ComboFix 13-07-11.03 - Tim 07/11/2013 14:19:04.1.3 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2662 [GMT -5:00]
Running from: c:\documents and settings\Tim\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\spnsrv9x.exe
c:\documents and settings\Tim\Desktop\Internet Explorer.lnk
c:\documents and settings\Tim\WINDOWS
C:\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2013-06-11 to 2013-07-11 )))))))))))))))))))))))))))))))
.
.
2013-07-11 19:16 . 2013-07-11 19:16 -------- d--h--w- c:\windows\PIF
2013-07-11 17:43 . 2013-07-11 17:43 -------- d-----w- C:\017cbb53a3728a87dd76
2013-07-11 14:31 . 2013-07-11 14:31 -------- d-----w- C:\_OTL
2013-07-11 12:41 . 2013-07-11 17:36 -------- d-----w- c:\windows\SxsCaPendDel
2013-07-10 19:11 . 2013-07-10 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\ErrorEND
2013-07-10 18:56 . 2013-07-10 18:56 15960 ----a-w- C:\FixitRegBackup.reg
2013-07-10 18:41 . 2013-07-10 18:41 -------- d-----w- c:\program files\Common Files\Windows Live
2013-06-27 13:48 . 2013-06-27 13:48 -------- d-----w- c:\documents and settings\Tim\Application Data\Oracle
2013-06-27 13:47 . 2013-06-27 13:47 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-06-27 13:47 . 2013-06-27 13:47 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-06-21 12:37 . 2013-07-11 12:42 -------- d-----w- c:\program files\Microsoft
2013-06-21 12:36 . 2012-10-17 09:04 580712 ------w- c:\windows\system32\HPDiscoPM5312.dll
2013-06-21 12:36 . 2012-09-12 12:43 496016 ----a-w- c:\windows\system32\HPWia1_OJ8500_A910.dll
2013-06-21 12:36 . 2012-09-12 12:43 1979280 ----a-w- c:\windows\system32\HPScanTRDrv_OJ8500_A910.dll
2013-06-21 12:36 . 2012-09-12 12:43 529296 ----a-w- c:\windows\system32\hpinksts5312.dll
2013-06-21 12:36 . 2012-09-12 12:43 269200 ----a-w- c:\windows\system32\hpinksts5312LM.dll
2013-06-21 12:36 . 2012-09-12 12:43 221072 ----a-w- c:\windows\system32\hpinkcoi5312.dll
2013-06-21 12:36 . 2012-09-12 12:04 2216848 ----a-w- c:\windows\system32\hpinkins5312.exe
2013-06-19 20:50 . 2013-06-19 20:50 -------- d-----w- c:\documents and settings\Employees\Local Settings\Application Data\Logitech® Webcam Software
2013-06-19 20:48 . 2013-06-19 20:48 -------- d-----w- c:\documents and settings\Employees\Application Data\Mobisynapse
2013-06-19 20:48 . 2013-06-19 20:48 -------- d-----w- c:\documents and settings\Employees\Application Data\Apple Computer
2013-06-18 17:55 . 2013-06-18 17:55 -------- d-----w- c:\documents and settings\Tim\Local Settings\Application Data\ESRI
2013-06-18 17:55 . 2013-06-18 17:55 -------- d-----w- c:\documents and settings\Tim\Application Data\esri
2013-06-14 20:53 . 2013-06-14 20:53 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2013-06-14 13:40 . 2013-06-14 13:40 -------- d-----w- c:\windows\Downloaded Program Files
2013-06-13 15:59 . 2013-06-14 18:42 -------- d-----w- c:\documents and settings\Tim\Application Data\Apple Computer
2013-06-13 15:54 . 2013-06-13 15:54 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2013-06-13 15:54 . 2013-06-13 15:54 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2013-06-13 15:54 . 2013-06-13 15:54 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2013-06-13 15:54 . 2013-06-13 15:54 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2013-06-13 15:54 . 2013-06-13 15:54 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2013-06-13 15:54 . 2013-06-13 15:54 -------- d-----w- c:\program files\QuickTime
2013-06-13 15:54 . 2013-06-13 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2013-06-13 15:54 . 2013-06-13 15:54 -------- d-----w- c:\documents and settings\Tim\Local Settings\Application Data\Apple
2013-06-13 15:54 . 2013-06-13 15:54 -------- d-----w- c:\documents and settings\Tim\Local Settings\Application Data\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-27 13:47 . 2012-10-29 13:58 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-06-27 13:47 . 2012-10-29 13:58 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-08 12:14 . 2012-10-31 17:58 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2013-06-08 12:14 . 2012-10-31 17:58 53064 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2013-06-08 12:14 . 2012-10-31 17:58 31560 ----a-w- c:\windows\system32\LMIport.dll
2013-06-08 12:14 . 2012-10-31 17:58 92488 ----a-w- c:\windows\system32\LMIinit.dll
2013-06-08 04:55 . 2008-04-14 12:00 385024 ------w- c:\windows\system32\html.iec
2013-06-07 21:56 . 2008-04-14 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-06-07 21:56 . 2008-04-14 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-06-07 21:56 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-06-04 07:23 . 2008-04-14 12:00 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40 . 2008-04-14 12:00 1876736 ----a-w- c:\windows\system32\win32k.sys
2013-05-25 12:14 . 2012-10-31 17:58 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2013-05-25 12:14 . 2012-10-31 17:58 92488 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
