Jump to content

Win32/DownWare.E and Win32/InstallCore.BN (Two Viruses)

jphillips
 Share

Recommended Posts

jphillips

jphillips

Posted
Posted

Ran ESET online scan earlier today and two threats found: Copy/Paste from Log as follows:

C:\System Volume Information\_restore{1870424D-31E5-4D18-B48C-C1B486FA8331}\RP911\A0085459.exe    Win32/InstallCore.BN application
C:\System Volume Information\_restore{1870424D-31E5-4D18-B48C-C1B486FA8331}\RP911\A0085461.exe    Win32/DownWare.E application

 

Log from DDS.txt as follows:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.25.2
Run by Admin at 22:50:53 on 2013-08-12
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2494.1600 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: COMODO Firewall *Enabled*
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.





TCP: NameServer = 192.168.0.1
TCP: Interfaces\{68D015DB-89E2-492A-AB0C-A6D4AEABD34F} : DHCPNameServer = 192.168.0.1
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs= c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\p5ujwgxe.default\

FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\admin\local settings\application data\citrix\plugins\104\npappdetector.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1203133.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_94.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2013-08-03 23:19; {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}; c:\documents and settings\admin\application data\mozilla\firefox\profiles\p5ujwgxe.default\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}.xpi
FF - ExtSQL: 2013-08-03 23:53; {b9bfaf1c-a63f-47cd-8b9a-29526ced9060}; c:\documents and settings\admin\application data\mozilla\firefox\profiles\p5ujwgxe.default\extensions\{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}.xpi
FF - ExtSQL: 2013-08-12 12:01; {23fcfd51-4958-4f00-80a3-ae97e717ed8b}; c:\program files\divx\divx plus web player\firefox\DivXHTML5
FF - ExtSQL: !HIDDEN! 2010-09-07 16:44; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R0 SI3112r;ATI-4379 Serial ATA Controller;c:\windows\system32\drivers\SI3112r.sys [2007-8-29 116264]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2012-1-17 497952]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-12-19 32640]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2011-12-19 1990464]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-4-18 754856]
S4 TivoBeacon2;TiVo Beacon Service;c:\program files\tivo\desktop\TiVoBeacon.exe [2010-8-24 1104656]
.
=============== Created Last 30 ================
.
2013-08-12 18:58:06    --------    d-----w-    c:\program files\common files\DivX Shared
2013-08-12 18:53:39    --------    d-----w-    c:\program files\DivX
2013-08-12 17:38:41    --------    d-----w-    c:\windows\system32\Adobe
2013-08-12 05:43:05    7143960    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4eab2973-45f6-43a1-a35c-54386355f2f9}\mpengine.dll
2013-08-12 05:43:04    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-08-12 05:28:43    --------    d-----w-    c:\program files\Microsoft Security Client
2013-08-06 03:25:44    --------    d-----w-    c:\documents and settings\all users\application data\DivX
2013-08-06 03:25:43    --------    d-----w-    c:\program files\DSP-worx
2013-08-06 03:25:42    --------    d-----w-    c:\documents and settings\admin\application data\LavFilters
2013-08-06 03:25:42    --------    d-----w-    c:\documents and settings\admin\application data\CDXReader
2013-08-06 03:22:54    --------    d-----w-    c:\documents and settings\admin\application data\DSite
2013-08-04 06:11:31    --------    d-----w-    c:\documents and settings\admin\application data\Windows Desktop Search
2013-08-04 05:08:08    --------    d-----w-    c:\program files\WizTree
2013-07-28 19:01:59    74136    ----a-w-    c:\program files\mozilla firefox\breakpadinjector.dll
2013-07-28 19:01:59    2106216    ----a-w-    c:\program files\mozilla firefox\D3DCompiler_43.dll
2013-07-28 19:01:59    19352    ----a-w-    c:\program files\mozilla firefox\AccessibleMarshal.dll
2013-07-28 19:01:59    116120    ----a-w-    c:\program files\mozilla firefox\crashreporter.exe
2013-07-21 23:58:19    --------    d-----w-    c:\windows\system32\MRT
.
==================== Find3M  ====================
.
2013-08-04 18:42:07    1901    ----a-w-    c:\windows\panose.bin
2013-07-22 03:32:13    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-22 03:32:13    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-06-30 17:12:23    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-06-30 17:12:22    867240    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-06-30 17:12:22    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2013-06-30 17:12:22    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2013-06-23 05:25:53    72748    ----a-w-    c:\windows\unins000.exe
2013-06-08 06:55:44    385024    ------w-    c:\windows\system32\html.iec
2013-06-07 21:56:06    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-06-07 21:56:06    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-06-07 21:56:05    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-06-04 07:23:02    562688    ------w-    c:\windows\system32\qedit.dll
2013-06-04 01:40:45    1876736    ------w-    c:\windows\system32\win32k.sys
.
============= FINISH: 22:51:44.20 ===============

 

Log from Attach.txt as follows:

DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/10/2009 10:56:48 AM
System Uptime: 8/12/2013 1:01:09 PM (9 hours ago)
.
Motherboard: MSI |  | 09AC
Processor: AMD Athlon 64 X2 Dual Core Processor 3800+ | Socket 939 | 1994/199mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 75 GiB total, 15.69 GiB free.
D: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\3&61AAA01&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\3&61AAA01&0
Service: i8042prt
.
==== System Restore Points ===================
.
RP878: 7/19/2013 5:40:14 PM - System Checkpoint
RP879: 7/20/2013 5:45:17 PM - System Checkpoint
RP880: 7/21/2013 4:58:00 PM - Software Distribution Service 3.0
RP881: 7/22/2013 5:31:49 PM - System Checkpoint
RP882: 7/23/2013 8:08:02 PM - System Checkpoint
RP883: 7/24/2013 8:31:30 PM - System Checkpoint
RP884: 7/25/2013 9:31:30 PM - System Checkpoint
RP885: 7/26/2013 10:31:30 PM - System Checkpoint
RP886: 7/27/2013 11:21:36 PM - System Checkpoint
RP887: 7/29/2013 1:06:51 AM - System Checkpoint
RP888: 7/30/2013 1:09:08 AM - System Checkpoint
RP889: 7/31/2013 1:21:29 AM - System Checkpoint
RP890: 8/1/2013 1:25:05 AM - System Checkpoint
RP891: 8/2/2013 1:31:28 AM - System Checkpoint
RP892: 8/3/2013 1:32:33 AM - System Checkpoint
RP893: 8/3/2013 9:48:03 PM - Removed Logitech Gaming Software 5.10.
RP894: 8/3/2013 9:59:17 PM - Removed Microsoft Xbox 360 Accessories 1.2
RP895: 8/3/2013 10:01:16 PM - Removed Nikon Message Center
RP896: 8/3/2013 10:57:24 PM - Removed Apple Application Support
RP897: 8/3/2013 10:59:32 PM - Removed Apple Software Update
RP898: 8/3/2013 11:02:48 PM - Removed QuickTime
RP899: 8/3/2013 11:04:20 PM - Removed SupportSoft Assisted Service
RP900: 8/3/2013 11:10:27 PM - Installed Windows XP KB915800-v4.
RP901: 8/3/2013 11:10:42 PM - Installed Windows XP Windows Search 4.0.
RP902: 8/4/2013 12:25:11 AM - Software Distribution Service 3.0
RP903: 8/5/2013 1:14:04 AM - System Checkpoint
RP904: 8/6/2013 2:03:24 AM - System Checkpoint
RP905: 8/7/2013 2:04:09 AM - System Checkpoint
RP906: 8/8/2013 2:28:12 AM - System Checkpoint
RP907: 8/9/2013 3:28:12 AM - System Checkpoint
RP908: 8/10/2013 4:28:13 AM - System Checkpoint
RP909: 8/11/2013 5:28:12 AM - System Checkpoint
RP910: 8/11/2013 9:29:12 PM - Configured Microsoft Office Small Business 2007
RP911: 8/11/2013 9:29:57 PM - Configured Microsoft Office Small Business 2007
RP912: 8/11/2013 10:26:40 PM - Software Distribution Service 3.0
RP913: 8/12/2013 12:41:00 PM - Removed NVIDIA GAME System Software 2.8.1
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
6400_Help
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe PageMaker 6.5
Adobe Photoshop 7.0
Adobe Reader XI (11.0.03)
Adobe Shockwave Player 12.0
AMD Processor Driver
Anti Red Eye 1.6
ATI - Software Uninstall Utility
ATI Display Driver
Avery LabelPro 3.0
Bonjour
bpd_scan
BPDSoftware
BPDSoftware_Ini
Broadcom Management Programs
Broadcom NetXtreme Ethernet Controller
BufferChm
CCleaner
CD Recovery Toolbox Free 2.0
Citrix Online Launcher
Cole2k Media - Codec Pack (Standard) 7.9.1
COMODO Internet Security
Compatibility Pack for the 2007 Office system
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DivX Setup
DocProc
DocProcQFolder
ESET Online Scanner v3
eSupportQFolder
Family Tree Maker 8.0
Fax
GPBaseService
GPL Ghostscript 9.00
GSview 4.9
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB959765)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Imaging Device Functions 10.0
HP Officejet J6400 Series
HP Print Diagnostic Utility
HP SetRefresh
HP Solution Center 10.0
HPDiagnosticAlert
HPProductAssistant
Icon Restore 1.0
J6400
Java 7 Update 25
Java Auto Updater
Macromedia Dreamweaver 4
Macromedia Extension Manager
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2833941)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Edition 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Software Update for Web Folders  (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Windows XP Video Decoder Checkup Utility
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFCLOC_x86
Mozilla Firefox 22.0 (x86 en-US)
Mozilla Maintenance Service
MSVCSetup
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser
OCR Software by I.R.I.S. 10.0
PDFill FREE PDF Tools
PictureProject
Pinnacle Studio 14
Pinnacle Video Driver
Power Email Recovery for Outlook Express 1.1
ProductContext
Realtek AC'97 Audio
RegTweaker version 3.2.2
Remove Hidden Data Tool
Scan
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2832407)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687309) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2597971) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB2817183)
Security Update for Windows Internet Explorer 8 (KB2829530)
Security Update for Windows Internet Explorer 8 (KB2838727)
Security Update for Windows Internet Explorer 8 (KB2846071)
Security Update for Windows Internet Explorer 8 (KB2847204)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB2834904)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360131)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2416400)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2753842)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2808735)
Security Update for Windows XP (KB2813170)
Security Update for Windows XP (KB2813345)
Security Update for Windows XP (KB2820197)
Security Update for Windows XP (KB2820917)
Security Update for Windows XP (KB2829361)
Security Update for Windows XP (KB2834886)
Security Update for Windows XP (KB2839229)
Security Update for Windows XP (KB2845187)
Security Update for Windows XP (KB2850851)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SolutionCenter
Status
swMSM
TiVo Desktop 2.8.3
Toolbox
TrayApp
Tweak UI
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB2836940)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596802) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2817563) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows Internet Explorer 8 (KB2632503)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB2808679)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
VC80CRTRedist - 8.0.50727.6195
Visual Studio 2005 Tools for Office Second Edition Runtime
Visual Studio C++ 10.0 Runtime
VLC media player 2.0.6
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
WinPatrol
WizTree v1.05
.
==== Event Viewer Messages From Past Week ========
.
8/12/2013 6:16:30 PM, error: Print [6161]  - The document Microsoft Word - Important Information-2013.doc owned by Admin failed to print on printer HP Officejet J6400 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 99232. Number of bytes printed: 99232. Total number of pages in the document: 1. Number of pages printed: 3. Client machine: \\2UA6500JWV. Win32 error code returned by the print processor: 0 (0x0).
8/12/2013 1:15:55 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
8/12/2013 1:14:00 AM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD AmdK8 cmdGuard cmdHlp Fips IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
8/12/2013 1:14:00 AM, error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:  A device attached to the system is not functioning.
8/12/2013 1:14:00 AM, error: Service Control Manager [7001]  - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:  A device attached to the system is not functioning.
8/12/2013 1:14:00 AM, error: Service Control Manager [7001]  - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:  A device attached to the system is not functioning.
8/12/2013 1:14:00 AM, error: Service Control Manager [7001]  - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
8/12/2013 1:13:44 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
8/12/2013 1:13:11 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/11/2013 10:45:21 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.     New Signature Version:      Previous Signature Version: 1.155.2034.0     Update Source: Microsoft Malware Protection Center     Update Stage: Install     Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=0.0.0.0&avdelta=0.0.0.0&asdelta=0.0.0.0∏=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094     Signature Type: AntiVirus     Update Type: Full     User: NT AUTHORITY\NETWORK SERVICE     Current Engine Version:      Previous Engine Version: 1.1.9700.0     Error code: 0x8050a003     Error description: This package does not contain up-to-date definition files for this program. For more information, see Help and Support.
8/11/2013 10:45:21 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.     New Signature Version:      Previous Signature Version: 1.155.2034.0     Update Source: Microsoft Malware Protection Center     Update Stage: Install     Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=0.0.0.0&avdelta=0.0.0.0&asdelta=0.0.0.0∏=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094     Signature Type: AntiVirus     Update Type: Full     User: NT AUTHORITY\NETWORK SERVICE     Current Engine Version:      Previous Engine Version: 1.1.9700.0     Error code: 0x8050a003     Error description: This package does not contain up-to-date definition files for this program. For more information, see Help and Support.
8/11/2013 10:45:21 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.     New Signature Version:      Previous Signature Version: 1.155.2034.0     Update Source: Microsoft Malware Protection Center     Update Stage: Install     Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=0.0.0.0&avdelta=0.0.0.0&asdelta=0.0.0.0∏=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094     Signature Type: AntiSpyware     Update Type: Full     User: NT AUTHORITY\NETWORK SERVICE     Current Engine Version:      Previous Engine Version: 1.1.9700.0     Error code: 0x8050a003     Error description: This package does not contain up-to-date definition files for this program. For more information, see Help and Support.
8/11/2013 10:34:42 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.     New Signature Version:      Previous Signature Version: 0.0.0.0     Update Source: Microsoft Update Server     Update Stage: Install     Source Path: http://www.microsoft.com     Signature Type: AntiVirus     Update Type: Full     User: NT AUTHORITY\SYSTEM     Current Engine Version:      Previous Engine Version: 0.0.0.0     Error code: 0x80240016     Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
8/11/2013 10:34:42 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.     New Signature Version:      Previous Signature Version: 0.0.0.0     Update Source: Microsoft Update Server     Update Stage: Install     Source Path: http://www.microsoft.com     Signature Type: AntiVirus     Update Type: Full     User: NT AUTHORITY\SYSTEM     Current Engine Version:      Previous Engine Version: 0.0.0.0     Error code: 0x80240016     Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
8/11/2013 10:34:42 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.     New Signature Version:      Previous Signature Version: 0.0.0.0     Update Source: Microsoft Update Server     Update Stage: Download     Source Path: http://www.microsoft.com     Signature Type: AntiVirus     Update Type: Full     User: NT AUTHORITY\SYSTEM     Current Engine Version:      Previous Engine Version: 0.0.0.0     Error code: 0x80240016     Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
8/11/2013 10:34:07 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.     New Signature Version:      Previous Signature Version: 0.0.0.0     Update Source: Microsoft Update Server     Update Stage: Install     Source Path: http://www.microsoft.com     Signature Type: AntiVirus     Update Type: Full     User: NT AUTHORITY\SYSTEM     Current Engine Version:      Previous Engine Version: 0.0.0.0     Error code: 0x80240016     Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
8/11/2013 10:34:07 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.     New Signature Version:      Previous Signature Version: 0.0.0.0     Update Source: Microsoft Update Server     Update Stage: Install     Source Path: http://www.microsoft.com     Signature Type: AntiVirus     Update Type: Full     User: NT AUTHORITY\SYSTEM     Current Engine Version:      Previous Engine Version: 0.0.0.0     Error code: 0x80240016     Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
8/11/2013 10:34:07 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.     New Signature Version:      Previous Signature Version: 0.0.0.0     Update Source: Microsoft Update Server     Update Stage: Download     Source Path: http://www.microsoft.com     Signature Type: AntiVirus     Update Type: Full     User: NT AUTHORITY\SYSTEM     Current Engine Version:      Previous Engine Version: 0.0.0.0     Error code: 0x80240016     Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
8/10/2013 9:30:46 PM, error: Print [6161]  - The document Microsoft Word - Caliper Definitions-EQ.doc owned by Admin failed to print on printer HP Officejet J6400 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 205816. Number of bytes printed: 205816. Total number of pages in the document: 3. Number of pages printed: 27. Client machine: \\2UA6500JWV. Win32 error code returned by the print processor: 0 (0x0).
8/10/2013 7:00:28 PM, error: Print [6161]  - The document Microsoft PowerPoint - Aris Global Caliper Tendencies-With Names.pptx [Read-Only] owned by Admin failed to print on printer HP Officejet J6400 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 230684. Number of bytes printed: 230684. Total number of pages in the document: 1. Number of pages printed: 3. Client machine: \\2UA6500JWV. Win32 error code returned by the print processor: 0 (0x0).
.
==== End Of File ===========================

 

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Hello and :welcome:

Please run the following steps and post back all the logs as ATTACHMENTS by clicking on the More Reply Options button.
Please don't put logs in code or quote tags or copy/paste them into your reply unless you're unable to attach them.
Please enable your system to show hidden files: How to see hidden files in Windows

P2P/Piracy Warning:

  • If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.
  • Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
  • If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.


STEP 01
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.

