windows updates fail after virus removed

Endinsight · August 27, 2012

Hello I hope I'm in right place -

Sent from PC help area .

Had Zero Access - Malwarebytes PRO found and removed it. I love Malwarebytes.

All scans since have been clean. ( AVG paid, too). and others.

However, since then -

Windows Updates Fail

Missing services - BITS and RPC ( for sure -maybe others).

FSS scan confirmed and is attatched. .

Chameleon scan attatched

MBAM quick scan also attatched

I don't know what I'm doing - and think I'm adding to the problems by trying to fix them.

Can you help ? Please. . .please I don't want to do clean install .. .

FSS.txt

protection-log-2012-08-26.txt

MrCharlie · August 27, 2012

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

Endinsight · August 27, 2012

RK report

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : jill [Admin rights]

Mode : Scan -- Date : 08/27/2012 17:14:11

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : C:\WINDOWS\Installer\{7ec38d52-1255-baad-c5a0-2432000ede72}\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\WINDOWS\Installer\{7ec38d52-1255-baad-c5a0-2432000ede72}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\WINDOWS\Installer\{7ec38d52-1255-baad-c5a0-2432000ede72}\L --> FOUND

[ZeroAccess][FILE] @ : C:\Documents and Settings\jill\Local Settings\Application Data\{7ec38d52-1255-baad-c5a0-2432000ede72}\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\Documents and Settings\jill\Local Settings\Application Data\{7ec38d52-1255-baad-c5a0-2432000ede72}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\Documents and Settings\jill\Local Settings\Application Data\{7ec38d52-1255-baad-c5a0-2432000ede72}\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3250824AS +++++

--- User ---

[MBR] 778e7f63f7796c212b69e0fb6df5c717

[bSP] 3efdd157322bc54deb4f0f8435ac64f6 : MBR Code unknown

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 47 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 96390 | Size: 233609 Mo

2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 478528155 | Size: 4753 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

MrCharlie · August 27, 2012

As you can see you're still infected:

Run RogueKiller again and click Scan

When the scan completes > click on the Files tab

Put a check next to all of these and uncheck the rest: (if found)

[ZeroAccess][FILE] @ : C:\WINDOWS\Installer\{7ec38d52-1255-baad-c5a0-2432000ede72}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\WINDOWS\Installer\{7ec38d52-1255-baad-c5a0-2432000ede72}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\WINDOWS\Installer\{7ec38d52-1255-baad-c5a0-2432000ede72}\L --> FOUND
[ZeroAccess][FILE] @ : C:\Documents and Settings\jill\Local Settings\Application Data\{7ec38d52-1255-baad-c5a0-2432000ede72}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\Documents and Settings\jill\Local Settings\Application Data\{7ec38d52-1255-baad-c5a0-2432000ede72}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Documents and Settings\jill\Local Settings\Application Data\{7ec38d52-1255-baad-c5a0-2432000ede72}\L --> FOUND

Now click Delete on the right hand column under Options

Reboot and.......

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Endinsight · August 27, 2012

Thank you Charlie -

I highlited all 6 and deleted - I shall return . Dont leave me LOL

Endinsight · August 27, 2012

_{_{ComboFix 12-08-25.04 - jill 08/27/2012 18:28:33.1.2 - x86}}

_{_{Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1332 [GMT -4:00]}}

_{_{Running from: c:\documents and settings\jill\Desktop\ComboFix.exe}}

_{_{AV: AVG Anti-Virus 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}}}

_{_{AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}}}

_{_{FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66}}}

_{_.}

_{_{WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!}}

_{_.}

_{_{((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))}}

_{_.}

_{_{c:\documents and settings\All Users\Application Data\1343683020.bdinstall.bin}}

_{_{c:\documents and settings\All Users\Application Data\1343827820.2980.bin}}

_{_{c:\documents and settings\All Users\Application Data\1343827820.4732.bin}}

_{_{c:\documents and settings\All Users\Application Data\1343827820.4888.bin}}

_{_{c:\documents and settings\All Users\Application Data\1343827820.5192.bin}}

_{_{c:\documents and settings\All Users\Application Data\TEMP}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\avgfinst.dat}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfapx.exe}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfarx.dll}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\avgntdumpx.exe}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\avgrunasx.exe}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\avi7.avg}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\compat.ini}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\crt_x64.msi}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\files.dat}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\htmlayout.dll}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\incavi.avm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_cz.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_da.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_es.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_fr.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ge.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_hu.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_id.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_in.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_it.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_jp.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ko.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ms.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_nl.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pb.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pl.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pt.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ru.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sc.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sk.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sp.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_tr.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_us.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zh.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zt.htm}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaconf.txt}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfacz.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfada.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaes.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfafr.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfage.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfahu.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaid.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfain.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfait.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfajp.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfako.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfams.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfanl.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapb.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapl.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapt.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaru.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasc.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfask.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasp.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfatr.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaus.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfavera.txt}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaverx.txt}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazh.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazt.lns}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\microavi.avg}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\miniavi.avg}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.dat}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.exe}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.ini}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\vcredis1.cab}}

