
HDD Crash Virus



2700 Athlon, 3.3 GB RAM, Windows XP SP3

I was on the internet this morning when Firefox suddenly closed and my Trend Micro popped up saying it had just stopped an executable file. I attempted to go back on the internet when I got a pop-up message saying my HDD was damaged and needed to be scanned/repaired. I cancelled the prompts and then my computer automatically rebooted. Now my desktop is blank, as well as all folders/programs.

I am currently scanning the entire drive with Trend Micro (it's the only thing that works) and nothing has turned up yet.

How can I get access to my programs to run MBAM?


Log from 1st scan

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.03.29.06

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Chris :: UPGRAYEDD [administrator]

3/29/2012 12:42:48 PM

mbam-log-2012-03-29 (12-42-48).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 295491

Time elapsed: 1 hour(s), 28 minute(s), 23 second(s)

Memory Processes Detected: 2

C:\Documents and Settings\Chris\Application Data\hpkqqdof.exe (Trojan.LockScreen) -> 384 -> Delete on reboot.

C:\Documents and Settings\Chris\Application Data\hpkqqdof.exe (Trojan.LockScreen) -> 1968 -> Delete on reboot.

Memory Modules Detected: 1

C:\Documents and Settings\Chris\Application Data\dplayx.dll (Trojan.QHost.BG) -> Delete on reboot.

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 2

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|PC Health Status (Trojan.LockScreen) -> Data: C:\Documents and Settings\Chris\Application Data\hpkqqdof.exe -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|PC Health Status (Trojan.LockScreen) -> Data: C:\Documents and Settings\Chris\Application Data\hpkqqdof.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 6

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 5

C:\Documents and Settings\All Users\Application Data\piQMlgQnBkGLi.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.

C:\Documents and Settings\Chris\Application Data\dplaysvr.exe (Trojan.Ransom) -> Delete on reboot.

C:\Documents and Settings\Chris\Local Settings\Temp\cgs8h0.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.

C:\Documents and Settings\Chris\Application Data\dplayx.dll (Trojan.QHost.BG) -> Delete on reboot.

C:\Documents and Settings\Chris\Application Data\hpkqqdof.exe (Trojan.LockScreen) -> Delete on reboot.

(end)

Log from 2nd scan

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.03.29.06

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Chris :: UPGRAYEDD [administrator]

Protection: Enabled

3/29/2012 2:44:28 PM

mbam-log-2012-03-29 (14-44-28).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 291081

Time elapsed: 42 minute(s), 15 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 2

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dplaysvr (Trojan.QHost.BG) -> Data: C:\Documents and Settings\Chris\Application Data\dplaysvr.exe -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dplaysvr (Trojan.QHost.BG) -> Data: C:\Documents and Settings\Chris\Application Data\dplaysvr.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

What further steps should I take to clean my computer?


DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29

Run by Chris at 16:06:49 on 2012-03-29

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3455.2263 [GMT -5:00]

.

AV: Trend Micro Titanium Internet Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

svchost.exe

C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

F:\Video\Handycam\PMBVolumeWatcher.exe

D:\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

F:\Malwarebytes' Anti-Malware\mbamservice.exe

F:\Nero\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\nvsvc32.exe

F:\Video\Handycam\PMBDeviceInfoProvider.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE

C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

C:\Documents and Settings\All Users\Application Data\84WV644W.exe

C:\Documents and Settings\All Users\Application Data\84WV644W.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\All Users\Application Data\84WV644W.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wscntfy.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.globeandmail.com/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\1.5.1505\6.6.1088\TmIEPlg.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL

BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1

mRun: [Adobe Reader Speed Launcher] "d:\adobe\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Trend Micro Titanium] "c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe" -set Silent "1" SplashURL ""

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices

mRun: [PMBVolumeWatcher] f:\video\handycam\PMBVolumeWatcher.exe

mRun: [NBKeyScan] "f:\nero\nero\nero8\nero backitup\NBKeyScan.exe"

mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"

mRun: [updatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\9.0"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "d:\itunes\iTunesHelper.exe"

mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Malwarebytes' Anti-Malware] "f:\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32

dRunOnce: [iE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart

dRunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.photolab.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll

Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\1.5.1505\6.6.1088\TmIEPlg.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL

Hosts: 94.63.147.16 www.google.com

Hosts: 94.63.147.17 www.bing.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\chris\application data\mozilla\firefox\profiles\61igybtb.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.globeandmail.com/

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll

FF - plugin: d:\adobe\reader\browser\nppdf32.dll

FF - plugin: d:\itunes\mozilla plugins\npitunes.dll

.