    [*]Make sure that at least the first two check boxes are selected. [*]Click on OK [*]Then click on YES to create the folder. [*]Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe


STEP 02
Please download RogueKiller and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit

  • RogueKiller 32-bit | RogueKiller 64-bit
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User Licene Agreement)
  • Click Scan to scan the system.
  • When the scan completes Close the program > Don't Fix anything!
  • Don't run any other options, they're not all bad!!
  • Post back the report which should be located on your desktop.


STEP 03
Please download Malwarebytes Anti-Rootkit from here

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt

STEP 04
Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus


STEP 05
Please download AdwCleaner by Xplode to your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • If prompted by the User Account Control click Yes to allow it to run.
  • Under Actions click on the Delete button.
  • Click OK on all prompts.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the entire contents of that logfile to your next reply.
  • You can find the logfile at C:\AdwCleaner[s1].txt where the number in brackets indicates how often it was run.


STEP 06
button_eos.gif

Please go here to run the online antivirus scannner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

    [*]Click Scan [*]Wait for the scan to finish [*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic.



STEP 07
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.


 

Link to post
Share on other sites
jphillips

jphillips

Posted
  • Author
Posted

Followed instruction for Step 3. When running mbar.exe I receive following prompt:

 

Registry value "AppInit_Dlls" has been found, which may be caused by rootkit activity. Note: Press "No" button if you're not sure. If the tool crashes or teminates unexpectedly during a system scan, restart the too and press "Yes" should this message appear again. Do you want to remove this value and restart the tool?

 

How shall I answer this prompt?

Link to post
Share on other sites
jphillips

jphillips

Posted
  • Author
Posted

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-08-2013 01
Ran by Admin (administrator) on 13-08-2013 17:08:05
Running from C:\Documents and Settings\admin\Desktop
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\WINDOWS\system32\cisvc.exe
(Microsoft Corporation) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(BillP Studios) C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
(Microsoft Corporation) C:\Program Files\Windows Desktop Search\WindowsSearch.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
(Hewlett-Packard) C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
(Microsoft Corporation) C:\WINDOWS\system32\dwwin.exe
(Microsoft Corporation) C:\WINDOWS\system32\cidaemon.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [WinPatrol] - C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [325000 2011-03-16] (BillP Studios)
HKLM\...\Run: [COMODO Internet Security] - C:\Program Files\COMODO\COMODO Internet Security\cfp.exe [6756048 2012-11-07] (COMODO)
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [947152 2013-01-27] (Microsoft Corporation)
HKLM Group Policy restriction on software: C:\Program Files\Avira\AntiVir Desktop\avnotify.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
Winlogon\Notify\AtiExtEvent: Ati2evxx.dll (ATI Technologies Inc.)
Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
Startup: C:\Documents and Settings\admin\Start Menu\Programs\Startup\MailWasher PreLoader.lnk
ShortcutTarget: MailWasher PreLoader.lnk -> C:\Program Files\Firetrust\MailWasher\MailWasher PreLoader.exe (No File)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
ShortcutTarget: Windows Search.lnk -> C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU -No Name - {724D43A0-0D85-11D4-9908-00400523E39A} -  No File
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
Handler: ipp - No CLSID Value -
Handler: msdaipp - No CLSID Value -
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\p5ujwgxe.default

FF NetworkProxy: "type", 1
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_8_800_94.dll ()
FF Plugin: @adobe.com/ShockwavePlayer - C:\WINDOWS\system32\Adobe\Director\np32dsw_1203133.dll (Adobe Systems, Inc.)
FF Plugin: @divx.com/DivX Plus Web Player Plug-In,version=1.0.0 - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @java.com/DTPlugin,version=10.25.2 - C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.0.6 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin - C:\Documents and Settings\admin\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Extension: No Name - C:\Documents and Settings\admin\Application Data\Mozilla\Extensions\home2@tomtom.com
FF Extension: No Name - C:\Documents and Settings\admin\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\p5ujwgxe.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF Extension: WOT - C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\p5ujwgxe.default\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF Extension: No Name - C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\p5ujwgxe.default\Extensions\{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}.xpi
FF Extension: No Name - C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\p5ujwgxe.default\Extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}.xpi
FF Extension: Default - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF Extension: Default - C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] C:\Program Files\Java\jre1.6.0_29\lib\deploy\jqs\ff
FF HKLM\...\Firefox\Extensions: [{23fcfd51-4958-4f00-80a3-ae97e717ed8b}] C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF Extension: DivX Plus Web Player HTML5 <video> - C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5

Chrome:
=======

CHR DefaultSearchURL: (Google) - {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR Plugin: (Shockwave Flash) - C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.250.6) - C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll No File
CHR Plugin: (Java Platform SE 6 U25) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.0.60310.0\npctrl.dll No File
CHR Plugin: (Shockwave for Director) - C:\WINDOWS\system32\Adobe\Director\np32dsw.dll No File
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (Chrome NaCl) - C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\pdf.dll No File
CHR Plugin: (Microsoft\u00AE DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Microsoft\u00AE DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Documents and Settings\admin\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll No File
CHR Plugin: (Veetle TV Player) - C:\Program Files\Veetle\Player\npvlc.dll No File
CHR Plugin: (Veetle TV Core) - C:\Program Files\Veetle\plugins\npVeetle.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Plugin: (Default Plug-in) - default_plugin No File
CHR Extension: (YouTube) - C:\DOCUME~1\admin\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0
CHR Extension: (Google Search) - C:\DOCUME~1\admin\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.14_0
CHR Extension: (Gmail) - C:\DOCUME~1\admin\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.3_0
CHR HKLM\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - C:\Program Files\DivX\DivX Plus Web Player\chrome\DivXHTML5\DivXHTML5.crx

========================== Services (Whitelisted) =================

R2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [1990464 2012-11-07] (COMODO)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] (Microsoft Corporation)
S4 TivoBeacon2; C:\Program Files\TiVo\Desktop\TiVoBeacon.exe [1104656 2010-08-24] (TiVo Inc.)
S4 GoToMyPC; "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" Start=service [x]
S4 HidServ; %SystemRoot%\System32\hidserv.dll [x]
R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf" [x]

