Inactive System Check malware

dennisgolfer

I, too, have encountered the System Check virus/malware. I've run malware, dds, and gmer as suggested and their logs are enclosed. Right now my machine is in Safe mode but I cannot access the internet. It does appear that I can see all of my hard drive now, however. Help is appreciated.

Malware:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.29.05

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
dennis :: DENNISJONES [administrator]

3/30/2012 7:02:10 AM
mbam-log-2012-03-30 (07-02-10).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 409106
Time elapsed: 50 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


*********************************************************

gmer log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-03-30 06:42:09
Windows 5.1.2600 Service Pack 3 Harddisk1\DR1 -> \Device\00000077 WDC_WD800JD-22MSA1 rev.10.01E01
Running: w1sx6l80.exe; Driver: C:\DOCUME~1\dennis\LOCALS~1\Temp\pwdyqaog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


=============================================================


DDS


DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by dennis at 6:42:48 on 2012-03-30
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.732 [GMT -5:00]
.
AV: Total Defense Anti-Virus Plus *Enabled/Updated* {6B98D35F-BB76-41C0-876B-A50645ED099A}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\ctfmon.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.lakevalleygolf.com/
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.9.0\ViewBarBHO.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.9.0\IEViewBar.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Gu8UZegGF0S] c:\documents and settings\all users\application data\Gu8UZegGF0S.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Akamai NetSession Interface] "c:\documents and settings\dennis\local settings\application data\akamai\netsession_win.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [cctray] "c:\program files\ca\ca internet security suite\casc.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SonicWALLNetExtender] c:\program files\sonicwall\ssl-vpn\netextender\NEGui.exe -hideGUI -clearReboot
mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "c:\documents and settings\all users\application data\malwarebytes\malwarebytes' anti-malware\cleanup.dll",ProcessCleanupScript
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Locate Spot on Map by GPS - c:\program files\opanda\iexif 2.3\IExifMap.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\opanda\iexif 2.3\IExifCom.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\VetRedir.dll
LSP: mswsock.dll
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://66.112.124.186/CACHE/stc/1/binaries/vpnweb.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1272740649484
DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://69.29.48.55/NELX.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=724
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B967DB00-4311-4E57-A3D9-E9897FF35EE7} : DhcpNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
Notify: NecUsb3Sevices - USB3Sw32.dll
Notify: PCANotify - PCANotify.dll
Notify: USB3Sw32 - USB3Sw32.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 94.63.147.16 www.google.com
Hosts: 94.63.147.17 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\dennis\application data\mozilla\firefox\profiles\u1h4u1v3.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\documents and settings\dennis\application data\mozilla\firefox\profiles\u1h4u1v3.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\5.0.61118.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 KmxAMRT;KmxAMRT;c:\windows\system32\drivers\KmxAMRT.sys [2011-10-27 170064]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-10-23 16984]
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2010-5-3 101528]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2009-2-23 20504]
S0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2011-7-29 123984]
S0 lyaxc;lyaxc;c:\windows\system32\drivers\pjdpuyh.sys --> c:\windows\system32\drivers\pjdpuyh.sys [?]
S1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-4-21 10901]
S1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2011-10-26 83536]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
S2 Acceler8DB Server;Acceler8DB Server;c:\program files\asna\adb engine 5.0\adbntsvc.exe [2010-5-1 606528]
S2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\adobe\elements 9 organizer\PhotoshopElementsFileAgent.exe [2010-9-30 169408]
S2 CAAMSvc;CAAMSvc;c:\program files\ca\ca internet security suite\ca anti-virus plus\CAAMSvc.exe [2010-10-29 206152]
S2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus plus\isafe.exe [2010-5-1 222544]
S2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2010-5-1 207920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 CrossLoopService;CrossLoop Service;c:\documents and settings\dennis\local settings\application data\crossloop\CrossLoopService.exe [2010-5-11 560792]
S2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\epson\epsoncustomerparticipation\EPCP.exe [2011-6-9 521600]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-25 136176]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-8-8 374152]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-5-20 47640]
S2 NecUsb3;USB3 Service;c:\windows\system32\svchost.exe -k NecUsb3Sevic [2003-3-31 14336]
S2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-3-3 428640]
S2 UmxEngine;TM Engine;c:\program files\ca\sharedcomponents\tmengine\UmxEngine.exe [2011-4-4 662096]
S2 Viewpoint Service;Viewpoint Service;c:\program files\viewpoint\common\ViewpointService.exe [2011-1-7 30152]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-12-17 497856]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2011-6-26 101904]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2003-10-31 106496]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [2010-5-14 20448]
S3 EST_BusEnum;Network USB Device Bus;c:\windows\system32\drivers\genbus.sys --> c:\windows\system32\drivers\GenBus.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-25 136176]
S3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2011-9-6 331344]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2011-12-13 50704]
S3 NUS_Bus32;Network USB Server Bus ;c:\windows\system32\drivers\nus_bus32.sys --> c:\windows\system32\drivers\NUS_Bus32.sys [?]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2010-5-3 24876]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2012-03-29 19:33:07 38400 ----a-w- c:\windows\system32\USB3Sw32.dll
2012-03-29 18:41:43 -------- d-----w- c:\documents and settings\dennis\application data\SUPERAntiSpyware.com
2012-03-29 18:38:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-29 18:38:55 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-03-29 14:03:01 99328 ----a-w- c:\documents and settings\dennis\application data\3C7FC64A.exe
2012-03-29 13:04:09 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-03-29 13:02:10 46080 ----a-w- c:\windows\system32\cCYt7A.com
2012-03-29 12:56:34 99328 ----a-w- c:\windows\system32\cCYt7A.com_
2012-03-29 12:56:32 46080 ----a-w- c:\documents and settings\dennis\application data\6F7C99FE.exe
2012-03-28 14:47:16 -------- d-----w- c:\program files\common files\EPSON
2012-03-28 14:47:14 -------- d-----w- c:\program files\EPSON Software
2012-03-28 14:46:30 93696 ----a-w- c:\windows\system32\E_TLBH5A.DLL
2012-03-28 14:46:30 81408 ----a-w- c:\windows\system32\E_TD4BH5A.DLL
2012-03-28 14:46:04 -------- d-----w- c:\program files\Epson America Inc
2012-03-23 14:10:45 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-03-23 14:10:45 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
.
==================== Find3M ====================
.
2012-03-02 19:55:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 6:43:50.59 ===============


****************************************************************************

and ATTACH:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 5/1/2010 1:49:47 PM
System Uptime: 3/30/2012 6:20:26 AM (0 hours ago)
.
Motherboard: MSI | | MS-7309
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | CPU 1 | 2210/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 75 GiB total, 24.472 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 298 GiB total, 37.406 GiB free.
F: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E980-E325-11CE-BFC1-08002BE10318}
Description: Floppy disk drive
Device ID: FDC\GENERIC_FLOPPY_DRIVE\5&36946FF3&0&0
Manufacturer: (Standard floppy disk drives)
Name: Floppy disk drive
PNP Device ID: FDC\GENERIC_FLOPPY_DRIVE\5&36946FF3&0&0
Service: flpydisk
.
Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\4&38D79619&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&38D79619&0
Service: i8042prt
.
Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Logitech-compatible Mouse PS/2
Device ID: ACPI\PNP0F03\4&38D79619&0
Manufacturer: Logitech
Name: Logitech-compatible Mouse PS/2
PNP Device ID: ACPI\PNP0F03\4&38D79619&0
Service: i8042prt
.
Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
Description: Unknown Device
Device ID: USB\VID_0000&PID_0000\5&FF56C54&0&5
Manufacturer: (Standard USB Host Controller)
Name: Unknown Device
PNP Device ID: USB\VID_0000&PID_0000\5&FF56C54&0&5
Service:
.
Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Officejet 6500 E710n-z
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Officejet 6500 E710n-z
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Photosmart C309a series
Device ID: ROOT\MULTIFUNCTION\0001
Manufacturer: HP
Name: Photosmart C309a series
PNP Device ID: ROOT\MULTIFUNCTION\0001
Service:
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
PNP Device ID: ROOT\NET\0000
Service: vpnva
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0001
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0001
Service: CVirtA
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: SonicWALL VPN Adapter
Device ID: ROOT\RCVPN\0000
Manufacturer: SonicWALL, Inc.
Name: SonicWALL VPN Adapter
PNP Device ID: ROOT\RCVPN\0000
Service: rcvpn
.
==== System Restore Points ===================
.
RP713: 2/1/2012 11:02:07 AM - System Checkpoint
RP714: 2/2/2012 12:02:37 PM - System Checkpoint
RP715: 2/3/2012 12:56:43 PM - System Checkpoint
RP716: 2/4/2012 12:57:54 PM - System Checkpoint
RP717: 2/5/2012 1:56:38 PM - System Checkpoint
RP718: 2/6/2012 4:55:01 PM - System Checkpoint
RP719: 2/7/2012 5:48:17 PM - System Checkpoint
RP720: 2/8/2012 5:50:32 PM - System Checkpoint
RP721: 2/9/2012 6:01:41 PM - System Checkpoint
RP722: 2/10/2012 7:01:41 PM - System Checkpoint
RP723: 2/11/2012 7:52:39 PM - System Checkpoint
RP724: 2/12/2012 8:01:42 PM - System Checkpoint
RP725: 2/13/2012 9:01:41 PM - System Checkpoint
RP726: 2/14/2012 10:00:53 PM - System Checkpoint
RP727: 2/15/2012 11:00:57 PM - System Checkpoint
RP728: 2/17/2012 12:01:23 AM - System Checkpoint
RP729: 2/18/2012 1:00:54 AM - System Checkpoint
RP730: 2/19/2012 2:00:43 AM - System Checkpoint
RP731: 2/20/2012 3:00:47 AM - System Checkpoint
RP732: 2/21/2012 4:00:56 AM - System Checkpoint
RP733: 2/22/2012 5:00:28 AM - System Checkpoint
RP734: 2/23/2012 6:00:26 AM - System Checkpoint
RP735: 2/24/2012 10:22:11 AM - System Checkpoint
RP736: 2/25/2012 11:00:25 AM - System Checkpoint
RP737: 2/26/2012 12:00:25 PM - System Checkpoint
RP738: 2/27/2012 4:52:25 PM - System Checkpoint
RP739: 2/28/2012 5:05:26 PM - System Checkpoint
RP740: 2/29/2012 5:09:21 PM - System Checkpoint
RP741: 3/1/2012 6:00:31 PM - System Checkpoint
RP742: 3/2/2012 6:44:25 PM - System Checkpoint
RP743: 3/3/2012 7:44:24 PM - System Checkpoint
RP744: 3/4/2012 8:44:25 PM - System Checkpoint
RP745: 3/5/2012 9:08:19 PM - System Checkpoint
RP746: 3/6/2012 10:08:19 PM - System Checkpoint
RP747: 3/7/2012 11:08:22 PM - System Checkpoint
RP748: 3/9/2012 12:08:20 AM - System Checkpoint
RP749: 3/9/2012 1:55:39 PM - Installed Adobe Photoshop Elements 9.
RP750: 3/10/2012 2:08:22 PM - System Checkpoint
RP751: 3/11/2012 3:16:50 PM - System Checkpoint
RP752: 3/12/2012 5:14:27 PM - System Checkpoint
RP753: 3/13/2012 6:08:06 PM - System Checkpoint
RP754: 3/14/2012 7:08:04 PM - System Checkpoint
RP755: 3/16/2012 11:34:48 AM - System Checkpoint
RP756: 3/17/2012 12:08:03 PM - System Checkpoint
RP757: 3/18/2012 1:07:59 PM - System Checkpoint
RP758: 3/19/2012 4:29:02 PM - System Checkpoint
RP759: 3/20/2012 5:07:55 PM - System Checkpoint
RP760: 3/21/2012 6:07:44 PM - System Checkpoint
RP761: 3/22/2012 7:31:37 PM - System Checkpoint
RP762: 3/23/2012 8:07:42 PM - System Checkpoint
RP763: 3/24/2012 9:07:42 PM - System Checkpoint
RP764: 3/25/2012 10:07:37 PM - System Checkpoint
RP765: 3/26/2012 11:07:43 PM - System Checkpoint
RP766: 3/28/2012 12:07:33 AM - System Checkpoint
RP767: 3/28/2012 9:46:04 AM - Installed Epson Connect
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Acceler8DB Engine 5.0
Adobe AIR
Adobe Community Help
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Photoshop Elements 9
Adobe Photoshop.com Inspiration Browser
Adobe Premiere Elements 8.0
Adobe Reader X (10.1.2)
AllWebMenus PRO 5.1.788
AMD APP SDK Runtime
Anti-Virus Plus
Apple Application Support
Apple Software Update
ASNA Visual RPG 4.0
ATI AVIVO Codecs
ATI Catalyst Install Manager
Bay Photo
Bay Photo Economy
Bay Photo Light
BookSmart® 3.0.4 3.0.4
BufferChm
C309a
CA Anti-Virus Plus
CameraHelperMsi
CamStudio
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
Cisco AnyConnect VPN Client
Cisco Systems VPN Client 4.6.04.0043
Core FTP LE 1.3c
Core FTP LE 2.1
CrossLoop 2.72
Destination Component
DeviceDiscovery
Diamond Multimedia 11.3 2400-5900, 6400-6600, 6800-6900 WinXP
DocProc
DriveImage XML (Private Edition)
Elements 9 Organizer
Elements STI Installer
Envelope Creator
Epson Connect
Epson Customer Participation
Epson Download Navigator
EPSON Printer Software
EPSON WorkForce 1100 Series Printer Uninstall
EPSON WP-4020 Series Printer Uninstall
erLT
FastStone Capture 7.0
Fax
File Uploader
FLV Player
FotoFusion v4
Google Chrome
Google Earth Plug-in
Google Update Helper
GPBaseService2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB946344)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB948127)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB951708)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB958655-v2)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Customer Participation Program 12.0
HP Imaging Device Functions 12.0
HP Photosmart C309a All-In-One Driver Software 12.0 Rel .5
HP Photosmart Essential 3.5
HP Smart Web Printing 4.60
HP Solution Center 13.0
HP Update
HPDiagnosticAlert
HPPhotoSmartDiscLabel_PaperLabel
HPPhotoSmartDiscLabel_PrintOnDisc
HPPhotoSmartDiscLabelContent1
hpphotosmartdisclabelplugin
HPPhotosmartEssential
HPProductAssistant
HydraVision
InfraRecorder
iTunes
Java Auto Updater
Java(TM) 6 Update 26
Jimco Open Web
Layout Creator
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Logitech MouseWare 9.79.1
LogMeIn
LWS Facebook
LWS Gallery
LWS Help_main
LWS Launcher
LWS Motion Detection
LWS Pictures And Video
LWS Twitter
LWS Video Mask Maker
LWS VideoEffects
LWS Webcam Software
LWS WLM Plugin
LWS YouTube Plugin
Mabry BarCod Sample
Malwarebytes Anti-Malware version 1.60.1.1000
MarketResearch
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft Help Viewer 1.0
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office FrontPage 2003
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Ultimate 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2008
Microsoft SQL Server 2008 Browser
Microsoft SQL Server 2008 Common Files
Microsoft SQL Server 2008 Database Engine Services
Microsoft SQL Server 2008 Database Engine Shared
Microsoft SQL Server 2008 Native Client
Microsoft SQL Server 2008 R2 Management Objects
Microsoft SQL Server 2008 RsFx Driver
Microsoft SQL Server 2008 Setup Support Files
Microsoft SQL Server Compact 3.5 SP1 Design Tools English
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft SQL Server System CLR Types
Microsoft SQL Server VSS Writer
Microsoft Visual Basic 2008 Express Edition with SP1 - ENU
Microsoft Visual Basic Power Packs 3.0
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_CRT_x86
MobileSigns
Mozilla Firefox 11.0 (x86 en-US)
MSVCSetup
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser
Nero 7 Essentials
neroxml
Network
Nikon Message Center
Noiseware Standard Edition
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA nView Desktop Manager
OCR Software by I.R.I.S. 12.0
OGA Notifier 2.0.0048.0
Opanda IExif 2.3
Picture Control Utility
PictureProject
PictureProject In Touch Downloader 1.0
PrimoPDF
PS_AIO_05_C309_Software_Min
QuickTime
Realtek High Definition Audio Driver
Redistributable_MM
Scan
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office Groove 2007 (KB2494047)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2464594)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Service Pack 1 for SQL Server 2008 (KB968369)
Slideshow Generator Powertoy for Windows XP
SmartSound Quicktracks for Premiere Elements 8.0
SmartWebPrinting
Snood for Windows version 3.52-W
SolutionCenter
SonicWALL Global VPN Client
SonicWALL SSL-VPN NetExtender
Spybot - Search & Destroy
Sql Server Customer Experience Improvement Program
Status
SUPERAntiSpyware
SWiSH Max2
Symantec pcAnywhere
System Requirements Lab
TeamViewer 7
Toolbox
Total Defense Internet Security Suite
TrayApp
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Outlook 2007 Junk Email Filter (KB2522999)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB980182)
ViewNX
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar
VNC Free Edition 4.1.3
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format Runtime
Windows XP Service Pack 3
WinRAR archiver
XL2000 ID Machine
.
==== Event Viewer Messages From Past Week ========
.
3/30/2012 6:23:03 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: awlegacy Fips i8042prt KmxAgent KmxStart ohci1394 Processor SASDIFSV SASKUTIL
3/29/2012 9:02:58 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the TM Engine service to connect.
3/29/2012 9:02:58 AM, error: Service Control Manager [7000] - The TM Engine service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/29/2012 8:33:24 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD awlegacy Fips i8042prt IPSec KmxAgent KmxStart MRxSmb NetBIOS NetBT Processor RasAcd RCFOX Rdbss Tcpip
3/29/2012 8:33:24 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
3/29/2012 8:33:24 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/29/2012 8:33:24 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/29/2012 8:33:24 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
3/29/2012 8:33:24 AM, error: Service Control Manager [7001] - The Cisco AnyConnect VPN Agent service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/29/2012 8:21:04 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/29/2012 8:20:51 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: awlegacy Fips i8042prt KmxAgent KmxStart Processor
3/29/2012 8:08:20 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
3/29/2012 8:08:20 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
3/29/2012 8:08:20 AM, error: Service Control Manager [7022] - The Windows Time service hung on starting.
3/29/2012 8:08:20 AM, error: Service Control Manager [7022] - The Windows Firewall/Internet Connection Sharing (ICS) service hung on starting.
3/29/2012 8:02:01 AM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402
3/29/2012 7:36:27 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
3/29/2012 4:24:18 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the USB3 Service service to connect.
3/29/2012 4:24:18 PM, error: Service Control Manager [7000] - The USB3 Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/29/2012 4:20:53 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
3/29/2012 4:20:53 PM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/29/2012 4:20:21 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
3/29/2012 4:10:56 PM, error: Service Control Manager [7023] - The USB3 Service service terminated with the following error: The specified module could not be found.
3/29/2012 4:10:56 PM, error: Service Control Manager [7023] - The Network Security service terminated with the following error: The specified module could not be found.
3/29/2012 4:10:56 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Viewpoint Service service to connect.
3/29/2012 4:10:56 PM, error: Service Control Manager [7000] - The Viewpoint Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/29/2012 3:35:15 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: awlegacy Fips i8042prt KmxAgent KmxStart Processor SASDIFSV SASKUTIL
3/29/2012 3:35:15 PM, error: Service Control Manager [7003] - The TCP/IP NetBIOS Helper service depends on the following nonexistent service: NetBT
3/29/2012 3:35:15 PM, error: Service Control Manager [7003] - The DHCP Client service depends on the following nonexistent service: NetBT
3/29/2012 1:47:57 PM, error: Schannel [36870] - A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0xc0000253.
3/29/2012 1:38:46 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service CaCCProvSP with arguments "" in order to run the server: {AACF4A1C-BC69-4359-9518-DF3F77E462BF}
3/29/2012 1:32:47 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
3/29/2012 1:08:57 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
3/27/2012 11:04:59 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
.
==== End Of File ===========================
 
Welcome aboard


Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

====================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

===================================================================

Download Bootkit Remover to your desktop.

  • Unzip downloaded file to your Desktop.
  • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
Thank you for your help.


aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-30 11:57:44
-----------------------------
11:57:44.671 OS Version: Windows 5.1.2600 Service Pack 3
11:57:44.671 Number of processors: 2 586 0x4B02
11:57:44.671 ComputerName: DENNISJONES UserName: dennis
11:57:45.906 Initialize success
11:58:14.281 AVAST engine download error: 0
11:58:26.640 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:58:26.640 Disk 0 Vendor: WDC_WD3200AAJB-00TYA0 00.02C01 Size: 305245MB BusType: 3
11:58:26.656 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\00000077
11:58:26.656 Disk 1 Vendor: WDC_WD800JD-22MSA1 10.01E01 Size: 76319MB BusType: 3
11:58:26.687 Disk 1 MBR read successfully
11:58:26.687 Disk 1 MBR scan
11:58:26.687 Disk 1 Windows XP default MBR code
11:58:26.687 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76308 MB offset 63
11:58:26.687 Disk 1 scanning sectors +156280320
11:58:26.781 Disk 1 scanning C:\WINDOWS\system32\drivers
11:58:40.015 Service scanning
11:58:45.406 Service GMSIPCI D:\INSTALL\GMSIPCI.SYS **LOCKED** 21
11:59:01.328 Modules scanning
11:59:08.296 Disk 1 trace - called modules:
11:59:08.328 ntkrnlpa.exe CLASSPNP.SYS disk.sys tsk1.tmp hal.dll nvata.sys
11:59:08.328 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x86dceab8]
11:59:08.343 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> \Device\00000079[0x86d4ff18]
11:59:08.343 5 tsk1.tmp[f735e620] -> nt!IofCallDriver -> \Device\00000077[0x86d5f030]
11:59:08.343 Scan finished successfully
11:59:20.109 Disk 1 MBR has been saved successfully to "F:\MBR.dat"
11:59:20.156 The log file has been saved successfully to "F:\aswMBR.txt"




Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive1 at offset 0x00000000`00007e00
ATA_Read(): DeviceIoControl() ERROR 1
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive1 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...
 
Also - when I started bootkit it issued this message with just an "OK" option:

ATA_PASS_THROUGH_DIRECT is not supported by your disk controller. SCSI_PASS_THROUGH_DIRECT will be used for disk I/O.
 
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
  • NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart your computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure you re-enable your security programs when you're done with ComboFix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right-click Rkill and choose Run as Administrator.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe
  • Double-click on the Rkill icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
While running ComboFix I got a message box saying "You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack" and, before I could record the rest, it went away and issued a message that a rootkit is detected and this may take several minutes.

It just initiated a reboot.

Also - the infected machine has not had internet access, but I have a second machine that I have been downloading and transferring fixes, etc. from.
 
I did NOT run Rkill as I wasn't sure if I should or not, since I did not have any problems with ComboFix. Do I need to run Rkill regardless?




ComboFix 12-03-30.06 - dennis 03/30/2012 13:06:19.1.2 - x86
Running from: c:\documents and settings\dennis\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
.
.
.
C:\debug_log.txt
c:\documents and settings\All Users\Application Data\~QIQS362nnJbixw
c:\documents and settings\All Users\Application Data\~QIQS362nnJbixwr
c:\documents and settings\All Users\Application Data\4X726q4j.exe
c:\documents and settings\All Users\Application Data\QIQS362nnJbixw
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{1E3CA1C4-1E90-401B-8CC0-911DF018D8D8}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{1E3CA1C4-1E90-401B-8CC0-911DF018D8D8}\20110105160908.log
c:\documents and settings\All Users\Application Data\Tarma Installer\{1E3CA1C4-1E90-401B-8CC0-911DF018D8D8}\20110209132028.log
c:\documents and settings\All Users\Application Data\Tarma Installer\{1E3CA1C4-1E90-401B-8CC0-911DF018D8D8}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{1E3CA1C4-1E90-401B-8CC0-911DF018D8D8}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{1E3CA1C4-1E90-401B-8CC0-911DF018D8D8}\Setup.ico
c:\documents and settings\dennis\Application Data\rensyschk1.exe
c:\documents and settings\dennis\Application Data\rensyschk2.exe
c:\documents and settings\dennis\My Documents\DPE.DUS
c:\documents and settings\dennis\Start Menu\Programs\System Check
c:\windows\$NtUninstallKB21166$
c:\windows\$NtUninstallKB21166$\3871978599\@
c:\windows\$NtUninstallKB21166$\3871978599\cfg.ini
c:\windows\$NtUninstallKB21166$\3871978599\Desktop.ini
c:\windows\$NtUninstallKB21166$\3871978599\L\aijxgmre
c:\windows\$NtUninstallKB21166$\3871978599\U\00000001.@
c:\windows\$NtUninstallKB21166$\3871978599\U\00000002.@
c:\windows\$NtUninstallKB21166$\3871978599\U\00000004.@
c:\windows\$NtUninstallKB21166$\3871978599\U\80000000.@
c:\windows\$NtUninstallKB21166$\3871978599\U\80000004.@
c:\windows\$NtUninstallKB21166$\3871978599\U\80000032.@
c:\windows\$NtUninstallKB21166$\3871978599\version
c:\windows\$NtUninstallKB21166$\3946123810
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\SET14.tmp
c:\windows\system32\SET15.tmp
c:\windows\system32\SET17.tmp
c:\windows\system32\SET18.tmp
c:\windows\system32\SET1B.tmp
c:\windows\system32\SET24.tmp
c:\windows\system32\SET29.tmp
c:\windows\system32\SET2A.tmp
c:\windows\system32\SET30.tmp
c:\windows\system32\SET31.tmp
c:\windows\system32\SET7.tmp
c:\windows\system32\SET8.tmp
c:\windows\system32\SETD.tmp
c:\windows\system32\SETE.tmp
c:\windows\system32\SETF.tmp
c:\windows\system32\Thumbs.db
c:\windows\system32\USB3Sw32.dll
c:\windows\system32\wpcap.dll
.
c:\windows\system32\drivers\netbt.sys was missing
Restored copy from - c:\windows\ServicePackFiles\i386\netbt.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_NPF
-------\Service_6to4
-------\Service_NPF
.
.
.
.
.
2012-03-30 18:19 . 2008-04-13 19:21 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2012-03-30 18:19 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-03-29 18:41 . 2012-03-29 18:41 -------- d-----w- c:\documents and settings\dennis\Application Data\SUPERAntiSpyware.com
2012-03-29 18:38 . 2012-03-29 18:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-29 18:38 . 2012-03-29 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-03-29 13:02 . 2012-03-29 12:57 99328 ----a-w- c:\windows\system32\cCYt7A.com
2012-03-28 14:47 . 2012-03-28 14:47 -------- d-----w- c:\program files\Common Files\EPSON
2012-03-28 14:47 . 2012-03-28 14:47 -------- d-----w- c:\program files\EPSON Software
2012-03-28 14:46 . 2012-03-28 14:46 -------- d-----w- c:\program files\Epson America Inc
2012-03-23 14:10 . 2012-03-23 14:10 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-23 14:10 . 2012-03-23 14:10 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
.
.
2012-03-02 19:55 . 2011-05-17 19:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-23 14:10 . 2011-08-28 13:23 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
.
.
.

REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-07 3905920]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-19 16062464]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"SonicWALLNetExtender"="c:\program files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2009-08-05 710528]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-03-02 190808]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-03-09 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-07-29 497648]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-07-23 13:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-10-31 16:01 8704 ----a-w- c:\windows\system32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-08-19 06:07 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 10:04 2879488 ------r- c:\windows\SkyTel.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"c:\\Documents and Settings\\dennis\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\CoreFTP\\coreftp.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5910:TCP"= 5910:TCP:vnc5910
"1194:TCP"= 1194:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [5/3/2010 10:33 AM 101528]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 Acceler8DB Server;Acceler8DB Server;c:\program files\ASNA\ADB Engine 5.0\adbntsvc.exe [5/1/2010 3:43 PM 606528]
R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [9/30/2010 4:06 AM 169408]
R2 CrossLoopService;CrossLoop Service;c:\documents and settings\dennis\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [5/11/2010 9:36 AM 560792]
R2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [6/9/2011 1:01 PM 521600]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [8/8/2011 1:24 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [3/3/2011 8:31 PM 428640]
R2 Viewpoint Service;Viewpoint Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/7/2011 10:57 PM 30152]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [12/17/2009 5:32 PM 497856]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [6/26/2011 12:08 PM 101904]
R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2/23/2009 4:55 PM 20504]
S0 lyaxc;lyaxc;c:\windows\system32\drivers\pjdpuyh.sys --> c:\windows\system32\drivers\pjdpuyh.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/25/2010 10:11 AM 136176]
S2 NecUsb3;USB3 Service;c:\windows\System32\svchost.exe -k NecUsb3Sevic [3/31/2003 7:00 AM 14336]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [5/14/2010 4:58 PM 20448]
S3 EST_BusEnum;Network USB Device Bus;c:\windows\system32\DRIVERS\GenBus.sys --> c:\windows\system32\DRIVERS\GenBus.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/25/2010 10:11 AM 136176]
S3 NUS_Bus32;Network USB Server Bus ;c:\windows\system32\DRIVERS\NUS_Bus32.sys --> c:\windows\system32\DRIVERS\NUS_Bus32.sys [?]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [5/3/2010 10:32 AM 24876]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/22/2009 10:08 PM 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 3:09 AM 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 3:23 AM 366936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
slee_81_service
AlteraByteBlaster
pctfw1
nimxdfk
s116obex
sscdbus
SilverLink
anydvd
nvmpu401
LVCap138
dwmrcs
iSMBIOS
nipxirmu
nsm1serd
iaimfp3
lvcomser
XBCD
BootScreen
vsserv
ASInsHelp
getPlusHelper
spcsutilityservice
epoxusdm
twotrack
aslm75
Dfs
bjmcmng
tosrfsnd
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-29 c:\windows\Tasks\AdobeAAMUpdater-1.0-DENNISJONES-dennis.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-07-29 07:25]
.
2012-03-29 c:\windows\Tasks\At1.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At11.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At13.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At15.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At17.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At19.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At21.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-30 c:\windows\Tasks\At23.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-30 c:\windows\Tasks\At25.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-30 c:\windows\Tasks\At27.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At29.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At3.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At31.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At33.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At35.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At37.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At39.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At41.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At43.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At45.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At47.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At49.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At5.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At51.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At53.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At55.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At57.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At59.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At61.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At63.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At65.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At67.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At69.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At7.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-30 c:\windows\Tasks\At71.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-30 c:\windows\Tasks\At73.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-30 c:\windows\Tasks\At75.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At77.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At79.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At81.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At83.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At85.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At87.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At89.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At9.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At91.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At93.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At95.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-25 15:11]
.
2012-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-25 15:11]
.
2012-03-30 c:\windows\Tasks\User_Feed_Synchronization-{C276CCE1-5D5D-43C6-B6EB-3580CBE7D38B}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.lakevalleygolf.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.3\IExifMap.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.3\IExifCom.htm
TCP: DhcpNameServer = 192.168.1.1
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://66.112.124.186/CACHE/stc/1/binaries/vpnweb.cab
FF - ProfilePath - c:\documents and settings\dennis\Application Data\Mozilla\Firefox\Profiles\u1h4u1v3.default\
FF - prefs.js: browser.search.selectedEngine - Google
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Gu8UZegGF0S - c:\documents and settings\All Users\Application Data\Gu8UZegGF0S.exe
HKCU-Run-Akamai NetSession Interface - c:\documents and settings\dennis\Local Settings\Application Data\Akamai\netsession_win.exe
Notify-NecUsb3Sevices - USB3Sw32.dll
Notify-USB3Sw32 - USB3Sw32.dll
SafeBoot-71918672.sys
AddRemove-Diamond Multimedia 11.3 2400-5900, 6400-6600, 6800-6900 WinXP - c:\program files\Diamond Multimedia 11.3 2400-5900
AddRemove-{1E3CA1C4-1E90-401B-8CC0-911DF018D8D8} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{1E3CA~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-30 13:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]
"ImagePath"="system32\drivers\tsk1.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
"ImagePath"="system32\drivers\tsk2.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\ASNA\Shared\Security Provider*Wrong guess again!]
"<No Name>"="{3C90A7C3-0CFE-4AF6-9B74-A2492C3EEC47}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(572)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'explorer.exe'(2788)
c:\windows\system32\WININET.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2012-03-30 13:37:05 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-30 18:37
.
Pre-Run: 26,610,233,344 bytes free
Post-Run: 27,403,599,872 bytes free
.
- - End Of File - - 51F2F9440C51BB46C5212B3471D532BA
 
the infected machine has not had internet access,
By your choice, or did it happen because of the infection?

Unless you installed Viewpoint Manager knowledgeably...
Go to Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
Uninstall any of the following programs associated with Viewpoint:
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar
This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

================================================================

1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\cCYt7A.com


AtJob::

Driver::
lyaxc

Rootkit::
c:\windows\system32\drivers\pjdpuyh.sys 

Registry::

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
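As an added example that is not part of this thread (and not ComboFix's own code), here is a small Python triage script that flags the two persistence patterns visible in the ComboFix log above: dozens of At<n>.job tasks all running one random-named file under system32 (At1..At95 -> cCYt7A.com), and core driver services whose ImagePath was redirected to a .tmp file (ACPI -> tsk1.tmp, redbook -> tsk2.tmp), i.e. the entries the CFScripts in this thread remove and restore. The sample log lines are constructed in the log's layout, and the expected-driver table is an assumption limited to the two services named here.

```python
import re
from collections import defaultdict

# Constructed sample in the ComboFix log layout used in this thread: a few
# Scheduled Tasks entries and service registry keys, not the full log.
SAMPLE_LOG = r"""
2012-03-29 c:\windows\Tasks\At1.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-29 c:\windows\Tasks\At3.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-30 c:\windows\Tasks\At5.job
- c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
.
2012-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-25 15:11]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]
"ImagePath"="system32\drivers\tsk1.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
"ImagePath"="system32\drivers\tsk2.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdrom]
"ImagePath"="system32\drivers\cdrom.sys"
.
"""

TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)$", re.I)
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[")
SERVICE_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<svc>[^\]]+)\]$", re.I)
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(?P<path>[^"]+)"$', re.I)

# Driver each core service is expected to load. Assumption for this example:
# only the two services this thread shows hijacked (the fix script restores
# exactly these names).
EXPECTED_DRIVER = {"acpi": "acpi.sys", "redbook": "redbook.sys"}


def _line_pairs(log):
    """Yield (line, next_line) with surrounding whitespace stripped."""
    lines = [l.strip() for l in log.splitlines()]
    return zip(lines, lines[1:])


def parse_tasks(log):
    """Return (job_file, target_path) pairs from the Scheduled Tasks section:
    a dated .job line followed by a '- <target> [timestamp]' line."""
    pairs = []
    for line, nxt in _line_pairs(log):
        m, t = TASK_RE.match(line), TARGET_RE.match(nxt)
        if m and t:
            pairs.append((m.group("job").rsplit("\\", 1)[-1], t.group("target")))
    return pairs


def parse_image_paths(log):
    """Return {service: ImagePath} from the registry key dump."""
    paths = {}
    for line, nxt in _line_pairs(log):
        m, p = SERVICE_RE.match(line), IMAGEPATH_RE.match(nxt)
        if m and p:
            paths[m.group("svc")] = p.group("path")
    return paths


def find_task_clusters(pairs, min_jobs=3):
    """Group at.exe-style tasks (At<n>.job) by target and flag any target run
    by min_jobs or more of them; legitimate software does not schedule itself
    that way."""
    by_target = defaultdict(list)
    for job, target in pairs:
        if re.fullmatch(r"At\d+\.job", job, re.I):
            by_target[target.lower()].append(job)
    return {t: sorted(jobs, key=lambda j: int(re.sub(r"\D", "", j)))
            for t, jobs in by_target.items() if len(jobs) >= min_jobs}


def find_hijacked_image_paths(paths):
    """Flag services whose ImagePath is a .tmp file (never a real driver) or,
    for the services we know, a file other than the expected driver."""
    findings = {}
    for svc, path in paths.items():
        base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        expected = EXPECTED_DRIVER.get(svc.lower())
        if base.endswith(".tmp") or (expected and base != expected):
            findings[svc] = path
    return findings


def triage(log, min_jobs=3):
    """Run both checks over a log and return the findings."""
    return {
        "task_clusters": find_task_clusters(parse_tasks(log), min_jobs),
        "hijacked_services": find_hijacked_image_paths(parse_image_paths(log)),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for target, jobs in report["task_clusters"].items():
        print(f"{len(jobs)} At jobs run {target}: {', '.join(jobs)}")
    for svc, path in report["hijacked_services"].items():
        print(f"service {svc} loads {path} instead of its driver")
```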
 
ComboFix 12-03-30.06 - dennis 03/30/2012 15:00:16.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.363 [GMT -5:00]
Running from: c:\documents and settings\dennis\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\dennis\Desktop\cfscript.txt
.
FILE ::
"c:\windows\system32\cCYt7A.com"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Tasks\At1.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At73.job
c:\windows\Tasks\At75.job
c:\windows\Tasks\At77.job
c:\windows\Tasks\At79.job
c:\windows\Tasks\At81.job
c:\windows\Tasks\At83.job
c:\windows\Tasks\At85.job
c:\windows\Tasks\At87.job
c:\windows\Tasks\At89.job
c:\windows\Tasks\At9.job
c:\windows\Tasks\At91.job
c:\windows\Tasks\At93.job
c:\windows\Tasks\At95.job
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_lyaxc
.
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-30 )))))))))))))))))))))))))))))))
.
.
2012-03-30 19:03 . 2012-03-30 19:03 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2012-03-30 19:03 . 2012-03-30 19:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Viewpoint
2012-03-30 19:03 . 2012-03-30 19:08 -------- d-----w- c:\documents and settings\NetworkService\Application Data\HPAppData
2012-03-30 18:19 . 2008-04-13 19:21 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2012-03-29 18:41 . 2012-03-29 18:41 -------- d-----w- c:\documents and settings\dennis\Application Data\SUPERAntiSpyware.com
2012-03-29 18:38 . 2012-03-29 18:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-29 18:38 . 2012-03-29 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-03-29 13:02 . 2012-03-29 12:57 99328 ----a-w- c:\windows\system32\cCYt7A.com_
2012-03-28 14:47 . 2012-03-28 14:47 -------- d-----w- c:\program files\Common Files\EPSON
2012-03-28 14:47 . 2012-03-28 14:47 -------- d-----w- c:\program files\EPSON Software
2012-03-28 14:46 . 2010-09-28 11:01 93696 ----a-w- c:\windows\system32\E_TLBH5A.DLL
2012-03-28 14:46 . 2010-08-09 11:02 81408 ----a-w- c:\windows\system32\E_TD4BH5A.DLL
2012-03-28 14:46 . 2012-03-28 14:46 -------- d-----w- c:\program files\Epson America Inc
2012-03-23 14:10 . 2012-03-23 14:10 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-23 14:10 . 2012-03-23 14:10 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-02 19:55 . 2011-05-17 19:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-23 14:10 . 2011-08-28 13:23 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-30_18.23.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-30 20:18 . 2012-03-30 20:18 16384 c:\windows\Temp\Perflib_Perfdata_9e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-07 3905920]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-19 16062464]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"SonicWALLNetExtender"="c:\program files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2009-08-05 710528]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-03-02 190808]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-03-09 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-07-29 497648]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil11f_ActiveX.exe" [2012-03-02 250016]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-07-23 13:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-10-31 16:01 8704 ----a-w- c:\windows\system32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-08-19 06:07 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 10:04 2879488 ------r- c:\windows\SkyTel.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"c:\\Documents and Settings\\dennis\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\CoreFTP\\coreftp.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5910:TCP"= 5910:TCP:vnc5910
"1194:TCP"= 1194:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [5/3/2010 10:33 AM 101528]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 Acceler8DB Server;Acceler8DB Server;c:\program files\ASNA\ADB Engine 5.0\adbntsvc.exe [5/1/2010 3:43 PM 606528]
R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [9/30/2010 4:06 AM 169408]
R2 CrossLoopService;CrossLoop Service;c:\documents and settings\dennis\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [5/11/2010 9:36 AM 560792]
R2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [6/9/2011 1:01 PM 521600]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [8/8/2011 1:24 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [3/3/2011 8:31 PM 428640]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [12/17/2009 5:32 PM 497856]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [6/26/2011 12:08 PM 101904]
R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2/23/2009 4:55 PM 20504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/25/2010 10:11 AM 136176]
S2 NecUsb3;USB3 Service;c:\windows\System32\svchost.exe -k NecUsb3Sevic [3/31/2003 7:00 AM 14336]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [5/14/2010 4:58 PM 20448]
S3 EST_BusEnum;Network USB Device Bus;c:\windows\system32\DRIVERS\GenBus.sys --> c:\windows\system32\DRIVERS\GenBus.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/25/2010 10:11 AM 136176]
S3 NUS_Bus32;Network USB Server Bus ;c:\windows\system32\DRIVERS\NUS_Bus32.sys --> c:\windows\system32\DRIVERS\NUS_Bus32.sys [?]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [5/3/2010 10:32 AM 24876]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/22/2009 10:08 PM 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 3:09 AM 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 3:23 AM 366936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
slee_81_service
AlteraByteBlaster
pctfw1
nimxdfk
s116obex
sscdbus
SilverLink
anydvd
nvmpu401
LVCap138
dwmrcs
iSMBIOS
nipxirmu
nsm1serd
iaimfp3
lvcomser
XBCD
BootScreen
vsserv
ASInsHelp
getPlusHelper
spcsutilityservice
epoxusdm
twotrack
aslm75
Dfs
bjmcmng
tosrfsnd
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-29 c:\windows\Tasks\AdobeAAMUpdater-1.0-DENNISJONES-dennis.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-07-29 07:25]
.
2012-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-25 15:11]
.
2012-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-25 15:11]
.
2012-03-30 c:\windows\Tasks\User_Feed_Synchronization-{C276CCE1-5D5D-43C6-B6EB-3580CBE7D38B}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.lakevalleygolf.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.3\IExifMap.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.3\IExifCom.htm
TCP: DhcpNameServer = 192.168.1.1
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://66.112.124.186/CACHE/stc/1/binaries/vpnweb.cab
FF - ProfilePath - c:\documents and settings\dennis\Application Data\Mozilla\Firefox\Profiles\u1h4u1v3.default\
FF - prefs.js: browser.search.selectedEngine - Google
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-30 15:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]
"ImagePath"="system32\drivers\tsk1.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
"ImagePath"="system32\drivers\tsk2.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\ASNA\Shared\Security Provider*Wrong guess again!]
"<No Name>"="{3C90A7C3-0CFE-4AF6-9B74-A2492C3EEC47}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(576)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'explorer.exe'(3924)
c:\windows\system32\WININET.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\msi.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-03-30 15:25:13 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-30 20:25
ComboFix2.txt 2012-03-30 18:37
.
Pre-Run: 27,385,085,952 bytes free
Post-Run: 27,383,963,648 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
[spybotsd]
timeout.old=30
.
- - End Of File - - D371E266598C0DE2B8D185F08784265B
 
1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\cCYt7A.com_
c:\windows\system32\E_TLBH5A.DLL
c:\windows\system32\E_TD4BH5A.DLL


Folder::

Driver::

Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]
"ImagePath"="system32\drivers\acpi.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
"ImagePath"="system32\drivers\redbook.sys"

RegLockDel::
[HKEY_LOCAL_MACHINE\software\ASNA\Shared\Security Provider*Wrong guess again!]

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
ComboFix 12-03-30.06 - dennis 03/30/2012 15:57:20.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.373 [GMT -5:00]
Running from: c:\documents and settings\dennis\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\dennis\Desktop\cfscript.txt
.
FILE ::
"c:\windows\system32\cCYt7A.com_"
"c:\windows\system32\E_TD4BH5A.DLL"
"c:\windows\system32\E_TLBH5A.DLL"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\cCYt7A.com_
c:\windows\system32\E_TD4BH5A.DLL
c:\windows\system32\E_TLBH5A.DLL
.
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-30 )))))))))))))))))))))))))))))))
.
.
2012-03-30 19:03 . 2012-03-30 19:03 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2012-03-30 19:03 . 2012-03-30 19:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Viewpoint
2012-03-30 19:03 . 2012-03-30 19:08 -------- d-----w- c:\documents and settings\NetworkService\Application Data\HPAppData
2012-03-30 18:19 . 2008-04-13 19:21 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2012-03-30 18:19 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-03-29 18:41 . 2012-03-29 18:41 -------- d-----w- c:\documents and settings\dennis\Application Data\SUPERAntiSpyware.com
2012-03-29 18:38 . 2012-03-29 18:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-29 18:38 . 2012-03-29 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-03-28 14:47 . 2012-03-28 14:47 -------- d-----w- c:\program files\Common Files\EPSON
2012-03-28 14:47 . 2012-03-28 14:47 -------- d-----w- c:\program files\EPSON Software
2012-03-28 14:46 . 2012-03-28 14:46 -------- d-----w- c:\program files\Epson America Inc
2012-03-23 14:10 . 2012-03-23 14:10 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-23 14:10 . 2012-03-23 14:10 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-02 19:55 . 2011-05-17 19:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-23 14:10 . 2011-08-28 13:23 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-30_18.23.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-30 21:09 . 2012-03-30 21:09 16384 c:\windows\Temp\Perflib_Perfdata_e54.dat
+ 2012-03-30 21:12 . 2012-03-30 21:12 16384 c:\windows\Temp\Perflib_Perfdata_84.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-07 3905920]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-19 16062464]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"SonicWALLNetExtender"="c:\program files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2009-08-05 710528]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-03-02 190808]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-03-09 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-07-29 497648]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil11f_ActiveX.exe" [2012-03-02 250016]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-07-23 13:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-10-31 16:01 8704 ----a-w- c:\windows\system32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-08-19 06:07 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 10:04 2879488 ------r- c:\windows\SkyTel.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"c:\\Documents and Settings\\dennis\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\CoreFTP\\coreftp.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5910:TCP"= 5910:TCP:vnc5910
"1194:TCP"= 1194:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [5/3/2010 10:33 AM 101528]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 Acceler8DB Server;Acceler8DB Server;c:\program files\ASNA\ADB Engine 5.0\adbntsvc.exe [5/1/2010 3:43 PM 606528]
R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [9/30/2010 4:06 AM 169408]
R2 CrossLoopService;CrossLoop Service;c:\documents and settings\dennis\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [5/11/2010 9:36 AM 560792]
R2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [6/9/2011 1:01 PM 521600]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [8/8/2011 1:24 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [3/3/2011 8:31 PM 428640]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [12/17/2009 5:32 PM 497856]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [6/26/2011 12:08 PM 101904]
R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2/23/2009 4:55 PM 20504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/25/2010 10:11 AM 136176]
S2 NecUsb3;USB3 Service;c:\windows\System32\svchost.exe -k NecUsb3Sevic [3/31/2003 7:00 AM 14336]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [5/14/2010 4:58 PM 20448]
S3 EST_BusEnum;Network USB Device Bus;c:\windows\system32\DRIVERS\GenBus.sys --> c:\windows\system32\DRIVERS\GenBus.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/25/2010 10:11 AM 136176]
S3 NUS_Bus32;Network USB Server Bus ;c:\windows\system32\DRIVERS\NUS_Bus32.sys --> c:\windows\system32\DRIVERS\NUS_Bus32.sys [?]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [5/3/2010 10:32 AM 24876]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/22/2009 10:08 PM 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 3:09 AM 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 3:23 AM 366936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
slee_81_service
AlteraByteBlaster
pctfw1
nimxdfk
s116obex
sscdbus
SilverLink
anydvd
nvmpu401
LVCap138
dwmrcs
iSMBIOS
nipxirmu
nsm1serd
iaimfp3
lvcomser
XBCD
BootScreen
vsserv
ASInsHelp
getPlusHelper
spcsutilityservice
epoxusdm
twotrack
aslm75
Dfs
bjmcmng
tosrfsnd
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-29 c:\windows\Tasks\AdobeAAMUpdater-1.0-DENNISJONES-dennis.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-07-29 07:25]
.
2012-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-25 15:11]
.
2012-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-25 15:11]
.
2012-03-30 c:\windows\Tasks\User_Feed_Synchronization-{C276CCE1-5D5D-43C6-B6EB-3580CBE7D38B}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.lakevalleygolf.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.3\IExifMap.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.3\IExifCom.htm
TCP: DhcpNameServer = 192.168.1.1
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://66.112.124.186/CACHE/stc/1/binaries/vpnweb.cab
FF - ProfilePath - c:\documents and settings\dennis\Application Data\Mozilla\Firefox\Profiles\u1h4u1v3.default\
FF - prefs.js: browser.search.selectedEngine - Google
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-30 16:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]
"ImagePath"="system32\drivers\tsk1.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
"ImagePath"="system32\drivers\tsk2.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\ASNA\Shared\Security Provider*Wrong guess again!]
"<No Name>"="{3C90A7C3-0CFE-4AF6-9B74-A2492C3EEC47}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(576)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'explorer.exe'(944)
c:\windows\system32\WININET.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\msi.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2012-03-30 16:24:54 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-30 21:24
ComboFix2.txt 2012-03-30 20:25
ComboFix3.txt 2012-03-30 18:37
.
Pre-Run: 27,392,663,552 bytes free
Post-Run: 27,373,314,048 bytes free
.
- - End Of File - - 26F7D190AF5EED8397DC017068535101
 
1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\drivers\tsk1.tmp
c:\windows\system32\drivers\tsk2.tmp

Rootkit::
c:\windows\system32\drivers\tsk1.tmp
c:\windows\system32\drivers\tsk2.tmp


Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]
"ImagePath"="system32\drivers\acpi.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
"ImagePath"="system32\drivers\redbook.sys"

RegLockDel::
[HKEY_LOCAL_MACHINE\software\ASNA\Shared\Security Provider*Wrong guess again!]
ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
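Both CFScripts in this thread act on the same finding: the ComboFix/catchme output shows the boot-time services ACPI and redbook with their ImagePath values redirected to tsk1.tmp and tsk2.tmp under system32\drivers, and the second script deletes those files while pointing the services back at acpi.sys and redbook.sys. The post that follows reports a reboot loop. As an added example (my code, not part of this thread and not ComboFix's own logic), the Python below parses such Services entries out of a log, flags ImagePaths that differ from the expected driver (or that load from a .tmp file, a heuristic of mine), and then refuses to plan a "delete the current file" repair for a boot-critical service unless the expected driver is already present on disk. The expected-path table, the boot-critical set, the sample log text and the file listing are all constructed for the example; the log entries are copied from the ones shown above.

```python
"""
Added example (not ComboFix code, not from the thread): check service ImagePath
entries from a ComboFix-style log and decide whether a file-deleting repair is
safe for boot-critical drivers.
"""
import re

# Assumed table of known-good ImagePath values (Windows XP defaults).
EXPECTED_IMAGEPATH = {
    "ACPI": r"system32\drivers\acpi.sys",
    "redbook": r"system32\drivers\redbook.sys",
    "Beep": r"system32\drivers\beep.sys",
}

# Services the kernel needs to get as far as a login screen (assumption).
BOOT_CRITICAL = {"ACPI"}

# Constructed sample: the two hijacked entries from the thread plus one clean one.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]
"ImagePath"="system32\drivers\tsk1.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
"ImagePath"="system32\drivers\tsk2.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Beep]
"ImagePath"="system32\drivers\beep.sys"
"""

_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$", re.I)
_IMAGEPATH_RE = re.compile(r'^"ImagePath"="([^"]*)"$', re.I)


def parse_service_imagepaths(log_text):
    """Return {service_name: imagepath} for every Services key in the log."""
    result = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _IMAGEPATH_RE.match(line)
        if m and current:
            result[current] = m.group(1)
    return result


def find_hijacked_services(imagepaths, expected=EXPECTED_IMAGEPATH):
    """Return (service, current_path, expected_path_or_None) for suspect entries.

    An entry is suspect when it differs from the known-good table, or, for
    services not in the table, when the driver loads from a .tmp file.
    """
    findings = []
    for svc, path in imagepaths.items():
        want = expected.get(svc)
        if want is not None and path.lower() != want.lower():
            findings.append((svc, path, want))
        elif want is None and path.lower().endswith(".tmp"):
            findings.append((svc, path, None))
    return findings


def repair_plan(findings, present_files, boot_critical=BOOT_CRITICAL):
    """Decide per finding whether resetting ImagePath and deleting the file is safe.

    present_files: lowercased driver paths (relative to %SystemRoot%) known to
    exist, e.g. a listing taken while the machine still boots. For a
    boot-critical service the expected driver must already be on disk;
    deleting the current file otherwise leaves nothing for the kernel to load.
    """
    plan = []
    for svc, current, expected in findings:
        if expected is None:
            plan.append((svc, "review", "no known-good ImagePath on record"))
            continue
        have_expected = expected.lower() in present_files
        if svc in boot_critical and not have_expected:
            plan.append((svc, "hold",
                         f"{expected} is missing; restore it from a trusted "
                         f"source before removing {current}"))
        else:
            plan.append((svc, "repair",
                         f"set ImagePath to {expected}, then remove {current}"))
    return plan


if __name__ == "__main__":
    found = find_hijacked_services(parse_service_imagepaths(SAMPLE_LOG))
    # Constructed listing: redbook.sys is present, acpi.sys is not.
    listing = {r"system32\drivers\redbook.sys",
               r"system32\drivers\tsk1.tmp", r"system32\drivers\tsk2.tmp"}
    for item in repair_plan(found, {p.lower() for p in listing}):
        print(" | ".join(item))
```

With the constructed listing the script marks redbook as safe to repair and holds ACPI, because the legitimate acpi.sys is not on disk to take over once tsk1.tmp is gone; that is the check worth running before a cleanup script deletes a file a boot driver currently points at.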
 
Having a problem now. I copied/pasted and ran the combofix as indicated above. Now the machine is in a reboot loop. It tries to boot, then comes to a screen saying it did not boot successfully. If I tell it to reboot in Safe mode it acts like it wants to, then reboots and starts over. What next?
 
Just tried a Safe Mode boot. It goes through a bunch of "multi disc..." statements and the last one it shows is mup.sys, then it starts a reboot.
 
That didn't go well. It's read the CD and rebooted to finish the Repair. Now it wants the location of SP1. Suggestions? I've looked all over the CD and got nothing.
 
I think I'm going to walk away for a while. If you have any suggestions leave me a note and I'll pick it up later. Thanks.
 
Hi Broni: Thanks again for helping. I'm working on copying and creating the bootable CD with SP included but I've run into another hiccup. Following the link you provided I'm down to their second step in Copying and Extracting Files.

The second step is to navigate to where you downloaded the Service Pack 3 file.

Of course, this is a problem because I'm unable to boot now, so I can't navigate to where I downloaded the file to. Are you aware of an alternative? If I have another XP machine can I copy it from there?

I will continue to explore but wanted to send a note in case you had a quick n dirty answer.
 
Just to keep you updated... I've tried downloading SP3 and it didn't like that, so I downloaded SP2 and created the disc, etc., and it didn't like that either. When the machine boots now it is asking for "The file 'asms' on Windows XP Professional Service Pack 1 CD is needed."

The only downloads I've been able to find were for SP2 and SP3 and it doesn't seem to like those. The SP2 disc shows up with an ASMS folder, but I can't find an asms file anywhere. I've tried a variety of paths and it doesn't seem to want any of them.

I have a friend who has an SP2 CD that he has used before, so he knows it's good. I'm going to pick it up from him later this morning and try it.

So, since my machine was XP Pro, SP3 and I'm doing a Repair, do I need SP3, SP2, or SP1 to continue the Repair? The machine is asking for SP1.
 