============= SERVICES / DRIVERS ===============

.

R2 MBAMService;MBAMService;f:\malwarebytes' anti-malware\mbamservice.exe [2011-6-21 652360]

R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;f:\video\handycam\PMBDeviceInfoProvider.exe [2009-10-24 360224]

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-12-23 64080]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-1-7 20464]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2010-10-30 39456]

R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-10-30 876288]

S2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2010-12-23 188272]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S3 ZOOM_R16MTR;ZOOM R16_R24 Audio Interface;c:\windows\system32\drivers\zmr16usbaudio.sys [2011-12-11 79360]

.

=============== Created Last 30 ================

.

2012-03-29 16:10:28 99328 ----a-w- c:\documents and settings\all users\application data\84WV644W.exe

2012-03-29 16:10:26 99328 ----a-w- c:\documents and settings\chris\application data\3C7FC64A.exe

2012-03-21 03:22:26 -------- d-----w- c:\documents and settings\chris\local settings\application data\PCHealth

2012-03-18 00:39:51 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll

2012-03-18 00:39:51 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll

.

==================== Find3M ====================

.

2012-02-03 09:26:17 1869184 ----a-w- c:\windows\system32\win32k.sys

2012-01-21 22:04:51 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-01-21 22:04:51 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll

2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys

.

============= FINISH: 16:07:08.32 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 10/30/2010 2:16:21 PM

System Uptime: 3/29/2012 3:31:41 PM (1 hours ago)

.

Motherboard: ASUSTeK Computer INC. | | M3N78-VM

Processor: AMD Athlon 7750 Dual-Core Processor | AM2 | 2699/200mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 39 GiB total, 11.061 GiB free.

D: is FIXED (NTFS) - 78 GiB total, 32.817 GiB free.

E: is CDROM (CDFS)

F: is FIXED (NTFS) - 69 GiB total, 25.126 GiB free.

G: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP527: 2/25/2012 3:30:03 AM - System Checkpoint

RP528: 2/26/2012 3:32:06 AM - System Checkpoint

RP529: 2/27/2012 3:35:22 AM - System Checkpoint

RP530: 2/28/2012 3:37:29 AM - System Checkpoint

RP531: 2/29/2012 3:42:38 AM - System Checkpoint

RP532: 3/1/2012 3:44:51 AM - System Checkpoint

RP533: 3/2/2012 3:48:02 AM - System Checkpoint

RP534: 3/3/2012 3:50:04 AM - System Checkpoint

RP535: 3/4/2012 3:53:10 AM - System Checkpoint

RP536: 3/5/2012 3:56:15 AM - System Checkpoint

RP537: 3/6/2012 3:58:23 AM - System Checkpoint

RP538: 3/7/2012 8:59:51 AM - System Checkpoint

RP539: 3/8/2012 10:04:26 AM - System Checkpoint

RP540: 3/9/2012 11:05:51 AM - System Checkpoint

RP541: 3/10/2012 12:16:39 PM - System Checkpoint

RP542: 3/11/2012 2:13:06 PM - System Checkpoint

RP543: 3/12/2012 3:09:54 PM - System Checkpoint

RP544: 3/13/2012 4:03:12 PM - System Checkpoint

RP545: 3/14/2012 4:33:42 PM - System Checkpoint

RP546: 3/15/2012 3:00:15 AM - Software Distribution Service 3.0

RP547: 3/16/2012 3:18:18 AM - System Checkpoint

RP548: 3/17/2012 3:20:24 AM - System Checkpoint

RP549: 3/18/2012 3:21:25 AM - System Checkpoint

RP550: 3/19/2012 3:24:42 AM - System Checkpoint

RP551: 3/20/2012 3:26:49 AM - System Checkpoint

RP552: 3/21/2012 3:28:58 AM - System Checkpoint

RP553: 3/22/2012 3:31:05 AM - System Checkpoint

RP554: 3/23/2012 3:35:06 AM - System Checkpoint

RP555: 3/24/2012 3:37:07 AM - System Checkpoint

RP556: 3/25/2012 3:39:12 AM - System Checkpoint

RP557: 3/26/2012 3:41:20 AM - System Checkpoint

RP558: 3/27/2012 3:44:26 AM - System Checkpoint

RP559: 3/28/2012 4:04:16 AM - System Checkpoint

RP560: 3/29/2012 4:07:30 AM - System Checkpoint

.

