Trojan Horse Crypt AQLW

Resolved
By castironchef
Apr 3, 2012
  1. I have a PC that has been recently infected with Trojan Horse Crypt AQLW. Logs posted below:

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.04.02.02

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Mary :: LIBROSERFOZO [administrator]

    4/2/2012 6:13:43 PM
    mbam-log-2012-04-02 (18-13-43).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 310169
    Time elapsed: 1 hour(s), 10 minute(s), 6 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.

    (end)

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-04-02 20:10:44
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST3160812A rev.3.AAD
    Running: w7i28jjf.exe; Driver: C:\DOCUME~1\Mary\LOCALS~1\Temp\uwliypob.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)

    ---- EOF - GMER 1.0.15 ----

    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Mary at 20:50:10 on 2012-04-02
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.986 [GMT -7:00]
    .
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Google\Update\1.3.21.111\GoogleCrashHandler.exe
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\Program Files\AVG Secure Search\vprot.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\The Weather Channel\The Weather Channel App\TWCApp.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    \\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    mURLSearchHooks: H - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.2.0.3\AVG Secure Search_toolbar.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
    BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: ChromeFrame BHO: {ecb3c477-1a0a-44bd-bb57-78f9efe34fa7} - c:\program files\google\chrome frame\application\18.0.1025.142\npchrome_frame.dll
    TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
    TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.2.0.3\AVG Secure Search_toolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    {e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Google Update] "c:\documents and settings\mary\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [DW7] "c:\program files\the weather channel\the weather channel app\TWCApp.exe"
    uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10l_ActiveX.exe -update activex
    mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
    mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
    mRun: [TCASUTIEXE] TCAUDIAG.exe -off
    mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
    mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0379.0\mswinext.exe"
    mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
    mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
    mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
    mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
    dRunOnce: [AutoLaunch] c:\program files\lavasoft\ad-aware\AutoLaunch.exe monthly
    StartupFolder: c:\docume~1\mary\startm~1\programs\startup\mozill~1.lnk - c:\program files\mozilla thunderbird\thunderbird.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2E5E800E-6AC0-411E-940A-369530A35E43} - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}
    LSP: mswsock.dll
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30155.www3.hp.com/ediags/hpfix/sj/en/check/xp/qdiagh.cab?326
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\18.0.1025.142\npchrome_frame.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\10.2.0\ViProtocol.dll
    Notify: LMIinit - LMIinit.dll
    Notify: NecUsb3Sevices - USB3Sw32.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 23120]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-25 64160]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 230608]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 40016]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 295248]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1036104]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-9-26 374152]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2011-9-16 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-11-8 47640]
    R2 tcaicchg;tcaicchg;c:\windows\system32\TCAICCHG.SYS [2000-6-6 21233]
    R2 TCAITDI;TCAITDI Protocol;c:\windows\system32\drivers\TCAITDI.SYS [2001-9-4 19534]
    R2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\10.2.0\ToolbarUpdater.exe [2012-3-12 918880]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134608]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24272]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 16720]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S2 avg7updsvc;S125obex;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
    S2 avgio;Naiavfilter1;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 CTMSHD;RSAFAL;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-10 135664]
    S2 Ias;Network Security;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
    S2 mksvirmonsvc;Ssm_mdm;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
    S2 NecUsb3;USB3 Service;c:\windows\system32\svchost.exe -k NecUsb3Sevic [2004-8-4 14336]
    S2 veteboot;IASJet;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-9-10 135664]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]
    .
    =============== Created Last 30 ================
    .
    2012-04-02 04:19:35 -------- d-----w- c:\documents and settings\mary\application data\Malwarebytes
    2012-04-02 04:19:25 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-04-02 04:19:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-02 04:19:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-03-28 22:50:22 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
    2012-03-09 15:46:46 -------- d-----w- c:\program files\The Weather Channel
    .
    ==================== Find3M ====================
    .
    2012-02-07 16:53:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
    2012-02-07 16:53:11 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2012-02-07 16:53:11 52096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
    2012-02-07 16:53:11 30592 ----a-w- c:\windows\system32\LMIport.dll
    2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
    2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    .
    ============= FINISH: 20:50:34.50 ====

