
Persistent XP Internet Security 2012 infection



I have an XP Internet Security 2012 infection that has been resistant to numerous attempts to remove it with Malwarebytes' Anti-Malware. Any help would be greatly appreciated.

Here is the malware log from the last attempt.

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8370

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/14/2011 1:41:21 PM

mbam-log-2011-12-14 (13-41-18).txt

Scan type: Quick scan

Objects scanned: 333693

Time elapsed: 24 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> No action taken.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\mcneese72.MARTIN\Local Settings\Application Data\nyq.exe" -a "iexplore.exe) Good: (iexplore.exe) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\Temp\nnnv0.38063081204955684.exe (Trojan.Dropper) -> No action taken.

c:\WINDOWS\Temp\nnnv0.5737253372689203.exe (Trojan.Dropper) -> No action taken.

c:\WINDOWS\Temp\opre0.5063891606838069.exe (Trojan.Dropper) -> No action taken.

c:\WINDOWS\Temp\opre0.9553528552963106.exe (Trojan.Dropper) -> No action taken.

The dds.txt:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by mcneese72 at 13:57:24 on 2011-12-14

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2002.1243 [GMT -6:00]

.

AV: AVG Internet Security Network Edition *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Intel\AMT\atchksrv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Intel\IDU\awServ.exe

C:\PROGRA~1\AVG\AVG8\avgam.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\Program Files\Common Files\Trophy\Services\RVGNetworkConfiguration\RVGNetworkConfiguration.exe

C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Intel\AMT\UNS.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\TightVNC\WinVNC.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Intel\AMT\atchk.exe

C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe

C:\PVSW\bin\w3dbsmgr.exe

C:\Documents and Settings\mcneese72.MARTIN\Local Settings\Application Data\nyq.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Documents and Settings\mcneese72.MARTIN\Start Menu\Programs\Startup\Printkey.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Documents and Settings\mcneese72.MARTIN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Intel\IDU\iptray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\igfxtray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\TW\KDSDriverInstallMonitor.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\ping.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.geauxcowboys.com/homepage.asp

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [Google Update] "c:\documents and settings\mcneese72.martin\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe

mRun: [atchk] "c:\program files\intel\amt\atchk.exe"

mRun: [WinVNC] "c:\program files\tightvnc\WinVNC.exe" -servicehelper

mRun: [ipTray.exe] "c:\program files\intel\idu\iptray.exe"

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [<NO NAME>]

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [KDSDriverInstallMonitor] c:\tw\KDSDriverInstallMonitor.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

StartupFolder: c:\docume~1\mcnees~1.mar\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\mcnees~1.mar\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

StartupFolder: c:\docume~1\mcnees~1.mar\startm~1\programs\startup\pervas~1.lnk - c:\pvsw\bin\w3dbsmgr.exe

StartupFolder: c:\documents and settings\mcneese72.martin\start menu\programs\startup\Printkey.exe

StartupFolder: c:\docume~1\mcnees~1.mar\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

StartupFolder: c:\docume~1\mcnees~1.mar\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pervas~1.lnk - c:\pvsw\bin\w3dbsmgr.exe

StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Printkey.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

mPolicies-system: disablecad = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://practiceworks.centra.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab

DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://134.250.150.60/SysCamInst.cab

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213390822906

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213390894000

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: Interfaces\{BB876675-C682-48A9-AD6A-582B79B100A9} : NameServer = 10.1.1.10

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

.

============= SERVICES / DRIVERS ===============

.

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-1-19 12552]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-19 335240]

R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-19 27784]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-19 108552]

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-5-16 98392]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2010-1-19 908056]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2010-1-19 297752]

R2 AWService;Admin Works Agent X8;c:\program files\intel\idu\awServ.exe [2006-12-27 74520]

R2 RVGNetworkConfigurationService;RVG Network Configuration Service;c:\program files\common files\trophy\services\rvgnetworkconfiguration\RVGNetworkConfiguration.exe [2010-4-9 40960]

R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite xii.sp2c\RpcAgentSrv.exe [2008-6-13 98488]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-6-13 2525720]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-20 24652]

S2 NetworkLog;NetworkLog;c:\windows\svcs.exe [2011-12-14 508928]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg8\toolbar\ToolbarBroker.exe [2010-10-26 1025352]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

.

=============== File Associations ===============

.

.exe=5o

.

=============== Created Last 30 ================

.

.

==================== Find3M ====================

.

2011-11-17 15:42:36 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

.

============= FINISH: 13:58:24.37 ===============

The attach.txt:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 5/5/2010 2:27:39 PM

System Uptime: 12/14/2011 1:42:44 PM (0 hours ago)

.

Motherboard: Intel Corporation | | DQ35JO

Processor: Intel Pentium III Xeon processor | J1PR | 2657/333mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 75 GiB total, 24.501 GiB free.

D: is Removable

E: is Removable

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Intel® 82566DM-2 Gigabit Network Connection

Device ID: PCI\VEN_8086&DEV_10BD&SUBSYS_00018086&REV_02\3&61AAA01&0&C8

Manufacturer: Intel

Name: Intel® 82566DM-2 Gigabit Network Connection

PNP Device ID: PCI\VEN_8086&DEV_10BD&SUBSYS_00018086&REV_02\3&61AAA01&0&C8

Service: e1express

.

Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}

Description: CD-ROM Drive

Device ID: USBSTOR\CDROM&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_8.01\1101610EF7C2E6CE&1

Manufacturer: (Standard CD-ROM drives)

Name: SanDisk U3 Cruzer Micro USB Device

PNP Device ID: USBSTOR\CDROM&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_8.01\1101610EF7C2E6CE&1

Service: cdrom

.

Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}

Description: CD-ROM Drive

Device ID: IDE\CDROMDVDROM_PATA_16X48X______________________HA31____\6&19E3BCC4&0&0.0.0

Manufacturer: (Standard CD-ROM drives)

Name: DVDROM PATA 16X48X

PNP Device ID: IDE\CDROMDVDROM_PATA_16X48X______________________HA31____\6&19E3BCC4&0&0.0.0

Service: cdrom

.

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description:

Device ID: ACPI\WEC1000\4&376E3BFF&0

Manufacturer:

Name:

PNP Device ID: ACPI\WEC1000\4&376E3BFF&0

Service:

.

==== System Restore Points ===================

.

RP486: 10/3/2011 1:32:59 PM - System Checkpoint

RP487: 10/4/2011 5:11:39 PM - System Checkpoint

RP488: 10/5/2011 6:12:52 PM - System Checkpoint

RP489: 10/6/2011 6:28:15 PM - System Checkpoint

RP490: 10/7/2011 7:09:36 PM - System Checkpoint

RP491: 10/8/2011 8:04:21 PM - System Checkpoint

RP492: 10/9/2011 8:28:15 PM - System Checkpoint

RP493: 10/10/2011 9:28:15 PM - System Checkpoint

RP494: 10/12/2011 2:19:02 AM - System Checkpoint

RP495: 10/12/2011 3:00:17 AM - Software Distribution Service 3.0

RP496: 10/13/2011 3:30:39 AM - System Checkpoint

RP497: 10/14/2011 6:12:15 AM - System Checkpoint

RP498: 10/15/2011 6:34:52 AM - System Checkpoint

RP499: 10/16/2011 7:06:59 AM - System Checkpoint

RP500: 10/17/2011 7:56:20 AM - System Checkpoint

RP501: 10/17/2011 9:53:12 AM - Avg8 Update

RP502: 10/18/2011 11:50:04 AM - System Checkpoint

RP503: 10/19/2011 1:48:33 PM - System Checkpoint

RP504: 10/20/2011 2:20:01 PM - System Checkpoint

RP505: 10/21/2011 3:18:56 PM - System Checkpoint

RP506: 10/22/2011 3:19:05 PM - System Checkpoint

RP507: 10/23/2011 4:18:57 PM - System Checkpoint

RP508: 10/24/2011 5:12:05 PM - System Checkpoint

RP509: 10/25/2011 5:19:38 PM - System Checkpoint

RP510: 10/26/2011 6:19:34 PM - System Checkpoint

RP511: 10/27/2011 10:19:08 PM - System Checkpoint

RP512: 10/29/2011 5:13:41 AM - System Checkpoint

RP513: 10/30/2011 5:18:57 AM - System Checkpoint

RP514: 10/31/2011 6:18:57 AM - System Checkpoint

RP515: 11/1/2011 4:26:09 PM - System Checkpoint

RP516: 11/2/2011 5:59:58 PM - System Checkpoint

RP517: 11/3/2011 8:53:24 PM - System Checkpoint

RP518: 11/4/2011 9:17:14 PM - System Checkpoint

RP519: 11/5/2011 9:17:14 PM - System Checkpoint

RP520: 11/6/2011 10:17:14 PM - System Checkpoint

RP521: 11/7/2011 11:17:18 PM - System Checkpoint

RP522: 11/9/2011 5:18:44 AM - System Checkpoint

RP523: 11/10/2011 3:00:17 AM - Software Distribution Service 3.0

RP524: 11/11/2011 3:00:17 AM - Software Distribution Service 3.0

RP525: 11/12/2011 3:22:15 AM - System Checkpoint

RP526: 11/13/2011 3:51:15 AM - System Checkpoint

RP527: 11/14/2011 4:46:17 AM - System Checkpoint

RP528: 11/15/2011 8:31:43 AM - System Checkpoint

RP529: 11/16/2011 9:29:37 AM - System Checkpoint

RP530: 11/17/2011 9:29:26 AM - Software Distribution Service 3.0

RP531: 11/18/2011 3:00:17 AM - Software Distribution Service 3.0

RP532: 11/19/2011 4:24:09 AM - System Checkpoint

RP533: 11/20/2011 5:38:35 AM - System Checkpoint

RP534: 11/21/2011 6:17:15 AM - System Checkpoint

RP535: 11/22/2011 9:24:28 AM - System Checkpoint

RP536: 11/23/2011 8:31:58 AM - Software Distribution Service 3.0

RP537: 11/24/2011 8:35:06 AM - System Checkpoint

RP538: 11/25/2011 8:47:41 AM - System Checkpoint

RP539: 11/26/2011 10:07:23 AM - System Checkpoint

RP540: 11/27/2011 10:55:14 AM - System Checkpoint

RP541: 11/28/2011 12:05:56 PM - System Checkpoint

RP542: 11/29/2011 12:24:42 PM - System Checkpoint

RP543: 11/30/2011 12:58:19 PM - System Checkpoint

RP544: 12/1/2011 11:40:14 AM - Printer Driver Amyuni Document Converter 400 Installed

RP545: 12/2/2011 12:07:47 PM - System Checkpoint

RP546: 12/3/2011 2:31:54 PM - System Checkpoint

RP547: 12/4/2011 3:08:14 PM - System Checkpoint

RP548: 12/5/2011 3:25:15 PM - System Checkpoint

RP549: 12/6/2011 5:22:31 PM - System Checkpoint

RP550: 12/7/2011 6:17:48 PM - System Checkpoint

RP551: 12/8/2011 9:09:02 PM - System Checkpoint

RP552: 12/9/2011 10:45:05 PM - System Checkpoint

RP553: 12/11/2011 6:06:34 AM - System Checkpoint

RP554: 12/12/2011 12:00:20 PM - System Checkpoint

RP555: 12/13/2011 9:06:31 AM - Restore Operation

RP556: 12/13/2011 10:30:04 AM - Restore Operation

.

==== Installed Programs ======================

.

.

32 Bit HP CIO Components Installer

7500_7600_7700_Help

Acrobat.com

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Help Center 2.1

Adobe Photoshop Elements 5.0

Adobe Reader 9.4.5

AIM 7

AIM Toolbar

AnswerWorks 5.0 English Runtime

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Arachnophilia version 4.0

AVG 8.5

Bonjour

BPD_HPSU

BPD_Scan

BPDfax

BPDSoftware

BPDSoftware_Ini

BufferChm

CareCredit CCware Version 4.6.0.0

CCleaner (remove only)

Centra Client

Championship Chess

CustomerResearchQFolder

CuteFTP 5.0 XP

Destinations

DeviceManagementQFolder

DocProc

DocProcQFolder

Download Updater (AOL LLC)

DriverRVG (remove only)

eSupportQFolder

Garmin Communicator Plugin

Google Chrome

Hotfix for Microsoft .NET Framework 3.0 (KB932471)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB915800-v4)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB981793)

HP Customer Participation Program 7.0

hp deskjet 6122

HP Imaging Device Functions 7.0

HP Officejet Pro All-In-One Series

HP Photosmart Essential

hp print screen utility

HP Product Assistant

HP Solution Center 7.0

HP Update

HPPhotoSmartExpress

HPProductAssistant

InstantShareDevicesMFC

Intel® Desktop Utilities

Intel® Graphics Media Accelerator Driver

Intel® Network Connections 13.0.44.0

Intel® SMBus

Intel® Active Management Technology

Intel® Management Engine Interface

Intel® System Defense Utility

iTunes

Java Auto Updater

Java 6 Update 26

Java 6 Update 5

Java 6 Update 7

Karen

KDIS3DModule (remove only)

Kodak Dental Imaging

KODAK PRACTICEWORKS Practice Management Software Workstation

L7600

LightScribe 1.4.136.1

Logicon Caries Detector 4.0

Malwarebytes' Anti-Malware version 1.51.2.1300

MarketResearch

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2572067)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office 2007 Primary Interop Assemblies

Microsoft Office 2007 Service Pack 3 (SP3)

Microsoft Office Access 2007

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office File Validation Add-In

Microsoft Office Home and Student 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft Software Update for Web Folders (English) 12

Microsoft VC9 runtime libraries

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual Studio 2005 Tools for Office Runtime

Move Media Player

MPM

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP2 Parser and SDK

MSXML 4.0 SP3 Parser

MSXML 4.0 SP3 Parser (KB973685)

MSXML 6 Service Pack 2 (KB973686)

Nero 7 Essentials

OCR Software by I.R.I.S 7.0

OGA Notifier 2.0.0048.0

PanoStandAlone

Pervasive System Analyzer

Pervasive.SQL 9 SP2 Workgroup for Windows (9.5)

PokerStars

PokerStars.net

PokerStove version 1.23

PracticeWorks Lights

ProductContext

PWOffice NX Compatibility Update

QuickBooks

QuickBooks Pro 2010

QuickBooks Simple Start 2010 Free Edition

Quicken 2011

QuickPayroll

QuickTime

Realtek High Definition Audio Driver

Scan

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Internet Explorer 7 (KB2183461)

Security Update for Windows Internet Explorer 7 (KB2360131)

Security Update for Windows Internet Explorer 7 (KB2416400)

Security Update for Windows Internet Explorer 7 (KB2482017)

Security Update for Windows Internet Explorer 7 (KB2497640)

Security Update for Windows Internet Explorer 7 (KB2530548)

Security Update for Windows Internet Explorer 7 (KB2544521)

Security Update for Windows Internet Explorer 7 (KB2559049)

Security Update for Windows Internet Explorer 7 (KB2586448)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB982381)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2586448)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player (KB979402)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2510581)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981349)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

SiSoftware Sandra Lite XII.SP2c

SolutionCenter

Status

TightVNC 1.3.9

Toolbox

TrayApp

Unload

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 7 (KB980182)

Update for Windows Internet Explorer 8 (KB2598845)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2607712)

Update for Windows XP (KB2616676)

Update for Windows XP (KB2641690)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Viewpoint Media Player

VLC media player 1.0.5

WebFldrs XP

WebReg

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Media Format 11 runtime

Windows Media Player 11

Windows Presentation Foundation

Windows Resource Kit Tools - SubInAcl.exe

Windows XP Service Pack 3

WinRAR archiver

XML Paper Specification Shared Components Pack 1.0

yDecode 1.63

.

==== Event Viewer Messages From Past Week ========

.

12/9/2011 8:38:26 AM, error: Removable Storage Service [106] - Multisided media 381 could not be identified in library HP Officejet Pro L7 USB Device. RSM attempted to flip the media to identify the second side but could not because the media was in use by another process. This media has been forced into the Unrecognized pool and left in the disabled state. Perform a full inventory or eject the media and re-insert it into the library to fix this situation.

12/9/2011 8:35:15 AM, error: Removable Storage Service [106] - Multisided media 380 could not be identified in library HP Officejet Pro L7 USB Device. RSM attempted to flip the media to identify the second side but could not because the media was in use by another process. This media has been forced into the Unrecognized pool and left in the disabled state. Perform a full inventory or eject the media and re-insert it into the library to fix this situation.

12/8/2011 9:09:30 AM, error: Service Control Manager [7016] - The RVG Network Configuration Service service has reported an invalid current state 128.

12/14/2011 7:45:27 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.

12/14/2011 12:29:35 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Cdrom Fips intelppm NetworkX ohci1394

12/14/2011 10:19:08 AM, error: Service Control Manager [7000] - The MBAMSwissArmy service failed to start due to the following error: The system cannot find the file specified.

12/14/2011 10:02:17 AM, error: Service Control Manager [7023] - The MicroSoft Team Helper service terminated with the following error: Access is denied.

12/13/2011 11:17:21 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Cdrom Fips intelppm NetworkX

12/12/2011 9:00:00 AM, error: Schedule [7901] - The At34.job command failed to start due to the following error: %%2147942402

12/12/2011 9:00:00 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: %%2147942402

12/12/2011 8:00:00 AM, error: Schedule [7901] - The At9.job command failed to start due to the following error: %%2147942402

12/12/2011 8:00:00 AM, error: Schedule [7901] - The At33.job command failed to start due to the following error: %%2147942402

12/12/2011 7:00:00 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402

12/12/2011 7:00:00 AM, error: Schedule [7901] - The At32.job command failed to start due to the following error: %%2147942402

12/12/2011 6:33:29 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

12/12/2011 6:00:00 AM, error: Schedule [7901] - The At7.job command failed to start due to the following error: %%2147942402

12/12/2011 6:00:00 AM, error: Schedule [7901] - The At31.job command failed to start due to the following error: %%2147942402

12/12/2011 5:00:00 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: %%2147942402

12/12/2011 5:00:00 AM, error: Schedule [7901] - The At30.job command failed to start due to the following error: %%2147942402

12/12/2011 4:49:39 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

12/12/2011 4:47:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

12/12/2011 4:47:11 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

12/12/2011 4:46:31 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Cdrom Fips intelppm IPSec MRxSmb NetBIOS NetBT NetworkX RasAcd Rdbss Tcpip

12/12/2011 4:46:31 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

12/12/2011 4:46:31 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

12/12/2011 4:46:31 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

12/12/2011 4:46:31 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

12/12/2011 4:46:31 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

12/12/2011 4:46:31 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

12/12/2011 4:17:30 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Cdrom

12/12/2011 4:16:48 PM, error: Removable Storage Service [111] - RSM could not load media in drive Drive 0 of library SanDisk U3 Cruzer Micro USB Device.

12/12/2011 4:16:38 PM, error: Removable Storage Service [111] - RSM could not load media in drive Drive 0 of library HP Officejet Pro L7 USB Device.

12/12/2011 4:00:00 PM, error: Schedule [7901] - The At41.job command failed to start due to the following error: %%2147942402

12/12/2011 4:00:00 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402

12/12/2011 4:00:00 AM, error: Schedule [7901] - The At5.job command failed to start due to the following error: %%2147942402

12/12/2011 4:00:00 AM, error: Schedule [7901] - The At29.job command failed to start due to the following error: %%2147942402

12/12/2011 3:00:00 PM, error: Schedule [7901] - The At40.job command failed to start due to the following error: %%2147942402

12/12/2011 3:00:00 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402

12/12/2011 3:00:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: %%2147942402

12/12/2011 3:00:00 AM, error: Schedule [7901] - The At28.job command failed to start due to the following error: %%2147942402

12/12/2011 2:00:00 PM, error: Schedule [7901] - The At39.job command failed to start due to the following error: %%2147942402

12/12/2011 2:00:00 PM, error: Schedule [7901] - The At15.job command failed to start due to the following error: %%2147942402

12/12/2011 2:00:00 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402

12/12/2011 2:00:00 AM, error: Schedule [7901] - The At27.job command failed to start due to the following error: %%2147942402

12/12/2011 12:04:00 AM, error: Schedule [7901] - The At25.job command failed to start due to the following error: %%2147942402

12/12/2011 12:02:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402

12/12/2011 12:00:00 PM, error: Schedule [7901] - The At37.job command failed to start due to the following error: %%2147942402

12/12/2011 12:00:00 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402

12/12/2011 11:00:00 AM, error: Schedule [7901] - The At36.job command failed to start due to the following error: %%2147942402

12/12/2011 11:00:00 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402

12/12/2011 10:00:00 AM, error: Schedule [7901] - The At35.job command failed to start due to the following error: %%2147942402

12/12/2011 10:00:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402

12/12/2011 1:00:00 PM, error: Schedule [7901] - The At38.job command failed to start due to the following error: %%2147942402

12/12/2011 1:00:00 PM, error: Schedule [7901] - The At14.job command failed to start due to the following error: %%2147942402

12/12/2011 1:00:00 AM, error: Schedule [7901] - The At26.job command failed to start due to the following error: %%2147942402

12/12/2011 1:00:00 AM, error: Schedule [7901] - The At2.job command failed to start due to the following error: %%2147942402

12/11/2011 9:00:00 PM, error: Schedule [7901] - The At46.job command failed to start due to the following error: %%2147942402

12/11/2011 9:00:00 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402

12/11/2011 8:00:00 PM, error: Schedule [7901] - The At45.job command failed to start due to the following error: %%2147942402

12/11/2011 8:00:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402

12/11/2011 7:00:00 PM, error: Schedule [7901] - The At44.job command failed to start due to the following error: %%2147942402

12/11/2011 7:00:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402

12/11/2011 6:00:00 PM, error: Schedule [7901] - The At43.job command failed to start due to the following error: %%2147942402

12/11/2011 6:00:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402

12/11/2011 5:00:00 PM, error: Schedule [7901] - The At42.job command failed to start due to the following error: %%2147942402

12/11/2011 5:00:00 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error: %%2147942402

12/11/2011 11:00:00 PM, error: Schedule [7901] - The At48.job command failed to start due to the following error: %%2147942402

12/11/2011 11:00:00 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402

12/11/2011 10:00:00 PM, error: Schedule [7901] - The At47.job command failed to start due to the following error: %%2147942402

12/11/2011 10:00:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402

.

==== End Of File ===========================

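A note on the Schedule [7901] errors in the log above. Every one of them names a numbered AtN.job (At1 through At48 in the full dump, two per hour), and the %%2147942402 code is the decimal form of HRESULT 0x80070002, the Win32 "file not found" error: the Schedule service fired each job on time but the command the job points to was no longer on disk. That is what a scheduled-task re-launch chain looks like after the payload has been removed but the .job files in C:\WINDOWS\Tasks have not. The script below is an added example, not part of the original post or of DDS; it parses a constructed excerpt of the event lines quoted above (function and variable names are this example's own) and reports which jobs are involved, how they line up by hour, and what the error code means.

```python
"""Triage Schedule [7901] errors from a DDS "Event Viewer Messages" dump."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed excerpt of the event lines quoted in the post above; the real
# dump lists At1.job through At48.job.  The unrelated "sr [1]" line is kept to
# show that the parser ignores non-Schedule events.
SAMPLE_EVENTS = """\
12/12/2011 9:00:00 AM, error: Schedule [7901] - The At34.job command failed to start due to the following error: %%2147942402
12/12/2011 9:00:00 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: %%2147942402
12/12/2011 8:00:00 AM, error: Schedule [7901] - The At9.job command failed to start due to the following error: %%2147942402
12/12/2011 8:00:00 AM, error: Schedule [7901] - The At33.job command failed to start due to the following error: %%2147942402
12/12/2011 6:33:29 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
12/12/2011 12:04:00 AM, error: Schedule [7901] - The At25.job command failed to start due to the following error: %%2147942402
12/12/2011 12:02:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402
12/11/2011 11:00:00 PM, error: Schedule [7901] - The At48.job command failed to start due to the following error: %%2147942402
12/11/2011 11:00:00 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), error: Schedule \[7901\] - "
    r"The (?P<job>At\d+\.job) command failed to start due to the following error: %%(?P<code>\d+)$"
)

# Small table of Win32 errors a task-start failure commonly carries.
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}


def decode_hresult(code):
    """Map the decimal %%code logged by the Schedule service back to a Win32 error.

    2147942402 -> 0x80070002: severity bit set, facility 7 (FACILITY_WIN32), code 2.
    """
    hr = int(code)
    facility = (hr >> 16) & 0x1FFF
    win32 = hr & 0xFFFF
    if hr & 0x80000000 and facility == 7:
        return "0x%08X" % hr, WIN32_ERRORS.get(win32, "WIN32_%d" % win32)
    return "0x%08X" % hr, "non-Win32 facility %d" % facility


def job_number(job):
    """'At25.job' -> 25."""
    return int(re.match(r"At(\d+)\.job", job).group(1))


def parse_schedule_errors(text):
    """Return (timestamp, job name, error code) for every matching line."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p")
        events.append((ts, m.group("job"), m.group("code")))
    return events


def triage(text):
    """Summarise the numbered At*.job failures: which jobs, when, and why."""
    events = parse_schedule_errors(text)
    jobs = sorted({job for _, job, _ in events}, key=job_number)
    by_hour = defaultdict(set)
    for ts, job, _ in events:
        by_hour[ts.strftime("%H")].add(job)
    per_hour = {h: sorted(js, key=job_number) for h, js in sorted(by_hour.items())}
    # Gap between job numbers that fire in the same hour.  A constant stride
    # (24 in the thread: At1/At25, At9/At33, At24/At48) means the 48 jobs are
    # two interleaved chains that each cover every hour of the day.
    strides = set()
    for js in per_hour.values():
        nums = [job_number(j) for j in js]
        strides.update(b - a for a, b in zip(nums, nums[1:]))
    errors = {code: decode_hresult(code) for _, _, code in events}
    return {"jobs": jobs, "job_count": len(jobs), "per_hour": per_hour,
            "strides": sorted(strides), "errors": errors}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print("%d numbered At jobs failing" % result["job_count"])
    for hour, js in result["per_hour"].items():
        print("  %s:00  %s" % (hour, ", ".join(js)))
    for code, (hexcode, name) in result["errors"].items():
        print("  %%%%%s = %s (%s)" % (code, hexcode, name))
```

Run against the full dump, the same parser gives 48 jobs, one pair per hour, all with 0x80070002. The practical use is as a checklist: each job named here should appear in the C:\WINDOWS\Tasks listing of whatever fix log follows, and a task that still fires after cleanup means a payload is back.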

Welcome to the forum.

See if following this guide works.

if not...........

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC

Mr. Charlie,

It appears following the guide took care of it. I'm running MalwareBytes again to see.

I'm still getting this popup notification when starting up. "The ordinal 1109 could not be located in the dynamic link library wsock32.dll" Any idea what that is about?

Do I need to do anything else to make sure it is completely gone? Do I need to run OTL and post the logs?

Thanks for the help,

Doc


Yes, I need to see both OTL logs. MrC

Running Malwarebytes again found 1 trojan still around. I'm pasting that Malwarebytes log here.

I ran OTL and will attach the OTL logs to this post. I tried to copy and paste them but when I clicked Add Reply, it failed. I don't know if that made the post too long or what?

Thanks,

Doc

Malwarebytes' last log:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8397

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/19/2011 11:15:52 AM

mbam-log-2011-12-19 (11-15-52).txt

Scan type: Full scan (C:\|)

Objects scanned: 443104

Time elapsed: 1 hour(s), 35 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\system volume information\_restore{8f3d48bb-533d-4459-bbd2-608782ac05ef}\RP558\A0055213.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.

OTL.Txt

Extras.Txt


I see you ran ComboFix; can you post the log from it?

Please find this file and upload it to VirusTotal, or to Jotti if VirusTotal is too busy.

Post back the link to the scan:

C:\WINDOWS\svcs.exe

http://www.virustotal.com/

http://virusscan.jotti.org/en

--------------------------

Please do this:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O4 - HKLM..\Run: [] File not found
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    [2011/12/19 07:38:24 | 000,013,772 | -HS- | M] () -- C:\Documents and Settings\mcneese72.MARTIN\Local Settings\Application Data\5g86ns4c55w722
    [2011/12/19 07:38:24 | 000,013,772 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\5g86ns4c55w722
    [2011/12/12 16:16:35 | 000,012,428 | -HS- | M] () -- C:\Documents and Settings\mcneese72.MARTIN\Local Settings\Application Data\051281o7v803x658d453m2nis1i6
    [2011/12/12 16:16:35 | 000,012,428 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\051281o7v803x658d453m2nis1i6
    [2011/12/14 07:38:01 | 000,013,772 | -HS- | C] () -- C:\Documents and Settings\mcneese72.MARTIN\Local Settings\Application Data\5g86ns4c55w722
    [2011/05/16 06:28:26 | 000,000,144 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~18931492r
    [2011/05/16 06:28:26 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~18931492
    [2011/05/16 06:28:03 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\18931492

    :files
    C:\WINDOWS\tasks\*.job
    :Commands
    [resethosts]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MrC

Well, Mr. Charlie, I got hit by a virus (Windows XP Antivirus 2012) while viewing a sports message board last week. I ran ComboFix but it didn't finish running and aborted for some reason. I then ran Malwarebytes, which cleared up the virus, but the .exe file associations were still screwed up. I ran some program a friend pointed me to that fixes Windows exe associations, and that fixed it. I was good for two days and then, like a dumbass, visited the same sports message board and got hit with Windows XP Internet Security 2012. I'm not surfing the web anymore with the office desktop and its weakass AVG antivirus program. This one I couldn't clear up by just running Malwarebytes, thus I made my initial post in this string. So the aborted ComboFix was for this infection. Do you still want the log?

I'm going to go do what you suggested in your last post right now.

Thanks,

Doc


The above should have read "wasn't for this infection" instead of "was".

Doc

I tried both websites, browsed, and found the svcs.exe file. I hit the upload file button but nothing appeared to happen. ?????

Here is the log after I ran the OTL fix (it didn't ask me to reboot):

========== OTL ==========

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{A057A204-BACC-4D26-9990-79A187E2698E} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.

Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.

C:\Documents and Settings\mcneese72.MARTIN\Local Settings\Application Data\5g86ns4c55w722 moved successfully.

C:\Documents and Settings\All Users\Application Data\5g86ns4c55w722 moved successfully.

C:\Documents and Settings\mcneese72.MARTIN\Local Settings\Application Data\051281o7v803x658d453m2nis1i6 moved successfully.

C:\Documents and Settings\All Users\Application Data\051281o7v803x658d453m2nis1i6 moved successfully.

File C:\Documents and Settings\mcneese72.MARTIN\Local Settings\Application Data\5g86ns4c55w722 not found.

C:\Documents and Settings\All Users\Application Data\~18931492r moved successfully.

C:\Documents and Settings\All Users\Application Data\~18931492 moved successfully.

C:\Documents and Settings\All Users\Application Data\18931492 moved successfully.

========== FILES ==========

C:\WINDOWS\tasks\AppleSoftwareUpdate.job moved successfully.

C:\WINDOWS\tasks\At1.job moved successfully.

C:\WINDOWS\tasks\At10.job moved successfully.

C:\WINDOWS\tasks\At11.job moved successfully.

C:\WINDOWS\tasks\At12.job moved successfully.

C:\WINDOWS\tasks\At13.job moved successfully.

C:\WINDOWS\tasks\At14.job moved successfully.

C:\WINDOWS\tasks\At15.job moved successfully.

C:\WINDOWS\tasks\At16.job moved successfully.

C:\WINDOWS\tasks\At17.job moved successfully.

C:\WINDOWS\tasks\At18.job moved successfully.

C:\WINDOWS\tasks\At19.job moved successfully.

C:\WINDOWS\tasks\At2.job moved successfully.

C:\WINDOWS\tasks\At20.job moved successfully.

C:\WINDOWS\tasks\At21.job moved successfully.

C:\WINDOWS\tasks\At22.job moved successfully.

C:\WINDOWS\tasks\At23.job moved successfully.

C:\WINDOWS\tasks\At24.job moved successfully.

C:\WINDOWS\tasks\At25.job moved successfully.

C:\WINDOWS\tasks\At26.job moved successfully.

C:\WINDOWS\tasks\At27.job moved successfully.

C:\WINDOWS\tasks\At28.job moved successfully.

C:\WINDOWS\tasks\At29.job moved successfully.

C:\WINDOWS\tasks\At3.job moved successfully.

C:\WINDOWS\tasks\At30.job moved successfully.

C:\WINDOWS\tasks\At31.job moved successfully.

C:\WINDOWS\tasks\At32.job moved successfully.

C:\WINDOWS\tasks\At33.job moved successfully.

C:\WINDOWS\tasks\At34.job moved successfully.

C:\WINDOWS\tasks\At35.job moved successfully.

C:\WINDOWS\tasks\At36.job moved successfully.

C:\WINDOWS\tasks\At37.job moved successfully.

C:\WINDOWS\tasks\At38.job moved successfully.

C:\WINDOWS\tasks\At39.job moved successfully.

C:\WINDOWS\tasks\At4.job moved successfully.

C:\WINDOWS\tasks\At40.job moved successfully.

C:\WINDOWS\tasks\At41.job moved successfully.

C:\WINDOWS\tasks\At42.job moved successfully.

C:\WINDOWS\tasks\At43.job moved successfully.

C:\WINDOWS\tasks\At44.job moved successfully.

C:\WINDOWS\tasks\At45.job moved successfully.

C:\WINDOWS\tasks\At46.job moved successfully.

C:\WINDOWS\tasks\At47.job moved successfully.

C:\WINDOWS\tasks\At48.job moved successfully.

C:\WINDOWS\tasks\At5.job moved successfully.

C:\WINDOWS\tasks\At6.job moved successfully.

C:\WINDOWS\tasks\At7.job moved successfully.

C:\WINDOWS\tasks\At8.job moved successfully.

C:\WINDOWS\tasks\At9.job moved successfully.

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1577292782-2261485559-2658815546-1116Core.job moved successfully.

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1577292782-2261485559-2658815546-1116UA.job moved successfully.

========== COMMANDS ==========

HOSTS file reset successfully

OTL by OldTimer - Version 3.2.31.0 log created on 12192011_130900

Thanks,

Doc

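The ComboFix log posted below removes a c:\windows\$NtUninstallKB41000$ tree. Windows creates a $NtUninstallKBnnnnnn$ folder under C:\WINDOWS for each hotfix it installs, holding the spuninst uninstaller and the files the hotfix replaced, so every such folder should pair with an installed "(KBnnnnnn)" entry like the ones in the first post. A folder whose number pairs with nothing, and which holds cfg.ini, kwrd.dll and a keywords file instead of an uninstaller, is a hiding place, not an update. The cross-check below is an added example, not part of the original thread or of ComboFix; the installed-program excerpt and the directory listing are constructed from names on this page, and the function names are this example's own.

```python
"""Flag $NtUninstallKB...$ folders that match no installed update."""
import re

# Constructed excerpt of the "Installed Programs" list from the first post.
INSTALLED_PROGRAMS = """\
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951978)
Windows Genuine Advantage Notifications (KB905474)
Windows XP Service Pack 3
"""

# Constructed listing of C:\WINDOWS; KB41000 is the name ComboFix removes below.
WINDOWS_DIRS = [
    "$NtUninstallKB982665$",
    "$NtUninstallKB2641690$",
    "$NtUninstallKB41000$",
    "$NtServicePackUninstall$",
    "system32",
    "Tasks",
]

KB_IN_NAME = re.compile(r"\(KB(\d+)\)\s*$")
UNINSTALL_DIR = re.compile(r"^\$NtUninstallKB(\d+)\$$")


def installed_kbs(text):
    """KB numbers named in an Add/Remove-style program list."""
    kbs = set()
    for line in text.splitlines():
        m = KB_IN_NAME.search(line)
        if m:
            kbs.add(int(m.group(1)))
    return kbs


def orphan_uninstall_dirs(dirs, installed):
    """Uninstall folders whose KB number is not in the installed set."""
    orphans = []
    for d in dirs:
        m = UNINSTALL_DIR.match(d)
        if m and int(m.group(1)) not in installed:
            orphans.append(d)
    return orphans


def check(program_list, dirs):
    """Return a dict with the installed KB set and the orphan folders."""
    installed = installed_kbs(program_list)
    return {"installed": installed,
            "orphans": orphan_uninstall_dirs(dirs, installed)}


if __name__ == "__main__":
    result = check(INSTALLED_PROGRAMS, WINDOWS_DIRS)
    for d in result["orphans"]:
        print("no installed update for %s: inspect its contents" % d)
```

On a live XP box the directory list comes from `os.listdir(r"C:\WINDOWS")` and the installed list from the DDS or Add/Remove output. An orphan is a lead, not proof: confirm it by checking for a matching HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KBnnnnnn key and by looking at what the folder actually contains. A genuine uninstall folder has a spuninst subfolder and backed-up system files; the one in the log below has none of that.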

Delete your copy of ComboFix and download a fresh one and run as outlined:

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

MrC

Well, that was exciting. It found a rootkit infection, had to reboot a couple of times, and deleted a whole bunch of files and folders. And now I have lost my internet connection. Of course, somewhere along the line ComboFix said I might, and that I would have to rerun ComboFix to repair it. Do I run it again? I tried the manual repair with no success.

Below is the log file:

ComboFix 11-12-19.01 - mcneese72 12/19/2011 15:05:14.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2002.1392 [GMT -6:00]

Running from: c:\documents and settings\mcneese72.MARTIN\Desktop\ComboFix.exe

AV: AVG Internet Security Network Edition *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\aaitech.MARTIN\Desktop\Windows XP Recovery.lnk

c:\documents and settings\aaitech\Desktop\Windows XP Recovery.lnk

c:\documents and settings\aaitech\WINDOWS

c:\documents and settings\administrator.MARTIN.000\Desktop\Internet Explorer.lnk

c:\documents and settings\administrator.MARTIN.000\Start Menu\Internet Explorer.lnk

c:\documents and settings\Administrator.MARTIN\Desktop\Windows XP Recovery.lnk

c:\documents and settings\Administrator\Desktop\Windows XP Recovery.lnk

c:\documents and settings\All Users\Application Data\xml1.tmp

c:\documents and settings\All Users\Application Data\xml2.tmp

c:\documents and settings\All Users\Application Data\xml3.tmp

c:\documents and settings\All Users\Application Data\xml41.tmp

c:\documents and settings\All Users\Application Data\xml42.tmp

c:\documents and settings\Default User\Desktop\Windows XP Recovery.lnk

c:\documents and settings\mcneese72.MARTIN\Desktop\Internet Explorer.lnk

c:\documents and settings\mcneese72.MARTIN\Start Menu\Programs\Windows XP Recovery

c:\documents and settings\mcneese72.MARTIN\Start Menu\Programs\Windows XP Recovery\Uninstall Windows XP Recovery.lnk

c:\documents and settings\mcneese72.MARTIN\Start Menu\Programs\Windows XP Recovery\Windows XP Recovery.lnk

c:\documents and settings\mcneese72.MARTIN\WINDOWS

c:\documents and settings\user\Desktop\Windows XP Recovery.lnk

c:\windows\$NtUninstallKB41000$\1880408755

c:\windows\$NtUninstallKB41000$\780373675\@

c:\windows\$NtUninstallKB41000$\780373675\bckfg.tmp

c:\windows\$NtUninstallKB41000$\780373675\cfg.ini

c:\windows\$NtUninstallKB41000$\780373675\Desktop.ini

c:\windows\$NtUninstallKB41000$\780373675\keywords

c:\windows\$NtUninstallKB41000$\780373675\kwrd.dll

c:\windows\$NtUninstallKB41000$\780373675\L\dymsovmn

c:\windows\$NtUninstallKB41000$\780373675\lsflt7.ver

c:\windows\$NtUninstallKB41000$\780373675\U\00000001.@

c:\windows\$NtUninstallKB41000$\780373675\U\00000002.@

c:\windows\$NtUninstallKB41000$\780373675\U\00000004.@

c:\windows\$NtUninstallKB41000$\780373675\U\80000000.@

c:\windows\$NtUninstallKB41000$\780373675\U\80000004.@

c:\windows\$NtUninstallKB41000$\780373675\U\80000032.@

c:\windows\Downloaded Program Files\Install.inf

c:\windows\svcs.exe

c:\windows\system32\SET3CEC.tmp

c:\windows\system32\SET3CEF.tmp

c:\windows\system32\SET3CFB.tmp

c:\windows\system32\SET3CFD.tmp

c:\windows\$NtUninstallKB41000$ . . . . Failed to delete

.

c:\windows\system32\drivers\cdrom.sys was missing

Restored copy from - c:\windows\ServicePackFiles\i386\cdrom.sys

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_6TO4

-------\Service_.cdrom

-------\Service_6to4

-------\Service_Services

-------\Legacy_NetworkLog

-------\Service_NetworkLog

.

.

((((((((((((((((((((((((( Files Created from 2011-11-19 to 2011-12-19 )))))))))))))))))))))))))))))))

.

.

2011-12-19 21:49 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys

2011-12-19 21:49 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-12-19 19:09 . 2011-12-19 19:09 -------- d-----w- C:\_OTL

2011-12-19 15:12 . 2011-12-19 15:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

2011-12-14 17:30 . 2011-12-15 13:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-12-13 17:07 . 2011-12-13 17:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Intuit

2011-12-13 00:37 . 2011-12-14 18:57 -------- d-----w- c:\documents and settings\administrator.MARTIN.000

2011-12-12 23:01 . 2011-12-12 23:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2011-12-12 22:47 . 2011-12-12 22:47 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2011-11-28 13:31 . 2011-11-28 13:31 -------- d-sh--w- c:\documents and settings\mcneese72.MARTIN\IECompatCache

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-17 15:42 . 2011-06-28 14:05 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-10 14:22 . 2008-06-13 20:31 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06 . 2007-07-27 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 16:41 . 2007-10-09 17:03 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 16:41 . 2007-07-27 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 16:41 . 2007-07-27 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll

.

<pre>
c:\program files\AVG\AVG8\avgtray .exe
c:\program files\Common Files\Intuit\Sync\intuitsyncmanager .exe
</pre>

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2011-05-30 2495816]

.

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2011-05-30 16:33 2495816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2011-05-30 2495816]

.

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2011-05-30 2495816]

.

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"atchk"="c:\program files\Intel\AMT\atchk.exe" [2008-02-13 408088]

"WinVNC"="c:\program files\TightVNC\WinVNC.exe" [2007-05-07 589824]

"ipTray.exe"="c:\program files\Intel\IDU\iptray.exe" [2006-12-28 2242328]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-08-30 188416]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-10-19 1439496]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-13 134656]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-13 166912]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-13 135680]

"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"KDSDriverInstallMonitor"="c:\tw\KDSDriverInstallMonitor.exe" [2006-10-30 436736]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

.

c:\documents and settings\mcneese72.MARTIN\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

Pervasive.SQL Workgroup Engine.lnk - c:\pvsw\bin\w3dbsmgr.exe [2006-5-18 106546]

Printkey.exe [1999-5-20 589824]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-11-11 1155432]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

Pervasive.SQL Workgroup Engine.lnk - c:\pvsw\bin\w3dbsmgr.exe [2006-5-18 106546]

Printkey.exe [1999-5-20 589824]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-11-11 1155432]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"disablecad"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-01-19 18:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\PVSW\\bin\\w3dbsmgr.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/19/2010 12:00 PM 12552]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/19/2010 12:00 PM 335240]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/19/2010 12:00 PM 108552]

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/16/2011 7:12 AM 98392]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/19/2010 11:59 AM 908056]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/19/2010 11:59 AM 297752]

R2 RVGNetworkConfigurationService;RVG Network Configuration Service;c:\program files\Common Files\Trophy\Services\RVGNetworkConfiguration\RVGNetworkConfiguration.exe [4/9/2010 8:14 AM 40960]

R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [6/13/2008 4:35 PM 98488]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [6/13/2008 2:59 PM 2525720]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/20/2009 2:02 PM 24652]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG8\Toolbar\ToolbarBroker.exe [10/26/2010 7:42 AM 1025352]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.geauxcowboys.com/homepage.asp

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

TCP: Interfaces\{BB876675-C682-48A9-AD6A-582B79B100A9}: NameServer = 10.1.1.10

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://134.250.150.60/SysCamInst.cab

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-RVGInstaller - c:\windows\TEMP\DriverRVG\RVG-uninst.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-19 16:15

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3912)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

c:\program files\Intel\AMT\atchksrv.exe

c:\progra~1\AVG\AVG8\avgam.exe

c:\progra~1\AVG\AVG8\avgrsx.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\windows\system32\crypserv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Intel\AMT\LMS.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\SearchProtocolHost.exe

c:\documents and settings\All Users\Start Menu\Programs\Startup\Printkey.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\windows\system32\SearchFilterHost.exe

.

**************************************************************************

.

Completion time: 2011-12-19 16:23:28 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-19 22:23

.

Pre-Run: 27,701,948,416 bytes free

Post-Run: 33,310,724,096 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

redirect=usebiossettings

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /redirect

.

- - End Of File - - 0EA9DA8DDD79CDFAB2599BAF2F6CC572

I haven't had time to see what exactly might be messed up besides the internet connection.

Doc

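The ComboFix log above is long, and the lines that matter are scattered across three sections: the $NtUninstallKB41000$\780373675\ tree with its "@" file and U\ and L\ subfolders (the thread never names the family, but that layout is the one commonly documented for the ZeroAccess/Sirefef rootkit, which is presumably the "rootkit infection" Doc mentions), the cdrom.sys driver that had gone missing and was restored, the services ComboFix removed, and the registry values showing the firewall switched off, Security Center alerts suppressed, and TCP 3389 opened to everyone. The script below is an added example, not part of the thread or of ComboFix. It reads a log excerpt constructed from the lines in the post above and prints triage findings. The section banners and value formats it parses are taken from this log; the severity labels and the list of "weak" registry values are my own choices and are assumptions, not anything ComboFix defines.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt: lines copied from the ComboFix log in the post above,
# trimmed to the three sections this triage script reads.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\$NtUninstallKB41000$\780373675\@
c:\windows\$NtUninstallKB41000$\780373675\cfg.ini
c:\windows\$NtUninstallKB41000$\780373675\L\dymsovmn
c:\windows\$NtUninstallKB41000$\780373675\U\00000001.@
c:\windows\$NtUninstallKB41000$ . . . . Failed to delete
c:\windows\system32\drivers\cdrom.sys was missing
Restored copy from - c:\windows\ServicePackFiles\i386\cdrom.sys
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Service_.cdrom
-------\Service_6to4
-------\Service_Services
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

Finding = Tuple[str, str, str]  # (severity, section, detail)
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
REMOVED_RE = re.compile(r"^-------\\(Service|Legacy)_(.+)$")
# A genuine $NtUninstall*$ folder holds an uninstaller; a numbered subfolder with @/U/L entries does not belong there.
FAKE_KB_RE = re.compile(r"^(?P<root>c:\\windows\\\$ntuninstall[^\\]+\$\\\d+)\\(?P<rest>.+)$", re.IGNORECASE)
# Registry values that switch off or silence the host's own defences (name -> the bad value); my own list.
WEAK_VALUES = {"antivirusoverride": "1", "firewalloverride": "1", "enablefirewall": "0", "disablenotifications": "1"}


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty log lines under the '((( Name )))' banner that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def check_deletions(lines: List[str]) -> List[Finding]:
    out: List[Finding] = []
    payload_dirs: Dict[str, Set[str]] = {}
    for line in lines:
        m = FAKE_KB_RE.match(line)
        if m:
            payload_dirs.setdefault(m.group("root").lower(), set()).add(m.group("rest"))
        elif line.lower().endswith("failed to delete"):
            out.append(("high", "Other Deletions", "still present after cleanup: " + line.split(" . ")[0]))
        elif line.lower().endswith(" was missing"):
            out.append(("high", "Other Deletions", "system file was missing (ComboFix restored it): " + line[:-len(" was missing")]))
    for root, children in payload_dirs.items():
        if any(c == "@" or c.upper().startswith(("U\\", "L\\")) for c in children):
            out.append(("high", "Other Deletions", f"{root}: @/U/L payload layout under a fake update-uninstall folder ({len(children)} entries)"))
    return out


def check_registry(lines: List[str]) -> List[Finding]:
    out: List[Finding] = []
    key = ""
    for line in lines:
        if line.startswith("["):
            key = line.strip("[]")
            continue
        v = VALUE_RE.match(line)
        if not v:
            continue
        name, value = v.group(1), v.group(2).strip()
        digits = re.search(r"\d+", value)  # '0 (0x0)' and 'dword:00000001' both normalise to an integer
        normalised = str(int(digits.group())) if digits else value
        if WEAK_VALUES.get(name.lower()) == normalised:
            out.append(("medium", "Reg Loading Points", f"{key}\\{name} = {value}"))
        if "globallyopenports" in key.lower():
            out.append(("medium", "Reg Loading Points", f"firewall port open to all hosts: {name}"))
    return out


def triage(log_text: str) -> List[Finding]:
    s = split_sections(log_text)
    removed = [("medium", "Drivers/Services", f"removed {m.group(1).lower()} entry: {m.group(2)}")
               for m in map(REMOVED_RE.match, s.get("Drivers/Services", [])) if m]
    return check_deletions(s.get("Other Deletions", [])) + removed + check_registry(s.get("Reg Loading Points", []))


if __name__ == "__main__":
    for severity, section, detail in triage(SAMPLE_LOG):
        print(f"[{severity:>6}] {section}: {detail}")
```

Run it on the full C:\ComboFix.txt and the "high" lines are the ones to chase first: a folder that survived deletion is still on disk, and a restored driver means the original was overwritten or removed, so the machine's other drivers deserve a look as well. The registry findings are not malware by themselves, but a firewall turned off with 3389 open and Security Center told not to complain is exactly the state an infected machine tends to be left in.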

Okay, ran ComboFix again. Still can't get an internet connection, nor can I connect to my network server. Tried connecting the desktop directly to the cable modem, bypassing the router and network, and still couldn't get an internet connection. The computer runs okay right after startup but then gets slow as molasses very shortly.

What next?

Here is the latest ComboFix log:

ComboFix 11-12-19.01 - mcneese72 12/20/2011 8:28.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2002.122 [GMT -6:00]

Running from: c:\documents and settings\mcneese72.MARTIN\Desktop\ComboFix.exe

AV: AVG Internet Security Network Edition *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_Services

.

.

((((((((((((((((((((((((( Files Created from 2011-11-20 to 2011-12-20 )))))))))))))))))))))))))))))))

.

.

2011-12-19 21:49 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys

2011-12-19 21:49 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-12-19 19:09 . 2011-12-19 19:09 -------- d-----w- C:\_OTL

2011-12-19 15:12 . 2011-12-19 15:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

2011-12-14 17:30 . 2011-12-15 13:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-12-13 17:07 . 2011-12-13 17:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Intuit

2011-12-13 00:37 . 2011-12-14 18:57 -------- d-----w- c:\documents and settings\administrator.MARTIN.000

2011-12-12 23:01 . 2011-12-12 23:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2011-12-12 22:47 . 2011-12-12 22:47 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2011-11-28 13:31 . 2011-11-28 13:31 -------- d-sh--w- c:\documents and settings\mcneese72.MARTIN\IECompatCache

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-17 15:42 . 2011-06-28 14:05 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-10 14:22 . 2008-06-13 20:31 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06 . 2007-07-27 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 16:41 . 2007-10-09 17:03 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 16:41 . 2007-07-27 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 16:41 . 2007-07-27 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll

.

<pre>
c:\program files\AVG\AVG8\avgtray .exe
c:\program files\Common Files\Intuit\Sync\intuitsyncmanager .exe
c:\program files\iTunes\ituneshelper .exe
</pre>

.

((((((((((((((((((((((((((((( SnapShot@2011-12-19_22.15.45 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-12-20 15:35 . 2011-12-20 15:35 16384 c:\windows\Temp\Perflib_Perfdata_24c.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2011-05-30 2495816]

.

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2011-05-30 16:33 2495816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2011-05-30 2495816]

.

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2011-05-30 2495816]

.

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"atchk"="c:\program files\Intel\AMT\atchk.exe" [2008-02-13 408088]

"WinVNC"="c:\program files\TightVNC\WinVNC.exe" [2007-05-07 589824]

"ipTray.exe"="c:\program files\Intel\IDU\iptray.exe" [2006-12-28 2242328]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-08-30 188416]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-10-19 1439496]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-13 134656]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-13 166912]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-13 135680]

"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"KDSDriverInstallMonitor"="c:\tw\KDSDriverInstallMonitor.exe" [2006-10-30 436736]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

.

c:\documents and settings\mcneese72.MARTIN\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

Pervasive.SQL Workgroup Engine.lnk - c:\pvsw\bin\w3dbsmgr.exe [2006-5-18 106546]

Printkey.exe [1999-5-20 589824]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-11-11 1155432]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

Pervasive.SQL Workgroup Engine.lnk - c:\pvsw\bin\w3dbsmgr.exe [2006-5-18 106546]

Printkey.exe [1999-5-20 589824]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-11-11 1155432]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"disablecad"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-01-19 18:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\PVSW\\bin\\w3dbsmgr.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/19/2010 12:00 PM 12552]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/19/2010 12:00 PM 335240]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/19/2010 12:00 PM 108552]

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/16/2011 7:12 AM 98392]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/19/2010 11:59 AM 908056]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/19/2010 11:59 AM 297752]

R2 RVGNetworkConfigurationService;RVG Network Configuration Service;c:\program files\Common Files\Trophy\Services\RVGNetworkConfiguration\RVGNetworkConfiguration.exe [4/9/2010 8:14 AM 40960]

R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [6/13/2008 4:35 PM 98488]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [6/13/2008 2:59 PM 2525720]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/20/2009 2:02 PM 24652]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG8\Toolbar\ToolbarBroker.exe [10/26/2010 7:42 AM 1025352]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.geauxcowboys.com/homepage.asp

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

TCP: Interfaces\{BB876675-C682-48A9-AD6A-582B79B100A9}: NameServer = 10.1.1.10

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://134.250.150.60/SysCamInst.cab

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-20 09:35

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(2088)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

c:\program files\Intel\AMT\atchksrv.exe

c:\progra~1\AVG\AVG8\avgam.exe

c:\progra~1\AVG\AVG8\avgrsx.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\windows\system32\crypserv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Intel\AMT\LMS.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\RTHDCPL.EXE

c:\documents and settings\All Users\Start Menu\Programs\Startup\Printkey.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\windows\system32\SearchProtocolHost.exe

c:\windows\system32\SearchFilterHost.exe

.

**************************************************************************

.

Completion time: 2011-12-20 09:41:39 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-20 15:41

ComboFix2.txt 2011-12-19 22:23

.

Pre-Run: 33,313,214,464 bytes free

Post-Run: 33,286,377,472 bytes free

.

- - End Of File - - D068674D8692953CB7CE8939F0E3F70E

Thanks,

Doc


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

RenV::

c:\program files\AVG\AVG8\avgtray .exe

c:\program files\Common Files\Intuit\Sync\intuitsyncmanager .exe

c:\program files\iTunes\ituneshelper .exe

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC

---------------------------

Take a look in this folder and see what's in it:

C:\Qoobox\Quarantine

------------------------------

Take a look in the Device Manager and see if any of these are disabled as ComboFix discovered:

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Intel® 82566DM-2 Gigabit Network Connection

Device ID: PCI\VEN_8086&DEV_10BD&SUBSYS_00018086&REV_02\3&61AAA01&0&C8

Manufacturer: Intel

Name: Intel® 82566DM-2 Gigabit Network Connection

PNP Device ID: PCI\VEN_8086&DEV_10BD&SUBSYS_00018086&REV_02\3&61AAA01&0&C8

Service: e1express

.

Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}

Description: CD-ROM Drive

Device ID: USBSTOR\CDROM&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_8.01\1101610EF7C2E6CE&1

Manufacturer: (Standard CD-ROM drives)

Name: SanDisk U3 Cruzer Micro USB Device

PNP Device ID: USBSTOR\CDROM&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_8.01\1101610EF7C2E6CE&1

Service: cdrom

.

Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}

Description: CD-ROM Drive

Device ID: IDE\CDROMDVDROM_PATA_16X48X______________________HA31____\6&19E3BCC4&0&0.0.0

Manufacturer: (Standard CD-ROM drives)

Name: DVDROM PATA 16X48X

PNP Device ID: IDE\CDROMDVDROM_PATA_16X48X______________________HA31____\6&19E3BCC4&0&0.0.0

Service: cdrom

.

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description:

Device ID: ACPI\WEC1000\4&376E3BFF&0

Manufacturer:

Name:

PNP Device ID: ACPI\WEC1000\4&376E3BFF&0

Service:

--------------------------------

MrC

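The three RenV:: entries in the script above are executables whose file name carries a space before the extension (avgtray .exe rather than avgtray.exe); ComboFix prints such files in the section of its log enclosed in pre tags, and the CFScript asks it to rename them. Before renaming anything back, a responder wants to know whether some other file now sits under the real name, because renaming over it destroys the thing you most want to quarantine and examine. The script below is an added example, not part of the thread or of ComboFix: it walks a directory tree, lists every executable with a trailing space in its stem, checks whether the un-spaced name is already occupied, and renames only where it is free. The directory layout it builds is constructed to mirror the three entries, plus one made-up impostor case; the paths and file contents are not from the infected machine.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import List

EXECUTABLE_EXTS = (".exe", ".dll", ".sys")


@dataclass
class SpacedExecutable:
    spaced_path: str        # the odd name, e.g. ...\avgtray .exe
    real_path: str          # the name it should have, e.g. ...\avgtray.exe
    impostor_present: bool  # True if some other file already sits under real_path


def find_spaced_executables(root: str) -> List[SpacedExecutable]:
    """Walk root and report every executable whose stem ends in whitespace."""
    hits: List[SpacedExecutable] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() in EXECUTABLE_EXTS and stem != stem.rstrip():
                real = os.path.join(dirpath, stem.rstrip() + ext)
                hits.append(SpacedExecutable(os.path.join(dirpath, name), real, os.path.exists(real)))
    return sorted(hits, key=lambda h: h.spaced_path)


def restore_names(hits: List[SpacedExecutable], dry_run: bool = True) -> List[str]:
    """Rename 'name .exe' back to 'name.exe', but only where nothing occupies the real name."""
    actions: List[str] = []
    for h in hits:
        if h.impostor_present:
            # Renaming over the impostor would destroy the evidence; quarantine it first.
            actions.append(f"SKIP   {h.spaced_path} ({os.path.basename(h.real_path)} is occupied)")
            continue
        actions.append(f"RENAME {h.spaced_path} -> {h.real_path}")
        if not dry_run:
            os.rename(h.spaced_path, h.real_path)
    return actions


def build_demo_tree() -> str:
    """Constructed sample tree mirroring the three RenV:: entries, plus one impostor case."""
    root = tempfile.mkdtemp(prefix="spaced_exe_")
    layout = {
        "AVG/AVG8/avgtray .exe": b"MZ original tray",
        "Common Files/Intuit/Sync/intuitsyncmanager .exe": b"MZ original sync manager",
        "iTunes/ituneshelper .exe": b"MZ original helper",
        "iTunes/ituneshelper.exe": b"MZ unknown file on the real name",  # hypothetical impostor
        "iTunes/iTunes.exe": b"MZ untouched",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for action in restore_names(find_spaced_executables(demo), dry_run=True):
        print(action)
```

On a real machine, point find_spaced_executables at C:\Program Files and keep dry_run=True until the SKIP lines have been dealt with; a file sitting on the real name next to a spaced-out original is the one to hash, quarantine and look at, not the one to overwrite.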

Dumb question. Do I drag the script into the ComboFix icon after it is running or before?

In the Qoobox Quarantine folder there is a folder called C. In that folder there is a Documents and Settings folder. Subfolders of that folder are named for all the users on the computer (I didn't create them; the IT people who put together this network did that). Most of the username folders (the ones that aren't used) just have a desktop folder with a file called Windows XP Recovery.link.vir in them. The All Users folder has an Application Data folder with some xml#.temp.vir files which I think were left over from the previous infection. All the files in the folders have a .vir designation at the end.

The other main folder in the Qoobox Quarantine folder is called Registry backups. There are seven files with a .dat designation and one called tcpip.reg.

Looking at the properties of the Intel 2-Gigabit Network Connection, it says this device is working properly. I assume that means it is enabled. It is in the enable/disable device as enabled.

It says that the Cruzer thumbdrive is working properly.

It says the cdrom device is working properly.

I'm not sure of the last device. The only thing I can find with the ACPI designation is the ACPI Multiprocessor PC under computer and that is working properly.

Doc


Dumb question. Do I drag the script into the ComboFix icon after it is running or before?

Before; that will start CF running. MrC

Done. Here is the latest ComboFix log. What next?

ComboFix 11-12-19.01 - mcneese72 12/20/2011 15:36:56.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2002.1368 [GMT -6:00]

Running from: c:\documents and settings\mcneese72.MARTIN\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\mcneese72.MARTIN\Desktop\CFScript.txt

AV: AVG Internet Security Network Edition *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_Services

.

.

((((((((((((((((((((((((( Files Created from 2011-11-20 to 2011-12-20 )))))))))))))))))))))))))))))))

.

.

2011-12-19 21:49 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys

2011-12-19 21:49 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-12-19 19:09 . 2011-12-19 19:09 -------- d-----w- C:\_OTL

2011-12-19 15:12 . 2011-12-19 15:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

2011-12-14 17:30 . 2011-12-15 13:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-12-13 17:07 . 2011-12-13 17:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Intuit

2011-12-13 00:37 . 2011-12-20 17:01 -------- d-----w- c:\documents and settings\administrator.MARTIN.000

2011-12-12 23:01 . 2011-12-12 23:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2011-12-12 22:47 . 2011-12-12 22:47 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2011-11-28 13:31 . 2011-11-28 13:31 -------- d-sh--w- c:\documents and settings\mcneese72.MARTIN\IECompatCache

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-17 15:42 . 2011-06-28 14:05 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-10 14:22 . 2008-06-13 20:31 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06 . 2007-07-27 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 16:41 . 2007-10-09 17:03 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 16:41 . 2007-07-27 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 16:41 . 2007-07-27 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll

.

c:\program files\iTunes\ituneshelper .exe

.

((((((((((((((((((((((((((((( SnapShot@2011-12-19_22.15.45 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-12-20 21:49 . 2011-12-20 21:49 16384 c:\windows\Temp\Perflib_Perfdata_248.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2011-05-30 2495816]

.

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2011-05-30 16:33 2495816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2011-05-30 2495816]

.

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2011-05-30 2495816]

.

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"atchk"="c:\program files\Intel\AMT\atchk.exe" [2008-02-13 408088]

"WinVNC"="c:\program files\TightVNC\WinVNC.exe" [2007-05-07 589824]

"ipTray.exe"="c:\program files\Intel\IDU\iptray.exe" [2006-12-28 2242328]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-08-30 188416]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-11-26 1087752]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-13 134656]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-13 166912]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-13 135680]

"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"KDSDriverInstallMonitor"="c:\tw\KDSDriverInstallMonitor.exe" [2006-10-30 436736]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

.

c:\documents and settings\mcneese72.MARTIN\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

Pervasive.SQL Workgroup Engine.lnk - c:\pvsw\bin\w3dbsmgr.exe [2006-5-18 106546]

Printkey.exe [1999-5-20 589824]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-11-11 1155432]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

Pervasive.SQL Workgroup Engine.lnk - c:\pvsw\bin\w3dbsmgr.exe [2006-5-18 106546]

Printkey.exe [1999-5-20 589824]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-11-11 1155432]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"disablecad"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-01-19 18:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\PVSW\\bin\\w3dbsmgr.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/19/2010 12:00 PM 12552]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/19/2010 12:00 PM 335240]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/19/2010 12:00 PM 108552]

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/16/2011 7:12 AM 98392]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/19/2010 11:59 AM 908056]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/19/2010 11:59 AM 297752]

R2 RVGNetworkConfigurationService;RVG Network Configuration Service;c:\program files\Common Files\Trophy\Services\RVGNetworkConfiguration\RVGNetworkConfiguration.exe [4/9/2010 8:14 AM 40960]

R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [6/13/2008 4:35 PM 98488]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [6/13/2008 2:59 PM 2525720]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/20/2009 2:02 PM 24652]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG8\Toolbar\ToolbarBroker.exe [10/26/2010 7:42 AM 1025352]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.geauxcowboys.com/homepage.asp

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

TCP: Interfaces\{BB876675-C682-48A9-AD6A-582B79B100A9}: NameServer = 10.1.1.10

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://134.250.150.60/SysCamInst.cab

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-20 15:51

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3524)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

c:\program files\Intel\AMT\atchksrv.exe

c:\progra~1\AVG\AVG8\avgam.exe

c:\progra~1\AVG\AVG8\avgrsx.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\windows\system32\crypserv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Intel\AMT\LMS.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\RTHDCPL.EXE

c:\documents and settings\All Users\Start Menu\Programs\Startup\Printkey.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\windows\system32\SearchProtocolHost.exe

c:\windows\system32\SearchFilterHost.exe

.

**************************************************************************

.

Completion time: 2011-12-20 15:57:04 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-20 21:57

ComboFix2.txt 2011-12-20 15:41

ComboFix3.txt 2011-12-19 22:23

.

Pre-Run: 31,055,593,472 bytes free

Post-Run: 33,223,020,544 bytes free

.

- - End Of File - - A7DC369A12D6A71295A596E581A5C50E

Doc


c:\program files\iTunes\ituneshelper .exe

This program was corrupted by malware at some time in the past and should be reinstalled at some point.

--------------------------------

I see you have a ton of restore points; try to restore the computer to before the problems started.

http://support.microsoft.com/kb/306084

Let me know...MrC

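The ComboFix output quoted above carries several findings a defender would want to pull out quickly: the Security Center override values, the disabled Windows Firewall with notifications suppressed, the globally open 3389/TCP port, the DPF entry that pulls a CAB file from a bare IP address, and the "ituneshelper .exe" file name with a space before the extension that MrC calls out. The script below is an added example written for this thread (it is not code from the thread, from ComboFix or from Malwarebytes). It parses a few log lines constructed from the quoted log and returns the indicators as a list of findings; the section names, value formats and regular expressions are assumptions based on how the log reads here, not a documented ComboFix format.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not ComboFix code).

It reads lines constructed from the log quoted in this thread and flags settings a
defender would review: Security Center overrides, a disabled Windows Firewall,
globally opened ports, DPF (ActiveX) downloads from a bare IP address, and
executable names with a space before the extension.
"""
import re

# Sample lines constructed from the log quoted above (not a complete ComboFix log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
c:\program files\iTunes\ituneshelper .exe
DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://134.250.150.60/SysCamInst.cab
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# A non-space character, then whitespace, then ".exe" at end of line ("helper .exe").
ODD_EXE_RE = re.compile(r"\S\s+\.exe\s*$", re.IGNORECASE)
# DPF line whose download host is a bare IPv4 address ("hxxp" is the log's defanged "http").
DPF_IP_RE = re.compile(r"^DPF:.*hxxps?://(\d{1,3}(?:\.\d{1,3}){3})/", re.IGNORECASE)


def parse_values(log_text):
    """Yield (section, name, value) for every '"Name"=value' line under a [section] header."""
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and section is not None:
            yield section, m.group(1), m.group(2).strip()


def dword_is_set(value):
    """True for 'dword:00000001' and for ComboFix's '1 (0x1)' rendering; False for zero."""
    v = value.lower()
    if v.startswith("dword:"):
        return int(v[len("dword:"):], 16) != 0
    m = re.match(r"(\d+)", v)
    return bool(m) and int(m.group(1)) != 0


def triage(log_text):
    """Return a list of human-readable findings for the indicators described above."""
    findings = []
    for section, name, value in parse_values(log_text):
        profile = section.split("\\")[-1]
        if "security center" in section and name in ("AntiVirusOverride", "FirewallOverride") \
                and dword_is_set(value):
            findings.append(f"Security Center alerting suppressed: {name}={value}")
        elif "firewallpolicy" in section and name == "EnableFirewall" and not dword_is_set(value):
            findings.append(f"Windows Firewall disabled in {profile}")
        elif "firewallpolicy" in section and name == "DisableNotifications" and dword_is_set(value):
            findings.append(f"Firewall notifications disabled in {profile}")
        elif section.endswith("globallyopenports\\list"):
            findings.append(f"Globally open port: {name}")
    for raw in log_text.splitlines():
        line = raw.strip()
        if ODD_EXE_RE.search(line):
            findings.append(f"Executable name with space before extension: {line}")
        m = DPF_IP_RE.match(line)
        if m:
            findings.append(f"DPF download from bare IP address {m.group(1)}: {line}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The checks are deliberately narrow: a value of 1 in `AntiVirusOverride` or `FirewallOverride` means the Security Center will not warn about missing or disabled protection, `EnableFirewall` of 0 with `DisableNotifications` of 1 means the firewall is off and the user is not told, and a space inside an executable name is the same cue ComboFix itself singled out in the log. Treat each hit as something to review in context rather than proof of compromise on its own.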

c:\program files\iTunes\ituneshelper .exe

This program was corrupted by malware at some time in the past and should be reinstalled at some point.

--------------------------------

I see you have a ton of restore points; try to restore the computer to before the problems started.

http://support.microsoft.com/kb/306084

Let me know...MrC

At home now. Will do tomorrow when I get back to the office. My QuickBooks is the most critical thing on my office desktop. I installed QuickBooks on my laptop and restored my company files on it tonight. Just in case. :)

Doc


ComboFix creates a restore point just before it runs; doesn't that one work either??

It also makes a complete backup of the registry located here:

Windows\ERDNT\hiv-backup\erdnt.exe

MrC

I ran that restore point last. I thought it said it was unsuccessful, but it took a lot longer and the computer is running normally as far as speed goes. But I have limited or no connectivity with my network connection. When I run repair, it says it cannot renew the IP address.

Of course, the rootkit virus is probably back, too. Looking at the files with Windows Explorer, there are a lot of them back with spidery-looking icons on them.

Doc