==== Installed Programs ======================

.

Adobe Flash Player 10 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader 8.2.6

AMD Processor Driver

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Bonjour

Canon MP Navigator EX 1.2

Canon MP190 series MP Drivers

Canon My Printer

Canon Utilities Easy-PhotoPrint EX

Canon Utilities Solution Menu

CyberLink PowerDirector

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

DVD Shrink 3.2

GIMP 2.6.11

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB2633952)

Hotfix for Windows XP (KB932716-v2)

Hotfix for Windows XP (KB942288-v3)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB969084)

iTunes

Java Auto Updater

Java 6 Update 29

LADSPA_plugins-win-0.4.15

Malwarebytes Anti-Malware version 1.60.1.1000

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Groove MUI (English) 2010

Microsoft Office InfoPath MUI (English) 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Professional Plus 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Word MUI (English) 2010

Microsoft Silverlight

Microsoft Software Update for Web Folders (English) 14

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft XML Parser

Mozilla Firefox 11.0 (x86 en-US)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MuseScore 1.0 MuseScore score typesetter

Nero 8

neroxml

NVIDIA Drivers

NVIDIA PhysX v8.10.13

PC Probe II

Platform

PMB

Poker Tracker Version 2.17.04m

QuickTime

R16_R24 Driver

REAPER

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft Office 2010 (KB2553091)

Security Update for Microsoft Office 2010 (KB2553096)

Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition

Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition

Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)

Security Update for Microsoft Visio Viewer 2010 (KB2597170) 32-Bit Edition

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Internet Explorer 7 (KB2360131)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2530548)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2559049)

Security Update for Windows Internet Explorer 8 (KB2586448)

Security Update for Windows Internet Explorer 8 (KB2618444)

Security Update for Windows Internet Explorer 8 (KB2647516)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2483614)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2584146)

Security Update for Windows XP (KB2585542)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB2598479)

Security Update for Windows XP (KB2603381)

Security Update for Windows XP (KB2618451)

Security Update for Windows XP (KB2619339)

Security Update for Windows XP (KB2620712)

Security Update for Windows XP (KB2621440)

Security Update for Windows XP (KB2624667)

Security Update for Windows XP (KB2631813)

Security Update for Windows XP (KB2633171)

Security Update for Windows XP (KB2639417)

Security Update for Windows XP (KB2641653)

Security Update for Windows XP (KB2646524)

Security Update for Windows XP (KB2647518)

Security Update for Windows XP (KB2660465)

Security Update for Windows XP (KB2661637)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB975254)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB982132)

Sereby's Updatepack - IE8 Addon Version 1.0.7

Trend Micro Titanium Internet Security

Trend Micro™ Titanium™ Internet Security

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553065)

Update for Microsoft Office 2010 (KB2553092)

Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition

Update for Microsoft Office 2010 (KB2566458)

Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition

Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition

Update for Microsoft Outlook 2010 (KB2553323) 32-Bit Edition

Update for Microsoft Outlook Social Connector (KB2583935)

Update for Windows Internet Explorer 8 (KB2362765)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2607712)

Update for Windows XP (KB2616676)

Update for Windows XP (KB2641690)

Update for Windows XP (KB971029)

VCRedistSetup

VIA Platform Device Manager

VLC media player 1.1.5

WebEx Support Manager for Internet Explorer

WebFldrs XP

XML Paper Specification Shared Components Pack 1.0

ZOOM Audio File Manager Ver 2.0.4.0 (English)

.

==== Event Viewer Messages From Past Week ========

.

3/29/2012 4:00:00 PM, error: Schedule [7901] - The At41.job command failed to start due to the following error: %%2147942402

3/29/2012 3:00:00 PM, error: Schedule [7901] - The At40.job command failed to start due to the following error: %%2147942402

3/29/2012 2:25:29 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

3/29/2012 2:00:00 PM, error: Schedule [7901] - The At39.job command failed to start due to the following error: %%2147942402

3/29/2012 12:00:00 PM, error: Schedule [7901] - The At37.job command failed to start due to the following error: %%2147942402

3/29/2012 1:00:00 PM, error: Schedule [7901] - The At38.job command failed to start due to the following error: %%2147942402

3/27/2012 11:59:35 AM, error: Print [19] - Sharing printer failed + 1722, Printer WebEx Document Loader share name Printer.