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/24/2009 10:57:18 PM
    System Uptime: 4/2/2012 7:48:33 AM (13 hours ago)
    .
    Motherboard: ASUSTek Computer Inc. | | P4P800
    Processor: Intel(R) Pentium(R) 4 CPU 2.40GHz | CPU 1 | 2405/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 149 GiB total, 125.545 GiB free.
    D: is FIXED (FAT32) - 6 GiB total, 2.104 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: RAID Controller
    Device ID: PCI\VEN_1106&DEV_3164&SUBSYS_80F41043&REV_06\4&2E98101C&0&20F0
    Manufacturer:
    Name: RAID Controller
    PNP Device ID: PCI\VEN_1106&DEV_3164&SUBSYS_80F41043&REV_06\4&2E98101C&0&20F0
    Service:
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Simple Communications Controller
    Device ID: PCI\VEN_14F1&DEV_2F30&SUBSYS_205D14F1&REV_01\4&2E98101C&0&48F0
    Manufacturer:
    Name: PCI Simple Communications Controller
    PNP Device ID: PCI\VEN_14F1&DEV_2F30&SUBSYS_205D14F1&REV_01\4&2E98101C&0&48F0
    Service:
    .
    ==== System Restore Points ===================
    .
    RP1105: 12/29/2011 4:58:43 PM - System Checkpoint
    RP1106: 12/30/2011 5:13:37 PM - System Checkpoint
    RP1107: 12/31/2011 5:17:26 PM - System Checkpoint
    RP1108: 1/1/2012 5:28:13 PM - System Checkpoint
    RP1109: 1/2/2012 5:46:05 PM - System Checkpoint
    RP1110: 1/3/2012 5:48:36 PM - System Checkpoint
    RP1111: 1/4/2012 6:09:56 PM - System Checkpoint
    RP1112: 1/5/2012 6:34:35 PM - System Checkpoint
    RP1113: 1/6/2012 6:50:51 PM - System Checkpoint
    RP1114: 1/7/2012 7:23:14 PM - System Checkpoint
    RP1115: 1/8/2012 7:44:37 PM - System Checkpoint
    RP1116: 1/9/2012 8:41:18 PM - System Checkpoint
    RP1117: 1/9/2012 10:56:16 PM - Software Distribution Service 3.0
    RP1118: 1/11/2012 9:16:43 AM - System Checkpoint
    RP1119: 1/11/2012 9:31:07 PM - Software Distribution Service 3.0
    RP1120: 1/13/2012 8:36:42 AM - System Checkpoint
    RP1121: 1/14/2012 9:18:26 AM - System Checkpoint
    RP1122: 1/15/2012 10:17:56 AM - System Checkpoint
    RP1123: 1/15/2012 1:18:10 PM - Installed Java(TM) 6 Update 30
    RP1124: 1/15/2012 1:22:02 PM - Removed Ask Toolbar.
    RP1125: 1/15/2012 1:24:48 PM - Software Distribution Service 3.0
    RP1126: 1/16/2012 1:48:08 PM - System Checkpoint
    RP1127: 1/17/2012 1:53:46 PM - System Checkpoint
    RP1128: 1/18/2012 2:14:36 PM - System Checkpoint
    RP1129: 1/19/2012 2:51:27 PM - System Checkpoint
    RP1130: 1/20/2012 4:38:17 PM - System Checkpoint
    RP1131: 1/21/2012 5:07:07 PM - System Checkpoint
    RP1132: 1/22/2012 5:23:43 PM - System Checkpoint
    RP1133: 1/23/2012 6:44:02 PM - System Checkpoint
    RP1134: 1/24/2012 7:30:52 PM - System Checkpoint
    RP1135: 1/25/2012 8:22:31 PM - System Checkpoint
    RP1136: 1/26/2012 8:24:21 PM - System Checkpoint
    RP1137: 1/27/2012 8:39:24 PM - System Checkpoint
    RP1138: 1/28/2012 9:11:52 PM - System Checkpoint
    RP1139: 1/30/2012 8:20:35 AM - System Checkpoint
    RP1140: 1/31/2012 8:56:34 AM - System Checkpoint
    RP1141: 2/1/2012 9:14:50 AM - System Checkpoint
    RP1142: 2/2/2012 9:17:29 AM - System Checkpoint
    RP1143: 2/3/2012 9:48:19 AM - System Checkpoint
    RP1144: 2/4/2012 9:58:14 AM - System Checkpoint
    RP1145: 2/5/2012 10:47:05 AM - System Checkpoint
    RP1146: 2/6/2012 11:32:03 AM - System Checkpoint
    RP1147: 2/7/2012 10:41:55 AM - Printer Driver LogMeIn Printer Driver Installed
    RP1148: 2/8/2012 10:54:54 AM - System Checkpoint
    RP1149: 2/9/2012 11:05:02 AM - System Checkpoint
    RP1150: 2/10/2012 11:46:48 AM - System Checkpoint
    RP1151: 2/11/2012 1:02:15 PM - System Checkpoint
    RP1152: 2/12/2012 1:25:40 PM - System Checkpoint
    RP1153: 2/13/2012 1:35:14 PM - System Checkpoint
    RP1154: 2/14/2012 2:41:03 PM - System Checkpoint
    RP1155: 2/15/2012 2:54:15 PM - System Checkpoint
    RP1156: 2/15/2012 9:04:42 PM - Software Distribution Service 3.0
    RP1157: 2/17/2012 8:18:39 AM - System Checkpoint
    RP1158: 2/18/2012 8:39:46 AM - System Checkpoint
    RP1159: 2/19/2012 8:53:45 AM - System Checkpoint
    RP1160: 2/20/2012 9:29:42 AM - System Checkpoint
    RP1161: 2/21/2012 10:33:55 AM - System Checkpoint
    RP1162: 2/22/2012 10:34:15 AM - System Checkpoint
    RP1163: 2/23/2012 11:12:35 AM - System Checkpoint
    RP1164: 2/24/2012 1:30:02 PM - System Checkpoint
    RP1165: 2/25/2012 1:57:07 PM - System Checkpoint
    RP1166: 2/26/2012 2:00:18 PM - System Checkpoint
    RP1167: 2/27/2012 2:54:14 PM - System Checkpoint
    RP1168: 2/28/2012 3:16:06 PM - System Checkpoint
    RP1169: 2/29/2012 4:18:21 PM - System Checkpoint
    RP1170: 3/1/2012 4:55:11 PM - System Checkpoint
    RP1171: 3/2/2012 4:56:12 PM - System Checkpoint
    RP1172: 3/3/2012 5:31:12 PM - System Checkpoint
    RP1173: 3/4/2012 6:19:13 PM - System Checkpoint
    RP1174: 3/5/2012 7:05:31 PM - System Checkpoint
    RP1175: 3/6/2012 7:28:10 PM - System Checkpoint
    RP1176: 3/7/2012 7:49:18 PM - System Checkpoint
    RP1177: 3/8/2012 8:09:36 PM - System Checkpoint
    RP1178: 3/9/2012 8:57:04 PM - System Checkpoint
    RP1179: 3/10/2012 10:40:19 PM - System Checkpoint
    RP1180: 3/10/2012 11:53:16 PM - Software Distribution Service 3.0
    RP1181: 3/12/2012 8:56:39 AM - System Checkpoint
    RP1182: 3/13/2012 9:29:41 AM - System Checkpoint
    RP1183: 3/14/2012 10:59:13 AM - System Checkpoint
    RP1184: 3/14/2012 9:51:34 PM - Software Distribution Service 3.0
    RP1185: 3/16/2012 8:25:56 AM - System Checkpoint
    RP1186: 3/17/2012 10:55:44 AM - Software Distribution Service 3.0
    RP1187: 3/18/2012 2:11:15 PM - System Checkpoint
    RP1188: 3/19/2012 2:57:49 PM - System Checkpoint
    RP1189: 3/20/2012 3:16:46 PM - System Checkpoint
    RP1190: 3/21/2012 3:25:10 PM - System Checkpoint
    RP1191: 3/22/2012 3:54:38 PM - System Checkpoint
    RP1192: 3/23/2012 4:18:12 PM - System Checkpoint
    RP1193: 3/24/2012 4:45:40 PM - System Checkpoint
    RP1194: 3/25/2012 4:48:23 PM - System Checkpoint
    RP1195: 3/26/2012 5:03:00 PM - System Checkpoint
    RP1196: 3/27/2012 5:27:01 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    32 Bit HP CIO Components Installer
    3Com NIC Diagnostics
    Acrobat.com
    Ad-Aware
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.5.0
    Apple Software Update
    ArcSoft Collage Creator
    ASUS Probe V2.20.02
    AVG 2012
    AVG Security Toolbar
    Canon Camera Access Library
    Canon Camera Support Core Library
    Canon Camera Window DC_DV 5 for ZoomBrowser EX
    Canon Camera Window DC_DV 6 for ZoomBrowser EX
    Canon Camera Window MC 6 for ZoomBrowser EX
    Canon G.726 WMP-Decoder
    Canon MovieEdit Task for ZoomBrowser EX
    Canon RAW Image Task for ZoomBrowser EX
    Canon RemoteCapture Task for ZoomBrowser EX
    Canon Utilities EOS Utility
    Canon Utilities PhotoStitch
    Canon Utilities ZoomBrowser EX
    Copy
    CreativeProjects
    CreativeProjectsTemplates
    Critical Update for Windows Media Player 11 (KB959772)
    CueTour
    CutePDF Writer 2.7
    D7200_Help
    Destinations
    Director
    DocProc
    DVD Decoder Pak for Windows XP
    Google Chrome
    Google Chrome Frame
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Diagnostic Assistant
    HP Driver Diagnostics
    HP Image Zone 4.0
    HP Scanjet 4070
    HP Software Update
    HP Unload DLL Patch
    hpg4070
    HPSystemDiagnostics
    InstantShare
    Java Auto Updater
    Java(TM) 6 Update 30
    LogMeIn
    Malwarebytes Anti-Malware version 1.60.1.1000
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Default Manager
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Publisher 2000 SR-1
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft UI Engine
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Windows XP Video Decoder Checkup Utility
    Microsoft Word 2002
    Microsoft Works
    Microsoft Works 2004 Setup Launcher
    Microsoft Works Suite Add-in for Microsoft Word
    Mozilla Thunderbird (8.0)
    MSN Toolbar
    MSN Toolbar Platform
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    NVIDIA Drivers
    OpenOffice.org 3.1
    Overland
    PhotoGallery
    PrintScreen
    QFolder
    QuickProjects
    QuickTime
    Scan
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2660465)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    ShareIns
    Sierra Print Artist GFX Installer
    Sierra Print Artist Gold
    Sierra Utilities
    SkinsHP1
    SoundMAX
    System Requirements Lab
    The Weather Channel App
    The Weather Channel Desktop 6
    The Weather Channel Toolbar
    TrayApp
    TUGZip 3.5
    Unload
    UnloadSupport
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    ViewSonic Monitor Drivers
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Live ID Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    .
    Part 2 to follow
  2. castironchef

