haroldm

Everything posted by haroldm

  1. Problem started yesterday morning. Peachtree accounting program would start to open, then freeze. Tried to open task manager to kill it, it opens then closes. Ran free MBAM and did a scan. It didn't find anything. Ran adwcleaner, it found a couple of things and removed them, still same problem. In safe mode taskmgr works. Created a new user, logged in, same problem. Ran TDSSKiller, found nothing. Ran sfc /scannow, it found no problems. Tried to do a system restore to the previous day, it wouldn't work, gave an error about a possible anti-virus problem so I disabled Norton Security and tried again, same anti-virus issue. Ran FRST and didn't see anything glaring but I'm not an expert. Also ran MBAR but don't remember the outcome. Just ran MBAR again, no issues detected. Any help would be greatly appreciated. Harold (Attachments: AdwCleaner[C00].txt, AdwCleaner[S00].txt, AdwCleaner[S01].txt, AdwCleaner[C01].txt, AdwCleaner[S02].txt, Addition.txt, FRST.txt)
  2. I think you may have gotten it this time. I'm not constantly getting the popup from Norton saying it blocked something. I cleared Firefox's cache before going to any websites, so that may have helped too. I'll keep testing for a while. Thanks again.
  3. Not really... I have a number of custom settings in it, a static IP address, custom port redirects for the FTP server, etc. This PC is not normally on my network; my brother brought it to me to try to fix because he is not computer literate.
  4. and I'm continuously having the issue where Norton blocks attempts.
  5. They're back..... "Ads by name" popups are back. Attached is the new frst.txt.
  6. Thank you for your assistance and the recommended software list. I wasn't aware MBAE existed. I'll be buying you a beer. CHEERS !!
  7. The popups seem to be gone..... tks. Occasionally though, I'll click on a link or the play button on a video, and another tab will open up (the webpage it tries to load is different every time) and I'll get a message from Norton saying "Norton blocked an attack by Web Attack: Fake Scan Webpage 7". Not sure if that's spyware or something else, but at least Norton seems to be doing its job.
  8. Logs attached. Thanks for your prompt reply. (Attachments: Addition.txt, FRST.txt)
  9. My brother's PC is having an issue with something called "ads by name". He uses Firefox exclusively and I have run every removal program I know of with no luck. The machine is running Windows 7 Home Premium 64 bit, and is an HP Pavilion desktop PC. I have run the following programs to attempt to remove this problem: Malwarebytes, AdwCleaner, JRT, Norton Anti-virus, FRST-64bit, tdsskiller, HitmanPro 64bit. The problem is popup ads. Every time I click on a link from Yahoo.com (or any other major site, like Aol, MSN, etc.), 2 or 3 more tabs will pop up wanting me to purchase something and little banner ads pop up all over the screen. I have gone into "addons" in Firefox and disabled or removed anything that looked suspicious or that I didn't know what it was. I have even "Reset" Firefox but that didn't help either. Any help would be greatly appreciated.
  10. Here's the log file. Everything seems to be working better. Should I run defogger again and re-enable emulation ? Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-01-2015 Ran by default (administrator) on WIERSON on 13-01-2015 13:25:10 Running from C:\Documents and Settings\default\Desktop Loaded Profile: default (Available profiles: default & Ellie Wierson & Administrator) Platform: Microsoft Windows XP Service Pack 3 (X86) OS Language: English (United States) Internet Explorer Version 8 (Default browser: IE) Boot Mode: Normal Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe (Intel Corporation) C:\WINDOWS\system32\IPROSetMonitor.exe (Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (Symantec Corporation) C:\Program Files\Norton AntiVirus\Engine\21.6.0.32\nav.exe () C:\Program Files\CyberLink\Shared files\RichVideo.exe (Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe (Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_comm_customer.exe (Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_system_customer.exe (Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_host.exe (Citrix Online, a division of Citrix Systems, Inc.) 
