# Software Restriction Policy Virus



## wared13 (Dec 28, 2012)

Hi, my machine was attacked by something that caused a message saying "cannot open... prevented by a software restriction policy" when I attempt to open vital programs like my ESET security. No software restrictions have ever been set... this is a standalone machine for a small business... My ComboFix & anti-malware programs didn't fix anything. Running XP Pro SP3; any help appreciated!


----------



## kevinf80 (Mar 21, 2006)

Run the following:

Download and save DDS to your Desktop from either of the following links:

http://download.bleepingcomputer.com/sUBs/dds.scr
http://compendiate.net/sUBs/dds/dds.scr

Double-click DDS to run the scan; Vista or Windows 7 users, accept the UAC alert.
There will be an alert that two logs will be saved to the Desktop, DDS.txt and Attach.txt.
Copy and paste those two logs into your reply when the scan is complete....

Kevin


----------



## wared13 (Dec 28, 2012)

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702
Run by Owner at 12:51:48 on 2012-12-26
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2029.356 [GMT -8:00]
.
AV: ESET Smart Security 5.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled* 
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\FedEx\ShipManager\BIN\FedEx.Gsm.Common.LoggingService.exe
C:\Program Files\FedEx\ShipManager\SQLAnywhere\Bin32\dbsrv11.exe
C:\Program Files\Common Files\Intuit\Entitlement Client\v3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
C:\Program Files\Common Files\Intuit\Entitlement Client\v5.3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Intuit\QuickBooks Point of Sale 6.0\DatabaseServer\QBPOSDBServiceV6.exe
C:\Program Files\Intuit\QuickBooks Point of Sale 8.0\DatabaseServer\QBPOSDBService.exe
C:\Program Files\Intuit\QuickBooks Point of Sale 6.0\DatabaseServer\QBDBMgrN.exe
C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Program Files\Intuit\QuickBooks Point of Sale 8.0\DatabaseServer\QBDBMgrN10.exe
C:\Program Files\Intuit\QuickBooks Point of Sale 8.0\DatabaseServer\QBDBMgrN10.exe
C:\PROGRA~1\Intuit\QUICKB~3\QBDBMgrN.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\FedEx\ShipManager\BIN\AdminService.exe
C:\Program Files\FedEx\ShipManager\BIN\ShipEngineService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\FedEx\ShipManager\BIN\TransEngineService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intuit\QUC2E1~1\QBDBMgrN.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Intuit\QuickBooks 2012\QBW32.EXE
C:\Program Files\Intuit\QuickBooks Point of Sale 8.0\qbpos.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intuit\QuickBooks Point of Sale 8.0\EftSvr.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\Program Files\Coupons.com CouponBar\TbHelper2.exe
C:\PROGRA~1\Intuit\QUC2E1~1\dbextclr11.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\calc.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.seattletimes.com/
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: TBSB07898 Class: {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - c:\program files\coupons.com couponbar\tbcore3.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Coupons.com CouponBar: {8660E5B3-6C41-44DE-8503-98D99BBECD41} - c:\program files\coupons.com couponbar\tbcore3.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Coupons.com CouponBar: {8660E5B3-6C41-44DE-8503-98D99BBECD41} - c:\program files\coupons.com couponbar\tbcore3.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\fedexd~1.lnk - c:\program files\fedex\fedex desktop\FedEx Desktop.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\intuit\quickbooks 2012\QBW32.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoSMConfigurePrograms = dword:1
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: ForceClassicControlPanel = dword:1
mPolicies-Explorer: NoSMConfigurePrograms = dword:1
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1262651089750
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: NameServer = 192.168.254.254
TCP: Interfaces\{7D6B90BF-4843-48E2-BE99-E970FC77CAB4} : DHCPNameServer = 192.168.254.254
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - c:\program files\intuit\quickbooks 2012\HelpAsyncPluggableProtocol.dll
Handler: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - c:\windows\system32\QBPOSProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - 
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2012-3-14 120152]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2012-11-16 913184]
R2 FedExAdminService;FedEx Administration Service;c:\program files\fedex\shipmanager\bin\AdminService.exe [2012-8-23 24576]
R2 FedExLoggingService;FedEx Logging Service;c:\program files\fedex\shipmanager\bin\FedEx.Gsm.Common.LoggingService.exe [2012-8-23 7168]
R2 FedExShipnetDBService;FedEx Shipnet Database Service;c:\program files\fedex\shipmanager\sqlanywhere\bin32\dbsrv11.exe [2012-8-23 141176]
R2 Intuit Entitlement Service v3;Intuit Entitlement Service v3;c:\program files\common files\intuit\entitlement client\v3\server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe [2006-5-24 24576]
R2 Intuit Entitlement Service v5.3;Intuit Entitlement Service v5.3;c:\program files\common files\intuit\entitlement client\v5.3\server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe [2008-7-29 20480]
R2 QBPOSDBServiceV6;QBPOS Database Manager v6;c:\program files\intuit\quickbooks point of sale 6.0\databaseserver\QBPOSDBServiceV6.exe [2007-2-9 1473536]
R2 QBPOSDBServiceV8;QBPOS Database Manager v8;c:\program files\intuit\quickbooks point of sale 8.0\databaseserver\QBPOSDBService.exe [2011-8-12 2734480]
R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2012-3-14 1248256]
R2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\intuit\quickb~3\qbdbmgrn.exe -hvquickbooksdb17 --> c:\progra~1\intuit\quickb~3\QBDBMgrN.exe -hvQuickBooksDB17 [?]
R3 FedExShipService;FedEx Shipping Engine;c:\program files\fedex\shipmanager\bin\ShipEngineService.exe [2012-8-23 5120]
R3 FedExTransactionService;FedEx Transaction Engine;c:\program files\fedex\shipmanager\bin\TransEngineService.exe [2012-8-23 6656]
R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [2008-12-24 80256]
R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [2008-12-16 70016]
R3 QuickBooksDB22;QuickBooksDB22;c:\progra~1\intuit\quc2e1~1\qbdbmgrn.exe -hvquickbooksdb22 --> c:\progra~1\intuit\quc2e1~1\QBDBMgrN.exe -hvQuickBooksDB22 [?]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
R4 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys --> c:\windows\system32\drivers\epfwtdir.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
.
=============== Created Last 30 ================
.
2012-12-26 20:43:25 -------- d-----w- c:\program files\ESET
.
==================== Find3M ====================
.
2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-16 21:57:30 62512 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2012-11-16 21:57:30 160856 ----a-w- c:\windows\system32\drivers\eamon.sys
2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35:34 385024 ----a-w- c:\windows\system32\html.iec
2012-10-02 18:04:21 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-30 03:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 12:52:27.96 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/4/2010 11:59:51 AM
System Uptime: 12/22/2012 11:13:48 AM (97 hours ago)
.
Motherboard: Intel Corporation | | DP35DP
Processor: Intel Pentium III Xeon processor | J1PR | 2999/333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 233 GiB total, 126.705 GiB free.
D: is CDROM (UDF)
E: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_8086&DEV_29C4&SUBSYS_50448086&REV_02\3&61AAA01&0&18
Manufacturer: 
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_8086&DEV_29C4&SUBSYS_50448086&REV_02\3&61AAA01&0&18
Service: 
.
==== System Restore Points ===================
.
RP799: 9/27/2012 5:08:44 PM - System Checkpoint
RP800: 9/29/2012 12:45:05 PM - System Checkpoint
RP801: 9/30/2012 6:39:09 PM - System Checkpoint
RP802: 10/1/2012 2:03:34 PM - Removed Apple Software Update
RP803: 10/1/2012 2:08:19 PM - Removed Microsoft Silverlight
RP804: 10/2/2012 2:59:07 PM - System Checkpoint
RP805: 10/3/2012 6:40:17 PM - System Checkpoint
RP806: 10/4/2012 1:57:53 PM - Installed FedEx Ship Manager Delta.
RP807: 10/4/2012 2:13:10 PM - Removed FedEx Ship Manager.
RP808: 10/4/2012 2:13:52 PM - Installed FedEx Ship Manager.
RP809: 10/5/2012 6:48:43 PM - System Checkpoint
RP810: 10/7/2012 7:26:15 PM - System Checkpoint
RP811: 10/8/2012 7:49:55 PM - System Checkpoint
RP812: 10/9/2012 8:49:50 PM - System Checkpoint
RP813: 10/10/2012 3:00:30 AM - Software Distribution Service 3.0
RP814: 10/11/2012 6:51:42 AM - System Checkpoint
RP815: 10/12/2012 9:15:42 AM - System Checkpoint
RP816: 10/13/2012 2:13:52 PM - System Checkpoint
RP817: 10/14/2012 3:05:37 PM - System Checkpoint
RP818: 10/15/2012 4:28:54 PM - System Checkpoint
RP819: 10/17/2012 2:57:26 PM - System Checkpoint
RP820: 10/18/2012 4:37:37 PM - System Checkpoint
RP821: 10/19/2012 6:20:34 PM - System Checkpoint
RP822: 10/20/2012 7:38:45 PM - System Checkpoint
RP823: 10/21/2012 8:49:43 PM - System Checkpoint
RP824: 10/22/2012 10:53:14 PM - System Checkpoint
RP825: 10/23/2012 11:13:12 PM - System Checkpoint
RP826: 10/25/2012 4:28:12 PM - System Checkpoint
RP827: 10/28/2012 1:24:10 PM - System Checkpoint
RP828: 10/29/2012 5:58:29 PM - System Checkpoint
RP829: 10/30/2012 6:31:13 PM - System Checkpoint
RP830: 10/31/2012 7:31:14 PM - System Checkpoint
RP831: 11/2/2012 6:54:02 PM - System Checkpoint
RP832: 11/3/2012 6:12:42 PM - System Checkpoint
RP833: 11/4/2012 6:30:56 PM - System Checkpoint
RP834: 11/5/2012 7:12:49 PM - System Checkpoint
RP835: 11/6/2012 8:12:48 PM - System Checkpoint
RP836: 11/8/2012 1:03:31 PM - System Checkpoint
RP837: 11/9/2012 3:56:07 PM - System Checkpoint
RP838: 11/11/2012 5:44:02 PM - System Checkpoint
RP839: 11/12/2012 6:35:02 PM - System Checkpoint
RP840: 11/13/2012 7:01:50 PM - System Checkpoint
RP841: 11/15/2012 4:00:12 PM - System Checkpoint
RP842: 11/15/2012 7:21:37 PM - Software Distribution Service 3.0
RP843: 11/16/2012 5:32:21 PM - Installed Microsoft PowerPoint Viewer
RP844: 11/17/2012 7:13:01 PM - Software Distribution Service 3.0
RP845: 11/18/2012 8:57:52 PM - System Checkpoint
RP846: 11/19/2012 3:00:24 AM - Software Distribution Service 3.0
RP847: 11/21/2012 4:26:40 PM - System Checkpoint
RP848: 11/22/2012 5:19:40 PM - System Checkpoint
RP849: 11/23/2012 6:24:56 PM - System Checkpoint
RP850: 11/24/2012 6:54:37 PM - System Checkpoint
RP851: 11/25/2012 2:15:49 PM - Installed iTunes
RP852: 11/26/2012 3:19:03 PM - System Checkpoint
RP853: 11/27/2012 3:38:55 PM - System Checkpoint
RP854: 11/28/2012 4:26:07 PM - System Checkpoint
RP855: 11/29/2012 5:36:45 PM - System Checkpoint
RP856: 11/30/2012 5:40:28 PM - System Checkpoint
RP857: 12/2/2012 2:00:11 PM - System Checkpoint
RP858: 12/3/2012 5:25:08 PM - System Checkpoint
RP859: 12/6/2012 5:35:53 PM - System Checkpoint
RP860: 12/7/2012 9:45:27 PM - System Checkpoint
RP861: 12/9/2012 1:12:54 PM - System Checkpoint
RP862: 12/10/2012 3:16:09 PM - System Checkpoint
RP863: 12/11/2012 3:21:16 PM - System Checkpoint
RP864: 12/12/2012 3:31:32 PM - System Checkpoint
RP865: 12/13/2012 3:00:26 AM - Software Distribution Service 3.0
RP866: 12/14/2012 3:59:25 AM - System Checkpoint
RP867: 12/15/2012 8:14:05 PM - System Checkpoint
RP868: 12/16/2012 9:57:28 PM - System Checkpoint
RP869: 12/17/2012 10:00:50 PM - System Checkpoint
RP870: 12/18/2012 10:36:46 PM - System Checkpoint
RP871: 12/19/2012 11:02:11 PM - System Checkpoint
RP872: 12/21/2012 6:37:36 PM - Software Distribution Service 3.0
RP873: 12/22/2012 7:53:35 PM - System Checkpoint
RP874: 12/23/2012 8:27:03 PM - System Checkpoint
RP875: 12/24/2012 8:51:03 PM - System Checkpoint
RP876: 12/25/2012 9:56:16 PM - System Checkpoint
.
==== Installed Programs ======================
.
7-Zip 4.65
Adobe Flash Player 11 ActiveX
Adobe Reader 9.3.4
Adobe Shockwave Player 11.5
AiO_Scan
Apple Application Support
Apple Mobile Device Support
Apple Software Update
BabasChess
Bonjour
Carbonite
CCleaner
Compatibility Pack for the 2007 Office system
Coupon Printer for Windows
CouponBar
CT-S300 x32 v157
CutePDF Writer 2.8
Defraggler
ESET Smart Security
Everything 1.2.1.371
FedEx Ship Manager
FileZilla Client 3.5.3
Free Window Registry Repair
Google Chrome
Google Desktop
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB971276-v3)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Driver Diagnostics
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
Intel(R) PRO Network Connections Drivers
iTunes
Java Auto Updater
Java(TM) 6 Update 21
Malwarebytes Anti-Malware version 1.65.1.1000
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Office 2003 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Basic Edition 2003
Microsoft Office File Validation Add-In
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft PowerPoint Viewer
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft XML Parser
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
NVIDIA Drivers
OGA Notifier 2.0.0048.0
QFolder
QuickBooks
QuickBooks Point of Sale 6.0
QuickBooks Point of Sale 8.0
QuickBooks Point Of Sale Product Listing Service
QuickBooks Pro 2007
QuickBooks Pro 2012
QuickBooks Pro Edition 2004
QuickBooks Pro Timer
QuickTime Alternative 3.1.0
Real Alternative 2.0.1
Rundll Errors Fix Wizard
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596856) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition 
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2753842)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SmartDraw PDF Export (novaPDF 6.4 printer)
SmartDraw VP
SmartFTP Client
SmartFTP Client 4.0 Setup Files (remove only)
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
Star TSP100 Driver Installer
SweetIM for Messenger 2.8
SweetIM Toolbar for Internet Explorer 3.6
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB971029)
VLC media player 1.1.4
WebFldrs XP
Windows Driver Package - Star Micronics TSP100 (07/26/2006 1.0.4.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Format 11 runtime
Windows Media Player 11
XnView 1.97
XPS Essentials Pack
XPS Essentials Pack 1.0
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
12/23/2012 12:01:19 AM, error: VolSnap [12] - The shadow copy of volume C: became low on diff area space before it was properly installed.
.
==== End Of File ===========================


----------



## kevinf80 (Mar 21, 2006)

Download RogueKiller from here http://tigzy.geekstogo.com/Tools/RogueKiller.exe or here http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe and save it directly to your Desktop.

 Quit all running programs.
 For Vista/Seven, right click -> run as administrator; for XP simply run RogueKiller.exe.
 1. Wait until Prescan has finished...
 The EULA will appear; please select accept.
 2. Ensure MBR scan, Check faked and AntiRootkit are checked.
 3. Select Scan.
 When the scan completes select Report, copy and paste that to your reply.


----------



## wared13 (Dec 28, 2012)

RogueKiller V8.4.1 [Dec 28 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Scan -- Date : 12/28/2012 16:25:52
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 2 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: MIRROR +++++
--- User ---
[MBR] f6480cd2b1989e92dfe4f5fea68e781b
[BSP] 5e99062c50d8519d942ab6c2640bd6e7 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238456 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[1]_S_12282012_02d1625.txt >>
RKreport[1]_S_12282012_02d1625.txt


----------



## kevinf80 (Mar 21, 2006)

Do you still have issues or concerns?


----------



## wared13 (Dec 28, 2012)

Per RogueKiller, I deleted the two registry entries; I believe RogueKiller modified one entry, and deleted the other. However, I'm still having issues pertaining to opening programs like ESET, anti-Malware programs, etc. Please advise.


----------



## kevinf80 (Mar 21, 2006)

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe


 Ensure that Combofix is saved directly to the Desktop **<--- Very important**

 Disable all security programs as they will have a negative effect on Combofix, instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.

 Close any open browsers and any other programs you might have running

 Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")

 Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.

 If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.

 When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*

 If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
 *If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.*
 If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post the log in next reply please...

Kevin


----------



## wared13 (Dec 28, 2012)

ComboFix 12-12-29.02 - Owner 12/29/2012 12:52:24.17.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2029.1312 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Application Data\Toolbar4
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\arrow_refresh.png
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\basis.xml
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\merchant_notification
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cog.png
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\computer_delete.png
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\dataLoader.js
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\icons3.bmp
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\include_files\879ecc39d0be00e1ba71e4872c078138
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\info.txt
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\login.png
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\logo.png
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\search.png
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\TbHelper2.exe
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\tmp\7afdaa54335acddfc0f32d7c411bff25
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\todays_deals.png
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\uninstall.exe
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\update.exe
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\version.txt
c:\windows\TEMP\{16AA8FB8-4A98-4757-B7A5-0FF22C0A6E33}_1101_1\dbdata11.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-11-28 to 2012-12-29 )))))))))))))))))))))))))))))))
.
.
2012-12-28 19:34 . 2012-12-28 19:34 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-12-26 22:27 . 2012-12-26 22:27 -------- d-----w- c:\documents and settings\Owner\Application Data\ESET
2012-12-26 22:21 . 2012-12-26 22:21 -------- d-----w- c:\program files\iPod
2012-12-26 22:20 . 2012-12-26 22:21 -------- d-----w- c:\program files\iTunes
2012-12-26 22:20 . 2012-12-26 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-16 12:23 . 2008-04-14 12:39 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 01:25 . 2008-04-14 08:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-02 02:02 . 2008-04-14 12:41 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2008-05-19 18:16 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2008-05-19 18:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2008-05-19 18:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2008-05-19 18:16 385024 ----a-w- c:\windows\system32\html.iec
2012-10-02 18:04 . 2008-04-14 12:42 58368 ----a-w- c:\windows\system32\synceng.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-05-19 . 4728A2BF7FD18C858772158689ECDAC2 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8660E5B3-6C41-44DE-8503-98D99BBECD41}"= "c:\program files\Coupons.com CouponBar\tbcore3.dll" [2012-02-06 2664864]
.
[HKEY_CLASSES_ROOT\clsid\{8660e5b3-6c41-44de-8503-98d99bbecd41}]
[HKEY_CLASSES_ROOT\TBSB07898.TBSB07898.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB07898.TBSB07898]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{8660E5B3-6C41-44DE-8503-98D99BBECD41}"= "c:\program files\Coupons.com CouponBar\tbcore3.dll" [2012-02-06 2664864]
.
[HKEY_CLASSES_ROOT\clsid\{8660e5b3-6c41-44de-8503-98d99bbecd41}]
[HKEY_CLASSES_ROOT\TBSB07898.TBSB07898.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB07898.TBSB07898]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2012-07-26 17:03 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2012-07-26 17:03 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2012-07-26 17:03 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-09 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2012-05-23 1838592]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2012-10-26 2643320]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2012-07-26 1061960]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
FedEx Desktop.lnk - c:\program files\FedEx\FedEx Desktop\FedEx Desktop.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe [2012-12-6 6186872]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2012-12-6 1176464]
QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2012\QBW32.EXE [2012-12-6 1181584]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"idsvc"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"NVSvc"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2012\\QBDBMgrN.exe"=
"c:\\Program Files\\FedEx\\ShipManager\\SQLANYWHERE\\BIN32\\DBENG11.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\SQLANYWHERE\\BIN32\\DBSRV11.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\BACKUPDATABASEUTILITY.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\FSMREGISTRATION.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\GSMCOMMSETUP.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\LDSEDIT.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\ADMINSERVICE.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\SHIPENGINESERVICE.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\TRANSENGINESERVICE.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\FEDEX.GSM.CAFE.APPLICATIONENGINE.GUI.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\FEDEX.GSM.EXTERNAL.VERIFI.SERVICE.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\REPORTPROCESSING.EXE"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20342:TCP"= 20342:TCP:spport
"3389:TCP"= 3389:TCP:*isabledxpsp2res.dll,-22009
"5353:UDP"= 5353:UDP:home share
.
R2 FedExAdminService;FedEx Administration Service;c:\program files\FedEx\ShipManager\BIN\AdminService.exe [8/23/2012 10:27 AM 24576]
R2 FedExLoggingService;FedEx Logging Service;c:\program files\FedEx\ShipManager\BIN\FedEx.Gsm.Common.LoggingService.exe [8/23/2012 10:26 AM 7168]
R2 FedExShipnetDBService;FedEx Shipnet Database Service;c:\program files\FedEx\ShipManager\SQLAnywhere\Bin32\dbsrv11.exe [8/23/2012 10:21 AM 141176]
R2 Intuit Entitlement Service v3;Intuit Entitlement Service v3;c:\program files\Common Files\Intuit\Entitlement Client\v3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe [5/24/2006 8:09 AM 24576]
R2 Intuit Entitlement Service v5.3;Intuit Entitlement Service v5.3;c:\program files\Common Files\Intuit\Entitlement Client\v5.3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe [7/29/2008 11:26 AM 20480]
R2 QBPOSDBServiceV6;QBPOS Database Manager v6;c:\program files\Intuit\QuickBooks Point of Sale 6.0\DatabaseServer\QBPOSDBServiceV6.exe [2/9/2007 11:02 AM 1473536]
R2 QBPOSDBServiceV8;QBPOS Database Manager v8;c:\program files\Intuit\QuickBooks Point of Sale 8.0\DatabaseServer\QBPOSDBService.exe [8/12/2011 10:07 AM 2734480]
R2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [3/14/2012 4:06 AM 1248256]
R2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB17 [?]
R3 FedExShipService;FedEx Shipping Engine;c:\program files\FedEx\ShipManager\BIN\ShipEngineService.exe [8/23/2012 10:29 AM 5120]
R3 FedExTransactionService;FedEx Transaction Engine;c:\program files\FedEx\ShipManager\BIN\TransEngineService.exe [8/23/2012 10:26 AM 6656]
R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [12/24/2008 5:40 AM 80256]
R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [12/16/2008 6:10 AM 70016]
R3 QuickBooksDB22;QuickBooksDB22;c:\progra~1\Intuit\QUC2E1~1\QBDBMgrN.exe -hvQuickBooksDB22 --> c:\progra~1\Intuit\QUC2E1~1\QBDBMgrN.exe -hvQuickBooksDB22 [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 21:53]
.
2012-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 21:53]
.
2012-12-29 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2010-06-16 17:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.seattletimes.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.254.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-29 13:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3792)
c:\windows\system32\WININET.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\program files\SmartFTP Client\en-US\sfShellTools.dll.mui
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
c:\program files\7-Zip\7-zip.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Intuit\QuickBooks Point of Sale 6.0\DatabaseServer\QBDBMgrN.exe
c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Intuit\QuickBooks Point of Sale 8.0\DatabaseServer\QBDBMgrN10.exe
c:\program files\Intuit\QuickBooks Point of Sale 8.0\DatabaseServer\QBDBMgrN10.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Intuit\QUC2E1~1\QBDBMgrN.exe
.
**************************************************************************
.
Completion time: 2012-12-29 13:03:40 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-29 21:03
ComboFix2.txt 2012-12-28 19:32
ComboFix3.txt 2012-12-13 19:52
ComboFix4.txt 2011-12-31 20:22
ComboFix5.txt 2012-12-29 20:51
.
Pre-Run: 135,890,710,528 bytes free
Post-Run: 135,893,741,568 bytes free
.
- - End Of File - - 1C98C88E244285664DAE1B086AFD2DF9


----------



## wared13 (Dec 28, 2012)

Just now I downloaded a fresh copy of Malwarebytes Anti-Malware, then proceeded to install. After installing, the program attempted to open but was unable; the message is: Unable to execute file: (the directory for mbam.exe) - CreateProcess failed; code 1260. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.


----------



## kevinf80 (Mar 21, 2006)

Go to http://www.virustotal.com/


 1. Click the *Browse...* button
 2. Navigate to the file *c:\windows\system32\sfcfiles.dll* or just copy/paste it in.
 3. Click the *Scan it* tab
 4. If you get a message saying File has already been analyzed: click Reanalyze file now
 5. Copy and paste the results back here please.

Next,

Please download VEW by Vino Rosso from HERE and save it to your Desktop.
Double-click VEW.exe to start; Vista and Windows 7 users right click and select "Run as Administrator".
Under 'Select log to query...' check the boxes for both Application and System.
Under 'Select type to list...' select both Error and Critical.
Click the radio button for 'Number of events...' and type 10 in the 1 to 20 box.
Then click the Run button.
Notepad will open with the output log. It will take a couple of minutes to generate the log, please be patient.

Please post the Output log in your next reply.

Do you have any policies set that may affect system software, etc.?
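One way to answer that question directly, as an added example that is not part of the original thread and not a tool either poster used: a read-only PowerShell script that lists every Software Restriction Policy rule stored under HKLM and HKCU (the `Safer\CodeIdentifiers` keys), decodes the level each rule enforces, and pulls the `SoftwareRestrictionPolicies` warnings that Windows writes each time a program is blocked. It assumes PowerShell 2.0 has been installed on the XP machine (it is not present by default) and that the prompt is run as an administrator.

```powershell
# Added example, not from the original thread: read-only audit of Software
# Restriction Policy (SRP) rules, the mechanism behind "prevented by a software
# restriction policy" / CreateProcess error 1260. Assumes PowerShell 2.0+ on XP.

$LevelNames   = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$HashAlgNames = @{ 32771 = 'MD5'; 32772 = 'SHA1' }   # CALG_MD5 / CALG_SHA1

# Machine policy and per-user policy live in separate hives; check both.
$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)

function Get-SrpRules {
    param([string]$Root)

    if (-not (Test-Path $Root)) {
        Write-Host "$Root : no SRP policy present"
        return
    }

    $ci = Get-ItemProperty -Path $Root
    if ($ci.DefaultLevel -eq $null) {
        $defaultName = 'not set'
    } else {
        $defaultName = $LevelNames[[int]$ci.DefaultLevel]
        if (-not $defaultName) { $defaultName = "unknown ($($ci.DefaultLevel))" }
    }
    Write-Host $Root
    Write-Host "  DefaultLevel       : $defaultName"
    Write-Host "  TransparentEnabled : $($ci.TransparentEnabled)  (1 = executables only, 2 = DLLs too)"
    Write-Host "  PolicyScope        : $($ci.PolicyScope)  (0 = all users, 1 = all except local admins)"

    # A Disallowed (level 0) path or hash rule that matches a security product,
    # or a Disallowed default with no Unrestricted exceptions, produces exactly
    # the error quoted in the thread. Rules are grouped by the level they enforce.
    foreach ($lvl in $LevelNames.Keys) {
        $lvlName = $LevelNames[$lvl]

        # Path rules: ItemData holds the path or wildcard pattern the rule matches.
        $pathsKey = Join-Path $Root "$lvl\Paths"
        if (Test-Path $pathsKey) {
            foreach ($k in Get-ChildItem -Path $pathsKey) {
                $r = Get-ItemProperty -Path $k.PSPath
                New-Object PSObject -Property @{
                    Level = $lvlName; Kind = 'Path'; Rule = $k.PSChildName
                    Target = $r.ItemData; Description = $r.Description
                }
            }
        }

        # Hash rules: ItemData is the binary file hash, HashAlg names the algorithm.
        $hashesKey = Join-Path $Root "$lvl\Hashes"
        if (Test-Path $hashesKey) {
            foreach ($k in Get-ChildItem -Path $hashesKey) {
                $r   = Get-ItemProperty -Path $k.PSPath
                $hex = ($r.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                $alg = $HashAlgNames[[int]$r.HashAlg]
                if (-not $alg) { $alg = "alg $($r.HashAlg)" }
                New-Object PSObject -Property @{
                    Level = $lvlName; Kind = 'Hash'; Rule = $k.PSChildName
                    Target = "$alg $hex ($($r.ItemSize) bytes) $($r.FriendlyName)"
                    Description = $r.Description
                }
            }
        }
    }
}

$rules = foreach ($root in $PolicyRoots) { Get-SrpRules -Root $root }

if ($rules) {
    Write-Host "`nRules found (Disallowed rules aimed at security tools are the ones to examine):"
    $rules | Sort-Object Level, Kind | Format-Table Level, Kind, Target, Rule -AutoSize
} else {
    Write-Host "`nNo path or hash rules defined."
}

# Every blocked launch is recorded in the Application log as a Warning from source
# SoftwareRestrictionPolicies (Event IDs 865-868), naming the file and the rule GUID.
Write-Host "`nRecent SRP block events:"
Get-EventLog -LogName Application -Source SoftwareRestrictionPolicies -Newest 20 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EventID, Message | Format-List
```

Because the block events are logged as Warnings, a query limited to Error and Critical, like the VEW run requested in this post, will not surface them; the `Get-EventLog` call above lists them regardless of level.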


----------



## wared13 (Dec 28, 2012)

SHA256: 3dfa2708eb2864a5d2f4a117de84f6122b601b5083c815d070f88bd44d46f399
SHA1: 7ea34535a858ac214bdf153ed003f0550461288c
MD5: 4728a2bf7fd18c858772158689ecdac2
File size: 1.5 MB (1614848 bytes)
File name: sfcfiles.dll
File type: Win32 DLL
Detection ratio: 0 / 45
Analysis date: 2012-12-29 22:30:38 UTC (1 minute ago)


----------



## wared13 (Dec 28, 2012)

Vino's Event Viewer v01c run on Windows XP in English
Report run at 29/12/2012 2:42:40 PM
Note: All dates below are in the format dd/mm/yyyy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 29/12/2012 1:10:24 PM
Type: error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks Pro 2012":
DBConnPool::HandleConnectionError errorCode:-6069, dbCode:-103 from file:'.\.\src\ConnPool.cpp' at line 1038 from function:'DBMgr:BConnPool::init'
Log: 'Application' Date/Time: 29/12/2012 1:10:24 PM
Type: error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks Pro 2012":
Connection String:CON=QBConnectionPool-Probe-QB_XPPRO_22;;DBF=C:\Documents and Settings\Owner\Desktop\Backups\Hellams Vineyard, L.L.C..QBW;CommLinks="ShMem,tcpip(IP=192.168.254.24;TO=5;DOBROADCAST=NONE;port=55348)";ServerName=QB_XPPRO_22;DBN=647532f9915b423380fb89928b38e26e
Log: 'Application' Date/Time: 29/12/2012 1:10:24 PM
Type: error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks Pro 2012":
Connection Error:Invalid user ID or password
Log: 'Application' Date/Time: 29/12/2012 1:01:05 PM
Type: error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
Log: 'Application' Date/Time: 29/12/2012 1:01:05 PM
Type: error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
Log: 'Application' Date/Time: 29/12/2012 1:01:05 PM
Type: error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
Log: 'Application' Date/Time: 29/12/2012 12:50:19 PM
Type: error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
Log: 'Application' Date/Time: 29/12/2012 12:50:19 PM
Type: error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
Log: 'Application' Date/Time: 29/12/2012 12:50:19 PM
Type: error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
Log: 'Application' Date/Time: 29/12/2012 12:44:43 PM
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application ekrn.exe, version 5.2.15.0, faulting module msvcr80.dll, version 8.0.50727.6195, fault address 0x0001500a. 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 28/12/2012 11:35:19 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF} 
Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666} 
Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666} 
Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666} 
Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666} 
Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666} 
Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666} 
Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666} 
Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666} 
Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}


----------



## wared13 (Dec 28, 2012)

No settings/policies that would restrict any programs


----------



## kevinf80 (Mar 21, 2006)

Download Windows Repair Tool by Tweaking.com from here :- http://majorgeeks.com/Tweaking.com_-_Windows_Repair_Portable_d7222.html and unzip the contents into a newly created folder on your desktop.


 Now open Repair_Windows.exe in the folder
 Go to *Step 4* and create a *Restore Point*
 Go to *Start repairs tab* then select *Start*
 In the Custom Mode window, only select the following repair options:

Reset Registry Permissions
Reset File Permissions
Register System Files
Repair WMI
Repair Internet Explorer
Remove Policies Set By Infections
Repair MSI (Windows Installer)

 Click the Start button.

Be patient while the tool repairs the selected items.
If prompted, reboot the computer for the changes to take effect; make sure other tasks in the program are not still running before re-booting..

Let me see the log which will be found in this folder:

C:\Tweaking.com_windows_Repair_Logs

Has that made any difference?


----------



## wared13 (Dec 28, 2012)

going through the repair process now... will post the log upon completion


----------



## kevinf80 (Mar 21, 2006)

OK, let me know how your system responds...


----------



## wared13 (Dec 28, 2012)

Starting Repairs...
Start (12/29/2012 3:11:07 PM)
Reset Registry Permissions 01/03
HKEY_CURRENT_USER & Sub Keys
Start (12/29/2012 3:11:07 PM)
Done (12/29/2012 3:11:18 PM)
Reset Registry Permissions 02/03
HKEY_LOCAL_MACHINE & Sub Keys
Start (12/29/2012 3:11:18 PM)
Done (12/29/2012 3:12:02 PM)
Reset Registry Permissions 03/03
HKEY_CLASSES_ROOT & Sub Keys
Start (12/29/2012 3:12:02 PM)
Done (12/29/2012 3:13:18 PM)
Reset File Permissions 01/24
C:\$NtUninstallXPSEP$ & Sub Folders
Start (12/29/2012 3:13:18 PM)
Done (12/29/2012 3:13:20 PM)
Reset File Permissions 02/24
C:\Adobe & Sub Folders
Start (12/29/2012 3:13:20 PM)
Done (12/29/2012 3:13:24 PM)
Reset File Permissions 03/24
C:\BabasChess & Sub Folders
Start (12/29/2012 3:13:24 PM)
Done (12/29/2012 3:13:27 PM)
Reset File Permissions 04/24
C:\Backup & Sub Folders
Start (12/29/2012 3:13:27 PM)
Done (12/29/2012 3:13:33 PM)
Reset File Permissions 05/24
C:\cmdcons & Sub Folders
Start (12/29/2012 3:13:33 PM)
Done (12/29/2012 3:13:38 PM)
Reset File Permissions 06/24
C:\Config.Msi & Sub Folders
Start (12/29/2012 3:13:38 PM)
Done (12/29/2012 3:13:40 PM)
Reset File Permissions 07/24
C:\dfc6e537fec3011a90f8065b3167a567 & Sub Folders
Start (12/29/2012 3:13:40 PM)
Done (12/29/2012 3:13:43 PM)
Reset File Permissions 08/24
C:\Drivers & Sub Folders
Start (12/29/2012 3:13:43 PM)
Done (12/29/2012 3:13:45 PM)
Reset File Permissions 09/24
C:\FedEx & Sub Folders
Start (12/29/2012 3:13:45 PM)
Done (12/29/2012 3:14:04 PM)
Reset File Permissions 10/24
C:\fsm & Sub Folders
Start (12/29/2012 3:14:04 PM)
Done (12/29/2012 3:14:06 PM)
Reset File Permissions 11/24
C:\Hellams Vineyard & Sub Folders
Start (12/29/2012 3:14:06 PM)
Done (12/29/2012 3:14:08 PM)
Reset File Permissions 12/24
C:\HP & Sub Folders
Start (12/29/2012 3:14:08 PM)
Done (12/29/2012 3:14:17 PM)
Reset File Permissions 13/24
C:\Italy Pics & Sub Folders
Start (12/29/2012 3:14:17 PM)
Done (12/29/2012 3:14:42 PM)
Reset File Permissions 14/24
C:\MSOCache & Sub Folders
Start (12/29/2012 3:14:42 PM)
Done (12/29/2012 3:14:46 PM)
Reset File Permissions 15/24
C:\Program Files & Sub Folders
Start (12/29/2012 3:14:46 PM)
Done (12/29/2012 3:17:58 PM)
Reset File Permissions 16/24
C:\Qoobox & Sub Folders
Start (12/29/2012 3:17:58 PM)
Done (12/29/2012 3:18:03 PM)
Reset File Permissions 17/24
C:\QuickBooks Pro & Sub Folders
Start (12/29/2012 3:18:03 PM)
Done (12/29/2012 3:18:17 PM)
Reset File Permissions 18/24
C:\Real & Sub Folders
Start (12/29/2012 3:18:17 PM)
Done (12/29/2012 3:18:24 PM)
Reset File Permissions 19/24
C:\Star & Sub Folders
Start (12/29/2012 3:18:24 PM)
Done (12/29/2012 3:18:26 PM)
Reset File Permissions 20/24
C:\StarMicronics & Sub Folders
Start (12/29/2012 3:18:26 PM)
Done (12/29/2012 3:18:28 PM)
Reset File Permissions 21/24
C:\temp & Sub Folders
Start (12/29/2012 3:18:28 PM)
Done (12/29/2012 3:18:31 PM)
Reset File Permissions 22/24
C:\Tweaking.com_Windows_Repair_Logs & Sub Folders
Start (12/29/2012 3:18:31 PM)
Done (12/29/2012 3:18:33 PM)
Reset File Permissions 23/24
C:\WINDOWS & Sub Folders
Start (12/29/2012 3:18:33 PM)
Done (12/29/2012 3:22:48 PM)
Reset File Permissions 24/24
C:\ZebraDriver & Sub Folders
Start (12/29/2012 3:22:48 PM)
Done (12/29/2012 3:22:50 PM)
Register System Files
Start (12/29/2012 3:22:50 PM)
Done (12/29/2012 3:24:30 PM)
Repair WMI
Start (12/29/2012 3:24:30 PM)
Step 01/03 - Deleting WMI Repository...
The system cannot find the path specified.
Step 02/03 - Rebuilding WMI Repository...
Step 03/03 - Registering WMI...
Invalid Global Switch.
Done (12/29/2012 3:25:43 PM)
Repair Internet Explorer
Start (12/29/2012 3:25:43 PM)
Done (12/29/2012 3:26:09 PM)
Remove Policies Set By Infections
Start (12/29/2012 3:26:09 PM)
Done (12/29/2012 3:26:14 PM)
Repair MSI (Windows Installer)
Start (12/29/2012 3:26:14 PM)
The Windows Installer service is not started.
More help is available by typing NET HELPMSG 3521.
Done (12/29/2012 3:26:20 PM)
Cleaning up empty logs...
All Selected Repairs Done.
Done (12/29/2012 3:26:20 PM)
Total Repair Time: 00:15:13

...YOU MUST RESTART YOUR SYSTEM...


----------



## wared13 (Dec 28, 2012)

what is the best way to test now?


----------



## wared13 (Dec 28, 2012)

Just had the same result again with Malwarebytes... installed a fresh copy, tried to run and received the error message. Confusing!


----------



## kevinf80 (Mar 21, 2006)

That would suggest that a group policy has been set, can you go here http://support.microsoft.com/kb/310791 follow the instruction to see if there is an active policy...


----------



## wared13 (Dec 28, 2012)

I haven't been able to find any group policies; I checked even before posting my help question here. I'm a bit stumped by this and if possible, would welcome a remote access situation so you can have a look... please let me know, thank you.


----------



## kevinf80 (Mar 21, 2006)

Can you do the following, select start > run > in the open box type *regedit* tap enter. That should open REGEDIT.

Expand the following keys in turn. When you have expanded to *Current Version* scroll to policies and right click on that folder > select "export" save that to your Desktop name the one from HKEY_LOCAL_MACHINE *hklm* and the one from HKEY_CURRENT_USER *hkcu*

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

Zip both files and attach to reply..

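To check the two Policies exports Kevin asks for without reading them by hand, here is an added Python example (not part of the thread, and not a tool by either poster) that parses regedit export text and flags the policy values that can block programs. Beyond the two keys named above, it also checks HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, where Software Restriction Policy settings are stored; the sample registry text is constructed.

```python
# Constructed sample in the layout regedit produces (a real export is UTF-16 text; open it
# with encoding="utf-16"). Safer\CodeIdentifiers DefaultLevel 0 means "Disallowed".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="mbam.exe"
"2"="ekrn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00000000
"TransparentEnabled"=dword:00000001
"""

# Policy value names that lock users out of tools or block programs when set to 1.
RESTRICTIVE_VALUES = {"DisallowRun", "NoRun", "DisableTaskMgr", "DisableRegistryTools", "DisableCMD"}
SAFER_DISALLOWED = 0  # 0x40000 would be Unrestricted, 0x20000 Basic User


def parse_reg(text):
    """Parse regedit export text into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # dword values are hex; strings are quoted; hex(...) blobs are kept verbatim
            keys[current][name] = int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"')
    return keys


def find_restrictions(keys):
    """Return findings for policy entries that can stop security tools from running."""
    findings = []
    for path, values in keys.items():
        lower = path.lower()
        if "\\policies\\" not in lower:
            continue
        for name, value in values.items():
            if name in RESTRICTIVE_VALUES and value == 1:
                findings.append(f"{path}: {name} is enabled")
            if name == "DefaultLevel" and value == SAFER_DISALLOWED and "\\safer\\" in lower:
                findings.append(f"{path}: SRP DefaultLevel is Disallowed (0)")
        if lower.endswith("\\disallowrun") and values:
            findings.append(f"{path}: blocked programs {sorted(values.values())}")
    return findings
```

Run `find_restrictions(parse_reg(open("hklm.reg", encoding="utf-16").read()))` against each export; an empty list means nothing in that hive's Policies tree is blocking programs.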

----------



## wared13 (Dec 28, 2012)

Files


----------



## kevinf80 (Mar 21, 2006)

Run the following:

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from here: http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe


 Double-click FixPolicies.exe.
 Click the "Install" button on the bottom toolbar of the box that will open.
 The program will create a new Folder called FixPolicies.
 Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
 A black box will briefly appear and then close.
 This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again. 

Kevin


----------



## wared13 (Dec 28, 2012)

The problem appears to have been resolved; thank you *very much* for your thorough assistance! 
Happy New Year


----------



## kevinf80 (Mar 21, 2006)

You're very welcome...


----------