    Part 2

    ==== Event Viewer Messages From Past Week ========
    .
    4/2/2012 9:52:59 AM, error: Service Control Manager [7023] - The MagicTune service terminated with the following error: Access is denied.
    4/2/2012 9:37:59 AM, error: Service Control Manager [7023] - The Slave service terminated with the following error: Access is denied.
    4/2/2012 9:22:59 AM, error: Service Control Manager [7023] - The Govsrv service terminated with the following error: Access is denied.
    4/2/2012 9:07:59 AM, error: Service Control Manager [7023] - The Pctoolsfirewallplus service terminated with the following error: Access is denied.
    4/2/2012 8:52:59 AM, error: Service Control Manager [7023] - The Avpnnic service terminated with the following error: Access is denied.
    4/2/2012 8:37:59 AM, error: Service Control Manager [7023] - The Konfig service terminated with the following error: Access is denied.
    4/2/2012 8:23:00 AM, error: Service Control Manager [7023] - The LEX_AS_NIC_SERVICE_YNOS service terminated with the following error: Access is denied.
    4/2/2012 8:06:59 AM, error: Service Control Manager [7023] - The RSAFAL service terminated with the following error: Access is denied.
    4/2/2012 7:58:20 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    4/2/2012 7:52:04 AM, error: Service Control Manager [7023] - The Lcs service terminated with the following error: Access is denied.
    4/2/2012 7:51:02 AM, error: Service Control Manager [7023] - The Emu10k1 service terminated with the following error: Access is denied.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Zpjobq service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The ZD1211BU(ZyDAS) service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The XFX_program service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The WmiAcpi service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Wlancfg service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Winsock2 service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Wg111nd5 service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Wfxsvc service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The W800obex service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The W22n51 service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The W200bus service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Vxsvc service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Vwlogger service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Vstor2 service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Vsserv service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Vmm service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Vcommmgr service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The VAIOMediaPlatform-VideoServer-UPnP service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The VAIOMediaPlatform-MusicServer-HTTP service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Vaiomediaplatform-musicserver-appserver service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The USR1806V service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Usnjsvc service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The UsbserFilt service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The USB3 Service service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Uploadmgr service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The UNDPX2A service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The UlSata service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Uiusys service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The TOSHIBASoftModem service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Timounter service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Tappsrv service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Szserver service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Szkg service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Symproxysvc service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Stylexpservice service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Ssrvc service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Ssm_mdm service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The SRTSP service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The SQLAgent$ABBEYIIOFFLINE service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Spupdsvc service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The SNC service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The SMCB000 service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Slip service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Sk99202k service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Sentinelprotectionserver service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Se2Cnd5 service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The ScFBPNT3 service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The S125obex service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The S116unic service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The S116mgmt service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Rtport service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The ROCKEYNT service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Riomsc service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Retinaengine service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Quickbooksdb service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Qconsvc service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Ptbsync service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The PSSdk21 service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Prohlp02 service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Prevxdriver service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Perfnet service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Pdlndqll service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The PCDCODEC service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The P1131vid service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Osaio service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Oraclexeclragent service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Oracleorahomehttpserver service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Oracleorahome92pagingserver service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Oracledbconsoleorcl service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Omsad service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The OEM02Dev service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Odserv service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The NVR0FLASHDev service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Nuvvid2 service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Ntuneservice service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The NPDriver service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Nmwcdcm service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Nmwcdcj service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Network Security service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The MQAC service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The MozyFilter service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Mlkkbdntdriver service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Memctl service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The MA8032M service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The MA8032C service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Lxcr_device service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The LPCFilter service terminated with the following error: The system cannot find the file specified.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The JGOGO service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Ibmfilter service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The IASJet service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Iaimfp2 service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Help and Support service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Ha10kx2k service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The GENERICDRV service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Gearsecurity service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Fix service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The EU3_USB service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The ESDCR service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Epsonbidirectionalservice service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The EPOWER service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The EMATCORE service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Eloggersvc6 service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The ELacpi service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The El90xbc service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Dtsrvc service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Dptrackerd service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The DN2AKNET service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Dcstor32 service terminated with the following error: The specified procedure could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The DCamUSBMke service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Cvsnt service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The CTHWIUT.DLL service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The CTEDSPFX.DLL service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The CTEAPSFX.DLL service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Cpqnicmgmt service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Cccredmgr service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Backupclientsvc service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Authsyssvc service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Atitool service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Atirage3 service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Asapiw2k service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Arcltsrv service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Alcaudsl service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The AIRPLUS service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The AffinegyService service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The Adobeactivefilemonitor5.0 service terminated with the following error: The specified module could not be found.