C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_user_customer.exe (Symantec Corporation) C:\Program Files\Norton AntiVirus\Engine\21.6.0.32\nav.exe (CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe (Intel Corporation) C:\WINDOWS\system32\igfxtray.exe (Intel Corporation) C:\WINDOWS\system32\hkcmd.exe (Intel Corporation) C:\WINDOWS\system32\igfxpers.exe (Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE (Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe () C:\Program Files\Unlocker\UnlockerAssistant.exe (Eastman Kodak Company) C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe () C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe (Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe (Hewlett-Packard Co.) C:\Program Files\HP\HP Photosmart 6520 series\Bin\HPNetworkCommunicatorCom.exe (Microsoft Corporation) C:\WINDOWS\system32\taskmgr.exe ==================== Registry (Whitelisted) ================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKLM\...\Run: [NeroFilterCheck] => C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [155648 2006-01-12] (Nero AG) HKLM\...\Run: [RemoteControl9] => C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2009-07-06] (CyberLink Corp.) HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\qttask.exe [421888 2012-04-18] (Apple Inc.) HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [19722344 2011-01-26] (Realtek Semiconductor Corp.) 
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard) HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated) HKLM\...\Run: [unlockerAssistant] => C:\Program Files\Unlocker\UnlockerAssistant.exe [17408 2010-07-04] () Winlogon\Notify\GoToAssist Express Customer: C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_winlogon.dll (Citrix Online, a division of Citrix Systems, Inc.) HKU\S-1-5-18\...\Policies\Explorer: [CDRAutoRun] 0 Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk ShortcutTarget: Kodak EasyShare software.lnk -> C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company) Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk ShortcutTarget: KODAK Software Updater.lnk -> C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe () Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation) Startup: C:\Documents and Settings\default\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Photosmart 6520 series (Network).lnk ShortcutTarget: Monitor Ink Alerts - HP Photosmart 6520 series (Network).lnk -> C:\Program Files\HP\HP Photosmart 6520 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.) ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION HKU\S-1-5-21-1935655697-329068152-839522115-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome HKU\S-1-5-21-1935655697-329068152-839522115-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://cableone.net/ HKU\S-1-5-21-1935655697-329068152-839522115-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKU\S-1-5-21-1935655697-329068152-839522115-1003 -> {5828B99C-25EC-47B9-A363-B04BF50F4B14} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage} SearchScopes: HKU\S-1-5-21-1935655697-329068152-839522115-1003 -> {87B4AD04-1AFD-470B-9F3D-CCDDC868A750} URL = http://www.bing.com/search?FORM=UP94DF&PC=UP94&dt=092813&q={searchTerms}&src=IE-SearchBox SearchScopes: HKU\S-1-5-21-1935655697-329068152-839522115-1003 -> {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = BHO: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Norton AntiVirus\Engine\21.6.0.32\IPS\IPSBHO.DLL (Symantec Corporation) BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation) BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation) BHO: HP 
Smart Print Helper -> {FD6C6509-FE36-44B0-A917-6C2A0DDBDF88} -> C:\Program Files\Hewlett-Packard\Smart Print 2.1\Espresso.dll (Hewlett-Packard) Toolbar: HKU\S-1-5-21-1935655697-329068152-839522115-1003 -> No Name - {A13C2648-91D4-4BF3-BC6D-0079707C4389} - No File DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft.com/fwlink/?linkid=58813 DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1341700385640 DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation) Tcpip\Parameters: [DhcpNameServer] 24.116.0.53 24.116.2.50 FireFox: ======== FF ProfilePath: C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yl60un9q.default FF DefaultSearchEngine: Wikipedia (en) FF SelectedSearchEngine: Wikipedia (en) FF Homepage: www.google.com FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_15_0_0_246.dll () FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation) FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation) FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation) FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft 
Corporation) FF Plugin: @rocketlife.com/RocketLife Secure Plug-In Layer;version=1.0.5 -> C:\Documents and Settings\All Users\Application Data\Visan\plugins\npRLSecurePluginLayer.dll (RocketLife, LLP) FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-01-03] Chrome: ======= CHR Profile: C:\Documents and Settings\default\Local Settings\Application Data\Google\Chrome\User Data\Default CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\default\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-12-01] CHR Extension: (Google Wallet) - C:\Documents and Settings\default\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-01] ========================== Services (Whitelisted) ================= (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) R2 GoToAssist Remote Support Customer; C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe [610888 2014-12-29] (Citrix Online, a division of Citrix Systems, Inc.) 