_{_{c:\documents and settings\All Users\Application Data\TEMP\AVG\vcredist.msi}}

_{_{c:\documents and settings\All Users\Application Data\Z@!-2e32fcc2-58e3-4f35-9bba-872ca59cb07f.tmp}}

_{_{c:\documents and settings\jill\g2ax_customer_downloadhelper_win32_x86.exe}}

_{_{c:\documents and settings\jill\WINDOWS}}

_{_{c:\program files\Internet Explorer\msimg32.dll}}

_{_{c:\program files\Search Toolbar}}

_{_{c:\program files\Search Toolbar\icon.ico}}

_{_{c:\program files\Search Toolbar\SearchToolbarUninstall.exe}}

_{_{c:\program files\Search Toolbar\SearchToolbarUpdater.exe}}

_{_{c:\windows\desktop}}

_{_{c:\windows\desktop\Conventions.lnk}}

_{_{c:\windows\system32\ui}}

_{_{c:\windows\system32\ui\bdidntconp.ui}}

_{_{c:\windows\system32\URTTemp}}

_{_{c:\windows\system32\URTTemp\fusion.dll}}

_{_{c:\windows\system32\URTTemp\mscoree.dll}}

_{_{c:\windows\system32\URTTemp\mscoree.dll.local}}

_{_{c:\windows\system32\URTTemp\mscorsn.dll}}

_{_{c:\windows\system32\URTTemp\mscorwks.dll}}

_{_{c:\windows\system32\URTTemp\msvcr71.dll}}

_{_{c:\windows\system32\URTTemp\regtlib.exe}}

_{_.}

_{_{((((((((((((((((((((((((( Files Created from 2012-07-27 to 2012-08-27 )))))))))))))))))))))))))))))))}}

_{_.}

_{_{2012-08-27 22:25 . 2012-08-27 22:25 -------- d-----w- c:\windows\LastGood}}

_{_{2012-08-26 21:22 . 2012-08-26 21:22 -------- d-----w- c:\windows\system32\wbem\Repository}}

_{_{2012-08-25 19:01 . 2012-08-25 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\inf}}

_{_{2012-08-25 19:01 . 2012-08-25 19:01 -------- d-----w- c:\program files\My Drivers}}

_{_{2012-08-25 01:35 . 2012-08-25 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate}}

_{_{2012-08-25 00:14 . 2012-08-25 00:14 -------- d-----w- c:\documents and settings\jill\Application Data\ElevatedDiagnostics}}

_{_{2012-08-24 13:05 . 2012-08-24 13:05 -------- d-sh--w- c:\documents and settings\jill\IECompatCache}}

_{_{2012-08-24 13:04 . 2012-08-24 13:04 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache}}

_{_{2012-08-24 13:04 . 2012-08-24 13:04 -------- d-sh--w- c:\documents and settings\jill\PrivacIE}}

_{_{2012-08-24 13:01 . 2012-08-24 13:01 -------- d-sh--w- c:\documents and settings\jill\IETldCache}}

_{_{2012-08-24 12:54 . 2012-08-24 12:55 -------- dc-h--w- c:\windows\ie8}}

_{_{2012-08-09 16:25 . 2012-08-09 16:25 -------- d-----w- c:\documents and settings\jill\Local Settings\Application Data\Sun}}

_{_{2012-08-09 16:13 . 2012-08-09 16:13 -------- d-----w- c:\program files\Oracle}}

_{_{2012-08-09 16:13 . 2012-08-09 16:13 -------- d-----w- c:\documents and settings\jill\Application Data\Oracle}}

_{_{2012-08-09 16:13 . 2012-07-06 02:07 143872 ----a-w- c:\windows\system32\javacpl.cpl}}

_{_{2012-08-09 16:13 . 2012-07-06 02:06 772544 ----a-w- c:\windows\system32\npDeployJava1.dll}}

_{_{2012-08-09 16:12 . 2012-08-09 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee}}

_{_{2012-08-09 16:09 . 2012-08-15 14:33 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe}}

_{_{2012-08-05 13:55 . 2012-08-27 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012}}

_{_{2012-08-05 13:32 . 2012-08-05 13:32 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard}}

_{_{2012-08-05 13:32 . 2012-08-05 13:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com}}

_{_{2012-08-05 13:25 . 2012-08-05 13:31 -------- d-----w- C:\f1ac9f06980545953529}}

_{_{2012-08-05 12:12 . 2012-08-05 12:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix}}