    4/2/2012 7:50:21 AM, error: Service Control Manager [7023] - The ACDaemon service terminated with the following error: The specified module could not be found.
    4/2/2012 7:49:38 AM, error: Dhcp [1002] - The IP address lease 192.168.1.64 for the Network Card with network address 000C6E4D607D has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    4/2/2012 7:38:07 PM, error: Service Control Manager [7023] - The Stllssvr service terminated with the following error: Access is denied.
    4/2/2012 7:23:08 PM, error: Service Control Manager [7023] - The S116obex service terminated with the following error: Access is denied.
    4/2/2012 7:08:10 PM, error: Service Control Manager [7023] - The Iviregmgr service terminated with the following error: Access is denied.
    4/2/2012 6:53:09 PM, error: Service Control Manager [7023] - The Zebrceb service terminated with the following error: Access is denied.
    4/2/2012 6:38:08 PM, error: Service Control Manager [7023] - The SrvcSSIOMngr service terminated with the following error: Access is denied.
    4/2/2012 6:23:08 PM, error: Service Control Manager [7023] - The K750mgmt service terminated with the following error: Access is denied.
    4/2/2012 6:08:07 PM, error: Service Control Manager [7023] - The CoachVc service terminated with the following error: Access is denied.
    4/2/2012 5:53:07 PM, error: Service Control Manager [7023] - The F700imd service terminated with the following error: Access is denied.
    4/2/2012 5:38:07 PM, error: Service Control Manager [7023] - The S217unic service terminated with the following error: Access is denied.
    4/2/2012 5:23:07 PM, error: Service Control Manager [7023] - The Tphkdrv service terminated with the following error: Access is denied.
    4/2/2012 5:08:07 PM, error: Service Control Manager [7023] - The Uleadburninghelper service terminated with the following error: Access is denied.
    4/2/2012 4:53:07 PM, error: Service Control Manager [7023] - The Pgsql-8.0 service terminated with the following error: Access is denied.
    4/2/2012 4:38:07 PM, error: Service Control Manager [7023] - The Isdrv122 service terminated with the following error: Access is denied.
    4/2/2012 4:23:07 PM, error: Service Control Manager [7023] - The Ctljystk service terminated with the following error: Access is denied.
    4/2/2012 4:08:07 PM, error: Service Control Manager [7023] - The Ctaud2k service terminated with the following error: Access is denied.
    4/2/2012 3:53:07 PM, error: Service Control Manager [7023] - The Wkscfgsrv service terminated with the following error: Access is denied.
    4/2/2012 3:38:07 PM, error: Service Control Manager [7023] - The Aksfridge service terminated with the following error: Access is denied.
    4/2/2012 3:23:07 PM, error: Service Control Manager [7023] - The Ssrtln service terminated with the following error: Access is denied.
    4/2/2012 3:08:06 PM, error: Service Control Manager [7023] - The Emitray service terminated with the following error: Access is denied.
    4/2/2012 2:53:06 PM, error: Service Control Manager [7023] - The PDExchange service terminated with the following error: Access is denied.
    4/2/2012 2:38:06 PM, error: Service Control Manager [7023] - The NAL service terminated with the following error: Access is denied.
    4/2/2012 2:23:07 PM, error: Service Control Manager [7023] - The Smstsmgr service terminated with the following error: Access is denied.
    4/2/2012 2:08:07 PM, error: Service Control Manager [7023] - The Fcprintservice service terminated with the following error: Access is denied.
    4/2/2012 12:53:06 PM, error: Service Control Manager [7023] - The Upnp service terminated with the following error: Access is denied.
    4/2/2012 12:38:06 PM, error: Service Control Manager [7023] - The Lkcitadelserver service terminated with the following error: Access is denied.
    4/2/2012 12:23:07 PM, error: Service Control Manager [7023] - The Ccevtmgr service terminated with the following error: Access is denied.
    4/2/2012 12:08:07 PM, error: Service Control Manager [7023] - The Awlegacy service terminated with the following error: Access is denied.
    4/2/2012 11:52:59 AM, error: Service Control Manager [7023] - The Rvscc service terminated with the following error: Access is denied.
    4/2/2012 11:37:59 AM, error: Service Control Manager [7023] - The Rca service terminated with the following error: Access is denied.
    4/2/2012 11:22:59 AM, error: Service Control Manager [7023] - The Wampmysqld service terminated with the following error: Access is denied.
    4/2/2012 11:08:00 AM, error: Service Control Manager [7023] - The Nvata service terminated with the following error: Access is denied.
    4/2/2012 10:52:59 AM, error: Service Control Manager [7023] - The Tdrpman service terminated with the following error: Access is denied.
    4/2/2012 10:37:59 AM, error: Service Control Manager [7023] - The Mstdc service terminated with the following error: Access is denied.
    4/2/2012 10:22:59 AM, error: Service Control Manager [7023] - The Isdrv120 service terminated with the following error: Access is denied.
    4/2/2012 10:07:59 AM, error: Service Control Manager [7023] - The Maya70docserver service terminated with the following error: Access is denied.
    4/2/2012 1:53:06 PM, error: Service Control Manager [7023] - The TNaviSrv service terminated with the following error: Access is denied.
    4/2/2012 1:38:12 PM, error: Service Control Manager [7023] - The CE3 service terminated with the following error: Access is denied.
    4/2/2012 1:23:08 PM, error: Service Control Manager [7023] - The Uclauncherservice service terminated with the following error: Access is denied.
    4/2/2012 1:08:08 PM, error: Service Control Manager [7023] - The Naiavfilter1 service terminated with the following error: Access is denied.
    4/2/2012 1:01:46 PM, error: Dhcp [1002] - The IP address lease 75.6.2.21 for the Network Card with network address 000C6E4D607D has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    4/1/2012 9:47:36 PM, error: Service Control Manager [7023] - The Arcltsrv service terminated with the following error: Access is denied.
    4/1/2012 9:32:36 PM, error: Service Control Manager [7023] - The Stylexpservice service terminated with the following error: Access is denied.
    4/1/2012 9:17:34 PM, error: Service Control Manager [7023] - The Cpqnicmgmt service terminated with the following error: Access is denied.
    4/1/2012 9:02:41 PM, error: Service Control Manager [7023] - The Pdlndqll service terminated with the following error: Access is denied.
    4/1/2012 8:47:37 PM, error: Service Control Manager [7023] - The PCDCODEC service terminated with the following error: Access is denied.
    4/1/2012 8:32:35 PM, error: Service Control Manager [7023] - The PSSdk21 service terminated with the following error: Access is denied.
    4/1/2012 8:17:40 PM, error: Service Control Manager [7023] - The W22n51 service terminated with the following error: Access is denied.
    4/1/2012 8:02:38 PM, error: Service Control Manager [7023] - The Cvsnt service terminated with the following error: Access is denied.
    4/1/2012 7:47:30 PM, error: Service Control Manager [7023] - The P1131vid service terminated with the following error: Access is denied.
    4/1/2012 7:32:31 PM, error: Service Control Manager [7023] - The Riomsc service terminated with the following error: Access is denied.
    4/1/2012 7:17:31 PM, error: Service Control Manager [7023] - The MA8032M service terminated with the following error: Access is denied.
    4/1/2012 7:02:30 PM, error: Service Control Manager [7023] - The Adobeactivefilemonitor5.0 service terminated with the following error: Access is denied.
    4/1/2012 6:47:30 PM, error: Service Control Manager [7023] - The S116mgmt service terminated with the following error: Access is denied.
    4/1/2012 6:32:31 PM, error: Service Control Manager [7023] - The UNDPX2A service terminated with the following error: Access is denied.
    4/1/2012 6:17:34 PM, error: Service Control Manager [7023] - The Szkg service terminated with the following error: Access is denied.
    4/1/2012 6:16:36 PM, error: Service Control Manager [7023] - The Vsserv service terminated with the following error: Access is denied.
    4/1/2012 6:16:36 PM, error: Service Control Manager [7023] - The USB3 Service service terminated with the following error: Access is denied.
    4/1/2012 4:30:24 PM, error: Service Control Manager [7023] - The Spupdsvc service terminated with the following error: Access is denied.
    4/1/2012 4:29:05 PM, error: Service Control Manager [7023] - The SRTSP service terminated with the following error: Access is denied.
    4/1/2012 2:56:34 PM, error: Service Control Manager [7023] - The CTEDSPFX.DLL service terminated with the following error: Access is denied.
    4/1/2012 2:55:36 PM, error: Service Control Manager [7023] - The OEM02Dev service terminated with the following error: Access is denied.
    4/1/2012 10:17:34 PM, error: Service Control Manager [7023] - The GENERICDRV service terminated with the following error: Access is denied.
    4/1/2012 10:02:36 PM, error: Service Control Manager [7023] - The Odserv service terminated with the following error: Access is denied.
    .
    ==== End Of File ===================

