Software Restriction Policy Virus


wared13

Thread Starter
Joined
Dec 28, 2012
Messages
16
Hi, my machine was attacked by something that caused a message saying "cannot open... prevented by a software restriction policy" when I attempt to open vital programs like my ESET security. No software restrictions have ever been set... this is a standalone machine for a small business... My ComboFix & anti-Malware programs didn't fix anything. Running XP Pro SP3, any help appreciated!

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,470

wared13

Thread Starter
Joined
Dec 28, 2012
Messages
16
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Owner at 12:51:48 on 2012-12-26
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2029.356 [GMT -8:00]
.
AV: ESET Smart Security 5.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\FedEx\ShipManager\BIN\FedEx.Gsm.Common.LoggingService.exe
C:\Program Files\FedEx\ShipManager\SQLAnywhere\Bin32\dbsrv11.exe
C:\Program Files\Common Files\Intuit\Entitlement Client\v3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
C:\Program Files\Common Files\Intuit\Entitlement Client\v5.3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Intuit\QuickBooks Point of Sale 6.0\DatabaseServer\QBPOSDBServiceV6.exe
C:\Program Files\Intuit\QuickBooks Point of Sale 8.0\DatabaseServer\QBPOSDBService.exe
C:\Program Files\Intuit\QuickBooks Point of Sale 6.0\DatabaseServer\QBDBMgrN.exe
C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Program Files\Intuit\QuickBooks Point of Sale 8.0\DatabaseServer\QBDBMgrN10.exe
C:\Program Files\Intuit\QuickBooks Point of Sale 8.0\DatabaseServer\QBDBMgrN10.exe
C:\PROGRA~1\Intuit\QUICKB~3\QBDBMgrN.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\FedEx\ShipManager\BIN\AdminService.exe
C:\Program Files\FedEx\ShipManager\BIN\ShipEngineService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\FedEx\ShipManager\BIN\TransEngineService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intuit\QUC2E1~1\QBDBMgrN.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Intuit\QuickBooks 2012\QBW32.EXE
C:\Program Files\Intuit\QuickBooks Point of Sale 8.0\qbpos.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intuit\QuickBooks Point of Sale 8.0\EftSvr.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\Program Files\Coupons.com CouponBar\TbHelper2.exe
C:\PROGRA~1\Intuit\QUC2E1~1\dbextclr11.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\calc.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.seattletimes.com/
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: TBSB07898 Class: {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - c:\program files\coupons.com couponbar\tbcore3.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Coupons.com CouponBar: {8660E5B3-6C41-44DE-8503-98D99BBECD41} - c:\program files\coupons.com couponbar\tbcore3.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Coupons.com CouponBar: {8660E5B3-6C41-44DE-8503-98D99BBECD41} - c:\program files\coupons.com couponbar\tbcore3.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\fedexd~1.lnk - c:\program files\fedex\fedex desktop\FedEx Desktop.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\intuit\quickbooks 2012\QBW32.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoSMConfigurePrograms = dword:1
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: ForceClassicControlPanel = dword:1
mPolicies-Explorer: NoSMConfigurePrograms = dword:1
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1262651089750
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: NameServer = 192.168.254.254
TCP: Interfaces\{7D6B90BF-4843-48E2-BE99-E970FC77CAB4} : DHCPNameServer = 192.168.254.254
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - c:\program files\intuit\quickbooks 2012\HelpAsyncPluggableProtocol.dll
Handler: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - c:\windows\system32\QBPOSProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2012-3-14 120152]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2012-11-16 913184]
R2 FedExAdminService;FedEx Administration Service;c:\program files\fedex\shipmanager\bin\AdminService.exe [2012-8-23 24576]
R2 FedExLoggingService;FedEx Logging Service;c:\program files\fedex\shipmanager\bin\FedEx.Gsm.Common.LoggingService.exe [2012-8-23 7168]
R2 FedExShipnetDBService;FedEx Shipnet Database Service;c:\program files\fedex\shipmanager\sqlanywhere\bin32\dbsrv11.exe [2012-8-23 141176]
R2 Intuit Entitlement Service v3;Intuit Entitlement Service v3;c:\program files\common files\intuit\entitlement client\v3\server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe [2006-5-24 24576]
R2 Intuit Entitlement Service v5.3;Intuit Entitlement Service v5.3;c:\program files\common files\intuit\entitlement client\v5.3\server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe [2008-7-29 20480]
R2 QBPOSDBServiceV6;QBPOS Database Manager v6;c:\program files\intuit\quickbooks point of sale 6.0\databaseserver\QBPOSDBServiceV6.exe [2007-2-9 1473536]
R2 QBPOSDBServiceV8;QBPOS Database Manager v8;c:\program files\intuit\quickbooks point of sale 8.0\databaseserver\QBPOSDBService.exe [2011-8-12 2734480]
R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2012-3-14 1248256]
R2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\intuit\quickb~3\qbdbmgrn.exe -hvquickbooksdb17 --> c:\progra~1\intuit\quickb~3\QBDBMgrN.exe -hvQuickBooksDB17 [?]
R3 FedExShipService;FedEx Shipping Engine;c:\program files\fedex\shipmanager\bin\ShipEngineService.exe [2012-8-23 5120]
R3 FedExTransactionService;FedEx Transaction Engine;c:\program files\fedex\shipmanager\bin\TransEngineService.exe [2012-8-23 6656]
R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [2008-12-24 80256]
R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [2008-12-16 70016]
R3 QuickBooksDB22;QuickBooksDB22;c:\progra~1\intuit\quc2e1~1\qbdbmgrn.exe -hvquickbooksdb22 --> c:\progra~1\intuit\quc2e1~1\QBDBMgrN.exe -hvQuickBooksDB22 [?]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
R4 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys --> c:\windows\system32\drivers\epfwtdir.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
.
=============== Created Last 30 ================
.
2012-12-26 20:43:25 -------- d-----w- c:\program files\ESET
.
==================== Find3M ====================
.
2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-16 21:57:30 62512 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2012-11-16 21:57:30 160856 ----a-w- c:\windows\system32\drivers\eamon.sys
2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35:34 385024 ----a-w- c:\windows\system32\html.iec
2012-10-02 18:04:21 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-30 03:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 12:52:27.96 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/4/2010 11:59:51 AM
System Uptime: 12/22/2012 11:13:48 AM (97 hours ago)
.
Motherboard: Intel Corporation | | DP35DP
Processor: Intel Pentium III Xeon processor | J1PR | 2999/333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 233 GiB total, 126.705 GiB free.
D: is CDROM (UDF)
E: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_8086&DEV_29C4&SUBSYS_50448086&REV_02\3&61AAA01&0&18
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_8086&DEV_29C4&SUBSYS_50448086&REV_02\3&61AAA01&0&18
Service:
.
==== System Restore Points ===================
.
RP799: 9/27/2012 5:08:44 PM - System Checkpoint
RP800: 9/29/2012 12:45:05 PM - System Checkpoint
RP801: 9/30/2012 6:39:09 PM - System Checkpoint
RP802: 10/1/2012 2:03:34 PM - Removed Apple Software Update
RP803: 10/1/2012 2:08:19 PM - Removed Microsoft Silverlight
RP804: 10/2/2012 2:59:07 PM - System Checkpoint
RP805: 10/3/2012 6:40:17 PM - System Checkpoint
RP806: 10/4/2012 1:57:53 PM - Installed FedEx Ship Manager Delta.
RP807: 10/4/2012 2:13:10 PM - Removed FedEx Ship Manager.
RP808: 10/4/2012 2:13:52 PM - Installed FedEx Ship Manager.
RP809: 10/5/2012 6:48:43 PM - System Checkpoint
RP810: 10/7/2012 7:26:15 PM - System Checkpoint
RP811: 10/8/2012 7:49:55 PM - System Checkpoint
RP812: 10/9/2012 8:49:50 PM - System Checkpoint
RP813: 10/10/2012 3:00:30 AM - Software Distribution Service 3.0
RP814: 10/11/2012 6:51:42 AM - System Checkpoint
RP815: 10/12/2012 9:15:42 AM - System Checkpoint
RP816: 10/13/2012 2:13:52 PM - System Checkpoint
RP817: 10/14/2012 3:05:37 PM - System Checkpoint
RP818: 10/15/2012 4:28:54 PM - System Checkpoint
RP819: 10/17/2012 2:57:26 PM - System Checkpoint
RP820: 10/18/2012 4:37:37 PM - System Checkpoint
RP821: 10/19/2012 6:20:34 PM - System Checkpoint
RP822: 10/20/2012 7:38:45 PM - System Checkpoint
RP823: 10/21/2012 8:49:43 PM - System Checkpoint
RP824: 10/22/2012 10:53:14 PM - System Checkpoint
RP825: 10/23/2012 11:13:12 PM - System Checkpoint
RP826: 10/25/2012 4:28:12 PM - System Checkpoint
RP827: 10/28/2012 1:24:10 PM - System Checkpoint
RP828: 10/29/2012 5:58:29 PM - System Checkpoint
RP829: 10/30/2012 6:31:13 PM - System Checkpoint
RP830: 10/31/2012 7:31:14 PM - System Checkpoint
RP831: 11/2/2012 6:54:02 PM - System Checkpoint
RP832: 11/3/2012 6:12:42 PM - System Checkpoint
RP833: 11/4/2012 6:30:56 PM - System Checkpoint
RP834: 11/5/2012 7:12:49 PM - System Checkpoint
RP835: 11/6/2012 8:12:48 PM - System Checkpoint
RP836: 11/8/2012 1:03:31 PM - System Checkpoint
RP837: 11/9/2012 3:56:07 PM - System Checkpoint
RP838: 11/11/2012 5:44:02 PM - System Checkpoint
RP839: 11/12/2012 6:35:02 PM - System Checkpoint
RP840: 11/13/2012 7:01:50 PM - System Checkpoint
RP841: 11/15/2012 4:00:12 PM - System Checkpoint
RP842: 11/15/2012 7:21:37 PM - Software Distribution Service 3.0
RP843: 11/16/2012 5:32:21 PM - Installed Microsoft PowerPoint Viewer
RP844: 11/17/2012 7:13:01 PM - Software Distribution Service 3.0
RP845: 11/18/2012 8:57:52 PM - System Checkpoint
RP846: 11/19/2012 3:00:24 AM - Software Distribution Service 3.0
RP847: 11/21/2012 4:26:40 PM - System Checkpoint
RP848: 11/22/2012 5:19:40 PM - System Checkpoint
RP849: 11/23/2012 6:24:56 PM - System Checkpoint
RP850: 11/24/2012 6:54:37 PM - System Checkpoint
RP851: 11/25/2012 2:15:49 PM - Installed iTunes
RP852: 11/26/2012 3:19:03 PM - System Checkpoint
RP853: 11/27/2012 3:38:55 PM - System Checkpoint
RP854: 11/28/2012 4:26:07 PM - System Checkpoint
RP855: 11/29/2012 5:36:45 PM - System Checkpoint
RP856: 11/30/2012 5:40:28 PM - System Checkpoint
RP857: 12/2/2012 2:00:11 PM - System Checkpoint
RP858: 12/3/2012 5:25:08 PM - System Checkpoint
RP859: 12/6/2012 5:35:53 PM - System Checkpoint
RP860: 12/7/2012 9:45:27 PM - System Checkpoint
RP861: 12/9/2012 1:12:54 PM - System Checkpoint
RP862: 12/10/2012 3:16:09 PM - System Checkpoint
RP863: 12/11/2012 3:21:16 PM - System Checkpoint
RP864: 12/12/2012 3:31:32 PM - System Checkpoint
RP865: 12/13/2012 3:00:26 AM - Software Distribution Service 3.0
RP866: 12/14/2012 3:59:25 AM - System Checkpoint
RP867: 12/15/2012 8:14:05 PM - System Checkpoint
RP868: 12/16/2012 9:57:28 PM - System Checkpoint
RP869: 12/17/2012 10:00:50 PM - System Checkpoint
RP870: 12/18/2012 10:36:46 PM - System Checkpoint
RP871: 12/19/2012 11:02:11 PM - System Checkpoint
RP872: 12/21/2012 6:37:36 PM - Software Distribution Service 3.0
RP873: 12/22/2012 7:53:35 PM - System Checkpoint
RP874: 12/23/2012 8:27:03 PM - System Checkpoint
RP875: 12/24/2012 8:51:03 PM - System Checkpoint
RP876: 12/25/2012 9:56:16 PM - System Checkpoint
.
==== Installed Programs ======================
.
7-Zip 4.65
Adobe Flash Player 11 ActiveX
Adobe Reader 9.3.4
Adobe Shockwave Player 11.5
AiO_Scan
Apple Application Support
Apple Mobile Device Support
Apple Software Update
BabasChess
Bonjour
Carbonite
CCleaner
Compatibility Pack for the 2007 Office system
Coupon Printer for Windows
CouponBar
CT-S300 x32 v157
CutePDF Writer 2.8
Defraggler
ESET Smart Security
Everything 1.2.1.371
FedEx Ship Manager
FileZilla Client 3.5.3
Free Window Registry Repair
Google Chrome
Google Desktop
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB971276-v3)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Driver Diagnostics
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
Intel(R) PRO Network Connections Drivers
iTunes
Java Auto Updater
Java(TM) 6 Update 21
Malwarebytes Anti-Malware version 1.65.1.1000
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Office 2003 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Basic Edition 2003
Microsoft Office File Validation Add-In
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft PowerPoint Viewer
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft XML Parser
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
NVIDIA Drivers
OGA Notifier 2.0.0048.0
QFolder
QuickBooks
QuickBooks Point of Sale 6.0
QuickBooks Point of Sale 8.0
QuickBooks Point Of Sale Product Listing Service
QuickBooks Pro 2007
QuickBooks Pro 2012
QuickBooks Pro Edition 2004
QuickBooks Pro Timer
QuickTime Alternative 3.1.0
Real Alternative 2.0.1
Rundll Errors Fix Wizard
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596856) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2753842)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SmartDraw PDF Export (novaPDF 6.4 printer)
SmartDraw VP
SmartFTP Client
SmartFTP Client 4.0 Setup Files (remove only)
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
Star TSP100 Driver Installer
SweetIM for Messenger 2.8
SweetIM Toolbar for Internet Explorer 3.6
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB971029)
VLC media player 1.1.4
WebFldrs XP
Windows Driver Package - Star Micronics TSP100 (07/26/2006 1.0.4.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Format 11 runtime
Windows Media Player 11
XnView 1.97
XPS Essentials Pack
XPS Essentials Pack 1.0
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
12/23/2012 12:01:19 AM, error: VolSnap [12] - The shadow copy of volume C: became low on diff area space before it was properly installed.
.
==== End Of File ===========================
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,470
download RogueKiller from here http://tigzy.geekstogo.com/Tools/RogueKiller.exe or here http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe and save Direct to your Desktop.

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • 1. Wait until Prescan has finished...
  • The following EULA will appear, please select accept
  • 2. Ensure MBR scan, Check faked and AntiRootkit are checked
  • 3. Select Scan
  • When the scan completes select Report, copy and paste that to your reply.

 

wared13

Thread Starter
Joined
Dec 28, 2012
Messages
16
RogueKiller V8.4.1 [Dec 28 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Scan -- Date : 12/28/2012 16:25:52
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 2 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: MIRROR +++++
--- User ---
[MBR] f6480cd2b1989e92dfe4f5fea68e781b
[BSP] 5e99062c50d8519d942ab6c2640bd6e7 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238456 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[1]_S_12282012_02d1625.txt >>
RKreport[1]_S_12282012_02d1625.txt
 

wared13

Thread Starter
Joined
Dec 28, 2012
Messages
16
Per RogueKiller, I deleted the two registry entries; I believe RogueKiller modified one entry, and deleted the other. However, I'm still having issues pertaining to opening programs like ESET, anti-Malware programs, etc. Please advise.
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,470
Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed; if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the log in next reply please...

Kevin
 

wared13

Thread Starter
Joined
Dec 28, 2012
Messages
16
ComboFix 12-12-29.02 - Owner 12/29/2012 12:52:24.17.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2029.1312 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Application Data\Toolbar4
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\arrow_refresh.png
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\basis.xml
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\merchant_notification
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cog.png
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\computer_delete.png
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\dataLoader.js
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\icons3.bmp
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\include_files\879ecc39d0be00e1ba71e4872c078138
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\info.txt
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\login.png
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\logo.png
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\search.png
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\TbHelper2.exe
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\tmp\7afdaa54335acddfc0f32d7c411bff25
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\todays_deals.png
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\uninstall.exe
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\update.exe
c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\version.txt
c:\windows\TEMP\{16AA8FB8-4A98-4757-B7A5-0FF22C0A6E33}_1101_1\dbdata11.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-11-28 to 2012-12-29 )))))))))))))))))))))))))))))))
.
.
2012-12-28 19:34 . 2012-12-28 19:34 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-12-26 22:27 . 2012-12-26 22:27 -------- d-----w- c:\documents and settings\Owner\Application Data\ESET
2012-12-26 22:21 . 2012-12-26 22:21 -------- d-----w- c:\program files\iPod
2012-12-26 22:20 . 2012-12-26 22:21 -------- d-----w- c:\program files\iTunes
2012-12-26 22:20 . 2012-12-26 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-16 12:23 . 2008-04-14 12:39 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 01:25 . 2008-04-14 08:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-02 02:02 . 2008-04-14 12:41 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2008-05-19 18:16 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2008-05-19 18:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2008-05-19 18:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2008-05-19 18:16 385024 ----a-w- c:\windows\system32\html.iec
2012-10-02 18:04 . 2008-04-14 12:42 58368 ----a-w- c:\windows\system32\synceng.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-05-19 . 4728A2BF7FD18C858772158689ECDAC2 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8660E5B3-6C41-44DE-8503-98D99BBECD41}"= "c:\program files\Coupons.com CouponBar\tbcore3.dll" [2012-02-06 2664864]
.
[HKEY_CLASSES_ROOT\clsid\{8660e5b3-6c41-44de-8503-98d99bbecd41}]
[HKEY_CLASSES_ROOT\TBSB07898.TBSB07898.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB07898.TBSB07898]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{8660E5B3-6C41-44DE-8503-98D99BBECD41}"= "c:\program files\Coupons.com CouponBar\tbcore3.dll" [2012-02-06 2664864]
.
[HKEY_CLASSES_ROOT\clsid\{8660e5b3-6c41-44de-8503-98d99bbecd41}]
[HKEY_CLASSES_ROOT\TBSB07898.TBSB07898.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB07898.TBSB07898]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2012-07-26 17:03 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2012-07-26 17:03 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2012-07-26 17:03 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-09 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2012-05-23 1838592]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2012-10-26 2643320]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2012-07-26 1061960]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
FedEx Desktop.lnk - c:\program files\FedEx\FedEx Desktop\FedEx Desktop.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe [2012-12-6 6186872]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2012-12-6 1176464]
QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2012\QBW32.EXE [2012-12-6 1181584]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"idsvc"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"NVSvc"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2012\\QBDBMgrN.exe"=
"c:\\Program Files\\FedEx\\ShipManager\\SQLANYWHERE\\BIN32\\DBENG11.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\SQLANYWHERE\\BIN32\\DBSRV11.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\BACKUPDATABASEUTILITY.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\FSMREGISTRATION.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\GSMCOMMSETUP.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\LDSEDIT.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\ADMINSERVICE.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\SHIPENGINESERVICE.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\TRANSENGINESERVICE.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\FEDEX.GSM.CAFE.APPLICATIONENGINE.GUI.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\FEDEX.GSM.EXTERNAL.VERIFI.SERVICE.EXE"=
"c:\\Program Files\\FedEx\\ShipManager\\BIN\\REPORTPROCESSING.EXE"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20342:TCP"= 20342:TCP:spport
"3389:TCP"= 3389:TCP:*:Disabled:mad:xpsp2res.dll,-22009
"5353:UDP"= 5353:UDP:home share
.
R2 FedExAdminService;FedEx Administration Service;c:\program files\FedEx\ShipManager\BIN\AdminService.exe [8/23/2012 10:27 AM 24576]
R2 FedExLoggingService;FedEx Logging Service;c:\program files\FedEx\ShipManager\BIN\FedEx.Gsm.Common.LoggingService.exe [8/23/2012 10:26 AM 7168]
R2 FedExShipnetDBService;FedEx Shipnet Database Service;c:\program files\FedEx\ShipManager\SQLAnywhere\Bin32\dbsrv11.exe [8/23/2012 10:21 AM 141176]
R2 Intuit Entitlement Service v3;Intuit Entitlement Service v3;c:\program files\Common Files\Intuit\Entitlement Client\v3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe [5/24/2006 8:09 AM 24576]
R2 Intuit Entitlement Service v5.3;Intuit Entitlement Service v5.3;c:\program files\Common Files\Intuit\Entitlement Client\v5.3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe [7/29/2008 11:26 AM 20480]
R2 QBPOSDBServiceV6;QBPOS Database Manager v6;c:\program files\Intuit\QuickBooks Point of Sale 6.0\DatabaseServer\QBPOSDBServiceV6.exe [2/9/2007 11:02 AM 1473536]
R2 QBPOSDBServiceV8;QBPOS Database Manager v8;c:\program files\Intuit\QuickBooks Point of Sale 8.0\DatabaseServer\QBPOSDBService.exe [8/12/2011 10:07 AM 2734480]
R2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [3/14/2012 4:06 AM 1248256]
R2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB17 [?]
R3 FedExShipService;FedEx Shipping Engine;c:\program files\FedEx\ShipManager\BIN\ShipEngineService.exe [8/23/2012 10:29 AM 5120]
R3 FedExTransactionService;FedEx Transaction Engine;c:\program files\FedEx\ShipManager\BIN\TransEngineService.exe [8/23/2012 10:26 AM 6656]
R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [12/24/2008 5:40 AM 80256]
R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [12/16/2008 6:10 AM 70016]
R3 QuickBooksDB22;QuickBooksDB22;c:\progra~1\Intuit\QUC2E1~1\QBDBMgrN.exe -hvQuickBooksDB22 --> c:\progra~1\Intuit\QUC2E1~1\QBDBMgrN.exe -hvQuickBooksDB22 [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 21:53]
.
2012-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 21:53]
.
2012-12-29 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2010-06-16 17:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.seattletimes.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.254.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-29 13:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3792)
c:\windows\system32\WININET.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\program files\SmartFTP Client\en-US\sfShellTools.dll.mui
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
c:\program files\7-Zip\7-zip.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Intuit\QuickBooks Point of Sale 6.0\DatabaseServer\QBDBMgrN.exe
c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Intuit\QuickBooks Point of Sale 8.0\DatabaseServer\QBDBMgrN10.exe
c:\program files\Intuit\QuickBooks Point of Sale 8.0\DatabaseServer\QBDBMgrN10.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Intuit\QUC2E1~1\QBDBMgrN.exe
.
**************************************************************************
.
Completion time: 2012-12-29 13:03:40 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-29 21:03
ComboFix2.txt 2012-12-28 19:32
ComboFix3.txt 2012-12-13 19:52
ComboFix4.txt 2011-12-31 20:22
ComboFix5.txt 2012-12-29 20:51
.
Pre-Run: 135,890,710,528 bytes free
Post-Run: 135,893,741,568 bytes free
.
- - End Of File - - 1C98C88E244285664DAE1B086AFD2DF9
 

wared13

Thread Starter
Joined
Dec 28, 2012
Messages
16
Just now I downloaded a fresh copy of Malwarebytes Anti-Malware, then proceeded to install. After installing the program attempted to open, but was unable - the message is: Unable to execute file: (the directory for mbam.exe) - CreateProcess failed; code 1260. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,470
Go to http://www.virustotal.com/

  • Click the Browse... button
  • Navigate to the file c:\windows\system32\sfcfiles.dll or just copy/paste it in.
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the results back here please.

Next,

Please download VEW by Vino Rosso from HERE and save it to your Desktop.
  • Double-click VEW.exe to start, Vista and Windows 7 users Right Click and select "Run as Administrator"
  • Under 'Select log to query...' check the boxes for both Application and System.
  • Under 'Select type to list...' select both Error and Critical.
  • Click the radio button for 'Number of events...' Type 10 in the 1 to 20 box.
  • Then click the Run button.
  • Notepad will open with the output log. It will take a couple of minutes to generate the log, please be patient.

Please post the Output log in your next reply.

Do you have any policies set that may affect system software etc...
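Kevin's question about policies and the "code 1260" error in the previous post point at the same mechanism: error 1260 is ERROR_ACCESS_DISABLED_BY_POLICY, returned when a Software Restriction Policy rule, or a Disallowed default level, blocks a file. The PowerShell audit script below is an added example, not part of this thread or of any tool mentioned in it; it assumes PowerShell 2.0 on the XP SP3 machine, read-only access to the Safer registry keys, and the Malwarebytes folder seen in the ComboFix log. Its path-matching helper is a simplified approximation of SRP's own rules.

```powershell
# Added read-only SRP audit (example code, not from the thread or any tool in it).
# Assumes PowerShell 2.0+ on XP SP3, run from an Administrator account. It lists the
# Software Restriction Policy settings and path rules and reports which Disallowed rule
# would match a given executable, e.g. the mbam.exe that failed with error 1260.

# Machine-wide and per-user SRP roots (the per-user key is often overlooked).
$SaferRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)

# Rules live under a subkey named for the security level they assign.
$LevelNames = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

function Get-SrpPolicySummary {
    # Policy-wide switches: DefaultLevel 0 means everything not explicitly allowed is blocked.
    foreach ($root in $SaferRoots) {
        if (-not (Test-Path $root)) { continue }
        $p = Get-ItemProperty -Path $root
        New-Object PSObject -Property @{
            Hive               = $root
            DefaultLevel       = $LevelNames[[string]$p.DefaultLevel]
            TransparentEnabled = $p.TransparentEnabled   # 0 off, 1 skip DLLs, 2 all files
            PolicyScope        = $p.PolicyScope          # 0 all users, 1 all except admins
            ExecutableTypes    = ($p.ExecutableTypes -join ',')
        }
    }
}

function Get-SrpPathRules {
    # Enumerates every path rule with its level; a rule naming a security tool's folder stands out.
    foreach ($root in $SaferRoots) {
        foreach ($level in $LevelNames.Keys) {
            $pathKey = Join-Path $root "$level\Paths"
            if (-not (Test-Path $pathKey)) { continue }
            foreach ($rule in Get-ChildItem -Path $pathKey) {
                $v = Get-ItemProperty -Path $rule.PSPath
                New-Object PSObject -Property @{
                    Hive         = $root
                    Level        = $LevelNames[$level]
                    RuleId       = $rule.PSChildName
                    Path         = [string]$v.ItemData
                    Description  = [string]$v.Description
                    LastModified = $v.LastModified
                }
            }
        }
    }
}

function Test-SrpPathRuleMatch {
    # Simplified approximation (assumption) of SRP path matching: environment variables are
    # expanded, comparison is case-insensitive, a rule containing * or ? is a glob over the
    # full path, and a rule without wildcards matches that file or anything beneath that folder.
    param([string]$RulePath, [string]$TargetPath)
    $rule   = [Environment]::ExpandEnvironmentVariables($RulePath).TrimEnd('\')
    $target = [Environment]::ExpandEnvironmentVariables($TargetPath)
    if ($rule -match '[\*\?]') { return ($target -like $rule) -or ($target -like "$rule\*") }
    return ($target -eq $rule) -or ($target -like "$rule\*")
}

function Find-SrpBlockingRule {
    # Disallowed path rules that would match the executable the user could not start.
    param([string]$ExePath)
    Get-SrpPathRules | Where-Object {
        $_.Level -eq 'Disallowed' -and (Test-SrpPathRuleMatch -RulePath $_.Path -TargetPath $ExePath)
    }
}

Get-SrpPolicySummary | Format-List
Get-SrpPathRules | Sort-Object Level, Path | Format-Table Level, Path, Description -AutoSize

# Folder taken from the ComboFix log in this thread; adjust if mbam.exe lives elsewhere.
$blocked = 'C:\Program Files\Malwarebytes'' Anti-Malware\mbam.exe'
$hits = @(Find-SrpBlockingRule -ExePath $blocked)
if ($hits.Count -eq 0) {
    Write-Host "No Disallowed path rule matches $blocked; check DefaultLevel and any hash rules."
} else {
    $hits | Format-Table Hive, RuleId, Path, LastModified -AutoSize
}

# Corroborate with the Application log: SRP records each blocked launch under this source.
Get-EventLog -LogName Application -Source 'Software Restriction Policies' -Newest 10 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EventID, Message | Format-List
```

A rule with a recent LastModified that points at a security product's folder, or a DefaultLevel of Disallowed nobody configured, is the finding to remove through the Local Security Policy console rather than by hand-editing the hive.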
 

wared13

Thread Starter
Joined
Dec 28, 2012
Messages
16
SHA256: 3dfa2708eb2864a5d2f4a117de84f6122b601b5083c815d070f88bd44d46f399
SHA1: 7ea34535a858ac214bdf153ed003f0550461288c
MD5: 4728a2bf7fd18c858772158689ecdac2
File size: 1.5 MB ( 1614848 bytes )
File name: sfcfiles.dll
File type: Win32 DLL
Detection ratio: 0 / 45
Analysis date: 2012-12-29 22:30:38 UTC ( 1 minute ago )
 

wared13

Thread Starter
Joined
Dec 28, 2012
Messages
16
Vino's Event Viewer v01c run on Windows XP in English
Report run at 29/12/2012 2:42:40 PM
Note: All dates below are in the format dd/mm/yyyy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 29/12/2012 1:10:24 PM
Type: error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks Pro 2012":
DBConnPool::HandleConnectionError errorCode:-6069, dbCode:-103 from file:'.\.\src\ConnPool.cpp' at line 1038 from function:'DBMgr::DBConnPool::init'
Log: 'Application' Date/Time: 29/12/2012 1:10:24 PM
Type: error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks Pro 2012":
Connection String:CON=QBConnectionPool-Probe-QB_XPPRO_22;;DBF=C:\Documents and Settings\Owner\Desktop\Backups\Hellams Vineyard, L.L.C..QBW;CommLinks="ShMem,tcpip(IP=192.168.254.24;TO=5;DOBROADCAST=NONE;port=55348)";ServerName=QB_XPPRO_22;DBN=647532f9915b423380fb89928b38e26e
Log: 'Application' Date/Time: 29/12/2012 1:10:24 PM
Type: error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks Pro 2012":
Connection Error:Invalid user ID or password
Log: 'Application' Date/Time: 29/12/2012 1:01:05 PM
Type: error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
Log: 'Application' Date/Time: 29/12/2012 1:01:05 PM
Type: error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
Log: 'Application' Date/Time: 29/12/2012 1:01:05 PM
Type: error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
Log: 'Application' Date/Time: 29/12/2012 12:50:19 PM
Type: error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
Log: 'Application' Date/Time: 29/12/2012 12:50:19 PM
Type: error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
Log: 'Application' Date/Time: 29/12/2012 12:50:19 PM
Type: error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
Log: 'Application' Date/Time: 29/12/2012 12:44:43 PM
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application ekrn.exe, version 5.2.15.0, faulting module msvcr80.dll, version 8.0.50727.6195, fault address 0x0001500a.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 28/12/2012 11:35:19 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}
Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}
Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}
Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}
Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}
Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}
Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}
Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}
Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,470
Download Windows Repair Tool by Tweaking.com from here :- http://majorgeeks.com/Tweaking.com_-_Windows_Repair_Portable_d7222.html and unzip the contents into a newly created folder on your desktop.

  • Now open Repair_Windows.exe in the folder
  • Go to Step 4 and create a Restore Point
  • Go to the Start repairs tab, then select Start
  • In the Custom Mode window, only select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Internet Explorer
      • Remove Policies Set By Infections
      • Repair MSI (Windows Installer)

  • Click the Start button.


Be patient while the tool repairs the selected items.
If prompted, reboot the computer for the changes to take effect; make sure other tasks in the program are not still running before rebooting.

Let me see the log which will be found in this folder:

C:\Tweaking.com_windows_Repair_Logs

Has that made any difference?
 