_{_{2012-08-04 08:58 . 2012-08-05 13:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware}}

_{_{2012-08-04 08:58 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys}}

_{_{2012-08-04 07:02 . 2012-08-05 13:32 -------- d-----w- c:\program files\SUPERAntiSpyware}}

_{_{2012-08-03 19:38 . 2008-04-13 18:46 53376 ----a-w- c:\windows\system32\dllcache\1394bus.sys}}

_{_{2012-08-03 19:38 . 2001-08-17 18:06 11264 ----a-w- c:\windows\system32\dllcache\1394vdbg.sys}}

_{_{2012-08-03 19:36 . 2004-08-10 10:00 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll}}

_{_{2012-08-03 19:35 . 2001-08-17 18:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll}}

_{_{2012-08-03 19:35 . 2004-08-10 10:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll}}

_{_{2012-08-02 01:00 . 2012-08-02 01:00 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\QuickScan}}

_{_{2012-08-02 01:00 . 2012-08-02 01:00 -------- d-----w- c:\program files\Bitdefender}}

_{_{2012-08-02 00:09 . 2004-08-10 10:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe}}

_{_{2012-08-02 00:09 . 2004-08-10 10:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll}}

_{_{2012-08-02 00:09 . 2004-08-10 10:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll}}

_{_{2012-08-02 00:09 . 2004-08-10 10:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe}}

_{_{2012-08-02 00:09 . 2004-08-10 10:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll}}

_{_{2012-08-01 21:55 . 2012-08-26 21:23 -------- d-----w- c:\documents and settings\Guest}}

_{_{2012-08-01 15:25 . 2012-08-01 15:25 -------- d-----w- C:\kleaner.tmp}}

_{_{2012-08-01 00:42 . 2012-08-01 00:42 -------- d-----w- c:\windows\ShellNew}}

_{_{2012-07-30 21:22 . 2008-11-07 22:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll}}

_{_{2012-07-30 21:22 . 2012-07-30 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\BDLogging}}

_{_{2012-07-30 21:22 . 2007-04-11 15:11 511328 ----a-w- c:\windows\capicom.dll}}

_{_{2012-07-30 21:11 . 2012-08-02 00:58 -------- d-----w- c:\program files\Common Files\Bitdefender}}

_{_{2012-07-30 21:00 . 2012-07-30 21:07 -------- d-----w- c:\documents and settings\jill\Application Data\QuickScan}}

_{_{2012-07-30 17:35 . 2012-07-30 17:35 16522 ----a-w- C:\FixitRegBackup.reg}}

_{_{2012-07-30 15:36 . 2012-08-27 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData}}

_{_{2012-07-30 15:09 . 2012-07-30 15:10 -------- d-----w- C:\WINSSLog}}

_{_{2012-07-30 15:02 . 2012-07-30 15:02 -------- d-----w- c:\documents and settings\jill\Local Settings\Application Data\VS Revo Group}}

_{_{2012-07-30 15:02 . 2009-12-30 15:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys}}

_{_{2012-07-30 15:02 . 2012-07-30 15:02 -------- d-----w- c:\program files\VS Revo Group}}

_{_.}

_{_{(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))}}

_{_.}

_{_{2012-08-15 14:33 . 2011-06-13 21:18 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl}}

_{_{2012-07-06 02:06 . 2012-04-11 20:42 687544 ----a-w- c:\windows\system32\deployJava1.dll}}

_{_{2012-06-13 13:19 . 2005-08-16 09:18 1866112 ----a-w- c:\windows\system32\win32k.sys}}

_{_{2012-06-05 15:50 . 2007-05-15 19:43 1372672 ----a-w- c:\windows\system32\msxml6.dll}}

_{_{2012-06-05 15:50 . 2005-08-16 09:18 1172480 ----a-w- c:\windows\system32\msxml3.dll}}

_{_{2012-06-04 21:35 . 2005-08-16 09:40 210968 ----a-w- c:\windows\system32\wuweb.dll}}

_{_{2012-06-04 21:35 . 2009-08-06 23:23 222448 ----a-w- c:\windows\system32\muweb.dll}}

_{_{2012-06-04 04:32 . 2005-08-16 09:18 152576 ----a-w- c:\windows\system32\schannel.dll}}

_{_{2012-06-02 19:19 . 2007-07-19 12:33 22040 ----a-w- c:\windows\system32\wucltui.dll.mui}}

_{_{2012-06-02 19:19 . 2007-07-19 12:33 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui}}

_{_{2012-06-02 19:19 . 2005-08-16 09:40 329240 ----a-w- c:\windows\system32\wucltui.dll}}

_{_{2012-06-02 19:19 . 2005-08-16 09:40 219160 ----a-w- c:\windows\system32\wuaucpl.cpl}}