==================== Drivers (Whitelisted) ====================

R3 ALCXWDM; C:\Windows\System32\drivers\ALCXWDM.SYS [2278784 2004-09-21] (Realtek Semiconductor Corp.)
R1 AmdK8; C:\Windows\System32\DRIVERS\AmdK8.sys [36864 2006-07-01] (Advanced Micro Devices)
S1 AmdPPM; C:\Windows\System32\DRIVERS\AmdPPM.sys [33792 2007-04-16] (Advanced Micro Devices)
R3 ati2mtag; C:\Windows\System32\DRIVERS\ati2mtag.sys [2456064 2007-09-29] (ATI Technologies Inc.)
R2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [281504 2012-02-19] ()
R3 b57w2k; C:\Windows\System32\DRIVERS\b57xp32.sys [176640 2008-07-25] (Broadcom Corporation)
S3 Blfp; C:\Windows\System32\DRIVERS\baspxp32.sys [98816 2008-06-06] (Broadcom Corporation)
S3 CCDECODE; C:\Windows\System32\DRIVERS\CCDECODE.sys [16384 2004-07-09] (Microsoft Corporation)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [497952 2012-11-07] (COMODO)
R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [32640 2012-11-07] (COMODO)
S3 DCamUSBEMPIA; C:\Windows\System32\DRIVERS\emDevice.sys [100957 2005-12-21] (eMPIA Technology, Inc.)
S3 emAudio; C:\Windows\System32\drivers\emAudio.sys [22528 2006-12-12] (Pinnacle Systems GmbH)
S3 FilterService; C:\Windows\System32\DRIVERS\lvuvcflt.sys [23904 2010-05-14] (Logitech Inc.)
S3 FiltUSBEMPIA; C:\Windows\System32\DRIVERS\emFilter.sys [5245 2005-12-21] (eMPIA Technology, Inc.)
R3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [49920 2007-01-17] (HP)
R3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2007-01-17] (HP)
R3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2007-01-17] (HP)
R0 Inspect; C:\Windows\System32\DRIVERS\inspect.sys [99080 2012-11-07] (COMODO)
R2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [25888 2012-02-19] ()
R3 MarvinBus; C:\Windows\System32\DRIVERS\MarvinBus.sys [171520 2005-09-23] (Pinnacle Systems GmbH)
S3 MPE; C:\Windows\System32\DRIVERS\MPE.sys [15104 2004-07-09] (Microsoft Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S3 NABTSFEC; C:\Windows\System32\DRIVERS\NABTSFEC.sys [83968 2004-07-09] (Microsoft Corporation)
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10112 2004-07-09] (Microsoft Corporation)
S3 ScanUSBEMPIA; C:\Windows\System32\DRIVERS\emScan.sys [4493 2005-12-21] (eMPIA Technology, Inc.)
R0 SI3112r; C:\Windows\System32\DRIVERS\SI3112r.sys [116264 2007-08-29] (Silicon Image, Inc)
R0 SiFilter; C:\Windows\System32\DRIVERS\SiWinAcc.sys [19240 2007-08-29] (Silicon Image, Inc)
S3 SLIP; C:\Windows\System32\DRIVERS\SLIP.sys [10880 2004-07-09] (Microsoft Corporation)
S3 streamip; C:\Windows\System32\DRIVERS\StreamIP.sys [14976 2004-07-09] (Microsoft Corporation)
R3 WmBEnum; C:\Windows\System32\drivers\WmBEnum.sys [22856 2010-04-27] (Logitech Inc.)
S3 WmFilter; C:\Windows\System32\drivers\WmFilter.sys [37704 2010-04-27] (Logitech Inc.)
S3 WmVirHid; C:\Windows\System32\drivers\WmVirHid.sys [15048 2010-04-27] (Logitech Inc.)
R3 WmXlCore; C:\Windows\System32\drivers\WmXlCore.sys [66632 2010-04-27] (Logitech Inc.)
S3 WSTCODEC; C:\Windows\System32\DRIVERS\WSTCODEC.SYS [18688 2004-07-09] (Microsoft Corporation)
S4 IntelIde; No ImagePath
S3 USBAAPL; System32\Drivers\usbaapl.sys [x]
U1 WS2IFSL;
U3 mbr; \??\C:\DOCUME~1\admin\LOCALS~1\Temp\mbr.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-08-13 17:03 - 2013-08-13 17:04 - 01068613 _____ (Farbar) C:\Documents and Settings\admin\Desktop\FRST.exe
2013-08-13 12:41 - 2013-08-13 12:41 - 00000000 ____D C:\Documents and Settings\admin\Desktop\mbar
2013-08-13 11:18 - 2013-08-13 11:22 - 00004071 _____ C:\WINDOWS\KB2859537.log
2013-08-13 11:18 - 2013-08-13 11:22 - 00003670 _____ C:\WINDOWS\KB2850869.log
2013-08-13 11:18 - 2013-08-13 11:18 - 00000000 ____D C:\WINDOWS\LastGood
2013-08-13 10:21 - 2013-08-13 10:21 - 00001942 _____ C:\Documents and Settings\admin\Desktop\RKreport[0]_S_08132013_102129.txt
2013-08-13 10:08 - 2013-08-13 10:23 - 00000000 ____D C:\Documents and Settings\admin\Desktop\RK_Quarantine
2013-08-13 10:04 - 2013-08-13 10:04 - 00000611 _____ C:\Documents and Settings\admin\Desktop\NTREGOPT.lnk
2013-08-13 10:04 - 2013-08-13 10:04 - 00000592 _____ C:\Documents and Settings\admin\Desktop\ERUNT.lnk
2013-08-13 10:04 - 2013-08-13 10:04 - 00000000 ____D C:\Program Files\ERUNT
2013-08-12 23:34 - 2013-08-12 23:34 - 00000057 _____ C:\Documents and Settings\admin\Desktop\Malwarebytes Forum.URL
2013-08-12 23:33 - 2013-08-12 23:33 - 00000054 _____ C:\Documents and Settings\admin\Desktop\Malwarebytes Free anti-malware download.URL
2013-08-12 22:52 - 2013-08-12 22:52 - 00033502 _____ C:\Documents and Settings\admin\Desktop\attach.txt
2013-08-12 22:52 - 2013-08-12 22:51 - 00010311 _____ C:\Documents and Settings\admin\Desktop\dds.txt
2013-08-12 15:13 - 2013-08-12 15:13 - 00000254 _____ C:\Documents and Settings\admin\Desktop\Virus 8_12_13.txt
2013-08-12 13:10 - 2013-08-12 13:10 - 00000103 _____ C:\WINDOWS\drwatson.log
2013-08-12 12:41 - 2013-08-12 12:41 - 00001082 _____ C:\WINDOWS\DIFx.log
2013-08-12 12:01 - 2013-08-12 12:01 - 00001469 _____ C:\Documents and Settings\admin\Desktop\DivX Movies.lnk
2013-08-12 12:00 - 2013-08-12 12:00 - 00000817 _____ C:\Documents and Settings\All Users\Desktop\DivX Plus Converter.lnk
2013-08-12 12:00 - 2013-08-12 12:00 - 00000777 _____ C:\Documents and Settings\All Users\Desktop\DivX Plus Player.lnk
2013-08-12 11:58 - 2013-08-12 12:01 - 00000000 ____D C:\Program Files\Common Files\DivX Shared
2013-08-12 11:53 - 2013-08-12 12:01 - 00000000 ____D C:\Program Files\DivX
2013-08-12 11:53 - 2013-08-12 11:53 - 00000000 _____ C:\END
2013-08-12 10:38 - 2013-08-12 10:38 - 00000000 ____D C:\WINDOWS\system32\Adobe
2013-08-12 10:28 - 2013-08-12 10:29 - 00002135 _____ C:\WINDOWS\LDPINST.LOG
2013-08-12 00:39 - 2013-08-12 00:39 - 01191834 _____ C:\Documents and Settings\admin\Desktop\ProcessExplorer.zip
2013-08-11 23:50 - 2013-08-12 10:29 - 00004376 _____ C:\WINDOWS\setupapi.log
2013-08-11 22:43 - 2013-05-02 08:28 - 00238872 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2013-08-11 22:38 - 2013-08-12 13:12 - 00000384 ____H C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2013-08-11 22:29 - 2013-08-12 10:36 - 00013450 _____ C:\WINDOWS\iis6.log
2013-08-11 22:29 - 2013-08-12 10:36 - 00012974 _____ C:\WINDOWS\FaxSetup.log
2013-08-11 22:29 - 2013-08-12 10:36 - 00008728 _____ C:\WINDOWS\ocgen.log
2013-08-11 22:29 - 2013-08-12 10:36 - 00007412 _____ C:\WINDOWS\tsoc.log
2013-08-11 22:29 - 2013-08-12 10:36 - 00004629 _____ C:\WINDOWS\comsetup.log
2013-08-11 22:29 - 2013-08-12 10:36 - 00003091 _____ C:\WINDOWS\ntdtcsetup.log
2013-08-11 22:29 - 2013-08-12 10:36 - 00002675 _____ C:\WINDOWS\netfxocm.log
2013-08-11 22:29 - 2013-08-12 10:36 - 00001917 _____ C:\WINDOWS\imsins.log
2013-08-11 22:29 - 2013-08-12 10:36 - 00001144 _____ C:\WINDOWS\MedCtrOC.log
2013-08-11 22:29 - 2013-08-12 10:36 - 00000767 _____ C:\WINDOWS\ocmsn.log
2013-08-11 22:29 - 2013-08-12 10:36 - 00000739 _____ C:\WINDOWS\msgsocm.log
2013-08-11 22:29 - 2013-08-12 10:36 - 00000622 _____ C:\WINDOWS\tabletoc.log
2013-08-11 22:29 - 2013-08-12 10:34 - 00003778 _____ C:\WINDOWS\msmqinst.log
2013-08-11 22:29 - 2013-08-11 22:39 - 00001919 _____ C:\WINDOWS\epplauncher.mif
2013-08-11 22:29 - 2013-08-11 22:29 - 00001374 _____ C:\WINDOWS\imsins.BAK
2013-08-11 22:29 - 2013-08-11 22:29 - 00000500 _____ C:\WINDOWS\updspapi.log
2013-08-11 22:29 - 2013-08-11 22:29 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2808679$
2013-08-11 22:29 - 2013-08-11 22:29 - 00000000 _____ C:\WINDOWS\setuperr.log
2013-08-11 22:29 - 2013-08-11 22:29 - 00000000 _____ C:\WINDOWS\setupact.log
2013-08-11 22:28 - 2013-08-11 22:29 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-08-11 22:25 - 2013-08-11 22:29 - 00009389 _____ C:\WINDOWS\KB2808679.log
2013-08-11 17:13 - 2013-08-11 17:20 - 00000000 ____D C:\Documents and Settings\admin\My Documents\LACM3
2013-08-11 16:53 - 2013-08-11 17:18 - 00000000 ____D C:\Documents and Settings\admin\My Documents\LACM2
2013-08-11 14:36 - 2013-08-11 16:27 - 00000000 ____D C:\Documents and Settings\admin\My Documents\American Girl
2013-08-05 20:33 - 2013-08-05 22:59 - 00000000 ____D C:\Documents and Settings\admin\Application Data\DivX
2013-08-05 20:25 - 2013-08-12 12:01 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\DivX
2013-08-05 20:25 - 2013-08-12 10:41 - 00000000 ____D C:\Program Files\DSP-worx
2013-08-05 20:25 - 2013-08-05 20:25 - 00000000 ____D C:\Documents and Settings\admin\Application Data\LavFilters
2013-08-05 20:25 - 2013-08-05 20:25 - 00000000 ____D C:\Documents and Settings\admin\Application Data\CDXReader
2013-08-05 20:22 - 2013-08-11 19:57 - 00000000 ____D C:\Documents and Settings\admin\Application Data\DSite
2013-08-04 13:06 - 2013-08-12 13:07 - 00000159 _____ C:\WINDOWS\wiadebug.log
2013-08-04 13:06 - 2013-08-12 13:07 - 00000049 _____ C:\WINDOWS\wiaservc.log
2013-08-04 13:06 - 2013-08-04 13:06 - 00000000 ____N C:\WINDOWS\Sti_Trace.log
2013-08-03 23:11 - 2013-08-03 23:11 - 00000000 ____D C:\Documents and Settings\admin\Application Data\Windows Desktop Search
2013-08-03 23:10 - 2013-08-03 23:10 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB940157$
2013-08-03 22:08 - 2013-08-03 23:19 - 00000000 ____D C:\Program Files\WizTree
2013-08-03 22:08 - 2013-08-03 22:08 - 00000666 _____ C:\Documents and Settings\admin\Desktop\WizTree.lnk
2013-07-31 13:08 - 2013-07-31 13:08 - 02799296 _____ (Sysinternals - www.sysinternals.com) C:\Documents and Settings\admin\Desktop\procexp.exe
2013-07-28 12:01 - 2013-07-28 12:02 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-07-21 16:58 - 2013-07-21 17:00 - 00000000 ____D C:\WINDOWS\system32\MRT