2013-05-09 05:28 . 2006-10-19 03:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-05-03 18:04 . 2013-05-03 18:04 53248 ----a-r- c:\documents and settings\Tim\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2013-05-03 01:30 . 2008-04-14 12:00 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2008-04-14 00:01 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-05-02 15:28 . 2012-10-30 15:30 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-05-01 08:59 . 2013-05-01 08:59 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2013-05-01 08:59 . 2013-05-01 08:59 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2012-11-08 15:01 1019976 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2012-11-08 15:01 1019976 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2012-11-08 15:01 1019976 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Officejet Pro 8500 A910 (NET)"="c:\program files\HP\HP Officejet Pro 8500 A910\Bin\ScanToPCActivationApp.exe" [2012-10-17 1837672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-07-28 98304]
"RTHDCPL"="RTHDCPL.EXE" [2011-10-14 20064872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2013-05-31 2786104]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2012-10-10 63048]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2012-11-08 1065032]
"VMM Mode Selection"="c:\program files\HTC\ModeSelection\VMMModeSelection.exe" [2011-02-14 43520]
"PDFPrint"="c:\program files\PDF24\pdf24.exe" [2012-12-12 163000]
"MobisynapseSyncHelper"="c:\program files\Mobisynapse\MobisynapseSyncHelper.exe" [2013-02-01 71024]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2012-09-13 204136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2013-05-01 421888]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]
Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe /Startup [2012-10-25 6258488]
QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2012\QBW32.EXE -silent [2013-5-31 1182024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2013-06-08 12:14 92488 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Mobisynapse\\Mobisynapse.exe"=
"c:\\Program Files\\Mobisynapse\\MobisynapseSyncHelper.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2012\\QBW32PremierWholesale.exe"=
"c:\\Program Files\\Autodesk\\Autodesk DWF Viewer\\DWFViewer.exe"=
"c:\\Program Files\\Common Files\\Intuit\\QuickBooks\\QBServerUtilityMgr.exe"=
"c:\\Program Files\\AutoCAD 2002\\acad.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2012\\QBDBMgrN.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2012\\QBW32.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2012\\DBManagerExe.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2012\\FileManagement.exe"=
"c:\\Program Files\\Common Files\\Intuit\\QuickBooks\\QBCFMonitorService.exe"=
"c:\\Program Files\\Common Files\\Intuit\\QuickBooks\\QBLaunch.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8019:TCP"= 8019:TCP:QB2
"56723:TCP"= 56723:TCP:qb3
"55353:TCP"= 55353:TCP:qb4
"55354:TCP"= 55354:TCP:qb5
"55355:TCP"= 55355:TCP:qb6
"55356:TCP"= 55356:TCP:qb7
"55357:TCP"= 55357:TCP:qb8
"80:UDP"= 80:UDP:qb11
"8019:UDP"= 8019:UDP:qb12
"56723:UDP"= 56723:UDP:qb13
"55353:UDP"= 55353:UDP:qb14
"55354:UDP"= 55354:UDP:qb15
"55355:UDP"= 55355:UDP:qb16
"55356:UDP"= 55356:UDP:qb17
"55357:UDP"= 55357:UDP:qb18
.
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/19/2012 6:08 PM 375120]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/24/2012 2:41 PM 13624]
R2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [12/6/2011 6:40 AM 1248256]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [10/29/2012 7:50 AM 36096]
R3 ustp2;ustp2;c:\windows\system32\drivers\ustp2.sys [11/15/2012 2:18 PM 19840]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/29/2012 8:50 AM 1691480]
S3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [12/24/2008 5:40 AM 80256]
S3 qcserxp;HTC Diagnostic Port;c:\windows\system32\drivers\qcserxp.sys [12/5/2012 9:38 AM 103424]
S3 qcusbser;Qualcomm USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcmdmxp.sys [12/5/2012 9:38 AM 105984]
S3 QuickBooksDB22;QuickBooksDB22;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB22 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB22 [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-07-11 17:38 1173456 ----a-w- c:\program files\Google\Chrome\Application\28.0.1500.71\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-11 c:\windows\Tasks\CopyBackups.job
- c:\backups\CopyBackups.bat [2010-01-06 13:32]
.
2013-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-27 21:24]
.
2013-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-27 21:24]
.
2013-07-11 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 17:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: wellsfargo.com
TCP: DhcpNameServer = 192.168.1.1
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-11 14:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1644491937-287218729-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2013-07-11 14:23:12
ComboFix-quarantined-files.txt 2013-07-11 19:23
.
Pre-Run: 63,512,580,096 bytes free
Post-Run: 63,475,646,464 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - B91EF1CFA06562A954BE5DE53F53EA40 8F558EB6672622401DA993E1E865C861