.

==== End Of File ===========================


Rogue Killer report below

RogueKiller V7.3.2 [03/20/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: Chris [Admin rights]

Mode: Scan -- Date: 03/29/2012 21:16:48

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 56 ¤¤¤

[sUSP PATH] At17.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At16.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At15.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At14.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At13.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At12.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At11.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At10.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At1.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At26.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[sUSP PATH] At25.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[sUSP PATH] At24.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At23.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At22.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At21.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At20.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At2.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At19.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At18.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At35.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[sUSP PATH] At34.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[sUSP PATH] At33.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[sUSP PATH] At32.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[sUSP PATH] At31.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[sUSP PATH] At30.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[sUSP PATH] At3.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At29.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[sUSP PATH] At28.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[sUSP PATH] At27.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[sUSP PATH] At44.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[sUSP PATH] At43.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[sUSP PATH] At42.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[sUSP PATH] At41.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[sUSP PATH] At40.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[sUSP PATH] At4.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At39.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[sUSP PATH] At38.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[sUSP PATH] At37.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[sUSP PATH] At36.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[sUSP PATH] At9.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At8.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At7.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At6.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At5.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe -> FOUND

[sUSP PATH] At48.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[sUSP PATH] At47.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[sUSP PATH] At46.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[sUSP PATH] At45.job @ : C:\Documents and Settings\All Users\Application Data\84WV644W.exe_ -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

SSDT[41] : NtCreateKey @ 0x80624120 -> HOOKED (Unknown @ 0x873A4780)

SSDT[43] : NtCreateMutant @ 0x806176CE -> HOOKED (Unknown @ 0x87376500)

SSDT[47] : NtCreateProcess @ 0x805D1260 -> HOOKED (Unknown @ 0x873A3580)

SSDT[48] : NtCreateProcessEx @ 0x805D11AA -> HOOKED (Unknown @ 0x873A3880)

SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A26 -> HOOKED (Unknown @ 0x873768C0)

SSDT[53] : NtCreateThread @ 0x805D1048 -> HOOKED (Unknown @ 0x87376020)

SSDT[63] : NtDeleteKey @ 0x806245BC -> HOOKED (Unknown @ 0x873A4D80)

SSDT[65] : NtDeleteValueKey @ 0x8062478C -> HOOKED (Unknown @ 0x873A5680)

SSDT[68] : NtDuplicateObject @ 0x805BE034 -> HOOKED (Unknown @ 0x87376AA0)

SSDT[97] : NtLoadDriver @ 0x80584160 -> HOOKED (Unknown @ 0x87376200)

SSDT[122] : NtOpenProcess @ 0x805CB470 -> HOOKED (Unknown @ 0x873A3B80)

SSDT[125] : NtOpenSection @ 0x805AA418 -> HOOKED (Unknown @ 0x873A5C60)

SSDT[128] : NtOpenThread @ 0x805CB6FC -> HOOKED (Unknown @ 0x873A3E80)

SSDT[192] : NtRenameKey @ 0x80623B42 -> HOOKED (Unknown @ 0x873A5080)

SSDT[204] : NtRestoreKey @ 0x80625B00 -> HOOKED (Unknown @ 0x873A5380)

SSDT[240] : NtSetSystemInformation @ 0x8060FD36 -> HOOKED (Unknown @ 0x873766E0)

SSDT[247] : NtSetValueKey @ 0x80622692 -> HOOKED (Unknown @ 0x873A4A80)

SSDT[257] : NtTerminateProcess @ 0x805D2A12 -> HOOKED (Unknown @ 0x873A4180)

SSDT[258] : NtTerminateThread @ 0x805D2C0C -> HOOKED (Unknown @ 0x873A4480)

SSDT[277] : NtWriteVirtualMemory @ 0x805B43F8 -> HOOKED (Unknown @ 0x873A5E40)

S_SSDT[548] : Unknown -> HOOKED (Unknown @ 0x87377CA0)

S_SSDT[549] : Unknown -> HOOKED (Unknown @ 0x87377A80)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

94.63.147.16 www.google.com

94.63.147.17 www.bing.com

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2000JB-00GVA0 +++++

--- User ---

[MBR] 7216381d0f822aa15cfbfd7380c5c891

[bSP] f70a8d0dca29fb99ba496469689ffb02 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 39997 Mo

1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 81915435 | Size: 150774 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: CBM Flash Disk USB Device +++++

--- User ---

[MBR] 73cbcbbb72fdc4b9a4d4aa5474c633d4

[bSP] ff5ab1cd8a5af1bf6d71114e543a25df : Standard MBR Code

Partition table:

0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 32 | Size: 1008 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1].txt >>

RKreport[1].txt


I deleted the registry entries using RogueKiller; post-delete scan below.