_{_{2012-06-02 19:19 . 2009-10-06 14:30 15384 ----a-w- c:\windows\system32\wuapi.dll.mui}}

_{_{2012-06-02 19:19 . 2007-01-30 16:31 45080 ----a-w- c:\windows\system32\wups2.dll}}

_{_{2012-06-02 19:19 . 2007-01-30 16:31 45080 ----a-w- c:\windows\system32\wups2(2).dll}}

_{_{2012-06-02 19:19 . 2005-08-16 09:40 53784 ----a-w- c:\windows\system32\wuauclt.exe}}

_{_{2012-06-02 19:19 . 2005-08-16 09:40 35864 ----a-w- c:\windows\system32\wups.dll}}

_{_{2012-06-02 19:19 . 2005-08-16 09:18 97304 ----a-w- c:\windows\system32\cdm.dll}}

_{_{2012-06-02 19:19 . 2007-07-19 12:33 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui}}

_{_{2012-06-02 19:19 . 2005-08-16 09:40 577048 ----a-w- c:\windows\system32\wuapi.dll}}

_{_{2012-06-02 19:19 . 2005-08-16 09:40 1933848 ----a-w- c:\windows\system32\wuaueng.dll}}

_{_{2012-06-02 19:18 . 2012-06-28 21:27 275696 ----a-w- c:\windows\system32\mucltui.dll}}

_{_{2012-06-02 19:18 . 2012-05-09 11:46 17136 ----a-w- c:\windows\system32\mucltui.dll.mui}}

_{_{2012-05-31 16:25 . 2012-06-28 21:32 237072 ------w- c:\windows\system32\MpSigStub.exe}}

_{_{2012-05-31 13:22 . 2005-08-16 09:18 599040 ----a-w- c:\windows\system32\crypt32.dll}}

_{_{2012-05-31 13:22 . 2005-08-16 09:18 599040 ----a-w- c:\windows\system32\crypt32(2)(2).dll}}

_{_.}

_{_{((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))}}

_{_.}

_{_{*Note* empty entries & legit default entries are not shown}}

_{_REGEDIT4}

_{_.}

_{_{[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]}}

_{_{"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]}}

_{_{"CTHelper"="c:\windows\system32\CTHELPER.EXE" [2006-12-12 19456]}}

_{_{"CTxfiHlp"="c:\windows\system32\CTXFIHLP.EXE" [2006-03-02 18944]}}

_{_{"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-10-28 1352272]}}

_{_{"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]}}

_{_{"NvMediaCenter"="NvMCTray.dll" [2007-09-17 81920]}}

_{_{"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-05 1632360]}}

_{_{"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]}}

_{_{"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]}}

_{_{"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]}}

_{_{"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]}}

_{_{"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2012-07-13 384232]}}

_{_.}

_{_{[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]}}

_{_{"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]}}

_{_.}

_{_{[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]}}

_{_{2008-12-22 15:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll}}

_{_.}

_{_{[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]}}

_{_@="Driver"}

_{_.}

_{_{[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]}}

_{_{backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup}}

_{_.}

_{_{[HKLM\~\startupfolder\C:^Documents and Settings^jill^Start Menu^Programs^Startup^Microsoft Office.lnk]}}

_{_{path=c:\documents and settings\jill\Start Menu\Programs\Startup\Microsoft Office.lnk}}

_{_{backup=c:\windows\pss\Microsoft Office.lnkStartup}}

_{_{HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility}}

_{_.}

_{_{[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]}}

_{_{2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe}}

_{_.}

_{_{[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]}}

_{_{2012-07-13 01:30 384232 ------w- c:\program files\BillP Studios\WinPatrol\WinPatrol.exe}}

_{_.}

_{_{[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]}}

_{_{"EnableFirewall"= 0 (0x0)}}

_{_.}

_{_{[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]}}

_{_{"%windir%\\system32\\sessmgr.exe"=}}

_{_.}

_{_{R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]}}

_{_{R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]}}

_{_{R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/4/2012 4:58 AM 655944]}}

_{_{R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [7/1/2011 3:46 PM 2214504]}}

_{_{R3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.1.391.0\SeaPort.EXE [6/11/2012 4:22 PM 240208]}}

_{_{R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [8/24/2010 1:30 PM 40912]}}

_{_{R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [8/24/2010 1:30 PM 10448]}}

_{_{R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/4/2012 4:58 AM 22344]}}

_{_{R4 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys --> c:\windows\system32\DRIVERS\avgidshx.sys [?]}}

_{_{R4 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys --> c:\windows\system32\DRIVERS\avgrkx86.sys [?]}}

_{_{S2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.1.391.0\BBSvc.EXE [6/11/2012 4:22 PM 193616]}}