==================== One Month Modified Files and Folders =======

2013-08-13 17:07 - 2013-08-13 17:07 - 00000000 ____D C:\FRST
2013-08-13 17:04 - 2013-08-13 17:03 - 01068613 _____ (Farbar) C:\Documents and Settings\admin\Desktop\FRST.exe
2013-08-13 16:47 - 2012-04-16 16:35 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2013-08-13 16:38 - 2011-12-21 16:53 - 01949404 _____ C:\WINDOWS\WindowsUpdate.log
2013-08-13 14:46 - 2011-01-22 16:17 - 00000000 ____D C:\Documents and Settings\admin\Application Data\MailWasherPro
2013-08-13 12:41 - 2013-08-13 12:41 - 00000000 ____D C:\Documents and Settings\admin\Desktop\mbar
2013-08-13 11:22 - 2013-08-13 11:18 - 00004071 _____ C:\WINDOWS\KB2859537.log
2013-08-13 11:22 - 2013-08-13 11:18 - 00003670 _____ C:\WINDOWS\KB2850869.log
2013-08-13 11:18 - 2013-08-13 11:18 - 00000000 ____D C:\WINDOWS\LastGood
2013-08-13 10:23 - 2013-08-13 10:08 - 00000000 ____D C:\Documents and Settings\admin\Desktop\RK_Quarantine
2013-08-13 10:21 - 2013-08-13 10:21 - 00001942 _____ C:\Documents and Settings\admin\Desktop\RKreport[0]_S_08132013_102129.txt
2013-08-13 10:05 - 2011-05-11 11:30 - 00000000 ____D C:\WINDOWS\ERDNT
2013-08-13 10:04 - 2013-08-13 10:04 - 00000611 _____ C:\Documents and Settings\admin\Desktop\NTREGOPT.lnk
2013-08-13 10:04 - 2013-08-13 10:04 - 00000592 _____ C:\Documents and Settings\admin\Desktop\ERUNT.lnk
2013-08-13 10:04 - 2013-08-13 10:04 - 00000000 ____D C:\Program Files\ERUNT
2013-08-13 10:00 - 2011-12-21 23:11 - 00000000 ___RD C:\Documents and Settings\admin\My Documents\Miscellaneous
2013-08-12 23:34 - 2013-08-12 23:34 - 00000057 _____ C:\Documents and Settings\admin\Desktop\Malwarebytes Forum.URL
2013-08-12 23:33 - 2013-08-12 23:33 - 00000054 _____ C:\Documents and Settings\admin\Desktop\Malwarebytes Free anti-malware download.URL
2013-08-12 22:52 - 2013-08-12 22:52 - 00033502 _____ C:\Documents and Settings\admin\Desktop\attach.txt
2013-08-12 22:51 - 2013-08-12 22:52 - 00010311 _____ C:\Documents and Settings\admin\Desktop\dds.txt
2013-08-12 16:19 - 2011-01-25 13:42 - 00002497 _____ C:\Documents and Settings\admin\Desktop\Word-2003.lnk
2013-08-12 15:13 - 2013-08-12 15:13 - 00000254 _____ C:\Documents and Settings\admin\Desktop\Virus 8_12_13.txt
2013-08-12 14:50 - 2009-03-16 13:41 - 00000000 ___RD C:\Documents and Settings\admin
2013-08-12 13:12 - 2013-08-11 22:38 - 00000384 ____H C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2013-08-12 13:10 - 2013-08-12 13:10 - 00000103 _____ C:\WINDOWS\drwatson.log
2013-08-12 13:07 - 2013-08-04 13:06 - 00000159 _____ C:\WINDOWS\wiadebug.log
2013-08-12 13:07 - 2013-08-04 13:06 - 00000049 _____ C:\WINDOWS\wiaservc.log
2013-08-12 13:02 - 2008-04-14 05:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2013-08-12 13:01 - 2009-03-16 11:37 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-08-12 13:00 - 2013-07-09 21:29 - 04413824 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2013-08-12 13:00 - 2011-12-21 17:49 - 00032518 _____ C:\WINDOWS\SchedLgU.Txt
2013-08-12 13:00 - 2009-03-16 13:41 - 00000178 ___SH C:\Documents and Settings\admin\ntuser.ini
2013-08-12 13:00 - 2009-03-16 13:41 - 00000178 ___SH C:\Documents and Settings\admin\ntuser.ini
2013-08-12 12:41 - 2013-08-12 12:41 - 00001082 _____ C:\WINDOWS\DIFx.log
2013-08-12 12:21 - 2011-05-12 11:00 - 00002447 _____ C:\Documents and Settings\admin\Desktop\HiJackThis.lnk
2013-08-12 12:01 - 2013-08-12 12:01 - 00001469 _____ C:\Documents and Settings\admin\Desktop\DivX Movies.lnk
2013-08-12 12:01 - 2013-08-12 11:58 - 00000000 ____D C:\Program Files\Common Files\DivX Shared
2013-08-12 12:01 - 2013-08-12 11:53 - 00000000 ____D C:\Program Files\DivX
2013-08-12 12:01 - 2013-08-05 20:25 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\DivX
2013-08-12 12:00 - 2013-08-12 12:00 - 00000817 _____ C:\Documents and Settings\All Users\Desktop\DivX Plus Converter.lnk
2013-08-12 12:00 - 2013-08-12 12:00 - 00000777 _____ C:\Documents and Settings\All Users\Desktop\DivX Plus Player.lnk
2013-08-12 11:53 - 2013-08-12 11:53 - 00000000 _____ C:\END
2013-08-12 10:41 - 2013-08-05 20:25 - 00000000 ____D C:\Program Files\DSP-worx
2013-08-12 10:38 - 2013-08-12 10:38 - 00000000 ____D C:\WINDOWS\system32\Adobe
2013-08-12 10:36 - 2013-08-11 22:29 - 00013450 _____ C:\WINDOWS\iis6.log
2013-08-12 10:36 - 2013-08-11 22:29 - 00012974 _____ C:\WINDOWS\FaxSetup.log
2013-08-12 10:36 - 2013-08-11 22:29 - 00008728 _____ C:\WINDOWS\ocgen.log
2013-08-12 10:36 - 2013-08-11 22:29 - 00007412 _____ C:\WINDOWS\tsoc.log
2013-08-12 10:36 - 2013-08-11 22:29 - 00004629 _____ C:\WINDOWS\comsetup.log
2013-08-12 10:36 - 2013-08-11 22:29 - 00003091 _____ C:\WINDOWS\ntdtcsetup.log
2013-08-12 10:36 - 2013-08-11 22:29 - 00002675 _____ C:\WINDOWS\netfxocm.log
2013-08-12 10:36 - 2013-08-11 22:29 - 00001917 _____ C:\WINDOWS\imsins.log
2013-08-12 10:36 - 2013-08-11 22:29 - 00001144 _____ C:\WINDOWS\MedCtrOC.log
2013-08-12 10:36 - 2013-08-11 22:29 - 00000767 _____ C:\WINDOWS\ocmsn.log
2013-08-12 10:36 - 2013-08-11 22:29 - 00000739 _____ C:\WINDOWS\msgsocm.log
2013-08-12 10:36 - 2013-08-11 22:29 - 00000622 _____ C:\WINDOWS\tabletoc.log
2013-08-12 10:34 - 2013-08-11 22:29 - 00003778 _____ C:\WINDOWS\msmqinst.log
2013-08-12 10:29 - 2013-08-12 10:28 - 00002135 _____ C:\WINDOWS\LDPINST.LOG
2013-08-12 10:29 - 2013-08-11 23:50 - 00004376 _____ C:\WINDOWS\setupapi.log
2013-08-12 10:29 - 2011-10-26 15:23 - 00008615 _____ C:\WINDOWS\system32\lvcoinst.log
2013-08-12 10:29 - 2011-10-26 15:21 - 00000000 ____D C:\Program Files\Logitech