RogueKiller V7.3.2 [03/20/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: Chris [Admin rights]

Mode: Scan -- Date: 03/29/2012 21:30:01

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

SSDT[41] : NtCreateKey @ 0x80624120 -> HOOKED (Unknown @ 0x873C5780)

SSDT[43] : NtCreateMutant @ 0x806176CE -> HOOKED (Unknown @ 0x8739D500)

SSDT[47] : NtCreateProcess @ 0x805D1260 -> HOOKED (Unknown @ 0x873C4580)

SSDT[48] : NtCreateProcessEx @ 0x805D11AA -> HOOKED (Unknown @ 0x873C4880)

SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A26 -> HOOKED (Unknown @ 0x8739D8C0)

SSDT[53] : NtCreateThread @ 0x805D1048 -> HOOKED (Unknown @ 0x8739D020)

SSDT[63] : NtDeleteKey @ 0x806245BC -> HOOKED (Unknown @ 0x873C5D80)

SSDT[65] : NtDeleteValueKey @ 0x8062478C -> HOOKED (Unknown @ 0x873C6680)

SSDT[68] : NtDuplicateObject @ 0x805BE034 -> HOOKED (Unknown @ 0x8739DAA0)

SSDT[97] : NtLoadDriver @ 0x80584160 -> HOOKED (Unknown @ 0x8739D200)

SSDT[122] : NtOpenProcess @ 0x805CB470 -> HOOKED (Unknown @ 0x873C4B80)

SSDT[125] : NtOpenSection @ 0x805AA418 -> HOOKED (Unknown @ 0x873C6C60)

SSDT[128] : NtOpenThread @ 0x805CB6FC -> HOOKED (Unknown @ 0x873C4E80)

SSDT[192] : NtRenameKey @ 0x80623B42 -> HOOKED (Unknown @ 0x873C6080)

SSDT[204] : NtRestoreKey @ 0x80625B00 -> HOOKED (Unknown @ 0x873C6380)

SSDT[240] : NtSetSystemInformation @ 0x8060FD36 -> HOOKED (Unknown @ 0x8739D6E0)

SSDT[247] : NtSetValueKey @ 0x80622692 -> HOOKED (Unknown @ 0x873C5A80)

SSDT[257] : NtTerminateProcess @ 0x805D2A12 -> HOOKED (Unknown @ 0x873C5180)

SSDT[258] : NtTerminateThread @ 0x805D2C0C -> HOOKED (Unknown @ 0x873C5480)

SSDT[277] : NtWriteVirtualMemory @ 0x805B43F8 -> HOOKED (Unknown @ 0x873C6E40)

S_SSDT[548] : Unknown -> HOOKED (Unknown @ 0x8739EF60)

S_SSDT[549] : Unknown -> HOOKED (Unknown @ 0x8739ED40)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

94.63.147.16 www.google.com

94.63.147.17 www.bing.com

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2000JB-00GVA0 +++++

--- User ---

[MBR] 7216381d0f822aa15cfbfd7380c5c891

[bSP] f70a8d0dca29fb99ba496469689ffb02 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 39997 Mo

1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 81915435 | Size: 150774 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: CBM Flash Disk USB Device +++++

--- User ---

[MBR] 73cbcbbb72fdc4b9a4d4aa5474c633d4

[bSP] ff5ab1cd8a5af1bf6d71114e543a25df : Standard MBR Code

Partition table:

0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 32 | Size: 1008 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[3].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt


Last MBAM scan

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.03.29.09

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Chris :: UPGRAYEDD [administrator]

3/29/2012 9:35:05 PM

mbam-log-2012-03-29 (21-35-05).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 225053

Time elapsed: 6 minute(s), 35 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Ran ComboFix this afternoon; report below.

ComboFix 12-03-30.06 - Chris 03/30/2012 12:57:20.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3455.2626 [GMT -5:00]

Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe

AV: Trend Micro Titanium Internet Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: Trend Micro Firewall Booster *Disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\84WV644W.exe

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\All Users\Application Data\TEMP\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\PostBuild.exe

c:\documents and settings\All Users\Application Data\TEMP\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\Setup.exe

c:\documents and settings\Chris\Application Data\3C7FC64A.exe

c:\documents and settings\Chris\Application Data\html.html

.