    Thanks so much for any help you can provide.
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    From Malwarebytes: Files Detected: 1
    C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
    ------------------------
    The Certstore.dat trojan allows hackers to gain access to your computer system. A hacker may send you spam or hack into your personal information. There will be other related entries and most likely other malware to be found.
    ================================================
    The errors on 4/1 and 4/2 indicate major crashes from 2 problems:
    1. The specified module could not be found.
    2. Access denied.
    Other than those specific events, please give me some information about what you are experiencing.
    =========================================
    I'd like you to run Combofix- but it won't run with AVG. You will need to temporarily uninstall AVG as follows:

    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear: [image]
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:
    Microsoft Security Essentials
    Comodo AV
    Avast! Free Antivirus
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Before you run the Combofix scan, please disable any security software you have running.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated - it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ==================================
    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    =====================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
  4. castironchef

    castironchef Newcomer, in training Topic Starter Posts: 20

    Specific issues

    Thank you so much for your detailed response. The computer in question is actually one used by my 87-year-old mother and I have been helping her via a remote logon program. What we have been seeing is a moderate slowdown in performance and a wide variety of AVG reports as it discovers various malwares that the system is now vulnerable to. For a while we were letting AVG quarantine them but with them popping up as often as eight times an hour it seemed to be a losing battle. Sometimes AVG would report that the item was eliminated or would give out the following message: "Object does not exist or is inaccessible".

    Since Avast is on your recommended list is there any reason why I shouldn't completely swap out the programs before I get started with the next steps? Avast is actually my AV of choice on my personal machines so it would make plenty of sense to do so if it doesn't introduce any additional complications.

    Also, of the steps you recommended, how much of it can I do via remote access? It is possible to give my mom instructions over the phone but it both slows down and reduces the accuracy of the process. Thanks again, and I look forward to hearing from you soon.
  5. castironchef

    castironchef Newcomer, in training Topic Starter Posts: 20

    Followed instructions last night regarding Combofix which has now been running with the blue screen referencing doubled times for over 11 hours. When the program was started apparently it then logged the system off. Once it was logged back in the program started running. I apologize for the lack of detail but it is the best that I have been able to gather from the individual who is actually in front of the box. Stand tight, or do you have further recommendations?
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    God love her! There are so many Seniors who won't touch a computer. In fact, my mother wouldn't even use a microwave for 30 years!