_{_{S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2010 7:04 PM 136176]}}

_{_{S2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [6/24/2011 4:45 PM 10448]}}

_{_{S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [8/9/2012 12:09 PM 250056]}}

_{_{S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2010 7:04 PM 136176]}}

_{_{S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [7/30/2012 11:02 AM 27064]}}

_{_{S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]}}

_{_{S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\covpndrv.sys --> c:\windows\system32\DRIVERS\covpndrv.sys [?]}}

_{_{S4 SACODiskOptimizer;SACODiskOptimizer;c:\program files\Softarama\Captain Optimizer\SACODefragSrv.exe [4/1/2012 12:48 PM 239936]}}

_{_.}

_{_{--- Other Services/Drivers In Memory ---}}

_{_.}

_{_{*Deregistered* - Avgldx86}}

_{_.}

_{_{[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]}}

_{_{HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12}}

_{_{HPService REG_MULTI_SZ HPSLPSVC}}

_{_{hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc}}

_{_.}

_{_{Contents of the 'Scheduled Tasks' folder}}

_{_.}

_{_{2012-08-27 c:\windows\Tasks\Adobe Flash Player Updater.job}}

_{_{- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-09 14:33]}}

_{_.}

_{_{------- Supplementary Scan -------}}

_{_.}

_{_{uStart Page = hxxp://thundercloud.net/start/index.htm}}

_{_{uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0061229}}

_{_{IE: &Yahoo! Search -}}_{_{file:///c:\program}}_{_{files\Yahoo!\Common/ycsrch.htm}}

_{_{IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000}}

_{_{IE: Yahoo! &Dictionary -}}_{_{file:///c:\program}}_{_{files\Yahoo!\Common/ycdict.htm}}

_{_{IE: Yahoo! &Maps -}}_{_{file:///c:\program}}_{_{files\Yahoo!\Common/ycmap.htm}}

_{_{IE: Yahoo! &SMS -}}_{_{file:///c:\program}}_{_{files\Yahoo!\Common/ycsms.htm}}

_{_{Trusted Zone: microsoft.com\www.update}}

_{_{Trusted Zone: thundercloud.net}}

_{_{TCP: DhcpNameServer = 65.32.5.111 65.32.5.112 192.168.1.1}}

_{_.}

_{_{- - - - ORPHANS REMOVED - - - -}}

_{_.}

_{_{HKLM-Run-QuickTime Task - c:\program files\QuickTime\qttask.exe}}

_{_{SafeBoot-MsMpSvc}}

_{_.}

_{_{**************************************************************************}}

_{_.}

_{_{catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,}}_{_{http://www.gmer.net}}

_{_{Rootkit scan 2012-08-27 18:35}}

_{_{Windows 5.1.2600 Service Pack 3 NTFS}}

_{_.}

_{_{scanning hidden processes ...}}

_{_.}

_{_{scanning hidden autostart entries ...}}

_{_.}

_{_{scanning hidden files ...}}

_{_.}

_{_{scan completed successfully}}

_{_{hidden files: 0}}

_{_.}

_{_{**************************************************************************}}

_{_.}

_{_{--------------------- DLLs Loaded Under Running Processes ---------------------}}

_{_.}

_{_{- - - - - - - > 'winlogon.exe'(772)}}

_{_{c:\program files\SUPERAntiSpyware\SASWINLO.dll}}

_{_.}

_{_{Completion time: 2012-08-27 18:37:27}}

_{_{ComboFix-quarantined-files.txt 2012-08-27 22:37}}

_{_.}

_{_{Pre-Run: 193,299,791,872 bytes free}}

_{_{Post-Run: 193,535,098,880 bytes free}}

_{_.}

_{_{- - End Of File - - FBCBFC6058839BF68B9B981527B7A346}}

_{COMBO FIX LOG - How're we doing ? Whewie, MrCharlie - that was scary - AVG disabled per instructs . still seen by Combo Fix. So I uninstalled AVG.}

_{Her'es the log . . .looks awful (to me)}

Endinsight · August 27, 2012

OH MY - should I do as attatchment ?

MrCharlie · August 27, 2012

Looks Good.....

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

Endinsight · August 27, 2012

_{OH Thank you so much - you won't believe this, but I just 'uninstalled Malwarebytes-}

_{Long story - Cust Svc is working on 'unmerging' two different Subscriptions.}

_{Thank You so much. . .BTW - had to reboot . and Win Patrol is asking if I want to accept changes to HOSTS files}

_{I'm not sure which direction to go first or nest LOL}

_{Your Patience is much appreciated}

Endinsight · August 27, 2012

Malwarebytes - LOG -

Malwarebytes Anti-Malware (PRO) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.27.08

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

jill :: JILLD [administrator]

Protection: Disabled

8/27/2012 7:18:33 PM

mbam-log-2012-08-27 (19-18-33).txt

Scan type: Quick scan

Scan options disabled: P2P

Objects scanned: 250648

Time elapsed: 5 minute(s), 29 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

MrCharlie · August 27, 2012

OK, run another scan with RogueKiller and post the new log.