R2 Intel® PROSet Monitoring Service; C:\WINDOWS\system32\IProsetMonitor.exe [110752 2010-09-22] (Intel Corporation) R2 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [61440 2006-12-14] (Hewlett-Packard Company) [File not signed] R2 NAV; C:\Program Files\Norton AntiVirus\Engine\21.6.0.32\NAV.exe [262968 2014-09-21] (Symantec Corporation) S3 NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [262144 2006-12-23] (Nero AG) [File not signed] R2 RichVideo; C:\Program Files\CyberLink\Shared files\RichVideo.exe [271760 2009-04-27] () S3 COMSysApp; %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} S3 SwPrv; C:\WINDOWS\system32\dllhost.exe /Processid:{37A67D94-70A9-4397-BE5B-E044A7070AA0} ==================== Drivers (Whitelisted) ==================== (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1691480 2011-01-26] (Creative) S3 AON325; C:\WINDOWS\System32\DRIVERS\AON325.SYS [46976 2003-01-22] (AOpen Inc ) R1 BHDrvx86; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\BASHDefs\20141209.001\BHDrvx86.sys [1138392 2014-10-03] (Symantec Corporation) R1 ccSet_NAV; C:\WINDOWS\system32\drivers\NAV\1506000.020\ccSetx86.sys [127064 2013-09-25] (Symantec Corporation) R3 e1cexpress; C:\WINDOWS\System32\DRIVERS\e1c5132.sys [174248 2011-01-03] (Intel Corporation) R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-12-11] (Symantec Corporation) R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-12-15] (Symantec Corporation) R3 IDSxpx86; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\IPSDefs\20150108.002\IDSxpx86.sys [475288 2015-01-11] (Symantec Corporation) R3 MEI; C:\WINDOWS\System32\DRIVERS\HECI.sys [41088 
2011-01-23] (Intel Corporation) S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1395800 2011-01-26] (Creative Technology Ltd.) S3 NAVENG; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\VirusDefs\20150112.035\NAVENG.SYS [95704 2015-01-07] (Symantec Corporation) S3 NAVEX15; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\VirusDefs\20150112.035\NAVEX15.SYS [1636696 2015-01-07] (Symantec Corporation) S3 SRTSP; C:\WINDOWS\System32\Drivers\NAV\1506000.020\SRTSP.SYS [664792 2014-08-25] (Symantec Corporation) R1 SRTSPX; C:\WINDOWS\system32\drivers\NAV\1506000.020\SRTSPX.SYS [32984 2014-08-25] (Symantec Corporation) R0 SymDS; C:\WINDOWS\System32\drivers\NAV\1506000.020\SYMDS.SYS [367704 2013-07-31] (Symantec Corporation) R0 SymEFA; C:\WINDOWS\System32\drivers\NAV\1506000.020\SYMEFA.SYS [936152 2014-03-03] (Symantec Corporation) R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [142936 2013-10-07] (Symantec Corporation) R1 SymIRON; C:\WINDOWS\system32\drivers\NAV\1506000.020\Ironx86.SYS [209624 2014-08-06] (Symantec Corporation) R1 SYMTDI; C:\WINDOWS\System32\Drivers\NAV\1506000.020\SYMTDI.SYS [423256 2014-02-17] (Symantec Corporation) S3 {6080A529-897E-4629-A488-ABA0C29B635E}; C:\WINDOWS\System32\drivers\ialmsbw.sys [122942 2004-05-20] (Intel Corporation) S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}; C:\WINDOWS\System32\drivers\ialmkchw.sys [99002 2004-05-20] (Intel Corporation) S3 catchme; \??\C:\ComboFix\catchme.sys [X] U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation) U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [4096 2010-07-04] () [File not signed] ==================== NetSvcs (Whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.) 
