# I think I have a virus



## Pokeyturtle (Oct 25, 2012)

Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows XP Home Edition, Service Pack 3, 32 bit
Processor: Intel(R) Pentium(R) 4 CPU 2.60GHz, x86 Family 15 Model 2 Stepping 9
Processor Count: 2
RAM: 494 Mb
Graphics Card: Intel(R) 82865G Graphics Controller, 96 Mb
Hard Drives: C: Total - 78159 MB, Free - 48264 MB;
Motherboard: Intel Corporation, D865GLC
Antivirus: Microsoft Security Essentials, Updated: Yes, On-Demand Scanner: Enabled

Hi, 
So much to say and not sure where to start. Well, over a year and a half ago a Windstream service man came out to my home to replace my modem. Not sure what he did, but ever since that day my computer has never started up the same. It goes to a black screen, with words before starting Windows, which takes a while to load. Not long after that, in July 2011, my WinPatrol detected a new start up, which I disapproved. As soon as I clicked No, another start up program was detected. It kept repeating this, and I clicked No every time. At the time I had McAfee. I put my system in lock down to run a scan and noticed that my firewall was disabled. It would not let me enable it. Microsoft technicians had me remove McAfee and install MSE. The virus at the time was so new that nothing we used detected it. It was disguised as rundll32 (2 files), same name as a legitimate system file. It deleted all my restore points too. Microsoft techs were never able to remove the files, but said they were now disabled. I recently downloaded CCleaner to see if that would speed up my computer and think I may have reversed what the Microsoft techs did. I'm getting lots of spam and sometimes when I start my computer I get the red shield saying that my virus protection is turned off and I can not turn it on in the Control Panel. If I open MSE it says everything is fine. I noticed when I turn off real-time protection, and quickly turn it back on, the red shield goes away and the virus protection becomes enabled again. I don't know what that's all about. Also, every time I defrag, there are fragmented files (maybe corrupted) that can't be moved. It won't show what the files are. Hope this wasn't too much information, and thanks for your time. Pokeyturtle

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:36:44 AM, on 10/25/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\TypeItIn\TypeItIn.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1350968930078
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Unknown owner - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (file missing)

--
End of file - 3896 bytes

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-10-19.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 8/14/2003 12:20:11 PM
System Uptime: 10/25/2012 6:29:50 AM (3 hours ago)
.
Motherboard: Intel Corporation | | D865GLC 
Processor: Intel(R) Pentium(R) 4 CPU 2.60GHz | J2E1 | 2593/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 76 GiB total, 47.148 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: IDE\CDROMHL-DT-ST_DVD-ROM_GDR8161B_______________0040____\5&79E09EB&0&0.0.0
Manufacturer: (Standard CD-ROM drives)
Name: HL-DT-ST DVD-ROM GDR8161B
PNP Device ID: IDE\CDROMHL-DT-ST_DVD-ROM_GDR8161B_______________0040____\5&79E09EB&0&0.0.0
Service: cdrom
.
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: IDE\CDROMLITE-ON_LTR-48246S______________________SGS3____\5&79E09EB&0&0.1.0
Manufacturer: (Standard CD-ROM drives)
Name: LITE-ON LTR-48246S
PNP Device ID: IDE\CDROMLITE-ON_LTR-48246S______________________SGS3____\5&79E09EB&0&0.1.0
Service: cdrom
.
Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Microsoft Kernel GS Wavetable Synthesizer
Device ID: SW\{6C1B9F60-C0A9-11D0-96D8-00AA0051E51D}\{9B365890-165F-11D0-A195-0020AFD156E4}
Manufacturer: Microsoft
Name: Microsoft Kernel GS Wavetable Synthesizer
PNP Device ID: SW\{6C1B9F60-C0A9-11D0-96D8-00AA0051E51D}\{9B365890-165F-11D0-A195-0020AFD156E4}
Service: swmidi
.
Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Microsoft Kernel DLS Synthesizer
Device ID: SW\{8C07DD50-7A8D-11D2-8F8C-00C04FBF8FEF}\DMUSIC
Manufacturer: Microsoft
Name: Microsoft Kernel DLS Synthesizer
PNP Device ID: SW\{8C07DD50-7A8D-11D2-8F8C-00C04FBF8FEF}\DMUSIC
Service: DMusic
.
==== System Restore Points ===================
.
RP29: 9/29/2012 12:35:06 PM - System Checkpoint
RP30: 9/30/2012 10:26:25 AM - Software Distribution Service 3.0
RP31: 10/1/2012 10:26:26 AM - Software Distribution Service 3.0
RP32: 10/2/2012 9:02:17 AM - Software Distribution Service 3.0
RP33: 10/2/2012 10:36:34 PM - Software Distribution Service 3.0
RP34: 10/4/2012 3:45:47 AM - System Checkpoint
RP35: 10/4/2012 6:37:57 AM - Microsoft Antimalware Checkpoint
RP36: 10/4/2012 6:45:05 AM - Software Distribution Service 3.0
RP37: 10/5/2012 9:45:45 AM - Software Distribution Service 3.0
RP38: 10/6/2012 12:42:08 AM - Software Distribution Service 3.0
RP39: 10/6/2012 4:10:00 AM - Microsoft Antimalware Checkpoint
RP40: 10/6/2012 9:45:44 AM - Software Distribution Service 3.0
RP41: 10/7/2012 10:00:14 AM - System Checkpoint
RP42: 10/8/2012 9:29:07 AM - Software Distribution Service 3.0
RP43: 10/9/2012 9:28:49 AM - Software Distribution Service 3.0
RP44: 10/10/2012 10:56:43 AM - Software Distribution Service 3.0
RP45: 10/10/2012 11:03:51 AM - Software Distribution Service 3.0
RP46: 10/10/2012 3:31:51 PM - Software Distribution Service 3.0
RP47: 10/11/2012 3:58:13 PM - System Checkpoint
RP48: 10/12/2012 9:43:22 AM - Software Distribution Service 3.0
RP49: 10/13/2012 12:58:33 AM - Software Distribution Service 3.0
RP50: 10/13/2012 8:20:01 PM - Software Distribution Service 3.0
RP51: 10/15/2012 8:25:49 AM - Software Distribution Service 3.0
RP52: 10/16/2012 11:16:00 AM - Software Distribution Service 3.0
RP53: 10/17/2012 3:15:25 PM - System Checkpoint
RP54: 10/18/2012 7:58:43 AM - Software Distribution Service 3.0
RP55: 10/18/2012 9:47:21 AM - Removed Java 7 Update 7
RP56: 10/18/2012 10:42:42 AM - Removed Microsoft .NET Framework 1.1
RP57: 10/18/2012 5:56:00 PM - Software Distribution Service 3.0
RP58: 10/19/2012 9:31:26 AM - Installed Java 7 Update 9
RP59: 10/20/2012 1:15:03 AM - Software Distribution Service 3.0
RP60: 10/20/2012 8:52:11 AM - Software Distribution Service 3.0
RP61: 10/21/2012 9:34:30 AM - System Checkpoint
RP62: 10/22/2012 10:32:32 AM - System Checkpoint
RP63: 10/23/2012 12:52:31 AM - Restore Operation
RP64: 10/23/2012 1:32:34 AM - Software Distribution Service 3.0
RP65: 10/23/2012 1:40:17 AM - Software Distribution Service 3.0
RP66: 10/23/2012 11:40:48 AM - Removed Java 7 Update 7
RP67: 10/23/2012 5:41:43 PM - Installed Java 7 Update 9
RP68: 10/24/2012 7:54:37 AM - Software Distribution Service 3.0
RP69: 10/24/2012 6:31:24 PM - Microsoft Antimalware Checkpoint
RP70: 10/25/2012 6:23:56 AM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Acrobat.com
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.4)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Auslogics Disk Defrag
Bonjour
Canon Easy-PhotoPrint EX
Canon IJ Network Scanner Selector EX
Canon IJ Network Tool
Canon MG3100 series MP Drivers
Canon MG3100 series On-screen Manual
Canon MG3100 series User Registration
Canon MP Navigator EX 5.0
Canon My Printer
Canon Solution Menu EX
CCleaner
Coupon Printer for Windows
Do More 7.0
Easy CD Creator 5 Basic
EPSON Printer Software
FrostWire 5.3.9
G-Force
Gateway Drivers and Applications Recovery
Gateway IE Customizations
Gateway User's Guide
Google Update Helper
GTW V.92 Voicemodem
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB954550-v5)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
iTunes
Java 7 Update 9
Java Auto Updater
Malwarebytes Anti-Malware version 1.65.1.1000
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Picture It! Express 2001
Microsoft Picture It! Photo 7.0
Microsoft Security Client
Microsoft Security Essentials
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows XP Video Decoder Checkup Utility
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
Mozilla Firefox 16.0.1 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
PC-Doctor for Windows
PokerStars
PowerDVD SE
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB923689)
Shockwave
TypeItIn
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Windows Internet Explorer 8 (KB2632503)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2749655)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Windstream Broadband Check-up Center
WinPatrol
WinRAR 4.01 (32-bit)
Works Suite OS Pack
Xvid Video Codec
.
==== Event Viewer Messages From Past Week ========
.
10/25/2012 1:23:45 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
10/25/2012 1:23:45 AM, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
10/24/2012 6:38:18 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
10/23/2012 3:17:19 AM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.2 with the system having network hardware address 00:C6:10:73:2B:94. Network operations on this system may be disrupted as a result.
10/23/2012 2:29:03 AM, error: Dhcp [1002] - The IP address lease 192.168.1.5 for the Network Card with network address 0007E94AF7F0 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/23/2012 12:18:45 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
10/23/2012 11:47:01 AM, error: Service Control Manager [7000] - The MBAMScheduler service failed to start due to the following error: The system cannot find the path specified.
10/23/2012 11:47:01 AM, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: The system cannot find the path specified.
10/23/2012 11:09:36 AM, error: Service Control Manager [7034] - The MBAMScheduler service terminated unexpectedly. It has done this 1 time(s).
10/23/2012 1:48:52 AM, error: Service Control Manager [7024] - The Java Quick Starter service terminated with service-specific error 1 (0x1).
10/23/2012 1:28:08 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
10/23/2012 1:26:58 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/23/2012 1:23:59 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
10/23/2012 1:14:47 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.139.196.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8800.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode 
10/23/2012 1:05:20 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm MpFilter
10/23/2012 1:03:54 AM, error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x80070002 Error description: The system cannot find the file specified. Signature version: 1.137.1239.0;1.137.1239.0 Engine version: 1.1.8800.0
10/22/2012 8:38:22 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.139.220.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8904.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 
10/19/2012 8:40:18 AM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 0007E94AF7F0 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/19/2012 8:38:17 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
10/19/2012 8:37:59 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
10/19/2012 6:44:13 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
10/19/2012 6:44:13 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
10/19/2012 6:44:13 AM, error: Service Control Manager [7001] - The Simple TCP/IP Services service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
10/19/2012 6:44:13 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/19/2012 6:44:13 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/19/2012 6:44:13 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
10/18/2012 7:47:36 AM, error: Dhcp [1002] - The IP address lease 192.168.1.4 for the Network Card with network address 0007E94AF7F0 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/18/2012 11:16:34 AM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
10/18/2012 10:42:58 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the COM+ System Application service to connect.
10/18/2012 10:42:58 AM, error: Service Control Manager [7000] - The COM+ System Application service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/18/2012 10:42:56 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service COMSysApp with arguments "" in order to run the server: {182C40F0-32E4-11D0-818B-00A0C9231C29}
.
==== End Of File ===========================

As for the GMER log, I forgot to rename it and lost the information. I'll rescan that now.
---------------------------------------------------
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-25 16:22:09
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_6Y080L0 rev.YAR41BW0
Running: 7v00ql1c.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kgkdypow.sys

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF754F87E] <-- ROOTKIT !!!
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF754FBFE] <-- ROOTKIT !!!

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\alg.exe? (*** hidden *** ) [MANUAL] ALG <-- ROOTKIT !!!
Service C:\WINDOWS\system32\cisvc.exe? (*** hidden *** ) [MANUAL] CiSvc <-- ROOTKIT !!!
Service C:\WINDOWS\system32\clipsrv.exe? (*** hidden *** ) [MANUAL] ClipSrv <-- ROOTKIT !!!
Service C:\WINDOWS\system32\imapi.exe? (*** hidden *** ) [MANUAL] ImapiService <-- ROOTKIT !!!
Service C:\WINDOWS\system32\lsass.exe? (*** hidden *** ) [AUTO] PolicyAgent <-- ROOTKIT !!!
Service C:\WINDOWS\system32\lsass.exe? (*** hidden *** ) [AUTO] ProtectedStorage <-- ROOTKIT !!!
Service C:\WINDOWS\system32\spoolsv.exe? (*** hidden *** ) [AUTO] Spooler <-- ROOTKIT !!!
Service C:\WINDOWS\System32\ups.exe? (*** hidden *** ) [MANUAL] UPS <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000

---- EOF - GMER 1.0.15 ----


----------



## Pokeyturtle (Oct 25, 2012)

If needed, I have also saved my logs from WinPatrol 
(HijackPatrol.log & WinPatrolLog.html) I'll wait for reply before posting them. 

Trying to be patient, pokeyturtle


----------



## kevinf80 (Mar 21, 2006)

Download aswMBR from *Here*

*If it asks to update during the process please allow this to happen.*


- Save aswMBR.exe to your Desktop
- Double click aswMBR.exe to run it
- Ensure Quick scan is selected, then select the Scan button to start the scan as illustrated below

Note: Do not take action against any ***Rootkit*** entries until I have reviewed the log. Often there are false positives

Once the scan finishes click Save log to save the log to your Desktop.

Copy and paste the contents of aswMBR.txt back here for review

You will also notice another file created on the desktop named MBR.dat. Right-click that file and select Send To and then Compressed (zipped) file. Attach that zipped file to your next reply as well.

Kevin


----------



## Pokeyturtle (Oct 25, 2012)

Hi Kevin,

Thanks so much for your help. Downloaded aswMBR and it wants me to install avast free antivirus. I selected No. I don't see an option to select Quick scan. What should I do now?


----------



## kevinf80 (Mar 21, 2006)

Just select the Scan tab and follow the rest of the instructions...


----------



## Pokeyturtle (Oct 25, 2012)

Here is the aswMBR log

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-10-25 17:45:57
-----------------------------
17:45:57.984 OS Version: Windows 5.1.2600 Service Pack 3
17:45:57.984 Number of processors: 2 586 0x209
17:45:58.000 ComputerName: GATEWAY-348915F UserName: Owner
17:46:21.968 Initialize success
18:13:04.968 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:13:04.984 Disk 0 Vendor: Maxtor_6Y080L0 YAR41BW0 Size: 78167MB BusType: 3
18:13:05.000 Disk 0 MBR read successfully
18:13:05.000 Disk 0 MBR scan
18:13:05.000 Disk 0 Windows XP default MBR code
18:13:05.000 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 78159 MB offset 63
18:13:05.015 Disk 0 scanning sectors +160071660
18:13:05.140 Disk 0 scanning C:\WINDOWS\system32\drivers
18:13:24.468 Service scanning
18:13:47.000 Service MpKslbc864d19 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7FA00908-18A9-40A9-9E26-AB8A478F784F}\MpKslbc864d19.sys **LOCKED** 32
18:14:03.062 Modules scanning
18:14:25.203 Disk 0 trace - called modules:
18:14:25.234 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys 
18:14:25.234 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8638f030]
18:14:25.750 3 CLASSPNP.SYS[f753ffd7] -> nt!IofCallDriver -> \Device\0000005a[0x86380f18]
18:14:25.750 5 ACPI.sys[f74b6620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x863cfd98]
18:14:25.750 Scan finished successfully
18:15:14.437 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
18:15:14.671 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"


----------



## Pokeyturtle (Oct 25, 2012)

MBR.zip


----------



## kevinf80 (Mar 21, 2006)

OK, proceed as follows:

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

*Combofix*


 Ensure that Combofix is saved directly to the Desktop * <--- Very important*

 Disable all security programs as they will have a negative effect on Combofix, instructions available *Here* if required. Be aware the list may not have all programs listed, if you need more help please ask.

 Close any open browsers and any other programs you might have running

 Double click the Combofix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")

 Instructions for running Combofix available *Here* if required.

 If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.

 When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

*Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze*

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read *Here* why disabling autoruns is recommended.

*EXTRA NOTES*

 If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
 *If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal*
 If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the log in next reply please...

Kevin


----------



## Pokeyturtle (Oct 25, 2012)

ComboFix 12-10-25.02 - Owner 10/25/2012 19:19:11.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.237 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Application Data\3pvw.log
c:\documents and settings\Owner\g2mdlhlpx.exe
c:\documents and settings\Owner\GoToAssistDownloadHelper.exe
c:\program files\Internet Explorer\SET108A.tmp
c:\program files\Internet Explorer\SETCBB.tmp
c:\windows\help\wmplayer.bak
c:\windows\system32\_003711_.tmp.dll
c:\windows\system32\_003717_.tmp.dll
c:\windows\system32\_003725_.tmp.dll
c:\windows\system32\_003728_.tmp.dll
c:\windows\system32\_003733_.tmp.dll
c:\windows\system32\_003742_.tmp.dll
c:\windows\system32\_003750_.tmp.dll
c:\windows\system32\_003758_.tmp.dll
c:\windows\system32\_003761_.tmp.dll
c:\windows\system32\_003767_.tmp.dll
c:\windows\system32\_003877_.tmp.dll
c:\windows\system32\_003878_.tmp.dll
c:\windows\system32\_003879_.tmp.dll
c:\windows\system32\_003880_.tmp.dll
c:\windows\system32\_003883_.tmp.dll
c:\windows\system32\_003884_.tmp.dll
c:\windows\system32\_003885_.tmp.dll
c:\windows\system32\_003886_.tmp.dll
c:\windows\system32\_003891_.tmp.dll
c:\windows\system32\_003892_.tmp.dll
c:\windows\system32\_003893_.tmp.dll
c:\windows\system32\_003894_.tmp.dll
c:\windows\system32\_003899_.tmp.dll
c:\windows\system32\_003900_.tmp.dll
c:\windows\system32\_003901_.tmp.dll
c:\windows\system32\_003902_.tmp.dll
c:\windows\system32\_003907_.tmp.dll
c:\windows\system32\_003908_.tmp.dll
c:\windows\system32\_003909_.tmp.dll
c:\windows\system32\_003910_.tmp.dll
c:\windows\system32\_003911_.tmp.dll
c:\windows\system32\_003916_.tmp.dll
c:\windows\system32\_003917_.tmp.dll
c:\windows\system32\_003918_.tmp.dll
c:\windows\system32\_003919_.tmp.dll
c:\windows\system32\_003924_.tmp.dll
c:\windows\system32\_003925_.tmp.dll
c:\windows\system32\_003926_.tmp.dll
c:\windows\system32\_003927_.tmp.dll
c:\windows\system32\_003933_.tmp.dll
c:\windows\system32\_003934_.tmp.dll
c:\windows\system32\_003935_.tmp.dll
c:\windows\system32\_003936_.tmp.dll
c:\windows\system32\_006844_.tmp(2)(3).dll
c:\windows\system32\_006887_.tmp(2)(3).dll
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\Packet.dll
c:\windows\system32\Temp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\system32\wpcap.dll
C:\XPHOME.T
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_LOCAL_ACCOUNT_AUTHORITY_SERVICE
-------\Legacy_MOUSEDRIVER
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2012-09-25 to 2012-10-25 )))))))))))))))))))))))))))))))
.
.
2012-10-25 21:46 . 2012-10-25 21:46 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7FA00908-18A9-40A9-9E26-AB8A478F784F}\MpKslbc864d19.sys
2012-10-25 10:39 . 2012-10-25 10:39 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7FA00908-18A9-40A9-9E26-AB8A478F784F}\offreg.dll
2012-10-25 10:39 . 2012-10-25 10:39 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7FA00908-18A9-40A9-9E26-AB8A478F784F}\MpKsl67d22a8e.sys
2012-10-25 10:32 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7FA00908-18A9-40A9-9E26-AB8A478F784F}\mpengine.dll
2012-10-25 10:15 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-10-25 04:59 . 2012-10-25 04:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2012-10-25 04:59 . 2012-10-25 04:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-10-25 04:59 . 2012-10-25 04:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-25 04:59 . 2012-09-29 23:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-25 04:39 . 2012-10-25 05:28 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-10-24 22:30 . 2012-10-24 22:30 -------- d-----w- C:\TDSSKiller_Quarantine
2012-10-23 21:44 . 2012-10-23 21:44 -------- d-----w- c:\program files\Common Files\Java
2012-10-23 21:42 . 2012-10-23 21:41 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-23 21:41 . 2012-10-23 21:41 -------- d-----w- c:\program files\Java
2012-10-23 06:58 . 2012-10-23 17:07 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\NETGEARGenie
2012-10-23 06:58 . 2012-10-23 06:58 35088 ----a-w- c:\windows\system32\drivers\npf.sys
2012-10-23 05:01 . 2012-10-23 05:01 -------- d-----w- c:\windows\system32\wbem\Repository
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\Auslogics
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\CCleaner
2012-10-23 04:58 . 2012-10-24 22:37 -------- d-----w- c:\program files\Common Files\Motive
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\ALLTEL DSL Check-up Center
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\MSXML 4.0
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\Common Files\NSV
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\Citrix
2012-10-23 04:57 . 2012-10-23 04:57 -------- d-----w- c:\program files\MUSICMATCH
2012-10-23 04:57 . 2012-10-23 04:57 -------- d-----w- c:\program files\Hitman Pro 3.5
2012-10-23 04:57 . 2012-10-23 04:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-10-23 04:57 . 2012-10-23 04:57 -------- d-----w- c:\program files\Common Files\Real
2012-10-23 04:57 . 2012-10-23 04:57 -------- d-----w- C:\AOL Instant Messenger
2012-10-19 13:30 . 2012-10-19 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-10-02 19:32 . 2012-10-02 19:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-09-29 02:20 . 2012-10-02 19:10 -------- d-----w- c:\documents and settings\Owner\Application Data\Auslogics
2012-09-28 00:34 . 2012-09-28 00:34 -------- d-----w- c:\documents and settings\Owner\Application Data\Catalina Marketing Corp
2012-09-26 00:47 . 2012-10-23 21:41 143872 ----a-w- c:\windows\system32\javacpl.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-23 21:59 . 2012-09-25 02:51 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-23 21:59 . 2012-09-24 23:52 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-23 21:41 . 2012-09-08 02:36 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-10-23 21:41 . 2010-07-28 00:50 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-21 13:06 . 2012-09-21 13:06 230840 ----a-r- c:\windows\system32\cpnprt2.cid
2012-09-05 16:54 . 2012-09-05 16:54 1409 ----a-w- c:\windows\QTFont.for
2012-08-31 02:03 . 2011-04-18 17:18 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:14 . 2004-11-17 20:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2004-11-17 20:57 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2004-11-17 20:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2004-11-17 20:57 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:33 . 2004-11-17 20:57 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2004-11-17 20:57 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-12 15:30 . 2009-11-12 15:30 868764 -c--a-w- c:\program files\typeitinpro32.exe
2003-02-24 19:10 . 2003-10-15 18:13 723968 -c--a-w- c:\program files\TypeItIn.exe
2012-10-11 01:06 . 2012-10-25 04:38 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2012-07-13 384232]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 01:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2011-03-15 02:09 2565520 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenuEx]
2011-08-04 18:41 1637496 ----a-w- c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-04-05 18:22 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IJNetworkScannerSelectorEX]
2011-01-15 20:48 452016 ----a-w- c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-01-16 22:22 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2005-04-05 18:23 114688 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 00:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 13:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windstream_BCUC_McciTrayApp]
2011-07-05 19:00 1742336 ----a-w- c:\program files\Windstream_BCUC\McciTrayApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
2012-07-13 01:30 384232 ------w- c:\program files\BillP Studios\WinPatrol\WinPatrol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"gusvc"=3 (0x3)
"mfevtp"=2 (0x2)
"mfefire"=2 (0x2)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"McNaiAnn"=2 (0x2)
"mcmscsvc"=2 (0x2)
"McMPFSvc"=2 (0x2)
"GoToAssist"=3 (0x3)
"AOL ACS"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/7/2011 1:17 PM 64288]
R1 MpKslbc864d19;MpKslbc864d19;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7FA00908-18A9-40A9-9E26-AB8A478F784F}\MpKslbc864d19.sys [10/25/2012 5:46 PM 29904]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [1/7/2011 1:17 PM 98392]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [10/25/2012 12:59 AM 399432]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [9/24/2012 10:51 PM 250808]
S3 BlackBox;BlackBox SR2; [x]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/2/2010 6:58 PM 135664]
S3 MozillaMaintenance;Mozilla Maintenance Service;"c:\program files\Mozilla Maintenance Service\maintenanceservice.exe" --> c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [?]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/2/2010 6:58 PM 135664]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-25 21:59]
.
2012-10-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 22:58]
.
2012-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 22:58]
.
2012-10-25 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 21:25]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.1.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7bjmci2y.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - about:home
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-72001809.sys
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-ApnUpdater - c:\program files\Ask.com\Updater\Updater.exe
MSConfigStartUp-mcui_exe - c:\program files\McAfee.com\Agent\mcagent.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-25 19:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3048)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\System32\locator.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-10-25 19:59:18 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-25 23:59
.
Pre-Run: 50,583,490,560 bytes free
Post-Run: 50,405,543,936 bytes free
.
- - End Of File - - 3FDE65E330147F4817A3C28D6F7C319C


----------



## Pokeyturtle (Oct 25, 2012)

WinPatrol just detected a change in the following monitored file.

c:\windows\system32\drivers\etc\hosts

When clicking view new file, it shows.....

127.0.0.1 localhost

Do I accept this new change or reject it?


----------



## kevinf80 (Mar 21, 2006)

Accept the change, just checking the log, will get back shortly


----------



## kevinf80 (Mar 21, 2006)

OK, run the following and post the logs:

*Step 1*

*Run ESET Online Scan*

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
*ESET OnlineScan*
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

Click to download the ESET Smart Installer. *Save* it to your desktop.
Double click on the ESET Smart Installer icon on your desktop.

Check
Click the button.
Accept any security warnings from your browser.
Check
*Leave the tick out of remove found threats*
Push the *Start* button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the button.
Push
You can refer to *this animation* by *neomage* if needed.
Frequently asked questions available *Here* *Please read them before running the scan.*

*Also be aware this scan can take several hours to complete depending on the size of your system.*

The ESET log can be found here: *"C:\Program Files\ESET\EsetOnlineScanner\log.txt".*

*Step 2*

Download Security Check by screen317 from *HERE* or *HERE*.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Post those two logs, also give update on how your system is responding and what issues remain...

Thanks,

Kevin


----------



## Pokeyturtle (Oct 25, 2012)

I'm scared to click "accept change". I'll just wait to see what you find, just in case.


----------



## kevinf80 (Mar 21, 2006)

The change is acceptable, 127.0.0.1 localhost is exactly the same as mine. If you wish to refuse the change I cannot force you.

Run ESET and Security Check when ready and post the logs, ESET is very thorough and will take several hours to complete.

Kevin....
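
As an added illustration (not part of the thread), the check below parses a hosts file and reports anything beyond the stock `127.0.0.1 localhost` mapping, which is the test Kevin applies by eye here; the sample file contents and the `.invalid` hostnames are constructed for the example.

```python
"""Added example (not from the thread): parse a Windows hosts file and
report any mapping beyond the stock ``127.0.0.1 localhost`` entry, which
is the check applied by eye in the thread above."""
import ipaddress

# Mappings a stock hosts file is expected to carry.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed samples. The first is the file as the thread shows it; the
# second adds two lines of the kind a hosts-file hijack leaves behind,
# using hypothetical names under the reserved .invalid TLD.
SAMPLE_CLEAN = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "\n"
    "127.0.0.1       localhost\n"
)
SAMPLE_SUSPECT = SAMPLE_CLEAN + (
    "127.0.0.1 update.example-av.invalid   # vendor update host cut off\n"
    "203.0.113.7 www.example-bank.invalid  # real site sent elsewhere\n"
)


def parse_hosts(text):
    """Return (address, hostname) pairs; comments and blank lines are
    skipped, and one line may name several hosts for one address.
    Lines whose first token is not an IP address come back as
    ("malformed", line) so they are never silently ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            ipaddress.ip_address(tokens[0])
        except ValueError:
            entries.append(("malformed", line))
            continue
        for host in tokens[1:]:
            entries.append((tokens[0], host.lower()))
    return entries


def classify(entries):
    """Bucket entries: 'default' (stock), 'blocked' (a non-default name
    pointed at loopback or 0.0.0.0, the usual way malware cuts off AV
    updates), 'redirected' (a name pointed at some other address) and
    'malformed'."""
    buckets = {"default": [], "blocked": [], "redirected": [], "malformed": []}
    for addr, host in entries:
        if addr == "malformed":
            buckets["malformed"].append(host)
            continue
        if (addr, host) in DEFAULT_ENTRIES:
            buckets["default"].append((addr, host))
            continue
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_unspecified:
            buckets["blocked"].append((addr, host))
        else:
            buckets["redirected"].append((addr, host))
    return buckets


def is_stock(text):
    """True when the file holds nothing but default mappings."""
    b = classify(parse_hosts(text))
    return not (b["blocked"] or b["redirected"] or b["malformed"])


if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT)):
        print(label, "stock" if is_stock(sample) else classify(parse_hosts(sample)))
```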


----------



## Pokeyturtle (Oct 25, 2012)

Accepted the winpatrol change, and got the scanner. I disabled realtime protection again, then clicked start. Got to 4% and it says "Can not get update. Is proxy configured?"

What do I do now? I have enabled realtime protection.


----------



## kevinf80 (Mar 21, 2006)

Check Browser for Proxy Server, use whichever is appropriate and reset as required:

Check for proxy server settings in your browser, the following are the most common used.

*Internet Explorer:*
Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" and check to "Automatically detect settings". Also clear any proxy address and port. ok, apply (only if applicable), ok.

*Firefox:*
Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.

*Chrome:*
Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings" , then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.

*Safari*

 Launch Safari
 Go to general settings menu
 Then in Preferences/ Advanced
 Then on line click Proxies change settings ...
 Click Internet Options, then click the Connections tab, click Network Settings.
 Disable option (uncheck) for the use of proxy server ...


----------



## Pokeyturtle (Oct 25, 2012)

Do I need to disable realtime protection when running this scan?


----------



## Pokeyturtle (Oct 25, 2012)

"No Proxy" has been selected, and I'm still getting the same message.


----------



## kevinf80 (Mar 21, 2006)

OK, if ESET still will not run, do try it with your security disabled. If there are still issues, run the following instead of ESET:

Download *DrWeb*


 Doubleclick the drweb-cureit.exe file, then on Start and allow the express scan to run.
 This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
 Once the short scan has finished, choose the Complete Scan.
 Select all drives. A red dot shows which drives have been chosen.
 Click the green arrow at the right, and the scan will start.
 Click 'Yes to all' if it asks if you want to cure/move the file.
 When the scan has finished, look and see if you can click the following icon next to the files found:
 If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
 This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
 After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
 Save the report to your desktop. The report will be called DrWeb.csv
 Close Dr.Web Cureit.
 Reboot your computer to allow files that were in use to be moved/deleted during reboot.
 After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

Kevin..


----------



## Pokeyturtle (Oct 25, 2012)

Hi Kevin,

The DrWeb scan has finally completed. It found a bunch, see below. What further steps do I need to take now? 

Many Thanks,
Pokeyturtle


ppctl.dll;C:\Program Files\Common Files\Scanner;Probably DLOADER.Trojan;Incurable.Will be deleted after restart.;
McciTrayApp.exe;C:\Program Files\Windstream_BCUC;Trojan.Siggen2.56601;Incurable.Moved.;
A0003501.exe;C:\System Volume Information\_restore{6BD1B934-3865-48BA-B96A-3576CE275566}\RP32;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0003541.exe;C:\System Volume Information\_restore{6BD1B934-3865-48BA-B96A-3576CE275566}\RP32;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0004747.exe;C:\System Volume Information\_restore{6BD1B934-3865-48BA-B96A-3576CE275566}\RP56;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0004754.exe;C:\System Volume Information\_restore{6BD1B934-3865-48BA-B96A-3576CE275566}\RP56;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0006368.exe;C:\System Volume Information\_restore{6BD1B934-3865-48BA-B96A-3576CE275566}\RP66;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0006375.exe;C:\System Volume Information\_restore{6BD1B934-3865-48BA-B96A-3576CE275566}\RP66;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0010653.exe;C:\System Volume Information\_restore{6BD1B934-3865-48BA-B96A-3576CE275566}\RP71;Trojan.Siggen2.56601;Incurable.Moved.;
vcore.dll;C:\VIPRERESCUE\Definitions;Probably DLOADER.Trojan;Moved.;
IE95boot.exe;C:\Program Files\Microsoft Picture It! PhotoPub;Trojan.KillDisk.346;Deleted.;
A0006655.exe;C:\System Volume Information\_restore{6BD1B934-3865-48BA-B96A-3576CE275566}\RP69;BackDoor.Pigeon1.3087;Deleted.;
A0006736.exe;C:\System Volume Information\_restore{6BD1B934-3865-48BA-B96A-3576CE275566}\RP69;BackDoor.Pigeon1.3087;Deleted.;
A0010652.exe;C:\System Volume Information\_restore{6BD1B934-3865-48BA-B96A-3576CE275566}\RP71;Trojan.KillDisk.346;Deleted.;
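
Added example, not from the thread: a small parser for the DrWeb.csv format shown above (name;folder;threat;action per record) that separates detections in live program folders from those inside System Volume Information restore points, which is why the next step in a cleanup like this is to reset System Restore; the embedded records are a constructed excerpt of the report above.

```python
"""Added example (not from the thread): parse a Dr.Web CureIt report
(DrWeb.csv: name;folder;threat;action, one record per line) and separate
detections in live program folders from those inside System Restore
points, which only a restore-point reset clears."""
import csv
import io
import re
from collections import Counter

# Restore-point folders look like ...\System Volume Information\_restore{GUID}\RPnn
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(\d+)", re.IGNORECASE
)

# Constructed excerpt in the report's format, taken from the records the
# thread shows above.
SAMPLE_REPORT = r"""ppctl.dll;C:\Program Files\Common Files\Scanner;Probably DLOADER.Trojan;Incurable.Will be deleted after restart.;
McciTrayApp.exe;C:\Program Files\Windstream_BCUC;Trojan.Siggen2.56601;Incurable.Moved.;
A0003501.exe;C:\System Volume Information\_restore{6BD1B934-3865-48BA-B96A-3576CE275566}\RP32;Probably BACKDOOR.Trojan;Incurable.Moved.;
IE95boot.exe;C:\Program Files\Microsoft Picture It! PhotoPub;Trojan.KillDisk.346;Deleted.;
A0010652.exe;C:\System Volume Information\_restore{6BD1B934-3865-48BA-B96A-3576CE275566}\RP71;Trojan.KillDisk.346;Deleted.;
"""


def parse_drweb(text):
    """Return one dict per record. The trailing ';' on every line yields an
    empty last field, which is dropped; short or blank lines are skipped."""
    records = []
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        while row and not row[-1].strip():
            row.pop()
        if len(row) < 4:
            continue
        name, folder, threat, action = (f.strip() for f in row[:4])
        match = RESTORE_RE.search(folder)
        records.append({
            "name": name,
            "path": folder.rstrip("\\") + "\\" + name,
            "threat": threat,
            "action": action,
            # RP number when the file sits in a restore point, else None
            "restore_point": int(match.group(1)) if match else None,
            # Dr.Web could not remove it yet; it goes at the next reboot
            "pending_restart": "after restart" in action.lower(),
            # "Probably ..." names are heuristic rather than signature matches
            "probable": threat.lower().startswith("probably"),
        })
    return records


def summarize(records):
    """Figures a helper would want before deciding the next step."""
    return {
        "total": len(records),
        "by_action": dict(Counter(r["action"] for r in records)),
        "restore_points_hit": sorted({r["restore_point"] for r in records
                                      if r["restore_point"] is not None}),
        "live_files": [r["path"] for r in records if r["restore_point"] is None],
        "pending_restart": [r["path"] for r in records if r["pending_restart"]],
        "probable_count": sum(r["probable"] for r in records),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_drweb(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```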


----------



## kevinf80 (Mar 21, 2006)

We now need to reset your system restore points and create a new clean one. To do this "Turn off" System restore > Left click start > Right click My Computer > Left click Properties > Select System restore tab > put tick in Turn off System Restore box > apply > ok. To reverse as previous but remove the tick from Turn off System Restore > apply ok.

Create a new restore point > Start > all programs > accessories > system tools > system restore > create a restore point > In the Restore point description box give it a name for reference eg. Clean 1. The time and date are added automatically > then select create and follow the prompts.

Next,

We need to see some additional information about what is happening in your machine.

Download and save DDS to your Desktop from either of the following links:

*Link 1*

*Link 2*

Double click DDS to run the scan, Vista or Windows 7 users accept the UAC alert.
There will be an alert that two logs will be saved to the Desktop, DDS.txt and Attach.txt 
Copy and paste those two logs to your reply when the scan is complete....

Let me see the logs from DDS, also let me know how your system is responding and if any issues remain...

Kevin


----------



## Pokeyturtle (Oct 25, 2012)

New system restore has been created, DDS logs below

DDS (Ver_2012-10-19.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.9.2
Run by Owner at 20:29:42 on 2012-10-26
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.48 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\System32\locator.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1350968930078
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{B7F604CD-D5D1-4343-82D9-3F83ABF4B0DF} : DHCPNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\7bjmci2y.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: c:\windows\system32\npwmsdrm.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-1-7 64288]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 193552]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-1-7 98392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-25 399432]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-9-24 250808]
S3 BlackBox;BlackBox SR2; [x]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-2 135664]
S3 MozillaMaintenance;Mozilla Maintenance Service;"c:\program files\mozilla maintenance service\maintenanceservice.exe" --> c:\program files\mozilla maintenance service\maintenanceservice.exe [?]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys --> c:\progra~1\pc-doc~1\diagno~1\PCDRDRV.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-2 135664]
.
=============== Created Last 30 ================
.
2012-10-26 12:30:45 -------- d-----w- c:\documents and settings\owner\DoctorWeb
2012-10-26 11:59:36 6918632 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d8a5f6d6-ed2e-432d-8196-1a8e3225a436}\mpengine.dll
2012-10-26 02:16:28 6918632 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-10-26 01:07:16 -------- d-----w- c:\program files\ESET
2012-10-25 22:58:36 98816 ----a-w- c:\windows\sed.exe
2012-10-25 22:58:36 256000 ----a-w- c:\windows\PEV.exe
2012-10-25 22:58:36 208896 ----a-w- c:\windows\MBR.exe
2012-10-25 04:59:25 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes
2012-10-25 04:59:11 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-10-25 04:59:09 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-25 04:59:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-25 04:39:11 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-10-24 22:30:19 -------- d-----w- C:\TDSSKiller_Quarantine
2012-10-23 21:42:16 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-23 06:58:37 -------- d-----w- c:\documents and settings\owner\local settings\application data\NETGEARGenie
2012-10-23 06:58:21 35088 ----a-w- c:\windows\system32\drivers\npf.sys
2012-10-23 05:01:32 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-10-23 05:01:32 -------- d-----w- c:\windows\system32\wbem\Repository
2012-10-23 04:58:33 -------- d-----w- c:\program files\Auslogics
2012-10-23 04:58:31 -------- d-----w- c:\program files\CCleaner
2012-10-23 04:58:03 -------- d-----w- c:\program files\MSXML 4.0
2012-10-23 04:58:03 -------- d-----w- c:\program files\common files\ODBC
2012-10-23 04:58:03 -------- d-----w- c:\program files\common files\NSV
2012-10-23 04:58:03 -------- d-----w- c:\program files\common files\Motive
2012-10-23 04:58:03 -------- d-----w- c:\program files\Citrix
2012-10-23 04:58:03 -------- d-----w- c:\program files\ALLTEL DSL Check-up Center
2012-10-23 04:57:26 -------- d-----w- c:\program files\MUSICMATCH
2012-10-23 04:57:26 -------- d-----w- c:\program files\Hitman Pro 3.5
2012-10-23 04:57:25 -------- d-----w- c:\program files\common files\Symantec Shared
2012-10-23 04:57:24 -------- d-----w- c:\program files\common files\Real
2012-10-23 04:57:20 -------- d-----w- C:\AOL Instant Messenger
2012-09-29 02:20:23 -------- d-----w- c:\documents and settings\owner\application data\Auslogics
2012-09-28 00:34:25 -------- d-----w- c:\documents and settings\owner\application data\Catalina Marketing Corp
.
==================== Find3M ====================
.
2012-10-23 21:59:33 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-23 21:59:32 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-23 21:41:54 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-10-23 21:41:53 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-10-23 21:41:52 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-10-12 23:35:52 72104 ----a-w- c:\windows\CouponPrinter.ocx
2012-09-21 13:06:55 230840 ----a-r- c:\windows\system32\cpnprt2.cid
2012-09-05 16:54:04 1409 ----a-w- c:\windows\QTFont.for
2012-08-31 02:03:50 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:33:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58:09 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-12 15:30:34 868764 -c--a-w- c:\program files\typeitinpro32.exe
2003-02-24 19:10:12 723968 -c--a-w- c:\program files\TypeItIn.exe
.
============= FINISH: 20:31:51.46 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-10-19.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 8/14/2003 12:20:11 PM
System Uptime: 10/26/2012 6:34:30 PM (2 hours ago)
.
Motherboard: Intel Corporation | | D865GLC 
Processor: Intel(R) Pentium(R) 4 CPU 2.60GHz | J2E1 | 2593/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 76 GiB total, 49.572 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: IDE\CDROMHL-DT-ST_DVD-ROM_GDR8161B_______________0040____\5&79E09EB&0&0.0.0
Manufacturer: (Standard CD-ROM drives)
Name: HL-DT-ST DVD-ROM GDR8161B
PNP Device ID: IDE\CDROMHL-DT-ST_DVD-ROM_GDR8161B_______________0040____\5&79E09EB&0&0.0.0
Service: cdrom
.
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: IDE\CDROMLITE-ON_LTR-48246S______________________SGS3____\5&79E09EB&0&0.1.0
Manufacturer: (Standard CD-ROM drives)
Name: LITE-ON LTR-48246S
PNP Device ID: IDE\CDROMLITE-ON_LTR-48246S______________________SGS3____\5&79E09EB&0&0.1.0
Service: cdrom
.
==== System Restore Points ===================
.
RP1: 10/26/2012 8:21:39 PM - System Checkpoint
RP2: 10/26/2012 8:23:39 PM - Clean1
.
==== Installed Programs ======================
.
Acrobat.com
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.4)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Auslogics Disk Defrag
Bonjour
Canon Easy-PhotoPrint EX
Canon IJ Network Scanner Selector EX
Canon IJ Network Tool
Canon MG3100 series MP Drivers
Canon MG3100 series On-screen Manual
Canon MG3100 series User Registration
Canon MP Navigator EX 5.0
Canon My Printer
Canon Solution Menu EX
CCleaner
Coupon Printer for Windows
Do More 7.0
Easy CD Creator 5 Basic
EPSON Printer Software
ESET Online Scanner v3
FrostWire 5.3.9
G-Force
Gateway Drivers and Applications Recovery
Gateway IE Customizations
Gateway User's Guide
Google Update Helper
GTW V.92 Voicemodem
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB954550-v5)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
iTunes
Java 7 Update 9
Java Auto Updater
Malwarebytes Anti-Malware version 1.65.1.1000
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Picture It! Express 2001
Microsoft Picture It! Photo 7.0
Microsoft Security Client
Microsoft Security Essentials
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows XP Video Decoder Checkup Utility
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
Mozilla Firefox 16.0.1 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
PC-Doctor for Windows
PokerStars
PowerDVD SE
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB923689)
Shockwave
TypeItIn
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Windows Internet Explorer 8 (KB2632503)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2749655)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Windstream Broadband Check-up Center
WinPatrol
WinRAR 4.01 (32-bit)
Works Suite OS Pack
Xvid Video Codec
.
==== Event Viewer Messages From Past Week ========
.
10/26/2012 8:01:27 AM, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).
10/26/2012 8:01:12 AM, error: Service Control Manager [7034] - The HTTP SSL service terminated unexpectedly. It has done this 1 time(s).
10/26/2012 7:36:02 AM, error: Dhcp [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 0007E94AF7F0 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/25/2012 7:42:22 PM, error: PlugPlayManager [11] - The device Root\LEGACY_NPF\0000 disappeared from the system without first being prepared for removal.
10/25/2012 6:44:21 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .
10/25/2012 6:44:21 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Canon\Solution Menu EX\MFC80U.DLL. Reference error message: The operation completed successfully. .
10/25/2012 6:44:21 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.
10/25/2012 4:40:13 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
10/25/2012 4:39:55 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
10/25/2012 10:01:17 AM, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.
10/25/2012 10:00:40 AM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
10/25/2012 1:23:45 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
10/25/2012 1:23:45 AM, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
10/24/2012 6:38:18 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
10/23/2012 3:17:19 AM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.2 with the system having network hardware address 00:C6:10:73:2B:94. Network operations on this system may be disrupted as a result.
10/23/2012 2:29:03 AM, error: Dhcp [1002] - The IP address lease 192.168.1.5 for the Network Card with network address 0007E94AF7F0 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/23/2012 12:18:45 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
10/23/2012 11:47:01 AM, error: Service Control Manager [7000] - The MBAMScheduler service failed to start due to the following error: The system cannot find the path specified.
10/23/2012 11:47:01 AM, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: The system cannot find the path specified.
10/23/2012 11:09:36 AM, error: Service Control Manager [7034] - The MBAMScheduler service terminated unexpectedly. It has done this 1 time(s).
10/23/2012 1:28:58 AM, error: Service Control Manager [7024] - The Java Quick Starter service terminated with service-specific error 1 (0x1).
10/23/2012 1:14:47 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.139.196.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8800.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode 
10/23/2012 1:08:46 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
10/23/2012 1:05:20 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm MpFilter
10/23/2012 1:03:54 AM, error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x80070002 Error description: The system cannot find the file specified. Signature version: 1.137.1239.0;1.137.1239.0 Engine version: 1.1.8800.0
10/22/2012 8:38:22 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.139.220.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8904.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 
10/20/2012 5:07:00 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
10/19/2012 8:40:18 AM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 0007E94AF7F0 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/19/2012 8:38:42 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/19/2012 8:38:17 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
10/19/2012 8:37:59 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
10/19/2012 6:44:13 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
10/19/2012 6:44:13 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
10/19/2012 6:44:13 AM, error: Service Control Manager [7001] - The Simple TCP/IP Services service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
10/19/2012 6:44:13 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/19/2012 6:44:13 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/19/2012 6:44:13 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
.
==== End Of File ===========================


----------



## kevinf80 (Mar 21, 2006)

Thanks for the logs, how is your system now responding? Any remaining issues or concerns? There are a couple of drivers still running on your system from Ad-Aware and Webroot's CounterSpy. If you no longer use or need these please do the following:

Please download *OTM by OldTimer*.
*Alternative Mirror 1*
*Alternative Mirror 2* 
Save it to your desktop. 
Double click *OTM.exe* to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware all processes will be stopped during the run, also the Desktop will disappear, this will be put back on completion....

*Copy* the text from the code box below to the clipboard by highlighting *ALL* of it and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):


```
:Reg
:Services
Lbd
SBRE
BlackBox
:Files
ipconfig /flushdns /c
c:\windows\system32\drivers\Lbd.sys
c:\windows\system32\drivers\SBREDrv.sys
:Commands
[EmptyTemp]
```

 Return to OTMoveIt3, right click in the *"Paste Instructions for Items to be Moved"* window (under the yellow bar) and choose *Paste*.
Click the red button.
*Copy* everything in the Results window (under the green bar) to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTM*
*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

If the machine reboots, the Results log can be found here:

*c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log*

Where mmddyyyy_hhmmss is the date of the tool run.

Let me see that log, let me know how your system is now responding...

Kevin
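
The call above rests on reading the DDS `SERVICES / DRIVERS` section: `R0`/`R1` entries are kernel drivers loaded at boot or system start (ring 0, before any user-mode scanner), and a line ending in `[x]` or `[?]` means DDS could not find or verify the image file (the `BlackBox` and `MozillaMaintenance` lines in the log). The parser below is an added example, not code from this thread or from the DDS tool: it reproduces that triage over a constructed sample in the same line format. The classification rules in `triage()` are my assumptions about what a responder looks at first, not DDS's own logic.

```python
import re
from typing import Dict, List

# Constructed sample in the line format of the DDS "SERVICES / DRIVERS"
# section posted above (not the full log, just enough lines to exercise
# every case: running boot-start drivers, an orphaned service, an
# unverified path).
SAMPLE_DDS_SERVICES = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-1-7 64288]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 193552]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-1-7 98392]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-25 399432]
S3 BlackBox;BlackBox SR2; [x]
S3 MozillaMaintenance;Mozilla Maintenance Service;"c:\program files\mozilla maintenance service\maintenanceservice.exe" --> c:\program files\mozilla maintenance service\maintenanceservice.exe [?]
"""

# <state><start> <name>;<display name>;<image path> [<date> <size>] | [x] | [?]
# state: R = running, S = stopped
# start: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)
FILEINFO_RE = re.compile(r"\[\d{4}-\d{1,2}-\d{1,2} \d+\]$")


def parse_dds_services(text: str) -> List[Dict[str, object]]:
    """Turn DDS service/driver lines into dicts; lines that do not match are skipped."""
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        status, path = "ok", rest
        if rest.endswith("[x]"):          # DDS: image file not found on disk
            status, path = "missing", rest[:-3].strip()
        elif rest.endswith("[?]"):        # DDS: could not verify the image
            status, path = "unverified", rest[:-3].strip()
        else:
            fm = FILEINFO_RE.search(rest)  # "[date size]" trailer of a verified file
            if fm:
                path = rest[: fm.start()].strip()
        if "-->" in path:                 # "registry value --> resolved path" form
            path = path.split("-->", 1)[1].strip()
        entries.append({
            "name": m.group("name"),
            "display": m.group("display"),
            "running": m.group("state") == "R",
            "start": int(m.group("start")),
            "path": path.strip('"'),
            "status": status,
        })
    return entries


def triage(entries: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Assumed responder rules (mine, not DDS's): which entries to look at first."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons: List[str] = []
        if e["status"] == "missing":
            reasons.append("service registered but its image file is gone (orphan)")
        elif e["status"] == "unverified":
            reasons.append("DDS could not verify the image on disk")
        # Start types 0 and 1 with a .sys image are kernel-mode code loaded before
        # any user-mode scanner: confirm the owning product is still installed.
        if int(e["start"]) <= 1 and str(e["path"]).lower().endswith(".sys"):
            reasons.append("boot/system-start kernel driver")
        if reasons:
            findings[str(e["name"])] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_dds_services(SAMPLE_DDS_SERVICES)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On the sample this flags `Lbd`, `SBRE` and `MpFilter` as boot-start kernel drivers (only the last still belongs to an installed product, MSE), `BlackBox` as an orphan and `MozillaMaintenance` as unverified; `MBAMScheduler`, a user-mode auto-start service with a verified image, is not reported.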


----------



## Pokeyturtle (Oct 25, 2012)

Hi Kevin,

OTM log below.

I shut down my computer this morning to see how it would start up and it still didn't start up correctly. It still goes to the black screen, no boot file name received. Then Windows takes a long time to load. Also Firefox is freezing; when trying to close it, it says this program is not responding. That happens a lot. It also uses lots of memory, not sure if that's normal.

All processes killed
========== REGISTRY ==========
========== SERVICES/DRIVERS ==========
Service Lbd stopped successfully!
Service Lbd deleted successfully!
Service SBRE stopped successfully!
Service SBRE deleted successfully!
Service BlackBox stopped successfully!
Service BlackBox deleted successfully!
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Owner\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Owner\Desktop\cmd.txt deleted successfully.
c:\windows\system32\drivers\Lbd.sys moved successfully.
c:\windows\system32\drivers\SBREDrv.sys moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users
->Flash cache emptied: 0 bytes

User: DAWN
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 4344 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 11842456 bytes
->Flash cache emptied: 506 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3767 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 11.00 mb

OTM by OldTimer - Version 3.1.21.0 log created on 10272012_112651

Files moved on Reboot...

Registry entries deleted on Reboot...


----------



## kevinf80 (Mar 21, 2006)

OK, run the following and post the log...

Download *RogueKiller* (by tigzy) and save direct to your Desktop.


 Quit all programs
 Start RogueKiller.exe
 Wait until Prescan has finished ...
 Ensure all boxes are ticked under "Report" tab.
 Click on Scan.
 Click on Report when complete. Copy/paste the content of the report to your next reply....

Kevin


----------



## Pokeyturtle (Oct 25, 2012)

RogueKiller report below.... Also, seems to be lots of "Adchoice" ads on sites I visit.

RogueKiller V8.2.0 [10/22/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Scan -- Date : 10/27/2012 12:50:45

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Maxtor 6Y080L0 +++++
--- User ---
[MBR] 532ce180c4a90130ac8391e20c2219a6
[BSP] b7ab30d846c19543b4413bf2367f8f12 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 78159 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt
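
The HOSTS section of the report above shows the one line a clean XP hosts file contains. RogueKiller checks that file because malware abuses it in two ways: sinkholing security-vendor and update hostnames to 127.0.0.1 (the machine can no longer fetch definitions, which fits the signature-update errors in the DDS event log) and pinning popular sites to an attacker's address (a redirect that survives an `ipconfig /flushdns`). The audit below is an added example, not RogueKiller's code. Both hosts-file samples are constructed, the tampered one uses an RFC 5737 documentation address so it points at nothing real, and the set of names allowed to map to loopback is my assumption.

```python
import ipaddress
from typing import Dict, List, Tuple

# Names that legitimately resolve to a loopback address (assumed allow-list).
LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}

# Constructed samples. The first is the one-line file shown in the report
# above; the second imitates a tampered file.
HOSTS_CLEAN = "127.0.0.1       localhost\n"
HOSTS_TAMPERED = """# constructed sample of a tampered hosts file
127.0.0.1       localhost
127.0.0.1       www.update.microsoft.com update.microsoft.com
::1             localhost
192.0.2.10      www.google.com    # pinned address bypasses DNS entirely
not-an-ip       example.org
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs. Comments and blank lines are dropped,
    and a line carrying several names yields one pair per name."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip inline and full-line comments
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            pairs.append((fields[0], name.lower()))
    return pairs


def audit_hosts(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Classify every mapping:
    'blocked'    - a non-local name sent to loopback or 0.0.0.0 (sinkhole)
    'redirected' - a name pinned to a routable address (DNS bypass)
    'malformed'  - unparseable address; the resolver ignores it, but it still
                   shows someone edited the file."""
    report: Dict[str, List[Tuple[str, str]]] = {"blocked": [], "redirected": [], "malformed": []}
    for addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            report["malformed"].append((addr, name))
            continue
        if ip.is_loopback or ip.is_unspecified:
            if name not in LOOPBACK_NAMES:
                report["blocked"].append((addr, name))
        else:
            report["redirected"].append((addr, name))
    return report


def is_clean(text: str) -> bool:
    """True when the audit produced no findings at all."""
    return not any(audit_hosts(text).values())


if __name__ == "__main__":
    for kind, hits in audit_hosts(HOSTS_TAMPERED).items():
        for addr, name in hits:
            print(f"{kind:10s} {name} -> {addr}")
```

On a live box the same function would be fed `open(r"C:\WINDOWS\system32\drivers\etc\hosts").read()`; note that a hidden or read-only attribute on that file, and a hosts file much larger than one line, are themselves worth a look even when every entry parses.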


----------



## kevinf80 (Mar 21, 2006)

RogueKiller log is OK, run the following:

Please download *AdwCleaner* by Xplode onto your Desktop.


 Please close all open programs and internet browsers.
 Double click on *Adwcleaner.exe* to run the tool.
 Click on *Delete*.
 Confirm each time with OK.
 Your computer will be rebooted automatically. A text file will open after the restart.
 Please post the content of that logfile in your reply.
 You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

Please post the log.

If the re-directs still show, run this and post the log...

*Please read carefully and follow these steps.*

Download *TDSSKiller* and save it to your Desktop.

Double-click on *TDSSKiller.exe* to run the application.

The "Ready to scan" window will open. Click on *"Change parameters"*.

Place a checkmark next to *Verify Driver Digital Signature* and *Detect TDLFS file system* (leave "Service & Drivers" and "Boot Sectors" ticked). Click OK.

Select "Start Scan".

If an infected file is detected, the default action will be *Cure*, click on *Continue.*

If a suspicious file is detected, the default action will be *Skip*, click on *Continue.*

It may ask you to reboot the computer to complete the process. Click on *Reboot Now*.

If no reboot is required, click on *Report*. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "*TDSSKiller.[Version]_[Date]_[Time]_log.txt*". Please copy and paste the contents of that file here.

Kevin
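
The "Boot Sectors" option left ticked above and the `[MBR]`/`[BSP]` lines in the earlier RogueKiller report are the same check: hash the bootstrap code in sector 0 and compare it with known-clean loader code, because an MBR bootkit of the TDSS/TDL4 family replaces that code while leaving the partition table intact, so Windows still boots and the volume looks normal. The script below is an added example, not part of TDSSKiller or RogueKiller. It builds a constructed 512-byte MBR (filler bytes in place of real XP loader code, partition geometry copied from the report: active NTFS partition starting at sector 63, 78159 MiB), and the "known good" hash is taken from that constructed sample; the real tools carry a database of clean loaders instead.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
BOOTSTRAP_LEN = 440        # bytes 0..439 loader code, 440..443 disk signature, 446..509 partition table
PT_OFFSET = 446
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count (16 bytes)


def build_sample_mbr() -> bytes:
    """Constructed MBR: filler loader bytes (not real XP code) and one active NTFS
    partition at LBA 63 sized like the C: volume in the report above."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xeb\x3c\x90"                       # short jump + nop, as a loader begins
    mbr[3:BOOTSTRAP_LEN] = b"\x90" * (BOOTSTRAP_LEN - 3)
    mbr[440:444] = struct.pack("<I", 0x1234ABCD)     # disk signature, arbitrary
    sectors = 78159 * 1024 * 1024 // SECTOR          # 78159 MiB -> 160069632 sectors
    mbr[PT_OFFSET:PT_OFFSET + 16] = struct.pack(
        ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, sectors
    )
    mbr[510:512] = b"\x55\xaa"                       # boot signature
    return bytes(mbr)


def parse_mbr(sector: bytes) -> Dict[str, object]:
    """Split sector 0 into the facts the scanners report: signature, loader hash, table."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts: List[Dict[str, object]] = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue                                  # empty slot
        parts.append({
            "index": i, "active": status == 0x80, "type": ptype,
            "lba_start": lba, "sectors": count,
            "size_mib": count * SECTOR // (1024 * 1024),
        })
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        # MD5 only because that is what the tools print; any hash would do here.
        "bootstrap_md5": hashlib.md5(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(sector: bytes, known_good_md5: str) -> List[str]:
    """Return findings; an empty list means the sector matches the known-good loader."""
    info = parse_mbr(sector)
    findings: List[str] = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["bootstrap_md5"] != known_good_md5:
        findings.append("bootstrap code hash does not match known-good loader")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    return findings


def simulate_bootkit(sector: bytes) -> bytes:
    """Overwrite the start of the loader, as a bootkit does, leaving the table intact.
    The replacement bytes are a constructed placeholder, not real bootkit code."""
    t = bytearray(sector)
    t[0:8] = b"\xea\x00\x7c\x00\x00" + b"\x00" * 3
    return bytes(t)


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["bootstrap_md5"]
    print("clean   :", check_mbr(clean, baseline))
    print("bootkit :", check_mbr(simulate_bootkit(clean), baseline))
```

The point the example makes is in the last two lines: after `simulate_bootkit` the partition table parses identically, so a check that only inspects the table passes, and only the loader hash catches the change. On a real disk sector 0 is read with `open(r"\\.\PhysicalDrive0", "rb").read(512)` from an elevated prompt, which is also why a user-mode infection of the kind discussed earlier in this thread cannot be ruled out by a file scan alone.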


----------



## Pokeyturtle (Oct 25, 2012)

Hi Kevin,

AdwCleaner log below. I already have tdsskiller.exe on my desktop. Can I run that one, or do I need to delete it and download a fresh copy? Thanks, Pokeyturtle

# AdwCleaner v2.005 - Logfile created 10/27/2012 at 16:38:17
# Updated 14/10/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Owner - GATEWAY-348915F
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Owner\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\InstallMate
Folder Deleted : C:\Documents and Settings\Owner\Application Data\Viewpoint

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9DBB28C1-1925-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKLM\Software\Viewpoint

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.1 (en-US)

Profile name : default [Profil par défaut]
File : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\7bjmci2y.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2838 octets] - [27/10/2012 16:33:02]
AdwCleaner[R2].txt - [2898 octets] - [27/10/2012 16:34:54]
AdwCleaner[S1].txt - [2721 octets] - [27/10/2012 16:38:17]

########## EOF - C:\AdwCleaner[S1].txt - [2781 octets] ##########


----------



## kevinf80 (Mar 21, 2006)

If you still have redirects after AdwCleaner, delete the TDSSKiller version you have and get a fresh copy; it may have been updated...


----------



## Pokeyturtle (Oct 25, 2012)

I just used the one from my desktop. TDSSKiller log below.

17:09:25.0437 2760 TDSS rootkit removing tool 2.8.13.0 Oct 12 2012 17:26:47
17:09:25.0765 2760 ============================================================
17:09:25.0765 2760 Current date / time: 2012/10/27 17:09:25.0765
17:09:25.0765 2760 SystemInfo:
17:09:25.0765 2760 
17:09:25.0765 2760 OS Version: 5.1.2600 ServicePack: 3.0
17:09:25.0765 2760 Product type: Workstation
17:09:25.0765 2760 ComputerName: GATEWAY-348915F
17:09:25.0765 2760 UserName: Owner
17:09:25.0765 2760 Windows directory: C:\WINDOWS
17:09:25.0765 2760 System windows directory: C:\WINDOWS
17:09:25.0765 2760 Processor architecture: Intel x86
17:09:25.0765 2760 Number of processors: 2
17:09:25.0765 2760 Page size: 0x1000
17:09:25.0765 2760 Boot type: Normal boot
17:09:25.0765 2760 ============================================================
17:09:36.0593 2760 Drive \Device\Harddisk0\DR0 - Size: 0x1315740000 (76.34 Gb), SectorSize: 0x200, Cylinders: 0x26EC, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
17:09:36.0718 2760 ============================================================
17:09:36.0718 2760 \Device\Harddisk0\DR0:
17:09:36.0796 2760 MBR partitions:
17:09:36.0796 2760 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x98A7FAD
17:09:36.0796 2760 ============================================================
17:09:37.0359 2760 C: <-> \Device\Harddisk0\DR0\Partition1
17:09:37.0625 2760 ============================================================
17:09:37.0625 2760 Initialize success
17:09:37.0625 2760 ============================================================
17:09:55.0984 0832 ============================================================
17:09:55.0984 0832 Scan started
17:09:55.0984 0832 Mode: Manual; SigCheck; TDLFS; 
17:09:55.0984 0832 ============================================================
17:09:57.0078 0832 ================ Scan system memory ========================
17:09:57.0078 0832 System memory - ok
17:09:57.0078 0832 ================ Scan services =============================
17:10:55.0312 0832 [ 83CAFCB53201BBAC04D822F32438E244 ] USBAAPL C:\WINDOWS\system32\Drivers\usbaapl.sys
17:10:55.0375 0832 USBAAPL - ok
17:10:55.0437 0832 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
17:10:55.0609 0832 usbccgp - ok
17:10:55.0656 0832 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
17:10:55.0859 0832 usbehci - ok
17:10:55.0906 0832 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
17:10:56.0078 0832 usbhub - ok
17:10:56.0125 0832 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
17:10:56.0296 0832 usbprint - ok
17:10:56.0343 0832 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
17:10:56.0515 0832 usbscan - ok
17:10:56.0546 0832 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:10:56.0718 0832 USBSTOR - ok
17:10:56.0765 0832 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
17:10:56.0953 0832 usbuhci - ok
17:10:56.0984 0832 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
17:10:57.0156 0832 VgaSave - ok
17:10:57.0171 0832 ViaIde - ok
17:10:57.0218 0832 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
17:10:57.0390 0832 VolSnap - ok
17:10:57.0531 0832 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
17:10:57.0687 0832 VSS - ok
17:10:57.0781 0832 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
17:10:57.0984 0832 W32Time - ok
17:10:58.0046 0832 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
17:10:58.0234 0832 Wanarp - ok
17:10:58.0250 0832 wanatw - ok
17:10:58.0296 0832 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
17:10:58.0500 0832 wdmaud - ok
17:10:58.0546 0832 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
17:10:58.0734 0832 WebClient - ok
17:10:58.0875 0832 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
17:10:59.0109 0832 winmgmt - ok
17:10:59.0218 0832 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\System32\wbem\wmiapsrv.exe
17:10:59.0421 0832 WmiApSrv - ok
17:10:59.0718 0832 [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe
17:11:00.0359 0832 WMPNetworkSvc - ok
17:11:00.0687 0832 [ DCF3E3EDF5109EE8BC02FE6E1F045795 ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
17:11:01.0062 0832 WPFFontCache_v0400 - ok
17:11:01.0109 0832 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
17:11:01.0281 0832 WS2IFSL - ok
17:11:01.0343 0832 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
17:11:01.0546 0832 wscsvc - ok
17:11:01.0578 0832 [ C98B39829C2BBD34E454150633C62C78 ] WSTCODEC C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
17:11:01.0765 0832 WSTCODEC - ok
17:11:01.0796 0832 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll
17:11:02.0000 0832 wuauserv - ok
17:11:02.0078 0832 [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys
17:11:02.0125 0832 WudfPf - ok
17:11:02.0171 0832 [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys
17:11:02.0234 0832 WudfRd - ok
17:11:02.0281 0832 [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll
17:11:02.0312 0832 WudfSvc - ok
17:11:02.0484 0832 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
17:11:02.0890 0832 WZCSVC - ok
17:11:02.0968 0832 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
17:11:03.0156 0832 xmlprov - ok
17:11:03.0234 0832 [ E6C22D34BAEF5196E1B23A4492C275B7 ] {6080A529-897E-4629-A488-ABA0C29B635E} C:\WINDOWS\system32\drivers\ialmsbw.sys
17:11:03.0921 0832 {6080A529-897E-4629-A488-ABA0C29B635E} - ok
17:11:04.0015 0832 [ 6E53BD96B0EBAD721CDD6320DBFC3F5F ] {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} C:\WINDOWS\system32\drivers\ialmkchw.sys
17:11:04.0078 0832 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} - ok
17:11:04.0078 0832 ================ Scan global ===============================
17:11:04.0156 0832 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
17:11:04.0281 0832 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
17:11:04.0453 0832 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
17:11:04.0515 0832 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
17:11:04.0515 0832 [Global] - ok
17:11:04.0515 0832 ================ Scan MBR ==================================
17:11:04.0546 0832 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
17:11:04.0921 0832 \Device\Harddisk0\DR0 - ok
17:11:04.0921 0832 ================ Scan VBR ==================================
17:11:04.0921 0832 [ D3C2E93FF7C82AA0707CE0EFF1069E55 ] \Device\Harddisk0\DR0\Partition1
17:11:04.0937 0832 \Device\Harddisk0\DR0\Partition1 - ok
17:11:04.0937 0832 ============================================================
17:11:04.0937 0832 Scan finished
17:11:04.0937 0832 ============================================================
17:11:05.0046 2832 Detected object count: 0
17:11:05.0046 2832 Actual detected object count: 0


----------



## Pokeyturtle (Oct 25, 2012)

I'll download a fresh copy and send the report.


----------



## Pokeyturtle (Oct 25, 2012)

Tdsskiller log below, from the new tdsskiller download.

17:42:30.0156 3720 TDSS rootkit removing tool 2.8.13.0 Oct 12 2012 17:26:47
17:42:30.0718 3720 ============================================================
17:42:30.0718 3720 Current date / time: 2012/10/27 17:42:30.0718
17:42:30.0718 3720 SystemInfo:
17:42:30.0718 3720 
17:42:30.0718 3720 OS Version: 5.1.2600 ServicePack: 3.0
17:42:30.0718 3720 Product type: Workstation
17:42:30.0718 3720 ComputerName: GATEWAY-348915F
17:42:30.0718 3720 UserName: Owner
17:42:30.0718 3720 Windows directory: C:\WINDOWS
17:42:30.0718 3720 System windows directory: C:\WINDOWS
17:42:30.0718 3720 Processor architecture: Intel x86
17:42:30.0718 3720 Number of processors: 2
17:42:30.0718 3720 Page size: 0x1000
17:42:30.0718 3720 Boot type: Normal boot
17:42:30.0718 3720 ============================================================
17:42:34.0171 3720 Drive \Device\Harddisk0\DR0 - Size: 0x1315740000 (76.34 Gb), SectorSize: 0x200, Cylinders: 0x26EC, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
17:42:34.0187 3720 ============================================================
17:42:34.0187 3720 \Device\Harddisk0\DR0:
17:42:34.0187 3720 MBR partitions:
17:42:34.0187 3720 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x98A7FAD
17:42:34.0187 3720 ============================================================
17:42:34.0250 3720 C: <-> \Device\Harddisk0\DR0\Partition1
17:42:34.0296 3720 ============================================================
17:42:34.0296 3720 Initialize success
17:42:34.0296 3720 ============================================================
17:42:40.0937 4028 ============================================================
17:42:40.0937 4028 Scan started
17:42:40.0937 4028 Mode: Manual; SigCheck; TDLFS; 
17:42:40.0937 4028 ============================================================
17:42:42.0125 4028 ================ Scan system memory ========================
17:42:42.0125 4028 System memory - ok
17:42:42.0125 4028 ================ Scan services =============================
17:42:42.0890 4028 Abiosdsk - ok
17:42:42.0906 4028 abp480n5 - ok
17:42:42.0984 4028 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
17:42:46.0921 4028 ACPI - ok
17:42:46.0968 4028 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
17:42:47.0156 4028 ACPIEC - ok
17:42:47.0296 4028 [ 44C00A385CA9DBC1D5CF3781F8C26AEA ] AdobeFlashPlayerUpdateSvc C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
17:42:47.0390 4028 AdobeFlashPlayerUpdateSvc - ok
17:42:47.0437 4028 adpu160m - ok
17:42:47.0484 4028 [ 11C04B17ED2ABBB4833694BCD644AC90 ] aeaudio C:\WINDOWS\system32\drivers\aeaudio.sys
17:42:47.0593 4028 aeaudio - ok
17:42:47.0656 4028 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
17:42:47.0890 4028 aec - ok
17:42:47.0968 4028 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD C:\WINDOWS\System32\drivers\afd.sys
17:42:48.0125 4028 AFD - ok
17:42:48.0140 4028 Aha154x - ok
17:42:48.0156 4028 aic78u2 - ok
17:42:48.0171 4028 aic78xx - ok
17:42:48.0218 4028 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
17:42:48.0453 4028 Alerter - ok
17:42:48.0500 4028 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
17:42:48.0593 4028 ALG - ok
17:42:48.0609 4028 AliIde - ok
17:42:48.0625 4028 amsint - ok
17:42:48.0765 4028 [ 3DEBBECF665DCDDE3A95D9B902010817 ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
17:42:48.0796 4028 Apple Mobile Device - ok
17:42:48.0812 4028 asc - ok
17:42:48.0828 4028 asc3350p - ok
17:42:48.0843 4028 asc3550 - ok
17:42:48.0984 4028 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
17:42:49.0031 4028 aspnet_state - ok
17:42:49.0078 4028 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
17:42:49.0265 4028 AsyncMac - ok
17:42:49.0312 4028 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
17:42:49.0515 4028 atapi - ok
17:42:49.0531 4028 Atdisk - ok
17:42:49.0578 4028 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
17:42:49.0765 4028 Atmarpc - ok
17:42:49.0828 4028 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
17:42:50.0015 4028 AudioSrv - ok
17:42:50.0062 4028 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
17:42:50.0250 4028 audstub - ok
17:42:50.0531 4028 [ 2D39D498108C4810EF8CC1103A2A5B73 ] BCMModem C:\WINDOWS\system32\DRIVERS\BCMDM.sys
17:42:51.0187 4028 BCMModem - ok
17:42:51.0234 4028 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
17:42:51.0421 4028 Beep - ok
17:42:51.0578 4028 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll
17:42:51.0953 4028 BITS - ok
17:42:52.0140 4028 [ DB5BEA73EDAF19AC68B2C0FAD0F92B1A ] Bonjour Service C:\Program Files\Bonjour\mDNSResponder.exe
17:42:52.0328 4028 Bonjour Service - ok
17:42:52.0406 4028 [ CFD4E51402DA9838B5A04AE680AF54A0 ] Browser C:\WINDOWS\System32\browser.dll
17:42:52.0500 4028 Browser - ok
17:42:52.0500 4028 catchme - ok
17:42:52.0562 4028 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
17:42:52.0781 4028 cbidf2k - ok
17:42:52.0843 4028 [ 0BE5AEF125BE881C4F854C554F2B025C ] CCDECODE C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
17:42:53.0031 4028 CCDECODE - ok
17:42:53.0046 4028 cd20xrnt - ok
17:42:53.0093 4028 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
17:42:53.0296 4028 Cdaudio - ok
17:42:53.0343 4028 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
17:42:53.0562 4028 Cdfs - ok
17:42:53.0609 4028 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
17:42:53.0828 4028 Cdrom - ok
17:42:53.0875 4028 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe
17:42:54.0078 4028 CiSvc - ok
17:42:54.0156 4028 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
17:42:54.0390 4028 ClipSrv - ok
17:42:54.0453 4028 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
17:42:54.0515 4028 clr_optimization_v2.0.50727_32 - ok
17:42:54.0625 4028 [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
17:42:54.0687 4028 clr_optimization_v4.0.30319_32 - ok
17:42:54.0687 4028 CmdIde - ok
17:42:54.0703 4028 COMSysApp - ok
17:42:54.0734 4028 Cpqarray - ok
17:42:54.0796 4028 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
17:42:55.0000 4028 CryptSvc - ok
17:42:55.0015 4028 dac2w2k - ok
17:42:55.0031 4028 dac960nt - ok
17:42:55.0171 4028 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
17:42:55.0437 4028 DcomLaunch - ok
17:42:55.0515 4028 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
17:42:55.0687 4028 Dhcp - ok
17:42:55.0734 4028 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
17:42:55.0953 4028 Disk - ok
17:42:55.0953 4028 dmadmin - ok
17:42:56.0218 4028 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
17:42:56.0765 4028 dmboot - ok
17:42:56.0859 4028 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
17:42:57.0078 4028 dmio - ok
17:42:57.0125 4028 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
17:42:57.0312 4028 dmload - ok
17:42:57.0343 4028 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
17:42:57.0546 4028 dmserver - ok
17:42:57.0609 4028 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
17:42:57.0812 4028 DMusic - ok
17:42:57.0859 4028 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
17:42:57.0968 4028 Dnscache - ok
17:42:58.0046 4028 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
17:42:58.0265 4028 Dot3svc - ok
17:42:58.0281 4028 dpti2o - ok
17:42:58.0328 4028 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
17:42:58.0500 4028 drmkaud - ok
17:42:58.0578 4028 [ 98B46B331404A951CABAD8B4877E1276 ] E100B C:\WINDOWS\system32\DRIVERS\e100b325.sys
17:42:58.0671 4028 E100B - ok
17:42:58.0718 4028 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll
17:42:58.0890 4028 EapHost - ok
17:42:58.0937 4028 [ 8C3F3914F1C1E3E3FFE77190A4C9D735 ] ENETHUSB C:\WINDOWS\system32\DRIVERS\enethusb.sys
17:42:58.0984 4028 ENETHUSB - ok
17:42:59.0031 4028 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
17:42:59.0234 4028 ERSvc - ok
17:42:59.0312 4028 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe
17:42:59.0375 4028 Eventlog - ok
17:42:59.0468 4028 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\system32\Es.dll
17:42:59.0578 4028 EventSystem - ok
17:42:59.0656 4028 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
17:42:59.0859 4028 Fastfat - ok
17:42:59.0953 4028 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
17:43:00.0078 4028 FastUserSwitchingCompatibility - ok
17:43:00.0125 4028 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys
17:43:00.0312 4028 Fdc - ok
17:43:00.0359 4028 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
17:43:00.0562 4028 Fips - ok
17:43:00.0593 4028 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\drivers\Flpydisk.sys
17:43:00.0781 4028 Flpydisk - ok
17:43:00.0859 4028 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
17:43:01.0062 4028 FltMgr - ok
17:43:01.0156 4028 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
17:43:01.0171 4028 FontCache3.0.0.0 - ok
17:43:01.0203 4028 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
17:43:01.0375 4028 Fs_Rec - ok
17:43:01.0437 4028 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
17:43:01.0656 4028 Ftdisk - ok
17:43:01.0703 4028 [ 8182FF89C65E4D38B2DE4BB0FB18564E ] GEARAspiWDM C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
17:43:01.0734 4028 GEARAspiWDM - ok
17:43:01.0734 4028 getPlusHelper - ok
17:43:01.0796 4028 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
17:43:02.0000 4028 Gpc - ok
17:43:02.0343 4028 [ 2B34E4AACB5734BFD663C803335B11EA ] GTWModem C:\WINDOWS\system32\DRIVERS\GWMDM.sys
17:43:02.0953 4028 GTWModem - ok
17:43:03.0062 4028 [ 8F0DE4FEF8201E306F9938B0905AC96A ] gupdate C:\Program Files\Google\Update\GoogleUpdate.exe
17:43:03.0125 4028 gupdate - ok
17:43:03.0171 4028 [ 8F0DE4FEF8201E306F9938B0905AC96A ] gupdatem C:\Program Files\Google\Update\GoogleUpdate.exe
17:43:03.0187 4028 gupdatem - ok
17:43:03.0281 4028 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
17:43:03.0468 4028 helpsvc - ok
17:43:03.0500 4028 [ DEB04DA35CC871B6D309B77E1443C796 ] HidServ C:\WINDOWS\System32\hidserv.dll
17:43:03.0671 4028 HidServ - ok
17:43:03.0703 4028 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] hidusb C:\WINDOWS\system32\DRIVERS\hidusb.sys
17:43:03.0890 4028 hidusb - ok
17:43:03.0937 4028 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
17:43:04.0156 4028 hkmsvc - ok
17:43:04.0171 4028 hpn - ok
17:43:04.0281 4028 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
17:43:04.0406 4028 HTTP - ok
17:43:04.0453 4028 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
17:43:04.0625 4028 HTTPFilter - ok
17:43:04.0640 4028 i2omp - ok
17:43:04.0703 4028 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
17:43:04.0875 4028 i8042prt - ok
17:43:05.0156 4028 [ 0294A30B302CA71A2C26E582DDA93486 ] ialm C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
17:43:05.0687 4028 ialm - ok
17:43:06.0000 4028 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
17:43:06.0453 4028 idsvc - ok
17:43:06.0500 4028 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
17:43:06.0687 4028 Imapi - ok
17:43:06.0765 4028 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
17:43:06.0968 4028 ImapiService - ok
17:43:06.0984 4028 ini910u - ok
17:43:07.0000 4028 IntelIde - ok
17:43:07.0046 4028 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
17:43:07.0234 4028 intelppm - ok
17:43:07.0265 4028 [ 3BB22519A194418D5FEC05D800A19AD0 ] ip6fw C:\WINDOWS\system32\drivers\ip6fw.sys
17:43:07.0453 4028 ip6fw - ok
17:43:07.0500 4028 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
17:43:07.0671 4028 IpFilterDriver - ok
17:43:07.0718 4028 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
17:43:07.0890 4028 IpInIp - ok
17:43:07.0953 4028 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
17:43:08.0187 4028 IpNat - ok
17:43:08.0453 4028 [ 49918803B661367023BF325CF602AFDC ] iPod Service C:\Program Files\iPod\bin\iPodService.exe
17:43:08.0812 4028 iPod Service - ok
17:43:08.0875 4028 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
17:43:09.0078 4028 IPSec - ok
17:43:09.0109 4028 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
17:43:09.0203 4028 IRENUM - ok
17:43:09.0250 4028 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
17:43:09.0437 4028 isapnp - ok
17:43:09.0562 4028 [ B591E761161D1EF547D76EF236EAA6A5 ] JavaQuickStarterService C:\Program Files\Java\jre7\bin\jqs.exe
17:43:09.0609 4028 JavaQuickStarterService - ok
17:43:09.0625 4028 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
17:43:09.0828 4028 Kbdclass - ok
17:43:09.0875 4028 [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
17:43:10.0031 4028 kbdhid - ok
17:43:10.0093 4028 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
17:43:10.0296 4028 kmixer - ok
17:43:10.0375 4028 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
17:43:10.0515 4028 KSecDD - ok
17:43:10.0578 4028 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
17:43:10.0703 4028 lanmanserver - ok
17:43:10.0765 4028 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
17:43:10.0843 4028 lanmanworkstation - ok
17:43:10.0906 4028 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
17:43:11.0078 4028 LmHosts - ok
17:43:11.0281 4028 [ 85B16A92B117A5A800032ECD904B86DB ] MBAMScheduler C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
17:43:11.0468 4028 MBAMScheduler - ok
17:43:11.0515 4028 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
17:43:11.0703 4028 Messenger - ok
17:43:11.0765 4028 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
17:43:11.0921 4028 mnmdd - ok
17:43:11.0984 4028 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\System32\mnmsrvc.exe
17:43:12.0203 4028 mnmsrvc - ok
17:43:12.0250 4028 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
17:43:12.0421 4028 Modem - ok
17:43:12.0468 4028 [ 1992E0D143B09653AB0F9C5E04B0FD65 ] MODEMCSA C:\WINDOWS\system32\drivers\MODEMCSA.sys
17:43:12.0640 4028 MODEMCSA - ok
17:43:12.0671 4028 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
17:43:12.0843 4028 Mouclass - ok
17:43:12.0906 4028 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
17:43:13.0078 4028 mouhid - ok
17:43:13.0125 4028 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
17:43:13.0375 4028 MountMgr - ok
17:43:13.0406 4028 MozillaMaintenance - ok
17:43:13.0500 4028 [ EE728AF83850DDAD9A3FCAC0AAB3AD97 ] MpFilter C:\WINDOWS\system32\DRIVERS\MpFilter.sys
17:43:13.0578 4028 MpFilter - ok
17:43:13.0593 4028 mraid35x - ok
17:43:13.0671 4028 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
17:43:13.0906 4028 MRxDAV - ok
17:43:14.0062 4028 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
17:43:14.0359 4028 MRxSmb - ok
17:43:14.0390 4028 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\System32\msdtc.exe
17:43:14.0562 4028 MSDTC - ok
17:43:14.0609 4028 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
17:43:14.0781 4028 Msfs - ok
17:43:14.0796 4028 MSIServer - ok
17:43:14.0812 4028 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
17:43:15.0000 4028 MSKSSRV - ok
17:43:15.0078 4028 [ E077FCA2A7E79FB9BF67D3E30B5CE593 ] MsMpSvc c:\Program Files\Microsoft Security Client\MsMpEng.exe
17:43:15.0125 4028 MsMpSvc - ok
17:43:15.0156 4028 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
17:43:15.0421 4028 MSPCLOCK - ok
17:43:15.0468 4028 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
17:43:15.0640 4028 MSPQM - ok
17:43:15.0671 4028 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
17:43:15.0828 4028 mssmbios - ok
17:43:15.0859 4028 [ E53736A9E30C45FA9E7B5EAC55056D1D ] MSTEE C:\WINDOWS\system32\drivers\MSTEE.sys
17:43:16.0031 4028 MSTEE - ok
17:43:16.0093 4028 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
17:43:16.0171 4028 Mup - ok
17:43:16.0218 4028 [ 5B50F1B2A2ED47D560577B221DA734DB ] NABTSFEC C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
17:43:16.0406 4028 NABTSFEC - ok
17:43:16.0531 4028 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
17:43:16.0734 4028 napagent - ok
17:43:16.0828 4028 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
17:43:17.0046 4028 NDIS - ok
17:43:17.0078 4028 [ 7FF1F1FD8609C149AA432F95A8163D97 ] NdisIP C:\WINDOWS\system32\DRIVERS\NdisIP.sys
17:43:17.0265 4028 NdisIP - ok
17:43:17.0312 4028 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
17:43:17.0390 4028 NdisTapi - ok
17:43:17.0421 4028 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
17:43:17.0593 4028 Ndisuio - ok
17:43:17.0656 4028 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
17:43:17.0859 4028 NdisWan - ok
17:43:17.0921 4028 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
17:43:18.0015 4028 NDProxy - ok
17:43:18.0046 4028 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
17:43:18.0250 4028 NetBIOS - ok
17:43:18.0328 4028 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
17:43:18.0593 4028 NetBT - ok
17:43:18.0656 4028 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
17:43:18.0828 4028 NetDDE - ok
17:43:18.0875 4028 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
17:43:19.0015 4028 NetDDEdsdm - ok
17:43:19.0062 4028 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe
17:43:19.0250 4028 Netlogon - ok
17:43:19.0343 4028 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
17:43:19.0546 4028 Netman - ok
17:43:19.0625 4028 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
17:43:19.0656 4028 NetTcpPortSharing - ok
17:43:19.0750 4028 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll
17:43:19.0859 4028 Nla - ok
17:43:19.0921 4028 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
17:43:20.0125 4028 Npfs - ok
17:43:20.0328 4028 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
17:43:20.0718 4028 Ntfs - ok
17:43:20.0765 4028 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\System32\lsass.exe
17:43:20.0921 4028 NtLmSsp - ok
17:43:21.0078 4028 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
17:43:21.0453 4028 NtmsSvc - ok
17:43:21.0484 4028 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
17:43:21.0656 4028 Null - ok
17:43:21.0687 4028 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
17:43:21.0843 4028 NwlnkFlt - ok
17:43:21.0875 4028 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
17:43:22.0031 4028 NwlnkFwd - ok
17:43:22.0125 4028 [ D0D68ED9F67910FB27388F4DFF0D63C0 ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
17:43:22.0156 4028 ose - ok
17:43:22.0218 4028 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
17:43:22.0406 4028 Parport - ok
17:43:22.0453 4028 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
17:43:22.0625 4028 PartMgr - ok
17:43:22.0671 4028 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
17:43:22.0859 4028 ParVdm - ok
17:43:22.0921 4028 PCDRDRV - ok
17:43:22.0968 4028 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
17:43:23.0156 4028 PCI - ok
17:43:23.0171 4028 PCIDump - ok
17:43:23.0203 4028 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
17:43:23.0375 4028 PCIIde - ok
17:43:23.0437 4028 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys
17:43:23.0625 4028 Pcmcia - ok
17:43:23.0640 4028 perc2 - ok
17:43:23.0656 4028 perc2hib - ok
17:43:23.0734 4028 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
17:43:23.0765 4028 PlugPlay - ok
17:43:23.0781 4028 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
17:43:23.0953 4028 PolicyAgent - ok
17:43:24.0000 4028 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
17:43:24.0203 4028 PptpMiniport - ok
17:43:24.0343 4028 [ 57E95881E5F014816A8A53AD94EE0C48 ] PRISM_A02 C:\WINDOWS\system32\DRIVERS\WUSB20XP.sys
17:43:24.0562 4028 PRISM_A02 - ok
17:43:24.0625 4028 [ A32BEBAF723557681BFC6BD93E98BD26 ] Processor C:\WINDOWS\system32\DRIVERS\processr.sys
17:43:24.0796 4028 Processor - ok
17:43:24.0828 4028 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
17:43:24.0984 4028 ProtectedStorage - ok
17:43:25.0031 4028 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
17:43:25.0234 4028 PSched - ok
17:43:25.0281 4028 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
17:43:25.0437 4028 Ptilink - ok
17:43:25.0453 4028 ql1080 - ok
17:43:25.0468 4028 Ql10wnt - ok
17:43:25.0484 4028 ql12160 - ok
17:43:25.0500 4028 ql1240 - ok
17:43:25.0500 4028 ql1280 - ok
17:43:25.0546 4028 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
17:43:25.0703 4028 RasAcd - ok
17:43:25.0781 4028 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
17:43:25.0953 4028 RasAuto - ok
17:43:25.0984 4028 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
17:43:26.0187 4028 Rasl2tp - ok
17:43:26.0281 4028 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
17:43:26.0500 4028 RasMan - ok
17:43:26.0546 4028 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
17:43:26.0718 4028 RasPppoe - ok
17:43:26.0750 4028 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
17:43:26.0906 4028 Raspti - ok
17:43:26.0984 4028 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
17:43:27.0203 4028 Rdbss - ok
17:43:27.0234 4028 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
17:43:27.0406 4028 RDPCDD - ok
17:43:27.0500 4028 [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
17:43:27.0625 4028 RDPWD - ok
17:43:27.0703 4028 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
17:43:27.0875 4028 RDSessMgr - ok
17:43:27.0921 4028 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
17:43:28.0125 4028 redbook - ok
17:43:28.0187 4028 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
17:43:28.0343 4028 RemoteAccess - ok
17:43:28.0390 4028 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\System32\locator.exe
17:43:28.0546 4028 RpcLocator - ok
17:43:28.0703 4028 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\System32\rpcss.dll
17:43:28.0812 4028 RpcSs - ok
17:43:28.0890 4028 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\System32\rsvp.exe
17:43:29.0078 4028 RSVP - ok
17:43:29.0109 4028 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
17:43:29.0265 4028 SamSs - ok
17:43:29.0312 4028 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
17:43:29.0484 4028 SCardSvr - ok
17:43:29.0578 4028 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
17:43:29.0796 4028 Schedule - ok
17:43:29.0859 4028 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
17:43:29.0953 4028 Secdrv - ok
17:43:30.0000 4028 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
17:43:30.0171 4028 seclogon - ok
17:43:30.0218 4028 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
17:43:30.0390 4028 SENS - ok
17:43:30.0437 4028 [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
17:43:30.0609 4028 serenum - ok
17:43:30.0640 4028 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
17:43:30.0812 4028 Serial - ok
17:43:30.0875 4028 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
17:43:31.0046 4028 Sfloppy - ok
17:43:31.0187 4028 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
17:43:31.0484 4028 SharedAccess - ok
17:43:31.0562 4028 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
17:43:31.0578 4028 ShellHWDetection - ok
17:43:31.0593 4028 Simbad - ok
17:43:31.0656 4028 [ 32933B07FC16D9F778BEE12545FA1B1A ] SimpTcp C:\WINDOWS\System32\tcpsvcs.exe
17:43:31.0828 4028 SimpTcp - ok
17:43:31.0859 4028 [ 866D538EBE33709A5C9F5C62B73B7D14 ] SLIP C:\WINDOWS\system32\DRIVERS\SLIP.sys
17:43:32.0031 4028 SLIP - ok
17:43:32.0250 4028 [ EBA50C8F7EFD8178E8C4BDE6B74E744C ] smwdm C:\WINDOWS\system32\drivers\smwdm.sys
17:43:32.0484 4028 smwdm - ok
17:43:32.0500 4028 Sparrow - ok
17:43:32.0531 4028 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
17:43:32.0703 4028 splitter - ok
17:43:32.0796 4028 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
17:43:32.0843 4028 Spooler - ok
17:43:32.0890 4028 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
17:43:33.0000 4028 sr - ok
17:43:33.0093 4028 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
17:43:33.0203 4028 srservice - ok
17:43:33.0343 4028 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
17:43:33.0562 4028 Srv - ok
17:43:33.0625 4028 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
17:43:33.0718 4028 SSDPSRV - ok
17:43:33.0859 4028 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
17:43:34.0187 4028 stisvc - ok
17:43:34.0234 4028 [ 77813007BA6265C4B6098187E6ED79D2 ] streamip C:\WINDOWS\system32\DRIVERS\StreamIP.sys
17:43:34.0390 4028 streamip - ok
17:43:34.0421 4028 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
17:43:34.0593 4028 swenum - ok
17:43:34.0640 4028 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
17:43:34.0812 4028 swmidi - ok
17:43:34.0828 4028 SwPrv - ok
17:43:34.0843 4028 symc810 - ok
17:43:34.0859 4028 symc8xx - ok
17:43:34.0859 4028 SymEvent - ok
17:43:34.0875 4028 sym_hi - ok
17:43:34.0890 4028 sym_u3 - ok
17:43:34.0921 4028 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
17:43:35.0140 4028 sysaudio - ok
17:43:35.0203 4028 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
17:43:35.0375 4028 SysmonLog - ok
17:43:35.0484 4028 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
17:43:35.0718 4028 TapiSrv - ok
17:43:35.0859 4028 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
17:43:36.0062 4028 Tcpip - ok
17:43:36.0109 4028 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
17:43:36.0281 4028 TDPIPE - ok
17:43:36.0312 4028 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
17:43:36.0484 4028 TDTCP - ok
17:43:36.0531 4028 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
17:43:36.0703 4028 TermDD - ok
17:43:36.0796 4028 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
17:43:37.0046 4028 TermService - ok
17:43:37.0109 4028 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
17:43:37.0125 4028 Themes - ok
17:43:37.0140 4028 TosIde - ok
17:43:37.0203 4028 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
17:43:37.0375 4028 TrkWks - ok
17:43:37.0421 4028 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
17:43:37.0609 4028 Udfs - ok
17:43:37.0625 4028 ultra - ok
17:43:37.0765 4028 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
17:43:38.0125 4028 Update - ok
17:43:38.0218 4028 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
17:43:38.0328 4028 upnphost - ok
17:43:38.0359 4028 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
17:43:38.0531 4028 UPS - ok
17:43:38.0593 4028 [ 83CAFCB53201BBAC04D822F32438E244 ] USBAAPL C:\WINDOWS\system32\Drivers\usbaapl.sys
17:43:38.0656 4028 USBAAPL - ok
17:43:38.0703 4028 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
17:43:38.0890 4028 usbccgp - ok
17:43:38.0937 4028 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
17:43:39.0125 4028 usbehci - ok
17:43:39.0187 4028 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
17:43:39.0375 4028 usbhub - ok
17:43:39.0421 4028 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
17:43:39.0593 4028 usbprint - ok
17:43:39.0640 4028 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
17:43:39.0796 4028 usbscan - ok
17:43:39.0828 4028 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:43:40.0000 4028 USBSTOR - ok
17:43:40.0046 4028 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
17:43:40.0234 4028 usbuhci - ok
17:43:40.0265 4028 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
17:43:40.0437 4028 VgaSave - ok
17:43:40.0453 4028 ViaIde - ok
17:43:40.0500 4028 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
17:43:40.0671 4028 VolSnap - ok
17:43:40.0796 4028 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
17:43:40.0937 4028 VSS - ok
17:43:41.0031 4028 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
17:43:41.0250 4028 W32Time - ok
17:43:41.0312 4028 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
17:43:41.0500 4028 Wanarp - ok
17:43:41.0500 4028 wanatw - ok
17:43:41.0562 4028 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
17:43:41.0750 4028 wdmaud - ok
17:43:41.0812 4028 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
17:43:41.0984 4028 WebClient - ok
17:43:42.0125 4028 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
17:43:42.0343 4028 winmgmt - ok
17:43:42.0453 4028 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\System32\wbem\wmiapsrv.exe
17:43:42.0640 4028 WmiApSrv - ok
17:43:42.0968 4028 [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe
17:43:43.0515 4028 WMPNetworkSvc - ok
17:43:43.0859 4028 [ DCF3E3EDF5109EE8BC02FE6E1F045795 ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
17:43:44.0203 4028 WPFFontCache_v0400 - ok
17:43:44.0250 4028 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
17:43:44.0421 4028 WS2IFSL - ok
17:43:44.0484 4028 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
17:43:44.0656 4028 wscsvc - ok
17:43:44.0687 4028 [ C98B39829C2BBD34E454150633C62C78 ] WSTCODEC C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
17:43:44.0859 4028 WSTCODEC - ok
17:43:44.0906 4028 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll
17:43:45.0078 4028 wuauserv - ok
17:43:45.0156 4028 [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys
17:43:45.0218 4028 WudfPf - ok
17:43:45.0265 4028 [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys
17:43:45.0328 4028 WudfRd - ok
17:43:45.0375 4028 [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll
17:43:45.0390 4028 WudfSvc - ok
17:43:45.0578 4028 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
17:43:45.0937 4028 WZCSVC - ok
17:43:46.0015 4028 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
17:43:46.0203 4028 xmlprov - ok
17:43:46.0296 4028 [ E6C22D34BAEF5196E1B23A4492C275B7 ] {6080A529-897E-4629-A488-ABA0C29B635E} C:\WINDOWS\system32\drivers\ialmsbw.sys
17:43:46.0609 4028 {6080A529-897E-4629-A488-ABA0C29B635E} - ok
17:43:46.0687 4028 [ 6E53BD96B0EBAD721CDD6320DBFC3F5F ] {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} C:\WINDOWS\system32\drivers\ialmkchw.sys
17:43:46.0765 4028 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} - ok
17:43:46.0765 4028 ================ Scan global ===============================
17:43:46.0812 4028 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
17:43:46.0937 4028 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
17:43:47.0125 4028 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
17:43:47.0203 4028 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
17:43:47.0203 4028 [Global] - ok
17:43:47.0203 4028 ================ Scan MBR ==================================
17:43:47.0234 4028 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
17:43:47.0593 4028 \Device\Harddisk0\DR0 - ok
17:43:47.0593 4028 ================ Scan VBR ==================================
17:43:47.0593 4028 [ D3C2E93FF7C82AA0707CE0EFF1069E55 ] \Device\Harddisk0\DR0\Partition1
17:43:47.0593 4028 \Device\Harddisk0\DR0\Partition1 - ok
17:43:47.0593 4028 ============================================================
17:43:47.0593 4028 Scan finished
17:43:47.0593 4028 ============================================================
17:43:47.0718 4012 Detected object count: 0
17:43:47.0718 4012 Actual detected object count: 0


----------



## kevinf80 (Mar 21, 2006)

TDSSKiller log is clean. Are you still having re-directs?

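As an added example (not code from either poster), this small Python parser reads TDSSKiller log lines in the format shown above and checks what "clean" means here: every listed object carries a "- ok" verdict and both "Detected object count" lines are zero. The two embedded logs are constructed from that format; the Partition1 hash, its verdict and the counts in the flagged one are made up so the check has something to report.

```python
"""Check a TDSSKiller log: clean = every object "- ok" and both counts 0."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Line shapes in TDSSKiller output:
#   <time> <pid> [ <MD5> ] <name> [<path>]          file hashed
#   <time> <pid> <name> - <verdict>                 verdict for that object
#   <time> <pid> [Actual ]Detected object count: N  totals at the end
_PREFIX = r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+"
HASH_LINE = re.compile(_PREFIX + r"\[ ([0-9A-Fa-f]{32}) \] (\S+)(?: (.*))?$")
VERDICT_LINE = re.compile(_PREFIX + r"(.+?) - (.+)$")
COUNT_LINE = re.compile(_PREFIX + r"(Actual )?[Dd]etected object count: (\d+)$")


@dataclass
class Entry:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    verdict: Optional[str] = None


@dataclass
class ScanSummary:
    entries: Dict[str, Entry] = field(default_factory=dict)
    detected: Optional[int] = None
    actual_detected: Optional[int] = None

    def flagged(self) -> List[Entry]:
        """Objects whose verdict is anything other than "ok"."""
        return [e for e in self.entries.values()
                if e.verdict is not None and e.verdict.lower() != "ok"]

    def unverdicted(self) -> List[Entry]:
        """Hashed objects with no verdict line of their own (the "Scan global"
        files are covered by a single "[Global] - ok" line)."""
        return [e for e in self.entries.values() if e.verdict is None]

    def is_clean(self) -> bool:
        # Missing counts (truncated log) are deliberately not treated as zero.
        return (not self.flagged()
                and self.detected == 0 and self.actual_detected == 0)


def parse_tdsskiller(text: str) -> ScanSummary:
    summary = ScanSummary()
    for line in text.splitlines():
        line = line.rstrip()
        m = COUNT_LINE.match(line)
        if m:
            if m.group(1):
                summary.actual_detected = int(m.group(2))
            else:
                summary.detected = int(m.group(2))
            continue
        m = HASH_LINE.match(line)
        if m:
            md5, name, path = m.groups()
            entry = summary.entries.setdefault(name, Entry(name))
            entry.md5, entry.path = md5.upper(), path
            continue
        m = VERDICT_LINE.match(line)
        if m:
            name, verdict = m.groups()
            # A verdict with no earlier hash line (e.g. "ql1080 - ok") means
            # TDSSKiller listed the object but hashed no file for it.
            summary.entries.setdefault(name, Entry(name)).verdict = verdict
    return summary


# Constructed excerpts in the same format as the log above. The Partition1
# hash, its verdict and the counts in FLAGGED_LOG are made up so the check
# has something to flag; CLEAN_LOG mirrors the real MBR/VBR lines.
FLAGGED_LOG = r"""
17:43:23.0781 4028 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
17:43:23.0953 4028 PolicyAgent - ok
17:43:25.0453 4028 ql1080 - ok
17:43:46.0812 4028 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
17:43:47.0203 4028 [Global] - ok
17:43:47.0234 4028 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
17:43:47.0593 4028 \Device\Harddisk0\DR0 - ok
17:43:47.0593 4028 [ 00000000000000000000000000000000 ] \Device\Harddisk0\DR0\Partition1
17:43:47.0593 4028 \Device\Harddisk0\DR0\Partition1 - suspicious (constructed verdict)
17:43:47.0718 4012 Detected object count: 1
17:43:47.0718 4012 Actual detected object count: 1
"""

CLEAN_LOG = r"""
17:43:47.0234 4028 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
17:43:47.0593 4028 \Device\Harddisk0\DR0 - ok
17:43:47.0593 4028 [ D3C2E93FF7C82AA0707CE0EFF1069E55 ] \Device\Harddisk0\DR0\Partition1
17:43:47.0593 4028 \Device\Harddisk0\DR0\Partition1 - ok
17:43:47.0718 4012 Detected object count: 0
17:43:47.0718 4012 Actual detected object count: 0
"""

if __name__ == "__main__":
    for log in (FLAGGED_LOG, CLEAN_LOG):
        s = parse_tdsskiller(log)
        print("clean" if s.is_clean() else "needs review", [e.name for e in s.flagged()])
```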

----------



## Pokeyturtle (Oct 25, 2012)

I guess I'm not really sure what redirects are. There are still lots of "AdChoices" ads when visiting websites. Also, I have Firefox configured to "warn me when websites try to redirect or reload page".

With that being said, every time I visit a site I get a warning. It says "Firefox prevented this page from automatically redirecting to another page".


----------



## kevinf80 (Mar 21, 2006)

Open Firefox select > tools > options > advanced > general tab > UNtick "Warn me when Websites try to re-direct or reload pages" then OK

Open Firefox select > tools > options > advanced > Privacy > Make sure "accept cookies from sites" IS Ticked > "accept 3rd party cookies" IS UNticked > "Keep Until" has "I close Firefox" in box. Also "Clear History when Firefox closes" IS Ticked. THEN ok...

Does Firefox now respond OK? Maybe a good idea to install the addon AdBlockPlus.


----------



## Pokeyturtle (Oct 25, 2012)

Hi Kevin,

I have unticked "Warn me when Websites try to re-direct or reload pages"

As for the rest, my settings were already set to the way that you have mentioned in the above post.

Also, when turning on my computer today, it still starts up going to the black screen with windows taking forever to load. Is that normal?

I used to have AdBlockPlus as one of my addons, not sure what happened to it. I'll add it back now.


----------



## Pokeyturtle (Oct 25, 2012)

Also, Firefox is still freezing up. It just did it when trying to send the above post.


----------



## kevinf80 (Mar 21, 2006)

Re-run Combofix exactly as you did originally, delete the version that is on your Desktop, d/l a fresh version from here:

*Combofix*

Save to your Desktop, run as before and post a fresh log...


----------



## Pokeyturtle (Oct 25, 2012)

Here is the new ComboFix log below...

ComboFix 12-10-26.05 - Owner 10/28/2012 17:19:54.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.203 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2012-09-28 to 2012-10-28 )))))))))))))))))))))))))))))))
.
.
2012-10-28 20:37 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{662A15C4-AB11-4D2F-9BA8-9030FD2DB6CA}\mpengine.dll
2012-10-27 15:26 . 2012-10-27 15:26 -------- d-----w- C:\_OTM
2012-10-27 05:03 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-10-26 23:16 . 2012-10-26 23:16 -------- d-----w- c:\windows\Sun
2012-10-26 12:30 . 2012-10-26 12:30 -------- d-----w- c:\documents and settings\Owner\DoctorWeb
2012-10-26 01:07 . 2012-10-26 01:07 -------- d-----w- c:\program files\ESET
2012-10-25 04:59 . 2012-10-25 04:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2012-10-25 04:59 . 2012-10-25 04:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-10-25 04:59 . 2012-10-25 04:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-25 04:59 . 2012-09-29 23:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-25 04:39 . 2012-10-27 20:42 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-10-24 22:30 . 2012-10-24 22:30 -------- d-----w- C:\TDSSKiller_Quarantine
2012-10-23 21:44 . 2012-10-23 21:44 -------- d-----w- c:\program files\Common Files\Java
2012-10-23 21:42 . 2012-10-23 21:41 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-23 21:41 . 2012-10-23 21:41 -------- d-----w- c:\program files\Java
2012-10-23 06:58 . 2012-10-23 17:07 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\NETGEARGenie
2012-10-23 06:58 . 2012-10-23 06:58 35088 ----a-w- c:\windows\system32\drivers\npf.sys
2012-10-23 05:01 . 2012-10-23 05:01 -------- d-----w- c:\windows\system32\wbem\Repository
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\Auslogics
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\CCleaner
2012-10-23 04:58 . 2012-10-24 22:37 -------- d-----w- c:\program files\Common Files\Motive
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\ALLTEL DSL Check-up Center
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\MSXML 4.0
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\Common Files\NSV
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\Citrix
2012-10-23 04:57 . 2012-10-23 04:57 -------- d-----w- c:\program files\MUSICMATCH
2012-10-23 04:57 . 2012-10-23 04:57 -------- d-----w- c:\program files\Hitman Pro 3.5
2012-10-23 04:57 . 2012-10-23 04:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-10-23 04:57 . 2012-10-23 04:57 -------- d-----w- c:\program files\Common Files\Real
2012-10-23 04:57 . 2012-10-23 04:57 -------- d-----w- C:\AOL Instant Messenger
2012-10-19 13:30 . 2012-10-19 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-10-02 19:32 . 2012-10-02 19:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-09-29 02:20 . 2012-10-02 19:10 -------- d-----w- c:\documents and settings\Owner\Application Data\Auslogics
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-23 21:59 . 2012-09-25 02:51 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-23 21:59 . 2012-09-24 23:52 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-23 21:41 . 2012-09-26 00:47 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-10-23 21:41 . 2012-09-08 02:36 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-10-23 21:41 . 2010-07-28 00:50 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-10-12 23:35 . 2012-01-30 04:25 72104 ----a-w- c:\windows\CouponPrinter.ocx
2012-09-21 13:06 . 2012-09-21 13:06 230840 ----a-r- c:\windows\system32\cpnprt2.cid
2012-09-05 16:54 . 2012-09-05 16:54 1409 ----a-w- c:\windows\QTFont.for
2012-08-31 02:03 . 2011-04-18 17:18 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:14 . 2004-11-17 20:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2004-11-17 20:57 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2004-11-17 20:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2004-11-17 20:57 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:33 . 2004-11-17 20:57 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2004-11-17 20:57 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-12 15:30 . 2009-11-12 15:30 868764 -c--a-w- c:\program files\typeitinpro32.exe
2003-02-24 19:10 . 2003-10-15 18:13 723968 -c--a-w- c:\program files\TypeItIn.exe
2012-10-27 20:29 . 2012-10-27 20:26 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2012-07-13 384232]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 01:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2011-03-15 02:09 2565520 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenuEx]
2011-08-04 18:41 1637496 ----a-w- c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-04-05 18:22 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IJNetworkScannerSelectorEX]
2011-01-15 20:48 452016 ----a-w- c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-01-16 22:22 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2005-04-05 18:23 114688 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 00:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 13:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
2012-07-13 01:30 384232 ------w- c:\program files\BillP Studios\WinPatrol\WinPatrol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"gusvc"=3 (0x3)
"mfevtp"=2 (0x2)
"mfefire"=2 (0x2)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"McNaiAnn"=2 (0x2)
"mcmscsvc"=2 (0x2)
"McMPFSvc"=2 (0x2)
"GoToAssist"=3 (0x3)
"AOL ACS"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=
.
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [10/25/2012 12:59 AM 399432]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [9/24/2012 10:51 PM 250808]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/2/2010 6:58 PM 135664]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/2/2010 6:58 PM 135664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-25 21:59]
.
2012-10-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 22:58]
.
2012-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 22:58]
.
2012-10-28 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 21:25]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.1.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7bjmci2y.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-10-28 15:47; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7bjmci2y.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Windstream_BCUC_McciTrayApp - c:\program files\Windstream_BCUC\McciTrayApp.exe
AddRemove-{A62F9CD0-B2E0-4F2A-88F2-79254A3C8539} - c:\docume~1\ALLUSE~1\APPLIC~1\INSTAL~1\{A62F9~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-28 17:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3236)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-10-28 17:49:16
ComboFix-quarantined-files.txt 2012-10-28 21:49
ComboFix2.txt 2012-10-25 23:59
.
Pre-Run: 53,113,073,664 bytes free
Post-Run: 53,103,656,960 bytes free
.
- - End Of File - - 007B7F6B85E5FE84672A84661A43EEB2


----------



## kevinf80 (Mar 21, 2006)

1. Close any open browsers.

2. *Close/disable all anti virus and anti malware programs* so they do not interfere with the running of ComboFix.

3. Open *notepad* and copy/paste the text in the Codebox below into it:


```
ClearJavaCache::
Killall::
File::
c:\windows\CouponPrinter.ocx
c:\windows\system32\cpnprt2.cid
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7bjmci2y.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
```
Save this as *CFScript.txt*, and as Type: *All Files* *(*.*)* in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at *C:\ComboFix.txt* which I will require in your next reply.

Next,

Please download *Malwarebytes* Anti-Malware and save it to your desktop.
*Alternative D/L mirror*
*Alternative D/L mirror*

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
Please save the log to a location you will remember.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Post both logs, give update on current issues...

Kevin


----------



## Pokeyturtle (Oct 25, 2012)

I already have Malwarebytes on my computer, do I need to delete that one and get a fresh copy as well?


----------



## kevinf80 (Mar 21, 2006)

Apologies, just update the version of Malwarebytes you have and then run the quick scan....


----------



## Pokeyturtle (Oct 25, 2012)

Hi Kevin,

First attempt at the new Combofix log was unsuccessful. My computer had frozen and I was unable to shut down. Eventually I had to just unplug my computer from the wall. Second attempt worked, logs below.

ComboFix 12-10-26.05 - Owner 10/28/2012 21:07:26.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.186 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7bjmci2y.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi"
"c:\windows\CouponPrinter.ocx"
"c:\windows\system32\cpnprt2.cid"
.
.
((((((((((((((((((((((((( Files Created from 2012-09-28 to 2012-10-29 )))))))))))))))))))))))))))))))
.
.
2012-10-29 00:37 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF40E8F6-BC97-4085-B82F-182461338A6B}\mpengine.dll
2012-10-27 15:26 . 2012-10-27 15:26 -------- d-----w- C:\_OTM
2012-10-27 05:03 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-10-26 23:16 . 2012-10-26 23:16 -------- d-----w- c:\windows\Sun
2012-10-26 12:30 . 2012-10-26 12:30 -------- d-----w- c:\documents and settings\Owner\DoctorWeb
2012-10-26 01:07 . 2012-10-26 01:07 -------- d-----w- c:\program files\ESET
2012-10-25 04:59 . 2012-10-25 04:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2012-10-25 04:59 . 2012-10-25 04:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-10-25 04:59 . 2012-10-25 04:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-25 04:59 . 2012-09-29 23:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-25 04:39 . 2012-10-27 20:42 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-10-24 22:30 . 2012-10-24 22:30 -------- d-----w- C:\TDSSKiller_Quarantine
2012-10-23 21:44 . 2012-10-23 21:44 -------- d-----w- c:\program files\Common Files\Java
2012-10-23 21:42 . 2012-10-23 21:41 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-23 21:41 . 2012-10-23 21:41 -------- d-----w- c:\program files\Java
2012-10-23 06:58 . 2012-10-23 17:07 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\NETGEARGenie
2012-10-23 06:58 . 2012-10-23 06:58 35088 ----a-w- c:\windows\system32\drivers\npf.sys
2012-10-23 05:01 . 2012-10-23 05:01 -------- d-----w- c:\windows\system32\wbem\Repository
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\Auslogics
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\CCleaner
2012-10-23 04:58 . 2012-10-24 22:37 -------- d-----w- c:\program files\Common Files\Motive
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\ALLTEL DSL Check-up Center
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\MSXML 4.0
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\Common Files\NSV
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\Citrix
2012-10-23 04:57 . 2012-10-23 04:57 -------- d-----w- c:\program files\MUSICMATCH
2012-10-23 04:57 . 2012-10-23 04:57 -------- d-----w- c:\program files\Hitman Pro 3.5
2012-10-23 04:57 . 2012-10-23 04:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-10-23 04:57 . 2012-10-23 04:57 -------- d-----w- c:\program files\Common Files\Real
2012-10-23 04:57 . 2012-10-23 04:57 -------- d-----w- C:\AOL Instant Messenger
2012-10-19 13:30 . 2012-10-19 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-10-02 19:32 . 2012-10-02 19:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-09-29 02:20 . 2012-10-02 19:10 -------- d-----w- c:\documents and settings\Owner\Application Data\Auslogics
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-23 21:59 . 2012-09-25 02:51 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-23 21:59 . 2012-09-24 23:52 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-23 21:41 . 2012-09-26 00:47 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-10-23 21:41 . 2012-09-08 02:36 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-10-23 21:41 . 2010-07-28 00:50 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-10-12 23:35 . 2012-01-30 04:25 72104 ----a-w- c:\windows\CouponPrinter.ocx
2012-09-21 13:06 . 2012-09-21 13:06 230840 ----a-r- c:\windows\system32\cpnprt2.cid
2012-09-05 16:54 . 2012-09-05 16:54 1409 ----a-w- c:\windows\QTFont.for
2012-08-31 02:03 . 2011-04-18 17:18 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:14 . 2004-11-17 20:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2004-11-17 20:57 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2004-11-17 20:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2004-11-17 20:57 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:33 . 2004-11-17 20:57 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2004-11-17 20:57 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-12 15:30 . 2009-11-12 15:30 868764 -c--a-w- c:\program files\typeitinpro32.exe
2003-02-24 19:10 . 2003-10-15 18:13 723968 -c--a-w- c:\program files\TypeItIn.exe
2012-10-27 20:29 . 2012-10-27 20:26 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2012-07-13 384232]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 01:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2011-03-15 02:09 2565520 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenuEx]
2011-08-04 18:41 1637496 ----a-w- c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-04-05 18:22 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IJNetworkScannerSelectorEX]
2011-01-15 20:48 452016 ----a-w- c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-01-16 22:22 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2005-04-05 18:23 114688 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 00:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 13:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
2012-07-13 01:30 384232 ------w- c:\program files\BillP Studios\WinPatrol\WinPatrol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"gusvc"=3 (0x3)
"mfevtp"=2 (0x2)
"mfefire"=2 (0x2)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"McNaiAnn"=2 (0x2)
"mcmscsvc"=2 (0x2)
"McMPFSvc"=2 (0x2)
"GoToAssist"=3 (0x3)
"AOL ACS"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=
.
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [10/25/2012 12:59 AM 399432]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [9/24/2012 10:51 PM 250808]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/2/2010 6:58 PM 135664]
S3 MozillaMaintenance;Mozilla Maintenance Service;"c:\program files\Mozilla Maintenance Service\maintenanceservice.exe" --> c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [?]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/2/2010 6:58 PM 135664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-25 21:59]
.
2012-10-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 22:58]
.
2012-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 22:58]
.
2012-10-29 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 21:25]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.1.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7bjmci2y.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-10-28 15:47; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7bjmci2y.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-28 21:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3584)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\System32\locator.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-10-28 21:40:14 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-29 01:40
ComboFix2.txt 2012-10-28 21:49
ComboFix3.txt 2012-10-25 23:59
.
Pre-Run: 53,091,037,184 bytes free
Post-Run: 53,070,684,160 bytes free
.
- - End Of File - - EB05588792B527B97CE18470406EE8EF

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.28.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: GATEWAY-348915F [administrator]

10/28/2012 10:03:58 PM
mbam-log-2012-10-28 (22-03-58).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231405
Time elapsed: 13 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


----------



## kevinf80 (Mar 21, 2006)

How is your system responding now, what issues remain?


----------



## Pokeyturtle (Oct 25, 2012)

Firefox has not crashed or gotten hung up today. Computer still starts up going to that black screen saying something like ("no boot file name received", "exiting intel boot...."), with Windows taking a while to load. Also, MSE and WinPatrol shortcut icons have disappeared from the lower right-hand of the toolbar (near the clock). This has happened before and they usually reappear when restarting the computer. I have restarted twice and still no icons. MSE still runs with or without the icon showing, but I can't open up WinPatrol when the shortcut icon disappears.


----------



## kevinf80 (Mar 21, 2006)

Regarding the missing icons: right click on the task bar and select "Properties". A new window will open; ensure the Taskbar tab is selected.
In the Notification area select "Customize". Do you see MSE and WinPatrol? If there, click on each entry; an option box will open where you can choose the setting for each icon in turn. Ensure "Always Show" is selected, select OK to each in turn. Then select "Apply" then OK.
Does that help?

What is the exact wording you see when you boot? I'm not sure what you mean....


----------



## Pokeyturtle (Oct 25, 2012)

Hi Kevin,

As for the missing icons, it's a 50/50 chance that they will appear in the taskbar on start-up even though "always show" is selected. 

As for the exact wording I see on the black screen when my computer starts, I just went ahead and made a video. I've zipped it and will try to attach to this post. (hope it works) I also tried making a second video to show you how the icons will be missing, but this time when my computer started I got the red shield once again saying my virus protection was turned off. 

Also, computer is back to freezing up. (I don't think my video attached, is there another way to send it?)


----------



## kevinf80 (Mar 21, 2006)

There are some issues still showing in the CF log. See if you can disable WinPatrol and run CF again as follows:

Disable WinPatrol
- Right Click the 'Scotty Dog' icon in the system tray
- Click Options
- At the bottom of the options page, Uncheck Automatically Run WinPatrol When Computer Starts
- Click the X to end program.
- Right Click the 'Scotty Dog' icon in the system tray again
- Click Exit Program

WinPatrol is now disabled and will not start at bootup.

Next,

1. Close any open browsers.

2. *Close/disable all anti virus and anti malware programs* so they do not interfere with the running of ComboFix.

3. Open *notepad* and copy/paste the text in the Codebox below into it:


```
ClearJavaCache::
Killall::
File::
c:\windows\CouponPrinter.ocx
c:\windows\system32\cpnprt2.cid
c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys
Driver::
PCDRDRV
Firefox::
FF - ExtSQL: 2012-10-28 15:47; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7bjmci2y.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mfevtp"=-
"mfefire"=-
"McShield"=-
"McProxy"=-
"McODS"=-
"McNASvc"=-
"McNaiAnn"=-
"mcmscsvc"=-
"McMPFSvc"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=-
```
Save this as *CFScript.txt*, with Type: *All Files (\*.\*)*, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at *C:\ComboFix.txt* which I will require in your next reply.


----------



## Pokeyturtle (Oct 25, 2012)

Kevin,

I have disabled WinPatrol as requested, and here is the newest ComboFix log below...

ComboFix 12-10-29.05 - Owner 10/29/2012 20:35:49.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.214 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys"
"c:\windows\CouponPrinter.ocx"
"c:\windows\system32\cpnprt2.cid"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_PCDRDRV
.
.
((((((((((((((((((((((((( Files Created from 2012-09-28 to 2012-10-30 )))))))))))))))))))))))))))))))
.
.
2012-10-29 20:35 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B8BF38FD-8B60-4EF5-832A-6AD7077E7820}\mpengine.dll
2012-10-29 20:24 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-10-27 15:26 . 2012-10-27 15:26 -------- d-----w- C:\_OTM
2012-10-26 23:16 . 2012-10-26 23:16 -------- d-----w- c:\windows\Sun
2012-10-26 12:30 . 2012-10-26 12:30 -------- d-----w- c:\documents and settings\Owner\DoctorWeb
2012-10-26 01:07 . 2012-10-26 01:07 -------- d-----w- c:\program files\ESET
2012-10-25 04:59 . 2012-10-25 04:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2012-10-25 04:59 . 2012-10-25 04:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-10-25 04:59 . 2012-10-25 04:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-25 04:59 . 2012-09-29 23:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-25 04:39 . 2012-10-27 20:42 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-10-24 22:30 . 2012-10-24 22:30 -------- d-----w- C:\TDSSKiller_Quarantine
2012-10-23 21:44 . 2012-10-23 21:44 -------- d-----w- c:\program files\Common Files\Java
2012-10-23 21:42 . 2012-10-23 21:41 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-23 21:41 . 2012-10-23 21:41 -------- d-----w- c:\program files\Java
2012-10-23 06:58 . 2012-10-23 17:07 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\NETGEARGenie
2012-10-23 06:58 . 2012-10-23 06:58 35088 ----a-w- c:\windows\system32\drivers\npf.sys
2012-10-23 05:01 . 2012-10-23 05:01 -------- d-----w- c:\windows\system32\wbem\Repository
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\Auslogics
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\CCleaner
2012-10-23 04:58 . 2012-10-24 22:37 -------- d-----w- c:\program files\Common Files\Motive
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\ALLTEL DSL Check-up Center
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\MSXML 4.0
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\Common Files\NSV
2012-10-23 04:58 . 2012-10-23 04:58 -------- d-----w- c:\program files\Citrix
2012-10-23 04:57 . 2012-10-23 04:57 -------- d-----w- c:\program files\MUSICMATCH
2012-10-23 04:57 . 2012-10-23 04:57 -------- d-----w- c:\program files\Hitman Pro 3.5
2012-10-23 04:57 . 2012-10-23 04:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-10-23 04:57 . 2012-10-23 04:57 -------- d-----w- c:\program files\Common Files\Real
2012-10-23 04:57 . 2012-10-23 04:57 -------- d-----w- C:\AOL Instant Messenger
2012-10-19 13:30 . 2012-10-19 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-10-02 19:32 . 2012-10-02 19:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-23 21:59 . 2012-09-25 02:51 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-23 21:59 . 2012-09-24 23:52 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-23 21:41 . 2012-09-26 00:47 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-10-23 21:41 . 2012-09-08 02:36 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-10-23 21:41 . 2010-07-28 00:50 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-10-12 23:35 . 2012-01-30 04:25 72104 ----a-w- c:\windows\CouponPrinter.ocx
2012-09-21 13:06 . 2012-09-21 13:06 230840 ----a-r- c:\windows\system32\cpnprt2.cid
2012-09-05 16:54 . 2012-09-05 16:54 1409 ----a-w- c:\windows\QTFont.for
2012-08-31 02:03 . 2011-04-18 17:18 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:14 . 2004-11-17 20:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2004-11-17 20:57 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2004-11-17 20:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2004-11-17 20:57 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:33 . 2004-11-17 20:57 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2004-11-17 20:57 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-12 15:30 . 2009-11-12 15:30 868764 -c--a-w- c:\program files\typeitinpro32.exe
2003-02-24 19:10 . 2003-10-15 18:13 723968 -c--a-w- c:\program files\TypeItIn.exe
2012-10-27 20:29 . 2012-10-27 20:26 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 01:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2011-03-15 02:09 2565520 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenuEx]
2011-08-04 18:41 1637496 ----a-w- c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-04-05 18:22 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IJNetworkScannerSelectorEX]
2011-01-15 20:48 452016 ----a-w- c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-01-16 22:22 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2005-04-05 18:23 114688 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 00:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 13:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
2012-07-13 01:30 384232 ------w- c:\program files\BillP Studios\WinPatrol\WinPatrol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"gusvc"=3 (0x3)
"GoToAssist"=3 (0x3)
"AOL ACS"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [10/25/2012 12:59 AM 399432]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [9/24/2012 10:51 PM 250808]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/2/2010 6:58 PM 135664]
S3 MozillaMaintenance;Mozilla Maintenance Service;"c:\program files\Mozilla Maintenance Service\maintenanceservice.exe" --> c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/2/2010 6:58 PM 135664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-25 21:59]
.
2012-10-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-10-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 22:58]
.
2012-10-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 22:58]
.
2012-10-30 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 21:25]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.1.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7bjmci2y.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-10-28 15:47; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7bjmci2y.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-29 21:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2844)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\System32\locator.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-10-29 21:07:19 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-30 01:07
ComboFix2.txt 2012-10-29 01:40
ComboFix3.txt 2012-10-28 21:49
ComboFix4.txt 2012-10-25 23:59
.
Pre-Run: 52,436,217,856 bytes free
Post-Run: 52,666,589,184 bytes free
.
- - End Of File - - 873B7E2BA83F2C72E18DBF05703C6EC8
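The CFScript above tells ComboFix which files, drivers and registry values to drop, and the quickest way to see what it actually did is to check each target against the post-run log. This is an added example (my own code, not ComboFix's and not posted in the thread): it parses the File::, Driver:: and Registry:: directives and reports which targets a constructed, abridged post-run log fragment still lists; the sample script and log are built from the entries quoted in this thread.

```python
"""Report which CFScript deletion targets a ComboFix post-run log still lists."""
import re
from collections import namedtuple

# Constructed from the CFScript posted in the thread (abridged).
CFSCRIPT = r"""
File::
c:\windows\CouponPrinter.ocx
c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys
Driver::
PCDRDRV
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mfevtp"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=-
"""

# Constructed fragment of the post-run log, abridged from the one quoted above.
POST_RUN_LOG = r"""
FILE ::
"c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys"
"c:\windows\CouponPrinter.ocx"
.
2012-10-12 23:35 . 2012-01-30 04:25 72104 ----a-w- c:\windows\CouponPrinter.ocx
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=
.
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [10/25/2012 12:59 AM 399432]
"""

LISTING_ROW = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. ")  # "Files Created"/Find3M rows
# kind is "file", "driver" or "regvalue"; key is the registry key for regvalue targets
Target = namedtuple("Target", "kind key name")


def parse_cfscript(text: str) -> list[Target]:
    """Collect deletion targets from the File::, Driver:: and Registry:: sections."""
    targets, section, key = [], None, ""
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith("::"):                 # directive header such as "File::"
            section, key = line[:-2].lower(), ""
        elif section in ("file", "driver"):
            targets.append(Target(section, "", line))
        elif section == "registry":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]                # following lines belong to this key
            else:
                m = re.fullmatch(r'"(.+)"=-', line)   # "name"=- deletes a value
                if m and key:
                    targets.append(Target("regvalue", key, m.group(1)))
    return targets


def log_registry_values(log: str) -> dict[str, set[str]]:
    """Map each [key] block of the log to the lower-cased value names under it."""
    values, key = {}, None
    for line in map(str.strip, log.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            values.setdefault(key, set())
        elif line in ("", "."):                 # a blank or "." line ends the block
            key = None
        elif key and line.startswith('"'):
            m = re.match(r'"(.+?)"=', line)
            if m:
                values[key].add(m.group(1).lower())
    return values


def still_present(targets: list[Target], log: str) -> dict[str, bool]:
    """Return {"kind:name": True} for every target the post-run log still lists."""
    lines = log.splitlines()
    listing = [l.lower() for l in lines if LISTING_ROW.match(l)]
    reg = log_registry_values(log)
    report = {}
    for t in targets:
        if t.kind == "file":
            # Only listing rows count: the FILE :: echo at the top of the log
            # repeats the script's own paths and would otherwise match.
            found = any(t.name.lower() in row for row in listing)
        elif t.kind == "driver":
            # Service rows look like "S3 PCDRDRV;Pcdr Helper Driver;..."
            pattern = re.compile(r"^[rs]\d " + re.escape(t.name) + ";", re.I)
            found = any(pattern.match(l) for l in lines)
        else:
            found = t.name.lower() in reg.get(t.key.lower(), set())
        report[f"{t.kind}:{t.name}"] = found
    return report


if __name__ == "__main__":
    for item, present in still_present(parse_cfscript(CFSCRIPT), POST_RUN_LOG).items():
        print(("STILL PRESENT  " if present else "removed        ") + item)
```

On the logs quoted above the same check shows the PCDRDRV service gone but CouponPrinter.ocx and the FrostWire firewall entry still listed after the run, which is exactly what the helper would want to know before the next step.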


----------



## kevinf80 (Mar 21, 2006)

Any change in status? Can you get the following files checked:

Please visit 
*Virustotal*

- Click the *Browse...* button
- Navigate to the file *c:\windows\CouponPrinter.ocx* or just copy/paste it in.
- Click the *Scan it* tab
- If you get a message saying File has already been analyzed: click Reanalyze file now
- Copy and paste the results back here please.
- Repeat the above steps for the following files

*c:\windows\system32\cpnprt2.cid*

Let me see the results, also did you manage to get the boot screen info?


----------



## Pokeyturtle (Oct 25, 2012)

Hi Kevin,

No change in status. My computer still starts up with the black boot screen and also Firefox is still getting hung up. I'm now at the site you mentioned above checking the first file *c:\windows\CouponPrinter.ocx*, but it's been over 90 minutes and still no results. Should it be taking this long? I don't know how to get you the boot screen info. I made a video of how my computer starts up, zipped it and tried attaching it to our posts, but I end up getting the error message below...

"Your submission could not be processed because a security token was missing.

If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error." Any suggestions on sending the video? Maybe temporarily post it on YouTube and send you the URL? Would that work?


----------



## kevinf80 (Mar 21, 2006)

You will not be able to attach a zipped video file; it will be too big and exceed the data limit. I'll PM you an email address you can send it to. It will be Yahoo, I think the data limit is 16 MB....

Regarding the files to VT, it sort of depends how busy the site is; it will usually give a prompt on how far back in the queue you are...

Try Jotti if VT is no good..

We need to upload a file to *Jotti*

1. Click *HERE* to get to Jotti's site.

2. At the top of the Jotti window, use the *Browse* button to locate the following file on your system:

*Filepath*

3. Once you have located the file, click *SUBMIT* and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.

5. Please repeat steps 2-4 for the following files:

*filepath*


----------



## Pokeyturtle (Oct 25, 2012)

Hi Kevin,

Video has been sent.

First file *c:\windows\CouponPrinter.ocx* scanned clean

http://virusscan.jotti.org/en/scanresult/a5f65944bb6d1a741916f139b4683288344d9b01

Second file *c:\windows\system32\cpnprt2.cid* scanned clean as well

http://virusscan.jotti.org/en/scanresult/8dd86ed380cfe3c338c97b8e8cf438e4520ac29c


----------



## kevinf80 (Mar 21, 2006)

Run the following scan by GMER; let's see if that will give a clue:

Download the *GMER Rootkit Scanner*. Unzip it to your Desktop.

*Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur*

*Alternative mirror*

Disable the active protection component of your antivirus and antispyware programs by following the directions that apply here:
*Temporarily disable Security*

*Do not use your computer for anything else during the scan.*

- Double click GMER.exe.
- If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on *NO*
Then use the following settings for a more complete scan..
- In the right panel, you will see several boxes that have been checked. Ensure the following are *UNCHECKED* ...
  - *IAT/EAT*
  - *Drives/Partition other than Systemdrive (typically C:\)*
  - *Show All (don't miss this one)*
- Then click the Scan button & wait for it to finish.
- Once done click on the *[Save..]* button, and in the File name area, type in *"ark.txt"*
Save the log where you can easily find it, such as your desktop.

_**Caution**: Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries._

Please copy and paste the report into your Post.

Kevin...


----------



## Pokeyturtle (Oct 25, 2012)

Kevin,

My system shut down in the middle of the GMER scan. When it rebooted an error message from Microsoft Windows popped up saying "The system has recovered from a serious error".

I can't copy and paste the error message so I'll try to type out what seems to be important.........I've also taken pictures just in case.....

A log has been created....

Error signature
BCCode : 100000d1 BCP1 : 18800148 BCP2 : 00000005 BCP3: 00000001
BCP4 : F747189B OSVer : 5_1_260 SP : 3_0 Product : 768_1

The following files included in this report:
C:\DOCUME~1\Owner\LOCALS~1\Temp\WER7e0d.dir00\Mini10512-01.dmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\WER7e0d.dir00\sysdata.xml

What do I need to do now??


----------



## kevinf80 (Mar 21, 2006)

Run GMER from Safe mode, ensure all security is turned off. Did you get my PM about the BIOS?


----------



## Pokeyturtle (Oct 25, 2012)

I got it. I'm just trying to figure it all out. Do I need to attempt changing the BIOS before running the GMER scan in safe mode?


----------



## kevinf80 (Mar 21, 2006)

I'd run GMER first from Safe mode and see what the log produces for us.... The BIOS mode is not too bad, I'm sure you'll pick it up, read through the instructions a few times, it will all fall into place..


----------



## Pokeyturtle (Oct 25, 2012)

Kevin,

I ran GMER in safe mode and it did not leave me a log.


----------



## kevinf80 (Mar 21, 2006)

Let's try a different approach, can you access the BIOS and reset the boot list as discussed? Reboot, is that now booting correctly...

If that is OK run the following:

Please download *Rootkit Unhooker* and save it on your desktop.
*Alternative Mirror*

1. Disable your security programs
2. Double click RKUnhookerLE.exe to run it
3. Click the Report tab, then click Scan
4. Check Drivers, Stealth Code, Files, and Code Hooks
5. Uncheck the rest, then click OK
6. When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
7. Wait till the scanner has finished then go File > Save Report
8. Save the report somewhere you can find it. Click Close
9. Copy the entire contents of the report and paste it in your next reply.

*Note* - You may get this warning, it is ok, just ignore it:
"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Please include the following in your next post:

Rootkit Unhooker log

Thanks,

Kevin


----------



## Pokeyturtle (Oct 25, 2012)

I can access my bios but haven't changed anything yet. I've attached a picture to this post of what I'm seeing. I'm still not sure which one to take out, or how to take it out.


I could not download Rootkit Unhooker, both of the download links did not work.


----------



## kevinf80 (Mar 21, 2006)

That boot order is wrong, write down the order as shown just in case it has to be put back. When you BOOT each item will be checked in sequence.
At present the first item (1st Boot device) is OK, if your XP CD had been in the CD/DVD tray you would have been given the option (Press any key to boot from CD). If you did nothing it would time out and move on to the next device. If no XP CD is in the tray that Boot device would be ignored and the next one selected. Normally the second device would be your HDD so the OS would load.
In your case the second Boot device is wrong so the system tries to Boot from that, as nothing happens it times out and moves on to the 3rd Boot device, your HDD, and now Boots correctly.

What you need to do is change the Boot order from the BIOS. The CD/DVD tray should be first, the Maxtor HDD second and finally the other item last. Select F10 to save and exit.

Now as you Boot the system will look at Boot device 1, as nothing bootable is in the tray it will be immediately ignored, Boot device 2 will be selected and XP will load.

Amend the BIOS to set the order correctly, see how it now loads. Let me know how your system responds..

Kevin


----------



## Pokeyturtle (Oct 25, 2012)

Okay, much better. So I switched 2 & 3 around, and now when booting, it just quick flashes to that black screen. (Windows still takes awhile to load)

What do I need to do next?


----------



## kevinf80 (Mar 21, 2006)

Nice job, at least you've got the Boot order sorted out. Can you use the GMER instructions from the sticky at the top of the thread, see if you can produce a log:

http://forums.techguy.org/virus-other-malware-removal/943214-everyone-must-read-before-posting.html

Kevin


----------



## Pokeyturtle (Oct 25, 2012)

Kevin,

Scanned with GMER again, clicked save, and renamed it ark.tex. Saved it to my desktop and the log was blank. ??


----------



## kevinf80 (Mar 21, 2006)

Run Malwarebytes one more time, Use the *Full* scan this time, it will take considerably more time than a quick scan. Post that log when finished.

Next,

Download and save DDS to your Desktop from either of the following links:

*Link 1*
*Link 2*

Double click DDS to run the scan, Vista or Windows 7 users accept the UAC alert.
There will be an alert that two logs will be saved to the Desktop, DDS.txt and Attach.txt 
Copy and paste those two logs to your reply when the scan is complete....

Let me see all logs in your reply, give me an update on how your system is responding also what issues or concerns remain.

Thanks,

Kevin


----------



## Pokeyturtle (Oct 25, 2012)

Hi Kevin,

Malwarebytes scan froze and became unresponsive. I had to run it again in safe mode. Also, the computer is slow and seems to be freezing up even when not having Firefox running. For example, just trying to upload pictures from my camera is taking forever. Firefox is still using up a lot more memory than any other process running. I've started up my computer twice today, and both times MSE didn't appear in the taskbar. I checked to see if it was still running and it was. MSE said that I haven't updated my virus and spyware definitions in a while, and that I should. I don't understand why I had to do that manually, being that it's set to check automatically. I thought maybe my Microsoft Automatic Updates was disabled, but it's not. Below are the logs from Malwarebytes and DDS. Would it help to include logs from my WinPatrol too?

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.02.11

Windows XP Service Pack 3 x86 NTFS (Safe Mode)
Internet Explorer 8.0.6001.18702
Owner :: GATEWAY-348915F [administrator]

11/2/2012 7:37:20 PM
mbam-log-2012-11-02 (19-37-20).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 299210
Time elapsed: 1 hour(s), 16 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

DDS (Ver_2012-10-19.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.9.2
Run by Owner at 21:14:39 on 2012-11-02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.211 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\System32\locator.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1350968930078
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{B7F604CD-D5D1-4343-82D9-3F83ABF4B0DF} : DHCPNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\7bjmci2y.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: c:\windows\system32\npwmsdrm.dll
FF - ExtSQL: 2012-10-28 15:47; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\owner\application data\mozilla\firefox\profiles\7bjmci2y.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 193552]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-25 399432]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-9-24 250808]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-2 135664]
S3 MozillaMaintenance;Mozilla Maintenance Service;"c:\program files\mozilla maintenance service\maintenanceservice.exe" --> c:\program files\mozilla maintenance service\maintenanceservice.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-2 135664]
.
=============== Created Last 30 ================
.
2012-11-02 23:06:07 6918632 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dd80f9fa-1b62-426b-bc9f-fda4af574d5a}\mpengine.dll
2012-11-02 05:26:42 6918632 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-10-27 15:26:51 -------- d-----w- C:\_OTM
2012-10-26 12:30:45 -------- d-----w- c:\documents and settings\owner\DoctorWeb
2012-10-26 01:07:16 -------- d-----w- c:\program files\ESET
2012-10-25 22:58:36 98816 ----a-w- c:\windows\sed.exe
2012-10-25 22:58:36 256000 ----a-w- c:\windows\PEV.exe
2012-10-25 22:58:36 208896 ----a-w- c:\windows\MBR.exe
2012-10-25 04:59:25 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes
2012-10-25 04:59:11 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-10-25 04:59:09 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-25 04:59:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-25 04:39:11 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-10-24 22:30:19 -------- d-----w- C:\TDSSKiller_Quarantine
2012-10-23 21:42:16 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-23 06:58:37 -------- d-----w- c:\documents and settings\owner\local settings\application data\NETGEARGenie
2012-10-23 06:58:21 35088 ----a-w- c:\windows\system32\drivers\npf.sys
2012-10-23 05:01:32 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-10-23 05:01:32 -------- d-----w- c:\windows\system32\wbem\Repository
2012-10-23 04:58:33 -------- d-----w- c:\program files\Auslogics
2012-10-23 04:58:31 -------- d-----w- c:\program files\CCleaner
2012-10-23 04:58:03 -------- d-----w- c:\program files\MSXML 4.0
2012-10-23 04:58:03 -------- d-----w- c:\program files\common files\ODBC
2012-10-23 04:58:03 -------- d-----w- c:\program files\common files\NSV
2012-10-23 04:58:03 -------- d-----w- c:\program files\common files\Motive
2012-10-23 04:58:03 -------- d-----w- c:\program files\Citrix
2012-10-23 04:58:03 -------- d-----w- c:\program files\ALLTEL DSL Check-up Center
2012-10-23 04:57:26 -------- d-----w- c:\program files\MUSICMATCH
2012-10-23 04:57:26 -------- d-----w- c:\program files\Hitman Pro 3.5
2012-10-23 04:57:25 -------- d-----w- c:\program files\common files\Symantec Shared
2012-10-23 04:57:24 -------- d-----w- c:\program files\common files\Real
2012-10-23 04:57:20 -------- d-----w- C:\AOL Instant Messenger
.
==================== Find3M ====================
.
2012-10-23 21:59:33 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-23 21:59:32 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-23 21:41:54 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-10-23 21:41:53 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-10-23 21:41:52 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-10-12 23:35:52 72104 ----a-w- c:\windows\CouponPrinter.ocx
2012-09-21 13:06:55 230840 ----a-r- c:\windows\system32\cpnprt2.cid
2012-09-05 16:54:04 1409 ----a-w- c:\windows\QTFont.for
2012-08-31 02:03:50 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:33:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58:09 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-12 15:30:34 868764 -c--a-w- c:\program files\typeitinpro32.exe
2003-02-24 19:10:12 723968 -c--a-w- c:\program files\TypeItIn.exe
.
============= FINISH: 21:17:22.00 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-10-19.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 8/14/2003 12:20:11 PM
System Uptime: 11/2/2012 9:00:23 PM (0 hours ago)
.
Motherboard: Intel Corporation | | D865GLC 
Processor: Intel(R) Pentium(R) 4 CPU 2.60GHz | J2E1 | 2593/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 76 GiB total, 48.752 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: IDE\CDROMHL-DT-ST_DVD-ROM_GDR8161B_______________0040____\5&79E09EB&0&0.0.0
Manufacturer: (Standard CD-ROM drives)
Name: HL-DT-ST DVD-ROM GDR8161B
PNP Device ID: IDE\CDROMHL-DT-ST_DVD-ROM_GDR8161B_______________0040____\5&79E09EB&0&0.0.0
Service: cdrom
.
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: IDE\CDROMLITE-ON_LTR-48246S______________________SGS3____\5&79E09EB&0&0.1.0
Manufacturer: (Standard CD-ROM drives)
Name: LITE-ON LTR-48246S
PNP Device ID: IDE\CDROMLITE-ON_LTR-48246S______________________SGS3____\5&79E09EB&0&0.1.0
Service: cdrom
.
==== System Restore Points ===================
.
RP1: 10/26/2012 8:21:39 PM - System Checkpoint
RP2: 10/26/2012 8:23:39 PM - Clean1
RP3: 10/27/2012 1:03:01 AM - Software Distribution Service 3.0
RP4: 10/28/2012 11:48:53 AM - System Checkpoint
RP5: 10/28/2012 3:33:28 PM - Software Distribution Service 3.0
RP6: 10/29/2012 4:35:34 PM - Software Distribution Service 3.0
RP7: 10/30/2012 8:11:08 PM - Software Distribution Service 3.0
RP8: 10/31/2012 8:19:49 PM - System Checkpoint
RP9: 11/1/2012 12:20:20 AM - Software Distribution Service 3.0
RP10: 11/2/2012 5:56:30 PM - System Checkpoint
RP11: 11/2/2012 7:05:53 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Acrobat.com
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.4)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Auslogics Disk Defrag
Bonjour
Canon Easy-PhotoPrint EX
Canon IJ Network Scanner Selector EX
Canon IJ Network Tool
Canon MG3100 series MP Drivers
Canon MG3100 series On-screen Manual
Canon MG3100 series User Registration
Canon MP Navigator EX 5.0
Canon My Printer
Canon Solution Menu EX
CCleaner
Coupon Printer for Windows
Do More 7.0
Easy CD Creator 5 Basic
EPSON Printer Software
ESET Online Scanner v3
FrostWire 5.3.9
G-Force
Gateway Drivers and Applications Recovery
Gateway IE Customizations
Gateway User's Guide
Google Update Helper
GTW V.92 Voicemodem
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB954550-v5)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
iTunes
Java 7 Update 9
Java Auto Updater
Malwarebytes Anti-Malware version 1.65.1.1000
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Picture It! Express 2001
Microsoft Picture It! Photo 7.0
Microsoft Security Client
Microsoft Security Essentials
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows XP Video Decoder Checkup Utility
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
Mozilla Firefox 16.0.2 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
PC-Doctor for Windows
PokerStars
PowerDVD SE
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB923689)
Shockwave
TypeItIn
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Windows Internet Explorer 8 (KB2632503)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2749655)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Windstream Broadband Check-up Center
WinRAR 4.01 (32-bit)
Works Suite OS Pack
Xvid Video Codec
.
==== Event Viewer Messages From Past Week ========
.
11/2/2012 8:59:10 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
11/2/2012 6:52:07 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.2 with the system having network hardware address 00:C6:10:8A:AF:15. Network operations on this system may be disrupted as a result.
11/2/2012 4:05:45 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.139.1073.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8904.0 Error code: 0x80240022 Error description: The program can't check for definition updates. 
11/2/2012 4:05:45 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.139.1073.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8904.0 Error code: 0x80240022 Error description: The program can't check for definition updates. 
10/31/2012 2:04:50 PM, error: Print [6161] - The document Microsoft Word - Document1 owned by Owner failed to print on printer Canon MG3100 series Printer. Data type: NT EMF 1.008. Size of the spool file in bytes: 4800. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\GATEWAY-348915F. Win32 error code returned by the print processor: 3 (0x3). 
10/31/2012 2:04:38 PM, error: Print [6161] - The document Microsoft Word - Document1 owned by Owner failed to print on printer Canon MG3100 series Printer. Data type: NT EMF 1.008. Size of the spool file in bytes: 65536. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\GATEWAY-348915F. Win32 error code returned by the print processor: 3 (0x3). 
10/30/2012 7:57:58 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
10/30/2012 7:57:20 PM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 0007E94AF7F0 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/30/2012 3:18:26 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip WS2IFSL
10/30/2012 3:18:26 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
10/30/2012 3:18:26 PM, error: Service Control Manager [7001] - The Simple TCP/IP Services service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
10/30/2012 3:18:26 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/30/2012 3:18:26 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/30/2012 3:18:26 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
10/30/2012 3:17:46 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/30/2012 3:17:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
10/30/2012 2:34:04 PM, error: System Error [1003] - Error code 10000050, parameter1 e1394000, parameter2 00000000, parameter3 804daab5, parameter4 00000001.
10/30/2012 2:33:10 PM, error: System Error [1003] - Error code 10000050, parameter1 ff576008, parameter2 00000000, parameter3 b4a583cb, parameter4 00000000.
10/30/2012 12:31:36 PM, error: System Error [1003] - Error code 100000d1, parameter1 18800148, parameter2 00000005, parameter3 00000001, parameter4 f747189b.
10/30/2012 12:28:03 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
10/29/2012 4:17:56 PM, error: Service Control Manager [7034] - The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 1 time(s).
10/29/2012 4:17:36 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
10/28/2012 9:07:06 PM, error: Service Control Manager [7034] - The Simple TCP/IP Services service terminated unexpectedly. It has done this 1 time(s).
10/28/2012 9:07:06 PM, error: Service Control Manager [7034] - The Remote Procedure Call (RPC) Locator service terminated unexpectedly. It has done this 1 time(s).
10/28/2012 11:20:57 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.139.712.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8904.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 
10/27/2012 9:07:00 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
10/27/2012 11:26:53 AM, error: Service Control Manager [7034] - The Office Source Engine service terminated unexpectedly. It has done this 1 time(s).
10/27/2012 11:05:16 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
10/27/2012 11:05:16 AM, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
10/26/2012 8:01:30 AM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
10/26/2012 8:01:27 AM, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).
10/26/2012 8:01:12 AM, error: Service Control Manager [7034] - The HTTP SSL service terminated unexpectedly. It has done this 1 time(s).
10/26/2012 8:01:06 AM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
10/26/2012 7:36:02 AM, error: Dhcp [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 0007E94AF7F0 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/26/2012 6:36:04 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
.
==== End Of File ===========================


----------
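The event-log dump above is the kind of thing a responder reads by hand, but a few rules turn it into a ranked list. The script below is an added example, not part of the original post or of any tool mentioned in the thread: it parses the `date time, level: Source [EventID] - message` layout used in that dump and flags the events that matter for a suspected infection (a protective service dying, System Restore silently stopping, an antimalware signature update failing) ahead of the ones that are merely stability noise (a bugcheck, a random service crash). The list of "protective" services and the severity labels are my assumptions; the sample lines are copied from the log above.

```python
import re

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}

# Services whose crash or absence removes a protective control.
# Assumed list for this example, not taken from the page.
SECURITY_SERVICES = {
    "Microsoft Antimalware Service",
    "Windows Firewall/Internet Connection Sharing (ICS)",
    "Security Center",
    "Automatic Updates",
    "System Restore Service",
}

# Sample input: six lines copied from the event-log dump posted above.
SAMPLE_LOG = r"""
10/30/2012 3:17:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
10/30/2012 2:34:04 PM, error: System Error [1003] - Error code 10000050, parameter1 e1394000, parameter2 00000000, parameter3 804daab5, parameter4 00000001.
10/28/2012 11:20:57 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.139.712.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8904.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates.
10/27/2012 11:05:16 AM, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
10/26/2012 8:01:06 AM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
10/26/2012 6:36:04 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
""".strip()

# "10/30/2012 3:17:43 PM, error: DCOM [10005] - message"
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)
SCM_CRASH_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly")
DCOM_RE = re.compile(r"attempting to start the service (?P<svc>\S+)")
# Matches both "Error code: 0x8024402c" (MSE) and "Error code 10000050" (bugcheck).
ERRCODE_RE = re.compile(r"Error code:? (?P<code>0x[0-9A-Fa-f]+|[0-9A-Fa-f]{8})")


def parse_line(line):
    """Return a dict for one dump line, or None if the line is not an event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["event_id"] = int(rec["event_id"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def classify(rec):
    """Map one event to (severity, summary) using a handful of triage rules."""
    src, eid, msg = rec["source"], rec["event_id"], rec["message"]
    if src == "Service Control Manager" and eid in (7031, 7034):
        m = SCM_CRASH_RE.match(msg)
        svc = m.group("svc") if m else "?"
        if svc in SECURITY_SERVICES:
            return "high", f"protective service crashed: {svc}"
        return "low", f"service crashed: {svc}"
    if src == "sr" and eid == 1:
        return "high", "System Restore filter stopped monitoring the volume (no new restore points)"
    if src == "Microsoft Antimalware" and eid == 2001:
        m = ERRCODE_RE.search(msg)
        return "medium", f"antimalware signature update failed ({m.group('code') if m else 'unknown code'})"
    if src == "DCOM" and eid == 10005:
        m = DCOM_RE.search(msg)
        return "low", f"DCOM could not start service {m.group('svc') if m else '?'}"
    if src == "System Error" and eid == 1003:
        m = ERRCODE_RE.search(msg)
        return "info", f"bugcheck {m.group('code') if m else '?'} (stability, not by itself evidence of malware)"
    return "info", f"unclassified {src} event {eid}"


def triage(text):
    """Parse a dump and return findings ordered by severity (stable within a level)."""
    findings = []
    for rec in parse_log(text):
        severity, summary = classify(rec)
        findings.append({"when": f"{rec['date']} {rec['time']}", "severity": severity, "summary": summary})
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:<6} {f['when']:<22} {f['summary']}")
```

Run against the six sample lines it puts the Microsoft Antimalware Service crash and the System Restore filter failure at the top, the failed signature update next, and the bugcheck last; feed it the whole dump (or a fresh export from Event Viewer in the same format) and the same ordering applies.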



## kevinf80 (Mar 21, 2006)

This problem is proving very difficult to find... Can you reset your Modem/Router back to original settings, and ensure passwords etc. are also changed? Instructions here http://www.online-tech-tips.com/computer-tips/reset-wireless-router-default-settings/ if required. If necessary go to the website of the manufacturer of your Modem/Router for help with that.

If resetting the router helps, let me know. If not run the following:

Please download *Farbar Service Scanner* and run it on the computer with the issue.

*Make sure the following options are checked:*


*Internet Services*
*Windows Firewall*
*System Restore*
*Security Center*
*Windows Update*
*Windows Defender*
Press "*Scan*".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Kevin...


----------



## Pokeyturtle (Oct 25, 2012)

Kevin,

Which do I reset, my windstream dsl modem or my Netgear wireless router?


----------



## kevinf80 (Mar 21, 2006)

If you are OK with the reset, do them both; I just want to make sure nothing has been hacked.


----------



## Pokeyturtle (Oct 25, 2012)

I reset both but have no clue what my Windstream modem login and password is. So I'm not able to change the password. I am connected though. I'll need to call Windstream during business hours to get that information. As for my Netgear wifi router, I think that it was never configured correctly as my friend recently installed it for me. I think it needs to be set up and configured to work with my DSL modem, which would require my Windstream login password. So the way it is set up now, in the Netgear "Internet Setup" page, it asks
"*Does your Internet connection require a login?* and NO is checked.
That's the only way I can stay connected until I can get that info from windstream and change the way my wifi is set up.

I did change the name and password for the wifi, so I'll run the Farbar scan now.


----------



## Pokeyturtle (Oct 25, 2012)

Farbar Service Scanner Version: 03-11-2012
Ran by Owner (administrator) on 03-11-2012 at 21:53:39
Running from "C:\Documents and Settings\Owner\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy: 
==================


System Restore:
============

System Restore Disabled Policy: 
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy: 
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3) 
0x0A000000040000000100000002000000030000000A0000000900000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****


----------
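The "Extra List" block at the end of that FSS log is worth understanding rather than just reading the "IpSec Tag value is correct" verdict. The `Gpc(6) IPSec(4) ...` line gives the `Tag` DWORD of each network driver service, and the hex blob is assumed here to be the REG_BINARY `GroupOrderList` entry for the `PNP_TDI` load group (a little-endian DWORD count followed by that many tags, in load order), which is how this section of an FSS log is normally read. The check that matters is that IPSec's tag sits in the list and loads before Tcpip's, because a driver whose tag has been changed to a value not in the list is loaded after everything else, and that is one way a filter driver gets quietly disabled. The script below is an added example, not FSS's own code; it decodes the values pasted above and reports when the ordering is wrong. It works from the text of the log, not the live registry.

```python
import re
import struct

# Values copied from the "Extra List" section of the FSS log above.
EXTRA_LIST_TAGS = "Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)"
GROUP_ORDER_HEX = "0x0A000000040000000100000002000000030000000A0000000900000008000000050000000600000007000000"

TAG_RE = re.compile(r"(\w+)\((\d+)\)")


def parse_driver_tags(text):
    """'Gpc(6) IPSec(4) ...' -> {'Gpc': 6, 'IPSec': 4, ...} (service name -> Tag DWORD)."""
    return {name: int(tag) for name, tag in TAG_RE.findall(text)}


def decode_group_order(hex_blob):
    """Decode a GroupOrderList REG_BINARY value (assumed layout):
    little-endian DWORD count, then `count` tag DWORDs in load order."""
    raw = bytes.fromhex(hex_blob[2:] if hex_blob[:2].lower() == "0x" else hex_blob)
    if len(raw) < 4 or len(raw) % 4:
        raise ValueError("blob is not a whole number of DWORDs")
    (count,) = struct.unpack_from("<I", raw, 0)
    if len(raw) != 4 + 4 * count:
        raise ValueError(f"count field says {count} tags but blob holds {(len(raw) - 4) // 4}")
    return list(struct.unpack_from(f"<{count}I", raw, 4))


def check_tdi_order(driver_tags, order):
    """Return a list of findings; an empty list means the load order is sane."""
    findings = []
    position = {tag: i for i, tag in enumerate(order)}
    if len(position) != len(order):
        findings.append("GroupOrderList contains duplicate tags")
    for name, tag in sorted(driver_tags.items()):
        if tag not in position:
            # Drivers whose tag is absent from the list load after every listed driver.
            findings.append(f"{name}: tag {tag} is not in the GroupOrderList, so it loads after every listed driver")
    ipsec, tcpip = driver_tags.get("IPSec"), driver_tags.get("Tcpip")
    if ipsec in position and tcpip in position and position[ipsec] > position[tcpip]:
        findings.append(f"IPSec (tag {ipsec}) would load after Tcpip (tag {tcpip})")
    return findings


def audit(tag_text=EXTRA_LIST_TAGS, blob=GROUP_ORDER_HEX):
    """Combine the two lines of an FSS 'Extra List' into findings."""
    return check_tdi_order(parse_driver_tags(tag_text), decode_group_order(blob))


if __name__ == "__main__":
    print("load order:", decode_group_order(GROUP_ORDER_HEX))
    print("findings:", audit() or "none")
```

On the values from the log the decoded order is `4, 1, 2, 3, 10, 9, 8, 5, 6, 7`, IPSec (4) is first and Tcpip (3) fourth, so no findings, matching FSS's verdict. Changing the IPSec tag to a value outside the list, or swapping it behind Tcpip, produces a finding. To verify against the live system rather than a pasted log, export the same two things with `reg query` (the `Tag` value under each service key and `GroupOrderList\PNP_TDI`) and feed them in.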



## kevinf80 (Mar 21, 2006)

Farbar Service Scanner is not showing any issues, a repeat of the latest malware scans. By resetting the router etc. I meant a full reset back to default settings, not just a login/password change. A full reset would remove any hacks that had been applied.

We are struggling to find any obvious malicious issues with the OS.

Run the following see if any bad blocks are found on the HDD..

Go to Start, then Run, type *cmd* into the Run box and tap <Enter>. After the command box opens, type this at the prompt: *chkdsk /r* and tap <Enter>.
Note the space between *chkdsk* and */r*. You will get a message that the drive cannot be locked, but that the command can be scheduled to run at the next boot. Type *Y* and then tap <Enter> again. You will get a message that *chkdsk* has been scheduled to run on the next boot. Then reboot.

*chkdsk* will run during the boot, and it will take quite a bit of time, particularly if your boot partition is large. What the */r* flag does is force *chkdsk* to run an expanded version of *chkdsk* that has 5 tests. The last two will check the drive for file/folder/free space errors and also fix related MFT errors if there are any.

Kevin...


----------



## Pokeyturtle (Oct 25, 2012)

Hi Kevin,

I did do a full reset on the Netgear modem and Windstream router. I went to the online-tech-tips site like you said, and followed the directions on there. Your post had said to change the passwords too, but I was unable to do so with the Windstream router.

I will do the *chkdsk /r* next.


----------



## kevinf80 (Mar 21, 2006)

OK, we`ll get there eventually...

Thanks,

Kevin


----------



## Pokeyturtle (Oct 25, 2012)

Kevin,

chkdsk /r has been done.


----------



## kevinf80 (Mar 21, 2006)

Were there any results? Go here http://forums.techguy.org/windows-xp/718494-solved-windows-xp-chkdsk-report.html to find the log...


----------



## Pokeyturtle (Oct 25, 2012)

Hi Kevin,
I'm noticing a few more issues now. My printer is no longer working. Also, in my Device Manager, under DVD/CD-ROM drives, there's an exclamation next to the two devices listed. First one is.....
HL-DT-ST DVD ROM GDR8161B, device status is "Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)". The other device is LITE-ON LTR-482465, device status is "Windows successfully loaded the device driver for this hardware but cannot find the hardware device. (Code 41)".

Here is the log below for *chkdsk /r. *

Event Type: Information
Event Source: Winlogon
Event Category: None
Event ID: 1001
Date: 11/5/2012
Time: 1:15:03 AM
User: N/A
Computer: GATEWAY-348915F
Description:
Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk. 
Cleaning up minor inconsistencies on the drive.
Cleaning up 1672 unused index entries from index $SII of file 0x9.
Cleaning up 1672 unused index entries from index $SDH of file 0x9.
Cleaning up 1672 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.

80035798 KB total disk space.
28797068 KB in 73997 files.
29616 KB in 8715 indexes.
0 KB in bad sectors.
258942 KB in use by the system.
65536 KB occupied by the log file.
50950172 KB available on disk.

4096 bytes in each allocation unit.
20008949 total allocation units on disk.
12737543 allocation units available on disk.

Internal Info:
60 b0 02 00 23 43 01 00 e4 c7 01 00 00 00 00 00 `...#C..........
47 16 00 00 03 00 00 00 35 0c 00 00 00 00 00 00 G.......5.......
ec 79 b3 22 00 00 00 00 72 41 db 6b 00 00 00 00 .y."....rA.k....
82 34 f5 76 00 00 00 00 16 f9 7e bd 13 00 00 00 .4.v......~.....
24 cc 25 e2 02 00 00 00 8e 85 87 bb 17 00 00 00 $.%.............
90 20 96 9a 00 00 00 00 98 38 07 00 0d 21 01 00 . .......8...!..
00 00 00 00 00 30 a2 dd 06 00 00 00 0b 22 00 00 .....0......."..

Windows has finished checking your disk.
Please wait while your computer restarts.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## kevinf80 (Mar 21, 2006)

OK, go here http://support.microsoft.com/kb/314060 and run the Fixit tool, then re-boot and check your issue with the CD trays: are they still showing as previously in Device Manager?

If the registry alert is still showing, unzip the attached file to your desktop, double click on the unzipped file (cdrom.reg), agree to the merge, reboot; is the issue still the same in Device Manager?

Regarding your printer, did it come with software? Can you re-install that, or visit the manufacturer's website and d/l the latest driver..

Does printer work now...

Can you tell me how many CD/DVD trays your PC has, the alerts you give are indicating two. Is that correct?

Thanks,

Kevin

oooops missed the reg file off, will follow in next message...


----------



## kevinf80 (Mar 21, 2006)

Missing .reg file attached....


----------



## Pokeyturtle (Oct 25, 2012)

Kevin,

I have two CD/DVD trays. Fixit tool worked. It's no longer showing the exclamations in the device manager and says that these devices are working properly.

Do I still need to unzip the file (cdrom.reg)?

As for the printer, my son says he used it last Thursday and got a message saying that the black ink was low. When I tried to use it, it says the printer is not responding. I can't access the ink monitor at all. No big deal, I'll buy some ink and see if that works before trying to reinstall etc.


----------



## kevinf80 (Mar 21, 2006)

No need for the reg file if CD/DVD is now OK. What about the rest of your system, how does it respond, what are the remaining issues?


----------



## Pokeyturtle (Oct 25, 2012)

Firefox still freezes up and is slow to respond. My personal email is getting overloaded with spam and phishing emails. I haven't seen those kind of emails in years.


----------



## kevinf80 (Mar 21, 2006)

What about Internet Explorer, how does that respond. Is it better or worse than FF? 
Have you got many Bookmarks saved in Firefox, maybe worthwhile resetting FF then reapply bookmarks if necessary. How does that sound to you, do you know how to backup Bookmarks if required?


----------



## Pokeyturtle (Oct 25, 2012)

I don't use internet explorer anymore to compare. 

I've recently reset FF quite a few times trying to fix the freezing problem myself. This last time I tried completely removing FF off of my computer and starting fresh. It didn't help.


----------



## Pokeyturtle (Oct 25, 2012)

Is it okay to do a disc clean up and defrag? Another issue I had was fragmented files that were unmovable. Just curious to see if that problem still exist.


----------



## kevinf80 (Mar 21, 2006)

IE 8 is on your system; does that run OK? I'm just curious if it freezes and is slow like you mentioned for Firefox. If you have some spare time run the following program to do a boot time defrag and disk check, see if this makes any difference:

Download and run the free version of *Puran Disc Defragmenter*
For the first run I would recommend a boot defrag and disk check:

1. Select your Boot drive, normally C:
2. Select Boot time defrag.
3. Restart > Defrag > Restart > Disk Check.

Then just follow the prompts. This will take an extended time to run so always do at a time when you do not wish to use the system for several hours.


----------



## Pokeyturtle (Oct 25, 2012)

Hi Kevin,

Just checked IE to see how it works, and it stinks. Took over two minutes to load a page, and a security alert message pops up that I can't get rid of. I can't continue on because I can't get rid of the alert message. It says... "You are about to view pages over a secure connection.....Any information you share with this site can not be viewed by anyone else on the web." Shouldn't that be a good thing? Well, I can't get rid of the message and my computer is whirring and grinding, making all kinds of noises like it's downloading something. Also on the bottom of the IE page, just above my task bar, it says it's waiting for https://googleads.g.doubleclick.net/pagead/dtr/si?p=CAA&ut=AFAKxlQAAAAAAA....etc.

It was flashing all kinds of ad urls before stopping on the above url. I will just X out of IE.

I have a few things to check and will run the Puran Defragmenter afterwards. http://www.puransoftware.com/Puran-Defrag-Download.html

Thanks for all your time and help!


----------



## kevinf80 (Mar 21, 2006)

If you've completed Puran Defrag see if the following helps with the browsers:

It would appear that both browsers have problems; go here http://support.microsoft.com/kb/923737 and run the Fixit to reset Internet Explorer to default settings...

Regarding Firefox I recommend a reset on that one also. First back up any bookmarks you have so they can be put back when required. Do the following:

Open Firefox, select > Bookmarks > Show all Bookmarks > that will open the Library. Select > Import and Backup > Export Bookmarks to HTML. Save that file to your Desktop or somewhere handy, name it Bookmarks. Shut down the Library page.

From the Menu bar again select > Help > Troubleshooting Information. That will open a new window; near the top right-hand corner is the "Reset Firefox" button. Select that, when finished close FF and reboot your PC.

Run Firefox, see how it responds. If ok you can import the Bookmarks. Select > Bookmarks > Show all Bookmarks > that will open the Library. Select > Import and Backup > Import Bookmarks from HTML> Navigate to the saved file, follow prompts.

Close Firefox down, run IE see if that is working OK....

Let me know if that has made any difference to the Browsers....

Kevin


----------



## Pokeyturtle (Oct 25, 2012)

Okay, did the Puran defrag, took all day.

Reset IE, despite checking the boxes to remove all personal settings, my bookmarks on toolbar remained. I manually removed them all.

Reset Firefox once again, and my bookmarks on the toolbar remained there as well. All plugins have been re-enabled, most were disabled before. There are many which I don't know if I need. I checked to see if my plugins were up to date and now my Shockwave 11.4 r402 is saying I need to update. I had that set to update automatically, don't know why it didn't.

Windows Update just started as well. I clicked to update.

And WinPatrol just detected a new task in the Windows Task Scheduler. Not sure if it's legitimate. Says it's Microsoft Feeds Synchronization, located in C:\WINDOWS\system32\msfeedssync.exe
version 8.00.6001.18720

I'm going to click No for now, until I know it's really safe.


----------



## Pokeyturtle (Oct 25, 2012)

Went to check the history of my Microsoft Update and noticed that one of my definitions failed to update on the 2nd.

Windows XP Cumulative Security Update for Internet Explorer 8 for Windows XP (KB2744842)

Wednesday, November 07, 2012 - Automatic Updates - MS Security Essentials Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.139.1515.0)
Wednesday, November 07, 2012 - Other Source - MS Security Essentials Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.139.1393.0)
Monday, November 05, 2012 - Other Source - MS Security Essentials Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.139.1329.0)
Monday, November 05, 2012 - Other Source - MS Security Essentials Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.139.1303.0)
Saturday, November 03, 2012 - Other Source - MS Security Essentials Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.139.1290.0)
Saturday, November 03, 2012 - Other Source - MS Security Essentials Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.139.1276.0)
Saturday, November 03, 2012 - Other Source - MS Security Essentials Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.139.1245.0)
Friday, November 02, 2012 - Other Source - MS Security Essentials Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.139.1216.0)
Friday, November 02, 2012 - Other Source - MS Security Essentials Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.139.1073.0)
Thursday, November 01, 2012 - Other Source


----------



## kevinf80 (Mar 21, 2006)

Hiya Pokeyturtle,

If you are worried about unknown add-ons, plugins, extensions or themes in Firefox go here http://support.mozilla.org/en-US/kb/disable-or-remove-add-ons and learn how to remove them.

Similar information for Internet Explorer available here http://windows.microsoft.com/en-GB/...t-Explorer-add-ons-frequently-asked-questions

Maybe worthwhile book marking the two above links for future reference....

Be aware that IE must be kept installed when XP is the operating system; it is specifically used for Windows Update, and a Windows XP PC still uses Internet Explorer for a number of internal processes.

Microsoft Feeds Synchronization is part of the Windows RSS platform that monitors RSS feeds you may have subscribed to. If you don't use it, you can block it, but it would be best to also turn it off:

1. Open IE click the Tools button and select Internet Options from the pop-up menu.
2. On the Content tab of the Internet Options dialog box, click the Settings button in the Feeds section of the dialog box.
3. In the Feed Settings dialog box, uncheck the "Automatically check feeds for updates" check box

I wouldn't worry about the missed MSE update if subsequent updates have occurred. OK, if FF and IE are working now can you run this Windows repair tool and let me know how your system is responding...

Download *Windows Repair* by Tweaking.com and unzip the contents into a newly created folder on your desktop.


 Now open Repair_Windows.exe in the folder
 Go to *Step 4* and create a *Restore Point*
 Go to *Start repairs tab* then select *Start*
 In the Custom Mode window, only select the following repair options:

Reset Registry Permissions
Reset File Permissions
Register System Files
Repair WMI
Repair Windows Firewall
Repair Internet Explorer
Remove Policies Set By Infections
Remove Temp Files
Repair Windows Updates

 Click the Start button.

Be patient while the tool repairs the selected items.
If prompted, reboot the computer for the changes to take effect; make sure other tasks in the program are not still running before re-booting..

Let me see the log which will be found in this folder:

C:\Tweaking.com_windows_Repair_Logs.

What is the current status of your system now, has there been an improvement. What issues/concerns are still present..

Kevin.


----------



## Pokeyturtle (Oct 25, 2012)

Hi Kevin,

Below is the Windows Repair log. FF seems to be worse after the reset. Very slow to start up and will not shut down after exit. I have to manually close FF in my task manager and it's still using way more memory than any other process. Experiencing extreme lagging issues right now, could barely type this message.

Starting Repairs...
Start (11/8/2012 8:24:33 AM)

Reset Registry Permissions 01/03
HKEY_CURRENT_USER & Sub Keys
Start (11/8/2012 8:24:33 AM)
Done (11/8/2012 8:24:47 AM)

Reset Registry Permissions 02/03
HKEY_LOCAL_MACHINE & Sub Keys
Start (11/8/2012 8:24:47 AM)
Done (11/8/2012 8:26:06 AM)

Reset Registry Permissions 03/03
HKEY_CLASSES_ROOT & Sub Keys
Start (11/8/2012 8:26:06 AM)
Done (11/8/2012 8:27:21 AM)

Reset File Permissions 01/24
C:\9ec9c84 & Sub Folders
Start (11/8/2012 8:27:21 AM)
Done (11/8/2012 8:27:24 AM)

Reset File Permissions 02/24
C:\ac0ab23c92b9496af3d88d1045 & Sub Folders
Start (11/8/2012 8:27:24 AM)
Done (11/8/2012 8:27:26 AM)

Reset File Permissions 03/24
C:\AOL Instant Messenger & Sub Folders
Start (11/8/2012 8:27:26 AM)
Done (11/8/2012 8:27:29 AM)

Reset File Permissions 04/24
C:\CABS & Sub Folders
Start (11/8/2012 8:27:29 AM)
Done (11/8/2012 8:27:57 AM)

Reset File Permissions 05/24
C:\cmdcons & Sub Folders
Start (11/8/2012 8:27:57 AM)
Done (11/8/2012 8:28:02 AM)

Reset File Permissions 06/24
C:\ComboFix101 & Sub Folders
Start (11/8/2012 8:28:02 AM)
Done (11/8/2012 8:28:04 AM)

Reset File Permissions 07/24
C:\ComboFix1011402C & Sub Folders
Start (11/8/2012 8:28:04 AM)
Done (11/8/2012 8:28:11 AM)

Reset File Permissions 08/24
C:\Config.Msi & Sub Folders
Start (11/8/2012 8:28:11 AM)
Done (11/8/2012 8:28:13 AM)

Reset File Permissions 09/24
C:\DECCHECK & Sub Folders
Start (11/8/2012 8:28:13 AM)
Done (11/8/2012 8:28:15 AM)

Reset File Permissions 10/24
C:\Graphs & Sub Folders
Start (11/8/2012 8:28:15 AM)
Done (11/8/2012 8:28:18 AM)

Reset File Permissions 11/24
C:\Install ICQ & Sub Folders
Start (11/8/2012 8:28:18 AM)
Done (11/8/2012 8:28:20 AM)

Reset File Permissions 12/24
C:\Install Winamp & Sub Folders
Start (11/8/2012 8:28:20 AM)
Done (11/8/2012 8:28:23 AM)

Reset File Permissions 13/24
C:\Intel & Sub Folders
Start (11/8/2012 8:28:23 AM)
Done (11/8/2012 8:28:25 AM)

Reset File Permissions 14/24
C:\MSOCache & Sub Folders
Start (11/8/2012 8:28:25 AM)
Done (11/8/2012 8:28:27 AM)

Reset File Permissions 15/24
C:\My Downloads & Sub Folders
Start (11/8/2012 8:28:27 AM)
Done (11/8/2012 8:28:32 AM)

Reset File Permissions 16/24
C:\My Music & Sub Folders
Start (11/8/2012 8:28:32 AM)
Done (11/8/2012 8:28:34 AM)

Reset File Permissions 17/24
C:\Program Files & Sub Folders
Start (11/8/2012 8:28:34 AM)
Done (11/8/2012 8:32:01 AM)

Reset File Permissions 18/24
C:\Qoobox & Sub Folders
Start (11/8/2012 8:32:01 AM)
Done (11/8/2012 8:32:10 AM)

Reset File Permissions 19/24
C:\TDSSKiller_Quarantine & Sub Folders
Start (11/8/2012 8:32:10 AM)
Done (11/8/2012 8:32:18 AM)

Reset File Permissions 20/24
C:\Tweaking.com_Windows_Repair_Logs & Sub Folders
Start (11/8/2012 8:32:18 AM)
Done (11/8/2012 8:32:21 AM)

Reset File Permissions 21/24
C:\VIPRERESCUE & Sub Folders
Start (11/8/2012 8:32:21 AM)
Done (11/8/2012 8:32:29 AM)

Reset File Permissions 22/24
C:\WINDOWS & Sub Folders
Start (11/8/2012 8:32:29 AM)
Done (11/8/2012 8:39:43 AM)

Reset File Permissions 23/24
C:\WUTemp & Sub Folders
Start (11/8/2012 8:39:43 AM)
Done (11/8/2012 8:39:48 AM)

Reset File Permissions 24/24
C:\_OTM & Sub Folders
Start (11/8/2012 8:39:48 AM)
Done (11/8/2012 8:39:50 AM)

Register System Files
Start (11/8/2012 8:39:50 AM)
Done (11/8/2012 8:44:05 AM)

Repair WMI
Start (11/8/2012 8:44:05 AM)
Step 01/03 - Deleting WMI Repository...
The system cannot find the path specified.
Step 02/03 - Rebuilding WMI Repository...
Step 03/03 - Registering WMI...
Done (11/8/2012 8:48:10 AM)

Repair Windows Firewall
Start (11/8/2012 8:48:11 AM)
System error 1060 has occurred.

The specified service does not exist as an installed service.

The Windows Firewall/Internet Connection Sharing (ICS) service is not started.

More help is available by typing NET HELPMSG 3521.

System error 1060 has occurred.

The specified service does not exist as an installed service.

The service name is invalid.

More help is available by typing NET HELPMSG 2185.

The service name is invalid.

More help is available by typing NET HELPMSG 2185.

Done (11/8/2012 8:48:17 AM)

Repair Internet Explorer
Start (11/8/2012 8:48:17 AM)
Done (11/8/2012 8:50:48 AM)

Remove Policies Set By Infections
Start (11/8/2012 8:50:48 AM)
Done (11/8/2012 8:50:51 AM)

Remove Temp Files
Start (11/8/2012 8:50:51 AM)
The process cannot access the file because it is being used by another process.
C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFB8D7.tmp - The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
C:\WINDOWS\Temp\Perflib_Perfdata_5c8.dat - The process cannot access the file because it is being used by another process.
Done (11/8/2012 8:50:55 AM)

Repair Windows Updates
Start (11/8/2012 8:50:55 AM)
The Automatic Updates service is not started.

More help is available by typing NET HELPMSG 3521.

The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
C:\WINDOWS\system32\catroot2\edb.log - The process cannot access the file because it is being used by another process.
C:\WINDOWS\system32\catroot2\edbtmp.log - The process cannot access the file because it is being used by another process.
C:\WINDOWS\system32\catroot2\tmp.edb - The process cannot access the file because it is being used by another process.
The requested service has already been started.

More help is available by typing NET HELPMSG 2182.

'bitsadmin.exe' is not recognized as an internal or external command,
operable program or batch file.
Done (11/8/2012 8:53:57 AM)

Cleaning up empty logs...

All Selected Repairs Done.
Done (11/8/2012 8:53:57 AM)
Total Repair Time: 00:29:24


...YOU MUST RESTART YOUR SYSTEM...


----------



## kevinf80 (Mar 21, 2006)

Hiya Pokeyturtle,

These issues with Firefox seem to repeat for no apparent reason. The recent diagnostic scans show nothing obvious; we've tried many fixes and resets, nothing changes.
Modem and router have been reset to default, so no hacks are present there. *Maybe the best option is to fully format your HD and re-install XP, a clean start.* What are your thoughts on that as an option?

Possibly there is a hidden rootkit that we have failed to see, I honestly cannot think of any other reason. OK, best way forward is to d/l GMER to your Desktop and save it. Then do a clean boot of windows, make sure no security is on, same with internet connection. Then run GMER and see what is produced in its log....

Please download GMER (only for use on 32-bit operating systems) from: http://www.gmer.net/index.php

Click on the "Download EXE" button and save the randomly named .exe file to your desktop.

Note: You must uninstall any CD Emulation programs that you have before running GMER as they can cause conflicts and give false results.

Next,

We now do a clean boot of your system:

Click Start, click Run, type msconfig, and then click OK.

The System Configuration Utility dialog box is displayed.

We now need to configure selective startup options:


 In the *System Configuration Utility* dialog box, click the *General tab*, and then click *Selective Startup*.
 Click to clear the *Process SYSTEM.INI File* check box.
 Click to clear the *Process WIN.INI File* check box.
 Click to clear the *Load Startup Items check box*. Verify that *Load System Services* and *Use Original BOOT.INI* are checked.
 Click the Services tab.
 Click to select the *Hide All Microsoft Services* check box.
 Click *Disable All*, and then click *OK*. This will disable non-MS services.
 When you are prompted, click Restart to restart the computer.

When you receive the following message, click to select the "Don't show this message or launch the System Configuration Utility when Windows starts" check box, and then click OK.

Next,

Now we run GMER, ensure Security and Internet connection are not active....

Double click the GMER .exe file on your desktop to run the tool and it will automatically do a quick scan.

If the tool warns of rootkit activity and asks if you want to run a full scan, click on No and make sure the following are unchecked on the right-hand side:

*IAT/EAT*

*Any* drive letter other than the primary system drive (which is generally C:\).

Click the Scan button and when the scan is finished, click Save and save the log in Notepad with the name ark.txt to your desktop.

Note: It's important that all other windows be closed and that you don't touch the mouse or do anything with the computer during the scan as it may cause it to freeze.

Next,

To return your computer to a Normal startup mode when complete, follow these steps:


 Open msconfig...
 On the General tab, click Normal Startup - load all device drivers and services, and then click OK.
 When you are prompted, click Restart.

Post the GMER log in your reply...

Kevin


----------



## Pokeyturtle (Oct 25, 2012)

Stupid question. I don't think I have any, but what exactly are CD Emulation programs? Where would they be located so I can uninstall them?


----------



## kevinf80 (Mar 21, 2006)

I'd guess if you do not understand emulation with regard to the available software, you have none. Having CD/DVD emulation software works like having multiple CD/DVD ROM drives.

The emulation software allows users to run a CD/DVD image directly from a hard disk after mounting the image to a virtual disk drive. This works the same as or even better than the traditional way for users to run a CD/DVD from a physical disk drive after mounting the CD/DVD onto it.

Depending on the emulation software, the number of virtual disk drives can be easily set to more than 10 or 20, at no extra cost, while the number of physical disk drives is usually limited to one that was bought as part of the PC.

I guess the two most common ones are Alcohol 52% and Daemon Tools....


----------



## Pokeyturtle (Oct 25, 2012)

Daemon sounds familiar, but i don't see that in my programs. Would the below programs cause GMER not to work correctly?

Easy CD creator 5 Basic

PowerDVD SE

Frostwire

Xvid Video Codec


----------



## Pokeyturtle (Oct 25, 2012)

One more thing..for GMER, should "Show All" be unchecked as well?


----------



## kevinf80 (Mar 21, 2006)

Yes, remove the "Show all" tick; the other programs you list are OK and will not affect GMER.

Frostwire is a P2P application and not recommended in any respect, bad potential...


----------



## Pokeyturtle (Oct 25, 2012)

GMER log didn't save to my desktop, found it in my documents and it was blank.


----------



## Pokeyturtle (Oct 25, 2012)

I don't know, I'm at a loss here. I know something isn't right but cannot pinpoint it.

After GMER ran, I went to msconfig to set it back to Normal Startup. I went to Services just to see what was there. I checked Hide All Microsoft Services to see what was left, and Microsoft Antimalware Service is in the list. Shouldn't that be hidden now? Is it possible that it's not legitimate? It was stopped earlier but is now running. Also, when I rebooted, MSE is not showing in my taskbar again, though it's set to Always Show.

I rebooted again to see if it would appear, and some kind of warning popped up (above my clock). It was a white box with a red border and words. It flashed up very fast, then dropped down behind my taskbar. I have no idea what it said. Very frustrating.

The other issue I've had is fragments that cannot be fixed or moved. I ran Puran defrag again to see if I can find a path to the files. Not sure what to do about them, or how to fix it. I'm posting the Puran log below. What are your thoughts?

2012/11/08 at 22:51:07 
Analysis Report For C: 

Total Files 72595 
Total Directories 9300 
Total Excluded 0 
Total Deleted 0 
Total Deleted Bytes 0 MB 

Total Fragmented Files 22 
Total Fragmented Directories 0 
Total Fragmented Bytes 58 MB 

MFT Fragments 3 
Registry Fragments 1 
Pagefile Fragments 1 

Fragmentation Percentage By Size 0% 
Fragmentation Percentage By Count 0% 

Analysis Report For C: After Defragmentation 

Total Fragmented Files 2 
Total Fragmented Directories 0 
Total Fragmented Bytes 57 MB 

Fragmentation Percentage By Size 0% 
Fragmentation Percentage By Count 0% 


The following files/directories were defragmented - Top 10 

Path Lcn Size in MB Fragments 
C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Scans\History\Results\Resource\{0357A1F5-8382-402F-B408-20089CA2C689} 106846 0.01 1 
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG 107546 0.00 1 
C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Scans\History\Results\Resource\{C1450D28-F7F9-499B-859A-D39EF424BDEF} 109818 0.01 1 
C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Scans\History\Results\Resource\{5762A8F4-9CB6-4EA7-AE2A-6D81A4EE13F6} 109820 0.01 1 
C:\My Downloads\Puran Defrag\PuranDefrag.html 110387 0.01 1 
C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Scans\History\Results\Resource\{F0C7B9F2-CC55-46DE-8029-EAC5604ABB1E} 110389 0.01 1 
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG 110547 0.00 1 
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG 110612 0.00 1 
C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Scans\History\Results\Resource\{B7689973-F494-4135-80D3-F4C5F4E744B1} 111674 0.01 1 
C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Scans\History\Results\Resource\{FA981BD3-9ADC-4AEF-A17B-B97B7279CE88} 111676 0.01 1 


The following files/directories are still fragmented - Top 10 

Path Lcn Size in MB Fragments 
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 4393 0.06 2


----------



## kevinf80 (Mar 21, 2006)

Hiya Pokeyturtle,

I too am becoming lost with this chase. The file you quote from the Puran log as showing fragmented is usually ignored:
*C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb* Have a read of the following link for a bit of info on the file:

http://answers.microsoft.com/en-us/...edb-file/8fe699fc-aae1-4b26-9bc0-55cb24608fbe

The other point you mention, about hidden files: only MS system files are hidden initially, that is, files belonging to the Operating system. Anything such as MSE is installed after the OS installation and would have to be hidden manually when doing preps for the clean boot.

Probably the best way forward is to do a check on your HD; let's make sure that is ok first. Go to the following link:

http://www.seagate.com/support/inte...-electronics/ld25-series/seatools-dos-master/

All instructions and knowledge bases are there for you. If the HD is good with no faults we'll try some scans from outside of Windows. Let me know the results on the HD tests...

Kevin


----------



## Pokeyturtle (Oct 25, 2012)

Hi Kevin,

I read the article at answers.microsoft.com for the file *C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb*

Though, I don't see that file in my Puran log as being fragmented.......I see this one
*C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 4393 0.06 2*

Will do the HD check next and report back.


----------



## kevinf80 (Mar 21, 2006)

Yes, the file *tmp.edb* will appear in both locations, the one you quote and the one from the link I gave you; if you look you should have both on your system.

I have XP and Windows 7 open just now; those files are on both of those systems if I navigate to the shown addresses. As far as I know they are never malicious.
If you are concerned upload the file to VirusTotal and have it checked out...


----------



## Pokeyturtle (Oct 25, 2012)

Well, the HD check from Seagate is proving to be very challenging for me. It wants me to create a bootable CD from an ISO image file. I'm using Roxio, which has worked fine in the past. When opening Roxio Easy CD Creator, a warning comes up saying "Easy CD Creator Engine initialization failed: (could not load CDR4)". The program still opened, so I tried to burn the file anyway. It didn't work; it says "There are no supported CD-Recorders available".

I checked in my device manager to see if the drives are working, and it says that they are working properly.


----------



## kevinf80 (Mar 21, 2006)

Maybe try a different application to burn the ISO. ImgBurn is the one I use:

http://www.imgburn.com/index.php?act=download


----------



## Pokeyturtle (Oct 25, 2012)

Hi Kevin,

Hope you had a great weekend. I needed to spend mine away from this computer as I'm overwhelmed with it all. I appreciate all of your help and time spent with me, and I'm throwing in the towel. I did some research last Friday on the Microsoft security website and can't help but think there may be a hole in my security. I think I'm missing a few important security updates, but I'm not sure. I found a 1-800# and may give that a try as my last ditch effort. I'll report back if that indeed is the source of any of my problems. What do I need to do next to completely remove all of the programs, logs, etc. we used?

Many thanks,
Pokeyturtle


----------



## kevinf80 (Mar 21, 2006)

Try this one last scan; it is an anti-rootkit scan from Malwarebytes and relatively new, so maybe it will show something up. If this fails I'll give you the clean-up procedure to remove all tools etc...

1. Download Malwarebytes Anti-Rootkit from this link http://www.malwarebytes.org/products/mbar/
2. Unzip the File to a convenient location. (Recommend the Desktop)
3. Open the folder where the contents were unzipped and run *mbar.exe*

4. The following image opens, select Next.

5. The following image opens, select Update

6. When the Update completes, select Next

7. In the following window ensure "Targets" are ticked. Then select "Scan"

8. If an infection is found select the *"Cleanup Button"* to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

9. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click *"Cleanup Button"* once more and repeat the process.
10. If no threats were found you will see the following image, Select *Exit*:

11. Verify that your system is now running normally, making sure that the following items are functional:

 Internet access
 Windows Update
 Windows Firewall

12. If there are additional problems with your system, such as any of those listed above or *other system* issues, then run the *'fixdamage'* tool included within the Malwarebytes Anti-Rootkit folder.

13. The following Window will open, Select *"Y"* from your Keyboard, tap Enter.

14. The fix will be applied, select any key to Exit.

15. Let me know how your system now responds. Copy and paste the two following logs from the *mbar* folder:

*System - log*
*Mbar - log* Date and time of scan will also be shown

Thanks,

Kevin...


----------



## Pokeyturtle (Oct 25, 2012)

Hi Kevin, 

Once I update the definitions for this, can I run it without internet access? I've been turning on my computer without the wifi. I noticed that when the wifi is turned on during start up or a reboot is when my WinPatrol or MSE disappears from the taskbar. I ran TFC earlier this morning and when it rebooted with the wifi turned on, I got the red shield saying my virus protection is turned off. I opened MSE and it showed all was good, but it was indeed turned off when going to my Security Center.


----------



## kevinf80 (Mar 21, 2006)

Yes, run it with wifi off if you want...


----------



## Pokeyturtle (Oct 25, 2012)

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.593000 GHz
Memory total: 518762496, free: 128921600

------------ Kernel report ------------
11/12/2012 13:29:21
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\System32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
sr.sys
MpFilter.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\System32\DRIVERS\intelppm.sys
\SystemRoot\System32\DRIVERS\ialmnt5.sys
\SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\usbuhci.sys
\SystemRoot\System32\DRIVERS\USBPORT.SYS
\SystemRoot\System32\DRIVERS\usbehci.sys
\SystemRoot\System32\DRIVERS\GWMDM.sys
\SystemRoot\System32\DRIVERS\ks.sys
\SystemRoot\System32\Drivers\Modem.SYS
\SystemRoot\System32\DRIVERS\e100b325.sys
\SystemRoot\System32\DRIVERS\fdc.sys
\SystemRoot\System32\DRIVERS\serial.sys
\SystemRoot\System32\DRIVERS\serenum.sys
\SystemRoot\System32\DRIVERS\parport.sys
\SystemRoot\System32\DRIVERS\cdrom.sys
\SystemRoot\System32\DRIVERS\redbook.sys
\SystemRoot\System32\Drivers\GEARAspiWDM.sys
\SystemRoot\System32\DRIVERS\imapi.sys
\SystemRoot\system32\drivers\smwdm.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\aeaudio.sys
\SystemRoot\System32\DRIVERS\audstub.sys
\SystemRoot\System32\DRIVERS\rasl2tp.sys
\SystemRoot\System32\DRIVERS\ndistapi.sys
\SystemRoot\System32\DRIVERS\ndiswan.sys
\SystemRoot\System32\DRIVERS\raspppoe.sys
\SystemRoot\System32\DRIVERS\raspptp.sys
\SystemRoot\System32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\psched.sys
\SystemRoot\System32\DRIVERS\msgpc.sys
\SystemRoot\System32\DRIVERS\ptilink.sys
\SystemRoot\System32\DRIVERS\raspti.sys
\SystemRoot\System32\DRIVERS\termdd.sys
\SystemRoot\System32\DRIVERS\kbdclass.sys
\SystemRoot\System32\DRIVERS\mouclass.sys
\SystemRoot\System32\DRIVERS\swenum.sys
\SystemRoot\System32\DRIVERS\update.sys
\SystemRoot\System32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\DRIVERS\usbhub.sys
\SystemRoot\System32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\MODEMCSA.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\DRIVERS\usbccgp.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\System32\DRIVERS\tcpip.sys
\SystemRoot\System32\DRIVERS\ipnat.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbios.sys
\SystemRoot\System32\DRIVERS\rdbss.sys
\SystemRoot\System32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\System32\DRIVERS\hidusb.sys
\SystemRoot\System32\DRIVERS\HIDCLASS.SYS
\SystemRoot\System32\DRIVERS\kbdhid.sys
\SystemRoot\System32\DRIVERS\mouhid.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ialmdnt5.dll
\SystemRoot\System32\ialmrnt5.dll
\SystemRoot\System32\ialmdev5.DLL
\SystemRoot\System32\ialmdd5.DLL
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\System32\DRIVERS\ndisuio.sys
\SystemRoot\System32\DRIVERS\mrxdav.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\HTTP.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff863cd030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
Lower Device Object: 0xffffffff86368030
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
DriverEntry returned 0x0
Function returned 0x0
Downloaded database version: v2012.11.12.05
Downloaded database version: v2012.11.09.02
=======================================

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.593000 GHz
Memory total: 518762496, free: 218513408

------------ Kernel report ------------
11/12/2012 14:26:48
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\System32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
sr.sys
MpFilter.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\System32\DRIVERS\intelppm.sys
\SystemRoot\System32\DRIVERS\ialmnt5.sys
\SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\usbuhci.sys
\SystemRoot\System32\DRIVERS\USBPORT.SYS
\SystemRoot\System32\DRIVERS\usbehci.sys
\SystemRoot\System32\DRIVERS\GWMDM.sys
\SystemRoot\System32\DRIVERS\ks.sys
\SystemRoot\System32\Drivers\Modem.SYS
\SystemRoot\System32\DRIVERS\e100b325.sys
\SystemRoot\System32\DRIVERS\fdc.sys
\SystemRoot\System32\DRIVERS\serial.sys
\SystemRoot\System32\DRIVERS\serenum.sys
\SystemRoot\System32\DRIVERS\parport.sys
\SystemRoot\System32\DRIVERS\cdrom.sys
\SystemRoot\System32\DRIVERS\redbook.sys
\SystemRoot\System32\Drivers\GEARAspiWDM.sys
\SystemRoot\System32\DRIVERS\imapi.sys
\SystemRoot\system32\drivers\smwdm.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\aeaudio.sys
\SystemRoot\System32\DRIVERS\audstub.sys
\SystemRoot\System32\DRIVERS\rasl2tp.sys
\SystemRoot\System32\DRIVERS\ndistapi.sys
\SystemRoot\System32\DRIVERS\ndiswan.sys
\SystemRoot\System32\DRIVERS\raspppoe.sys
\SystemRoot\System32\DRIVERS\raspptp.sys
\SystemRoot\System32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\psched.sys
\SystemRoot\System32\DRIVERS\msgpc.sys
\SystemRoot\System32\DRIVERS\ptilink.sys
\SystemRoot\System32\DRIVERS\raspti.sys
\SystemRoot\System32\DRIVERS\termdd.sys
\SystemRoot\System32\DRIVERS\kbdclass.sys
\SystemRoot\System32\DRIVERS\mouclass.sys
\SystemRoot\System32\DRIVERS\swenum.sys
\SystemRoot\System32\DRIVERS\update.sys
\SystemRoot\System32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\DRIVERS\usbhub.sys
\SystemRoot\System32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\MODEMCSA.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\DRIVERS\usbccgp.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\System32\DRIVERS\tcpip.sys
\SystemRoot\System32\DRIVERS\ipnat.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbios.sys
\SystemRoot\System32\DRIVERS\rdbss.sys
\SystemRoot\System32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\System32\DRIVERS\hidusb.sys
\SystemRoot\System32\DRIVERS\HIDCLASS.SYS
\SystemRoot\System32\DRIVERS\kbdhid.sys
\SystemRoot\System32\DRIVERS\mouhid.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ialmdnt5.dll
\SystemRoot\System32\ialmrnt5.dll
\SystemRoot\System32\ialmdev5.DLL
\SystemRoot\System32\ialmdd5.DLL
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\System32\DRIVERS\ndisuio.sys
\SystemRoot\System32\DRIVERS\mrxdav.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\HTTP.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff863cd030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
Lower Device Object: 0xffffffff86368030
Lower Device Driver Name: \Driver\atapi\
Device already Exists: 0xffffffff85d42578
Initializing...
Done!
Scanning directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff863cd030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff863ce9e0, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff863cd030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff86369f18, DeviceName: \Device\00000059\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff86368030, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
------------ End ----------
Upper DeviceData: 0xffffffffe1bb3ee0, 0xffffffff863cd030, 0xffffffff8622a5d0
Lower DeviceData: 0xffffffffe1b8d428, 0xffffffff86368030, 0xffffffff85d42578
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 9BB09BB0

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 160071597
Partition file system is NTFS
Partition is bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 81964302336 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-160066528-160086528)...
Done!
Performing system, memory and registry scan...
Done!
Scan finished
=======================================

Malwarebytes Anti-Rootkit 1.1.0.1009
www.malwarebytes.org

Database version: v2012.11.12.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: GATEWAY-348915F [administrator]

11/12/2012 2:59:13 PM
mbar-log-2012-11-12 (14-59-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: PUP | PUM | P2P
Objects scanned: 26325
Time elapsed: 31 minute(s), 33 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


----------



## kevinf80 (Mar 21, 2006)

mmm.... another very clean log. Maybe your best option is to format the HD and just complete a fresh install of XP.....


----------



## Pokeyturtle (Oct 25, 2012)

If my DVD/CD-ROM drives are no longer working correctly, how could I reformat? Not sure if my computer can read my Windows XP disc.

I'm confused about part of the log (copied below). Is that referring to my boot order?
The picture of my BIOS screen I sent you on page 5 #61 says "A device enclosed in parentheses has been disabled in the corresponding menu".

Well, all the devices shown are enclosed in parentheses.....I don't get it. Wouldn't that make everything in my boot order disabled? How and where is my computer booting from?

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 160071597
Partition file system is NTFS
Partition is bootable

Partition 1 type is Empty (0x0) 
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0) 
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

I've been going through all of our posts to see if I overlooked a step, and trying to find the scan you had me run that found all the trojans (page 2, DrWeb). I'm second-guessing myself here and hoping I followed all the directions correctly. After we did DrWeb, you had me create a new system restore point. I just checked to see if my system restore is working okay, and noticed "Software Distribution Service 3.0" has installed every day since then. Could that be the cause of my problems? Should I run the DrWeb scan again??


----------



## kevinf80 (Mar 21, 2006)

When you sent the picture of the boot order, that showed a list of Hardware in "Boot": your Hard drive, CD/DVD drive, etc etc.... If you recall your boot order was wrong and we had to correct it...

The list you show in blue only relates to your Hard drive and is showing its potential Partition layout; it is very safe and is correct. Up to now we are not seeing anything malicious in the recent scans.

Have you actually tried your CD/DVD tray to see if it works? Maybe put a music CD or video DVD in and see if they work.

Occasionally when malware has been removed and the system is clean there may have been damage done to system files, the registry etc. Although the system starts and runs, there are issues; in that situation a full re-format and re-install is the best option.
Occasionally UNinstalling SP3 and then Re-installing it can also help, but not always....

There is also the option to do a repair install, that is where the OS is overwritten from the installation CD; all files and folders with personal data, pictures, music etc are retained, just the OS is changed. However, it is always best to back up important data just in case....

If a repair install is done the system will be out of date; if the Installation CD only has SP1 or SP2 it would need the SP3 update as soon as possible.

You mention DrWeb; if you want to run that again, yep go ahead and post the log.

Kevin...

***Edit forgot about your other question:

The Software Distribution Service 3.0 Restore Point gets created when new Microsoft updates are downloaded and installed. Depending on how your system is configured, the updates may be downloaded and installed automatically such that you never see it happening.
As you are using Microsoft Security Essentials and an update to MSE comes out daily, you may not "see" anything on your system to let you know about it, but when the MSE update gets installed, a new Restore Point called "Software Distribution Service 3.0" will be created. That may show more than once per day if several updates are installed...
Does that clear that question for you?


----------
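The partition table Pokeyturtle copied out of the MBAR log, and Kevin's reading of it, can be checked mechanically. The Python below is an added example, not code from the thread and not Malwarebytes' code: it rebuilds a 512-byte MBR carrying exactly the values in the log (disk signature 9BB09BB0, one active type-0x07 partition at LBA 63 spanning 160071597 sectors, an 81964302336-byte disk), decodes it the way a scanner's "Inspecting partition table" step does, works out which sectors belong to no partition at all, and reads those sectors raw from a small constructed disk image with a made-up blob planted in the gap. The sample image, its disk signature and the blob are inventions for the demo, and the gap scan is a simplified illustration of what "scanning physical sectors of unpartitioned space" means, not MBAR's actual algorithm.

```python
import struct

SECTOR = 512
PTYPE_NAMES = {0x00: "Empty", 0x05: "Extended", 0x07: "NTFS/HPFS", 0x0B: "FAT32",
               0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x82: "Linux swap",
               0x83: "Linux"}

# Values copied from the MBAR log posted in this thread.
THREAD_DISK_SIGNATURE = 0x9BB09BB0
THREAD_PARTITIONS = [(True, 0x07, 63, 160071597)]   # (active, type, lba_start, num_sectors)
THREAD_TOTAL_SECTORS = 81964302336 // SECTOR        # 160086528 sectors of 512 bytes


def build_mbr(partitions, disk_signature, boot_code=b""):
    """Assemble a 512-byte MBR: boot code at 0, NT disk signature at 440, four
    16-byte partition entries at 446 and the 55AA signature at 510. CHS fields
    are filled with 0xFF as LBA-only tools do."""
    assert len(boot_code) <= 440, "boot code must end before the disk signature"
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, 440, disk_signature)
    for i, (active, ptype, start, count) in enumerate(partitions[:4]):
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i,
                         0x80 if active else 0x00, b"\xff\xff\xff",
                         ptype, b"\xff\xff\xff", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(sector):
    """Decode an MBR the way a scanner's 'Inspecting partition table' step does:
    check the 55AA signature, read the disk signature and the four entries, and
    reject boot flags other than 0x00/0x80 (a corrupt or hand-edited table)."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (wrong size or missing 55AA signature)")
    disk_sig = struct.unpack_from("<I", sector, 440)[0]
    parts = []
    for i in range(4):
        flag, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if flag not in (0x00, 0x80):
            raise ValueError("partition %d has invalid boot flag 0x%02X" % (i, flag))
        parts.append({"index": i, "active": flag == 0x80, "type": ptype,
                      "type_name": PTYPE_NAMES.get(ptype, "unknown"),
                      "lba_start": start, "num_sectors": count})
    return {"disk_signature": "%08X" % disk_sig, "partitions": parts}


def unpartitioned_ranges(parts, total_sectors):
    """Inclusive sector ranges that belong to no partition: the gap between the
    MBR and the first partition, and any slack at the end of the disk. Nothing
    in the file system ever reads these, which is why MBR bootkits keep their
    payload or a hidden file system there and why a scanner reads them raw."""
    used = sorted((p["lba_start"], p["lba_start"] + p["num_sectors"])
                  for p in parts if p["type"] != 0x00)
    gaps, cursor = [], 1          # sector 0 is the MBR itself
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def scan_gaps(image, gaps):
    """Sector numbers inside the gaps that are not all zero. A freshly
    partitioned disk has blank gaps; content there is a lead, not a verdict."""
    hits = []
    for lo, hi in gaps:
        for lba in range(lo, hi + 1):
            if any(image[lba * SECTOR:(lba + 1) * SECTOR]):
                hits.append(lba)
    return hits


def thread_partition_table():
    """Rebuild the MBR described by the thread's MBAR log and decode it."""
    return parse_mbr(build_mbr(THREAD_PARTITIONS, THREAD_DISK_SIGNATURE))


def build_sample_disk(total_sectors=4096, payload_sectors=(10, 4090)):
    """Constructed 2 MiB image: one active NTFS partition at LBA 63 (sectors
    63..4062) plus a made-up blob planted in the gap sectors listed."""
    image = bytearray(total_sectors * SECTOR)
    image[:SECTOR] = build_mbr([(True, 0x07, 63, 4000)], 0xDEADBEEF)
    blob = b"FAKE-BOOTKIT-BLOB"
    for lba in payload_sectors:
        image[lba * SECTOR:lba * SECTOR + len(blob)] = blob
    return bytes(image)


def scan_sample_disk():
    """Parse the sample image's MBR, derive its gaps and scan them."""
    image = build_sample_disk()
    info = parse_mbr(image[:SECTOR])
    gaps = unpartitioned_ranges(info["partitions"], len(image) // SECTOR)
    return gaps, scan_gaps(image, gaps)


if __name__ == "__main__":
    table = thread_partition_table()
    print(table)
    print(unpartitioned_ranges(table["partitions"], THREAD_TOTAL_SECTORS))
    print(scan_sample_disk())   # ([(1, 62), (4063, 4095)], [10, 4090])
```

Run stand-alone, the first two lines printed are the thread's table (one active NTFS partition, three empty slots, exactly as Kevin says) and its unpartitioned ranges: sectors 1 to 62 between the MBR and the first partition, and the slack after the partition ends at sector 160071660. Those two regions are where MBR bootkits hide, because no volume on the disk ever reads them. A zero-filled gap is the expected result on a disk with a single OEM partition; a non-zero one is a lead rather than a verdict, since boot managers and some OEM recovery tools also write there.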



## Pokeyturtle (Oct 25, 2012)

Well, the repair install sounds great at this point. I've recently backed up my whole C drive onto an old 80gb iPod, but that was before the malware had been removed. I'll try to find some memory sticks or something to back up my important files.

I'm leaving home now; when I return I'll try the DrWeb one more time.

Also, when starting up my system today, I turned on my wifi and a yellow triangle with an exclamation showed up saying there was an IP address conflict with a device on my network. I'm going to turn it off for now, until I return home.


----------



## kevinf80 (Mar 21, 2006)

What other systems are attached to the network? That seems odd, what you've just quoted. Do you connect via wired or wireless?

Can you run this before you go for DrWeb:

Please download *MiniToolBox* and save it to your desktop.

Double click the icon to run the tool.

You will now see the following Control Panel.

Checkmark the following check-boxes and select *GO:*

*Flush DNS
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP Configuration
List Winsock Entries
List last 10 EventViewer Entries
List Installed Programs
List Users, Partitions and Memory size
List Minidump Files*

Post the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is saved in.

Kevin


----------
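The MiniToolBox options Kevin ticks are not arbitrary: the hosts file and the Winsock catalog are the two places on an XP box that malware of that era rewrote to stop updates and to sit in the traffic path. As an added example (mine, not the thread's and not MiniToolBox's code), the Python below runs those two checks over constructed text in the layout MiniToolBox prints. The clean Winsock sample mirrors the kind of entries a stock XP install with iTunes shows; the tampered hosts and Winsock samples are invented, and the allowlist treating mdnsNSP.dll as Apple's Bonjour provider is an assumption to extend for your own machine.

```python
import re

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
STOCK_HOSTS_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\winnt\\system32\\")
# Allowlist assumption: Apple's Bonjour name-space provider ships with iTunes and
# is a common, legitimate non-Microsoft Winsock entry on home PCs.
KNOWN_PROVIDERS = {"mdnsnsp.dll": "Apple Bonjour"}

# "Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)"
WINSOCK_RE = re.compile(r"^(Catalog[59])\s+(\d+)\s+(.+?)\s+\[(\d+)\]\s+\((.*)\)\s*$")

# Constructed samples in the layout MiniToolBox prints; not the thread's own output.
HOSTS_CLEAN = "127.0.0.1 localhost\n"
HOSTS_TAMPERED = """# constructed sample
127.0.0.1       localhost
127.0.0.1       update.microsoft.com
127.0.0.1       www.malwarebytes.org
192.0.2.10      www.example-bank.com
"""
WINSOCK_CLEAN = """Catalog5 01 C:\\Windows\\System32\\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\\Windows\\System32\\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 04 C:\\Program Files\\Bonjour\\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\\Windows\\system32\\mswsock.dll [245248] (Microsoft Corporation)
"""
WINSOCK_TAMPERED = WINSOCK_CLEAN + (
    "Catalog9 02 C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\nsp32.dll [40960] ()\n")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def suspicious_hosts(text):
    """Anything beyond the stock localhost line deserves a look: a name pinned to
    loopback is a sinkhole (the classic way of blocking update and security
    sites), a name pinned anywhere else is a redirect that bypasses DNS."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in STOCK_HOSTS_NAMES and ip in LOOPBACK:
            continue
        kind = "sinkholed to loopback" if ip in LOOPBACK else "redirected to " + ip
        findings.append((name, kind))
    return findings


def suspicious_winsock(text):
    """Flag Winsock catalog entries (LSPs / name-space providers) whose DLL is not
    a Microsoft file under System32 and not on the allowlist. Every socket on the
    box passes through these DLLs, which is why malware likes to register one."""
    findings = []
    for line in text.splitlines():
        m = WINSOCK_RE.match(line.strip())
        if not m:
            continue
        catalog, idx, path, _size, vendor = m.groups()
        low = path.lower()
        dll = low.rsplit("\\", 1)[-1]
        if vendor == "Microsoft Corporation" and low.startswith(SYSTEM_DIRS):
            continue
        if dll in KNOWN_PROVIDERS:
            continue
        reasons = []
        if not vendor:
            reasons.append("no vendor name in version info")
        if not low.startswith(SYSTEM_DIRS):
            reasons.append("outside System32")
        if "\\temp\\" in low:
            reasons.append("lives in a Temp directory")
        findings.append(("%s %s" % (catalog, idx), path,
                         "; ".join(reasons) or "non-Microsoft provider"))
    return findings


if __name__ == "__main__":
    for label, text in (("clean", HOSTS_CLEAN), ("tampered", HOSTS_TAMPERED)):
        print("hosts", label, suspicious_hosts(text))
    for label, text in (("clean", WINSOCK_CLEAN), ("tampered", WINSOCK_TAMPERED)):
        print("winsock", label, suspicious_winsock(text))
```

On the thread's own MiniToolBox output both checks come back empty: the hosts file holds only the stock localhost line, and the one non-Microsoft Winsock entry is Apple's Bonjour provider. That matches Kevin's reading that nothing malicious is showing. Flagged entries are leads to look up rather than verdicts, since legitimate software adds both kinds of entries too, but a hosts line pinning an update or anti-malware site to 127.0.0.1, or a provider DLL sitting in a Temp folder with no vendor name, is the pattern that used to keep XP machines from updating or fetching removal tools.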



## Pokeyturtle (Oct 25, 2012)

Hi Kevin,

I know nothing about this wireless stuff. It's all new to me. As of yesterday, nothing should have been attached to my network but my computer, which is listed on my router page under Wired Devices.
*Wired Devices*
#  IP Address   Device Name      MAC Address
1  192.168.1.2  gateway-348915f  00:07:E9:4A:F7:F0
Then below that it says Wireless Devices (Wireless intruders also show up here), and there was another IP address and MAC address listed as well. It did not show the device name, and I thought that may be suspicious (maybe it could have been my printer). I reset my wireless router and changed the SSID and password. The only thing listed then was my computer. Later I added my daughter's iPod, which showed up under wireless devices with her name showing. Then added my son's Nintendo DS. His DS never showed up in the list for wireless devices. I thought that was because I disabled the internet browser in the parental controls of his DS. Maybe that's the conflict, I don't know.

Today when turning on the wireless router, I got that message. I checked my router page to see what was listed and all of the same above info was listed under Wired Devices, except for the Device Name, which was blank. It did not show gateway-348915f. Same for the Wireless Devices. It showed an IP and MAC Address but no Device Name. I'm assuming that's my daughter's iPod. Again, I don't know. I just turned it off until now, and now it's showing gateway-348915f. Nothing showed under wireless devices. I just closed the router page and reopened and the iPod now shows up. The IP address is different than the gateway IP address.


----------



## Pokeyturtle (Oct 25, 2012)

MiniToolBox by Farbar Version: 10-11-2012 02
Ran by Owner (administrator) on 13-11-2012 at 16:41:00
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

Intel(R) PRO/100 VE Network Connection = Local Area Connection (Connected)

# ---------------------------------- 
# Interface IP Configuration 
# ---------------------------------- 
pushd interface ip

# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp 
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp

popd
# End of interface IP configuration

Windows IP Configuration

Host Name . . . . . . . . . . . . : gateway-348915f

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Broadcast

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection

Physical Address. . . . . . . . . : 00-07-E9-4A-F7-F0

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
Lease Obtained. . . . . . . . . . : Tuesday, November 13, 2012 3:33:20 PM
Lease Expires . . . . . . . . . . : Wednesday, November 14, 2012 3:33:20 PM

1.1.168.192.in-addr.arpa
primary name server = localhost
responsible mail addr = nobody.invalid
serial = 1
refresh = 600 (10 mins)
retry = 1200 (20 mins)
expire = 604800 (7 days)
default TTL = 10800 (3 hours)
Server: UnKnown
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.137.138, 74.125.137.100, 74.125.137.101, 74.125.137.102
74.125.137.139, 74.125.137.113

Pinging google.com [74.125.137.138] with 32 bytes of data:
Reply from 74.125.137.138: bytes=32 time=36ms TTL=48
Reply from 74.125.137.138: bytes=32 time=32ms TTL=48

Ping statistics for 74.125.137.138:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 32ms, Maximum = 36ms, Average = 34ms

1.1.168.192.in-addr.arpa
primary name server = localhost
responsible mail addr = nobody.invalid
serial = 1
refresh = 600 (10 mins)
retry = 1200 (20 mins)
expire = 604800 (7 days)
default TTL = 10800 (3 hours)
Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com
Addresses: 98.138.253.109, 98.139.183.24, 72.30.38.140

Pinging yahoo.com [98.138.253.109] with 32 bytes of data:
Reply from 98.138.253.109: bytes=32 time=205ms TTL=47
Reply from 98.138.253.109: bytes=32 time=119ms TTL=47

Ping statistics for 98.138.253.109:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 119ms, Maximum = 205ms, Average = 162ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 07 e9 4a f7 f0 ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.2      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      169.254.0.0      255.255.0.0      192.168.1.2     192.168.1.2      20
      192.168.1.0    255.255.255.0      192.168.1.2     192.168.1.2      20
      192.168.1.2  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.1.255  255.255.255.255      192.168.1.2     192.168.1.2      20
        224.0.0.0        240.0.0.0      192.168.1.2     192.168.1.2      20
  255.255.255.255  255.255.255.255      192.168.1.2     192.168.1.2       1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (11/12/2012 10:39:17 AM) (Source: MPSampleSubmission) (User: )
Description: EventType mptelemetry, P1 unspecified, P2 hardeningtelemetry, P3 hardeningtelemetrydisablertp, P4 4.1.522.0, P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (11/10/2012 08:10:57 PM) (Source: Application Hang) (User: )
Description: Hanging application WINWORD.EXE, version 11.0.5207.4, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (11/08/2012 08:57:39 AM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 16.0.2.4680, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (11/08/2012 08:49:20 AM) (Source: LoadPerf) (User: )
Description: Unable to read the performance counter strings of the 009 language ID.
The Win32 status returned by the call is the first DWORD in Data section.

Error: (11/08/2012 08:49:17 AM) (Source: LoadPerf) (User: )
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The
Error code is the first DWORD in Data section.

Error: (11/08/2012 08:48:10 AM) (Source: LoadPerf) (User: )
Description: Unable to read the performance counter strings of the 009 language ID.
The Win32 status returned by the call is the first DWORD in Data section.

Error: (11/08/2012 08:48:07 AM) (Source: LoadPerf) (User: )
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The
Error code is the first DWORD in Data section.

Error: (11/08/2012 08:47:58 AM) (Source: LoadPerf) (User: )
Description: Unable to read the performance counter strings of the 009 language ID.
The Win32 status returned by the call is the first DWORD in Data section.

Error: (11/08/2012 08:47:55 AM) (Source: LoadPerf) (User: )
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The
Error code is the first DWORD in Data section.

Error: (11/08/2012 08:44:58 AM) (Source: WinMgmt) (User: )
Description: Failed to load MOF C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MOF\SERVICEMODEL.MOF while recovering repository file.

System errors:
=============
Error: (11/13/2012 03:33:06 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (11/13/2012 03:33:06 PM) (Source: W32Time) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Error: (11/13/2012 00:39:08 PM) (Source: 0) (User: )
Description: 192.168.1.200:C6:10:8A:AF:15

Error: (11/13/2012 00:39:07 PM) (Source: 0) (User: )
Description: 192.168.1.200:C6:10:8A:AF:15

Error: (11/13/2012 00:39:07 PM) (Source: 0) (User: )
Description: 192.168.1.200:C6:10:8A:AF:15

Error: (11/13/2012 00:38:27 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.2 for the Network Card with network address 0007E94AF7F0 has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (11/13/2012 00:38:20 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (11/13/2012 00:38:20 PM) (Source: W32Time) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Error: (11/12/2012 03:00:35 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.2 for the Network Card with network address 0007E94AF7F0 has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (11/12/2012 10:52:21 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 1.139.1835.0

Update Source: %NT AUTHORITY59

Update Stage: 4.1.0522.00

Source Path: 4.1.0522.01

Signature Type: %NT AUTHORITY602

Update Type: %NT AUTHORITY604

User: NT AUTHORITY\SYSTEM

Current Engine Version: %NT AUTHORITY605

Previous Engine Version: %NT AUTHORITY606

Error code: %NT AUTHORITY607

Error description: %NT AUTHORITY608

Microsoft Office Sessions:
=========================
Error: (11/12/2012 10:39:17 AM) (Source: MPSampleSubmission)(User: )
Description: mptelemetryunspecifiedhardeningtelemetryhardeningtelemetrydisablertp4.1.522.0unspecifiedunspecifiedunspecifiedNILNILNIL

Error: (11/10/2012 08:10:57 PM) (Source: Application Hang)(User: )
Description: WINWORD.EXE11.0.5207.4hungapp0.0.0.000000000

Error: (11/08/2012 08:57:39 AM) (Source: Application Hang)(User: )
Description: firefox.exe16.0.2.4680hungapp0.0.0.000000000

Error: (11/08/2012 08:49:20 AM) (Source: LoadPerf)(User: )
Description: 009

Error: (11/08/2012 08:49:17 AM) (Source: LoadPerf)(User: )
Description: WmiApRplWmiApRpl

Error: (11/08/2012 08:48:10 AM) (Source: LoadPerf)(User: )
Description: 009

Error: (11/08/2012 08:48:07 AM) (Source: LoadPerf)(User: )
Description: WmiApRplWmiApRpl

Error: (11/08/2012 08:47:58 AM) (Source: LoadPerf)(User: )
Description: 009

Error: (11/08/2012 08:47:55 AM) (Source: LoadPerf)(User: )
Description: WmiApRplWmiApRpl

Error: (11/08/2012 08:44:58 AM) (Source: WinMgmt)(User: )
Description: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MOF\SERVICEMODEL.MOF

=========================== Installed Programs ============================

Acrobat.com (Version: 0.0.0)
Adobe Flash Player 11 Plugin (Version: 11.5.502.110)
Adobe Reader X (10.1.4) (Version: 10.1.4)
Apple Application Support (Version: 2.1.7)
Apple Mobile Device Support (Version: 4.0.0.97)
Apple Software Update (Version: 2.1.3.127)
Auslogics Disk Defrag (Version: 3.5)
Bonjour (Version: 3.0.0.10)
Canon Easy-PhotoPrint EX
Canon IJ Network Scanner Selector EX
Canon IJ Network Tool
Canon MG3100 series MP Drivers
Canon MP Navigator EX 5.0
Canon My Printer
Canon Solution Menu EX
CCleaner (Version: 3.23)
Coupon Printer for Windows (Version: 5.0.0.1)
Do More 7.0 (Version: 1.00.000)
Easy CD Creator 5 Basic (Version: 5.3.5.10)
EPSON Printer Software
ESET Online Scanner v3
FrostWire 5.3.9 (Version: 5.3.9.0)
G-Force (Version: 3.5.6)
Gateway Drivers and Applications Recovery
Gateway IE Customizations
Gateway User's Guide
Google Update Helper (Version: 1.3.21.123)
GTW V.92 Voicemodem
HighMAT Extension to Microsoft Windows XP CD Writing Wizard (Version: 1.1.1905.1)
Intel(R) Extreme Graphics 2 Driver (Version: 6.14.10.4299)
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet (Version: 6.05.2001)
iTunes (Version: 10.5.3.3)
Java 7 Update 9 (Version: 7.0.90)
Java Auto Updater (Version: 2.1.9.0)
Malwarebytes Anti-Malware version 1.65.1.1000 (Version: 1.65.1.1000)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003 (Version: 11.0.5207.5)
Microsoft Picture It! Express 2001 (Version: 5.0.0.0000)
Microsoft Picture It! Photo 7.0 (Version: 7.0.0.0000)
Microsoft Security Client (Version: 4.1.0522.0)
Microsoft Security Essentials (Version: 4.1.522.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows XP Video Decoder Checkup Utility
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0 (Version: 07.02.0710.1)
Microsoft Works Suite Add-in for Microsoft Word (Version: 2.0.0.0000)
Mozilla Firefox 16.0.2 (x86 en-US) (Version: 16.0.2)
Mozilla Maintenance Service (Version: 16.0.2)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
NETGEAR Live Parental Controls Management Utility 2.1.5 (Version: 2.1.5)
PC-Doctor for Windows
PokerStars (Version: 1.803)
PowerDVD SE
Puran Defrag 7.5
QuickTime (Version: 7.72.80.56)
Shockwave
TypeItIn
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Windows Internet Explorer 8 (KB2632503) (Version: 1)
Update for Windows Internet Explorer 8 (KB973874) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows Internet Explorer 8 (KB976749) (Version: 1)
Update for Windows Internet Explorer 8 (KB980182) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2749655) (Version: 1)
Visual C++ 2008 x86 Runtime - (v9.0.30729) (Version: 9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01 (Version: 9.0.30729.01)
WebFldrs XP (Version: 9.50.6513)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.7.0017.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 7 (Version: 20061107.210142)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3 (Version: 20080414.031525)
Windstream Broadband Check-up Center
WinRAR 4.01 (32-bit) (Version: 4.01.0)
Works Suite OS Pack (Version: 3.0.0.0000)
Xvid Video Codec (Version: 1.3.2)

========================= Memory info: ===================================

Percentage of memory in use: 84%
Total physical RAM: 494.73 MB
Available physical RAM: 76.05 MB
Total Pagefile: 1155.47 MB
Available Pagefile: 754.14 MB
Total Virtual: 2047.88 MB
Available Virtual: 1972.67 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:76.33 GB) (Free:48.5 GB) NTFS

========================= Users: ========================================

User accounts for \\GATEWAY-348915F

Administrator ASPNET Guest 
HelpAssistant Owner SUPPORT_388945a0

========================= Minidump Files ==================================

C:\WINDOWS\Minidump\Mini102512-01.dmp
C:\WINDOWS\Minidump\Mini102512-02.dmp
C:\WINDOWS\Minidump\Mini103012-01.dmp

**** End of log ****


----------



## kevinf80 (Mar 21, 2006)

Hiya Pokeyturtle,

Nothing malicious in that log. However, one point of note to look at......

========================= Memory info: ===================================

*Percentage of memory in use: 84%*
Total physical RAM: 494.73 MB
Available physical RAM: 76.05 MB
Total Pagefile: 1155.47 MB
Available Pagefile: 754.14 MB
Total Virtual: 2047.88 MB
Available Virtual: 1972.67 MB

The amount of physical memory is sailing close to the wind, 84% in use, that means only 16% available. It may be a worthwhile option to upgrade your RAM (memory); maybe go to a website at Crucial and have your system checked, you will get part numbers etc for whatever RAM is needed. They will be expensive from Crucial but will be cheaper at local stores...

http://www.crucial.com/

Kevin...


----------



## Pokeyturtle (Oct 25, 2012)

Will all The RAM be reset if I reformat?


----------



## kevinf80 (Mar 21, 2006)

The amount of RAM in use is dependent on your OS and what applications are running at any given time. It was initially recommended that 512MB of RAM was adequate for XP when it was first brought out. Since then more and more applications are becoming more RAM hungry. 
Even if you did a format and re-install of XP the amount of RAM you have available may diminish as you update and re-install your favorite applications etc etc...
If I recall correctly I always had a minimum of 1 GB of RAM on any XP systems I had... Run the Crucial online check, see what it says your system is capable of running.


----------



## Pokeyturtle (Oct 25, 2012)

Hi Kevin,

Thanks for all the info. It all makes sense to me. Looks like I'll be adding more RAM to my computer here soon. Says I have four slots, each of which can hold up to 1GB. Since I have a 32 bit system, my computer can only use around 3GB. So I'll just keep the RAM I have and add 1GB to the two remaining slots I have available. Looks easy enough to do myself.

My only issue now is these failing MS updates. KB2698023 keeps failing to update over and over again. Says the following updates were not installed: *Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2698023)*
Then it tries to install again, with the same above results. Over and over.
It's a security update, so I'm not sure how vulnerable this is making my computer.

What are the next steps on cleaning up my computer from all the scans I've downloaded?

Many thanks,
PokeyTurtle


----------



## kevinf80 (Mar 21, 2006)

Hiya Pokeyturtle,

Go here https://www.microsoft.com/en-us/download/search.aspx?q=KB2698023 d/l and install that update, it is the top one do not go for the ISO...

For the clean up do the following:

*Step 1*

Remove Combofix now that we're done with it

Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")

Please follow the prompts to uninstall Combofix.
You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
The above procedure will delete the following:

ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

*It is very important that you get a successful uninstall because of the extra functions done at the same time, let me know if this does not happen.*

*Step 2*

We need to remove ESET Online Scanner (If installed).

Click Start, click Run, type *control appwiz.cpl* in the Open box, and then press ENTER.
Click to select *ESET Online Scanner* from the application list, and then click Remove. Only re-boot if prompted

*Step 3*


Download *OTC* by OldTimer and save it to your *desktop.* *Alternative mirror*
Double click the OTC icon to start the program. 
If you are using Vista or Windows 7 accept UAC
Then Click the big button.
You will get a prompt saying "_Beginning Cleanup Process_". Please select *Yes*.
Restart your computer when prompted.
This will remove tools we have used and itself.

*Any tools/logs remaining on the Desktop can be deleted.*

*Step 4*

If any of the following remain on the Desktop either delete or drag and drop in the recycle bin:

aswMBR plus any logs/files
Farbar SS plus any logs/files
MBAR plus any logs/files
Mini Toolbox plus any logs/files
Windows repair tool plus any logs/files
Security Checkup plus any logs/files.

When that completes run TFC, Not sure if you have TFC so I`ll give instructions... Ensure to re-boot after a run, even if not prompted. If you do not, icons that did appear in the tray will not show after a run with TFC. Remember the Desktop disappears and returns after the scan, minus tray icons!!!

Download TFC to your desktop, from either of the following links
*Link 1*
*Link 2*

Save any open work. TFC will close all open application windows.
Double-click TFC.exe to run the program. Vista or Windows 7 users accept the UAC alert.
If prompted, click "Yes" to reboot.
TFC will automatically close any open programs, *including your Desktop*. Let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. TFC may re-boot your system, if not *Re-boot it yourself to complete cleaning process* *<---- Very Important *

Keep TFC it is an excellent, run weekly utility to keep your system optimized, it empties all user temp folders, Java cache etc etc. *Always remember to re-boot after a run, even if not prompted*

Let me know if the above steps complete, also what issues/concerns remain......

Thanks,

Kevin...


----------



## Pokeyturtle (Oct 25, 2012)

Hi Kevin,

Well, I've _really_ messed things up now.

I haven't even got to the clean up process for all of the scans we ran, because I never was able to get the security update KB2698023.

My error code for that update is "0x643". I've spent all morning and afternoon following the trouble shooting support for that code at http://support.microsoft.com/kb/976982#method2

Did everything on that page, and last followed the directions to "Repair the version of the .NET Framework that did not update"

I was in the process of running the "NET Framework cleanup tool" to remove NET Framework 1.1, so I can then reinstall it. Then I got a Fatal Execution Engine Error (0x792803f6)

Now I can't shut down or restart my computer. Tried to do a system restore and they're all gone. System restore had been turned off. ???

(at this point, I need to dump out my cup of coffee and switch to Jack Daniels......sigh )


----------



## kevinf80 (Mar 21, 2006)

Hiya Pokeyturtle,

I prefer a good single malt, but hey, JD sounds good for those crisis moments. I still believe your best way forward is to start again, Format your HD and re-install XP, this has gone on way too long....

Kevin...:up:


----------



## Pokeyturtle (Oct 25, 2012)

Okay, I guess I need to get this show on the road. I'm in the process of backing up 10 years of pictures and videos. About 40 minutes remaining. What else do I need to do? I'm scared of losing my TypeitIn program that my friend bought and installed onto my computer.


----------



## kevinf80 (Mar 21, 2006)

Maybe its worth going for a repair/install first, at least that gives you a chance to lose nothing. The Operating system will be installed but you should not lose anything. Have a look at the following link, the instructions are very easy to follow.

http://forums.malwarebytes.org/index.php?showtopic=61918

Would you rather give that a try than go for a Reformat and Full re-installation?


----------



## Pokeyturtle (Oct 25, 2012)

I'm really not sure what to do. I've backed up my whole C drive onto an old 80gb ipod, but that was before the malware was removed. I just backed up all pictures/music and important folders from my documents. My only concern is this TypeItIn program, as it was paid for. Not sure where to find my registration key for the program. If it's located somewhere in a folder, then it should be somewhere backed up on the ipod. I don't know....

Guess I could try it the safe way first. 

Okay, found my restoration cd's. I'm assuming the blue cd for the Operating System is the one to reinstall windows? If not, all I have left is the red drivers, yellow application and white InterVideo WinDVD.

I'm not able to shutdown my computer, to boot the Cd. Will I need to unplug from the wall?


----------



## kevinf80 (Mar 21, 2006)

If the CD is in the tray hold in the power button on your PC, that will power down. Leave for 10 minutes in case anything is overheated. Then re-boot, should give the option to boot from CD...


----------



## Pokeyturtle (Oct 25, 2012)

Wish me luck :up:


----------



## kevinf80 (Mar 21, 2006)

You`ll be fine, don`t worry. If the worst happens go for two JD`s then a Re-Format and Re-Install....


----------



## Pokeyturtle (Oct 25, 2012)

Hi Kevin,

Well, I made it through the reinstall of Windows. Not without complications though. Seems like as soon as I fix one problem two more pop up. I'm still not able to use my CD burner and now my kids' ipods can not connect to my wireless network anymore. 

I followed the clean up process in the above post, Crucial Scan and Malwarebytes still remain. Is there a removal tool for those as well?


----------



## kevinf80 (Mar 21, 2006)

For Malwarebytes it is ok to Uninstall via start > control panel > Add/Remove Programs..

For Crucial follow instructions here http://www.crucial.com/kb/answer.aspx?qid=4389

What is wrong with CD burner, I thought that was already working OK?


----------



## Pokeyturtle (Oct 25, 2012)

For Crucial Scan, went to C:\, Windows, and Downloaded Program Files. Nothing is in that file except for WUWebControl Class. Is it safe to say it's gone and I can just delete it from my desktop?

Also noticed a few more files in C:/ and I'm not sure if they should be there....
ComboFix101 - contains 1 folder (iexplore)
ComboFix1011402C - contains 255 files, 2 folders 
TDSSKiller_Quarantine - 142 files, 2 folders
Tweaking.com_Windows_Repair_Logs - 7 files, 0 folders

and in program files..
Hitman Pro 3.5

As for the CD burner, (Roxio, I believe this program came with my computer?) Error says: Easy CD Creator Engine initialization failed: (could not load CDR4)
Another error says: CreatorAPI can't see all the cdroms in the system. Please check if they are connected properly.
Then another error say: Disc copier could not locate a supported CD-ROM reader. You will not be able to make disc-to-disc copies.


----------



## kevinf80 (Mar 21, 2006)

Yes to Crucial, delete from Desktop.

Yes to C:\ Question , Delete all entries you quote.

Yes to Hitman Pro, Uninstall via Start > Control Panel > Add/Remove Programs.

Regarding your CD burner problem, Do you mean Roxio will not work? Maybe you will have to re-install that software. Or check for any updates for that software. Have a read through this link regarding a patch for that software, is old thread but may give you good information http://forums.support.roxio.com/topic/7877-engine-initialization-has-failed-could-not-load-cdr4/

Did you not create some CD`s earlier in this thread, I mean actually burn a CD?

Kevin..


----------



## Pokeyturtle (Oct 25, 2012)

WooHoo, I finally fixed something in a timely manner! Roxio did come with my computer, so I was able to find and repair it from my Applications CD. 

No, I was never able to burn a cd earlier in this thread. You wanted me to do a check of my HD, by going to Seagate. I wasn't able to make the bootable cd from the iso image. 

Guess I'll be working on the ipod/wifi issue next. If I'm able to fix that too, I won't know what to do with myself anymore.


----------



## kevinf80 (Mar 21, 2006)

Sooooh, are we finally at a stage where your system is working? Give me an update on any remaining issues/concerns...

Regarding the iPod issue go here http://www.apple.com/support/ipodtouch/assistant/wifi/ use the instructions provided by apple to connect to wifi network etc... Well worth bookmarking that site for future needs..

Kevin


----------

