Solved System Check malware removal

Audioconsultant

I always thought I practiced "safe computing", never opening unexpected email attachments, always installing Windows updates as they were installed, using TrendMicro's latest, and doing most browsing using Firefox. My machine is running XP 32 bit.

Friday I was writing a post to a web Forum I had visited many times in the past, when for the first time TrendMicro popped up a window indicating it had blocked a .tmp file. Maybe a minute later before I had posted to the web Forum, Firefox suddenly went away. I closed the other programs I had running and shut down the PC.

When I restarted the PC, I got what looked like a Windows warning message that my hard drive was failing and asking to run a check. Since my hard drive had actually failed about a month ago and been replaced by Dell, I thought maybe the new drive had also failed. I hit the OK button and it ran a scan claiming it found all sorts of things wrong including bad memory. That did not sound right to me. When it told me that to fix the problems would require purchasing a program, I knew I had been infected. Then I noticed the program name was System Check.

I shut down, then started back up in safe mode. I found that Trend Micro would not run. I shut down and started in Safe Mode with Networking, and found IE, Firefox, and Opera (the 3 browsers I had installed) would not run.

On a different machine I downloaded from TrendMicro their RescueDisk, which claimed my PC was clean. I downloaded HouseCallLauncher, but it could not reach the Internet. I downloaded RootkitBuster_v5_1050 but it would not run.

Figuring I needed a clean boot CD, I did some searching and found PEBuilder and after several tries made a boot CD with HouseCallLauncher and RootkitBuster_v5_1050 on it. This made no difference, and HouseCallLauncher still could not reach the Internet and RootkitBuster_v5_1050 would not run.

I then downloaded Microsoft Malicious Software Remover, put it on a USB key, booted into Safe mode, and ran both the quick and full checks both of which said my PC was clean.

Meanwhile I found and downloaded Kaspersky Rescue Disk 10 and burned a CD. This boots into Linux and the quick check found and removed a Rootkit. The full check did not find anything else. At the end of the check it said there was an update available (from today) and I downloaded that. The quick check found another Rootkit, and the full check found and deleted or quarantined 5 other items. It then claimed my PC was now cleaned. However when I told it to shut down, the machine hung and never shut down. I had to force a power down.

With great hope I rebooted from the hard drive in normal mode. It appeared to boot correctly, but I had a blank desktop (blue background) with no icons. The right side of the Start menu was blank, but the left side was there and so was the program menu. In the program menu was a System Check group which I stayed away from. Web browsers could reach the Internet.

It was at this point my searching led me to this website. I found the 5 step instructions. Step 1 was to have a running anti-virus so I ran TrendMicro and found it had lost the purchase key. I re-entered the key, and Trend appeared to be running correctly.

For step 2 I downloaded on the problem PC Malwarebytes and followed the instructions up to the point of doing a scan. All went well until I reached:

Objects scanned: 45367
Objects detected: 0
Scan Type: Quick scan
Time elapsed: 4 minute(s), 46 second(s)
Currently scanning:
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Local Settings\Temporary Internet Files\Content.IE5\IONCA6YZ\26615fa[1].js

The above was hand typed, since while Opera would run, I could not access this forum, so I am doing this on another PC.

At that point it hung up and there has been no further progress for maybe an hour (I was not really timing). If the cursor is over the Malwarebytes window it changes into an hourglass. The only sign of activity is every once in a while a message pops up saying Malwarebytes has blocked access to an IP address.

Since Malwarebytes is hung up, what should my next step be? Usually I can deal with most PC issues, but this problem has me stumped.

Trying to post this was difficult since I appeared to have been logged out automatically while typing it. I have now logged back in and hope this works.

Thanks for your help!
 
Welcome aboard


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=============================================================

Restart computer manually, skip Malwarebytes for now and complete as many other steps as you can.
 
Posting Issues

I did the rest of the steps, but when I tried to post the results I got a "Connection closed by remote server" error (running Opera on the problem PC). I am doing this post from a different machine. If this works, I will try posting a different way.
 
attempts to post test results

Tried to post from the problem PC using Firefox and got the same error message. Copied the data into a txt file on a USB stick and moved it to the other PC where I now am posting from.

From this machine I got an error "You have included 7 images in your message. You are limited to using 6 images so please go back and correct the problem and then continue again.

"Images include use of smilies, the BB code tag and HTML <img> tags. The use of these is all subject to them being enabled by the administrator."

I tried leaving out the Attach.txt data, but got the same message about "7 images". So this post I am leaving out all the test results to see if it will post.
 
Gmer

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-01-22 21:31:17
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD5000AAKX-753CA1 rev.19.01H19
Running: 29j2gq6c.exe; Driver: C:\DOCUME~1\RAYA~1.RAY\LOCALS~1\Temp\kxtdqpod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

---- EOF - GMER 1.0.15 ----
 
DDS part 1

Got that "7 images" error again when attempting to post the DDS.txt data. I just cut off the second half to see if the first half will post.

That did not work, so I will try one tiny bit at a time.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Ray A. Rayburn at 21:35:58 on 2012-01-22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2525 [GMT -7:00]
.
AV: Trend Micro Titanium Maximum Security *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
.
 
DDS Running Processes

============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Windows Home Server\WHSConnector.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\Program Files\Opera\opera.exe
.
 
DDS Pseudo HJT Report - part 1

Ah Ha!

This is the part triggering the "7 images" error. I will now try to break it in half.

That did not work, so I will try breaking the first part in half.

============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\1.5.1504\6.6.1088\TmIEPlg.dll
BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: BrowserHelper Class: {9a065c65-4ee7-4ddd-9918-f129089a894a} - c:\program files\windows home server\WHSDeskBands.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
 
DDS Pseudo HJT Report - part 2

Let's try another little chunk.

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DellCleanup] c:\dell\WINCLEAN.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
 
DDS Pseudo HJT Report - part 3

Another chunk.

This triggered the "7 images" error, so I will shorten it.

No joy. I will now post 2 lines of the 5 I last attempted to post.

mRun: [Trend Micro Titanium] c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe -set Silent "1" SplashURL ""
mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"
 
DDS Pseudo HJT Report - part 4

The next 3 lines.

Ugh! Still "7 images" error. Let's try 2 lines.

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
 
DDS Pseudo HJT Report - part 5

Let's see if I can post the rest of DDS now.

No such luck, so I will try the rest of this section.

That did not work either. I will try 5 lines.

I give up. The Forum appears to be broken. I can't go posting such long documents 2 lines at a time. Please get the Forum fixed so I can post, and I will put up the rest. That may have to wait for the AM.
 
DDS the rest?

I logged out of TechSpot, then closed the browser tab. Opened a new tab, went to TechSpot, logged in, and tried posting again. Let's see if this works.

Nope.

I just searched the text file I am trying to post, and "img" is not in it. Something must be goofy with the Forum.
 
test results as attachment

Tried to post from a different computer (this time at work) with the same "7 images" error.

Therefore as you asked I have attached a text file.
 

Attachments

  • test_results.txt (34.8 KB)

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Ray A. Rayburn at 21:35:58 on 2012-01-22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2525 [GMT -7:00]
.
AV: Trend Micro Titanium Maximum Security *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Windows Home Server\WHSConnector.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\Program Files\Opera\opera.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\1.5.1504\6.6.1088\TmIEPlg.dll
BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: BrowserHelper Class: {9a065c65-4ee7-4ddd-9918-f129089a894a} - c:\program files\windows home server\WHSDeskBands.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DellCleanup] c:\dell\WINCLEAN.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Trend Micro Titanium] c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe -set Silent "1" SplashURL ""
mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
mRun: [<NO NAME>]
mRun: [HPUsageTracking] "c:\program files\hp\hp ut\bin\hppusg.exe" "c:\program files\hp\hp ut\"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\raya~1.ray\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\ray a. rayburn\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~2.lnk - c:\windows\installer\{21e49794-7c13-4e84-8659-55bd378267d5}\WHSTrayApp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoDesktop = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1324404328062
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1324404437234
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: DhcpNameServer = 129.82.103.75 75.75.76.76 75.75.75.75
TCP: Interfaces\{61CC70D4-7E08-4CE0-B7D5-662AC5F22918} : DhcpNameServer = 129.82.103.75 75.75.76.76 75.75.75.75
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\1.5.1504\6.6.1088\TmIEPlg.dll
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll
Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - c:\program files\trend micro\titanium\uiframework\ProToolbarIMRatingActiveX.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ray a. rayburn\application data\mozilla\firefox\profiles\2vvxkcq8.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2011-12-20 188272]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-22 652872]
R2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2011-12-20 2984832]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-12-20 64080]
R2 WHSConnector;Windows Home Server Connector Service;c:\program files\windows home server\WHSConnector.exe [2011-1-10 376688]
R3 BackupReader;BackupReader;c:\windows\system32\drivers\BackupReader.sys [2007-9-6 44784]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-22 20464]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-1-22 40776]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]
.
=============== Created Last 30 ================
.
2012-01-22 23:37:22 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-22 23:37:22 -------- d-----w- c:\documents and settings\ray a. rayburn\application data\Malwarebytes
2012-01-22 23:37:13 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-01-22 23:37:12 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-22 23:37:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-22 09:36:47 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-01-22 01:24:07 -------- d-----w- C:\log
2012-01-21 18:14:27 8656400 ----a-w- C:\RootkitBuster_v5_1050.exe
2012-01-21 14:50:41 -------- d---a-w- C:\tmbrfix
2012-01-21 04:22:22 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2012-01-16 00:46:59 -------- d-----w- c:\documents and settings\ray a. rayburn\application data\Windows Search
2012-01-11 14:27:01 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-11 14:27:01 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-11 14:27:01 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-11 14:27:01 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2011-12-30 17:17:34 -------- d-----w- c:\documents and settings\ray a. rayburn\application data\HpUpdate
2011-12-30 17:17:32 -------- d-----w- c:\windows\Hewlett-Packard
2011-12-29 16:11:30 -------- d-----w- c:\documents and settings\all users\application data\zvprt50
2011-12-29 16:11:23 9451 ------w- c:\windows\system32\hppfaxprintermonui5.dll
2011-12-29 16:11:23 13385 ------w- c:\windows\system32\hppfaxprintermon5.dll
2011-12-29 16:11:22 608 --sha-w- c:\windows\system32\winzvprt5.sys
2011-12-29 16:06:11 -------- d-----w- C:\hp_LJM2727_full_solution_AM_EMEA1
2011-12-28 20:20:40 -------- d--h--w- c:\windows\PIF
2011-12-27 22:59:20 -------- d-----w- c:\program files\Gold Line
2011-12-27 20:43:37 -------- d-----w- c:\documents and settings\ray a. rayburn\WINDOWS
2011-12-27 02:45:40 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-12-27 02:45:40 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-12-27 02:42:04 -------- d-----w- c:\documents and settings\ray a. rayburn\local settings\application data\Apple Computer
2011-12-27 02:41:57 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-12-27 02:41:57 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-12-27 02:41:20 -------- d-----w- c:\program files\iPod
2011-12-27 02:41:19 -------- d-----w- c:\program files\iTunes
2011-12-27 02:41:19 -------- d-----w- c:\documents and settings\all users\application data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-12-27 02:40:59 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-12-27 02:40:59 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-12-27 02:40:34 -------- d-----w- c:\program files\Bonjour
2011-12-27 02:32:42 -------- d-----w- c:\program files\common files\HP
2011-12-27 02:32:34 -------- d-----w- c:\program files\common files\Hewlett-Packard
2011-12-27 02:32:19 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-12-27 02:32:19 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-12-27 02:31:52 241664 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpzpp5mc.DLL
2011-12-27 02:31:51 59928 ----a-w- c:\windows\system32\fxcompchannel.dll
2011-12-27 02:30:36 876544 ----a-w- c:\windows\system32\hpxp2727.dll
2011-12-27 02:30:36 733184 ----a-w- c:\windows\system32\hpptsp02.dll
2011-12-27 02:30:36 450560 ----a-w- c:\windows\system32\hppasc07.dll
2011-12-27 02:30:36 327680 ----a-w- c:\windows\system32\hppcpr07.dll
2011-12-27 01:38:28 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-12-27 01:38:28 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-12-27 01:20:50 -------- d-----w- c:\windows\system32\NtmsData
2011-12-27 01:19:19 -------- d-----w- c:\program files\HP
.
==================== Find3M ====================
.
2012-01-22 01:37:57 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-12-21 06:31:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-21 06:19:14 92112 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2011-12-21 06:19:14 80464 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2011-12-21 06:19:14 64080 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2011-12-19 17:30:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-12-19 17:30:10 411368 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-15 20:45:21 77824 ----a-w- c:\windows\setpwr32.exe
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:29:56 1868544 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
2011-11-03 15:28:36 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28:36 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 20:35:20 81920 ------w- c:\windows\system32\ieencode.dll
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 21:36:40.78 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/20/2011 9:48:51 AM
System Uptime: 1/22/2012 9:21:51 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0GN723
Processor: Intel(R) Core(TM)2 Duo CPU E8200 @ 2.66GHz | Socket 775 | 2660/333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 385.421 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP10: 12/20/2011 7:45:04 PM - Installed Windows Home Server Connector
RP11: 12/20/2011 7:56:03 PM - Removed Windows Home Server Connector
RP12: 12/20/2011 7:56:19 PM - Installed Windows Home Server Connector
RP13: 12/20/2011 7:58:54 PM - Installed Windows Home Server Toolkit 1.1
RP14: 12/21/2011 8:29:20 AM - Software Distribution Service 3.0
RP15: 12/21/2011 8:34:31 AM - Printer Driver AdobePS Acrobat Distiller Installed
RP16: 12/21/2011 8:37:25 AM - Installed Adobe Acrobat 6.0 Professional
RP17: 12/21/2011 8:40:21 AM - Printer Driver Adobe PDF Converter Installed
RP18: 12/21/2011 8:41:48 AM - Installed Adobe Acrobat - Reader 6.0.2 Update
RP19: 12/21/2011 8:42:07 AM - Installed Adobe Interactive Forms Update SP1
RP20: 12/21/2011 8:42:28 AM - Installed Adobe Acrobat and Reader 6.0.3 Update
RP21: 12/21/2011 8:52:51 AM - Installed Bonjour Print Services
RP22: 12/22/2011 10:40:52 AM - System Checkpoint
RP23: 12/23/2011 11:07:38 AM - System Checkpoint
RP24: 12/24/2011 11:55:38 AM - System Checkpoint
RP25: 12/25/2011 12:55:38 PM - System Checkpoint
RP26: 12/26/2011 1:55:38 PM - System Checkpoint
RP27: 12/26/2011 7:31:56 PM - Printer Driver HP LaserJet M2727 MFP Series PCL 6 Installed
RP28: 12/26/2011 7:41:14 PM - Installed iTunes
RP29: 12/27/2011 3:59:20 PM - Installed Sound Lab TDSenh
RP30: 12/28/2011 4:07:56 PM - System Checkpoint
RP31: 12/29/2011 9:11:26 AM - Printer Driver hpfax1 Installed
RP32: 12/29/2011 9:11:40 AM - Installed HPSU306Stub
RP33: 12/30/2011 9:23:27 AM - System Checkpoint
RP34: 12/30/2011 10:17:38 AM - Removed HPSU306Stub
RP35: 12/31/2011 1:29:45 PM - System Checkpoint
RP36: 1/1/2012 2:23:27 PM - System Checkpoint
RP37: 1/2/2012 3:23:27 PM - System Checkpoint
RP38: 1/3/2012 3:23:34 PM - System Checkpoint
RP39: 1/4/2012 4:23:33 PM - System Checkpoint
RP40: 1/5/2012 11:35:22 PM - System Checkpoint
RP41: 1/7/2012 12:23:33 AM - System Checkpoint
RP42: 1/8/2012 12:46:49 AM - System Checkpoint
RP43: 1/9/2012 1:23:33 AM - System Checkpoint
RP44: 1/10/2012 2:23:33 AM - System Checkpoint
RP45: 1/11/2012 3:23:42 AM - System Checkpoint
RP46: 1/11/2012 9:19:35 PM - Software Distribution Service 3.0
RP47: 1/13/2012 12:27:34 AM - System Checkpoint
RP48: 1/14/2012 12:58:32 AM - System Checkpoint
RP49: 1/15/2012 1:58:31 AM - System Checkpoint
RP50: 1/16/2012 2:58:32 AM - System Checkpoint
RP51: 1/17/2012 3:58:31 AM - System Checkpoint
RP52: 1/18/2012 3:58:38 AM - System Checkpoint
RP53: 1/19/2012 4:58:38 AM - System Checkpoint
RP54: 1/20/2012 5:58:38 AM - System Checkpoint
RP55: 1/22/2012 5:51:32 PM - System Checkpoint
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 6.0.1 Professional
Adobe Acrobat and Reader 6.0.3 Update
Adobe Flash Player 11 Plugin
Adobe Interactive Forms Update SP1
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Bonjour Print Services
CustomerResearchQFolder
Dell Driver Reset Tool
Destination Component
DeviceDiscovery
DeviceManagementQFolder
Dropbox
eWallet 7.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954434)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB958347)
Hotfix for Windows XP (KB959252)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB968764)
Hotfix for Windows XP (KB969084)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Customer Participation Program 9.0
HP LaserJet M2727 MFP Series 5.0
HP Update
hppFaxDrvM2727
hppFaxUtility
hppFonts
hppLJM2727
hppManualsM2727
hppscanM2727
hppScanTo
hppSendFax
hppTLBXFXM2727
hppusgM2727
HPSSupply
hpzTLBXFX
Intel(R) PRO Network Connections 12.1.12.0
IrfanView (remove only)
iTunes
Java Auto Updater
Java(TM) 6 Update 20
Malwarebytes Anti-Malware version 1.60.0.1800
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Ultimate 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox 9.0.1 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP3 Parser (KB973685)
MSXML 6.0 Parser (KB927977)
NVIDIA Drivers
Opera 11.60
Product_Min_QFolder
Realtek High Definition Audio Driver
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2483614)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544521)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618444)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Sound Lab TDSenh
TeamViewer 7
Trend Micro Titanium Maximum Security
Trend Micro™ Titanium™ Maximum Security
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596686) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB980182)
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Home Server Connector
Windows Home Server Toolkit 1.1
Windows Internet Explorer 8
Windows Management Framework Core
Windows Presentation Foundation
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows Search 4.0
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
1/21/2012 3:11:12 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
1/21/2012 2:29:27 PM, error: Dhcp [1002] - The IP address lease 192.168.2.104 for the Network Card with network address 001D09912E42 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
1/20/2012 7:59:32 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.2.104 with the system having network hardware address 8C:7B:9D:13:5E:93. Network operations on this system may be disrupted as a result.
1/20/2012 10:55:01 AM, error: Dhcp [1002] - The IP address lease 192.168.2.106 for the Network Card with network address 001D09912E42 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
1/20/2012 10:34:11 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
1/20/2012 10:30:35 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm tmtdi
1/20/2012 10:24:20 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip tmtdi
1/20/2012 10:24:20 PM, error: Service Control Manager [7001] - The Windows Home Server Connector Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/20/2012 10:24:20 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
1/20/2012 10:24:20 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/20/2012 10:24:20 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/20/2012 10:24:20 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
1/20/2012 10:24:20 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/20/2012 10:24:20 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/20/2012 10:23:38 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/20/2012 10:07:35 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
1/20/2012 10:07:35 PM, error: Service Control Manager [7000] - The NTPort Library Driver service failed to start due to the following error: The system cannot find the file specified.
1/19/2012 10:55:00 PM, error: Dhcp [1002] - The IP address lease 192.168.2.107 for the Network Card with network address 001D09912E42 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
1/17/2012 10:54:58 PM, error: Dhcp [1002] - The IP address lease 192.168.2.101 for the Network Card with network address 001D09912E42 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
1/17/2012 10:54:57 AM, error: Dhcp [1002] - The IP address lease 192.168.2.102 for the Network Card with network address 001D09912E42 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
1/16/2012 10:54:48 AM, error: Dhcp [1002] - The IP address lease 192.168.2.109 for the Network Card with network address 001D09912E42 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================
 
Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

============================================================

Download Bootkit Remover to your Desktop.

  • Unzip downloaded file to your Desktop.
  • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
aswMBR

aswMBR version 0.9.9.1509 Copyright(c) 2011 AVAST Software
Run date: 2012-01-23 23:36:28
-----------------------------
23:36:28.437 OS Version: Windows 5.1.2600 Service Pack 3
23:36:28.437 Number of processors: 2 586 0x1706
23:36:28.437 ComputerName: KELLY UserName:
23:36:30.140 Initialize success
23:37:40.203 AVAST engine defs: 12012301
23:40:35.015 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
23:40:35.015 Disk 0 Vendor: WDC_WD5000AAKX-753CA1 19.01H19 Size: 476940MB BusType: 3
23:40:35.031 Disk 0 MBR read successfully
23:40:35.031 Disk 0 MBR scan
23:40:35.078 Disk 0 Windows VISTA default MBR code
23:40:35.078 Disk 0 Partition 1 00 DE Dell Utility DELL 4.1 39 MB offset 63
23:40:35.109 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 476898 MB offset 80325
23:40:35.109 Disk 0 scanning sectors +976768065
23:40:35.203 Disk 0 scanning C:\WINDOWS\system32\drivers
23:40:38.562 File: C:\WINDOWS\system32\drivers\afd.sys **INFECTED** Win32:Kryptik-GQO [Trj]
23:40:48.359 Disk 0 trace - called modules:
23:40:48.375 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xb5d25ff0]<<
23:40:48.375 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a6a5ab8]
23:40:48.375 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8a1fa5b8]
23:40:48.375 \Driver\00000480[0x8a1f6d30] -> IRP_MJ_CREATE -> 0xb5d25ff0
23:40:49.640 AVAST engine scan C:\WINDOWS
23:40:56.890 AVAST engine scan C:\WINDOWS\system32
23:42:24.609 AVAST engine scan C:\WINDOWS\system32\drivers
23:42:28.031 File: C:\WINDOWS\system32\drivers\afd.sys **INFECTED** Win32:Kryptik-GQO [Trj]
23:42:41.125 AVAST engine scan C:\Documents and Settings\Ray A. Rayburn
00:05:51.031 AVAST engine scan C:\Documents and Settings\All Users
00:10:09.187 Scan finished successfully
00:11:59.640 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ray A. Rayburn\Desktop\MBR.dat"
00:11:59.640 The log file has been saved successfully to "C:\Documents and Settings\Ray A. Rayburn\Desktop\aswMBR.txt"
 
Bootkit Remover

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02738a00
Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...
 
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shut down your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Combofix

ComboFix 12-01-23.02 - Ray A. Rayburn 01/24/2012 17:01:49.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2935 [GMT -7:00]
Running from: c:\documents and settings\Ray A. Rayburn\Desktop\ComboFix.exe
AV: Trend Micro Titanium Maximum Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\~UryG62GqbSFGtC
c:\documents and settings\All Users\Application Data\~UryG62GqbSFGtCr
c:\documents and settings\All Users\Application Data\UryG62GqbSFGtC
c:\documents and settings\Ray A. Rayburn\Desktop\System Check.lnk
c:\documents and settings\Ray A. Rayburn\Start Menu\Programs\System Check
c:\documents and settings\Ray A. Rayburn\Start Menu\Programs\System Check\System Check.lnk
c:\documents and settings\Ray A. Rayburn\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\documents and settings\Ray A. Rayburn\WINDOWS
c:\windows\$NtUninstallKB37017$
c:\windows\$NtUninstallKB37017$\1370661434
c:\windows\$NtUninstallKB37017$\2577664317\@
c:\windows\$NtUninstallKB37017$\2577664317\bckfg.tmp
c:\windows\$NtUninstallKB37017$\2577664317\cfg.ini
c:\windows\$NtUninstallKB37017$\2577664317\Desktop.ini
c:\windows\$NtUninstallKB37017$\2577664317\keywords
c:\windows\$NtUninstallKB37017$\2577664317\kwrd.dll
c:\windows\$NtUninstallKB37017$\2577664317\L\rohepcid
c:\windows\$NtUninstallKB37017$\2577664317\lsflt7.ver
c:\windows\$NtUninstallKB37017$\2577664317\U\00000001.@
c:\windows\$NtUninstallKB37017$\2577664317\U\00000002.@
c:\windows\$NtUninstallKB37017$\2577664317\U\00000004.@
c:\windows\$NtUninstallKB37017$\2577664317\U\80000000.@
c:\windows\$NtUninstallKB37017$\2577664317\U\80000004.@
c:\windows\$NtUninstallKB37017$\2577664317\U\80000032.@
.
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - The cat found it :)
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
.
((((((((((((((((((((((((( Files Created from 2011-12-25 to 2012-01-25 )))))))))))))))))))))))))))))))
.
.
2012-01-24 23:59 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-22 23:37 . 2012-01-22 23:37 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-22 23:37 . 2012-01-22 23:37 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Application Data\Malwarebytes
2012-01-22 23:37 . 2012-01-22 23:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-22 23:37 . 2012-01-22 23:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-22 23:37 . 2011-12-10 22:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-22 09:36 . 2012-01-22 16:20 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-01-22 01:45 . 2012-01-22 01:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2012-01-22 01:24 . 2012-01-22 01:24 -------- d-----w- C:\log
2012-01-21 18:14 . 2012-01-21 21:54 8656400 ----a-w- C:\RootkitBuster_v5_1050.exe
2012-01-21 14:50 . 2012-01-21 15:14 -------- d---a-w- C:\tmbrfix
2012-01-21 05:39 . 2012-01-21 05:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-01-21 05:32 . 2012-01-21 05:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Opera
2012-01-21 05:29 . 2012-01-21 05:29 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-01-21 04:58 . 2012-01-21 04:58 -------- d-----w- c:\windows\Sun
2012-01-21 04:22 . 2008-04-14 07:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2012-01-16 00:46 . 2012-01-16 00:46 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Application Data\Windows Search
2012-01-11 14:27 . 2012-01-11 14:27 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-11 14:27 . 2012-01-11 14:27 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-11 14:27 . 2012-01-11 14:27 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-11 14:27 . 2012-01-11 14:27 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2011-12-30 17:17 . 2011-12-30 17:18 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Application Data\HpUpdate
2011-12-30 17:17 . 2011-12-30 17:17 -------- d-----w- c:\windows\Hewlett-Packard
2011-12-29 16:12 . 2011-12-29 16:12 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Application Data\HP
2011-12-29 16:11 . 2011-12-29 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\zvprt50
2011-12-29 16:11 . 2007-04-02 15:19 9451 ------w- c:\windows\system32\hppfaxprintermonui5.dll
2011-12-29 16:11 . 2007-04-02 15:19 13385 ------w- c:\windows\system32\hppfaxprintermon5.dll
2011-12-29 16:11 . 2011-12-29 16:11 608 --sha-w- c:\windows\system32\winzvprt5.sys
2011-12-29 16:06 . 2011-12-29 16:06 -------- d-----w- C:\hp_LJM2727_full_solution_AM_EMEA1
2011-12-28 20:20 . 2011-12-28 20:20 -------- d--h--w- c:\windows\PIF
2011-12-28 02:01 . 2011-12-28 02:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2011-12-27 22:59 . 2011-12-27 22:59 -------- d-----w- c:\program files\Gold Line
2011-12-27 02:45 . 2008-04-14 12:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-12-27 02:45 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-12-27 02:42 . 2011-12-27 02:42 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Local Settings\Application Data\Apple Computer
2011-12-27 02:42 . 2011-12-27 02:45 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Application Data\Apple Computer
2011-12-27 02:41 . 2009-05-18 20:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-12-27 02:41 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\program files\iPod
2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\program files\iTunes
2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\program files\Apple Software Update
2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2011-12-27 02:40 . 2011-08-03 00:38 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-12-27 02:40 . 2011-08-03 00:38 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-12-27 02:40 . 2011-12-27 02:40 -------- d-----w- c:\program files\Bonjour
2011-12-27 02:40 . 2011-12-27 02:41 -------- d-----w- c:\program files\Common Files\Apple
2011-12-27 02:32 . 2011-12-27 02:32 -------- d-----w- c:\program files\Common Files\HP
2011-12-27 02:32 . 2011-12-27 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2011-12-27 02:32 . 2011-12-27 02:32 -------- d-----w- c:\program files\Hewlett-Packard
2011-12-27 02:32 . 2011-12-27 02:32 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2011-12-27 02:32 . 2008-04-14 07:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-12-27 02:32 . 2008-04-14 07:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-12-27 02:32 . 2011-12-29 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2011-12-27 02:31 . 2008-02-01 18:13 241664 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5mc.DLL
2011-12-27 02:31 . 2007-07-17 12:29 59928 ----a-w- c:\windows\system32\fxcompchannel.dll
2011-12-27 02:30 . 2008-01-15 08:00 327680 ----a-w- c:\windows\system32\hppcpr07.dll
2011-12-27 02:30 . 2008-01-07 02:48 733184 ----a-w- c:\windows\system32\hpptsp02.dll
2011-12-27 02:30 . 2007-06-05 22:31 876544 ----a-w- c:\windows\system32\hpxp2727.dll
2011-12-27 02:30 . 2007-02-08 04:03 450560 ----a-w- c:\windows\system32\hppasc07.dll
2011-12-27 01:38 . 2008-04-14 07:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-12-27 01:38 . 2008-04-14 07:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-12-27 01:20 . 2011-12-27 01:20 -------- d-----w- c:\windows\system32\NtmsData
2011-12-27 01:19 . 2011-12-27 02:41 -------- dc----w- c:\windows\system32\DRVSTORE
2011-12-27 01:19 . 2011-12-30 17:17 -------- d-----w- c:\program files\HP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-22 01:37 . 2011-12-21 06:23 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-12-21 06:31 . 2011-12-21 06:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-21 06:19 . 2011-12-21 06:23 92112 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2011-12-21 06:19 . 2011-12-21 06:23 80464 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2011-12-21 06:19 . 2011-12-21 06:23 64080 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2011-12-19 17:30 . 2011-12-19 17:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-12-19 17:30 . 2011-12-19 17:30 411368 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-15 20:45 . 2011-12-15 20:45 77824 ----a-w- c:\windows\setpwr32.exe
2011-11-25 21:57 . 2008-04-25 16:16 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:29 . 2008-04-25 16:16 1868544 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2008-04-25 16:16 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-04 19:20 . 2008-04-25 16:16 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2008-04-25 16:16 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2008-04-25 16:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2008-04-25 16:16 385024 ------w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2008-04-25 16:16 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2008-04-25 16:16 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 20:35 . 2011-11-01 20:35 81920 ------w- c:\windows\system32\ieencode.dll
2011-11-01 16:07 . 2008-04-25 16:16 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2008-04-25 16:16 33280 ----a-w- c:\windows\system32\csrsrv.dll
2012-01-11 14:27 . 2011-12-20 23:33 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-22 16132608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-28 8429568]
"DellCleanup"="c:\dell\WINCLEAN.EXE" [2011-12-15 212992]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-10-08 1111568]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 116752]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-01-10 53248]
"HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2007-08-31 36864]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
.
c:\documents and settings\Ray A. Rayburn\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\Dropbox.exe [2011-12-5 24242056]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]
Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2011-12-20 603504]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Ray A. Rayburn\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=
"c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\HP_M2727_printer\\setup\\hppnet01.exe"=
"c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\HP_M2727_printer\\setup\\hppniprint01.exe"=
"c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\HP_M2727_printer\\setup\\hppniprint64.exe"=
"c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\HP_M2727_printer\\setup\\hppnicifs01.exe"=
"c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\HP_M2727_printer\\setup\\LaunchApp.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Gold Line\\TEF\\SL60.exe"=
"c:\\Program Files\\HP\\hp laserjet m2727\\Fax Config utility0.exe"=
"c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\WS_FTP\\WS_FTP95.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [12/20/2011 11:22 PM 188272]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/22/2012 4:37 PM 652872]
R2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [12/20/2011 11:34 PM 2984832]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [12/20/2011 11:23 PM 64080]
R2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [1/10/2011 12:28 PM 376688]
R3 BackupReader;BackupReader;c:\windows\system32\drivers\BackupReader.sys [9/6/2007 6:53 PM 44784]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/22/2012 4:37 PM 20464]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/22/2012 4:37 PM 40776]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 9:16 AM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 129.82.103.75 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\documents and settings\Ray A. Rayburn\Application Data\Mozilla\Firefox\Profiles\2vvxkcq8.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-24 17:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3244)
c:\windows\system32\WININET.dll
c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Trend Micro\AMSP\coreFrameworkHost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\TeamViewer\Version7\TeamViewer.exe
c:\program files\TeamViewer\Version7\tv_w32.exe
c:\windows\RTHDCPL.EXE
c:\program files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
c:\program files\Windows Home Server\WHSTrayApp.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2012-01-24 17:19:12 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-25 00:19
.
Pre-Run: 414,330,695,680 bytes free
Post-Run: 414,856,302,592 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - A514409431CF3BB833DE2C0D537D8191
 
Combofix Notes

When I got home tonight and tried to download Combofix nothing would download. I also noted that Windows had updates it wanted to install. I shut down without installing the updates. When I rebooted the machine and ran Opera, I was able to download Combofix. It took a while and it did two automatic reboots, but at last popped open a log.txt file which I just posted.

I now have my icons back on the Desktop (I was accessing the Desktop via Windows Explorer), the missing items on the right side of the Start menu are back, and the System Check group under All Programs is gone. The only thing not yet right in terms of appearances is the blue desktop instead of the original image.

Thanks for getting me this far!
 
Good news :)

See if you can change background manually.

We have one system file missing - i8042prt.sys
I uploaded that file for you here: http://www.filedropper.com/i8042prt
Download it and paste it into the c:\windows\system32\drivers folder.
Disregard any Windows complaints.

Re-run Combofix and post fresh log.
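The check a practitioner would want before "disregard any Windows complaints" is confirmation that the restored driver actually matches the copy Windows keeps in dllcache, which the next log shows side by side (dllcache\i8042prt.sys and drivers\i8042prt.sys, both 52480 bytes, both stamped 2008-04-14 07:48). The script below is an added example, not part of this thread and not a ComboFix feature: it parses file-list lines in the format the ComboFix logs above use, pairs each drivers\X with its dllcache\X entry and reports size or timestamp mismatches, flags files carrying both the system and hidden attributes for manual review, and offers an on-box SHA-256 comparison for when the files themselves are available. Function names are mine; the sample lines are copied from the logs on this page except the example_constructed.sys pair, which is constructed to show a mismatch. The one system+hidden hit it reports (winzvprt5.sys) is flagged for review only: in the log it was created in the same minute as the HP fax printer monitor files and the zvprt50 data folder, so it is consistent with that printer install rather than with System Check.

```python
"""Parse ComboFix file-list lines and cross-check dllcache vs drivers copies (added example)."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One ComboFix "Files Created" / "Find3M" entry:
#   <created> . <modified> <size or eight dashes for a directory> <8 attribute flags> <path>
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) "
    r"(?P<attrs>[\w-]{8}) "
    r"(?P<path>\S.*)$"
)

# Sample input: lines copied from the logs above, plus one constructed mismatching pair.
SAMPLE_LOG = r"""
2012-01-25 01:34 . 2008-04-14 07:48 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2012-01-25 01:34 . 2008-04-14 07:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-01-21 04:22 . 2008-04-14 07:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2012-01-21 05:39 . 2012-01-21 05:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-12-29 16:11 . 2011-12-29 16:11 608 --sha-w- c:\windows\system32\winzvprt5.sys
2011-12-27 02:32 . 2008-04-14 07:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-12-27 02:32 . 2008-04-14 07:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-12-27 02:32 . 2011-12-27 02:32 -------- d-----w- c:\program files\Hewlett-Packard
2012-01-25 01:34 . 2008-04-14 07:48 31232 -c--a-w- c:\windows\system32\dllcache\example_constructed.sys
2012-01-25 01:34 . 2012-01-25 01:34 31744 ----a-w- c:\windows\system32\drivers\example_constructed.sys
"""


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories (ComboFix prints dashes instead of a size)
    attrs: str            # positions: d=dir c=compressed s=system h=hidden a=archive . w=writable .
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def system(self) -> bool:
        return self.attrs[2] == "s"

    @property
    def hidden(self) -> bool:
        return self.attrs[3] == "h"

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for a file-list line, or None for headers, dots and prose."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["created"], m["modified"], size, m["attrs"], m["path"])


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]


def hidden_system_files(entries: List[Entry]) -> List[str]:
    """Files (not directories) carrying both the system and hidden attributes: review by hand."""
    return [e.path for e in entries if not e.is_dir and e.system and e.hidden]


def dllcache_mismatches(entries: List[Entry]) -> Dict[str, str]:
    """Pair drivers\\X with dllcache\\X and report basenames whose size or modified time differ.
    Attribute flags are deliberately not compared: the dllcache copy is normally compressed ('c')."""
    cache: Dict[str, Entry] = {}
    live: Dict[str, Entry] = {}
    for e in entries:
        if e.is_dir:
            continue
        low = e.path.lower()
        if "\\dllcache\\" in low:
            cache[e.basename] = e
        elif "\\drivers\\" in low:
            live[e.basename] = e
    out: Dict[str, str] = {}
    for name, d in live.items():
        c = cache.get(name)
        if c is not None and (c.size != d.size or c.modified != d.modified):
            out[name] = f"drivers {d.size}@{d.modified} vs dllcache {c.size}@{c.modified}"
    return out


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def same_content(path_a: str, path_b: str) -> bool:
    """On-box check for a restored driver: compare digests, which size and date cannot fake."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        return sha256_hex(fa.read()) == sha256_hex(fb.read())


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("system+hidden files:", hidden_system_files(entries))
    print("dllcache mismatches:", dllcache_mismatches(entries))
```

Run it against a saved ComboFix log by replacing SAMPLE_LOG with the file's contents; an empty mismatch dict for i8042prt.sys is the expected result after the driver is restored, and same_content on the two paths is the stronger confirmation once you are on the machine.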
 
ComboFix log.txt

ComboFix 12-01-23.02 - Ray A. Rayburn 01/24/2012 18:37:25.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2709 [GMT -7:00]
Running from: c:\documents and settings\Ray A. Rayburn\Desktop\ComboFix.exe
AV: Trend Micro Titanium Maximum Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-25 to 2012-01-25 )))))))))))))))))))))))))))))))
.
.
2012-01-25 01:34 . 2008-04-14 07:48 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2012-01-25 01:34 . 2008-04-14 07:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-01-24 23:59 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-22 23:37 . 2012-01-22 23:37 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-22 23:37 . 2012-01-22 23:37 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Application Data\Malwarebytes
2012-01-22 23:37 . 2012-01-22 23:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-22 23:37 . 2012-01-22 23:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-22 23:37 . 2011-12-10 22:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-22 09:36 . 2012-01-22 16:20 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-01-22 01:45 . 2012-01-22 01:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2012-01-22 01:24 . 2012-01-22 01:24 -------- d-----w- C:\log
2012-01-21 18:14 . 2012-01-21 21:54 8656400 ----a-w- C:\RootkitBuster_v5_1050.exe
2012-01-21 14:50 . 2012-01-21 15:14 -------- d---a-w- C:\tmbrfix
2012-01-21 05:39 . 2012-01-21 05:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-01-21 05:32 . 2012-01-21 05:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Opera
2012-01-21 05:29 . 2012-01-21 05:29 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-01-21 04:58 . 2012-01-21 04:58 -------- d-----w- c:\windows\Sun
2012-01-21 04:22 . 2008-04-14 07:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2012-01-16 00:46 . 2012-01-16 00:46 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Application Data\Windows Search
2012-01-11 14:27 . 2012-01-11 14:27 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-11 14:27 . 2012-01-11 14:27 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-11 14:27 . 2012-01-11 14:27 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-11 14:27 . 2012-01-11 14:27 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2011-12-30 17:17 . 2011-12-30 17:18 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Application Data\HpUpdate
2011-12-30 17:17 . 2011-12-30 17:17 -------- d-----w- c:\windows\Hewlett-Packard
2011-12-29 16:12 . 2011-12-29 16:12 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Application Data\HP
2011-12-29 16:11 . 2011-12-29 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\zvprt50
2011-12-29 16:11 . 2007-04-02 15:19 9451 ------w- c:\windows\system32\hppfaxprintermonui5.dll
2011-12-29 16:11 . 2007-04-02 15:19 13385 ------w- c:\windows\system32\hppfaxprintermon5.dll
2011-12-29 16:11 . 2011-12-29 16:11 608 --sha-w- c:\windows\system32\winzvprt5.sys
2011-12-29 16:06 . 2011-12-29 16:06 -------- d-----w- C:\hp_LJM2727_full_solution_AM_EMEA1
2011-12-28 20:20 . 2011-12-28 20:20 -------- d--h--w- c:\windows\PIF
2011-12-28 02:01 . 2011-12-28 02:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2011-12-27 22:59 . 2011-12-27 22:59 -------- d-----w- c:\program files\Gold Line
2011-12-27 02:45 . 2008-04-14 12:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-12-27 02:45 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-12-27 02:42 . 2011-12-27 02:42 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Local Settings\Application Data\Apple Computer
2011-12-27 02:42 . 2011-12-27 02:45 -------- d-----w- c:\documents and settings\Ray A. Rayburn\Application Data\Apple Computer
2011-12-27 02:41 . 2009-05-18 20:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-12-27 02:41 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\program files\iPod
2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\program files\iTunes
2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\program files\Apple Software Update
2011-12-27 02:41 . 2011-12-27 02:41 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2011-12-27 02:40 . 2011-08-03 00:38 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-12-27 02:40 . 2011-08-03 00:38 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-12-27 02:40 . 2011-12-27 02:40 -------- d-----w- c:\program files\Bonjour
2011-12-27 02:40 . 2011-12-27 02:41 -------- d-----w- c:\program files\Common Files\Apple
2011-12-27 02:32 . 2011-12-27 02:32 -------- d-----w- c:\program files\Common Files\HP
2011-12-27 02:32 . 2011-12-27 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2011-12-27 02:32 . 2011-12-27 02:32 -------- d-----w- c:\program files\Hewlett-Packard
2011-12-27 02:32 . 2011-12-27 02:32 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2011-12-27 02:32 . 2008-04-14 07:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-12-27 02:32 . 2008-04-14 07:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-12-27 02:32 . 2011-12-29 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2011-12-27 02:31 . 2008-02-01 18:13 241664 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5mc.DLL
2011-12-27 02:31 . 2007-07-17 12:29 59928 ----a-w- c:\windows\system32\fxcompchannel.dll
2011-12-27 02:30 . 2008-01-15 08:00 327680 ----a-w- c:\windows\system32\hppcpr07.dll
2011-12-27 02:30 . 2008-01-07 02:48 733184 ----a-w- c:\windows\system32\hpptsp02.dll
2011-12-27 02:30 . 2007-06-05 22:31 876544 ----a-w- c:\windows\system32\hpxp2727.dll
2011-12-27 02:30 . 2007-02-08 04:03 450560 ----a-w- c:\windows\system32\hppasc07.dll
2011-12-27 01:38 . 2008-04-14 07:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-12-27 01:38 . 2008-04-14 07:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-12-27 01:20 . 2011-12-27 01:20 -------- d-----w- c:\windows\system32\NtmsData
2011-12-27 01:19 . 2011-12-27 02:41 -------- dc----w- c:\windows\system32\DRVSTORE
2011-12-27 01:19 . 2011-12-30 17:17 -------- d-----w- c:\program files\HP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-22 01:37 . 2011-12-21 06:23 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-12-21 06:31 . 2011-12-21 06:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-21 06:19 . 2011-12-21 06:23 92112 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2011-12-21 06:19 . 2011-12-21 06:23 80464 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2011-12-21 06:19 . 2011-12-21 06:23 64080 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2011-12-19 17:30 . 2011-12-19 17:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-12-19 17:30 . 2011-12-19 17:30 411368 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-15 20:45 . 2011-12-15 20:45 77824 ----a-w- c:\windows\setpwr32.exe
2011-11-25 21:57 . 2008-04-25 16:16 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:29 . 2008-04-25 16:16 1868544 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2008-04-25 16:16 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-04 19:20 . 2008-04-25 16:16 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2008-04-25 16:16 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2008-04-25 16:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2008-04-25 16:16 385024 ------w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2008-04-25 16:16 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2008-04-25 16:16 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 20:35 . 2011-11-01 20:35 81920 ------w- c:\windows\system32\ieencode.dll
2011-11-01 16:07 . 2008-04-25 16:16 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2008-04-25 16:16 33280 ----a-w- c:\windows\system32\csrsrv.dll
2012-01-11 14:27 . 2011-12-20 23:33 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-22 16132608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-28 8429568]
"DellCleanup"="c:\dell\WINCLEAN.EXE" [2011-12-15 212992]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-10-08 1111568]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 116752]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-01-10 53248]
"HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2007-08-31 36864]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
.
c:\documents and settings\Ray A. Rayburn\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\Dropbox.exe [2011-12-5 24242056]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]
Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2011-12-20 603504]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Ray A. Rayburn\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=
"c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\HP_M2727_printer\\setup\\hppnet01.exe"=
"c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\HP_M2727_printer\\setup\\hppniprint01.exe"=
"c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\HP_M2727_printer\\setup\\hppniprint64.exe"=
"c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\HP_M2727_printer\\setup\\hppnicifs01.exe"=
"c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\HP_M2727_printer\\setup\\LaunchApp.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Gold Line\\TEF\\SL60.exe"=
"c:\\Program Files\\HP\\hp laserjet m2727\\Fax Config utility0.exe"=
"c:\\Documents and Settings\\Ray A. Rayburn\\My Documents\\My_Downloads\\WS_FTP\\WS_FTP95.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/22/2012 4:37 PM 652872]
R2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [12/20/2011 11:34 PM 2984832]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [12/20/2011 11:23 PM 64080]
R2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [1/10/2011 12:28 PM 376688]
R3 BackupReader;BackupReader;c:\windows\system32\drivers\BackupReader.sys [9/6/2007 6:53 PM 44784]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/22/2012 4:37 PM 20464]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [12/20/2011 11:22 PM 188272]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/22/2012 4:37 PM 40776]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 9:16 AM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 129.82.103.75 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\documents and settings\Ray A. Rayburn\Application Data\Mozilla\Firefox\Profiles\2vvxkcq8.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-24 18:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3588)
c:\windows\system32\WININET.dll
c:\documents and settings\Ray A. Rayburn\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2012-01-24 18:41:37
ComboFix-quarantined-files.txt 2012-01-25 01:41
ComboFix2.txt 2012-01-25 00:19
.
Pre-Run: 414,863,556,608 bytes free
Post-Run: 414,873,649,152 bytes free
.
- - End Of File - - 84F8B2029B070453405AA08591DDCC74