
Software Restriction Policy Virus

Discussion in 'Virus & Other Malware Removal' started by wared13, Dec 28, 2012.

  1. wared13 (Thread Starter)
    Hi, my machine was attacked by something that caused a message saying "cannot open... prevented by a software restriction policy" when I attempt to open vital programs like my ESET security. No software restrictions have ever been set... this is a standalone machine for a small business... My ComboFix & anti-Malware programs didn't fix anything. Running XP Pro SP3, any help appreciated!
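An added triage example, not code from the thread, from DDS or from ESET: it parses a `reg export` of the HKLM `Safer\CodeIdentifiers` key (where Software Restriction Policy rules live) and flags a Disallowed default level or any Disallowed path/hash rule, rating rules aimed at a security product as high. The .reg text embedded in it is constructed, with made-up GUIDs, and assumes the export was taken with `reg export` on the affected machine.

```python
"""Offline triage of a `reg export` of the Software Restriction Policy ("Safer")
keys.  Added example, not from the thread or DDS; the sample export is constructed."""
import re

# Subkey names under CodeIdentifiers are the decimal SAFER_LEVELID_* values.
SAFER_LEVELS = {0: "Disallowed", 4096: "Untrusted", 65536: "Basic User",
                131072: "Normal User", 262144: "Unrestricted"}

KEY_RE = re.compile(r"^\[(?P<hive>HKEY_[A-Z_]+)\\(?P<path>.+)\]$")
RULE_RE = re.compile(r"\\Safer\\CodeIdentifiers\\(?P<level>\d+)\\(?P<kind>Paths|Hashes)"
                     r"\\(?P<id>\{[^}]+\})$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def _join_continuations(text):
    """reg export wraps long hex values with a trailing backslash; re-join them."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        out.append(buf + line.strip() if buf else line)
        buf = ""
    return out


def _decode(data):
    """Decode the value syntaxes a .reg file uses: "string", dword:, hex(N):."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\((?P<t>[0-9a-f]+)\))?:(?P<b>.*)$", data, re.IGNORECASE)
    if m:
        raw = bytes(int(h, 16) for h in m.group("b").split(",") if h)
        if m.group("t") in ("1", "2", "7"):   # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ
            return raw.decode("utf-16-le").rstrip("\x00").replace("\x00", ";")
        return raw                            # REG_BINARY and friends stay as bytes
    return data


def parse_reg_export(text):
    """Return {full_key_path: {value_name: decoded_value}} for a .reg export."""
    keys, current = {}, None
    for line in _join_continuations(text):
        m = KEY_RE.match(line)
        if m:
            current = m.group("hive") + "\\" + m.group("path")
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = _decode(m.group("data"))
    return keys


def triage_srp(text, protected=("eset", "malwarebytes", "mbam", "combofix", "spybot")):
    """Return (severity, message) findings consistent with SRP being used to
    block security software.  On a machine where nobody ever configured SRP,
    any Disallowed rule is suspicious; one aimed at a security product is high."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key.upper().endswith("\\SAFER\\CODEIDENTIFIERS") and values.get("DefaultLevel") == 0:
            findings.append(("high", f"{key}: DefaultLevel is Disallowed (0); "
                                     "everything not explicitly allowed is blocked"))
        m = RULE_RE.search(key)
        if not m:
            continue
        level = SAFER_LEVELS.get(int(m.group("level")), m.group("level"))
        target = values.get("ItemData", "<no ItemData>")
        if level == "Disallowed":
            hits = [p for p in protected if p in str(target).lower()]
            findings.append(("high" if hits else "medium",
                             f"{key}: Disallowed {m.group('kind')} rule -> {target}"))
    return findings


# Constructed sample of what `reg export HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers srp.reg`
# might yield where a Disallowed path rule was planted against ESET.  GUIDs are made up;
# the 262144 rule mirrors the stock "SystemRoot" allow rule.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00040000
"TransparentEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{11111111-2222-3333-4444-555555555555}]
"SaferFlags"=dword:00000000
"ItemData"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,20,00,\
  46,00,69,00,6c,00,65,00,73,00,5c,00,45,00,53,00,45,00,54,00,5c,00,2a,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{66666666-7777-8888-9999-000000000000}]
"ItemData"="%HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRoot%"
"""

if __name__ == "__main__":
    for severity, message in triage_srp(SAMPLE_EXPORT):
        print(f"[{severity}] {message}")
```

The same key also exists under HKEY_CURRENT_USER, so export and triage both hives.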
     
  2. kevinf80 (Malware Specialist)
  3. wared13 (Thread Starter)
    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702
    Run by Owner at 12:51:48 on 2012-12-26
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2029.356 [GMT -8:00]
    .
    AV: ESET Smart Security 5.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    FW: ESET Personal firewall *Enabled*
    .
    ============== Running Processes ================
    .
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
    C:\Program Files\FedEx\ShipManager\BIN\FedEx.Gsm.Common.LoggingService.exe
    C:\Program Files\FedEx\ShipManager\SQLAnywhere\Bin32\dbsrv11.exe
    C:\Program Files\Common Files\Intuit\Entitlement Client\v3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
    C:\Program Files\Common Files\Intuit\Entitlement Client\v5.3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Program Files\Intuit\QuickBooks Point of Sale 6.0\DatabaseServer\QBPOSDBServiceV6.exe
    C:\Program Files\Intuit\QuickBooks Point of Sale 8.0\DatabaseServer\QBPOSDBService.exe
    C:\Program Files\Intuit\QuickBooks Point of Sale 6.0\DatabaseServer\QBDBMgrN.exe
    C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
    C:\Program Files\Intuit\QuickBooks Point of Sale 8.0\DatabaseServer\QBDBMgrN10.exe
    C:\Program Files\Intuit\QuickBooks Point of Sale 8.0\DatabaseServer\QBDBMgrN10.exe
    C:\PROGRA~1\Intuit\QUICKB~3\QBDBMgrN.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\FedEx\ShipManager\BIN\AdminService.exe
    C:\Program Files\FedEx\ShipManager\BIN\ShipEngineService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\FedEx\ShipManager\BIN\TransEngineService.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Intuit\QUC2E1~1\QBDBMgrN.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Intuit\QuickBooks 2012\QBW32.EXE
    C:\Program Files\Intuit\QuickBooks Point of Sale 8.0\qbpos.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Intuit\QuickBooks Point of Sale 8.0\EftSvr.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\msdtc.exe
    C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
    C:\Program Files\Coupons.com CouponBar\TbHelper2.exe
    C:\PROGRA~1\Intuit\QUC2E1~1\dbextclr11.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\vssvc.exe
    C:\WINDOWS\system32\calc.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
    C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
    C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    C:\WINDOWS\system32\svchost.exe -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.seattletimes.com/
    BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: TBSB07898 Class: {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - c:\program files\coupons.com couponbar\tbcore3.dll
    BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: Coupons.com CouponBar: {8660E5B3-6C41-44DE-8503-98D99BBECD41} - c:\program files\coupons.com couponbar\tbcore3.dll
    TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
    TB: Coupons.com CouponBar: {8660E5B3-6C41-44DE-8503-98D99BBECD41} - c:\program files\coupons.com couponbar\tbcore3.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
    mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
    dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    StartupFolder: c:\docume~1\owner\startm~1\programs\startup\fedexd~1.lnk - c:\program files\fedex\fedex desktop\FedEx Desktop.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\intuit\quickbooks 2012\QBW32.EXE
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    uPolicies-Explorer: NoSMConfigurePrograms = dword:1
    uPolicies-Explorer: NoDriveAutoRun = dword:67108863
    uPolicies-Explorer: NoDrives = dword:0
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    mPolicies-Explorer: NoDrives = dword:0
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    mPolicies-Explorer: ForceClassicControlPanel = dword:1
    mPolicies-Explorer: NoSMConfigurePrograms = dword:1
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1262651089750
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    TCP: NameServer = 192.168.254.254
    TCP: Interfaces\{7D6B90BF-4843-48E2-BE99-E970FC77CAB4} : DHCPNameServer = 192.168.254.254
    Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - c:\program files\intuit\quickbooks 2012\HelpAsyncPluggableProtocol.dll
    Handler: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - c:\windows\system32\QBPOSProtocol.dll
    Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2012-3-14 120152]
    R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2012-11-16 913184]
    R2 FedExAdminService;FedEx Administration Service;c:\program files\fedex\shipmanager\bin\AdminService.exe [2012-8-23 24576]
    R2 FedExLoggingService;FedEx Logging Service;c:\program files\fedex\shipmanager\bin\FedEx.Gsm.Common.LoggingService.exe [2012-8-23 7168]
    R2 FedExShipnetDBService;FedEx Shipnet Database Service;c:\program files\fedex\shipmanager\sqlanywhere\bin32\dbsrv11.exe [2012-8-23 141176]
    R2 Intuit Entitlement Service v3;Intuit Entitlement Service v3;c:\program files\common files\intuit\entitlement client\v3\server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe [2006-5-24 24576]
    R2 Intuit Entitlement Service v5.3;Intuit Entitlement Service v5.3;c:\program files\common files\intuit\entitlement client\v5.3\server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe [2008-7-29 20480]
    R2 QBPOSDBServiceV6;QBPOS Database Manager v6;c:\program files\intuit\quickbooks point of sale 6.0\databaseserver\QBPOSDBServiceV6.exe [2007-2-9 1473536]
    R2 QBPOSDBServiceV8;QBPOS Database Manager v8;c:\program files\intuit\quickbooks point of sale 8.0\databaseserver\QBPOSDBService.exe [2011-8-12 2734480]
    R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2012-3-14 1248256]
    R2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\intuit\quickb~3\qbdbmgrn.exe -hvquickbooksdb17 --> c:\progra~1\intuit\quickb~3\QBDBMgrN.exe -hvQuickBooksDB17 [?]
    R3 FedExShipService;FedEx Shipping Engine;c:\program files\fedex\shipmanager\bin\ShipEngineService.exe [2012-8-23 5120]
    R3 FedExTransactionService;FedEx Transaction Engine;c:\program files\fedex\shipmanager\bin\TransEngineService.exe [2012-8-23 6656]
    R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [2008-12-24 80256]
    R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [2008-12-16 70016]
    R3 QuickBooksDB22;QuickBooksDB22;c:\progra~1\intuit\quc2e1~1\qbdbmgrn.exe -hvquickbooksdb22 --> c:\progra~1\intuit\quc2e1~1\QBDBMgrN.exe -hvQuickBooksDB22 [?]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    R4 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys --> c:\windows\system32\drivers\epfwtdir.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    .
    =============== Created Last 30 ================
    .
    2012-12-26 20:43:25 -------- d-----w- c:\program files\ESET
    .
    ==================== Find3M ====================
    .
    2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
    2012-11-16 21:57:30 62512 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
    2012-11-16 21:57:30 160856 ----a-w- c:\windows\system32\drivers\eamon.sys
    2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys
    2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll
    2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-11-01 12:17:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-11-01 12:17:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-11-01 00:35:34 385024 ----a-w- c:\windows\system32\html.iec
    2012-10-02 18:04:21 58368 ----a-w- c:\windows\system32\synceng.dll
    2012-09-30 03:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    ============= FINISH: 12:52:27.96 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/4/2010 11:59:51 AM
    System Uptime: 12/22/2012 11:13:48 AM (97 hours ago)
    .
    Motherboard: Intel Corporation | | DP35DP
    Processor: Intel Pentium III Xeon processor | J1PR | 2999/333mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 233 GiB total, 126.705 GiB free.
    D: is CDROM (UDF)
    E: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Simple Communications Controller
    Device ID: PCI\VEN_8086&DEV_29C4&SUBSYS_50448086&REV_02\3&61AAA01&0&18
    Manufacturer:
    Name: PCI Simple Communications Controller
    PNP Device ID: PCI\VEN_8086&DEV_29C4&SUBSYS_50448086&REV_02\3&61AAA01&0&18
    Service:
    .
    ==== System Restore Points ===================
    .
    RP799: 9/27/2012 5:08:44 PM - System Checkpoint
    RP800: 9/29/2012 12:45:05 PM - System Checkpoint
    RP801: 9/30/2012 6:39:09 PM - System Checkpoint
    RP802: 10/1/2012 2:03:34 PM - Removed Apple Software Update
    RP803: 10/1/2012 2:08:19 PM - Removed Microsoft Silverlight
    RP804: 10/2/2012 2:59:07 PM - System Checkpoint
    RP805: 10/3/2012 6:40:17 PM - System Checkpoint
    RP806: 10/4/2012 1:57:53 PM - Installed FedEx Ship Manager Delta.
    RP807: 10/4/2012 2:13:10 PM - Removed FedEx Ship Manager.
    RP808: 10/4/2012 2:13:52 PM - Installed FedEx Ship Manager.
    RP809: 10/5/2012 6:48:43 PM - System Checkpoint
    RP810: 10/7/2012 7:26:15 PM - System Checkpoint
    RP811: 10/8/2012 7:49:55 PM - System Checkpoint
    RP812: 10/9/2012 8:49:50 PM - System Checkpoint
    RP813: 10/10/2012 3:00:30 AM - Software Distribution Service 3.0
    RP814: 10/11/2012 6:51:42 AM - System Checkpoint
    RP815: 10/12/2012 9:15:42 AM - System Checkpoint
    RP816: 10/13/2012 2:13:52 PM - System Checkpoint
    RP817: 10/14/2012 3:05:37 PM - System Checkpoint
    RP818: 10/15/2012 4:28:54 PM - System Checkpoint
    RP819: 10/17/2012 2:57:26 PM - System Checkpoint
    RP820: 10/18/2012 4:37:37 PM - System Checkpoint
    RP821: 10/19/2012 6:20:34 PM - System Checkpoint
    RP822: 10/20/2012 7:38:45 PM - System Checkpoint
    RP823: 10/21/2012 8:49:43 PM - System Checkpoint
    RP824: 10/22/2012 10:53:14 PM - System Checkpoint
    RP825: 10/23/2012 11:13:12 PM - System Checkpoint
    RP826: 10/25/2012 4:28:12 PM - System Checkpoint
    RP827: 10/28/2012 1:24:10 PM - System Checkpoint
    RP828: 10/29/2012 5:58:29 PM - System Checkpoint
    RP829: 10/30/2012 6:31:13 PM - System Checkpoint
    RP830: 10/31/2012 7:31:14 PM - System Checkpoint
    RP831: 11/2/2012 6:54:02 PM - System Checkpoint
    RP832: 11/3/2012 6:12:42 PM - System Checkpoint
    RP833: 11/4/2012 6:30:56 PM - System Checkpoint
    RP834: 11/5/2012 7:12:49 PM - System Checkpoint
    RP835: 11/6/2012 8:12:48 PM - System Checkpoint
    RP836: 11/8/2012 1:03:31 PM - System Checkpoint
    RP837: 11/9/2012 3:56:07 PM - System Checkpoint
    RP838: 11/11/2012 5:44:02 PM - System Checkpoint
    RP839: 11/12/2012 6:35:02 PM - System Checkpoint
    RP840: 11/13/2012 7:01:50 PM - System Checkpoint
    RP841: 11/15/2012 4:00:12 PM - System Checkpoint
    RP842: 11/15/2012 7:21:37 PM - Software Distribution Service 3.0
    RP843: 11/16/2012 5:32:21 PM - Installed Microsoft PowerPoint Viewer
    RP844: 11/17/2012 7:13:01 PM - Software Distribution Service 3.0
    RP845: 11/18/2012 8:57:52 PM - System Checkpoint
    RP846: 11/19/2012 3:00:24 AM - Software Distribution Service 3.0
    RP847: 11/21/2012 4:26:40 PM - System Checkpoint
    RP848: 11/22/2012 5:19:40 PM - System Checkpoint
    RP849: 11/23/2012 6:24:56 PM - System Checkpoint
    RP850: 11/24/2012 6:54:37 PM - System Checkpoint
    RP851: 11/25/2012 2:15:49 PM - Installed iTunes
    RP852: 11/26/2012 3:19:03 PM - System Checkpoint
    RP853: 11/27/2012 3:38:55 PM - System Checkpoint
    RP854: 11/28/2012 4:26:07 PM - System Checkpoint
    RP855: 11/29/2012 5:36:45 PM - System Checkpoint
    RP856: 11/30/2012 5:40:28 PM - System Checkpoint
    RP857: 12/2/2012 2:00:11 PM - System Checkpoint
    RP858: 12/3/2012 5:25:08 PM - System Checkpoint
    RP859: 12/6/2012 5:35:53 PM - System Checkpoint
    RP860: 12/7/2012 9:45:27 PM - System Checkpoint
    RP861: 12/9/2012 1:12:54 PM - System Checkpoint
    RP862: 12/10/2012 3:16:09 PM - System Checkpoint
    RP863: 12/11/2012 3:21:16 PM - System Checkpoint
    RP864: 12/12/2012 3:31:32 PM - System Checkpoint
    RP865: 12/13/2012 3:00:26 AM - Software Distribution Service 3.0
    RP866: 12/14/2012 3:59:25 AM - System Checkpoint
    RP867: 12/15/2012 8:14:05 PM - System Checkpoint
    RP868: 12/16/2012 9:57:28 PM - System Checkpoint
    RP869: 12/17/2012 10:00:50 PM - System Checkpoint
    RP870: 12/18/2012 10:36:46 PM - System Checkpoint
    RP871: 12/19/2012 11:02:11 PM - System Checkpoint
    RP872: 12/21/2012 6:37:36 PM - Software Distribution Service 3.0
    RP873: 12/22/2012 7:53:35 PM - System Checkpoint
    RP874: 12/23/2012 8:27:03 PM - System Checkpoint
    RP875: 12/24/2012 8:51:03 PM - System Checkpoint
    RP876: 12/25/2012 9:56:16 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    7-Zip 4.65
    Adobe Flash Player 11 ActiveX
    Adobe Reader 9.3.4
    Adobe Shockwave Player 11.5
    AiO_Scan
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    BabasChess
    Bonjour
    Carbonite
    CCleaner
    Compatibility Pack for the 2007 Office system
    Coupon Printer for Windows
    CouponBar
    CT-S300 x32 v157
    CutePDF Writer 2.8
    Defraggler
    ESET Smart Security
    Everything 1.2.1.371
    FedEx Ship Manager
    FileZilla Client 3.5.3
    Free Window Registry Repair
    Google Chrome
    Google Desktop
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB2756822)
    Hotfix for Windows XP (KB2779562)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB971276-v3)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Driver Diagnostics
    HP Image Zone 4.2
    HP PSC & OfficeJet 4.2
    Intel(R) PRO Network Connections Drivers
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 21
    Malwarebytes Anti-Malware version 1.65.1.1000
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656370)
    Microsoft .NET Framework 1.1 Security Update (KB2698023)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Office 2003 Primary Interop Assemblies
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Basic Edition 2003
    Microsoft Office File Validation Add-In
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft PowerPoint Viewer
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual J# 2.0 Redistributable Package
    Microsoft Visual Studio 2005 Tools for Office Runtime
    Microsoft XML Parser
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    NVIDIA Drivers
    OGA Notifier 2.0.0048.0
    QFolder
    QuickBooks
    QuickBooks Point of Sale 6.0
    QuickBooks Point of Sale 8.0
    QuickBooks Point Of Sale Product Listing Service
    QuickBooks Pro 2007
    QuickBooks Pro 2012
    QuickBooks Pro Edition 2004
    QuickBooks Pro Timer
    QuickTime Alternative 3.1.0
    Real Alternative 2.0.1
    Rundll Errors Fix Wizard
    Scan
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596856) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB2675157)
    Security Update for Windows Internet Explorer 8 (KB2699988)
    Security Update for Windows Internet Explorer 8 (KB2722913)
    Security Update for Windows Internet Explorer 8 (KB2744842)
    Security Update for Windows Internet Explorer 8 (KB2761465)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2653956)
    Security Update for Windows XP (KB2655992)
    Security Update for Windows XP (KB2659262)
    Security Update for Windows XP (KB2660465)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB2676562)
    Security Update for Windows XP (KB2685939)
    Security Update for Windows XP (KB2686509)
    Security Update for Windows XP (KB2691442)
    Security Update for Windows XP (KB2695962)
    Security Update for Windows XP (KB2698365)
    Security Update for Windows XP (KB2705219)
    Security Update for Windows XP (KB2707511)
    Security Update for Windows XP (KB2709162)
    Security Update for Windows XP (KB2712808)
    Security Update for Windows XP (KB2718523)
    Security Update for Windows XP (KB2719985)
    Security Update for Windows XP (KB2723135)
    Security Update for Windows XP (KB2724197)
    Security Update for Windows XP (KB2727528)
    Security Update for Windows XP (KB2731847)
    Security Update for Windows XP (KB2753842-v2)
    Security Update for Windows XP (KB2753842)
    Security Update for Windows XP (KB2758857)
    Security Update for Windows XP (KB2761226)
    Security Update for Windows XP (KB2770660)
    Security Update for Windows XP (KB2779030)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SmartDraw PDF Export (novaPDF 6.4 printer)
    SmartDraw VP
    SmartFTP Client
    SmartFTP Client 4.0 Setup Files (remove only)
    Spelling Dictionaries Support For Adobe Reader 9
    Spybot - Search & Destroy
    Star TSP100 Driver Installer
    SweetIM for Messenger 2.8
    SweetIM Toolbar for Internet Explorer 3.6
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows Internet Explorer 8 (KB980302)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB2661254-v2)
    Update for Windows XP (KB2718704)
    Update for Windows XP (KB2736233)
    Update for Windows XP (KB2749655)
    Update for Windows XP (KB971029)
    VLC media player 1.1.4
    WebFldrs XP
    Windows Driver Package - Star Micronics TSP100 (07/26/2006 1.0.4.0)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Media Format 11 runtime
    Windows Media Player 11
    XnView 1.97
    XPS Essentials Pack
    XPS Essentials Pack 1.0
    Yahoo! Messenger
    Yahoo! Software Update
    Yahoo! Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    12/23/2012 12:01:19 AM, error: VolSnap [12] - The shadow copy of volume C: became low on diff area space before it was properly installed.
    .
    ==== End Of File ===========================
     
  4. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
Download RogueKiller from here http://tigzy.geekstogo.com/Tools/RogueKiller.exe or here http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe and save it directly to your Desktop.

    • Quit all running programs
    • For Vista/Seven, right click -> Run as administrator; for XP simply run RogueKiller.exe
    • 1. Wait until Prescan has finished...
    • The following EULA will appear, please select accept

    • 2. Ensure MBR scan, Check faked and AntiRootkit are checked
    • 3. Select Scan

    • When the scan completes select Report, copy and paste that to your reply.

     
  5. wared13

    wared13 Thread Starter

    Joined:
    Dec 28, 2012
    Messages:
    16
    RogueKiller V8.4.1 [Dec 28 2012] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/
    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Owner [Admin rights]
    Mode : Scan -- Date : 12/28/2012 16:25:52
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 2 ¤¤¤
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [LOADED] ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\WINDOWS\system32\drivers\etc\hosts
    127.0.0.1 localhost

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: MIRROR +++++
    --- User ---
    [MBR] f6480cd2b1989e92dfe4f5fea68e781b
    [BSP] 5e99062c50d8519d942ab6c2640bd6e7 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238456 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!
    Finished : << RKreport[1]_S_12282012_02d1625.txt >>
    RKreport[1]_S_12282012_02d1625.txt
     
  6. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Do you still have issues or concerns?
     
  7. wared13

    wared13 Thread Starter

    Joined:
    Dec 28, 2012
    Messages:
    16
    Per RogueKiller, I deleted the two registry entries; I believe RogueKiller modified one entry, and deleted the other. However, I'm still having issues pertaining to opening programs like ESET, anti-Malware programs, etc. Please advise.
     
  8. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    • Ensure that Combofix is saved directly to the Desktop <--- Very important
    • Disable all security programs, as they will have a negative effect on Combofix; instructions are available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed; if you need more help please ask.
    • Close any open browsers and any other programs you might have running
    • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
    • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
    • If you are using Windows XP, it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
    • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
    • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

    Post the log in next reply please...

    Kevin
     
  9. wared13

    wared13 Thread Starter

    Joined:
    Dec 28, 2012
    Messages:
    16
    ComboFix 12-12-29.02 - Owner 12/29/2012 12:52:24.17.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2029.1312 [GMT -8:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Owner\Application Data\Toolbar4
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\arrow_refresh.png
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\basis.xml
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\0533ddea046b79382344642507f45004
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\0556fc8f70a9aca7d7bcd8ba92123627
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\0576bb925bf6d71ea78c0d968579aba3
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\0753dc69e4d9bd29ba5a4f0b2ed6449b
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\09243a7e0d5263f96fccb70e16bb0476
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\0b9a7a3e0c1c165779dd33b229048b21
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\0c74e33c6b89503129478a0eae095b4d
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\0e1466e34ff25e57fa813d21ebfe7cf6
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\0fb67f15ee619bf63699876db03ab661
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\1eac0d48548907dd2955f853c8069069
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\24234224fe547fa5f61335a325f858b5
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\2612ed9846214cbf7e954476bb044b3b
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\323af8f156d5bb22bb38cd2ce83959de
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\36402215e280142e9fec69a27ce97d32
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\3739298d2bc9d6b94dadd7b19b48ecb3
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\476905aa92e1c9a617bd41ce5318660f
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\4c667e8e6ec412f944dcb9352b851013
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\4d2e45ddaef75a6d2c9afdbc763c3752
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\4e2d5ba12b0ed08ba8960c3e874a01cb
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\5192a89f761039a8f133e9c0e6f074cd
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\560ff84a7533e0f37b61b702a5403538
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\59a443f04bf13d1170b3dfc61f51b928
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\5bc8ebf64906d196c815a3f28ee7be81
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\5dcc33988f89c01e09411de1fadabde2
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\5e4a0304a53d72265f5f470649d2f616
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\5fceefa5d8207202cd84891c2e491f65
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\753df778c49000ceb420710ab27250f3
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\7aab54a686f169a739561ca08b97d70b
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\829a174ff56578e2e86c6ea74ceac599
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\83ad61e99376761b1ad6ca7c90fe4e23
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\8ab60027ede7a5409caf6d1f39cee25f
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\8c192effd1339f8e52b7695d8409b038
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\8f1108fa39f3bc8170ca65bce26afa10
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\9222ff6c3153356869fc34c2bec05e71
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\97be6f9cdebaa8074491269ce024994b
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\9ac01b227ded0862f1cacbfb3aa57c30
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\a03f31127270e5ec9c753d5978824827
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\a0c60a9410bfbe84abdf5e97d0c4c25b
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\a19b273e14c682871c1f05f425edd77d
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\aa65030026dd406f81e1d2f100fe7920
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\b3df571fa6f6ff811aec53f4f8e39093
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\b4129101a6dd1056cc66cb8ee0ed07cb
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\b576b7d306b9484794e87c4894171e9c
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\b672745e0fa0b3d70622c3426bdb0fe6
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\b8cb931520574f1fbe2d6a417ab188a3
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\bc745160ebe75bdbd46f3c0c4b1875e9
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\c9430f8d5d64f3217a9e99836294f6c5
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\cadd36508a4b8f2e96e6251f59441e6d
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\cf00f968a680ae7de4f426758f29e399
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\cf6731590bc533ce3fb95d26dbc20581
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\d210e926e7fc2fc8277b03dcf0f51bf7
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\d5df3e47dbba341f2f3587a30d3147a9
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\d968ef76cba81bea577eec984bdb0fcf
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\dd63f857ccdda3776635728c6e9c9da5
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\df93d78ff74b9089b7e56bad7abf8d54
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\e0274c4eebf32d7d1bf0e38726e4ea71
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\e676561c84d9a41ec2ac1b9379b89748
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\ec6799973f1db7f39bff366162a4850e
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\fb1b51424af30e137842b1cf6f26c03e
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\fdcfc40763b6755ae687e945adb4dba4
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\fe6e9435289d779f70dff3e65824a72a
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\fe98d58b0232c74e3b47d141e87aaa18
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\merchant_notification
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cog.png
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\computer_delete.png
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\dataLoader.js
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\icons3.bmp
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\include_files\879ecc39d0be00e1ba71e4872c078138
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\info.txt
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\login.png
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\logo.png
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\search.png
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\TbHelper2.exe
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\tmp\7afdaa54335acddfc0f32d7c411bff25
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\todays_deals.png
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\uninstall.exe
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\update.exe
    c:\documents and settings\Owner\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\version.txt
    c:\windows\TEMP\{16AA8FB8-4A98-4757-B7A5-0FF22C0A6E33}_1101_1\dbdata11.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-11-28 to 2012-12-29 )))))))))))))))))))))))))))))))
    .
    .
    2012-12-28 19:34 . 2012-12-28 19:34 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2012-12-26 22:27 . 2012-12-26 22:27 -------- d-----w- c:\documents and settings\Owner\Application Data\ESET
    2012-12-26 22:21 . 2012-12-26 22:21 -------- d-----w- c:\program files\iPod
    2012-12-26 22:20 . 2012-12-26 22:21 -------- d-----w- c:\program files\iTunes
    2012-12-26 22:20 . 2012-12-26 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-12-16 12:23 . 2008-04-14 12:39 290560 ----a-w- c:\windows\system32\atmfd.dll
    2012-11-13 01:25 . 2008-04-14 08:00 1866368 ----a-w- c:\windows\system32\win32k.sys
    2012-11-02 02:02 . 2008-04-14 12:41 375296 ----a-w- c:\windows\system32\dpnet.dll
    2012-11-01 12:17 . 2008-05-19 18:16 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-11-01 12:17 . 2008-05-19 18:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-11-01 12:17 . 2008-05-19 18:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-11-01 00:35 . 2008-05-19 18:16 385024 ----a-w- c:\windows\system32\html.iec
    2012-10-02 18:04 . 2008-04-14 12:42 58368 ----a-w- c:\windows\system32\synceng.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2008-05-19 . 4728A2BF7FD18C858772158689ECDAC2 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{8660E5B3-6C41-44DE-8503-98D99BBECD41}"= "c:\program files\Coupons.com CouponBar\tbcore3.dll" [2012-02-06 2664864]
    .
    [HKEY_CLASSES_ROOT\clsid\{8660e5b3-6c41-44de-8503-98d99bbecd41}]
    [HKEY_CLASSES_ROOT\TBSB07898.TBSB07898.3]
    [HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
    [HKEY_CLASSES_ROOT\TBSB07898.TBSB07898]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{8660E5B3-6C41-44DE-8503-98D99BBECD41}"= "c:\program files\Coupons.com CouponBar\tbcore3.dll" [2012-02-06 2664864]
    .
    [HKEY_CLASSES_ROOT\clsid\{8660e5b3-6c41-44de-8503-98d99bbecd41}]
    [HKEY_CLASSES_ROOT\TBSB07898.TBSB07898.3]
    [HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
    [HKEY_CLASSES_ROOT\TBSB07898.TBSB07898]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
    @="{95A27763-F62A-4114-9072-E81D87DE3B68}"
    [HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
    2012-07-26 17:03 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
    @="{E300CD91-100F-4E67-9AF3-1384A6124015}"
    [HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
    2012-07-26 17:03 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
    @="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
    [HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
    2012-07-26 17:03 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-09 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2012-05-23 1838592]
    "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2012-10-26 2643320]
    "Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2012-07-26 1061960]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_3"="advpack.dll" [2009-03-08 128512]
    .
    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    FedEx Desktop.lnk - c:\program files\FedEx\FedEx Desktop\FedEx Desktop.exe [N/A]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe [2012-12-6 6186872]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2012-12-6 1176464]
    QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2012\QBW32.EXE [2012-12-6 1181584]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMConfigurePrograms"= 1 (0x1)
    .
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WZCSVC"=2 (0x2)
    "WMPNetworkSvc"=3 (0x3)
    "idsvc"=3 (0x3)
    "RemoteRegistry"=2 (0x2)
    "NVSvc"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks 2012\\QBDBMgrN.exe"=
    "c:\\Program Files\\FedEx\\ShipManager\\SQLANYWHERE\\BIN32\\DBENG11.EXE"=
    "c:\\Program Files\\FedEx\\ShipManager\\SQLANYWHERE\\BIN32\\DBSRV11.EXE"=
    "c:\\Program Files\\FedEx\\ShipManager\\BIN\\BACKUPDATABASEUTILITY.EXE"=
    "c:\\Program Files\\FedEx\\ShipManager\\BIN\\FSMREGISTRATION.EXE"=
    "c:\\Program Files\\FedEx\\ShipManager\\BIN\\GSMCOMMSETUP.EXE"=
    "c:\\Program Files\\FedEx\\ShipManager\\BIN\\LDSEDIT.EXE"=
    "c:\\Program Files\\FedEx\\ShipManager\\BIN\\ADMINSERVICE.EXE"=
    "c:\\Program Files\\FedEx\\ShipManager\\BIN\\SHIPENGINESERVICE.EXE"=
    "c:\\Program Files\\FedEx\\ShipManager\\BIN\\TRANSENGINESERVICE.EXE"=
    "c:\\Program Files\\FedEx\\ShipManager\\BIN\\FEDEX.GSM.CAFE.APPLICATIONENGINE.GUI.EXE"=
    "c:\\Program Files\\FedEx\\ShipManager\\BIN\\FEDEX.GSM.EXTERNAL.VERIFI.SERVICE.EXE"=
    "c:\\Program Files\\FedEx\\ShipManager\\BIN\\REPORTPROCESSING.EXE"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "20342:TCP"= 20342:TCP:spport
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
    "5353:UDP"= 5353:UDP:home share
    .
    R2 FedExAdminService;FedEx Administration Service;c:\program files\FedEx\ShipManager\BIN\AdminService.exe [8/23/2012 10:27 AM 24576]
    R2 FedExLoggingService;FedEx Logging Service;c:\program files\FedEx\ShipManager\BIN\FedEx.Gsm.Common.LoggingService.exe [8/23/2012 10:26 AM 7168]
    R2 FedExShipnetDBService;FedEx Shipnet Database Service;c:\program files\FedEx\ShipManager\SQLAnywhere\Bin32\dbsrv11.exe [8/23/2012 10:21 AM 141176]
    R2 Intuit Entitlement Service v3;Intuit Entitlement Service v3;c:\program files\Common Files\Intuit\Entitlement Client\v3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe [5/24/2006 8:09 AM 24576]
    R2 Intuit Entitlement Service v5.3;Intuit Entitlement Service v5.3;c:\program files\Common Files\Intuit\Entitlement Client\v5.3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe [7/29/2008 11:26 AM 20480]
    R2 QBPOSDBServiceV6;QBPOS Database Manager v6;c:\program files\Intuit\QuickBooks Point of Sale 6.0\DatabaseServer\QBPOSDBServiceV6.exe [2/9/2007 11:02 AM 1473536]
    R2 QBPOSDBServiceV8;QBPOS Database Manager v8;c:\program files\Intuit\QuickBooks Point of Sale 8.0\DatabaseServer\QBPOSDBService.exe [8/12/2011 10:07 AM 2734480]
    R2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [3/14/2012 4:06 AM 1248256]
    R2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB17 [?]
    R3 FedExShipService;FedEx Shipping Engine;c:\program files\FedEx\ShipManager\BIN\ShipEngineService.exe [8/23/2012 10:29 AM 5120]
    R3 FedExTransactionService;FedEx Transaction Engine;c:\program files\FedEx\ShipManager\BIN\TransEngineService.exe [8/23/2012 10:26 AM 6656]
    R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [12/24/2008 5:40 AM 80256]
    R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [12/16/2008 6:10 AM 70016]
    R3 QuickBooksDB22;QuickBooksDB22;c:\progra~1\Intuit\QUC2E1~1\QBDBMgrN.exe -hvQuickBooksDB22 --> c:\progra~1\Intuit\QUC2E1~1\QBDBMgrN.exe -hvQuickBooksDB22 [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 21:53]
    .
    2012-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 21:53]
    .
    2012-12-29 c:\windows\Tasks\SDMsgUpdate (TE).job
    - c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2010-06-16 17:29]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.seattletimes.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.254.254
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-12-29 13:00
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3792)
    c:\windows\system32\WININET.dll
    c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
    c:\program files\SmartFTP Client\en-US\sfShellTools.dll.mui
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
    c:\program files\7-Zip\7-zip.dll
    c:\program files\Microsoft Office\OFFICE11\msohev.dll
    c:\windows\system32\wpdshext.dll
    c:\windows\system32\Audiodev.dll
    c:\windows\system32\WMVCore.DLL
    c:\windows\system32\WMASF.DLL
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    c:\program files\Intuit\QuickBooks Point of Sale 6.0\DatabaseServer\QBDBMgrN.exe
    c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files\Intuit\QuickBooks Point of Sale 8.0\DatabaseServer\QBDBMgrN10.exe
    c:\program files\Intuit\QuickBooks Point of Sale 8.0\DatabaseServer\QBDBMgrN10.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\progra~1\Intuit\QUC2E1~1\QBDBMgrN.exe
    .
    **************************************************************************
    .
    Completion time: 2012-12-29 13:03:40 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-12-29 21:03
    ComboFix2.txt 2012-12-28 19:32
    ComboFix3.txt 2012-12-13 19:52
    ComboFix4.txt 2011-12-31 20:22
    ComboFix5.txt 2012-12-29 20:51
    .
    Pre-Run: 135,890,710,528 bytes free
    Post-Run: 135,893,741,568 bytes free
    .
    - - End Of File - - 1C98C88E244285664DAE1B086AFD2DF9
     
  10. wared13

    wared13 Thread Starter

    Joined:
    Dec 28, 2012
    Messages:
    16
    Just now I downloaded a fresh copy of Malwarebytes Anti-Malware, then proceeded to install. After installing the program attempted to open, but was unable - the message is: Unable to execute file: (the directory for mbam.exe) - CreateProcess failed; code 1260. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
     
  11. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Go to http://www.virustotal.com/

    • Click the Browse... button
    • Navigate to the file c:\windows\system32\sfcfiles.dll or just copy/paste it in.
    • Click the Scan it tab
    • If you get a message saying File has already been analyzed: click Reanalyze file now
    • Copy and paste the results back here please.

    Next,

    Please download VEW by Vino Rosso from HERE and save it to your Desktop.
    • Double-click VEW.exe to start; Vista and Windows 7 users right-click and select "Run as Administrator"
    • Under 'Select log to query...' check the boxes for both Application and System.
    • Under 'Select type to list...' select both Error and Critical.
    • Click the radio button for 'Number of events...' Type 10 in the 1 to 20 box.
    • Then click the Run button.
    • Notepad will open with the output log. It will take a couple of minutes to generate the log, please be patient.

    Please post the Output log in your next reply.

    Do you have any policies set that may affect system software etc...
     
  12. wared13

    wared13 Thread Starter

    Joined:
    Dec 28, 2012
    Messages:
    16
    SHA256: 3dfa2708eb2864a5d2f4a117de84f6122b601b5083c815d070f88bd44d46f399
    SHA1: 7ea34535a858ac214bdf153ed003f0550461288c
    MD5: 4728a2bf7fd18c858772158689ecdac2
    File size: 1.5 MB ( 1614848 bytes )
    File name: sfcfiles.dll
    File type: Win32 DLL
    Detection ratio: 0 / 45
    Analysis date: 2012-12-29 22:30:38 UTC ( 1 minute ago )
     
  13. wared13

    wared13 Thread Starter

    Joined:
    Dec 28, 2012
    Messages:
    16
    Vino's Event Viewer v01c run on Windows XP in English
    Report run at 29/12/2012 2:42:40 PM
    Note: All dates below are in the format dd/mm/yyyy
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'Application' Date/Time: 29/12/2012 1:10:24 PM
    Type: error Category: 2
    Event: 4 Source: QuickBooks
    An unexpected error has occured in "QuickBooks Pro 2012":
    DBConnPool::HandleConnectionError errorCode:-6069, dbCode:-103 from file:'.\.\src\ConnPool.cpp' at line 1038 from function:'DBMgr::DBConnPool::init'
    Log: 'Application' Date/Time: 29/12/2012 1:10:24 PM
    Type: error Category: 2
    Event: 4 Source: QuickBooks
    An unexpected error has occured in "QuickBooks Pro 2012":
    Connection String:CON=QBConnectionPool-Probe-QB_XPPRO_22;;DBF=C:\Documents and Settings\Owner\Desktop\Backups\Hellams Vineyard, L.L.C..QBW;CommLinks="ShMem,tcpip(IP=192.168.254.24;TO=5;DOBROADCAST=NONE;port=55348)";ServerName=QB_XPPRO_22;DBN=647532f9915b423380fb89928b38e26e
    Log: 'Application' Date/Time: 29/12/2012 1:10:24 PM
    Type: error Category: 2
    Event: 4 Source: QuickBooks
    An unexpected error has occured in "QuickBooks Pro 2012":
    Connection Error:Invalid user ID or password
    Log: 'Application' Date/Time: 29/12/2012 1:01:05 PM
    Type: error Category: 2
    Event: 4 Source: QuickBooks
    An unexpected error has occured in "QuickBooks":
    Returning NULL QBWinInstance Handle
    Log: 'Application' Date/Time: 29/12/2012 1:01:05 PM
    Type: error Category: 2
    Event: 4 Source: QuickBooks
    An unexpected error has occured in "QuickBooks":
    Returning NULL QBWinInstance Handle
    Log: 'Application' Date/Time: 29/12/2012 1:01:05 PM
    Type: error Category: 2
    Event: 4 Source: QuickBooks
    An unexpected error has occured in "QuickBooks":
    Returning NULL QBWinInstance Handle
    Log: 'Application' Date/Time: 29/12/2012 12:50:19 PM
    Type: error Category: 2
    Event: 4 Source: QuickBooks
    An unexpected error has occured in "QuickBooks":
    Returning NULL QBWinInstance Handle
    Log: 'Application' Date/Time: 29/12/2012 12:50:19 PM
    Type: error Category: 2
    Event: 4 Source: QuickBooks
    An unexpected error has occured in "QuickBooks":
    Returning NULL QBWinInstance Handle
    Log: 'Application' Date/Time: 29/12/2012 12:50:19 PM
    Type: error Category: 2
    Event: 4 Source: QuickBooks
    An unexpected error has occured in "QuickBooks":
    Returning NULL QBWinInstance Handle
    Log: 'Application' Date/Time: 29/12/2012 12:44:43 PM
    Type: error Category: 100
    Event: 1000 Source: Application Error
    Faulting application ekrn.exe, version 5.2.15.0, faulting module msvcr80.dll, version 8.0.50727.6195, fault address 0x0001500a.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'System' Date/Time: 28/12/2012 11:35:19 AM
    Type: error Category: 0
    Event: 10005 Source: DCOM
    DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
    Type: error Category: 0
    Event: 10005 Source: DCOM
    DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}
    Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
    Type: error Category: 0
    Event: 10005 Source: DCOM
    DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}
    Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
    Type: error Category: 0
    Event: 10005 Source: DCOM
    DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}
    Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
    Type: error Category: 0
    Event: 10005 Source: DCOM
    DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}
    Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
    Type: error Category: 0
    Event: 10005 Source: DCOM
    DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}
    Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
    Type: error Category: 0
    Event: 10005 Source: DCOM
    DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}
    Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
    Type: error Category: 0
    Event: 10005 Source: DCOM
    DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}
    Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
    Type: error Category: 0
    Event: 10005 Source: DCOM
    DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}
    Log: 'System' Date/Time: 28/12/2012 11:34:28 AM
    Type: error Category: 0
    Event: 10005 Source: DCOM
    DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}
     
  14. wared13

    wared13 Thread Starter

    Joined:
    Dec 28, 2012
    Messages:
    16
    No settings/policies that would restrict any programs
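
    The "code 1260" in post 10 is ERROR_ACCESS_DISABLED_BY_POLICY, the value CreateProcess returns when a Software Restriction Policy rule denies the image, so a rule does exist in the registry even though nobody set one through secpol.msc. On a standalone machine there is no domain policy to supply it; whatever sits under the Safer keys was written locally, by an administrator or by whatever is running on the box. The script below is an added example, not code from this thread, from VEW or from the Tweaking.com tool. It lists every SRP rule and default level from both hives with the date each rule was last modified, pulls the SRP block events that the VEW query in post 11 cannot show (SRP logs blocks as Warnings 865-868, not Errors), and provides two remediation helpers to use only after review. Assumptions: an elevated PowerShell 2.0 session (Windows Management Framework Core provides it for XP SP3); level names taken from the SAFER_LEVELID_* constants in winsafer.h; the event filter matches on event ID plus a Source containing "Restriction".

```powershell
# Added example; not code from this thread, from VEW, or from the Tweaking.com
# tool. Run from an elevated PowerShell 2.0+ prompt on the affected machine
# (Windows Management Framework Core supplies PowerShell 2.0 on XP SP3).
# No rule GUID, path or level is hard-coded: everything is read from the live
# registry and event log.

# SRP stores its configuration under these two keys (machine-wide and per-user).
$SrpRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)

# Security levels (SAFER_LEVELID_* constants from winsafer.h). The same numbers
# appear as the DefaultLevel value and as the subkeys that group the rules.
$LevelNames = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    65536  = 'Constrained'
    131072 = 'BasicUser'
    262144 = 'Unrestricted'
}

function Get-SrpRules {
    # One object per path or hash rule, plus a 'Default' object per hive that
    # shows what happens to executables no rule matches.
    foreach ($root in $SrpRoots) {
        if (-not (Test-Path $root)) { continue }
        $hive = $root.Split(':')[0]
        $cfg  = Get-ItemProperty -Path $root
        $def  = if ($cfg.DefaultLevel -ne $null) { [int]$cfg.DefaultLevel } else { 262144 }
        New-Object PSObject -Property @{
            Hive = $hive; Level = $LevelNames[$def]; Kind = 'Default'
            Target = '(everything no rule matches)'; Modified = $null; Key = $root
        }
        foreach ($levelKey in Get-ChildItem -Path $root) {
            if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
            $level = $LevelNames[[int]$levelKey.PSChildName]
            if ($level -eq $null) { $level = $levelKey.PSChildName }
            foreach ($kind in 'Paths', 'Hashes') {
                $kindPath = Join-Path $levelKey.PSPath $kind
                if (-not (Test-Path $kindPath)) { continue }
                foreach ($rule in Get-ChildItem -Path $kindPath) {
                    $p = Get-ItemProperty -Path $rule.PSPath
                    $target = $p.ItemData
                    if ($target -is [byte[]]) {
                        # Hash rules keep the digest as REG_BINARY; render it as hex.
                        $hex = ($target | ForEach-Object { $_.ToString('x2') }) -join ''
                        $target = "$hex (size $($p.ItemSize); $($p.FriendlyName))"
                    }
                    # LastModified is a FILETIME; it dates the rule, which is the
                    # quickest way to tell an infection's rule from an old admin one.
                    $when = $null
                    if ($p.LastModified -is [long]) { $when = [DateTime]::FromFileTime($p.LastModified) }
                    New-Object PSObject -Property @{
                        Hive = $hive; Level = $level; Kind = $kind
                        Target = $target; Modified = $when; Key = $rule.PSPath
                    }
                }
            }
        }
    }
}

function Get-SrpBlockEvents {
    param([int]$Days = 7)
    # SRP records each block as a Warning in the Application log: 865 (default
    # level), 866 (path rule), 867 (certificate rule), 868 (hash rule). A query
    # limited to Error/Critical entries, like the VEW run in this thread, never lists them.
    Get-EventLog -LogName Application -After (Get-Date).AddDays(-$Days) -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -ge 865 -and $_.EventID -le 868 -and $_.Source -like '*Restriction*' } |
        Select-Object TimeGenerated, EventID, Message
}

function Remove-SrpRule {
    # Delete one rule after you have confirmed it is not yours; pass the Key
    # column from Get-SrpRules. Processes started afterwards see the change;
    # reboot to be sure nothing is still holding the old policy.
    param([Parameter(Mandatory = $true)][string]$Key)
    Remove-Item -Path $Key -Recurse -Confirm
}

function Reset-SrpDefaultLevel {
    # Put the default back to Unrestricted in both hives; individual rules are
    # left alone so they can still be reviewed.
    foreach ($root in $SrpRoots) {
        if (Test-Path $root) {
            Set-ItemProperty -Path $root -Name DefaultLevel -Value 262144 -Type DWord
        }
    }
}

# Review first, remove second.
Get-SrpRules | Format-Table Hive, Level, Kind, Target, Modified -AutoSize
Get-SrpBlockEvents | Format-List
```

    What to look for with the symptom in this thread: a Disallowed (level 0) path rule whose Target points at the ESET or Malwarebytes directory, or a DefaultLevel of Disallowed with a short Unrestricted whitelist. Either produces exactly the 1260 message, and the Modified column will cluster at the time the problem began. Event 866's text names the rule GUID and the path it was placed on, which maps straight onto the Key column; delete only those rules, and leave anything the Modified date shows was created long before the infection.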
     
  15. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Download Windows Repair Tool by Tweaking.com from here :- http://majorgeeks.com/Tweaking.com_-_Windows_Repair_Portable_d7222.html and unzip the contents into a newly created folder on your desktop.

    • Now open Repair_Windows.exe in the folder
    • Go to Step 4 and create a Restore Point
    • Go to Start repairs tab then select Start
    • In the Custom Mode window, only select the following repair options:
    • Reset Registry Permissions
    • Reset File Permissions
    • Register System Files
    • Repair WMI
    • Repair Internet Explorer
    • Remove Policies Set By Infections
    • Repair MSI (Windows Installer)

    • Click the Start button.


    Be patient while the tool repairs the selected items.
    If prompted, reboot the computer for the changes to take effect; make sure other tasks in the program are not still running before rebooting.

    Let me see the log which will be found in this folder:

    C:\Tweaking.com_windows_Repair_Logs

    Has that made any difference?
     
Short URL to this thread: https://techguy.org/1082771