.

((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-30 )))))))))))))))))))))))))))))))

.

.

2012-03-30 01:52 . 2012-03-30 01:52 -------- d-----w- c:\program files\Common Files\Adobe

2012-03-29 23:30 . 2010-12-24 03:22 341072 ----a-w- c:\windows\system32\drivers\TM_CFW.sys

2012-03-29 20:01 . 2012-03-29 20:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2012-03-21 03:22 . 2012-03-21 03:22 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\PCHealth

2012-03-18 00:39 . 2012-03-18 00:39 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll

2012-03-18 00:39 . 2012-03-18 00:39 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-02-03 09:26 . 2010-08-21 02:52 1869184 ----a-w- c:\windows\system32\win32k.sys

2012-01-21 22:04 . 2012-01-21 22:05 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-01-21 22:04 . 2012-01-21 22:05 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-01-11 19:06 . 2012-02-15 04:54 3072 ------w- c:\windows\system32\iacenc.dll

2012-01-09 16:20 . 2010-10-30 19:08 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-03-18 00:39 . 2011-11-12 21:40 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2010-08-21 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-16 13578240]

"nwiz"="nwiz.exe" [2008-10-16 1630208]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-16 86016]

"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-10-07 33538048]

"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-10-08 1111568]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-25 652624]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-13 1603152]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"PMBVolumeWatcher"="f:\video\Handycam\PMBVolumeWatcher.exe" [2010-03-24 599328]

"NBKeyScan"="f:\nero\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]

"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 116752]

"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"iTunesHelper"="d:\itunes\iTunesHelper.exe" [2011-04-14 421160]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"Malwarebytes' Anti-Malware"="f:\malwarebytes' anti-malware\mbamgui.exe" [2012-01-13 460872]

"Adobe Reader Speed Launcher"="d:\adobe\Reader\Reader_sl.exe" [2011-08-31 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_2"="shell32" [X]

"ShowDeskFix"="shell32" [X]

"IE8"="advpack.dll" [2009-03-08 128512]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"d:\\iTunes\\iTunes.exe"=

"c:\\Program Files\\VIA\\VIAudioi\\HDADeck\\HDeck.exe"=

.

R2 MBAMService;MBAMService;f:\malwarebytes' anti-malware\mbamservice.exe [6/21/2011 3:26 PM 652360]

R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;f:\video\Handycam\PMBDeviceInfoProvider.exe [10/24/2009 4:18 AM 360224]

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [12/23/2010 10:30 PM 64080]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/7/2011 1:40 PM 20464]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [10/30/2010 3:41 PM 39456]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 10:37 PM 4640000]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [3/29/2012 6:30 PM 341072]

R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [10/30/2010 3:43 PM 876288]

S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [12/23/2010 10:27 PM 188272]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [6/12/2011 11:15 AM 31125880]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

S3 ZOOM_R16MTR;ZOOM R16_R24 Audio Interface;c:\windows\system32\drivers\zmr16usbaudio.sys [12/11/2011 1:48 PM 79360]

.

Contents of the 'Scheduled Tasks' folder

.

2012-03-30 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.globeandmail.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 64.59.176.13 64.59.176.15 64.59.177.226

FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\61igybtb.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.globeandmail.com/

FF - prefs.js: network.proxy.type - 0

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-LADSPA_plugins-win_is1 - f:\audacity\Plug-Ins\unins000.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-03-30 13:00

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,cd,c5,3f,42,73,72,42,9f,8d,ff,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,cd,c5,3f,42,73,72,42,9f,8d,ff,\

.

Completion time: 2012-03-30 13:01:37

ComboFix-quarantined-files.txt 2012-03-30 18:01

.

Pre-Run: 17,002,872,832 bytes free

Post-Run: 18,930,900,992 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

.

- - End Of File - - DEBCC234A93122B927AA4D39111F86B4


Ran OTL after ComboFix.