2013-08-12 10:29 - 2011-10-26 15:21 - 00000000 ____D C:\Program Files\Common Files\LogiShrd
2013-08-12 10:28 - 2011-10-26 15:22 - 00000000 ____D C:\Program Files\Common Files\LWS
2013-08-12 00:39 - 2013-08-12 00:39 - 01191834 _____ C:\Documents and Settings\admin\Desktop\ProcessExplorer.zip
2013-08-11 23:04 - 2010-08-31 22:13 - 00000000 ____D C:\WINDOWS\Microsoft.NET
2013-08-11 22:39 - 2013-08-11 22:29 - 00001919 _____ C:\WINDOWS\epplauncher.mif
2013-08-11 22:36 - 2009-03-16 03:08 - 00585646 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2013-08-11 22:29 - 2013-08-11 22:29 - 00001374 _____ C:\WINDOWS\imsins.BAK
2013-08-11 22:29 - 2013-08-11 22:29 - 00000500 _____ C:\WINDOWS\updspapi.log
2013-08-11 22:29 - 2013-08-11 22:29 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2808679$
2013-08-11 22:29 - 2013-08-11 22:29 - 00000000 _____ C:\WINDOWS\setuperr.log
2013-08-11 22:29 - 2013-08-11 22:29 - 00000000 _____ C:\WINDOWS\setupact.log
2013-08-11 22:29 - 2013-08-11 22:28 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-08-11 22:29 - 2013-08-11 22:25 - 00009389 _____ C:\WINDOWS\KB2808679.log
2013-08-11 20:12 - 2009-03-16 13:41 - 00000000 __SHD C:\Documents and Settings\admin\UserData
2013-08-11 20:12 - 2009-03-16 13:41 - 00000000 __SHD C:\Documents and Settings\admin\UserData
2013-08-11 19:57 - 2013-08-05 20:22 - 00000000 ____D C:\Documents and Settings\admin\Application Data\DSite
2013-08-11 17:20 - 2013-08-11 17:13 - 00000000 ____D C:\Documents and Settings\admin\My Documents\LACM3
2013-08-11 17:18 - 2013-08-11 16:53 - 00000000 ____D C:\Documents and Settings\admin\My Documents\LACM2
2013-08-11 16:36 - 2011-01-22 13:42 - 00000000 ___RD C:\Documents and Settings\admin\My Documents\Jana
2013-08-11 16:27 - 2013-08-11 14:36 - 00000000 ____D C:\Documents and Settings\admin\My Documents\American Girl
2013-08-11 15:21 - 2011-12-29 11:29 - 00000000 ___RD C:\Documents and Settings\admin\My Documents\My TiVo Recordings
2013-08-11 10:58 - 2009-03-16 02:58 - 00000000 ____D C:\WINDOWS\Help
2013-08-11 01:10 - 2011-12-21 23:09 - 00000000 ___RD C:\Documents and Settings\admin\My Documents\LACM
2013-08-10 22:53 - 2011-10-31 20:32 - 00032768 _____ C:\Documents and Settings\admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-08-10 21:40 - 2013-05-27 11:58 - 00002401 _____ C:\Documents and Settings\admin\Desktop\Pinnacle Studio 14.lnk
2013-08-10 21:37 - 2013-05-24 15:34 - 00000000 ____D C:\Documents and Settings\admin\Application Data\vlc
2013-08-10 12:52 - 2011-01-25 13:45 - 00002495 _____ C:\Documents and Settings\admin\Desktop\Excel-2003.lnk
2013-08-07 12:24 - 2009-03-16 03:07 - 00383224 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2013-08-05 22:59 - 2013-08-05 20:33 - 00000000 ____D C:\Documents and Settings\admin\Application Data\DivX
2013-08-05 22:02 - 2011-10-29 17:25 - 00108376 _____ C:\Documents and Settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-08-05 20:25 - 2013-08-05 20:25 - 00000000 ____D C:\Documents and Settings\admin\Application Data\LavFilters
2013-08-05 20:25 - 2013-08-05 20:25 - 00000000 ____D C:\Documents and Settings\admin\Application Data\CDXReader
2013-08-04 13:06 - 2013-08-04 13:06 - 00000000 ____N C:\WINDOWS\Sti_Trace.log
2013-08-04 11:42 - 2011-01-24 14:26 - 00001901 _____ C:\WINDOWS\panose.bin
2013-08-04 10:22 - 2013-05-15 09:54 - 00000000 ___RD C:\Documents and Settings\admin\My Documents\Refi
2013-08-04 10:21 - 2013-05-04 11:34 - 00000000 ___RD C:\Documents and Settings\admin\My Documents\Ryan
2013-08-04 00:27 - 2011-05-12 15:41 - 00000000 ____D C:\Program Files\Windows Desktop Search
2013-08-04 00:16 - 2011-10-30 14:40 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
2013-08-03 23:19 - 2013-08-03 22:08 - 00000000 ____D C:\Program Files\WizTree
2013-08-03 23:11 - 2013-08-03 23:11 - 00000000 ____D C:\Documents and Settings\admin\Application Data\Windows Desktop Search
2013-08-03 23:10 - 2013-08-03 23:10 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB940157$
2013-08-03 23:03 - 2011-12-01 18:52 - 00000000 ____D C:\Program Files\QuickTime
2013-08-03 22:08 - 2013-08-03 22:08 - 00000666 _____ C:\Documents and Settings\admin\Desktop\WizTree.lnk
2013-08-03 22:01 - 2009-03-16 11:08 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2013-08-03 21:58 - 2011-01-26 19:46 - 00000000 ____D C:\Program Files\Citrix
2013-08-03 21:55 - 2011-10-26 16:35 - 00000000 ____D C:\Documents and Settings\admin\Local Settings\Application Data\LogiShrd
2013-08-03 21:48 - 2012-01-20 20:54 - 00000000 ____D C:\Program Files\Common Files\Logitech
2013-07-31 13:08 - 2013-07-31 13:08 - 02799296 _____ (Sysinternals - www.sysinternals.com) C:\Documents and Settings\admin\Desktop\procexp.exe
2013-07-30 23:37 - 2011-01-22 16:53 - 00011706 _____ C:\Documents and Settings\admin\gsview32.ini
2013-07-30 23:37 - 2011-01-22 16:53 - 00011706 _____ C:\Documents and Settings\admin\gsview32.ini
2013-07-29 17:17 - 2013-01-06 14:23 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-07-28 12:02 - 2013-07-28 12:01 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-07-21 23:24 - 2010-03-16 08:07 - 00000000 ____D C:\Documents and Settings\admin\Local Settings\Application Data\Adobe
2013-07-21 20:32 - 2012-04-02 18:31 - 00692104 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2013-07-21 20:32 - 2011-12-21 18:47 - 00071048 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2013-07-21 17:00 - 2013-07-21 16:58 - 00000000 ____D C:\WINDOWS\system32\MRT
2013-07-20 20:21 - 2012-01-16 23:03 - 00000000 ___RD C:\Documents and Settings\admin\My Documents\My Scans