Run another scan with FSS and post the new log.

and Win Patrol is asking if I want to accept changes to HOSTS files

Accept them. MrC

Endinsight · August 28, 2012

OK - will do .

Endinsight · August 28, 2012

I do not see AVG anywhere - not in Add/Remove or anywhere - I uninstalled it ? ?

COMBO LOG

ComboFix 12-08-25.04 - jill 08/27/2012 20:10:15.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1398 [GMT -4:00]

Running from: c:\documents and settings\jill\Desktop\ComboFix.exe

AV: AVG Anti-Virus 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66}

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-28 )))))))))))))))))))))))))))))))

.

2012-08-27 23:40 . 2012-08-27 23:40 -------- d-----w- c:\documents and settings\jill\Application Data\Malwarebytes

2012-08-27 23:40 . 2012-08-27 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-08-27 23:39 . 2012-08-27 23:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-08-27 23:39 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-08-26 21:22 . 2012-08-26 21:22 -------- d-----w- c:\windows\system32\wbem\Repository

2012-08-25 19:01 . 2012-08-25 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\inf

2012-08-25 19:01 . 2012-08-25 19:01 -------- d-----w- c:\program files\My Drivers

2012-08-25 01:35 . 2012-08-25 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate

2012-08-25 00:14 . 2012-08-25 00:14 -------- d-----w- c:\documents and settings\jill\Application Data\ElevatedDiagnostics

2012-08-24 13:05 . 2012-08-24 13:05 -------- d-sh--w- c:\documents and settings\jill\IECompatCache

2012-08-24 13:04 . 2012-08-24 13:04 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2012-08-24 13:04 . 2012-08-24 13:04 -------- d-sh--w- c:\documents and settings\jill\PrivacIE

2012-08-24 13:01 . 2012-08-24 13:01 -------- d-sh--w- c:\documents and settings\jill\IETldCache

2012-08-24 12:54 . 2012-08-24 12:55 -------- dc-h--w- c:\windows\ie8

2012-08-09 16:25 . 2012-08-09 16:25 -------- d-----w- c:\documents and settings\jill\Local Settings\Application Data\Sun

2012-08-09 16:13 . 2012-08-09 16:13 -------- d-----w- c:\program files\Oracle

2012-08-09 16:13 . 2012-08-09 16:13 -------- d-----w- c:\documents and settings\jill\Application Data\Oracle

2012-08-09 16:13 . 2012-07-06 02:07 143872 ----a-w- c:\windows\system32\javacpl.cpl

2012-08-09 16:13 . 2012-07-06 02:06 772544 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-08-09 16:12 . 2012-08-09 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2012-08-09 16:09 . 2012-08-15 14:33 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-08-05 13:32 . 2012-08-05 13:32 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2012-08-05 13:32 . 2012-08-05 13:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2012-08-05 13:25 . 2012-08-05 13:31 -------- d-----w- C:\f1ac9f06980545953529

2012-08-05 12:12 . 2012-08-05 12:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix

2012-08-04 07:02 . 2012-08-05 13:32 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-08-03 19:38 . 2008-04-13 18:46 53376 ----a-w- c:\windows\system32\dllcache\1394bus.sys

2012-08-03 19:38 . 2001-08-17 18:06 11264 ----a-w- c:\windows\system32\dllcache\1394vdbg.sys

2012-08-03 19:36 . 2004-08-10 10:00 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll

2012-08-03 19:35 . 2001-08-17 18:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll

2012-08-03 19:35 . 2004-08-10 10:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll

2012-08-02 01:00 . 2012-08-02 01:00 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\QuickScan

2012-08-02 01:00 . 2012-08-02 01:00 -------- d-----w- c:\program files\Bitdefender

2012-08-02 00:09 . 2004-08-10 10:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe

2012-08-02 00:09 . 2004-08-10 10:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll

2012-08-02 00:09 . 2004-08-10 10:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll

2012-08-02 00:09 . 2004-08-10 10:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe

2012-08-02 00:09 . 2004-08-10 10:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll

2012-08-01 21:55 . 2012-08-26 21:23 -------- d-----w- c:\documents and settings\Guest

2012-08-01 15:25 . 2012-08-01 15:25 -------- d-----w- C:\kleaner.tmp

2012-08-01 00:42 . 2012-08-01 00:42 -------- d-----w- c:\windows\ShellNew

2012-07-30 21:22 . 2008-11-07 22:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll

2012-07-30 21:22 . 2012-07-30 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\BDLogging

2012-07-30 21:22 . 2007-04-11 15:11 511328 ----a-w- c:\windows\capicom.dll

2012-07-30 21:11 . 2012-08-02 00:58 -------- d-----w- c:\program files\Common Files\Bitdefender

2012-07-30 21:00 . 2012-07-30 21:07 -------- d-----w- c:\documents and settings\jill\Application Data\QuickScan

2012-07-30 17:35 . 2012-07-30 17:35 16522 ----a-w- C:\FixitRegBackup.reg

2012-07-30 15:36 . 2012-08-27 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2012-07-30 15:09 . 2012-07-30 15:10 -------- d-----w- C:\WINSSLog

2012-07-30 15:02 . 2012-07-30 15:02 -------- d-----w- c:\documents and settings\jill\Local Settings\Application Data\VS Revo Group

2012-07-30 15:02 . 2009-12-30 15:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys

2012-07-30 15:02 . 2012-07-30 15:02 -------- d-----w- c:\program files\VS Revo Group

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-08-15 14:33 . 2011-06-13 21:18 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-06 02:06 . 2012-04-11 20:42 687544 ----a-w- c:\windows\system32\deployJava1.dll

2012-06-13 13:19 . 2005-08-16 09:18 1866112 ----a-w- c:\windows\system32\win32k.sys

2012-06-05 15:50 . 2007-05-15 19:43 1372672 ----a-w- c:\windows\system32\msxml6.dll

2012-06-05 15:50 . 2005-08-16 09:18 1172480 ----a-w- c:\windows\system32\msxml3.dll

2012-06-04 21:35 . 2005-08-16 09:40 210968 ----a-w- c:\windows\system32\wuweb.dll

2012-06-04 21:35 . 2009-08-06 23:23 222448 ----a-w- c:\windows\system32\muweb.dll

2012-06-04 04:32 . 2005-08-16 09:18 152576 ----a-w- c:\windows\system32\schannel.dll

2012-06-02 19:19 . 2007-07-19 12:33 22040 ----a-w- c:\windows\system32\wucltui.dll.mui

2012-06-02 19:19 . 2007-07-19 12:33 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

2012-06-02 19:19 . 2005-08-16 09:40 329240 ----a-w- c:\windows\system32\wucltui.dll

2012-06-02 19:19 . 2005-08-16 09:40 219160 ----a-w- c:\windows\system32\wuaucpl.cpl

2012-06-02 19:19 . 2009-10-06 14:30 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

2012-06-02 19:19 . 2007-01-30 16:31 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 19:19 . 2007-01-30 16:31 45080 ----a-w- c:\windows\system32\wups2(2).dll

2012-06-02 19:19 . 2005-08-16 09:40 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 19:19 . 2005-08-16 09:40 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-02 19:19 . 2005-08-16 09:18 97304 ----a-w- c:\windows\system32\cdm.dll

2012-06-02 19:19 . 2007-07-19 12:33 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui

2012-06-02 19:19 . 2005-08-16 09:40 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 19:19 . 2005-08-16 09:40 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 19:18 . 2012-06-28 21:27 275696 ----a-w- c:\windows\system32\mucltui.dll

2012-06-02 19:18 . 2012-05-09 11:46 17136 ----a-w- c:\windows\system32\mucltui.dll.mui

2012-05-31 16:25 . 2012-06-28 21:32 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-05-31 13:22 . 2005-08-16 09:18 599040 ----a-w- c:\windows\system32\crypt32.dll

2012-05-31 13:22 . 2005-08-16 09:18 599040 ----a-w- c:\windows\system32\crypt32(2)(2).dll

.

((((((((((((((((((((((((((((( SnapShot@2012-08-27_22.35.55 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-08-27 23:36 . 2012-08-27 23:36 16384 c:\windows\Temp\Perflib_Perfdata_254.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]

"CTHelper"="c:\windows\system32\CTHELPER.EXE" [2006-12-12 19456]

"CTxfiHlp"="c:\windows\system32\CTXFIHLP.EXE" [2006-03-02 18944]

"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-10-28 1352272]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]

"NvMediaCenter"="NvMCTray.dll" [2007-09-17 81920]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-05 1632360]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Malwarebytes Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 15:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^jill^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\jill\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]

2012-07-13 01:30 384232 ------w- c:\program files\BillP Studios\WinPatrol\WinPatrol.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

.