    The biggest problem I see is the large number of errors. They are legitimate, at least what I checked, and one has to wonder why the module couldn't be found or why access has been denied. For instance,
    1. The Retinaengine service terminated with the following error: The specified module could not be found.
    RetinaEngine.exe Related to eEye Digital Security. Note: Located in \%Program Files%\eEye Digital Security\Retina 5\Scanner\

    2. The Pctoolsfirewallplus service terminated with the following error: Access is denied.

    Where are these modules? Why is access being denied?
    =============================================
    Did you fully uninstall AVG with the AppRemover before trying to run Combofix?

    NOTE: If, for some reason, Combofix refuses to run, try one of the following:
    1. Run Combofix from Safe Mode. If it won't run, go on to #2.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to
    friday.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    3. See which one of the following runs. You do not need to download all three versions:
    This is a slight variation on the RKill:
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, add the following:

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan.
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
    (Directions courtesy bleeping computer)

    4. With both RKill and exehelper on board:
    Go right to the renamed (Combofix) and double click on friday.exe to run
    If it won't run in Normal Mode, run BOTH tools from safe mode, then try the double click on friday.exe to run.

    If successful, please leave RKill, Exehelper and Combofix logs.
    ======================================
    And I'd really like to have the online virus scan.
  7. castironchef

    castironchef Newcomer, in training Topic Starter Posts: 20

    After a lot of frustration and switching to safe mode and finally having to manually reboot after 19 hours I have the requested logs. I look forward to the next steps.