OTL Extras logfile created on: 3/30/2012 3:03:18 PM - Run 1

OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Chris\My Documents\Downloads

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.37 Gb Total Physical Memory | 2.55 Gb Available Physical Memory | 75.54% Memory free

5.21 Gb Paging File | 4.62 Gb Available in Paging File | 88.63% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 39.06 Gb Total Space | 20.95 Gb Free Space | 53.64% Space Free | Partition Type: NTFS

Drive D: | 78.13 Gb Total Space | 32.90 Gb Free Space | 42.11% Space Free | Partition Type: NTFS

Drive F: | 69.11 Gb Total Space | 40.58 Gb Free Space | 58.71% Space Free | Partition Type: NTFS

Drive G: | 1007.95 Mb Total Space | 969.16 Mb Free Space | 96.15% Space Free | Partition Type: FAT

Computer Name: UPGRAYEDD | User Name: Chris | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)

InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [AddToPlaylistVLC] -- "C:\Documents and Settings\Chris\My Documents\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [PlayWithVLC] -- "C:\Documents and Settings\Chris\My Documents\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Microsoft Office\Office14\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office14\GROOVE.EXE:*:Enabled:Microsoft SharePoint Workspace -- (Microsoft Corporation)

"C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE:*:Enabled:Microsoft OneNote -- (Microsoft Corporation)

"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP190_series" = Canon MP190 series MP Drivers

"{19CF1A77-C522-4082-8A2B-A9952EE9E372}" = R16_R24 Driver

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform

"{26A24AE4-039D-4CA4-87B4-2F83216029FF}" = Java 6 Update 29

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{353FE16B-30FE-469A-BF55-B978F4218003}" = iTunes

"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup

"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml

"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime

"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable

"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update

"{7FCC4EDC-6EE2-4309-ABD7-85F2667A7B90}" = WebEx Support Manager for Internet Explorer

"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable

"{853A4763-6643-4604-8D64-28BDD8925F4C}" = Apple Application Support

"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{90140000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 14

"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010

"{90140000-0015-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010

"{90140000-0016-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010

"{90140000-0018-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010

"{90140000-0019-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010

"{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010

"{90140000-001B-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010

"{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010

"{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUSR_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010

"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.PROPLUSR_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010

"{90140000-002C-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010

"{90140000-0044-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010

"{90140000-006E-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010

"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010

"{90140000-00BA-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010

"{90140000-0115-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010

"{90140000-0117-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{91140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010

"{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

"{9EDBB857-8028-49CD-B9C9-0B4D10CD1033}" = Nero 8

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{ABBD4BA8-6703-40D2-AB1E-5BB1F7DB49A4}" = Trend Micro Titanium Internet Security

"{ABBD4BA9-6703-40D2-AB1E-5BB1F7DB49A4}" = Trend Micro™ Titanium™ Internet Security

"{AC54E544-3E42-443C-A91D-A00A6974C592}" = NVIDIA PhysX v8.10.13

"{AC76BA86-7AD7-1033-7B44-A83000000003}" = Adobe Reader 8.3.1

"{B6A98E5F-D6A7-46FB-9E9D-1F7BF443491C}" = PMB

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C151CE54-E7EA-4804-854B-F515368B0798}" = AMD Processor Driver

"{C2E4B5BD-32DB-4817-A060-341AB17C3F90}" = Bonjour

"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support

"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser

"{F7338FA3-DAB5-49B2-900D-0AFB5760C166}" = PC Probe II

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin

"AFM_E" = ZOOM Audio File Manager Ver 2.0.4.0 (English)

"CanonMyPrinter" = Canon My Printer

"CanonSolutionMenu" = Canon Utilities Solution Menu

"DVD Shrink_is1" = DVD Shrink 3.2

"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX

"IE8" = Sereby's Updatepack - IE8 Addon Version 1.0.7

"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager

"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector

"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"Mozilla Firefox 11.0 (x86 en-US)" = Mozilla Firefox 11.0 (x86 en-US)

"MP Navigator EX 1.2" = Canon MP Navigator EX 1.2

"MuseScore" = MuseScore 1.0 MuseScore score typesetter

"NVIDIA Drivers" = NVIDIA Drivers

"Office14.PROPLUSR" = Microsoft Office Professional Plus 2010

"Poker Tracker Version 2.17.04m_is1" = Poker Tracker Version 2.17.04m

"REAPER" = REAPER

"VLC media player" = VLC media player 1.1.5

"WinGimp-2.0_is1" = GIMP 2.6.11

"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 3/9/2012 12:44:26 PM | Computer Name = UPGRAYEDD | Source = Microsoft Office 14 | ID = 1000

Description = Faulting application outlook.exe, version 14.0.6109.5005, stamp 4e79b881,

faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address

0x00000200.