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]

R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [6/24/2011 4:45 PM 10448]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/27/2012 7:39 PM 655944]

R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [7/1/2011 3:46 PM 2214504]

R3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.1.391.0\SeaPort.EXE [6/11/2012 4:22 PM 240208]

R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [8/24/2010 1:30 PM 40912]

R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [8/24/2010 1:30 PM 10448]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/27/2012 7:39 PM 22344]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]

S2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.1.391.0\BBSvc.EXE [6/11/2012 4:22 PM 193616]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2010 7:04 PM 136176]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [8/9/2012 12:09 PM 250056]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2010 7:04 PM 136176]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [7/30/2012 11:02 AM 27064]

S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\covpndrv.sys --> c:\windows\system32\DRIVERS\covpndrv.sys [?]

S4 SACODiskOptimizer;SACODiskOptimizer;c:\program files\Softarama\Captain Optimizer\SACODefragSrv.exe [4/1/2012 12:48 PM 239936]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-27 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-09 14:33]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://thundercloud.net/start/index.htm

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0061229

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Trusted Zone: microsoft.com\www.update

Trusted Zone: thundercloud.net

TCP: DhcpNameServer = 65.32.5.111 65.32.5.112 192.168.1.1

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-08-27 20:18

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(720)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

- - - - - - - > 'explorer.exe'(248)

c:\windows\system32\ieframe.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2012-08-27 20:19:36

ComboFix-quarantined-files.txt 2012-08-28 00:19

ComboFix2.txt 2012-08-27 22:37

.

Pre-Run: 193,510,432,768 bytes free

Post-Run: 193,488,633,856 bytes free

.

- - End Of File - - BB801BA8FF556BE9BED44B3316782924

RK LOGRogueKiller V8.0.0 [08/26/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : jill [Admin rights]

Mode : Remove -- Date : 08/27/2012 20:05:23

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3250824AS +++++

--- User ---

[MBR] 778e7f63f7796c212b69e0fb6df5c717

[bSP] 3efdd157322bc54deb4f0f8435ac64f6 : MBR Code unknown

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 47 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 96390 | Size: 233609 Mo

2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 478528155 | Size: 4753 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[4].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt

MrCharlie · August 28, 2012

Please download Farbar Service Scanner and run it on the computer with the issue.

Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center
- Windows Update
- Windows Defender
[*]Press "Scan".
[*]It will create a log (FSS.txt) in the same directory the tool is run.
[*]Please copy and paste the log to your reply.

MrC

Endinsight · August 28, 2012

_{MS Security Center says my Firewall is ON - but I've selected OFF}

_{MS Security Centere says I have AVG running - but I uninstalled it. . .It's not in add/remove or anywhere.}

_{Will just ignore and Run Rogue and FSS - back soon.}

Endinsight · August 28, 2012

oogle.com is accessible.

Yahoo IP is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall"=DWORD:0

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

Windows Update:

============

BITS Service is not running. Checking service configuration:

The start type of BITS service is OK.

The ImagePath of BITS service is OK.

The ServiceDll of BITS service is OK.

Windows Autoupdate Disabled Policy:

============================

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\wscsvc.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\wuauserv.dll => MD5 is legit

C:\WINDOWS\system32\qmgr.dll => MD5 is legit

C:\WINDOWS\system32\es.dll => MD5 is legit

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)

0x06000000040000000300000008000000050000000600000007000000

IpSec Tag value is correct.

**** End of log ****

Fingers Crossed

MrCharlie · August 28, 2012

Go to Start > Run > copy and paste this in services.msc > Click OK

Double click on > Background Intelligent Transfer Service (BITS)

Make sure it's set to Start and Startup type > Manual

Reboot and run another FSS scan, MrC

Endinsight · August 28, 2012

I can't find BITS - have been looking for it for long time.

Maybe I didn't follow your instructs . . .Here's what I did. .

Went to Start-Run and typed in services.msc

No RPC whatever that is (lol) and no BITS

MrCharlie · August 28, 2012

You're looking for:

Background Intelligent Transfer Service

Not BITS

Check again, MrC

Endinsight · August 28, 2012

Checked again. . don't see it. .

The only B's are: BBUpdate and Bing Bar Service

MrCharlie · August 28, 2012

Download BITS.reg to your desktop:

http://download.bleepingcomputer.com/win-services/xp/BITS.reg

Double click on it and allow it to merge into the registry

Reboot and see if updates work now, MrC

Endinsight · August 28, 2012

Oh Mr C - I'm sorry. . . to be such a pain.

Endinsight · August 28, 2012

It's hopeless, isn't it. . ? totally trashed. I LOVED my XP and have taken very good care of it.

But . . .sure doesn't look like it.

Endinsight · August 28, 2012

youuu DID IT !! You DID IT !

The good news is: BITS is back !!!

The bad news is: I went to Windows updates via link . .tried just one update - It failed.

MrCharlie · August 28, 2012

Run a new FSS scan and post the log, MrC

windows updates fail after virus removed

Recommended Posts

Link to post

Share on other sites

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information