TG for Anti-Malware. Now to Clean What it's Protecting


My problems started nine days ago. When I ran a search for something, I got redirected to bizarre sites. What annoys the hell out of me is that I have Symantec Endpoint Protection 2009 (SEV), update it automatically, and run a full scan every night. It should have protected me in the first place, but like a worthless sot, or even better, like the good soldier Schweik, the useless resource hog just sits there soaking up space and cycles while the nasties run havoc all around it.

Anyway, I googled my problem and found your site. I looked around and figured that I ought to be able to follow the leader and try and clean my own house, as it were... I downloaded Hijack This, DDS, GMER, and (ouch) Combofix (ran it but didn't know what to do with it so I tossed it, since, after I turned SEV back on, it chewed it up and spit it out like a rotten piece of meat.) I have none of the logs from any of those. I seem to recall Hijack finding something that I deleted. But that was it. There was also mention of Secunia to flag any out-of-date apps or drivers sitting on the computer. Secunia identified four apps that were out-of-date. Two were missing updates and two were EOL. I deleted an old MS utility that is no longer used and upgraded Java, blowing away a version from years ago (my computer has ridden the rails with me for going on a dog's life: seven+ years). When Secunia pointed to Apache and PHP (?), I knew I was in for a ride. I called my son, who told me there's no way his father would ever need Apache! Looking deeper, I saw that it was embedded in an interesting open source app, usually hosted but also with a local option. Since I haven't touched that app in months, I blew it away along with the EOL and out-of-date problems.

Still, my computer, already sluggish, was getting ever slower. So a couple of days later, I went back to your site, noticed I had seemingly missed some freeware, and downloaded the Malware application. It found the following:

Files Infected:

c:\WINDOWS\system32\020000009db5cfb41406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\020000009db5cfb41406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\020000009db5cfb41406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\020000009db5cfb41406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

I ran the app again the next two days and everything was clean. Meanwhile, I was running three or four different registry scrubbers, expecting that between keeping the registry clean and keeping SEV going at full throttle, I was in pretty good shape. Plus, I'd picked up Norton PC Checkup, just to make sure everything was squeaky. But a couple of days later, the SEP morning report showed this:

trkwks32.exe, Trojan.Tracur!gen1, Cleaned by deletion, File, c:\WINDOWS\system32\, The file was deleted successfully., 8/28/2011 3:46:33 AM

Pardon me, but isn't the reason I have SEV sitting on my box? To make sure things get caught trying to enter, not after they'd breached the walls and started setting the fortress afire? At any rate, that led me to purchase a full license from Malware. I set it up to run a flash scan every time it downloaded a new definitions file. It came across some registry action on a flash scan:

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

But what was far more disturbing was the following report from Anti-Malware's Protection Log two days ago:

08:09:23 rhoneyman IP-BLOCK 89.28.124.166 (Type: outgoing)

08:58:33 rhoneyman IP-BLOCK 89.28.124.166 (Type: outgoing)

08:58:40 rhoneyman IP-BLOCK 89.28.124.166 (Type: outgoing)

10:17:26 rhoneyman IP-BLOCK 89.28.124.166 (Type: outgoing)

10:17:28 rhoneyman IP-BLOCK 89.28.124.166 (Type: outgoing)

10:17:32 rhoneyman IP-BLOCK 89.28.124.166 (Type: outgoing)

Nothing over night but again in the morning:

08:58:39 rhoneyman IP-BLOCK 83.128.64.247 (Type: outgoing)

08:58:41 rhoneyman IP-BLOCK 83.128.64.247 (Type: outgoing)

08:58:45 rhoneyman IP-BLOCK 83.128.64.247 (Type: outgoing)

12:27:50 rhoneyman IP-BLOCK 62.45.204.140 (Type: outgoing)

12:27:52 rhoneyman IP-BLOCK 62.45.204.140 (Type: outgoing)

12:55:34 rhoneyman IP-BLOCK 89.28.124.166 (Type: outgoing)

12:55:37 rhoneyman IP-BLOCK 89.28.124.166 (Type: outgoing)

12:55:41 rhoneyman IP-BLOCK 89.28.124.166 (Type: outgoing)

12:59:59 rhoneyman IP-BLOCK 62.45.204.140 (Type: outgoing)

13:00:03 rhoneyman IP-BLOCK 62.45.204.140 (Type: outgoing)

You'll notice that now I've got mind-numbing outbound transmissions going to three different IP addresses. Today, fortunately, there was only a single attempt this morning, although to a fourth address.

08:52:36 rhoneyman IP-BLOCK 62.45.246.216 (Type: outgoing)

At the time that I downloaded... I can't recall why, but yesterday I became concerned about mshta.exe. Google led me to another thread on your site. The person assisting had two more apps to throw into the mix: ATF Cleaner and Super Antispyware. In for a nickel, in for a buck. I downloaded them and followed instructions copiously (even an old dog can, you know, learn to adapt). Nothing surprising about either one, except for finding 52 adware objects that no one else had uncovered.

Meanwhile, I googled mshta again and found a reference to a Symantec reg fix. I checked the five or six registry entries, e.g., HKEY_CLASSES_ROOT\htafile\shell\open\command where the default should equal "%1" %*. Instead, the default pointed to System 32\mshta.exe. One other entry was similar, pointing to hpertrm.exe or .dll. I fixed both and then moved all versions of the exes and dlls for those two extensions to trash. They remain sitting there, waiting for some sort of inspiration on how to tell clean files from dirty ones. As well, Symantec has a simple script to also correct the registry for any problems with .bat, .com, .exe, .pif, .reg, and .scr extensions.

Back to your site. Reading on, there was a comment to look at scheduled tasks. When I did and found 10 entries for Real (I think I'm dropping them), I was annoyed. But there was one entry that looked really suspicious.

User_Feed_Synchronization-{47D06254-0040-476E-9B31-03180AC5A720}

I think that the outbound transmissions ended after clearing out scheduled tasks. I couldn't tell what it was linked to. In the registry, searching the final handful of digits only yields two entries, both different flavors of Microsoft\Feeds SyncTask. I don't know how to relate the naming conventions to a commonly identifiable process and application so I have to drop this o

Last night, I started an online ESET scan, another suggestion from this particular thread. When, after seven hours, ESET was only 50% finished, I terminated the scan. Besides, it tried to take out some Uniblue files. I discovered that ESET wants to run without any other protection on the machine. But I wasn't about to turn Anti-Malware off, not with all the stuff listed above going on.

While that was going on, I somehow got pointed at boot.ini. The file had been hacked. I'm sure to what end, but it was clearly out of spec:

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

I edited out the two strange lines to leave boot.ini back in spec.

Finally, a few weeks ago, TuneUp Utilities informed me that C:\ was set up for networking. I shut that down on the spot. But, two days ago, I got the message again. I again turned off any sharing with the outside world. Today, I checked out security and found two numeric users with full rights.

I logged in as administrator and created a password.

That's when I decided to ask for help.

At this point, the only thing that I know is weird is when I'm on your site and I hit the backspace key, nothing happens. When I hit the dropdown to go back or forward, it lists not bleepingcomputer but https://googleleads.g.doubleclick.net/pag. I'm out of things to do, and way way past my expertise. And that's not even counting that Iomega's QuikProtect blue screens while being configured. Or that it sometimes won't even load. I figure it's all related, although as soon as we're ok with this issue, I will be testing RAM and HDD.

Here follow the requisite submissions.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by rhoneyman at 18:54:31 on 2011-08-31

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.584 [GMT -4:00]

.

AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\WINDOWS\System32\svchost.exe -k Akamai

svchost.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\DataCore Software\SANmelody\DcsSds.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\Explorer.EXE

C:\Program Files\Norton PC Checkup\Engine\2.0.8.13\SymcPCCULaunchSvc.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Norton PC Checkup\Engine\2.0.8.13\ccSvcHst.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Norton PC Checkup\Engine\2.0.8.13\ccSvcHst.exe

C:\Program Files\Secunia\PSI\PSIA.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Toshiba\Tvs\TvsTray.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\WINDOWS\system32\TPSMain.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\DellTPad\Apoint.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\AirPort\APAgent.exe

C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\Program Files\DataCore Software\SANmelody\DcsShMon.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe

C:\Program Files\Secunia\PSI\sua.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://my.yahoo.com/

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: NetAssistantBHO Class: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\freeze.com\netassistant\NetAssistant.dll

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: SecureBrowsing bho: {7632abca-b104-4fbc-9c70-419c4147061b} - c:\program files\m86security secure browsing\SecureBrowsing.dll

BHO: Advertising Cookie Opt-out: {8e425eb4-adbd-4816-b1e8-49bb9decf034} - c:\program files\google\advertising cookie opt-out\opt_out.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: NetAssistantBHO Class: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\freeze.com\netassistant\NetAssistant.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: M86 Security Secure Browsing: {b99f805c-f0b1-48ea-8c8b-753bfcbed913} - c:\program files\m86security secure browsing\SecureBrowsing.dll

EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe

uRun: [installIQUpdater] "c:\program files\w3i\installiqupdater\InstallIQUpdater.exe" /silent /autorun

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe

mRun: [TPSMain] TPSMain.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x089d -f video -m logitech -d 12.0.1278.0

StartupFolder: c:\docume~1\rhoney~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\rhoneyman\application data\dropbox\bin\Dropbox.exe

StartupFolder: c:\documents and settings\rhoneyman\start menu\programs\startup\OneNote Table Of Contents.onetoc2

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sanmel~1.lnk - c:\program files\datacore software\sanmelody\DcsShMon.exe

uPolicies-explorer: MaxRecentDocs = 41 (0x29)

uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)

uPolicies-system: disableregistrytools = 0

mPolicies-system: HideShutdownScripts = 0 (0x0)

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

Trusted Zone: advpa.com\www

Trusted Zone: apple.com\www

Trusted Zone: barclaycardus.com\www

Trusted Zone: chase.com\cards

Trusted Zone: google.com\www

Trusted Zone: target.com\rcam

Trusted Zone: target.com\www

Trusted Zone: usatoday.com\puzzles

Trusted Zone: verizonwireless.com\www

Trusted Zone: wachovia.com\www

DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/sdccommon/download/tgctlsr.cab

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab

DPF: {03A89EFD-E023-A200-A22D-45F77558EB4C} - hxxps://content10.ilinc.com/download/AXCltInstall.dll

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://netsuitemeeting.webex.com/client/T26LSP49EP12/webex/ieatgpc.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F5131C24-E56D-11CF-B78A-444553540000} - hxxps://wc.wachovia.com/common/cab/ikcntrls.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{45193AB9-07F5-46FC-BA7E-E6D0C8AE3B2B} : DhcpNameServer = 192.168.1.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 DcsCf;DataCore Disk Cache;c:\windows\system32\drivers\DcsCf.sys [2009-5-5 94288]

R0 DcsFcEng;DataCore Fibre Channel Engine Driver;c:\windows\system32\drivers\DcsFcEng.sys [2009-5-5 288464]

R0 DcsPerf;DataCore Disk Performance Driver;c:\windows\system32\drivers\DcsPerf.sys [2009-5-5 15824]

R0 DcsPMF;DataCore Partition Management;c:\windows\system32\drivers\DcsPMF.sys [2009-5-5 65872]

R0 DcsPoll;DataCore Poller Driver;c:\windows\system32\drivers\DcsPoll.sys [2009-5-5 18512]

R0 DcsShim;DataCore Scsi Shim Driver;c:\windows\system32\drivers\DcsShim.sys [2009-5-5 67408]

R0 DcsSp;DataCore SCSI Driver;c:\windows\system32\drivers\DcsSp.sys [2009-5-5 154320]

R0 DcsSup;DataCore Support Driver;c:\windows\system32\drivers\DcsSup.sys [2009-5-5 49104]

R0 DcsTracer;DataCore Tracer Driver;c:\windows\system32\drivers\DcsTracer.sys [2009-5-5 64464]

R1 DcsCap;DataCore Capability;c:\windows\system32\drivers\DcsCap.sys [2009-5-5 238672]

R1 DcsHa;DataCore High Availability;c:\windows\system32\drivers\DcsHa.sys [2009-5-5 84176]

R1 DcsSdc;DataCore Domain;c:\windows\system32\drivers\DcsSdc.sys [2009-5-5 43600]

R1 DcsState;DataCore System State;c:\windows\system32\drivers\DcsState.sys [2009-5-5 27856]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]

R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-14 14336]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-11-11 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-11-11 108392]

R2 DcsSDS;DataCore Storage Domain Server;c:\program files\datacore software\sanmelody\DcsSds.exe [2009-5-5 521632]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-23 366640]

R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\norton pc checkup\engine\2.0.8.13\SymcPCCULaunchSvc.exe [2011-8-26 120248]

R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\norton pc checkup\engine\2.0.8.13\ccSvcHst.exe [2011-8-26 126392]

R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-19 993848]

R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-19 399416]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-11-11 2477304]

R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2011\TuneUpUtilitiesService32.exe [2011-8-15 1526080]

R3 DcsiMgr;DataCore iScsi Manager Driver;c:\windows\system32\drivers\DcsiMgr.sys [2009-5-5 207184]

R3 DcsIs;DataCore Software iScsi Driver;c:\windows\system32\drivers\DcsIs.sys [2009-5-5 167504]

R3 DcsNULL;DataCore Null FCP Port Driver;c:\windows\system32\drivers\DcsNull.sys [2009-5-5 20560]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-23 22712]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110830.025\NAVENG.SYS [2011-8-31 86136]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110830.025\NAVEX15.SYS [2011-8-31 1576312]

R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]

R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2011\TuneUpUtilitiesDriver32.sys [2011-2-10 10064]

S1 DcsCache;DataCore Cache;c:\windows\system32\drivers\DcsCache.sys [2009-5-5 60496]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 DcsStart;DataCore Start Service;c:\program files\datacore software\sanmelody\DcsStart.exe [2009-5-5 152992]

S2 gupdate1c9da0d7e6556ba;Google Update Service (gupdate1c9da0d7e6556ba);c:\program files\google\update\GoogleUpdate.exe [2009-5-21 133104]

S2 ose32;Office Source Engine ; [x]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-11-11 23888]

S3 DcsRcmd;DataCore Remote Command Service;c:\program files\datacore software\sanmelody\DcsRcmd.exe [2009-5-5 140712]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-5-21 133104]

S3 QPCopyEngine;QPCopyEngine;c:\program files\iomega\quikprotect\QpMonitor.exe [2010-6-24 247088]

S3 QsFsFltr;QsFsFltr;c:\windows\system32\drivers\QsFsFltr.sys [2011-8-25 19384]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 DcsTmSvc;DataCore UpTempo;c:\program files\datacore software\uptempo\DcsTmSvc.exe [2009-5-5 75168]

.

=============== File Associations ===============

.

scrfile="%1" %*

.

=============== Created Last 30 ================

.

2011-08-31 15:04:11 -------- d-----w- C:\Old System ini_broken maybe

2011-08-31 08:58:28 -------- d-----w- c:\program files\ESET

2011-08-31 02:02:12 -------- d-----w- c:\documents and settings\rhoneyman\application data\SUPERAntiSpyware.com

2011-08-31 02:00:56 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-08-31 02:00:56 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2011-08-30 14:31:51 -------- d-----w- c:\program files\Windows Resource Kits

2011-08-28 16:22:55 -------- d-----w- c:\documents and settings\rhoneyman\.gimp-2.6

2011-08-28 16:22:23 -------- d-----w- c:\documents and settings\rhoneyman\.gegl-0.0

2011-08-28 10:12:36 -------- d-----w- c:\documents and settings\rhoneyman\application data\Finjan

2011-08-28 10:12:35 -------- d-----w- c:\program files\M86Security Secure Browsing

2011-08-26 13:47:49 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Tific

2011-08-26 13:47:49 -------- d-----w- c:\documents and settings\rhoneyman\application data\Tific

2011-08-26 13:46:43 -------- d-----w- c:\windows\system32\drivers\nortonpccheckup\0200080.00D

2011-08-26 13:46:43 -------- d-----w- c:\windows\system32\drivers\NortonPCCheckup

2011-08-26 13:46:40 -------- d-----w- c:\program files\Norton PC Checkup

2011-08-26 13:46:39 -------- d-----w- c:\documents and settings\all users\application data\Norton

2011-08-26 13:46:21 -------- d-----w- c:\program files\NortonInstaller

2011-08-26 13:46:21 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller

2011-08-25 17:53:02 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Microsoft Help

2011-08-25 05:12:25 19384 ----a-r- c:\windows\system32\drivers\QsFsFltr.sys

2011-08-25 05:12:03 -------- d-----w- c:\program files\Iomega

2011-08-24 16:19:44 -------- d-----w- c:\documents and settings\rhoneyman\application data\DriverCure

2011-08-24 16:19:12 -------- d-----w- c:\documents and settings\all users\application data\ParetoLogic

2011-08-24 14:43:45 29504 ----a-w- c:\windows\system32\uxtuneup.dll

2011-08-24 03:07:26 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-08-24 02:29:53 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll

2011-08-24 02:29:53 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll

2011-08-24 02:29:53 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2011-08-24 02:29:53 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2011-08-24 02:29:53 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2011-08-24 02:29:53 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2011-08-24 02:29:53 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

2011-08-24 02:18:19 -------- d-----w- c:\program files\AirPort

2011-08-24 01:56:33 -------- d--h--w- c:\program files\Zero G Registry

2011-08-23 18:53:08 -------- d-----w- c:\documents and settings\rhoneyman\application data\Malwarebytes

2011-08-23 18:52:41 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-23 18:52:39 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-08-23 18:52:36 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-23 18:52:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-23 18:27:32 -------- d-----w- c:\documents and settings\all users\application data\PC Tools

2011-08-23 18:15:29 -------- d-----w- c:\program files\common files\xing shared

2011-08-23 17:09:47 -------- d-----w- c:\windows\Hewlett-Packard

2011-08-23 14:56:52 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Secunia PSI

2011-08-23 14:56:25 -------- d-----w- c:\program files\Secunia

2011-08-22 03:25:58 -------- d-sha-r- C:\cmdcons

2011-08-22 01:40:12 388096 ----a-r- c:\documents and settings\rhoneyman\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-08-22 01:40:11 -------- d-----w- c:\program files\Trend Micro

2011-08-12 11:25:16 -------- d-----w- c:\documents and settings\rhoneyman\application data\foobar2000

2011-08-12 04:15:13 -------- d-----w- c:\documents and settings\rhoneyman\application data\EAC

2011-08-12 04:15:00 -------- d-----w- c:\documents and settings\rhoneyman\application data\AccurateRip

2011-08-11 15:35:32 -------- d-----w- c:\program files\Process Monito

2011-08-11 15:04:33 632656 ----a-w- c:\windows\system32\msvcr80.dll

2011-08-11 05:08:41 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Spotify

2011-08-11 05:08:41 -------- d-----w- c:\documents and settings\rhoneyman\application data\Spotify

2011-08-11 03:56:50 -------- d-----w- c:\documents and settings\rhoneyman\application data\ElevatedDiagnostics

2011-08-11 01:05:11 -------- d-----w- c:\documents and settings\rhoneyman\application data\Windows Search

2011-08-10 23:49:08 -------- d-sh--w- c:\documents and settings\rhoneyman\PrivacIE

2011-08-10 23:49:07 -------- d-sh--w- c:\documents and settings\rhoneyman\IECompatCache

2011-08-10 20:28:04 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Conference Manager

2011-08-10 17:58:26 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\OneNote

2011-08-10 17:47:27 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\LogiShrd

2011-08-10 17:47:16 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Kaluach 3

2011-08-10 17:47:02 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\iLinc

2011-08-10 17:46:42 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Identities

2011-08-10 17:42:01 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Google

2011-08-10 17:41:52 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Downloaded Installations

2011-08-10 17:41:44 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Deployment

2011-08-10 17:41:23 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Apple Computer

2011-08-10 17:41:19 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Apple

2011-08-10 17:41:14 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\AOL OCP

2011-08-10 17:41:06 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\AOL

2011-08-10 17:40:58 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\AIM

2011-08-10 17:37:02 -------- d-----w- c:\documents and settings\rhoneyman\application data\eFax Messenger

2011-08-10 17:36:45 -------- d-----w- c:\documents and settings\rhoneyman\application data\HpUpdate

2011-08-10 17:36:40 -------- d-----w- c:\documents and settings\rhoneyman\application data\Intel

2011-08-10 17:36:06 -------- d-----w- c:\documents and settings\rhoneyman\application data\j2 Global

2011-08-10 17:34:37 -------- d-----w- c:\documents and settings\rhoneyman\application data\Office Genuine Advantage

2011-08-10 17:33:58 -------- d-----w- c:\documents and settings\rhoneyman\application data\Mael

2011-08-10 17:33:43 -------- d-----w- c:\documents and settings\rhoneyman\application data\Quicken WillMaker

2011-08-10 17:27:58 -------- d-----w- c:\documents and settings\rhoneyman\application data\Trusteer

2011-08-10 17:27:43 -------- d-----w- c:\documents and settings\rhoneyman\application data\Uniblue

2011-08-10 17:27:38 -------- d-----w- c:\documents and settings\rhoneyman\application data\webex

2011-08-10 17:27:33 -------- d-----w- c:\documents and settings\rhoneyman\application data\Windows Desktop Search

2011-08-10 17:23:06 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Adobe

2011-08-10 17:16:58 -------- d-----w- c:\documents and settings\rhoneyman\application data\Intuit

2011-08-10 17:11:37 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Symantec

2011-08-10 17:07:48 -------- d-----w- c:\documents and settings\rhoneyman\application data\TuneUp Software

2011-08-10 16:55:18 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\ApplicationHistory

2011-08-09 00:58:49 -------- d-----w- c:\program files\Free Window Registry Repair

2011-08-09 00:21:06 -------- d-----w- c:\program files\CCleaner

2011-08-08 23:56:07 -------- d-----w- c:\documents and settings\all users\application data\ErrorEND

.

==================== Find3M ====================

.

2011-08-24 19:31:37 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys

2011-08-24 19:29:59 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys

2011-08-15 17:10:19 106496 ----a-w- c:\windows\DUMPf2ad.tmp

2011-08-15 11:19:14 31552 ----a-w- c:\windows\system32\TURegOpt.exe

2011-08-11 03:57:24 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-19 09:05:24 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 20:44:14 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-05 22:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-07-05 22:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-24 13:37:40 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll

2011-06-24 13:37:39 114616 ----a-w- c:\windows\system32\Vxdif.dll

2011-06-24 13:37:38 255096 ----a-w- c:\windows\system32\drivers\Apfiltr.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-02-06 13:30:54 0 ----a-w- c:\program files\common files\admintool.exe

.

============= FINISH: 18:55:55.01 ===============

Anti-Malware:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7622

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

8/31/2011 8:15:37 PM

mbam-log-2011-08-31 (20-15-37).txt

Scan type: Quick scan

Objects scanned: 186011

Time elapsed: 25 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Attach.zip


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


Thanks, Chris. I'll do this in two posts. Please note that another unauthorized set of schedules was created the other day. I changed the run time to 1/1/2012 in case you wanted to take a look. I've added a password to the admin account, sharing on C: remains under control and there are no new accounts showing up with any rights. However, Anti-Malware continues to intercept transmissions to phantom IP addresses (or, redirected, I suppose). The latest was half an hour ago. The addresses continue to morph somehow. The last couple of days (I was off for 25 hours):

9-2-2011

01:37:03 rhoneyman IP-BLOCK 89.248.160.175 (Type: outgoing)

01:37:06 rhoneyman IP-BLOCK 89.248.160.175 (Type: outgoing)

01:37:12 rhoneyman IP-BLOCK 89.248.160.175 (Type: outgoing)

09:00:15 rhoneyman IP-BLOCK 89.28.124.166 (Type: outgoing)

09:00:17 rhoneyman IP-BLOCK 89.28.124.166 (Type: outgoing)

09:00:21 rhoneyman IP-BLOCK 89.28.124.166 (Type: outgoing)

9-4-2011

00:06:20 rhoneyman IP-BLOCK 89.28.106.6 (Type: outgoing)

00:06:28 rhoneyman IP-BLOCK 89.28.106.6 (Type: outgoing)

00:30:01 rhoneyman MESSAGE Scheduled scan executed successfully

01:01:29 rhoneyman IP-BLOCK 89.28.106.6 (Type: outgoing)

01:01:31 rhoneyman IP-BLOCK 89.28.106.6 (Type: outgoing)

01:01:35 rhoneyman IP-BLOCK 89.28.106.6 (Type: outgoing)

01:11:32 rhoneyman IP-BLOCK 77.78.221.89 (Type: outgoing)

01:11:35 rhoneyman IP-BLOCK 77.78.221.89 (Type: outgoing)

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7639

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/3/2011 9:50:20 PM

mbam-log-2011-09-03 (21-50-20).txt

Scan type: Quick scan

Objects scanned: 187490

Time elapsed: 26 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

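As an added triage example, not part of the thread or of Malwarebytes' own tooling: a small parser for the IP-BLOCK lines quoted in the post above, which collapses the rapid retries into bursts and summarizes blocked outgoing attempts per destination and per day, so the rotation of addresses the poster describes can be read off directly. The sample log is reconstructed from the lines in the post, and the 30-second burst gap is an assumption of this example.

```python
"""Summarize Malwarebytes' Anti-Malware 1.x protection-log IP-BLOCK lines.

The line format ("HH:MM:SS user IP-BLOCK a.b.c.d (Type: outgoing)" under a
"M-D-YYYY" date header) follows the entries quoted in the forum post; the
burst grouping and per-day summary are this example's own heuristics.
"""
import re
from datetime import datetime, timedelta

# Constructed sample, mirroring the entries quoted in the post.
SAMPLE_LOG = """\
9-2-2011
01:37:03 rhoneyman IP-BLOCK 89.248.160.175 (Type: outgoing)
01:37:06 rhoneyman IP-BLOCK 89.248.160.175 (Type: outgoing)
01:37:12 rhoneyman IP-BLOCK 89.248.160.175 (Type: outgoing)
09:00:15 rhoneyman IP-BLOCK 89.28.124.166 (Type: outgoing)
09:00:17 rhoneyman IP-BLOCK 89.28.124.166 (Type: outgoing)
09:00:21 rhoneyman IP-BLOCK 89.28.124.166 (Type: outgoing)
9-4-2011
00:06:20 rhoneyman IP-BLOCK 89.28.106.6 (Type: outgoing)
00:06:28 rhoneyman IP-BLOCK 89.28.106.6 (Type: outgoing)
00:30:01 rhoneyman MESSAGE Scheduled scan executed successfully
01:01:29 rhoneyman IP-BLOCK 89.28.106.6 (Type: outgoing)
01:01:31 rhoneyman IP-BLOCK 89.28.106.6 (Type: outgoing)
01:01:35 rhoneyman IP-BLOCK 89.28.106.6 (Type: outgoing)
01:11:32 rhoneyman IP-BLOCK 77.78.221.89 (Type: outgoing)
01:11:35 rhoneyman IP-BLOCK 77.78.221.89 (Type: outgoing)
"""

DATE_RE = re.compile(r"^(\d{1,2})-(\d{1,2})-(\d{4})$")
BLOCK_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}) (\S+) IP-BLOCK (\d{1,3}(?:\.\d{1,3}){3}) \(Type: (\w+)\)$"
)


def parse_ip_blocks(text):
    """Return a list of (timestamp, user, ip, direction) for each IP-BLOCK line.

    A date header (M-D-YYYY) sets the date for the lines that follow it;
    lines of other kinds (e.g. MESSAGE) and lines before any header are skipped.
    """
    current_date = None
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        m = DATE_RE.match(line)
        if m:
            month, day, year = (int(x) for x in m.groups())
            current_date = datetime(year, month, day)
            continue
        m = BLOCK_RE.match(line)
        if not m or current_date is None:
            continue
        hh, mm, ss, user, ip, direction = m.groups()
        ts = current_date + timedelta(hours=int(hh), minutes=int(mm), seconds=int(ss))
        events.append((ts, user, ip, direction))
    return events


def group_bursts(events, gap=timedelta(seconds=30)):
    """Collapse consecutive blocks of the same IP that fall within `gap` into one burst.

    The post shows 2-3 blocks a few seconds apart; treating those as one
    retrying connection attempt gives a truer count of distinct events.
    """
    bursts = []
    for ts, user, ip, direction in sorted(events):
        last = bursts[-1] if bursts else None
        if last and last["ip"] == ip and ts - last["last"] <= gap:
            last["last"] = ts
            last["attempts"] += 1
        else:
            bursts.append({"ip": ip, "first": ts, "last": ts,
                           "attempts": 1, "direction": direction})
    return bursts


def summarize(text):
    """Per-destination summary: retries, bursts, first/last seen, days seen, directions."""
    summary = {}
    for b in group_bursts(parse_ip_blocks(text)):
        s = summary.get(b["ip"])
        if s is None:
            s = summary[b["ip"]] = {"attempts": 0, "bursts": 0, "first": b["first"],
                                    "last": b["last"], "days": set(), "directions": set()}
        s["attempts"] += b["attempts"]
        s["bursts"] += 1
        s["first"] = min(s["first"], b["first"])
        s["last"] = max(s["last"], b["last"])
        s["days"].add(b["first"].date().isoformat())
        s["directions"].add(b["direction"])
    return summary


def destinations_per_day(text):
    """Map each day to the set of blocked destination IPs seen that day (shows rotation)."""
    per_day = {}
    for ts, _user, ip, _direction in parse_ip_blocks(text):
        per_day.setdefault(ts.date().isoformat(), set()).add(ip)
    return per_day


if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: kv[1]["first"]):
        print(f"{ip:16} attempts={s['attempts']} bursts={s['bursts']} "
              f"first={s['first']} last={s['last']} dirs={sorted(s['directions'])}")
    for day, ips in sorted(destinations_per_day(SAMPLE_LOG).items()):
        print(f"{day}: {len(ips)} distinct destinations: {sorted(ips)}")
```

On the sample, every block is outgoing and each day shows a fresh pair of destinations, which is the pattern the poster is describing; the same summary over a full protection log makes it easy to hand a helper the list of destinations and the times of day the attempts cluster at.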

ComboFix 11-09-03.01 - rhoneyman 09/04/2011 0:16.5.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.953 [GMT -4:00]

Running from: c:\documents and settings\rhoneyman\Desktop\ComboFix.exe

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\mmc.exe.959a7e97.ini

c:\documents and settings\rhoneyman\Local Settings\Application Data\ApplicationHistory

c:\documents and settings\rhoneyman\Local Settings\Application Data\ApplicationHistory\DcsInstallTasks.exe.18c9ec7b.ini

c:\documents and settings\rhoneyman\Local Settings\Application Data\ApplicationHistory\DcsInstallTasks.exe.322f85d.ini

c:\documents and settings\rhoneyman\Local Settings\Application Data\ApplicationHistory\DcsIscsi.exe.a39d250f.ini.inuse

c:\documents and settings\rhoneyman\Local Settings\Application Data\ApplicationHistory\mmc.exe.959a7e97.ini

c:\documents and settings\rhoneyman\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini

c:\documents and settings\rhoneyman\Local Settings\Application Data\ApplicationHistory\Regasm.exe.11f1da13.ini

c:\windows\system32\lvci11801048.dll

c:\windows\system32\lvci1201278.dll

c:\windows\system32\RC00C140.dll

c:\windows\system32\RC95E140.DLL

.

.

((((((((((((((((((((((((( Files Created from 2011-08-04 to 2011-09-04 )))))))))))))))))))))))))))))))

.

.

2011-09-01 21:03 . 2011-09-01 21:03 -------- d-----w- C:\Diskeeper

2011-08-31 16:55 . 2011-08-31 16:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\ElevatedDiagnostics

2011-08-31 15:04 . 2011-08-31 15:05 -------- d-----w- C:\Old System ini_broken maybe

2011-08-31 08:58 . 2011-08-31 08:58 -------- d-----w- c:\program files\ESET

2011-08-31 02:02 . 2011-08-31 02:02 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\SUPERAntiSpyware.com

2011-08-31 02:00 . 2011-08-31 02:02 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-08-31 02:00 . 2011-08-31 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-08-30 14:31 . 2011-08-30 14:31 -------- d-----w- c:\program files\Windows Resource Kits

2011-08-30 04:30 . 2011-08-30 04:30 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Malwarebytes

2011-08-29 04:30 . 2011-08-29 04:30 -------- d-----w- c:\documents and settings\LocalService\Application Data\Malwarebytes

2011-08-28 16:22 . 2011-09-04 03:06 -------- d-----w- c:\documents and settings\rhoneyman\.gimp-2.6

2011-08-28 16:22 . 2011-08-28 16:22 -------- d-----w- c:\documents and settings\rhoneyman\.gegl-0.0

2011-08-28 11:33 . 2011-08-28 11:33 -------- d-----w- c:\program files\Common Files\Java

2011-08-28 10:12 . 2011-08-28 10:12 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\Finjan

2011-08-28 10:12 . 2011-08-28 10:12 -------- d-----w- c:\program files\M86Security Secure Browsing

2011-08-26 13:47 . 2011-08-26 13:49 -------- d-----w- c:\documents and settings\rhoneyman\Local Settings\Application Data\Tific

2011-08-26 13:47 . 2011-08-26 13:47 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\Tific

2011-08-26 13:46 . 2011-08-26 13:46 -------- d-----w- c:\windows\system32\drivers\NortonPCCheckup

2011-08-26 13:46 . 2011-08-26 13:46 -------- d-----w- c:\program files\Norton PC Checkup

2011-08-26 13:46 . 2011-08-26 13:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2011-08-26 13:46 . 2011-08-26 13:46 -------- d-----w- c:\program files\NortonInstaller

2011-08-25 17:53 . 2011-08-25 17:53 -------- d-----w- c:\documents and settings\rhoneyman\Local Settings\Application Data\Microsoft Help

2011-08-25 05:12 . 2010-06-24 20:04 19384 ----a-r- c:\windows\system32\drivers\QsFsFltr.sys

2011-08-25 05:12 . 2011-08-25 05:12 -------- d-----w- c:\program files\Iomega

2011-08-24 18:05 . 2011-08-30 05:55 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\ImgBurn

2011-08-24 18:03 . 2011-08-24 18:03 -------- d-----w- c:\program files\ImgBurn

2011-08-24 16:19 . 2011-08-24 16:19 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\DriverCure

2011-08-24 16:19 . 2011-08-24 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic

2011-08-24 14:43 . 2011-08-15 11:13 29504 ----a-w- c:\windows\system32\uxtuneup.dll

2011-08-24 03:07 . 2011-07-19 06:40 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-08-24 02:29 . 2011-08-24 02:29 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll

2011-08-24 02:29 . 2011-08-24 02:29 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll

2011-08-24 02:29 . 2011-08-24 02:29 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll

2011-08-24 02:29 . 2011-08-24 02:29 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll

2011-08-24 02:29 . 2011-08-24 02:29 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll

2011-08-24 02:29 . 2011-08-24 02:29 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll

2011-08-24 02:29 . 2011-08-24 02:29 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll

2011-08-24 02:27 . 2011-08-24 02:29 -------- d-----w- c:\program files\QuickTime

2011-08-24 02:22 . 2011-08-24 02:22 -------- d-----w- c:\program files\Apple Software Update

2011-08-24 02:18 . 2011-08-24 02:18 -------- d-----w- c:\program files\AirPort

2011-08-24 01:56 . 2011-08-24 01:57 -------- d--h--w- c:\program files\Zero G Registry

2011-08-23 18:53 . 2011-08-23 18:53 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\Malwarebytes

2011-08-23 18:52 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-23 18:52 . 2011-08-23 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-08-23 18:52 . 2011-08-23 18:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-23 18:52 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-23 18:27 . 2011-08-23 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2011-08-23 18:15 . 2011-08-23 18:15 -------- d-----w- c:\program files\Common Files\xing shared

2011-08-23 17:09 . 2011-08-23 17:09 -------- d-----w- c:\windows\Hewlett-Packard

2011-08-23 14:56 . 2011-08-23 14:56 -------- d-----w- c:\documents and settings\rhoneyman\Local Settings\Application Data\Secunia PSI

2011-08-23 14:56 . 2011-08-23 14:56 -------- d-----w- c:\program files\Secunia

2011-08-23 05:04 . 2011-09-04 03:06 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\gtk-2.0

2011-08-22 01:40 . 2011-08-22 01:40 388096 ----a-r- c:\documents and settings\rhoneyman\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-08-22 01:40 . 2011-08-22 01:40 -------- d-----w- c:\program files\Trend Micro

2011-08-12 11:25 . 2011-08-12 17:20 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\foobar2000

2011-08-12 04:15 . 2011-08-12 04:15 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\EAC

2011-08-12 04:15 . 2011-08-12 11:19 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\AccurateRip

2011-08-11 15:35 . 2011-08-11 15:35 -------- d-----w- c:\program files\Process Monito

2011-08-11 15:04 . 2011-05-17 09:18 632656 ----a-w- c:\windows\system32\msvcr80.dll

2011-08-11 06:18 . 2011-08-11 06:18 -------- d-----w- c:\program files\Reference Assemblies

2011-08-11 05:08 . 2011-08-11 05:10 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\Spotify

2011-08-11 05:08 . 2011-08-11 05:08 -------- d-----w- c:\documents and settings\rhoneyman\Local Settings\Application Data\Spotify

2011-08-11 03:56 . 2011-08-11 03:56 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\ElevatedDiagnostics

2011-08-11 01:05 . 2011-08-11 01:05 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\Windows Search

2011-08-10 23:49 . 2011-08-10 23:49 -------- d-sh--w- c:\documents and settings\rhoneyman\PrivacIE

2011-08-10 23:49 . 2011-08-10 23:49 -------- d-sh--w- c:\documents and settings\rhoneyman\IECompatCache

2011-08-10 20:28 . 2011-08-10 20:28 -------- d-----w- c:\documents and settings\rhoneyman\Local Settings\Application Data\Conference Manager

2011-08-10 17:58 . 2011-08-10 17:58 -------- d-----w- c:\documents and settings\rhoneyman\Local Settings\Application Data\OneNote

2011-08-10 17:47 . 2011-08-10 17:47 -------- d-----w- c:\documents and settings\rhoneyman\Local Settings\Application Data\LogiShrd

2011-08-10 17:47 . 2011-08-10 18:26 -------- d-----w- c:\documents and settings\rhoneyman\Local Settings\Application Data\Kaluach 3

2011-08-10 17:47 . 2011-08-10 17:47 -------- d-----w- c:\documents and settings\rhoneyman\Local Settings\Application Data\iLinc

2011-08-10 17:46 . 2011-08-10 18:38 -------- d-----w- c:\documents and settings\rhoneyman\Local Settings\Application Data\Identities

2011-08-10 17:42 . 2011-08-15 16:55 -------- d-----w- c:\documents and settings\rhoneyman\Local Settings\Application Data\Google

2011-08-10 17:41 . 2011-08-10 17:41 -------- d-----w- c:\documents and settings\rhoneyman\Local Settings\Application Data\Downloaded Installations

2011-08-10 17:41 . 2011-08-15 16:55 -------- d-----w- c:\documents and settings\rhoneyman\Local Settings\Application Data\Deployment

2011-08-10 17:41 . 2011-08-10 17:41 -------- d-----w- c:\documents and settings\rhoneyman\Local Settings\Application Data\Apple Computer

2011-08-10 17:41 . 2011-08-24 02:15 -------- d-----w- c:\documents and settings\rhoneyman\Local Settings\Application Data\Apple

2011-08-10 17:41 . 2011-08-10 17:41 -------- d-----w- c:\documents and settings\rhoneyman\Local Settings\Application Data\AOL OCP

2011-08-10 17:41 . 2011-08-10 17:41 -------- d-----w- c:\documents and settings\rhoneyman\Local Settings\Application Data\AOL

2011-08-10 17:40 . 2011-08-10 18:12 -------- d-----w- c:\documents and settings\rhoneyman\Local Settings\Application Data\AIM

2011-08-10 17:37 . 2011-08-12 15:28 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\DivX

2011-08-10 17:37 . 2011-08-10 20:13 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\eFax Messenger

2011-08-10 17:36 . 2011-08-10 17:36 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\HP

2011-08-10 17:36 . 2011-08-23 17:10 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\HpUpdate

2011-08-10 17:36 . 2011-08-10 17:36 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\Intel

2011-08-10 17:36 . 2011-08-10 17:36 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\j2 Global

2011-08-10 17:34 . 2011-08-10 17:34 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\Office Genuine Advantage

2011-08-10 17:33 . 2011-08-10 17:33 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\Mael

2011-08-10 17:33 . 2011-08-10 17:33 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\Quicken WillMaker

2011-08-10 17:28 . 2011-08-10 20:19 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\skypePM

2011-08-10 17:28 . 2011-08-10 17:28 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\Toshiba

2011-08-10 17:27 . 2011-08-10 17:27 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\Trusteer

2011-08-10 17:27 . 2011-08-11 05:15 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\Uniblue

2011-08-10 17:27 . 2011-08-10 17:27 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\webex

2011-08-10 17:27 . 2011-08-10 17:27 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\Windows Desktop Search

2011-08-10 17:27 . 2011-08-10 17:27 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\Apple Computer

2011-08-10 17:27 . 2011-08-10 17:27 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\acccore

2011-08-10 17:23 . 2011-08-10 17:40 -------- d-----w- c:\documents and settings\rhoneyman\Local Settings\Application Data\Adobe

2011-08-10 17:16 . 2011-08-10 17:16 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\Intuit

2011-08-10 17:11 . 2011-08-10 17:48 -------- d-----w- c:\documents and settings\rhoneyman\Local Settings\Application Data\Symantec

2011-08-10 17:07 . 2011-08-10 17:07 -------- d-----w- c:\documents and settings\rhoneyman\Application Data\TuneUp Software

2011-08-09 00:58 . 2011-08-21 23:28 -------- d-----w- c:\program files\Free Window Registry Repair

2011-08-09 00:21 . 2011-08-28 17:17 -------- d-----w- c:\program files\CCleaner

2011-08-08 23:56 . 2011-08-08 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ErrorEND

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-24 19:31 . 2011-01-25 18:01 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys

2011-08-24 19:29 . 2011-01-25 18:01 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys

2011-08-15 17:10 . 2008-11-10 17:21 106496 ----a-w- c:\windows\DUMPf2ad.tmp

2011-08-15 11:19 . 2011-06-29 15:12 31552 ----a-w- c:\windows\system32\TURegOpt.exe

2011-08-11 03:57 . 2011-06-10 03:19 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-19 09:05 . 2010-05-11 10:03 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-07-15 13:29 . 2008-04-14 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2008-04-14 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-06-24 14:10 . 2008-11-11 16:28 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-24 13:37 . 2011-06-24 13:37 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll

2011-06-24 13:37 . 2010-10-04 05:24 114616 ----a-w- c:\windows\system32\Vxdif.dll

2011-06-24 13:37 . 2010-10-04 05:24 255096 ----a-w- c:\windows\system32\drivers\Apfiltr.sys

2011-06-23 18:36 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36 . 2008-04-14 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-02-06 13:30 . 2011-02-06 13:29 0 ----a-w- c:\program files\Common Files\admintool.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}"= "c:\program files\Freeze.com\NetAssistant\NetAssistant.dll" [2010-11-09 371320]

.

[HKEY_CLASSES_ROOT\clsid\{e38fa08e-f56a-4169-abf5-5c71e3c153a1}]

[HKEY_CLASSES_ROOT\NetAssistant.NetAssistantBHO.1]

[HKEY_CLASSES_ROOT\TypeLib\{1E8FC16F-4C51-49C4-BC9B-4FC24BDDCEE7}]

[HKEY_CLASSES_ROOT\NetAssistant.NetAssistantBHO]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}]

2010-11-09 14:21 371320 ----a-w- c:\program files\Freeze.com\NetAssistant\NetAssistant.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\rhoneyman\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\rhoneyman\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\rhoneyman\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\rhoneyman\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

"InstallIQUpdater"="c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe" [2011-05-10 1205760]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]

"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2010-07-02 95744]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]

"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 73728]

"TPSMain"="TPSMain.exe" [2004-12-28 270336]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-11-11 115560]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-06-24 292208]

"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 88358]

"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2009-04-30 460048]

.

c:\documents and settings\rhoneyman\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\rhoneyman\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]

OneNote Table Of Contents.onetoc2 [2011-8-11 3656]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

SANmelody Startup.lnk - c:\program files\DataCore Software\SANmelody\DcsShMon.exe [2009-5-5 198048]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"HideShutdownScripts"= 0 (0x0)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"MaxRecentDocs"= 41 (0x29)

"ForceStartMenuLogOff"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ \0

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerSuite]

2011-07-18 20:08 67448 ----a-w- c:\program files\Uniblue\PowerSuite\Launcher.exe

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"Xvid"=c:\program files\Xvid\CheckUpdate.exe

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

"Aim"="c:\program files\AIM\aim.exe" /d locale=en-US

"Google Update"="c:\documents and settings\rhoneyman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

"ctfmon.exe"=c:\windows\system32\ctfmon.exe

"QuickenScheduledUpdates"=c:\program files\Quicken\bagent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

"HotKeysCmds"=c:\windows\system32\hkcmd.exe

"TPNF"=c:\program files\TOSHIBA\TouchPad\TPTray.exe

"DcsTmTray"="c:\program files\DataCore Software\UpTempo\DcsTmTray.exe"

"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" -osboot

"IgfxTray"=c:\windows\system32\igfxtray.exe

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

"QuiKProtect"=c:\program files\Iomega\QuikProtect\StartQuikProtect.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\WINDOWS\\system32\\searchprotocolhost.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=

"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

"c:\\Documents and Settings\\rhoneyman\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=

"c:\\Documents and Settings\\rhoneyman\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\Program Files\\AirPort\\APAgent.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"25:TCP"= 25:TCP:email

"25:UDP"= 25:UDP:email1

"9100:TCP"= 9100:TCP:PORT_9100_TCP

"161:UDP"= 161:UDP:PORT_161_UDP

"5353:UDP"= 5353:UDP:Bonjour

"1787:TCP"= 1787:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

.

R0 DcsCf;DataCore Disk Cache;c:\windows\system32\drivers\DcsCf.sys [5/5/2009 12:25 PM 94288]

R0 DcsFcEng;DataCore Fibre Channel Engine Driver;c:\windows\system32\drivers\DcsFcEng.sys [5/5/2009 1:16 PM 288464]

R0 DcsPerf;DataCore Disk Performance Driver;c:\windows\system32\drivers\DcsPerf.sys [5/5/2009 1:16 PM 15824]

R0 DcsPMF;DataCore Partition Management;c:\windows\system32\drivers\DcsPMF.sys [5/5/2009 1:16 PM 65872]

R0 DcsPoll;DataCore Poller Driver;c:\windows\system32\drivers\DcsPoll.sys [5/5/2009 1:16 PM 18512]

R0 DcsShim;DataCore Scsi Shim Driver;c:\windows\system32\drivers\DcsShim.sys [5/5/2009 1:16 PM 67408]

R0 DcsSp;DataCore SCSI Driver;c:\windows\system32\drivers\DcsSp.sys [5/5/2009 1:16 PM 154320]

R0 DcsSup;DataCore Support Driver;c:\windows\system32\drivers\DcsSup.sys [5/5/2009 1:16 PM 49104]

R0 DcsTracer;DataCore Tracer Driver;c:\windows\system32\drivers\DcsTracer.sys [5/5/2009 1:16 PM 64464]

R1 DcsCap;DataCore Capability;c:\windows\system32\drivers\DcsCap.sys [5/5/2009 1:16 PM 238672]

R1 DcsHa;DataCore High Availability;c:\windows\system32\drivers\DcsHa.sys [5/5/2009 1:16 PM 84176]

R1 DcsSdc;DataCore Domain;c:\windows\system32\drivers\DcsSdc.sys [5/5/2009 1:16 PM 43600]

R1 DcsState;DataCore System State;c:\windows\system32\drivers\DcsState.sys [5/5/2009 1:16 PM 27856]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/14/2008 8:00 AM 14336]

R2 DcsSDS;DataCore Storage Domain Server;c:\program files\DataCore Software\SANmelody\DcsSds.exe [5/5/2009 1:16 PM 521632]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/23/2011 2:52 PM 366640]

R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Engine\2.0.8.13\SymcPCCULaunchSvc.exe [8/26/2011 9:46 AM 120248]

R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Engine\2.0.8.13\ccSvcHst.exe [8/26/2011 9:46 AM 126392]

R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [4/19/2011 2:44 AM 399416]

R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [8/15/2011 7:16 AM 1526080]

R3 DcsiMgr;DataCore iScsi Manager Driver;c:\windows\system32\drivers\DcsiMgr.sys [5/5/2009 1:16 PM 207184]

R3 DcsIs;DataCore Software iScsi Driver;c:\windows\system32\drivers\DcsIs.sys [5/5/2009 1:16 PM 167504]

R3 DcsNULL;DataCore Null FCP Port Driver;c:\windows\system32\drivers\DcsNull.sys [5/5/2009 1:16 PM 20560]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/1/2011 1:05 AM 105592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/23/2011 2:52 PM 22712]

R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [2/10/2011 10:22 AM 10064]

R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/23/2011 2:52 PM 41272]

S1 DcsCache;DataCore Cache;c:\windows\system32\drivers\DcsCache.sys [5/5/2009 1:16 PM 60496]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]

S2 DcsStart;DataCore Start Service;c:\program files\DataCore Software\SANmelody\DcsStart.exe [5/5/2009 1:16 PM 152992]

S2 gupdate1c9da0d7e6556ba;Google Update Service (gupdate1c9da0d7e6556ba);c:\program files\Google\Update\GoogleUpdate.exe [5/21/2009 8:13 AM 133104]

S2 ose32;Office Source Engine ; [x]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/11/2009 12:52 PM 23888]

S3 DcsRcmd;DataCore Remote Command Service;c:\program files\DataCore Software\SANmelody\DcsRcmd.exe [5/5/2009 1:16 PM 140712]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/21/2009 8:13 AM 133104]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]

S3 QPCopyEngine;QPCopyEngine;c:\program files\Iomega\QuikProtect\QpMonitor.exe [6/24/2010 4:04 PM 247088]

S3 QsFsFltr;QsFsFltr;c:\windows\system32\drivers\QsFsFltr.sys [8/25/2011 1:12 AM 19384]

S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [4/19/2011 2:44 AM 993848]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]

S4 DcsTmSvc;DataCore UpTempo;c:\program files\DataCore Software\UpTempo\DcsTmSvc.exe [5/5/2009 12:25 PM 75168]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MBAMSWISSARMY

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

Akamai REG_MULTI_SZ Akamai

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-02 c:\windows\Tasks\User_Feed_Synchronization-{47D06254-0040-476E-9B31-03180AC5A720}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

uInternet Settings,ProxyOverride = *.local

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: advpa.com\www

Trusted Zone: apple.com\www

Trusted Zone: barclaycardus.com\www

Trusted Zone: chase.com\cards

Trusted Zone: google.com\www

Trusted Zone: target.com\rcam

Trusted Zone: target.com\www

Trusted Zone: usatoday.com\puzzles

Trusted Zone: verizonwireless.com\www

Trusted Zone: wachovia.com\www

TCP: DhcpNameServer = 192.168.1.1

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-04 00:38

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCCUJobMgr]

"ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.8.13\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.8.13\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-484763869-220523388-1417001333-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Services\mirror\MK*]

"Attach.ToDesktop"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1248)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

.

Completion time: 2011-09-04 00:44:56

ComboFix-quarantined-files.txt 2011-09-04 04:44

ComboFix2.txt 2011-08-28 16:08

.

Pre-Run: 35,553,316,864 bytes free

Post-Run: 35,617,226,752 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - EF535DEE9C2DF9B2C690658AD8C54348

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by rhoneyman at 1:02:46 on 2011-09-04

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1031 [GMT -4:00]

.

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\WINDOWS\System32\svchost.exe -k Akamai

svchost.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\DataCore Software\SANmelody\DcsSds.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Norton PC Checkup\Engine\2.0.8.13\SymcPCCULaunchSvc.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Norton PC Checkup\Engine\2.0.8.13\ccSvcHst.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Norton PC Checkup\Engine\2.0.8.13\ccSvcHst.exe

C:\Program Files\Secunia\PSI\sua.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe

C:\Program Files\Toshiba\Tvs\TvsTray.exe

C:\WINDOWS\system32\TPSMain.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\DellTPad\Apoint.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\AirPort\APAgent.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\DataCore Software\SANmelody\DcsShMon.exe

C:\Documents and Settings\rhoneyman\Application Data\Dropbox\bin\Dropbox.exe

C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://my.yahoo.com/

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: NetAssistantBHO Class: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\freeze.com\netassistant\NetAssistant.dll

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: SecureBrowsing bho: {7632abca-b104-4fbc-9c70-419c4147061b} - c:\program files\m86security secure browsing\SecureBrowsing.dll

BHO: Advertising Cookie Opt-out: {8e425eb4-adbd-4816-b1e8-49bb9decf034} - c:\program files\google\advertising cookie opt-out\opt_out.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: NetAssistantBHO Class: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\freeze.com\netassistant\NetAssistant.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: M86 Security Secure Browsing: {b99f805c-f0b1-48ea-8c8b-753bfcbed913} - c:\program files\m86security secure browsing\SecureBrowsing.dll

EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe

uRun: [installIQUpdater] "c:\program files\w3i\installiqupdater\InstallIQUpdater.exe" /silent /autorun

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe

mRun: [TPSMain] TPSMain.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x089d -f video -m logitech -d 12.0.1278.0

StartupFolder: c:\docume~1\rhoney~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\rhoneyman\application data\dropbox\bin\Dropbox.exe

StartupFolder: c:\documents and settings\rhoneyman\start menu\programs\startup\OneNote Table Of Contents.onetoc2

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sanmel~1.lnk - c:\program files\datacore software\sanmelody\DcsShMon.exe

uPolicies-explorer: MaxRecentDocs = 41 (0x29)

uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)

mPolicies-system: HideShutdownScripts = 0 (0x0)

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

Trusted Zone: advpa.com\www

Trusted Zone: apple.com\www

Trusted Zone: barclaycardus.com\www

Trusted Zone: chase.com\cards

Trusted Zone: google.com\www

Trusted Zone: target.com\rcam

Trusted Zone: target.com\www

Trusted Zone: usatoday.com\puzzles

Trusted Zone: verizonwireless.com\www

Trusted Zone: wachovia.com\www

DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/sdccommon/download/tgctlsr.cab

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab

DPF: {03A89EFD-E023-A200-A22D-45F77558EB4C} - hxxps://content10.ilinc.com/download/AXCltInstall.dll

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://netsuitemeeting.webex.com/client/T26LSP49EP12/webex/ieatgpc.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F5131C24-E56D-11CF-B78A-444553540000} - hxxps://wc.wachovia.com/common/cab/ikcntrls.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{45193AB9-07F5-46FC-BA7E-E6D0C8AE3B2B} : DhcpNameServer = 192.168.1.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 DcsCf;DataCore Disk Cache;c:\windows\system32\drivers\DcsCf.sys [2009-5-5 94288]

R0 DcsFcEng;DataCore Fibre Channel Engine Driver;c:\windows\system32\drivers\DcsFcEng.sys [2009-5-5 288464]

R0 DcsPerf;DataCore Disk Performance Driver;c:\windows\system32\drivers\DcsPerf.sys [2009-5-5 15824]

R0 DcsPMF;DataCore Partition Management;c:\windows\system32\drivers\DcsPMF.sys [2009-5-5 65872]

R0 DcsPoll;DataCore Poller Driver;c:\windows\system32\drivers\DcsPoll.sys [2009-5-5 18512]

R0 DcsShim;DataCore Scsi Shim Driver;c:\windows\system32\drivers\DcsShim.sys [2009-5-5 67408]

R0 DcsSp;DataCore SCSI Driver;c:\windows\system32\drivers\DcsSp.sys [2009-5-5 154320]

R0 DcsSup;DataCore Support Driver;c:\windows\system32\drivers\DcsSup.sys [2009-5-5 49104]

R0 DcsTracer;DataCore Tracer Driver;c:\windows\system32\drivers\DcsTracer.sys [2009-5-5 64464]

R1 DcsCap;DataCore Capability;c:\windows\system32\drivers\DcsCap.sys [2009-5-5 238672]

R1 DcsHa;DataCore High Availability;c:\windows\system32\drivers\DcsHa.sys [2009-5-5 84176]

R1 DcsSdc;DataCore Domain;c:\windows\system32\drivers\DcsSdc.sys [2009-5-5 43600]

R1 DcsState;DataCore System State;c:\windows\system32\drivers\DcsState.sys [2009-5-5 27856]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]

R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-14 14336]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-11-11 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-11-11 108392]

R2 DcsSDS;DataCore Storage Domain Server;c:\program files\datacore software\sanmelody\DcsSds.exe [2009-5-5 521632]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-23 366640]

R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\norton pc checkup\engine\2.0.8.13\SymcPCCULaunchSvc.exe [2011-8-26 120248]

R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\norton pc checkup\engine\2.0.8.13\ccSvcHst.exe [2011-8-26 126392]

R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-19 399416]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-11-11 2477304]

R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2011\TuneUpUtilitiesService32.exe [2011-8-15 1526080]

R3 DcsiMgr;DataCore iScsi Manager Driver;c:\windows\system32\drivers\DcsiMgr.sys [2009-5-5 207184]

R3 DcsIs;DataCore Software iScsi Driver;c:\windows\system32\drivers\DcsIs.sys [2009-5-5 167504]

R3 DcsNULL;DataCore Null FCP Port Driver;c:\windows\system32\drivers\DcsNull.sys [2009-5-5 20560]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-9-1 105592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-23 22712]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110903.002\NAVENG.SYS [2011-9-4 86136]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110903.002\NAVEX15.SYS [2011-9-4 1576312]

R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2011\TuneUpUtilitiesDriver32.sys [2011-2-10 10064]

R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-8-23 41272]

S1 DcsCache;DataCore Cache;c:\windows\system32\drivers\DcsCache.sys [2009-5-5 60496]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 DcsStart;DataCore Start Service;c:\program files\datacore software\sanmelody\DcsStart.exe [2009-5-5 152992]

S2 gupdate1c9da0d7e6556ba;Google Update Service (gupdate1c9da0d7e6556ba);c:\program files\google\update\GoogleUpdate.exe [2009-5-21 133104]

S2 ose32;Office Source Engine ; [x]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-11-11 23888]

S3 DcsRcmd;DataCore Remote Command Service;c:\program files\datacore software\sanmelody\DcsRcmd.exe [2009-5-5 140712]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-5-21 133104]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]

S3 QPCopyEngine;QPCopyEngine;c:\program files\iomega\quikprotect\QpMonitor.exe [2010-6-24 247088]

S3 QsFsFltr;QsFsFltr;c:\windows\system32\drivers\QsFsFltr.sys [2011-8-25 19384]

S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-19 993848]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 DcsTmSvc;DataCore UpTempo;c:\program files\datacore software\uptempo\DcsTmSvc.exe [2009-5-5 75168]

.

=============== Created Last 30 ================

.

2011-09-04 04:13:31 -------- d-sha-r- C:\cmdcons

2011-09-04 03:42:46 98816 ----a-w- c:\windows\sed.exe

2011-09-04 03:42:46 518144 ----a-w- c:\windows\SWREG.exe

2011-09-04 03:42:46 256000 ----a-w- c:\windows\PEV.exe

2011-09-04 03:42:46 208896 ----a-w- c:\windows\MBR.exe

2011-09-01 21:03:37 -------- d-----w- C:\Diskeeper

2011-08-31 15:04:11 -------- d-----w- C:\Old System ini_broken maybe

2011-08-31 08:58:28 -------- d-----w- c:\program files\ESET

2011-08-31 02:02:12 -------- d-----w- c:\documents and settings\rhoneyman\application data\SUPERAntiSpyware.com

2011-08-31 02:00:56 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-08-31 02:00:56 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2011-08-30 14:31:51 -------- d-----w- c:\program files\Windows Resource Kits

2011-08-28 16:22:55 -------- d-----w- c:\documents and settings\rhoneyman\.gimp-2.6

2011-08-28 16:22:23 -------- d-----w- c:\documents and settings\rhoneyman\.gegl-0.0

2011-08-28 10:12:36 -------- d-----w- c:\documents and settings\rhoneyman\application data\Finjan

2011-08-28 10:12:35 -------- d-----w- c:\program files\M86Security Secure Browsing

2011-08-26 13:47:49 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Tific

2011-08-26 13:47:49 -------- d-----w- c:\documents and settings\rhoneyman\application data\Tific

2011-08-26 13:46:43 -------- d-----w- c:\windows\system32\drivers\nortonpccheckup\0200080.00D

2011-08-26 13:46:43 -------- d-----w- c:\windows\system32\drivers\NortonPCCheckup

2011-08-26 13:46:40 -------- d-----w- c:\program files\Norton PC Checkup

2011-08-26 13:46:39 -------- d-----w- c:\documents and settings\all users\application data\Norton

2011-08-26 13:46:21 -------- d-----w- c:\program files\NortonInstaller

2011-08-26 13:46:21 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller

2011-08-25 17:53:02 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Microsoft Help

2011-08-25 05:12:25 19384 ----a-r- c:\windows\system32\drivers\QsFsFltr.sys

2011-08-25 05:12:03 -------- d-----w- c:\program files\Iomega

2011-08-24 16:19:44 -------- d-----w- c:\documents and settings\rhoneyman\application data\DriverCure

2011-08-24 16:19:12 -------- d-----w- c:\documents and settings\all users\application data\ParetoLogic

2011-08-24 14:43:45 29504 ----a-w- c:\windows\system32\uxtuneup.dll

2011-08-24 03:07:26 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-08-24 02:29:53 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll

2011-08-24 02:29:53 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll

2011-08-24 02:29:53 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2011-08-24 02:29:53 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2011-08-24 02:29:53 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2011-08-24 02:29:53 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2011-08-24 02:29:53 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

2011-08-24 02:18:19 -------- d-----w- c:\program files\AirPort

2011-08-24 01:56:33 -------- d--h--w- c:\program files\Zero G Registry

2011-08-23 18:53:08 -------- d-----w- c:\documents and settings\rhoneyman\application data\Malwarebytes

2011-08-23 18:52:41 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-23 18:52:39 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-08-23 18:52:36 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-23 18:52:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-23 18:27:32 -------- d-----w- c:\documents and settings\all users\application data\PC Tools

2011-08-23 18:15:29 -------- d-----w- c:\program files\common files\xing shared

2011-08-23 17:09:47 -------- d-----w- c:\windows\Hewlett-Packard

2011-08-23 14:56:52 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Secunia PSI

2011-08-23 14:56:25 -------- d-----w- c:\program files\Secunia

2011-08-22 01:40:12 388096 ----a-r- c:\documents and settings\rhoneyman\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-08-22 01:40:11 -------- d-----w- c:\program files\Trend Micro

2011-08-12 11:25:16 -------- d-----w- c:\documents and settings\rhoneyman\application data\foobar2000

2011-08-12 04:15:13 -------- d-----w- c:\documents and settings\rhoneyman\application data\EAC

2011-08-12 04:15:00 -------- d-----w- c:\documents and settings\rhoneyman\application data\AccurateRip

2011-08-11 15:35:32 -------- d-----w- c:\program files\Process Monito

2011-08-11 15:04:33 632656 ----a-w- c:\windows\system32\msvcr80.dll

2011-08-11 05:08:41 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Spotify

2011-08-11 05:08:41 -------- d-----w- c:\documents and settings\rhoneyman\application data\Spotify

2011-08-11 03:56:50 -------- d-----w- c:\documents and settings\rhoneyman\application data\ElevatedDiagnostics

2011-08-11 01:05:11 -------- d-----w- c:\documents and settings\rhoneyman\application data\Windows Search

2011-08-10 23:49:08 -------- d-sh--w- c:\documents and settings\rhoneyman\PrivacIE

2011-08-10 23:49:07 -------- d-sh--w- c:\documents and settings\rhoneyman\IECompatCache

2011-08-10 20:28:04 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Conference Manager

2011-08-10 17:58:26 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\OneNote

2011-08-10 17:47:27 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\LogiShrd

2011-08-10 17:47:16 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Kaluach 3

2011-08-10 17:47:02 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\iLinc

2011-08-10 17:46:42 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Identities

2011-08-10 17:42:01 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Google

2011-08-10 17:41:52 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Downloaded Installations

2011-08-10 17:41:44 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Deployment

2011-08-10 17:41:23 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Apple Computer

2011-08-10 17:41:19 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Apple

2011-08-10 17:41:14 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\AOL OCP

2011-08-10 17:41:06 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\AOL

2011-08-10 17:40:58 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\AIM

2011-08-10 17:37:02 -------- d-----w- c:\documents and settings\rhoneyman\application data\eFax Messenger

2011-08-10 17:36:45 -------- d-----w- c:\documents and settings\rhoneyman\application data\HpUpdate

2011-08-10 17:36:40 -------- d-----w- c:\documents and settings\rhoneyman\application data\Intel

2011-08-10 17:36:06 -------- d-----w- c:\documents and settings\rhoneyman\application data\j2 Global

2011-08-10 17:34:37 -------- d-----w- c:\documents and settings\rhoneyman\application data\Office Genuine Advantage

2011-08-10 17:33:58 -------- d-----w- c:\documents and settings\rhoneyman\application data\Mael

2011-08-10 17:33:43 -------- d-----w- c:\documents and settings\rhoneyman\application data\Quicken WillMaker

2011-08-10 17:27:58 -------- d-----w- c:\documents and settings\rhoneyman\application data\Trusteer

2011-08-10 17:27:43 -------- d-----w- c:\documents and settings\rhoneyman\application data\Uniblue

2011-08-10 17:27:38 -------- d-----w- c:\documents and settings\rhoneyman\application data\webex

2011-08-10 17:27:33 -------- d-----w- c:\documents and settings\rhoneyman\application data\Windows Desktop Search

2011-08-10 17:23:06 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Adobe

2011-08-10 17:16:58 -------- d-----w- c:\documents and settings\rhoneyman\application data\Intuit

2011-08-10 17:11:37 -------- d-----w- c:\documents and settings\rhoneyman\local settings\application data\Symantec

2011-08-10 17:07:48 -------- d-----w- c:\documents and settings\rhoneyman\application data\TuneUp Software

2011-08-09 00:58:49 -------- d-----w- c:\program files\Free Window Registry Repair

2011-08-09 00:21:06 -------- d-----w- c:\program files\CCleaner

2011-08-08 23:56:07 -------- d-----w- c:\documents and settings\all users\application data\ErrorEND

.

==================== Find3M ====================

.

2011-08-24 19:31:37 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys

2011-08-24 19:29:59 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys

2011-08-15 17:10:19 106496 ----a-w- c:\windows\DUMPf2ad.tmp

2011-08-15 11:19:14 31552 ----a-w- c:\windows\system32\TURegOpt.exe

2011-08-11 03:57:24 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-19 09:05:24 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-05 22:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-07-05 22:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-24 13:37:40 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll

2011-06-24 13:37:39 114616 ----a-w- c:\windows\system32\Vxdif.dll

2011-06-24 13:37:38 255096 ----a-w- c:\windows\system32\drivers\Apfiltr.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-02-06 13:30:54 0 ----a-w- c:\program files\common files\admintool.exe

.

============= FINISH: 1:04:31.82 ===============


Thanks, Chris. I'm certain you're correct about that. I'm trying to capture the moment Anti-Malware prevents an unwanted connection using security audits (can't really see anything useful) and MS Process Monitor. Unfortunately, the three incidents that occurred in the last while came while ProcMon was not running.

Anyway, with luck, you'll be able to glean something useful from the attach.txt info. I'm reading your post as telling me to copy/paste the file rather than attach. If I read that wrong, sorry. Here it is:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 11/11/2008 11:36:31 AM

System Uptime: 9/6/2011 11:00:59 PM (17 hours ago)

.

Motherboard: TOSHIBA | | EBQ10

Processor: Intel® Pentium® M processor 1.73GHz | U1 | 1729/mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 93 GiB total, 32.027 GiB free.

D: is CDROM ()

E: is CDROM (CDFS)

F: is FIXED (NTFS) - 465 GiB total, 364.288 GiB free.

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP1: 8/31/2011 8:55:38 AM - System Checkpoint

RP2: 9/3/2011 11:43:48 PM - ComboFix created restore point

RP3: 9/6/2011 3:17:29 PM - Software Distribution Service 3.0

RP4: 9/6/2011 5:19:12 PM - Made by Regsofts

RP5: 9/6/2011 6:16:19 PM - DriverScanner - 9/6/2011 6:15:38 PM

.

==== Installed Programs ======================

.

32 Bit HP CIO Components Installer

Adobe Acrobat 8 Professional

Adobe Acrobat 8.3.0 - CPSID_83708

Adobe Acrobat 8.3.0 Professional

Adobe Flash Player 10 ActiveX

AIM 7

AirPort

Akamai NetSession Interface

AnswerWorks 5.0 English Runtime

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Bonjour

BufferChm

C4400

C4400_Help

Cards_Calendar_OrderGift_DoMorePlugout

CCleaner

CD/DVD Drive Acoustic Silencer

Copy

DataCore SANmelody 2.0.4.2

DataCore UpTempo 1.3.0

Dell Touchpad

Destination Component

DeviceDiscovery

DeviceManagementQFolder

Diskeeper 2009 Professional

DivX Setup

DocProc

Download Updater (AOL LLC)

Dropbox

DVD-RAM Driver

eFax Messenger

ESET Online Scanner v3

eSupportQFolder

Exact Audio Copy 1.0beta2

FLEXnet Publisher License Server Manager

foobar2000 v1.1.7

Free Window Registry Repair

FreeConference Outlook Conference Manager

Freeze.com NetAssistant

Fujitsu COBOL Free Run-time

Gimp 2.6.2 Debug

Google Advertising Cookie Opt-out

Google Earth

Google Earth Plug-in

Google Talk Plugin

Google Update Helper

Google Updater

GoToMeeting 4.8.0.723

GPBaseService

HashTab 3.0.0

HiJackThis

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB954550-v5)

HP Customer Participation Program 10.0

HP Imaging Device Functions 10.0

HP Photosmart C4400 All-In-One Driver Software 10.0 Rel .3

HP Photosmart Essential 2.5

HP Product Detection

HP Smart Web Printing

HP Solution Center 10.0

HP Update

HPDiagnosticAlert

HPPhotoSmartPhotobookWebPack1

HPProductAssistant

HPSSupply

HxD Hex Editor version 1.7.7.0

ImgBurn

InstallIQ Updater

Intel® Graphics Media Accelerator Driver

Intel® PROSet/Wireless Software

Java Auto Updater

Java 6 Update 27

Kaluach3

LiveUpdate 3.3 (Symantec Corporation)

Logitech Updater

Logitech Vid HD

Logitech Webcam Software

Logitech Webcam Software Driver Package

M86Security Secure Browsing

Malwarebytes' Anti-Malware version 1.51.1.1800

MarketResearch

mCore

mDrWiFi

mHelp

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2416447)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Dynamics NAV 2009 ODBC

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Enterprise 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office File Validation Add-In

Microsoft Office Groove MUI (English) 2007

Microsoft Office Groove Setup Metadata MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Outlook Web Access S/MIME

Microsoft Report Viewer Redistributable 2008 (KB971118)

Microsoft Silverlight

Microsoft Software Update for Web Folders (English) 12

Microsoft VC9 runtime libraries

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Windows Media Video 9 VCM

mIWA

mLogView

mMHouse

mPfMgr

mPfWiz

mProSafe

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

mWlsSafe

mXML

mZConfig

NetAssistant

Norton PC Checkup

OCR Software by I.R.I.S. 10.0

OGA Notifier 2.0.0048.0

Outlook Express Quick Backup

PanoStandAlone

PS_AIO_03_C4400_ProductContext

PS_AIO_03_C4400_Software

PS_AIO_03_C4400_Software_Min

PS_AIO_05_C4600_Software_Min

PSSWCORE

Quicken 2010

Quicken WillMaker Plus 2010

QuickTime

RealData Calculator - Free Edition

Realtek AC'97 Audio

RealUpgrade 1.0

Sansa Updater

Scan

Secunia PSI (2.0.0.3003)

Security Update for 2007 Microsoft Office System (KB2288621)

Security Update for 2007 Microsoft Office System (KB2288931)

Security Update for 2007 Microsoft Office System (KB2345043)

Security Update for 2007 Microsoft Office System (KB2509488)

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for 2007 Microsoft Office System (KB976321)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Extended (KB2416472)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft Office 2007 System (KB2541012)

Security Update for Microsoft Office Access 2007 (KB979440)

Security Update for Microsoft Office Excel 2007 (KB2541007)

Security Update for Microsoft Office Groove 2007 (KB2494047)

Security Update for Microsoft Office InfoPath 2007 (KB2510061)

Security Update for Microsoft Office InfoPath 2007 (KB979441)

Security Update for Microsoft Office PowerPoint 2007 (KB2535818)

Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)

Security Update for Microsoft Office Publisher 2007 (KB2284697)

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Microsoft Office Visio Viewer 2007 (KB973709)

Security Update for Microsoft Office Word 2007 (KB2344993)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2530548)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2559049)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB923789)

Shop for HP Supplies

Skype Toolbars

Skype™ 5.3

SmartWebPrintingOC

SolutionCenter

Spell Checker For OE 2.1

Spotify

Status

SUPERAntiSpyware

Symantec Endpoint Protection

TaxACT 2007

TaxACT 2008

TaxACT 2009

TaxACT 2009 Michigan

TaxACT 2010

TaxACT 2010 Michigan

Toolbox

TOSHIBA Power Saver

TOSHIBA SD Memory Card Format

TOSHIBA Software Modem

Toshiba Tbiosdrv Driver

TOSHIBA Virtual Sound

TouchPad On/Off Utility

Transend Migrator

TrayApp

TuneUp Utilities 2011

TuneUp Utilities Language Pack (en-US)

Uniblue DriverScanner

Uniblue PixelPerfect

Uniblue PowerSuite

Uniblue RegistryBooster

Uniblue SpeedUpMyPC

UnloadSupport

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office 2007 System (KB2539530)

Update for Microsoft Office Access 2007 Help (KB963663)

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office Infopath 2007 Help (KB963662)

Update for Microsoft Office OneNote 2007 (KB980729)

Update for Microsoft Office OneNote 2007 Help (KB963670)

Update for Microsoft Office Outlook 2007 (KB2509470)

Update for Microsoft Office Outlook 2007 Help (KB963677)

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Publisher 2007 Help (KB963667)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Word 2007 Help (KB963665)

Update for Microsoft Windows (KB971513)

Update for Outlook 2007 Junk Email Filter (KB2586924)

Update for Windows Internet Explorer 8 (KB2447568)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows XP (KB2492386)

Update for Windows XP (KB2607712)

Utility Common Driver

VBA (3821b)

VC80CRTRedist - 8.0.50727.4053

VideoToolkit01

WebFldrs XP

WebLog Expert Lite 7.4

WebReg

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Live ID Sign-in Assistant

Windows Media Format 11 runtime

Windows Media Player 11

Windows Resource Kit Tools

Windows Rights Management Client Backwards Compatibility SP2

Windows Rights Management Client with Service Pack 2

Xvid Video Codec

.

==== Event Viewer Messages From Past Week ========

.

9/6/2011 9:32:04 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde

9/6/2011 8:11:32 PM, error: DcsCap [71] - The DataCore Capability driver has encountered an error while processing a message from requestor Id 14. This message was to be delivered for Data Structure update of record type 10. Therefore the storage server's status display tool might become inconsistent. DataCore Support should be contacted in order to obtain the correct procedure to resolve this issue.

9/6/2011 8:09:58 PM, error: Removable Storage Service [111] - RSM could not load media in drive Drive 0 of library Virtual CDROM USB Device.

9/6/2011 3:27:33 PM, error: Service Control Manager [7000] - The Secunia Update Agent service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

9/6/2011 3:27:31 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Secunia Update Agent service to connect.

9/4/2011 6:19:57 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

9/4/2011 2:35:30 PM, error: Cdrom [11] - The driver detected a controller error on \Device\CdRom1.

9/4/2011 12:06:00 AM, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.

9/4/2011 12:04:06 AM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.

9/4/2011 12:02:57 AM, error: Print [23] - Printer HP Photosmart Prem C410 series fax failed to initialize because a suitable HP Photosmart Prem C410 series fax driver could not be found.

9/4/2011 12:00:06 AM, error: NETLOGON [3095] - This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.

9/3/2011 11:59:00 PM, error: DcsCache [12] - The DataCore Cache driver failed to load (error creating device). This is probably the result of a critical shortage of system resources.

8/31/2011 4:28:51 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

8/31/2011 4:28:33 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

8/31/2011 4:25:55 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

8/31/2011 12:46:44 PM, error: System Error [1003] - Error code 100000d4, parameter1 a260c968, parameter2 00000002, parameter3 00000000, parameter4 804e63b9.

.

==== End Of File ===========================


Let me clarify: I captured all the activity processed (some 3,200 or so) during that one second interval. I tried to pull more but froze when I got greedy (one minute either side of the event...)

I see that there's a Skype upgrade out there. If it's the problem, perhaps the upgrade fixes the vulnerability. I'd still like to know what's driving transmission to evil sites. I've downloaded the toolbox from Microsoft's Sysinternals desk. I'm trying to understand what I'm supposed to be looking for to chase this phantom. Unless you're suggesting that a flaw in Skype has allowed it to become infected. That would make sense. If that's the case, how to remediate?

And, as I was typing that, the upgraded Skype loaded and another nasty was captured. Although, this doesn't happen every time Skype loads. Just weird...


  • Staff

Hi,

My apologies for the delay.

Please upload that spreadsheet.

When Skype is disabled, do the blocks persist? I believe Skype is responsible, but just because there are IP blocks occurring, that does not necessarily mean an infection is trying to call out. Since Skype is a P2P program, it navigates through many different networks. Some of these may lie on IP ranges that are known to host malicious content, which is why we block them. Skype performance should not be affected by this.


Not sure if the attached will answer any questions. I don't have the eye or the instincts/knowledge to tell if there's anything to see.

I uninstalled Skype and, of course, the problem has disappeared. I ran through the various cleaning agents; I'm satisfied there's nothing actively malignant left on my computer. But now I'm unable to run IE8 cleanly. I figured that MS would be little help in tracking down the problem so I did a fresh install of IE8. After loading all the security updates, I'm now unable to access cleanly update.microsoft.com or whatever the website is. Plus, I continue to get page errors. (As an example, this page generates the following:

Webpage error details

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)

Timestamp: Tue, 13 Sep 2011 02:50:55 UTC

Message: 'ipb' is undefined

Line: 4339

Char: 3

Code: 0

URI: http://forums.malwarebytes.org/index.php?app=forums&module=post&section=post&do=reply_post&f=7&t=94267

Message: 'Loader' is undefined

Line: 4389

Char: 4

Code: 0

URI: http://forums.malwarebytes.org/index.php?app=forums&module=post&section=post&do=reply_post&f=7&t=94267

Message: 'ipb' is undefined

Line: 4690

Char: 1

Code: 0

URI: http://forums.malwarebytes.org/index.php?app=forums&module=post&section=post&do=reply_post&f=7&t=94267

Message: 'ipb' is undefined

Line: 4728

Char: 2

Code: 0

URI: http://forums.malwarebytes.org/index.php?app=forums&module=post&section=post&do=reply_post&f=7&t=94267

Message: 'ipb' is undefined

Line: 4757

Char: 2

Code: 0

URI: http://forums.malwarebytes.org/index.php?app=forums&module=post&section=post&do=reply_post&f=7&t=94267

Message: 'ipb' is undefined

Line: 4874

Char: 3

Code: 0

URI: http://forums.malwarebytes.org/index.php?app=forums&module=post&section=post&do=reply_post&f=7&t=94267

Message: 'ipb' is undefined

Line: 4479

Char: 3

Code: 0

URI: http://forums.malwarebytes.org/index.php?app=forums&module=post&section=post&do=reply_post&f=7&t=94267

Message: Object expected

Line: 4907

Char: 47

Code: 0

URI: http://forums.malwarebytes.org/index.php?app=forums&module=post&section=post&do=reply_post&f=7&t=94267)

I'm not looking for a cure from here but I have a bald spot where I've been scratching my head...

Back to Skype: I cleared all folders, files, etc. having anything to do with Skype, just in case something evil was hiding. I removed all reference to Skype from the registry, to prevent some sort of backdoor way to mess with me. But, now I'm in complete agreement with you on this one.

My firewall (I'm running through a wireless router so I have the potential of setting up a hardware-based firewall, but I'm clueless...) did nothing to stop anything coming out of Skype. I'm guessing AntiMalWare only stops transmissions with inconsistent headers. So, transmissions to bad countries with clean headers have been able to get through. I don't have any idea what sort of information might be attached but a review of the size packets sent indicates not much has been moving. At this point, it looks like mere polling and confirmation.

Still, I'm guessing my location/address/identity is sufficiently confirmed that reinstalling Skype into a clean environment will result in a resumption of those transmissions. So, I'm inclined to find some other solution.

Or buy a new computer and have my son turn this one into a Linux box.

Do you agree that Skype is now off-limits? Unless there's a way to force Skype to let me know about - and approve - anything occurring across their code, I can't see a way of proactively controlling trolling.

Thanks again for your ear and your help.


Couldn't have been worse. I tried a half dozen times and each time the box froze. Or couldn't get past the MS authentication. Finally, it split the HDD into two parts creating a partition holding 98% of the space. I had to reformat. Fortunately everything (or, almost everything) was backed up on my external HDD. However, I'm still getting script errors on IE8. And, I'm unable to run updates. It finally occurred to me this morning walking home from shul that whatever is wrong with this box must be residing in the boot sector, hidden away from anything trying to clean it out. I seem to recall seeing a utility out there that can address that during boot. I imagine I'd have to burn a CD on a clean machine to do a proper scan. Or, I have a clean image file sitting on Dropbox. I could burn it on a clean CD and see if that gets me past the problem. I *was* able to deep test both the HDD and physical memory. Both passed. I think the best approach is to run a clean bootscan. I'll look around and see what I can find in case you're unable to respond quickly. If that turns up negative, I'll try to pull out my hair. I still have one or two tiny fragments sitting up there.


OMG!!! Someone who actually has a clue! :blink: I've searched for days trying to find someone, anyone, to give me some hint of what the hell has been causing the scripting errors. Son of a bitch!

Ok. I'm direct connected and the problem is finally solved. I probably could have avoided the repair debacle and the all nighter trying to rebuild my silly box. I've seen all sorts of folks asking the question and you are the only person I've come across who asked the right question. Yes. I was hardwired to my wireless router. I think I had even turned off the firewall within the router. But it does make sense. This happened to me a year or two ago when for a short period of time I tried staying hardwired. I never even noticed that going back to a wireless connection solved the problem for me - although, I'm not sure why that would make a difference. One more thing to test.

At any rate, I'm running ddwrt firmware on a D-Link router. I went hard because I was losing 75% of the expected performance when running through the ether. I decided it wasn't worth wasting any more time on: just plug in.

Well, now I'll have to play around and figure out what's causing the fubar. Any ideas?

Man, I am so frigging thrilled. You've made my week. Hell, month. Thanks. More than thanks.

If you have any thoughts on what conditions in the router setup I might want to test, please let me know.

Thanks again, Chris!

Best regards,

Bob


  • Staff

Glad to be of assistance. :) I suggest restoring the router to factory default settings and seeing if the issue persists:

1. Very important: First disconnect your computers from the Internet.

2. Router Reset: Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into the small hole labeled Reset located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 30 seconds).

3. Reset the IP/DNS settings of your Internet connection on each computer connected:

  • Go to Start -> Control Panel -> Double click on Network Connections.
  • Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.
  • Select the General tab.
  • Double click on Internet Protocol (TCP/IP).
    • Under General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".
  • Click OK twice to save the settings.
  • Reboot if you had to change any setting.

4. Flush the DNS cache:

  • Click the Start logo in the bottom left corner of the screen
  • Click on Run
  • In the command window copy/paste the following:
    ipconfig /flushdns
  • Then hit enter.
  • Exit the command window.

5. Reconnect: Once you have followed all the above steps you can reconnect your computer to the internet.


I reset the router to the dd-wrt defaults and the scripting errors disappeared. Thanks for reminding me to remember the obvious (doh!) I hate those things I should have thought of myself. :7)

Further research into Skype gives a partial answer to what's going on there. Skype is a distributed peer-to-peer network much like Napster, Gnutella, and Spotify (the next greatest thing according to my adult-who-should-know-better kids). They are able to control the cost of computing infrastructure by making everyone who signs up agree to allow Skype to take excess processing resource whenever it's needed and available. This actually reminds me more of SETI (Search for Extraterrestrial Intelligence) - http://www.seti.org/ - than of music pirating, uh, I mean sharing - with the caveat that SETI is noncommercial, scientific and upfront about use of bandwidth. (Skype buries that sucking resource piece in the body of their EUL.) Thus, as long as a computer is logged into Skype, there will be traffic along the Skype pipe from all over the world. Although I'm unable to confirm this, I'm guessing that even the questionable IP addresses blocked by Anti-Malware while running through the Skype pipe are benign.

However, I was not aware when I signed up for Skype that I was agreeing to integrating into their infrastructure. Now that I know this, I'm considering my options. I don't really care about the geography lesson a review of Skype traffic across my processor offers. However, I do care about sharing my limited cycles and bandwidth with folks I don't know, especially since I think I now understand why I had to rename this box Fido. I'm guessing Skype defines "available resource" in instantaneous slices per its own needs. It wouldn't surprise me if there are times where even as my processor pauses to catch its breath, Skype jumps out from behind the bushes to prevent another slacker on their network, effectively taking away resource that I will need following that (interrupted) processing pause. I don't know how long a Skype moment lasts, but I'm guessing that I could be fighting Skype much of the time I'm working.

At any rate, I'm trying to figure out if setting up a vpn will solve that problem. The vpn approach is actually a terrific idea anyway (assuming functional software) as it reintroduces the womb effect to computing sessions. Much of the crap that is intercepted by AVG and ZoneAlarm might actually disappear if I'm able to use a vpn as a cloaking shield. The only question vis-a-vis Skype is whether I can also use the vpn to kick Skype off my property between explicit invitations. That's my next bit of research. And, of course, there's the question of how much latency gets added to every inbound or outbound callout while working from within the womb.

Anyway, I'm in really good shape, thanks to your help, Chris. If you want to close this one, feel free. Or, if you're interested in what I come up with regarding using a vpn, I'll report back. Right now I'm considering two options: vpn4all (www.vpn4all.com), which has gotten decent reviews but is a paid hosting service; and setting up a vpn with my son in Israel, letting him host on his Linux box and then using something like Shrew as the client. I'm also looking at dumping Skype and using an open source solution such as Linphone (www.linphone.org), assuming it's not too far beyond my ken to set up myself and my colleagues.

Thanks again.

Best regards,

Bob

  • 2 weeks later...

Hi. I've been consumed by the Jewish holidays. No more major ones for six months. !!!

Anyway,...

VPN does not affect ptp networks. If you've set up the VPN to allow access by a ptp network (Skype, for example), the network will have access to your processor as long as you're actively logged into the network. Disengage (i.e., close the app) and the network can no longer see you.

That's not sufficient for me. I'm lazy. Skype will always be on and activity will run over the Skype pipe through my computer. It should be completely benign but I'm guessing that the bizarre East European sites that Anti-Malware was blocking were all completely benign since they were transmissions being run through the Skype pipe. The risk, of course, is that someone out there is working on ways to pierce through the Skype defenses. When they do, they'll have the ability to slam massive numbers of boxes.

So, with all that, I've decided that VPN is not a necessary addition. I wouldn't mind it but I'm not willing to pay for it at this point. Also, Skype is too irksome, if not potentially (infinitesimally, according to some), risky. My son living in Israel and I have agreed to use Google+ to hang out in. I believe that while running our feed through G+, we're running through their network without having to share resource with strangers. Color me stingy but if I want to give up part of my (very) limited computing resource, I'd rather give to SETI.org, not Skype.

But, hey. That's just me. :rolleyes:

And with that, I think it's time to close this one out.

Good chatting with you, Chris. Thanks for all the help.

Best regards,

Bob Honeyman


  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