Error - 3/9/2012 3:14:25 PM | Computer Name = UPGRAYEDD | Source = Application Hang | ID = 1002

Description = Hanging application firefox.exe, version 10.0.2.4428, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/15/2012 12:17:12 PM | Computer Name = UPGRAYEDD | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This operation returned because the timeout period expired.

Error - 3/15/2012 12:17:12 PM | Computer Name = UPGRAYEDD | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The specified server cannot perform the requested operation.

Error - 3/15/2012 12:17:22 PM | Computer Name = UPGRAYEDD | Source = crypt32 | ID = 131075

Description = Failed auto update retrieval of third-party root list cab from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: This operation returned because the timeout period expired.

Error - 3/15/2012 12:17:22 PM | Computer Name = UPGRAYEDD | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The specified server cannot perform the requested operation.

Error - 3/15/2012 12:17:27 PM | Computer Name = UPGRAYEDD | Source = crypt32 | ID = 131075

Description = Failed auto update retrieval of third-party root list cab from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: This operation returned because the timeout period expired.

Error - 3/20/2012 11:22:26 PM | Computer Name = UPGRAYEDD | Source = Microsoft Office 14 | ID = 5000

Description = EventType office12asserttimer, P1 2lz8, P2 14.0.6029.0, P3 5, P4 2312,

P5 NIL, P6 NIL, P7 NIL, P8 NIL, P9 NIL, P10 NIL.

Error - 3/24/2012 12:31:15 PM | Computer Name = UPGRAYEDD | Source = Application Hang | ID = 1002

Description = Hanging application firefox.exe, version 11.0.0.4454, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/29/2012 12:15:39 PM | Computer Name = UPGRAYEDD | Source = Application Hang | ID = 1002

Description = Hanging application firefox.exe, version 11.0.0.4454, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

[ SitNGoWizard Events ]

Error - 12/7/2010 11:26:43 PM | Computer Name = UPGRAYEDD | Source = SitNGoWizard | ID = 1

Description = Invoke or BeginInvoke cannot be called on a control until the window

handle has been created.

[ System Events ]

Error - 3/29/2012 3:00:00 PM | Computer Name = UPGRAYEDD | Source = Schedule | ID = 7901

Description = The At39.job command failed to start due to the following error: %%2147942402

Error - 3/29/2012 3:25:29 PM | Computer Name = UPGRAYEDD | Source = sr | ID = 1

Description = The System Restore filter encountered the unexpected error '0xC0000001'

while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring

the volume.

Error - 3/29/2012 4:00:00 PM | Computer Name = UPGRAYEDD | Source = Schedule | ID = 7901

Description = The At40.job command failed to start due to the following error: %%2147942402

Error - 3/29/2012 4:32:12 PM | Computer Name = UPGRAYEDD | Source = sr | ID = 1

Description = The System Restore filter encountered the unexpected error '0xC0000001'

while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring

the volume.

Error - 3/29/2012 5:00:00 PM | Computer Name = UPGRAYEDD | Source = Schedule | ID = 7901

Description = The At41.job command failed to start due to the following error: %%2147942402

Error - 3/29/2012 6:00:00 PM | Computer Name = UPGRAYEDD | Source = Schedule | ID = 7901

Description = The At42.job command failed to start due to the following error: %%2147942402

Error - 3/29/2012 7:00:00 PM | Computer Name = UPGRAYEDD | Source = Schedule | ID = 7901

Description = The At43.job command failed to start due to the following error: %%2147942402

Error - 3/29/2012 8:00:00 PM | Computer Name = UPGRAYEDD | Source = Schedule | ID = 7901

Description = The At44.job command failed to start due to the following error: %%2147942402

Error - 3/29/2012 9:00:00 PM | Computer Name = UPGRAYEDD | Source = Schedule | ID = 7901

Description = The At45.job command failed to start due to the following error: %%2147942402

Error - 3/29/2012 10:00:00 PM | Computer Name = UPGRAYEDD | Source = Schedule | ID = 7901

Description = The At46.job command failed to start due to the following error: %%2147942402

< End of report >


1 month later...

@ Vapour Trails,

Have you resolved your issues? If I do not hear back from you in a few days, this will be closed.

You should not have responded (posted) with a new reply until and unless you got a 1st reply from an authorized helper!

But you self-medicated and posted many posts and thus helper-observers were made to think you were being helped.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

