D0A8460-D87E-11D0-BCF7-00C04FC2FB86}\InprocServer32 -> C:\WINDOWS\system32\msdatgrd.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\MSCOMCTL.OCX (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{8E590317-1329-11D1-B70B-00805F29CD16}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2008\qbw32.exe No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{8FEDE364-AB37-4551-80C9-6D468E222AB2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\InprocServer32 -> C:\WINDOWS\system32\msstdfmt.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{9D9B61F2-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{9D9B61F3-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{9D9B61F4-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{9D9B61F5-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{9D9B61F6-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{9D9B61F7-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{A28E8A2F-75FD-4809-897D-8CEE473E9A72}\InprocServer32 -> C:\Program Files\ItsDeductible2005\DPDF_Gen98.dll (ceTe, Inc.)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{A58C4EAB-2DB8-445E-9CAE-2AE197A5C708}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{A63E42D0-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{A63E42D2-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{AC5D0DDE-BD4C-11D1-B137-0000F8753F5D}\InprocServer32 -> C:\WINDOWS\system32\mschrt20.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{AC5D0DDF-BD4C-11D1-B137-0000F8753F5D}\InprocServer32 -> C:\WINDOWS\system32\mschrt20.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{AC5D0DE0-BD4C-11D1-B137-0000F8753F5D}\InprocServer32 -> C:\WINDOWS\system32\mschrt20.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{AC5D0DE1-BD4C-11D1-B137-0000F8753F5D}\InprocServer32 -> C:\WINDOWS\system32\mschrt20.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{AC5D0DE2-BD4C-11D1-B137-0000F8753F5D}\InprocServer32 -> C:\WINDOWS\system32\mschrt20.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{AC5D0DE3-BD4C-11D1-B137-0000F8753F5D}\InprocServer32 -> C:\WINDOWS\system32\mschrt20.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{AC5D0DE4-BD4C-11D1-B137-0000F8753F5D}\InprocServer32 -> C:\WINDOWS\system32\mschrt20.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{AC5D0DE5-BD4C-11D1-B137-0000F8753F5D}\InprocServer32 -> C:\WINDOWS\system32\mschrt20.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{AF5E0A13-CEAB-47CE-991D-77E82CD1BF3F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\WINDOWS\system32\MSCOMCT2.OCX (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32 -> C:\windows\system32\oleaut32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{B47C6567-880B-40F7-989D-F944BDE4E446}\InprocServer32 -> C:\Program Files\ItsDeductible2005\DPDF_Gen98.dll (ceTe, Inc.)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{B66F2BF1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{BAB5D6C9-3634-4D96-88CF-5A8B10C1996C}\InprocServer32 -> C:\Program Files\ItsDeductible2005\DPDF_Gen98.dll (ceTe, Inc.)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{BCD594EA-15C3-4FD8-B92B-114BB9694537}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBCtrIPMDS2.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\MSCOMCTL.OCX (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\MSCOMCTL.OCX (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{C75C4FE5-848D-11CE-AF28-861BF46909CC}\InprocServer32 -> C:\Program Files\ItsDeductible2005\SPR32X30.ocx (FarPoint Technologies, Inc.)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{C9047280-848F-101C-933E-0000C005958C}\InprocServer32 -> C:\Program Files\ItsDeductible2005\SPR32X30.ocx (FarPoint Technologies, Inc.)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{C9047281-848F-101C-933E-0000C005958C}\InprocServer32 -> C:\Program Files\ItsDeductible2005\SPR32X30.ocx (FarPoint Technologies, Inc.)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{CDE57A43-8B86-11D0-B3C6-00A0C90AEA82}\InprocServer32 -> C:\WINDOWS\system32\msdatgrd.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{CDE57A44-8B86-11D0-B3C6-00A0C90AEA82}\InprocServer32 -> C:\WINDOWS\system32\msdatgrd.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{CE18240D-F3F8-43AE-9EA0-A0DC85A95375}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{D14FD6B3-6A9F-4537-9460-07B836707127}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{D4A12AAF-E15E-470B-A6B6-63032186F91F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InprocServer32 -> C:\WINDOWS\system32\MSVBVM60.DLL (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{D9B9C060-0954-11D3-9E07-00104BD2BE34}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSource.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{D9BC6F81-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{D9BC6F84-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{D9BC6F87-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{D9BC6FA1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{D9BC6FA6-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{D9BC6FB2-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\StorageClasses.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{D9BC6FC1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{DCB2B478-EFF6-48F6-B718-13E98876854E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\MSCOMCTL.OCX (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{DFD0AF10-B86C-4AF3-B609-1348D513E565}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{E1A173E1-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{E1A173E3-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{E2454650-4D87-11D2-B8B2-0000C00A958C}\InprocServer32 -> C:\Program Files\ItsDeductible2005\SPR32X30.ocx (FarPoint Technologies, Inc.)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{E6E4DF8B-17CE-43ED-B2C7-2CE10457552D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{E7D2D0F6-B754-438D-B5C9-BF848D311A0F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{E9D00F06-D948-11D0-BCF7-00C04FC2FB86}\InprocServer32 -> C:\WINDOWS\system32\msdatgrd.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{EADA914E-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{EAEF733D-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\MSCOMCTL.OCX (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{F19F9A95-7A43-4A93-80B0-C9C1FF6F63F9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32 -> C:\WINDOWS\system32\comdlg32.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{F9EF917A-E55E-4242-B205-E778395AC313}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{FAC93D42-FFC2-11d1-9DEB-0008C7A08EBA}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2008\qbw32.exe No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{FB17915F-06D1-4214-A902-CC5EE05186E9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll No File
CustomCLSID: HKU\S-1-5-21-1177238915-1275210071-839522115-1003_Classes\CLSID\{FE38753A-44A3-11D1-B5B7-0000C09000C4}\InprocServer32 -> C:\WINDOWS\system32\MSCOMCT2.OCX (Microsoft Corporation)

==================== Restore Points  =========================

14-11-2014 15:06:58 System Checkpoint
16-11-2014 17:45:00 System Checkpoint
18-11-2014 14:03:09 System Checkpoint
21-11-2014 03:21:43 System Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2007-07-27 04:00 - 2007-07-27 04:00 - 00000734 ____N C:\windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

==================== Loaded Modules (whitelisted) =============

2010-06-06 06:20 - 2010-06-06 06:20 - 00065344 _____ () C:\windows\system32\PDFreDirectMonNT.dll
2004-10-20 04:47 - 2004-10-20 04:47 - 00098304 _____ () C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
2004-10-20 04:47 - 2004-10-20 04:47 - 00147456 _____ () C:\Program Files\Adobe\Photoshop Elements 3.0\platform.dll
2009-04-13 11:44 - 2009-04-13 11:44 - 00755712 _____ () C:\windows\assembly\GAC_32\System.Data.SQLite\1.0.56.0__28c9bcd4dddc48a1\System.Data.SQLite.dll
2009-04-13 11:51 - 2009-04-13 11:51 - 00471040 _____ () C:\windows\assembly\GAC_MSIL\Intuit.Spc.Map.Reporter\4.0.114.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Reporter.dll
2010-04-14 19:02 - 2010-04-14 19:02 - 00854016 _____ () C:\windows\assembly\GAC_32\System.Data.SQLite\1.0.61.0__db937bc2d44ff139\System.Data.SQLite.dll
2010-04-14 19:02 - 2010-04-14 19:02 - 00471040 _____ () C:\windows\assembly\GAC_MSIL\Intuit.Spc.Map.Reporter\5.0.104.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Reporter.dll
2011-03-31 06:56 - 2011-03-31 06:56 - 00476520 _____ () C:\windows\assembly\GAC_MSIL\Intuit.Spc.Map.Reporter\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Reporter.dll
2004-10-20 03:40 - 2004-10-20 03:40 - 00118784 _____ () C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
2007-06-28 08:43 - 2007-06-28 08:43 - 00466944 _____ () C:\WINDOWS\system32\nvshell.dll
2007-09-20 10:21 - 2007-09-20 10:21 - 00040496 _____ () C:\Program Files\Common Files\Pure Networks Shared\Platform\CFireWallCOM.dll
2007-09-20 10:21 - 2007-09-20 10:21 - 00104496 _____ () C:\Program Files\Common Files\Pure Networks Shared\Platform\CAntiVirusCOM.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot => "AlternateShell"=""

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-1177238915-1275210071-839522115-500 - Administrator - Enabled)
Axxxx (S-1-5-21-1177238915-1275210071-839522115-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Axxxx
ASPNET (S-1-5-21-1177238915-1275210071-839522115-1005 - Limited - Enabled)
Guest (S-1-5-21-1177238915-1275210071-839522115-501 - Limited - Enabled)
HelpAssistant (S-1-5-21-1177238915-1275210071-839522115-1000 - Limited - Disabled)
Rxxxxx (S-1-5-21-1177238915-1275210071-839522115-1004 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Rxxxxx
SUPPORT_388945a0 (S-1-5-21-1177238915-1275210071-839522115-1002 - Limited - Disabled)

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (11/21/2014 05:02:21 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x7ff926f4.
Processing media-specific event for [svchost.exe!ws!]

Error: (11/21/2014 05:02:13 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x7ff926f4.
Processing media-specific event for [svchost.exe!ws!]

Error: (11/21/2014 05:02:05 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x7ff926f4.
Processing media-specific event for [svchost.exe!ws!]

Error: (11/21/2014 05:01:57 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x7ff926f4.
Processing media-specific event for [svchost.exe!ws!]

Error: (11/21/2014 05:01:48 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x7ff926f4.
Processing media-specific event for [svchost.exe!ws!]

Error: (11/21/2014 05:01:40 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x7ff926f4.
Processing media-specific event for [svchost.exe!ws!]

Error: (11/21/2014 05:01:32 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x7ff926f4.
Processing media-specific event for [svchost.exe!ws!]

Error: (11/21/2014 05:01:24 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x7ff926f4.
Processing media-specific event for [svchost.exe!ws!]

Error: (11/21/2014 05:01:13 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x7ff926f4.
Processing media-specific event for [svchost.exe!ws!]

Error: (11/21/2014 05:01:05 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x7ff926f4.
Processing media-specific event for [svchost.exe!ws!]


System errors:
=============
Error: (11/21/2014 04:18:14 PM) (Source: Windows Update Agent) (EventID: 16) (User: )
Description: Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Error: (11/18/2014 07:45:04 PM) (Source: Windows Update Agent) (EventID: 16) (User: )
Description: Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Error: (11/15/2014 09:35:46 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (11/15/2014 09:35:44 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AFD
easdrv
epfwtdir
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip

Error: (11/15/2014 09:35:44 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Error: (11/15/2014 09:35:44 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
%%31

Error: (11/15/2014 09:35:44 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31

Error: (11/15/2014 09:35:44 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
%%31

Error: (11/15/2014 09:35:37 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (11/15/2014 01:56:23 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}


Microsoft Office Sessions:
=========================
Error: (11/21/2014 05:02:21 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: svchost.exe5.1.2600.5512unknown0.0.0.07ff926f4

Error: (11/21/2014 05:02:13 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: svchost.exe5.1.2600.5512unknown0.0.0.07ff926f4

Error: (11/21/2014 05:02:05 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: svchost.exe5.1.2600.5512unknown0.0.0.07ff926f4

Error: (11/21/2014 05:01:57 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: svchost.exe5.1.2600.5512unknown0.0.0.07ff926f4

Error: (11/21/2014 05:01:48 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: svchost.exe5.1.2600.5512unknown0.0.0.07ff926f4

Error: (11/21/2014 05:01:40 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: svchost.exe5.1.2600.5512unknown0.0.0.07ff926f4

Error: (11/21/2014 05:01:32 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: svchost.exe5.1.2600.5512unknown0.0.0.07ff926f4

Error: (11/21/2014 05:01:24 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: svchost.exe5.1.2600.5512unknown0.0.0.07ff926f4

Error: (11/21/2014 05:01:13 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: svchost.exe5.1.2600.5512unknown0.0.0.07ff926f4

Error: (11/21/2014 05:01:05 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: svchost.exe5.1.2600.5512unknown0.0.0.07ff926f4


==================== Memory info ===========================

Processor: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz
Percentage of memory in use: 18%
Total physical RAM: 3071.28 MB
Available physical RAM: 2514.99 MB
Total Pagefile: 4956.77 MB
Available Pagefile: 4523.77 MB
Total Virtual: 2047.88 MB
Available Virtual: 1935.94 MB

==================== Drives ================================

Drive c: (ARC3_C) (Fixed) (Total:298.08 GB) (Free:18.58 GB) NTFS
Drive d: (ARC3_D) (Fixed) (Total:465.76 GB) (Free:308.78 GB) NTFS
Drive i: () (Removable) (Total:1.88 GB) (Free:1.7 GB) FAT

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 298.1 GB) (Disk ID: 164F164E)
Partition 1: (Active) - (Size=298.1 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 465.8 GB) (Disk ID: 36260964)
Partition 1: (Not Active) - (Size=465.8 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 1.9 GB) (Disk ID: C96CC96C)
Partition 1: (Active) - (Size=1.9 GB) - (Type=0E)

==================== End Of Log ============================



#4 mrdrifter (Topic Starter)

Posted 21 November 2014 - 08:34 PM

Here is the FRST.txt log that accompanied the Addition.txt file in the preceding post.
======================================
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-11-2014 01
Ran by Axxxxx (administrator) on ARC3 on 21-11-2014 17:01:13
Running from C:\Documents and Settings\Axxxxx\Desktop
Loaded Profile: Axxxxx (Available profiles: Axxxxx & Rxxxxx)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 7
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
() C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
(Cyber Power Systems, Inc.) C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
(Pure Networks, Inc.) C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(Pure Networks, Inc.) C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Cyber Power Systems, Inc.) C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(SEIKO EPSON CORPORATION) C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIFEA.EXE
(Akamai Technologies, Inc.) C:\Documents and Settings\Axxxxx\Local Settings\Application Data\Akamai\netsession_win.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(Akamai Technologies, Inc.) C:\Documents and Settings\Axxxxx\Local Settings\Application Data\Akamai\netsession_win.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDCPL] => C:\windows\RTHDCPL.EXE [16380416 2007-07-05] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Alcmtr] => C:\windows\ALCMTR.EXE [69632 2005-05-03] (Realtek Semiconductor Corp.)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [nwiz] => nwiz.exe /install
HKLM\...\Run: [WinSys2] => C:\WINDOWS\system32\winsys2.exe [208896 2006-04-28] ()
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [NeroFilterCheck] => C:\WINDOWS\system32\NeroCheck.exe [155648 2006-01-12] (Nero AG)
HKLM\...\Run: [nmctxth] => C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe [451896 2007-10-01] (Pure Networks, Inc.)
HKLM\...\Run: [BluetoothAuthenticationAgent] => rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [1461080 2009-10-07] (ESET)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [BrStsWnd] => C:\Program Files\Brownie\BrstsWnd.exe [3618104 2009-08-19] (brother)
HKLM\...\Run: [PowerPanel Personal Edition User Interaction] => C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe [350184 2012-08-03] (Cyber Power Systems, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
HKU\S-1-5-21-1177238915-1275210071-839522115-1003\...\Run: [NVIDIA nTune] => C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe [81920 2007-06-26] (NVIDIA)
HKU\S-1-5-21-1177238915-1275210071-839522115-1003\...\Run: [EPSON WorkForce 1100 Series] => C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFEA.EXE [199680 2009-01-06] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-1177238915-1275210071-839522115-1003\...\Run: [Akamai NetSession Interface] => C:\Documents and Settings\Axxxxx\Local Settings\Application Data\Akamai\netsession_win.exe [4673432 2014-10-29] (Akamai Technologies, Inc.)
HKU\S-1-5-21-1177238915-1275210071-839522115-1003\...\MountPoints2: I - I:\LaunchU3.exe -a
HKU\S-1-5-18\...\Policies\Explorer: [NoDriveTypeAutoRun] 0x91000000
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
SearchScopes: HKCU - DefaultScope {3F29B8F3-B1B1-4372-AA14-3B732494428D} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKCU - {3F29B8F3-B1B1-4372-AA14-3B732494428D} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp3.dll (Pure Networks, Inc.)
Tcpip\..\Interfaces\{18EFE0A7-C317-4AE1-B99C-D9F49EC22A49}: [NameServer] 8.8.8.8,8.8.4.4

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Axxxxx\Application Data\Mozilla\Firefox\Profiles\bagby20l.default
FF Homepage: hxxp://my.yahoo.com/
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF32_15_0_0_189.dll ()
FF Plugin: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\cgpcfg.dll (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\CgpCore.dll ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\confmgr.dll ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\ctxmui.dll (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\icafile.dll (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\icalogon.dll (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\logging.dll ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npicaN.dll ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\sslsdk_b.dll (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\TcpPServ.dll ()
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\ddg.xml
FF Extension: Locationbar² - C:\Documents and Settings\Axxxxx\Application Data\Mozilla\Firefox\Profiles\bagby20l.default\Extensions\locationbar2@design-noir.de [2011-03-02]
FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\Axxxxx\Application Data\Mozilla\Firefox\Profiles\bagby20l.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010-11-28]
FF Extension: New Tab Homepage - C:\Documents and Settings\Axxxxx\Application Data\Mozilla\Firefox\Profiles\bagby20l.default\Extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467} [2011-01-04]
FF Extension: Adblock Plus - C:\Documents and Settings\Axxxxx\Application Data\Mozilla\Firefox\Profiles\bagby20l.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-11-12]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2014-11-10]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2014-11-10]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} [2014-11-10]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-04-14]

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AdobeActiveFileMonitor; C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [98304 2004-10-20] () [File not signed]
S3 EhttpSrv; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [20680 2009-10-07] (ESET)
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [472280 2009-10-07] (ESET)
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-10-17] (Oracle Corporation)
S3 nmraapache; C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe [12800 2007-10-29] (Pure Networks, Inc.) [File not signed]
R2 nmservice; C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe [451896 2007-10-01] (Pure Networks, Inc.)
R2 NVSvc; C:\windows\system32\nvsvc32.exe [155716 2007-06-28] (NVIDIA Corporation) [File not signed]
R2 PhotoshopElementsDeviceConnect; C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [118784 2004-10-20] () [File not signed]
R2 ppped; C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe [1017832 2012-08-03] (Cyber Power Systems, Inc.)
S3 Serviio; C:\Program Files\Serviio\bin\ServiioService.exe [327680 2013-12-20] () [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 BrPar; C:\windows\System32\drivers\BrPar.sys [19537 2000-07-24] (Brother Industries Ltd.) [File not signed]
R2 eamon; C:\windows\System32\DRIVERS\eamon.sys [40824 2009-10-07] (ESET)
R1 easdrv; C:\windows\System32\DRIVERS\easdrv.sys [54184 2009-10-07] (ESET)
R1 epfwtdir; C:\windows\System32\DRIVERS\epfwtdir.sys [35168 2009-10-07] ()
S3 GcKernel; C:\windows\System32\DRIVERS\GcKernel.sys [59136 2008-04-13] (Microsoft Corporation)
R0 giveio; C:\windows\System32\giveio.sys [5248 1996-04-03] () [File not signed]
S3 HIDSwvd; C:\windows\System32\DRIVERS\HIDSwvd.sys [2688 2001-08-17] (Microsoft Corporation)
S3 n558; C:\windows\System32\Drivers\n558.sys [9600 2007-08-15] ()
R3 nv; C:\windows\System32\DRIVERS\nv4_mini.sys [6807328 2007-06-28] (NVIDIA Corporation) [File not signed]
R0 nvatabus; C:\windows\System32\drivers\nvatabus.sys [105472 2006-10-18] (NVIDIA Corporation)
R3 NVENETFD; C:\windows\System32\DRIVERS\NVENETFD.sys [62592 2006-11-19] (NVIDIA Corporation)
R3 nvnetbus; C:\windows\System32\DRIVERS\nvnetbus.sys [19968 2006-11-19] (NVIDIA Corporation)
R3 pcouffin; C:\windows\System32\Drivers\pcouffin.sys [47360 2008-12-24] (VSO Software) [File not signed]
R2 pnarp; C:\windows\System32\DRIVERS\pnarp.sys [23864 2007-09-20] (Pure Networks, Inc.)
R2 purendis; C:\windows\System32\DRIVERS\purendis.sys [24888 2007-09-20] (Pure Networks, Inc.)
R0 PxHelp20; C:\windows\System32\Drivers\PxHelp20.sys [20176 2007-11-29] (Sonic Solutions) [File not signed]
R0 Si3531; C:\windows\System32\DRIVERS\Si3531.sys [210224 2006-11-17] (Silicon Image, Inc)
R0 SiFilter; C:\windows\System32\DRIVERS\SiWinAcc.sys [10368 2004-10-31] (Silicon Image, Inc.)
R0 SiRemFil; C:\windows\System32\DRIVERS\SiRemFil.sys [5504 2006-10-17] (Silicon Image, Inc.)
R0 speedfan; C:\windows\System32\speedfan.sys [5248 2006-09-24] (Windows ® 2000 DDK provider) [File not signed]
S3 GMSIPCI; \??\G:\INSTALL\GMSIPCI.SYS [X]
S4 IntelIde; No ImagePath
U5 ScsiPort; C:\windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-21 17:01 - 2014-11-21 17:01 - 00015219 _____ () C:\Documents and Settings\Axxxxx\Desktop\FRST.txt
2014-11-21 17:00 - 2014-11-15 11:55 - 01108480 _____ (Farbar) C:\Documents and Settings\Axxxxx\Desktop\FRST.exe
2014-11-21 16:28 - 2014-11-16 08:44 - 00688992 _____ (Swearware) C:\Documents and Settings\Axxxxx\Desktop\Copy of dds.com
2014-11-20 18:53 - 2014-11-20 19:11 - 03789557 _____ () C:\arc3-hashes.xml
2014-11-20 10:47 - 2014-11-20 19:11 - 00005546 _____ () C:\fciv.err
2014-11-20 10:47 - 2004-05-13 05:26 - 00084784 _____ () C:\fciv.exe
2014-11-18 04:49 - 2008-04-14 04:42 - 00135680 _____ (Microsoft Corporation) C:\windows\system32\jose.exe
2014-11-16 08:50 - 2014-11-16 08:44 - 00688992 _____ (Swearware) C:\Documents and Settings\Axxxxx\Desktop\dds.com
2014-11-15 16:57 - 2014-11-16 09:23 - 00204288 _____ () C:\Documents and Settings\Axxxxx\Desktop\ErrorMessages1.ppt
2014-11-15 16:30 - 2014-11-15 16:43 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HitmanPro
2014-11-15 16:29 - 2014-11-15 14:35 - 10284408 _____ (SurfRight B.V.) C:\Documents and Settings\Axxxxx\Desktop\HitmanPro.exe
2014-11-15 04:49 - 2014-11-21 17:01 - 00000000 ____D () C:\FRST
2014-11-14 16:11 - 2014-11-14 16:43 - 00013654 _____ () C:\Documents and Settings\Axxxxx\Desktop\Rkill.txt
2014-11-14 13:19 - 2014-11-15 04:20 - 00000000 ____D () C:\Kaspersky Rescue Disk 10.0
2014-11-14 08:25 - 2014-11-14 08:25 - 00000000 ____D () C:\windows\pss
2014-11-14 08:07 - 2014-11-14 15:50 - 00000000 ____D () C:\Documents and Settings\Axxxxx\Desktop\RKill
2014-11-14 08:07 - 2014-11-14 15:48 - 04184008 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\Axxxxx\Desktop\tdsskiller.exe
2014-11-14 08:07 - 2014-11-14 15:47 - 01944824 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Axxxxx\Desktop\rkill.com
2014-11-14 08:07 - 2014-11-14 15:46 - 01944824 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Axxxxx\Desktop\rkill.exe
2014-11-14 08:07 - 2014-11-14 15:46 - 01944824 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Axxxxx\Desktop\iExplore.exe
2014-11-13 18:57 - 2014-11-13 18:58 - 02748387 _____ () C:\Documents and Settings\Axxxxx\Desktop\03 Track 3.wma
2014-11-13 18:57 - 2014-11-13 18:57 - 03632835 _____ () C:\Documents and Settings\Axxxxx\Desktop\02 Track 2.wma
2014-11-10 19:31 - 2014-11-10 19:31 - 00000000 ____D () C:\Program Files\Mozilla Firefox

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-21 17:02 - 2007-11-26 09:37 - 00000000 ____D () C:\Documents and Settings\Axxxxx\Local Settings\Temp
2014-11-21 16:59 - 2007-11-26 09:31 - 01258801 _____ () C:\windows\WindowsUpdate.log
2014-11-21 16:58 - 2007-07-27 04:00 - 00013756 _____ () C:\windows\system32\wpa.dbl
2014-11-21 16:57 - 2014-03-22 05:18 - 00000224 _____ () C:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-11-21 16:57 - 2013-11-29 07:16 - 00000000 ____D () C:\Program Files\CyberPower PowerPanel Personal Edition
2014-11-21 16:57 - 2007-11-26 09:35 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2014-11-21 16:57 - 2007-11-26 01:26 - 00000159 _____ () C:\windows\wiadebug.log
2014-11-21 16:57 - 2007-11-26 01:26 - 00000050 _____ () C:\windows\wiaservc.log
2014-11-21 16:56 - 2007-11-26 09:35 - 00032654 _____ () C:\windows\SchedLgU.Txt
2014-11-20 18:51 - 2007-12-06 09:55 - 00000000 ____D () C:\Program Files\DOSBox-0.72
2014-11-17 05:51 - 2007-11-29 16:38 - 00000000 ____D () C:\Documents and Settings\Axxxxx\My Documents\arc
2014-11-16 09:01 - 2007-07-27 04:00 - 00000709 _____ () C:\windows\win.ini
2014-11-15 21:35 - 2007-11-26 09:37 - 00000278 ___SH () C:\Documents and Settings\Axxxxx\ntuser.ini
2014-11-15 16:45 - 2007-11-30 07:40 - 00002483 _____ () C:\Documents and Settings\Axxxxx\Start Menu\PowerPoint 2003.lnk
2014-11-14 07:06 - 2007-11-26 09:31 - 00000000 ____D () C:\windows\system32\Restore
2014-11-13 19:20 - 2012-08-17 16:06 - 00000000 ____D () C:\Documents and Settings\Axxxxx\Desktop\NewsClips
2014-11-13 19:04 - 2008-08-06 14:10 - 00000000 ____D () C:\Program Files\Nancy Drew
2014-11-13 19:04 - 2007-11-26 18:54 - 00000000 ___HD () C:\Program Files\InstallShield Installation Information
2014-11-13 18:35 - 2012-11-22 07:31 - 00000000 ____D () C:\Documents and Settings\Axxxxx\Local Settings\Application Data\Akamai
2014-11-13 08:06 - 2014-10-05 15:32 - 00008463 _____ () C:\windows\wmsetup.log
2014-11-11 19:04 - 2013-08-15 15:31 - 00000000 ____D () C:\windows\system32\MRT
2014-11-11 19:01 - 2007-11-28 20:10 - 100445232 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2014-11-11 12:23 - 2012-04-27 12:41 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-11-11 08:54 - 2007-11-29 07:27 - 00000234 _____ () C:\windows\Brownie.ini
2014-11-10 09:10 - 2011-10-29 04:42 - 00002497 _____ () C:\Documents and Settings\Axxxxx\Start Menu\Word 2003.lnk
2014-11-09 18:59 - 2007-12-01 20:06 - 00000000 ____D () C:\Documents and Settings\Axxxxx\Application Data\foobar2000
2014-11-09 07:58 - 2008-11-27 09:27 - 00002467 _____ () C:\Documents and Settings\All Users\Start Menu\ABBYY FineReader 6.0 Sprint.lnk
2014-11-08 17:46 - 2008-03-25 17:01 - 00000000 ____D () C:\Documents and Settings\Axxxxx\My Documents\Scanner
2014-11-08 15:00 - 2014-03-22 05:18 - 00000218 _____ () C:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-11-07 16:12 - 2007-11-29 07:27 - 00000426 _____ () C:\windows\BRWMARK.INI
2014-11-04 21:04 - 2012-07-31 18:10 - 00000000 ____D () C:\Documents and Settings\Axxxxx\Desktop\Medieval
2014-11-02 05:39 - 2007-11-26 01:25 - 00576486 _____ () C:\windows\system32\PerfStringBackup.INI
2014-10-27 06:30 - 2007-11-30 07:40 - 00002495 _____ () C:\Documents and Settings\Axxxxx\Start Menu\Excel 2003.lnk

Files to move or delete:
====================
C:\Documents and Settings\Axxxxx\jagex_cl_runescape_LIVE.dat
C:\Documents and Settings\Axxxxx\jagex_runescape_preferences.dat
C:\Documents and Settings\Axxxxx\jagex_runescape_preferences2.dat
C:\Documents and Settings\Axxxxx\jagex__preferences3.dat


Some content of TEMP:
====================
C:\Documents and Settings\Axxxxx\Local Settings\Temp\AdobeUpdater12345.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\Install_PDFR_Pro_v250.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u14-windows-i586-iftw-rv.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u15-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u16-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u17-windows-i586-iftw-rv.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u18-windows-i586-iftw-rv.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u20-windows-i586-iftw-rv.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u21-windows-i586-iftw-rv_6f82dccf.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u22-windows-i586-iftw-rv.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u23-windows-i586-iftw-rv.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u29-windows-i586-iftw-rv.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u31-windows-i586-iftw-rv.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u33-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u35-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u37-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u39-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-7u15-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-7u17-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-7u21-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-7u25-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-7u45-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-7u51-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-7u55-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-7u65-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-7u67-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-7u71-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\_is1.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\_is12.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\_is13.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\_is1641.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\_is168.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\_is185.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\_is1C4.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\_is2.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\_isEAF.exe
C:\Documents and Settings\Rxxxxx\Local Settings\Temp\setup_wm.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\windows\explorer.exe => File is digitally signed
C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================



#5 mrdrifter

mrdrifter
  • Topic Starter

  • Members
  • 12 posts
  • Gender:Male
  • Local time:07:59 PM

Posted 25 November 2014 - 10:03 PM

Major progress!  We stopped the recycling malware process termination.  Here's what we did (but this didn't clean the system):

Using MD5, we checked the hashes of the dll files that the Dr Watson log said were loaded when Dr Watson terminated the svchost.exe process.  In our review, kernel32.dll raised suspicion because its hash (using MD5) was different from what we saw on our 2 reference systems.  We copied kernel32.dll from one of the reference systems to the c:\windows\system32 and the c:\windows\system32\dllcache directories.  Rebooting in normal mode, the malware did not initiate.  Also, we are now able to boot in safe mode.

Please help us take the right steps to purge the computer of the remnants of this malware.  Many thanks for your help!
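The hash comparison described in the post above, as an added example that is not part of the thread: it hashes a set of system DLLs and compares them against a reference manifest taken from a known-clean machine, reporting matches, mismatches and missing files. The manifest format (md5sum-style lines), the file names and the temporary directory tree are constructed for the example; a real comparison only means something when the reference systems are at the same service pack and patch level, because a legitimate update also changes the hash.

```python
import hashlib
import tempfile
from pathlib import Path


def md5_of_file(path):
    """Return the hex MD5 of a file, reading in chunks so large DLLs fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(text):
    """Parse a reference manifest of '<md5>  <relative path>' lines (assumed format,
    modelled on md5sum output) into a dict keyed by relative path."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        manifest[rel.strip()] = digest.lower()
    return manifest


def compare_against_reference(root, manifest):
    """Hash every file named in the manifest under `root` and classify it.

    Returns a dict with three lists: 'match', 'mismatch' and 'missing'.
    A mismatch only says the file differs from the reference copy; whether that
    is tampering or a different patch level is for the analyst to decide.
    """
    result = {"match": [], "mismatch": [], "missing": []}
    for rel, expected in manifest.items():
        path = Path(root) / rel
        if not path.is_file():
            result["missing"].append(rel)
            continue
        actual = md5_of_file(path)
        if actual == expected:
            result["match"].append(rel)
        else:
            result["mismatch"].append((rel, expected, actual))
    return result


def build_demo_tree():
    """Create a constructed stand-in for two machines: a clean reference tree and
    a suspect tree in which one DLL was altered. Returns (suspect_dir, manifest_text)."""
    base = Path(tempfile.mkdtemp(prefix="dllcheck_"))
    reference = base / "reference" / "system32"
    suspect = base / "suspect" / "system32"
    reference.mkdir(parents=True)
    suspect.mkdir(parents=True)
    # Constructed placeholder contents; real DLLs are binaries, these are not.
    files = {
        "kernel32.dll": b"MZ reference kernel32 content",
        "user32.dll": b"MZ reference user32 content",
        "ntdll.dll": b"MZ reference ntdll content",
    }
    for name, content in files.items():
        (reference / name).write_bytes(content)
        (suspect / name).write_bytes(content)
    # The suspect copy of kernel32.dll differs from the reference (constructed).
    (suspect / "kernel32.dll").write_bytes(b"MZ patched kernel32 content")
    # user32.dll is absent on the suspect machine, to exercise the 'missing' case.
    (suspect / "user32.dll").unlink()
    manifest_lines = ["# reference hashes taken on the clean machine"]
    for name in files:
        manifest_lines.append(f"{md5_of_file(reference / name)}  {name}")
    return suspect, "\n".join(manifest_lines)


def run_demo():
    """Build the demo tree, run the comparison and print a short report."""
    suspect, manifest_text = build_demo_tree()
    report = compare_against_reference(suspect, load_manifest(manifest_text))
    for rel in report["match"]:
        print(f"OK        {rel}")
    for rel in report["missing"]:
        print(f"MISSING   {rel}")
    for rel, expected, actual in report["mismatch"]:
        print(f"MISMATCH  {rel}: reference {expected} != local {actual}")
    return report


if __name__ == "__main__":
    run_demo()
```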



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,242 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:59 PM

Posted 26 November 2014 - 09:12 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
 
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
 
Please run the Farbar tool in normal mode and post a fresh log for my review.
 
Wait for further instructions.


#7 mrdrifter

mrdrifter
  • Topic Starter

  • Members
  • 12 posts
  • Gender:Male
  • Local time:07:59 PM

Posted 26 November 2014 - 10:08 AM

Many thanks for your help, nasdaq.  Here's the FRST scan:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-11-2014 01 (ATTENTION: ====> FRST version is 13 days old and could be outdated)
Ran by Axxxxx (administrator) on ARC3 on 26-11-2014 06:56:45
Running from C:\Documents and Settings\Axxxxx\Desktop
Loaded Profile: Axxxxx (Available profiles: Axxxxx & Rxxxxx)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 7
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
() C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
(Cyber Power Systems, Inc.) C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
(Pure Networks, Inc.) C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(Pure Networks, Inc.) C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Cyber Power Systems, Inc.) C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(SEIKO EPSON CORPORATION) C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIFEA.EXE
(Akamai Technologies, Inc.) C:\Documents and Settings\Axxxxx\Local Settings\Application Data\Akamai\netsession_win.exe
(Akamai Technologies, Inc.) C:\Documents and Settings\Axxxxx\Local Settings\Application Data\Akamai\netsession_win.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDCPL] => C:\windows\RTHDCPL.EXE [16380416 2007-07-05] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Alcmtr] => C:\windows\ALCMTR.EXE [69632 2005-05-03] (Realtek Semiconductor Corp.)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [nwiz] => nwiz.exe /install
HKLM\...\Run: [WinSys2] => C:\WINDOWS\system32\winsys2.exe [208896 2006-04-28] ()
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [NeroFilterCheck] => C:\WINDOWS\system32\NeroCheck.exe [155648 2006-01-12] (Nero AG)
HKLM\...\Run: [nmctxth] => C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe [451896 2007-10-01] (Pure Networks, Inc.)
HKLM\...\Run: [BluetoothAuthenticationAgent] => rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [1461080 2009-10-07] (ESET)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [BrStsWnd] => C:\Program Files\Brownie\BrstsWnd.exe [3618104 2009-08-19] (brother)
HKLM\...\Run: [PowerPanel Personal Edition User Interaction] => C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe [350184 2012-08-03] (Cyber Power Systems, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
HKU\S-1-5-21-1177238915-1275210071-839522115-1003\...\Run: [NVIDIA nTune] => C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe [81920 2007-06-26] (NVIDIA)
HKU\S-1-5-21-1177238915-1275210071-839522115-1003\...\Run: [EPSON WorkForce 1100 Series] => C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFEA.EXE [199680 2009-01-06] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-1177238915-1275210071-839522115-1003\...\Run: [Akamai NetSession Interface] => C:\Documents and Settings\Axxxxx\Local Settings\Application Data\Akamai\netsession_win.exe [4673432 2014-10-29] (Akamai Technologies, Inc.)
HKU\S-1-5-21-1177238915-1275210071-839522115-1003\...\MountPoints2: I - I:\LaunchU3.exe -a
HKU\S-1-5-18\...\Policies\Explorer: [NoDriveTypeAutoRun] 0x91000000
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
SearchScopes: HKCU - DefaultScope {3F29B8F3-B1B1-4372-AA14-3B732494428D} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKCU - {3F29B8F3-B1B1-4372-AA14-3B732494428D} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp3.dll (Pure Networks, Inc.)
Tcpip\..\Interfaces\{18EFE0A7-C317-4AE1-B99C-D9F49EC22A49}: [NameServer] 8.8.8.8,8.8.4.4

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Axxxxx\Application Data\Mozilla\Firefox\Profiles\bagby20l.default
FF Homepage: hxxp://my.yahoo.com/
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF32_15_0_0_189.dll ()
FF Plugin: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\cgpcfg.dll (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\CgpCore.dll ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\confmgr.dll ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\ctxmui.dll (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\icafile.dll (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\icalogon.dll (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\logging.dll ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npicaN.dll ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\sslsdk_b.dll (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\TcpPServ.dll ()
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\ddg.xml
FF Extension: Locationbar² - C:\Documents and Settings\Axxxxx\Application Data\Mozilla\Firefox\Profiles\bagby20l.default\Extensions\locationbar2@design-noir.de [2011-03-02]
FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\Axxxxx\Application Data\Mozilla\Firefox\Profiles\bagby20l.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010-11-28]
FF Extension: New Tab Homepage - C:\Documents and Settings\Axxxxx\Application Data\Mozilla\Firefox\Profiles\bagby20l.default\Extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467} [2011-01-04]
FF Extension: Adblock Plus - C:\Documents and Settings\Axxxxx\Application Data\Mozilla\Firefox\Profiles\bagby20l.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-11-12]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2014-11-10]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2014-11-10]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} [2014-11-10]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-04-14]

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AdobeActiveFileMonitor; C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [98304 2004-10-20] () [File not signed]
S3 EhttpSrv; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [20680 2009-10-07] (ESET)
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [472280 2009-10-07] (ESET)
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-10-17] (Oracle Corporation)
S3 nmraapache; C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe [12800 2007-10-29] (Pure Networks, Inc.) [File not signed]
R2 nmservice; C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe [451896 2007-10-01] (Pure Networks, Inc.)
R2 NVSvc; C:\windows\system32\nvsvc32.exe [155716 2007-06-28] (NVIDIA Corporation) [File not signed]
R2 PhotoshopElementsDeviceConnect; C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [118784 2004-10-20] () [File not signed]
R2 ppped; C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe [1017832 2012-08-03] (Cyber Power Systems, Inc.)
S3 Serviio; C:\Program Files\Serviio\bin\ServiioService.exe [327680 2013-12-20] () [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 BrPar; C:\windows\System32\drivers\BrPar.sys [19537 2000-07-24] (Brother Industries Ltd.) [File not signed]
R2 eamon; C:\windows\System32\DRIVERS\eamon.sys [40824 2009-10-07] (ESET)
R1 easdrv; C:\windows\System32\DRIVERS\easdrv.sys [54184 2009-10-07] (ESET)
R1 epfwtdir; C:\windows\System32\DRIVERS\epfwtdir.sys [35168 2009-10-07] ()
S3 GcKernel; C:\windows\System32\DRIVERS\GcKernel.sys [59136 2008-04-13] (Microsoft Corporation)
R0 giveio; C:\windows\System32\giveio.sys [5248 1996-04-03] () [File not signed]
S3 HIDSwvd; C:\windows\System32\DRIVERS\HIDSwvd.sys [2688 2001-08-17] (Microsoft Corporation)
S3 n558; C:\windows\System32\Drivers\n558.sys [9600 2007-08-15] ()
R3 nv; C:\windows\System32\DRIVERS\nv4_mini.sys [6807328 2007-06-28] (NVIDIA Corporation) [File not signed]
R0 nvatabus; C:\windows\System32\drivers\nvatabus.sys [105472 2006-10-18] (NVIDIA Corporation)
R3 NVENETFD; C:\windows\System32\DRIVERS\NVENETFD.sys [62592 2006-11-19] (NVIDIA Corporation)
R3 nvnetbus; C:\windows\System32\DRIVERS\nvnetbus.sys [19968 2006-11-19] (NVIDIA Corporation)
R3 pcouffin; C:\windows\System32\Drivers\pcouffin.sys [47360 2008-12-24] (VSO Software) [File not signed]
R2 pnarp; C:\windows\System32\DRIVERS\pnarp.sys [23864 2007-09-20] (Pure Networks, Inc.)
R2 purendis; C:\windows\System32\DRIVERS\purendis.sys [24888 2007-09-20] (Pure Networks, Inc.)
R0 PxHelp20; C:\windows\System32\Drivers\PxHelp20.sys [20176 2007-11-29] (Sonic Solutions) [File not signed]
R0 Si3531; C:\windows\System32\DRIVERS\Si3531.sys [210224 2006-11-17] (Silicon Image, Inc)
R0 SiFilter; C:\windows\System32\DRIVERS\SiWinAcc.sys [10368 2004-10-31] (Silicon Image, Inc.)
R0 SiRemFil; C:\windows\System32\DRIVERS\SiRemFil.sys [5504 2006-10-17] (Silicon Image, Inc.)
R0 speedfan; C:\windows\System32\speedfan.sys [5248 2006-09-24] (Windows ® 2000 DDK provider) [File not signed]
S3 GMSIPCI; \??\G:\INSTALL\GMSIPCI.SYS [X]
S4 IntelIde; No ImagePath
U5 ScsiPort; C:\windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-26 06:56 - 2014-11-26 06:57 - 00015307 _____ () C:\Documents and Settings\Axxxxx\Desktop\FRST.txt
2014-11-21 17:02 - 2014-11-21 17:09 - 00052845 _____ () C:\Documents and Settings\Axxxxx\Desktop\Addition_Norm_20141121.txt
2014-11-21 17:01 - 2014-11-21 17:09 - 00025442 _____ () C:\Documents and Settings\Axxxxx\Desktop\FRST_Norm_20141121.txt
2014-11-21 17:00 - 2014-11-15 11:55 - 01108480 _____ (Farbar) C:\Documents and Settings\Axxxxx\Desktop\FRST.exe
2014-11-21 16:28 - 2014-11-16 08:44 - 00688992 _____ (Swearware) C:\Documents and Settings\Axxxxx\Desktop\Copy of dds.com
2014-11-20 18:53 - 2014-11-20 19:11 - 03789557 _____ () C:\arc3-hashes.xml
2014-11-20 10:47 - 2014-11-20 19:11 - 00005546 _____ () C:\fciv.err
2014-11-20 10:47 - 2004-05-13 05:26 - 00084784 _____ () C:\fciv.exe
2014-11-18 04:49 - 2008-04-14 04:42 - 00135680 _____ (Microsoft Corporation) C:\windows\system32\jose.exe
2014-11-16 08:50 - 2014-11-16 08:44 - 00688992 _____ (Swearware) C:\Documents and Settings\Axxxxx\Desktop\dds.com
2014-11-15 16:57 - 2014-11-16 09:23 - 00204288 _____ () C:\Documents and Settings\Axxxxx\Desktop\ErrorMessages1.ppt
2014-11-15 16:30 - 2014-11-15 16:43 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HitmanPro
2014-11-15 16:29 - 2014-11-15 14:35 - 10284408 _____ (SurfRight B.V.) C:\Documents and Settings\Axxxxx\Desktop\HitmanPro.exe
2014-11-15 04:49 - 2014-11-26 06:56 - 00000000 ____D () C:\FRST
2014-11-14 16:11 - 2014-11-14 16:43 - 00013654 _____ () C:\Documents and Settings\Axxxxx\Desktop\Rkill.txt
2014-11-14 13:19 - 2014-11-15 04:20 - 00000000 ____D () C:\Kaspersky Rescue Disk 10.0
2014-11-14 08:25 - 2014-11-14 08:25 - 00000000 ____D () C:\windows\pss
2014-11-14 08:07 - 2014-11-14 15:50 - 00000000 ____D () C:\Documents and Settings\Axxxxx\Desktop\RKill
2014-11-14 08:07 - 2014-11-14 15:48 - 04184008 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\Axxxxx\Desktop\tdsskiller.exe
2014-11-14 08:07 - 2014-11-14 15:47 - 01944824 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Axxxxx\Desktop\rkill.com
2014-11-14 08:07 - 2014-11-14 15:46 - 01944824 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Axxxxx\Desktop\rkill.exe
2014-11-14 08:07 - 2014-11-14 15:46 - 01944824 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Axxxxx\Desktop\iExplore.exe
2014-11-13 18:57 - 2014-11-13 18:58 - 02748387 _____ () C:\Documents and Settings\Axxxxx\Desktop\03 Track 3.wma
2014-11-13 18:57 - 2014-11-13 18:57 - 03632835 _____ () C:\Documents and Settings\Axxxxx\Desktop\02 Track 2.wma
2014-11-10 19:31 - 2014-11-10 19:31 - 00000000 ____D () C:\Program Files\Mozilla Firefox

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-26 06:57 - 2007-11-26 09:37 - 00000000 ____D () C:\Documents and Settings\Axxxxx\Local Settings\Temp
2014-11-26 06:54 - 2014-03-22 05:18 - 00000224 _____ () C:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-11-26 06:54 - 2007-07-27 04:00 - 00013756 _____ () C:\windows\system32\wpa.dbl
2014-11-26 06:53 - 2013-11-29 07:16 - 00000000 ____D () C:\Program Files\CyberPower PowerPanel Personal Edition
2014-11-26 06:53 - 2007-11-26 09:35 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2014-11-26 06:53 - 2007-11-26 09:31 - 01362694 _____ () C:\windows\WindowsUpdate.log
2014-11-26 06:53 - 2007-11-26 01:26 - 00000159 _____ () C:\windows\wiadebug.log
2014-11-26 06:53 - 2007-11-26 01:26 - 00000050 _____ () C:\windows\wiaservc.log
2014-11-25 21:27 - 2007-11-26 09:35 - 00032654 _____ () C:\windows\SchedLgU.Txt
2014-11-25 19:44 - 2007-07-27 04:00 - 00000709 _____ () C:\windows\win.ini
2014-11-25 17:51 - 2007-11-26 09:37 - 00000278 ___SH () C:\Documents and Settings\Axxxxx\ntuser.ini
2014-11-25 09:01 - 2011-10-29 04:42 - 00002497 _____ () C:\Documents and Settings\Axxxxx\Start Menu\Word 2003.lnk
2014-11-20 18:51 - 2007-12-06 09:55 - 00000000 ____D () C:\Program Files\DOSBox-0.72
2014-11-17 05:51 - 2007-11-29 16:38 - 00000000 ____D () C:\Documents and Settings\Axxxxx\My Documents\arc
2014-11-15 16:45 - 2007-11-30 07:40 - 00002483 _____ () C:\Documents and Settings\Axxxxx\Start Menu\PowerPoint 2003.lnk
2014-11-14 07:06 - 2007-11-26 09:31 - 00000000 ____D () C:\windows\system32\Restore
2014-11-13 19:20 - 2012-08-17 16:06 - 00000000 ____D () C:\Documents and Settings\Axxxxx\Desktop\NewsClips
2014-11-13 19:04 - 2008-08-06 14:10 - 00000000 ____D () C:\Program Files\Nancy Drew
2014-11-13 19:04 - 2007-11-26 18:54 - 00000000 ___HD () C:\Program Files\InstallShield Installation Information
2014-11-13 18:35 - 2012-11-22 07:31 - 00000000 ____D () C:\Documents and Settings\Axxxxx\Local Settings\Application Data\Akamai
2014-11-13 08:06 - 2014-10-05 15:32 - 00008463 _____ () C:\windows\wmsetup.log
2014-11-11 19:04 - 2013-08-15 15:31 - 00000000 ____D () C:\windows\system32\MRT
2014-11-11 19:01 - 2007-11-28 20:10 - 100445232 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2014-11-11 12:23 - 2012-04-27 12:41 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-11-11 08:54 - 2007-11-29 07:27 - 00000234 _____ () C:\windows\Brownie.ini
2014-11-09 18:59 - 2007-12-01 20:06 - 00000000 ____D () C:\Documents and Settings\Axxxxx\Application Data\foobar2000
2014-11-09 07:58 - 2008-11-27 09:27 - 00002467 _____ () C:\Documents and Settings\All Users\Start Menu\ABBYY FineReader 6.0 Sprint.lnk
2014-11-08 17:46 - 2008-03-25 17:01 - 00000000 ____D () C:\Documents and Settings\Axxxxx\My Documents\Scanner
2014-11-08 15:00 - 2014-03-22 05:18 - 00000218 _____ () C:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-11-07 16:12 - 2007-11-29 07:27 - 00000426 _____ () C:\windows\BRWMARK.INI
2014-11-04 21:04 - 2012-07-31 18:10 - 00000000 ____D () C:\Documents and Settings\Axxxxx\Desktop\Medieval
2014-11-02 05:39 - 2007-11-26 01:25 - 00576486 _____ () C:\windows\system32\PerfStringBackup.INI
2014-10-27 06:30 - 2007-11-30 07:40 - 00002495 _____ () C:\Documents and Settings\Axxxxx\Start Menu\Excel 2003.lnk

Files to move or delete:
====================
C:\Documents and Settings\Axxxxx\jagex_cl_runescape_LIVE.dat
C:\Documents and Settings\Axxxxx\jagex_runescape_preferences.dat
C:\Documents and Settings\Axxxxx\jagex_runescape_preferences2.dat
C:\Documents and Settings\Axxxxx\jagex__preferences3.dat


Some content of TEMP:
====================
C:\Documents and Settings\Axxxxx\Local Settings\Temp\AdobeUpdater12345.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\Install_PDFR_Pro_v250.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u14-windows-i586-iftw-rv.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u15-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u16-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u17-windows-i586-iftw-rv.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u18-windows-i586-iftw-rv.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u20-windows-i586-iftw-rv.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u21-windows-i586-iftw-rv_6f82dccf.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u22-windows-i586-iftw-rv.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u23-windows-i586-iftw-rv.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u29-windows-i586-iftw-rv.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u31-windows-i586-iftw-rv.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u33-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u35-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u37-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-6u39-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-7u15-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-7u17-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-7u21-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-7u25-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-7u45-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-7u51-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-7u55-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-7u65-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-7u67-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\jre-7u71-windows-i586-iftw.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\_is1.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\_is12.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\_is13.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\_is1641.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\_is168.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\_is185.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\_is1C4.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\_is2.exe
C:\Documents and Settings\Axxxxx\Local Settings\Temp\_isEAF.exe
C:\Documents and Settings\Rxxxxx\Local Settings\Temp\setup_wm.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\windows\explorer.exe => File is digitally signed
C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================ 



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,242 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 November 2014 - 10:57 AM

Nothing suspicious was found on your FRST log.
 
Please download and run the ComboFix tool.
 
How to use ComboFix
 
Follow the instructions on the page.
 
Post the content of the C:\ComboFix.txt file for my review.
 
p.s.
When all is well you can remove the tool by following the Uninstall instructions on the same page.
 
====


#9 mrdrifter

mrdrifter
  • Topic Starter

  • Members
  • 12 posts
  • Gender:Male

Posted 26 November 2014 - 01:07 PM

Here is the ComboFix log.....

 

ComboFix 14-11-25.01 - Axxxxx 11/26/2014   9:51.1.4 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3071.2389 [GMT -8:00]
Running from: c:\documents and settings\Axxxxx\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\data
c:\data\cmdline.cfg
c:\documents and settings\Axxxxx\Application Data\inst.exe
c:\documents and settings\Axxxxx\Application Data\vso_ts_preview.xml
c:\documents and settings\Axxxxx\WINDOWS
c:\windows\$msi31uninstall_kb893803v2$
c:\windows\$msi31uninstall_kb893803v2$\msi.dll
c:\windows\$msi31uninstall_kb893803v2$\msiexec.exe
c:\windows\$msi31uninstall_kb893803v2$\msihnd.dll
c:\windows\$msi31uninstall_kb893803v2$\msimsg.dll
c:\windows\$msi31uninstall_kb893803v2$\msisip.dll
c:\windows\$msi31uninstall_kb893803v2$\reg00013
c:\windows\$msi31uninstall_kb893803v2$\reg00014
c:\windows\$msi31uninstall_kb893803v2$\reg00015
c:\windows\$msi31uninstall_kb893803v2$\reg00016
c:\windows\$msi31uninstall_kb893803v2$\reg00017
c:\windows\$msi31uninstall_kb893803v2$\reg00018
c:\windows\$msi31uninstall_kb893803v2$\reg00019
c:\windows\$msi31uninstall_kb893803v2$\reg00020
c:\windows\$msi31uninstall_kb893803v2$\reg00021
c:\windows\$msi31uninstall_kb893803v2$\reg00022
c:\windows\$msi31uninstall_kb893803v2$\reg00023
c:\windows\$msi31uninstall_kb893803v2$\reg00024
c:\windows\$msi31uninstall_kb893803v2$\reg00025
c:\windows\$msi31uninstall_kb893803v2$\reg00026
c:\windows\$msi31uninstall_kb893803v2$\reg00027
c:\windows\$msi31uninstall_kb893803v2$\reg00028
c:\windows\$msi31uninstall_kb893803v2$\reg00029
c:\windows\$msi31uninstall_kb893803v2$\reg00030
c:\windows\$msi31uninstall_kb893803v2$\reg00031
c:\windows\$msi31uninstall_kb893803v2$\reg00032
c:\windows\$msi31uninstall_kb893803v2$\reg00033
c:\windows\$msi31uninstall_kb893803v2$\reg00034
c:\windows\$msi31uninstall_kb893803v2$\reg00035
c:\windows\$msi31uninstall_kb893803v2$\reg00036
c:\windows\$msi31uninstall_kb893803v2$\reg00037
c:\windows\$msi31uninstall_kb893803v2$\reg00038
c:\windows\$msi31uninstall_kb893803v2$\reg00039
c:\windows\$msi31uninstall_kb893803v2$\reg00040
c:\windows\$msi31uninstall_kb893803v2$\reg00041
c:\windows\$msi31uninstall_kb893803v2$\reg00042
c:\windows\$msi31uninstall_kb893803v2$\reg00043
c:\windows\$msi31uninstall_kb893803v2$\reg00044
c:\windows\$msi31uninstall_kb893803v2$\reg00045
c:\windows\$msi31uninstall_kb893803v2$\reg00046
c:\windows\$msi31uninstall_kb893803v2$\reg00047
c:\windows\$msi31uninstall_kb893803v2$\reg00048
c:\windows\$msi31uninstall_kb893803v2$\reg00051
c:\windows\$msi31uninstall_kb893803v2$\reg00052
c:\windows\$msi31uninstall_kb893803v2$\reg00053
c:\windows\$msi31uninstall_kb893803v2$\reg00054
c:\windows\$msi31uninstall_kb893803v2$\reg00055
c:\windows\$msi31uninstall_kb893803v2$\reg00056
c:\windows\$msi31uninstall_kb893803v2$\reg00057
c:\windows\$msi31uninstall_kb893803v2$\reg00058
c:\windows\$msi31uninstall_kb893803v2$\reg00059
c:\windows\$msi31uninstall_kb893803v2$\reg00060
c:\windows\$msi31uninstall_kb893803v2$\reg00061
c:\windows\$msi31uninstall_kb893803v2$\reg00062
c:\windows\$msi31uninstall_kb893803v2$\reg00063
c:\windows\$msi31uninstall_kb893803v2$\reg00064
c:\windows\$msi31uninstall_kb893803v2$\reg00065
c:\windows\$msi31uninstall_kb893803v2$\reg00066
c:\windows\$msi31uninstall_kb893803v2$\reg00067
c:\windows\$msi31uninstall_kb893803v2$\reg00068
c:\windows\$msi31uninstall_kb893803v2$\reg00069
c:\windows\$msi31uninstall_kb893803v2$\reg00070
c:\windows\$msi31uninstall_kb893803v2$\reg00071
c:\windows\$msi31uninstall_kb893803v2$\reg00072
c:\windows\$msi31uninstall_kb893803v2$\reg00073
c:\windows\$msi31uninstall_kb893803v2$\reg00074
c:\windows\$msi31uninstall_kb893803v2$\reg00075
c:\windows\$msi31uninstall_kb893803v2$\reg00076
c:\windows\$msi31uninstall_kb893803v2$\reg00077
c:\windows\$msi31uninstall_kb893803v2$\reg00078
c:\windows\$msi31uninstall_kb893803v2$\reg00079
c:\windows\$msi31uninstall_kb893803v2$\reg00080
c:\windows\$msi31uninstall_kb893803v2$\reg00081
c:\windows\$msi31uninstall_kb893803v2$\reg00082
c:\windows\$msi31uninstall_kb893803v2$\reg00083
c:\windows\$msi31uninstall_kb893803v2$\reg00084
c:\windows\$msi31uninstall_kb893803v2$\reg00085
c:\windows\$msi31uninstall_kb893803v2$\reg00086
c:\windows\$msi31uninstall_kb893803v2$\reg00087
c:\windows\$msi31uninstall_kb893803v2$\reg00088
c:\windows\$msi31uninstall_kb893803v2$\reg00089
c:\windows\$msi31uninstall_kb893803v2$\reg00090
c:\windows\$msi31uninstall_kb893803v2$\reg00091
c:\windows\$msi31uninstall_kb893803v2$\reg00092
c:\windows\$msi31uninstall_kb893803v2$\reg00093
c:\windows\$msi31uninstall_kb893803v2$\reg00094
c:\windows\$msi31uninstall_kb893803v2$\reg00095
c:\windows\$msi31uninstall_kb893803v2$\reg00096
c:\windows\$msi31uninstall_kb893803v2$\reg00097
c:\windows\$msi31uninstall_kb893803v2$\reg00098
c:\windows\$msi31uninstall_kb893803v2$\reg00099
c:\windows\$msi31uninstall_kb893803v2$\reg00100
c:\windows\$msi31uninstall_kb893803v2$\reg00101
c:\windows\$msi31uninstall_kb893803v2$\reg00102
c:\windows\$msi31uninstall_kb893803v2$\reg00103
c:\windows\$msi31uninstall_kb893803v2$\reg00104
c:\windows\$msi31uninstall_kb893803v2$\reg00105
c:\windows\$msi31uninstall_kb893803v2$\reg00106
c:\windows\$msi31uninstall_kb893803v2$\reg00107
c:\windows\$msi31uninstall_kb893803v2$\reg00108
c:\windows\$msi31uninstall_kb893803v2$\reg00109
c:\windows\$msi31uninstall_kb893803v2$\reg00110
c:\windows\$msi31uninstall_kb893803v2$\reg00111
c:\windows\$msi31uninstall_kb893803v2$\reg00112
c:\windows\$msi31uninstall_kb893803v2$\reg00113
c:\windows\$msi31uninstall_kb893803v2$\reg00114
c:\windows\$msi31uninstall_kb893803v2$\reg00115
c:\windows\$msi31uninstall_kb893803v2$\reg00116
c:\windows\$msi31uninstall_kb893803v2$\spuninst\spuninst.exe
c:\windows\$msi31uninstall_kb893803v2$\spuninst\spuninst.inf
c:\windows\$msi31uninstall_kb893803v2$\spuninst\spuninst.txt
c:\windows\$msi31uninstall_kb893803v2$\spuninst\updspapi.dll
c:\windows\system32\kernel32.sys
c:\windows\system32\SETB17.tmp
c:\windows\system32\SETB1B.tmp
c:\windows\system32\SETB1C.tmp
c:\windows\system32\SETB23.tmp
c:\windows\system32\tmp616.tmp
c:\windows\system32\tmp617.tmp
c:\windows\system32\WinSys.exe
.
.
(((((((((((((((((((((((((   Files Created from 2014-10-26 to 2014-11-26  )))))))))))))))))))))))))))))))
.
.
2014-11-20 18:47 . 2004-05-13 13:26    84784    ----a-w-    C:\fciv.exe
2014-11-18 12:49 . 2008-04-14 12:42    135680    ----a-w-    c:\windows\system32\jose.exe
2014-11-16 00:30 . 2014-11-16 00:43    --------    d-----w-    c:\documents and settings\All Users\Application Data\HitmanPro
2014-11-15 12:49 . 2014-11-26 14:57    --------    d-----w-    C:\FRST
2014-11-14 21:19 . 2014-11-15 12:20    --------    d---a-w-    C:\Kaspersky Rescue Disk 10.0
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-10-19 14:21 . 2012-05-02 12:44    701104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-10-19 14:21 . 2011-05-18 13:13    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2007-11-10 00:10 . 2014-11-11 03:31    30288    ----a-w-    c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-11-09 23:10 . 2014-11-11 03:31    79440    ----a-w-    c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-11-09 23:10 . 2014-11-11 03:31    75344    ----a-w-    c:\program files\mozilla firefox\plugins\confmgr.dll
2007-11-10 00:10 . 2014-11-11 03:31    140880    ----a-w-    c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-11-10 00:10 . 2014-11-11 03:31    42576    ----a-w-    c:\program files\mozilla firefox\plugins\icafile.dll
2007-11-10 00:10 . 2014-11-11 03:31    50768    ----a-w-    c:\program files\mozilla firefox\plugins\icalogon.dll
2007-11-09 23:10 . 2014-11-11 03:31    34384    ----a-w-    c:\program files\mozilla firefox\plugins\logging.dll
2007-11-10 00:11 . 2014-11-11 03:31    685648    ----a-w-    c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-11-09 23:11 . 2014-11-11 03:31    30288    ----a-w-    c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-06-26 81920]
"Akamai NetSession Interface"="c:\documents and settings\Axxxxx\Local Settings\Application Data\Akamai\netsession_win.exe" [2014-10-30 4673432]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16380416]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"nwiz"="nwiz.exe" [2007-06-28 1626112]
"WinSys2"="c:\windows\system32\winsys2.exe" [2006-04-29 208896]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2007-10-02 451896]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-07 1461080]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2009-08-19 3618104]
"PowerPanel Personal Edition User Interaction"="c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe" [2012-08-03 350184]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-20 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 12:42    110592    ----a-w-    c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-13 00:40    155648    ----a-w-    c:\windows\system32\NeroCheck.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Games\\DOOM Collector's Edition\\skulltag-v097d4-3\\skulltag.exe"=
"c:\\Games\\DOOM Collector's Edition\\skulltag-v097d4-3\\IdeSE.exe"=
"c:\\Games\\DOOM Collector's Edition\\Skulltag 97D\\skulltag.exe"=
"c:\\Games\\DOOM Collector's Edition\\Skulltag 97D\\IdeSE.exe"=
"c:\\Games\\DOOM Collector's Edition\\Skulltag 97D RC3\\IdeSE.exe"=
"c:\\Games\\DOOM Collector's Edition\\Skulltag 97D RC3\\skulltag.exe"=
"c:\\Games\\FreeSpace2\\fs2_open_3_6_9.exe"=
"c:\\Games\\FreeSpace2\\fs2_open_3_6_10.exe"=
"c:\\Games\\The Babylon Project\\fs2_open_3_6_9.exe"=
"c:\\Games\\The Babylon Project\\fs2_open_3_6_9_INF.exe"=
"c:\\Games\\The Babylon Project\\fs2_open_3_6_10.exe"=
"c:\\Games\\FreeSpace2\\fs2_open_3_6_10_debug.exe"=
"c:\\Games\\FreeSpace2\\fs2_open_3_6_10r-20081010_r4871.exe"=
"c:\\Games\\FreeSpace2\\fs2_open_3_6_10d-20081010_r4871.exe"=
"c:\\Games\\DOOM Collector's Edition\\Skulltag 97D2\\skulltag.exe"=
"c:\\Games\\DOOM Collector's Edition\\Skulltag 97D2\\IdeSE.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\Documents and Settings\\Axxxxx\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Serviio\\bin\\ServiioService.exe"=
"c:\\Program Files\\Serviio\\bin\\ServiioConsole.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"1094:TCP"= 1094:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\drivers\Si3531.sys [11/26/2007 6:53 PM 210224]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [11/14/2007 3:06 PM 35168]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [10/7/2009 9:16 AM 472280]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [6/28/2013 4:48 PM 14624]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [12/24/2008 12:14 PM 47360]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/20/2004 4:47 AM 98304]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/20/2004 3:40 AM 118784]
S3 Serviio;Serviio;c:\program files\Serviio\bin\ServiioService.exe [12/20/2013 12:52 AM 327680]
.
Contents of the 'Scheduled Tasks' folder
.
2014-11-26 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-22 01:59]
.
2014-11-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-22 01:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 68.94.156.1 68.94.157.1
TCP: Interfaces\{18EFE0A7-C317-4AE1-B99C-D9F49EC22A49}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\documents and settings\Axxxxx\Application Data\Mozilla\Firefox\Profiles\bagby20l.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - ExtSQL: !HIDDEN! 2010-04-16 21:10; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-11-26 09:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1177238915-1275210071-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_70_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_70_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2014-11-26  09:58:53
ComboFix-quarantined-files.txt  2014-11-26 17:58
.
Pre-Run: 21,875,740,672 bytes free
Post-Run: 25,109,688,320 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
.
- - End Of File - - 45309D3062AB3CA4CFA62E19A26C31AF
8F558EB6672622401DA993E1E865C861
 



#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,242 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 November 2014 - 02:10 PM

What issues are still pending?



#11 mrdrifter

mrdrifter
  • Topic Starter

  • Members
  • 12 posts
  • Gender:Male

Posted 26 November 2014 - 02:22 PM

Nasdaq, at this point there are no signs of the original infection.  Should I be concerned about other potentially infected system files?



#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,242 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 November 2014 - 02:28 PM

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:

======


#13 mrdrifter

mrdrifter
  • Topic Starter

  • Members
  • 12 posts
  • Gender:Male

Posted 26 November 2014 - 03:16 PM

 Results of screen317's Security Check version 0.99.90  
 Windows XP Service Pack 3 x86   
 Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
ESET NOD32 Antivirus 3.0   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Spybot - Search & Destroy
 CCleaner     
 Adobe Flash Player     15.0.0.189  
 Adobe Reader 8 Adobe Reader out of Date!
 Adobe Reader 10.1.11 Adobe Reader out of Date!  
 Mozilla Firefox (33.1)
````````Process Check: objlist.exe by Laurent````````  
 ESET NOD32 Antivirus egui.exe  
 ESET NOD32 Antivirus ekrn.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 5%
````````````````````End of Log``````````````````````
     



#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,242 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 November 2014 - 09:18 AM

Get the latest version of the Adobe Reader.
Before you download, I suggest you uncheck the box on the top right "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.
 
When installed, remove your old version of the Reader using the Add/Remove Programs applet if present.
<<<>>>
 
Critical vulnerabilities have been identified in old versions of Adobe Flash Player; please get the latest version.
 
Flash test site:
Install the new version or, if you have the latest, close the windows.
 
Flash Player Help / Find version
 
===
 
If all is well.
 
To learn more about how to protect yourself while on the internet read this little guide: Best security practices Keep safe.
===


#15 mrdrifter

mrdrifter
  • Topic Starter

  • Members
  • 12 posts
  • Gender:Male

Posted 28 November 2014 - 10:08 PM

I have updated the several Adobe apps as you advised.  Also, in the course of conducting searches of files on my computer I found a graphic file (pic.png) and an html file with a form for making ransom payments.  These were both in the directory

C:\Documents and Settings\All Users\Documents\Report\

I have deleted them.

 

I have installed Chrome (as an alternative to Firefox) and have instructed other potential users of the computer to avoid using Internet Explorer on this and any other machine running Win XP.

 

My remaining concern is that other system files besides kernel32.dll may have been hijacked by the malware.  Did the combofix.exe tool canvass all of these possibilities?  Or is the machine fundamentally compromised, requiring a clean reinstall of the operating system?  (It's connected to the internet, but I am handling all activity involving passwords, email, forums, etc. using machines on other networks.)