    ComboFix 12-04-03.02 - Mary 04/04/2012 20:43:07.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1701 [GMT -7:00]
    Running from: c:\documents and settings\Mary\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Mary\WINDOWS
    c:\windows\system32\Cache
    c:\windows\system32\Cache\272512937d9e61a4.fb
    c:\windows\system32\Cache\287204568329e189.fb
    c:\windows\system32\Cache\28bc8f716fd76a47.fb
    c:\windows\system32\Cache\2c53092c95605355.fb
    c:\windows\system32\Cache\3917078cb68ec657.fb
    c:\windows\system32\Cache\54089d6037628587.fb
    c:\windows\system32\Cache\590ba23ce359fd0c.fb
    c:\windows\system32\Cache\610289e025a3ee9a.fb
    c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
    c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
    c:\windows\system32\Cache\9b8ef078a30061c9.fb
    c:\windows\system32\Cache\a8556537add6dfc5.fb
    c:\windows\system32\Cache\ad10a52aff5e038d.fb
    c:\windows\system32\Cache\c4d28dca2e7648be.fb
    c:\windows\system32\Cache\d201ef9910cd39de.fb
    c:\windows\system32\Cache\d2e94710a5708128.fb
    c:\windows\system32\Cache\d79b9dfe81484ec4.fb
    c:\windows\system32\Cache\d811b9fe8e66a400.fb
    c:\windows\system32\Cache\e0de16f883bea794.fb
    c:\windows\system32\Cache\f17603e11ba5fbae.fb
    c:\windows\system32\dds_trash_log.cmd
    c:\windows\system32\mpe.dll
    c:\windows\system32\s217unic.dll
    .
    Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
    Restored copy from - The cat found it :)
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_IAS
    -------\Legacy_TMESBS32
    -------\Service_Ias
    -------\Service_tmesbs32
    -------\Legacy_RMSvc
    -------\Service_RMSvc
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-06 to 2012-04-06 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-04 02:10 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-04-02 04:19 . 2012-04-02 04:19 -------- d-----w- c:\documents and settings\Mary\Application Data\Malwarebytes
    2012-04-02 04:19 . 2012-04-02 04:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-04-02 04:19 . 2011-12-10 22:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-02 04:19 . 2012-04-02 04:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-03-31 17:15 . 2012-03-31 17:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
    2012-03-09 15:51 . 2012-03-09 15:51 -------- d-----w- c:\program files\Microsoft.NET
    2012-03-09 15:46 . 2012-03-09 15:46 -------- d-----w- c:\program files\The Weather Channel
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-07 16:53 . 2011-11-09 04:11 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
    2012-02-07 16:53 . 2011-11-09 04:11 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2012-02-07 16:53 . 2011-11-09 04:11 30592 ----a-w- c:\windows\system32\LMIport.dll
    2012-02-07 16:53 . 2011-11-09 04:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
    2012-02-03 09:22 . 2004-08-04 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-11 19:06 . 2012-02-15 15:54 3072 ------w- c:\windows\system32\iacenc.dll
    2012-01-09 16:20 . 2009-01-25 06:51 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-25 39408]
    "DW7"="c:\program files\The Weather Channel\The Weather Channel App\TWCApp.exe" [2011-12-12 10448384]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TCASUTIEXE"="TCAUDIAG.exe -off" [X]
    "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-04-04 774144]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
    "nwiz"="nwiz.exe" [2006-10-22 1622016]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
    "MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe" [2009-12-09 240992]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-09-16 63048]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    c:\documents and settings\Mary\Start Menu\Programs\Startup\
    Mozilla Thunderbird.lnk - c:\program files\Mozilla Thunderbird\thunderbird.exe [2009-1-25 399512]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2012-02-07 16:53 87424 ----a-w- c:\windows\system32\LMIinit.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
    "c:\\Program Files\\Google\\Chrome Frame\\Application\\chrome.exe"=
    "c:\\Documents and Settings\\Mary\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    .
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/10/2010 10:42 AM 135664]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/26/2011 7:15 PM 374152]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/16/2011 4:10 PM 12856]
    R2 tcaicchg;tcaicchg;c:\windows\system32\TCAICCHG.SYS [6/6/2000 11:08 AM 21233]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
    S2 NecUsb3;USB3 Service;c:\windows\System32\svchost.exe -k NecUsb3Sevic [8/4/2004 5:00 AM 14336]
    S2 TCAITDI;TCAITDI Protocol;c:\windows\system32\DRIVERS\TCAITDI.sys --> c:\windows\system32\DRIVERS\TCAITDI.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/10/2010 10:42 AM 135664]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WUSB54GV2SVC
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    NecUsb3Sevic REG_MULTI_SZ NecUsb3
    .
    NETSVCS REQUIRES REPAIRS - current entries shown
    6to4
    AppMgmt
    AudioSrv
    Browser
    CryptSvc
    DMServer
    DHCP
    ERSvc
    EventSystem
    FastUserSwitchingCompatibility
    HidServ
    Ias
    Iprip
    Irmon
    LanmanServer
    LanmanWorkstation
    Messenger
    Netman
    Nla
    Ntmssvc
    NWCWorkstation
    Nwsapagent
    Rasauto
    c34nb4c5
    se45obex
    hclinetd
    GBDevice
    MTDVC2_ENUM
    ibmcicstransactiongateway
    win32sl
    basic2
    DritekPortIO
    tifsfilter
    btwdndis
    Defrag32
    nuvaud2
    USB_RNDIS_XP
    nbservice
    niorbk
    w810mgmt
    sglogplayer
    KMWDFilter
    InCDsrvR
    AYDrvNT_ALYAC
    3compxe
    cwcwdm
    wanatw
    autostore
    W700mdfl
    sscdmdm
    hpconfig
    ZSMC303
    atixsaudio
    epson_pm_rpcv2_02
    coste
    dmisrv
    ABVPN2K
    X10UIF
    asusgsb
    sfman
    RimSerPort
    iomegaaccess
    SiSGbeXP
    timounter
    Gernuwa
    se58mdm
    OsaFsLoc
    Anydlc
    veteboot
    axskbus
    sonicatheaterinstallerservice
    roxupnprenderer
    kbdhid
    sifilter
    rtm
    Pcatip
    WacomVKHid
    PCDRSRVC
    rtport
    avsinc
    lxby_device
    rt2500
    cvsnt
    rslinx
    streamip
    elbycdfl
    CTMSHD
    emupia
    anydvd
    ati2mtaa
    wmccds
    LVPrcMon
    basfipm
    BrUsbSer
    DCamUSBSQTECH
    zpcollector
    avgio
    RMCAST
    hcmon
    WmaCVideo32
    genregistrar
    tfsnboio
    dwusbdnt
    mssqlserver
    s7otranx
    ATIVTUTW
    akshhl
    giveio
    apfiltrservice
    aolservice
    AR5523
    utilman
    vpcnets2
    oracleorahomedatagatherer
    nim32
    bcm4sbxp
    FTSER2K
    Defrag32b
    kavsvc
    vrmonsvc
    inort
    v124
    awhost32
    spbbcdrv
    SimpTcp
    odysseyIM3
    CTAudSvcService
    asapiw2k
    se45bus
    surveyor
    epgspooler
    smartscaps
    U3sHlpDr
    wusb54gv2svc
    RMSvc
    ndasbus
    vrfwsvc
    mcmscsvc
    mindrepair
    dlacdbhm
    iPassPeriodicUpdateService
    icepack
    CamAv
    BCMTPM
    WinDriver6
    uhcd
    ASInsHelp
    Sntnlusb
    citrixxteserver
    sptisrv
    CTEDSPIO.DLL
    roxupnpserver
    zebrsce
    dladresn
    TdmService
    elnkservice
    Cam5603D
    symdns
    vpcusb
    lanusb
    mpfp
    sit_mdm
    AsuhfivrO
    sscdserd
    pnkbstrb
    se2Cunic
    sfilter
    om518p
    WISTechVIDCAP
    mr2kserv
    bdrsdrv
    flashcom
    profos
    pdlnemap
    clisvc
    pxhelp20
    nisvcloc
    se44mgmt
    dbmanagerscheduler
    rwbackupsrv
    UMAXPCLS
    bthport
    FINEPIX_PCC
    radclock
    Si3132r5
    bt3cser
    uisp
    TMHIDSRV
    WUSB54Gv4SVC
    mqdmbus
    merakpop3
    picturetaker
    crystaloutputfileserver
    USBModem
    bthusb
    bdss
    nvgts
    cqmgstor
    rpcnet
    dlcj_device
    dcpflics
    IPFilter
    db2das00
    VCAM
    lxrsii1s
    lxda_device
    mksvirmonsvc
    iastor
    icollectservice
    s716mgmt
    ood2000
    NETGEAR_MA111
    VSP1284D
    omniusbl
    tdimsys
    SaiMini
    asctrm
    HSXHWBS2
    lirsgt
    comhost
    dcevt32
    procexp100
    PTDCBus
    bgsvcgen
    avidsdmservice
    {d31a0762-0ceb-444e-acff-b049a1f6fe91}
    phnxvcdservice
    ovepstatusengine
    avg7updsvc
    se58nd5
    UMPass
    areschatserver
    hcwPP2
    dm1service
    hf30service
    pdlncfwk
    cxlpt
    camdrl
    teefer2
    vmauthdservice
    cwafrmiregistry
    syslogd
    Rasman
    Remoteaccess
    Schedule
    Seclogon
    SENS
    Sharedaccess
    SRService
    Tapisrv
    Themes
    TrkWks
    W32Time
    WZCSVC
    Wmi
    WmdmPmSp
    winmgmt
    wscsvc
    xmlprov
    BITS
    wuauserv
    ShellHWDetection
    helpsvc
    WmdmPmSN
    napagent
    hkmsvc
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-16 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
    .
    2012-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-10 17:42]
    .
    2012-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-10 17:42]
    .
    2012-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-839522115-682003330-1004Core.job
    - c:\documents and settings\Mary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-17 00:57]
    .
    2012-04-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-839522115-682003330-1004UA.job
    - c:\documents and settings\Mary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-17 00:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    LSP: mswsock.dll
    TCP: DhcpNameServer = 192.168.0.1 192.168.0.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
    HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
    HKLM-Run-ROC_roc_dec12 - c:\program files\AVG Secure Search\ROC_roc_dec12.exe
    HKU-Default-RunOnce-AutoLaunch - c:\program files\Lavasoft\Ad-Aware\AutoLaunch.exe
    Notify-NecUsb3Sevices - USB3Sw32.dll
    Notify-USB3Sw32 - (no file)
    AddRemove-The Weather Channel Desktop 6 - c:\program files\The Weather Channel FW\Desktop\TheWeatherChannelCustomUninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-05 18:29
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\windows\$NtUninstallKB55715$:SummaryInformation 0 bytes hidden from API
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(676)
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    - - - - - - - > 'lsass.exe'(732)
    c:\windows\system32\mswsock.dll
    mswsock.dll 71a50000 258048 \\.\globalroot\systemroot\system32\mswsock.dll
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(1748)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Google\Update\1.3.21.111\GoogleCrashHandler.exe
    c:\program files\LogMeIn\x86\RaMaint.exe
    c:\program files\LogMeIn\x86\LogMeIn.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\\.\globalroot\SystemRoot\system32\svchost.exe
    c:\program files\Google\Update\Install\{2B244839-B196-41C7-9AFB-825BE3AC00DA}\chrome_updater.exe
    c:\windows\system32\config\SYSTEM~1\LOCALS~1\Temp\CR_59F10.tmp\setup.exe
    c:\windows\system32\logonui.exe
    .
    **************************************************************************
    .
    Completion time: 2012-04-05 18:37:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-06 01:37
    .
    Pre-Run: 141,382,328,320 bytes free
    Post-Run: 143,300,780,032 bytes free
    .
    - - End Of File - - F7550308EE93021F767838FC3EA1302B