Files to move or delete:
====================
C:\Documents and Settings\admin\gotomypc_280.exe
C:\Documents and Settings\admin\gotomypc_372.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

Addition.txt

Link to post
Share on other sites
jphillips

jphillips

Posted
  • Author
Posted

Ran mbar.exe. There was no malware found so received no prompt to reboot. Two logs copied/pasted below. Let me know if I should reboot before next step.

 

Malwarebytes Anti-Rootkit BETA 1.06.1.1005
www.malwarebytes.org

Database version: v2013.08.14.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Admin :: 2UA6500JWV [administrator]

8/13/2013 5:32:46 PM
mbar-log-2013-08-13 (17-32-46).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 248519
Time elapsed: 17 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.1.1005

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.994000 GHz
Memory total: 2615652352, free: 1699643392

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.1.1005

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.994000 GHz
Memory total: 2615652352, free: 1713795072

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.1.1005

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.994000 GHz
Memory total: 2615652352, free: 1714741248

Downloaded database version: v2013.08.14.01
Initializing...
------------ Kernel report ------------
     08/13/2013 17:32:32
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
VolSnap.sys
atapi.sys
SI3112r.sys
\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltMgr.sys
sr.sys
MpFilter.sys
SiWinAcc.sys
KSecDD.sys
Ntfs.sys
inspect.sys
\WINDOWS\System32\DRIVERS\NDIS.SYS
\WINDOWS\System32\DRIVERS\TDI.SYS
Mup.sys
\SystemRoot\system32\DRIVERS\AmdK8.sys
\SystemRoot\system32\DRIVERS\ati2mtag.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\b57xp32.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\drivers\ALCXWDM.SYS
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\drivers\WmBEnum.sys
\SystemRoot\system32\drivers\WmXlCore.sys
\SystemRoot\system32\DRIVERS\MarvinBus.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\DRIVERS\cmdguard.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\System32\DRIVERS\cmdhlp.sys
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\usbscan.sys
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\DRIVERS\HPZius12.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\HPZid412.sys
\SystemRoot\system32\DRIVERS\HPZipr12.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_SI3112r.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ati2dvag.dll
\SystemRoot\System32\ati2cqag.dll
\SystemRoot\System32\atikvmag.dll
\SystemRoot\System32\atiok3x2.dll
\SystemRoot\System32\ati3duag.dll
\SystemRoot\System32\ativvaxx.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\system32\DRIVERS\atksgt.sys
\SystemRoot\system32\DRIVERS\lirsgt.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
\??\C:\DOCUME~1\admin\LOCALS~1\Temp\mbr.sys
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR2
Upper Device Object: 0xffffffff899fd8b8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000070\
Lower Device Object: 0xffffffff8a4e89c8
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8a8a48b8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Scsi\SI3112r1Port2Path0Target0Lun0\
Lower Device Object: 0xffffffff8a900a38
Lower Device Driver Name: \Driver\SI3112r\
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8a8a48b8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8a95c830, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8a8a48b8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8a95ff18, DeviceName: \Device\00000060\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8a900a38, DeviceName: \Device\Scsi\SI3112r1Port2Path0Target0Lun0\, DriverName: \Driver\SI3112r\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Read File: File "c:\WINDOWS\system32\drivers\acpiec.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\acpiec.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\amdk6.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\amdk6.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\amdk7.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\amdk7.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\arp1394.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\arp1394.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\ati2erec.dll" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ati2erec.dll" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\nwlnkflt.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\nwlnkflt.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\nwlnkfwd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\nwlnkfwd.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\nwlnkipx.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\nwlnkipx.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\nwlnknb.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\nwlnknb.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\nwlnkspx.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\nwlnkspx.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\nwrdr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\nwrdr.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\oprghdlr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\oprghdlr.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\p3.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\p3.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\partmgr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\partmgr.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\parvdm.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\parvdm.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\pci.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\pci.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\pciide.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\pciide.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\pciidex.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\pciidex.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\pcmcia.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\pcmcia.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\gm.dls" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\gm.dls" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\gmreadme.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\gmreadme.txt" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\hdaudbus.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\hdaudbus.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\intelppm.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\intelppm.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\ip6fw.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ip6fw.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\ipfltdrv.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ipfltdrv.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\ipinip.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ipinip.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\rio8drv.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\rio8drv.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\riodrv.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\riodrv.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\rmcast.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\rmcast.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\rootmdm.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\rootmdm.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\scsiport.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\scsiport.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\sdbus.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\sdbus.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\secdrv.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\secdrv.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\sffdisk.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\sffdisk.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\sffp_mmc.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\sffp_mmc.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\sffp_sd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\sffp_sd.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\smclib.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\smclib.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\sonydcam.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\sonydcam.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\tape.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\tape.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\tcpip6.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\tcpip6.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\tdpipe.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\tdpipe.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\tdtcp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\tdtcp.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\tosdvd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\tosdvd.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\tsbvcap.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\tsbvcap.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\tunmp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\tunmp.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\udfs.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\udfs.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\usbcamd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\usbcamd.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\MSKSSRV.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\MSKSSRV.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\MSPCLOCK.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\MSPCLOCK.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\MSPQM.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\MSPQM.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\ndis.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ndis.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\nic1394.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\nic1394.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\nikedrv.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\nikedrv.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\nmnt.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\nmnt.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\ntfs.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ntfs.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\atmarpc.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\atmarpc.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\classpnp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\classpnp.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\ftdisk.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ftdisk.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\mqac.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\mqac.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\rawwan.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\rawwan.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\sr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\sr.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\usbcamd2.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\usbcamd2.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\cpqdap01.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\cpqdap01.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\crusoe.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\crusoe.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\disk.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\disk.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\diskdump.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\diskdump.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\dmboot.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\dmboot.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\dmio.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\dmio.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\dmload.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\dmload.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\fltMgr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\fltMgr.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\fsvga.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\fsvga.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\usbintel.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\usbintel.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\vdmindvd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\vdmindvd.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\volsnap.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\volsnap.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\wpdusb.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\wpdusb.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\ws2ifsl.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ws2ifsl.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\WudfPf.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\WudfPf.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\WudfRd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\WudfRd.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\atmepvc.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\atmepvc.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\atmlane.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\atmlane.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\atmuni.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\atmuni.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\b57cdx.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\b57cdx.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\baspxp32.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\baspxp32.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\bridge.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\bridge.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\bthport.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\bthport.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\cbidf2k.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\cbidf2k.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\cinemst2.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\cinemst2.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\irenum.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\irenum.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\isapnp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\isapnp.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\ksecdd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ksecdd.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\mcd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\mcd.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\mf.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\mf.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\modem.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\modem.sys" is compressed (flags = 1)
Read File: File "c:\WINDOWS\system32\drivers\mountmgr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\mountmgr.sys" is compressed (flags = 1)
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: D42AD42A

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 156296322
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 80026361856 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-156281488-156301488)...
Done!
Physical Sector Size: 0
Drive: 1, DevicePointer: 0xffffffff899fd8b8, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff899fb658, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff899fd8b8, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8a4e89c8, DeviceName: \Device\00000070\, DriverName: \Driver\USBSTOR\
------------ End ----------
Read File: File "c:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat" is compressed (flags = 1)
Read File: File "c:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat" is compressed (flags = 1)
Scan finished
=======================================


Removal queue found; removal started
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\bootstrap_0_0_63_i.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
Removal finished
 

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Please go ahead and reboot, then run the following.

 

 

Please download the following scanner from Kaspersky and save it to your computer: TDSSkiller

Then watch the following video on how to use the tool and make sure to temporarily disable your security applications before running TDSSkiller.



If any infection is found please make sure to choose SKIP and post back the log in case of a False Positive detection.

Once the tool has completed scanning make sure to re-enable your other security applications.
 
Link to post
Share on other sites
jphillips

jphillips

Posted
  • Author
Posted

Watched the TDSSkiller video. There is a part on the video where one is directed to ask the forum helper which Additional Options Settings should be checked. There are two options: Verify the digital signatures and Detect TDFLS file system. On the video, the person checks both options. Shall I do the same?

Link to post
Share on other sites
jphillips

jphillips

Posted
  • Author
Posted

Ran TDSSKiller. Two logs attached.

 

Did want to mention the following (although 2 and 3 are may not be relevant to existing malware issue).

 

1) Upon reboot, I still get the pop-up notice "Windows Explorer has encountered a problem and needs to close. We are sorry for the inconvenience." Further information about the error is also still the same:

 

Error Signature

AppName: explorer.exe

AppVer: 6.0.29900.5512

ModName: ntdl.dll

ModVer: 5.1.2600.6055

Offset: 0003729b

 

This pop-up notice is the reason why I ran an online ESET scan in the first place and found the two threats which are the topic of my post.

 

2) A new occurrence since I ran TDDSkiller is that the destop takes almost two minutes to load all the icons (screen stays solid blue all that time). I've actually had this happen before and know that there's a solution to fix it although I can't remember what that solution is at the moment.

 

3) Another new occurrence is multiple pop-up notices that came up in a DOS screen. The notice is relative to the HP Digital Imaging Monitor Product Assistant. I've had this happen before and know that there's a solution to fix it although I can't remember what that solution is at the moment.

 

 

TDSSKiller.2.8.18.0_13.08.2013_22.47.59_log.txt

TDSSKiller.2.8.18.0_13.08.2013_22.52.12_log.txt

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

The items found by TDSSKiller are okay.

 

 

Okay we'll try Combofix and when its done we'll run another antivirus scanner to check for any actual viruses.  Most infections are not virus now days and are often mislabeled
 
 
Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.
Link to post
Share on other sites
jphillips

jphillips

Posted
  • Author
Posted

Ran Combofix. Log attached.

 

I currently have a WinPatrol pop-up notice: Scotty has detected a change in the following monitored file:

 

Filename: HOSTS

Location: c\windows\system32\drivers\etc\hosts.

 

Shall I click Accept Change or Reject Change?

 

 

While Combofix was running, the same pop-up window (Windows Explorer has encountered a problem and needs to close) came up again.

ComboFix.txt

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Okay overall that looks good.  Let's have you run the following antivirus and post back the results.