    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.MN.11.DTAPRN
    ----- EOF -----
  8. castironchef

    castironchef Newcomer, in training Topic Starter Posts: 20

    Aqlw

    It looks like our posts missed each other by just a few minutes. First off, yes I did run AppRemover before starting the CF process. After it hung in standard mode I went into safe mode and it ran well all the way to the final reboot, where it hung. After 20 hours or so I rebooted manually and the log that I posted above was created.

    I'm not sure what to make of the retinaengine or PC Tools firewall. I didn't put either of those into her box when I built it but it's quite possible that they snuck in there through another download. They were not picked up by AppRemover, only AVG was.

    Since you have the CF log, are the RKill and exehelper steps still recommended? You also requested an online virus scan. Would that be something like the ESET that I have seen noted on other discussions? I, and my mother, thank you.
  9. castironchef

    castironchef Newcomer, in training Topic Starter Posts: 20

    I went ahead and ran the ESET Online scan (with the remove found threats unchecked) as it seemed to be a reasonable and harmless course of action. With the exception of one unexpected trojan on the storage (D:\) drive, the findings were not much of a surprise. The log is posted below. Let me know what to do next and I'll get on it promptly. Thanks.

    C:\Qoobox\Quarantine\C\WINDOWS\system32\s217unic.dll.vir probably a variant of Win32/Sirefef.ER trojan
    C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\afd.sys.vir Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{9F6C8E90-C852-49CB-9BF6-5B58E13287FB}\RP1196\A0092747.dll probably a variant of Win32/Sirefef.ER trojan
    C:\System Volume Information\_restore{9F6C8E90-C852-49CB-9BF6-5B58E13287FB}\RP1196\A0092748.dll probably a variant of Win32/Sirefef.ER trojan
    C:\System Volume Information\_restore{9F6C8E90-C852-49CB-9BF6-5B58E13287FB}\RP1196\A0092761.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{9F6C8E90-C852-49CB-9BF6-5B58E13287FB}\RP1196\A0093180.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{9F6C8E90-C852-49CB-9BF6-5B58E13287FB}\RP1196\A0093306.dll probably a variant of Win32/Sirefef.ER trojan
    C:\System Volume Information\_restore{9F6C8E90-C852-49CB-9BF6-5B58E13287FB}\RP1196\A0094278.sys a variant of Win32/Sirefef.DA trojan
    C:\WINDOWS\system32\w800mdm.dll probably a variant of Win32/Sirefef.ER trojan
    C:\WINDOWS\system32\drivers\netbt.sys a variant of Win32/Sirefef.DA trojan
    D:\Program Files\Norton AntiVirus\setup.exe Win32/TrojanDownloader.Agent.QXU.Gen trojan
    Operating memory multiple threats
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    It looks like you tried to install Norton AV outside of the suite it's in. Wherever you got it, you also got a Trojan with the setup you tried.

    I think we are at an impasse. We have removed many Win32/Sirefef.ER trojan and variant Win32/Sirefef.DA trojan. There is still active infection and there is a vital system process that is infected and has to be removed. A program can be run to look for a clean copy on the system and if found, I can replace the infected file. The problem is that you will not be able to have the remote connection to help her.

    There is also a great problem with Services and drivers not running due to the 2 reasons I previously gave. And if you view the Combofix log, you will see 'NetSvrs need repair' followed by a long string of Services. So because of the matters of 'access denied', 'module can't be found' and the infected 'netbt.sys' driver, plus the still active Sirefef, I regretfully advise you that the system needs a reformat/reinstall.

    The error examples and others I checked were legitimate processes. Something in the system is looking for them. They are not drive by malware.

    The thought has also occurred to me that the OS might not be a legitimate copy, with license and validation.

    I don't know how you will work this, but the computer has been compromised and is not safe for your mother to use. Please have her change all of the passwords and monitor any online financial processes.

    I don't know whether the two of you can work this out, but you will find excellent reformat/reinstall instructions here:
    http://www.tech-101.com/support/ind...and-repair-xp-vista-7/page__p__5329#entry5329

    I'm sorry the news isn't better.
  11. castironchef

    castironchef Newcomer, in training Topic Starter Posts: 20

    Not exactly what I was hoping to hear. The software is definitely all legit and paid for, and the Norton reference was from an online download from around 5 years ago. I noticed that the Gen.trojan is sometimes associated with false positives, but either way that is just an old drive on the system that doesn't get accessed.

    Is there any possibility that the large number of access denied and services needing repair has anything to do with me using logmein at the time the scans were being run?

    Is it possible to eliminate all traces of Sirefef using a tool or combination of them and then do a repair install of XP?

    I was aware of the scorched earth option from the outset but would still like to avoid it if at all possible. I'm going to work on transferring documents and mail settings right now as I think that needs to be done regardless of what the next step will be. Thanks again for all your help.
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I'm going to reopen this thread only to make the following comment, again:

    The system is incorrectly configured. Coupled with the malware that was found, the only solution I can offer is to reformat and reinstall the operating system. After that has been done, the entire system should be checked for correct configuration, to include Services, Drivers and Permissions.