 

dr_web_cureit_zpse80d87bf.jpg

  1. Please download Dr.Web CureIt! antivirus and save it to your computer. The file size is in excess of 100MB
  2. NOTE: Free usage of Dr.Web CureIt! for business purposes is illegal.
  3. Internet Explorer may show a warning when downloading - the file is safe to download from the provided link.
  4. Shutdown your antivirus to avoid any conflicts while scanning.
  5. Once the scans have completed please re-enable your antivirus.
  6. If using Malwarebytes Anti-Malware PRO you can right click over the tray icon and disable the Protection Modules
  7. If needed you can also temporarily disable it from starting with Windows
  8. Temporarily turn off any other security add-ons or applications you may also have.
  9. Once you have downloaded Dr.Web CureIt! you should right click over it and choose Properties and verify it has a Digital Signature.
  10. If it does not have a Digital Signature then do not run it.
  11. Close all open programs including all Web browsers and then double-click on drweb-cureit.exe to start the installer.
  12. You should have your User Account Control (UAC) enabled for improved security and which should then produce a dialog box asking for approval to run the installer.
  13. Click on the Yes button to start the installer.
  14. Click OK to scan your computer in the Enhanced Protection Mode
  15. Click on the check box to agree to participate in their software improvement program.
  16. Then if needed choose your Language by clicking on the small globe like icon in the upper right corner by the wrench.
  17. Then click on the Continue button and then click on the Select objects for scanning link just below the "Start scanning" button.
  18. Place a check mark on all the items except for Temporary files and System restore points - those items should not have a check mark on them.
  19. Then click on the Start scanning button.
  20. If a threat is found you can click on the Action column in the program.
  21. Your options will be Cure or Ignore
  22. If you see an item that you are absolutely sure is OK, then un-check the check box for that item, otherwise keep it on Cure.
  23. Then click on the Neutralize button.
  24. Once completed click on the green Open Report link. It will open the report in NOTEPAD
  25. Save the report to your desktop. The report will be called Cureit.log
  26. Close Dr.Web Cureit!
  27. Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  28. After reboot, attach the log Cureit.log you saved previously in your next reply.
  29. Re-Enable your antivirus and other security programs when all done.


 

Link to post
Share on other sites
jphillips

jphillips

Posted
  • Author
Posted

Ran Dr.Web Cureit. There were 4 threats found (one of them was JRT.exe which I downloaded from this forum). I kept all of them on Cure and clicked on Neutralize. After Curing Completed, I waited for the green Open Report link to come up but nothing happened. The program did NOT provide an Open Report link to click on or load a report into Notepad. Searched for a Cureit.log file but found nothing. I closed Dr. Web Cureit and rebooted.

 

Same pop-up window (Windows Explorer has encountered a problem and needs to close).

Same WinPatrol pop-up notice came up: Scotty has detected a change in the following monitored file:

Filename: HOSTS

Location: c\windows\system32\drivers\etc\hosts.

You never directed me whether I should Accept Change or Reject Change

 

I did a Print Screen before closing Dr. Web CureIt (file is attached).

 

 

DrWeb CureIt-Print Screen.doc

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

The second hosts file is the correct one but either one will work just fine.

The Cureit log file is okay no big deal there either way as those are not your issue.

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /R | SHUTDOWN /R /T 30

 

# Copyright (c) 1993-1999 Microsoft Corp.## This is a sample HOSTS file used by Microsoft TCP/IP for Windows.## This file contains the mappings of IP addresses to host names. Each# entry should be kept on an individual line. The IP address should# be placed in the first column followed by the corresponding host name.# The IP address and the host name should be separated by at least one# space.## Additionally, comments (such as these) may be inserted on individual# lines or following the machine name denoted by a '#' symbol.## For example:##      102.54.94.97     rhino.acme.com          # source server#       38.25.63.10     x.acme.com              # x client host127.0.0.1       localhost
Link to post
Share on other sites
jphillips

jphillips

Posted
  • Author
Posted

Accepted the change of the second HOSTS file in Win Patrol and it didn't come up again. After I ran chkdsk, a new WinPatrol Change Alert came up: Scotty has detected a change to one of your file type associations .URL

 

The program currently associated with this file type is:

Run a DLL as an App

Microsoft Corporation

C:WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ieframe.dll,OpenURL %|

 

A change was made to use the following program for this file type.

Run a DLL as an App

Microsoft Corporation

rundll32.exe ieframe.dll,OpenURL %|

 

Shall I say Yes or No to the change?

 

After chkdsk and reboot, the same pop-up window (Windows Explorer has encountered a problem and needs to close) came up. Attached is the chkdsk report.

Chkdsk 8_15_13.txt

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Go ahead and let Scotty make the change.

 

The real results of the disk check should be in your Event Logs under Winlogon

 

Click on START - RUN and type in EVENTVWR and click OK

 

Then highlight the Application section and on the right side look for a Winlogon entry and then double click on that and it will have the results for you.

You can click on the double book like symbol button to copy that entry and post back here.

 

Have  you been to the Windows Update site and check for Windows updates ?

Link to post
Share on other sites
jphillips

jphillips

Posted
  • Author
Posted

Correct results of disk check copied/pasted below:

 

Event Type:    Information
Event Source:    Winlogon
Event Category:    None
Event ID:    1001
Date:        8/15/2013
Time:        11:22:13 PM
User:        N/A
Computer:    2UA6500JWV
Description:
Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.                         
Cleaning up minor inconsistencies on the drive.
Cleaning up 2228 unused index entries from index $SII of file 0x9.
Cleaning up 2228 unused index entries from index $SDH of file 0x9.
Cleaning up 2228 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.

  78148160 KB total disk space.
  63248684 KB in 110008 files.
     40920 KB in 9303 indexes.
         0 KB in bad sectors.
    233356 KB in use by the system.
     65536 KB occupied by the log file.
  14625200 KB available on disk.

      4096 bytes in each allocation unit.
  19537040 total allocation units on disk.
   3656300 allocation units available on disk.

Internal Info:
70 ea 01 00 1b d2 01 00 bb b6 02 00 00 00 00 00  p...............
b0 04 00 00 03 00 00 00 74 0e 00 00 00 00 00 00  ........t.......
f2 40 82 09 00 00 00 00 82 fc 58 5a 00 00 00 00  .@........XZ....
5a e6 d9 17 00 00 00 00 c8 a9 b4 4a 07 00 00 00  Z..........J....
fa 71 7f fa 00 00 00 00 16 89 b1 c9 08 00 00 00  .q..............
99 9e 36 00 00 00 00 00 b8 3b 07 00 b8 ad 01 00  ..6......;......
00 00 00 00 00 b0 64 14 0f 00 00 00 57 24 00 00  ......d.....W$..

Windows has finished checking your disk.
Please wait while your computer restarts.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

I checked for Windows updates and installed 4 nonessential software updates. I ran an ESET online scan. Results are copied/pasted below:

 

C:\System Volume Information\_restore{1870424D-31E5-4D18-B48C-C1B486FA8331}\RP911\A0085459.exe    Win32/InstallCore.BN application
C:\System Volume Information\_restore{1870424D-31E5-4D18-B48C-C1B486FA8331}\RP911\A0085461.exe    Win32/DownWare.E application

Aren't we just back to square one? These are the same 2 threats that I started the topic with. Are they still infecting my PC and if so, why haven't all the programs we've been running been able to get rid of them?
 

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

No those items are in the System Restore area of the system and normally are not a threat in most cases.  They're often left there so that if needed one can do a system restore as a bootable computer that is infected is better than a computer that cannot boot.

 

Please run RKill and then run JRT and AdwCleaner right after you run RKill

 

 

RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes
so that your normal security software can then run and clean your computer of infections.
When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies
that stop us from using certain tools. When finished it will display a log file that shows the processes that were
terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot
your computer as any malware processes that are configured to start automatically will just be started again.
Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.


Link 2

  • On Windows XP double-click on the Rkill desktop icon to run the tool.
  • On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.

 
 
 
Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus


 

 

 

Please download AdwCleaner by Xplode to your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • If prompted by the User Account Control click Yes to allow it to run.
  • Under Actions click on the Delete button.
  • Click OK on all prompts.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the entire contents of that logfile to your next reply.
  • You can find the logfile at C:\AdwCleaner[s1].txt where the number in brackets indicates how often it was run.


 

 

Then run MBAM and check for updates and run a Quick Scan and post back that log as well.

 

Link to post
Share on other sites
jphillips

jphillips

Posted
  • Author
Posted

I started my PC in Safe Mode with Networking today so when I ran Rkill, there was a prompt “Windows running in safe mode. If you want to proceed to work in Safe Mode, click yes. If you prefer to use SYSTEM RESTORE to restore your computer to previous state, click No.” I chose Yes and the program ran successfully. Then I ran JRT, which did not take long at all although your direction indicated it could take a while. Then I ran AdwCleaner. I inadvertently clicked Search first but then clicked Delete. Then I tried to run MBAM but program just wouldn’t load after numerous attempts. I removed it, downloaded a new version, updated it, and ran a Quick Scan. Attached are the text files for Rkill, JRT, and MBAM.

 

After the reboot (Normal Mode) the popup window “Windows Explorer has encountered a problem and needs to close” came up again.

Rkill.txt

JRT.txt

mbam-log-2013-08-17 (12-07-52).txt

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.