==================== One Month Created Files and Folders ======== (If an entry is included in the fixlist, the file\folder will be moved.) 2015-01-13 13:25 - 2015-01-13 13:25 - 00014886 _____ () C:\Documents and Settings\default\Desktop\FRST.txt 2015-01-13 12:23 - 2002-03-13 06:57 - 00024576 _____ (BackWeb) C:\Documents and Settings\default\Local Settings\TempIadHide3.dll 2015-01-13 12:09 - 2015-01-13 12:26 - 00000000 ____D () C:\Program Files\Unlocker 2015-01-13 12:09 - 2015-01-13 12:09 - 00000000 ____D () C:\Documents and Settings\default\Start Menu\Programs\Unlocker 2015-01-13 11:35 - 2015-01-13 11:35 - 00011449 _____ () C:\ComboFix.txt 2015-01-13 11:35 - 2015-01-13 11:35 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp 2015-01-13 11:35 - 2015-01-13 11:35 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp 2015-01-13 11:35 - 2015-01-13 11:35 - 00000000 ____D () C:\Documents and Settings\Ellie Wierson\Local Settings\temp 2015-01-13 11:35 - 2015-01-13 11:35 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp 2015-01-13 01:30 - 2015-01-13 13:25 - 00000000 ____D () C:\Documents and Settings\default\Local Settings\temp 2015-01-12 12:58 - 2015-01-12 12:56 - 00000114 _____ () C:\Documents and Settings\default\My Documents\CFScript.txt 2015-01-12 11:20 - 2015-01-12 11:20 - 01115648 _____ (Farbar) C:\Documents and Settings\default\Desktop\frst.exe 2015-01-11 12:30 - 2015-01-11 12:29 - 00000409 _____ () C:\Documents and Settings\default\My Documents\fixlist.txt.don.txt 2015-01-11 12:23 - 2015-01-11 12:23 - 00000000 ____D () C:\Program Files\Common Files\Java 2015-01-11 12:19 - 2015-01-11 12:26 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Oracle 2015-01-10 19:33 - 2015-01-10 19:33 - 00000000 _____ () C:\Documents and Settings\default\defogger_reenable 2014-12-30 16:49 - 2014-12-30 16:49 - 00002347 _____ () C:\Documents and Settings\All Users\Start 
Menu\Programs\Adobe Reader XI.lnk 2014-12-30 16:49 - 2014-12-30 16:49 - 00001734 _____ () C:\Documents and Settings\All Users\Desktop\Adobe Reader XI.lnk 2014-12-30 16:48 - 2014-12-30 16:49 - 00000000 ____D () C:\Program Files\Common Files\Adobe 2014-12-30 16:25 - 2014-12-30 16:25 - 00000000 _RSHD () C:\cmdcons 2014-12-30 16:25 - 2012-07-07 09:38 - 00000211 _____ () C:\Boot.bak 2014-12-30 16:25 - 2004-08-03 23:00 - 00260272 __RSH () C:\cmldr 2014-12-30 16:23 - 2015-01-13 11:35 - 00000000 ____D () C:\Qoobox 2014-12-30 16:23 - 2011-06-26 00:45 - 00256000 _____ () C:\WINDOWS\PEV.exe 2014-12-30 16:23 - 2010-11-07 11:20 - 00208896 _____ () C:\WINDOWS\MBR.exe 2014-12-30 16:23 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe 2014-12-30 16:23 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe 2014-12-30 16:23 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe 2014-12-30 16:23 - 2000-08-30 18:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe 2014-12-30 16:23 - 2000-08-30 18:00 - 00098816 _____ () C:\WINDOWS\sed.exe 2014-12-30 16:23 - 2000-08-30 18:00 - 00080412 _____ () C:\WINDOWS\grep.exe 2014-12-30 16:23 - 2000-08-30 18:00 - 00068096 _____ () C:\WINDOWS\zip.exe 2014-12-30 16:22 - 2014-12-30 16:29 - 00000000 ____D () C:\WINDOWS\erdnt 2014-12-30 13:49 - 2014-12-30 13:49 - 00000000 ____D () C:\WINDOWS\ERUNT 2014-12-30 13:18 - 2015-01-11 12:21 - 00272296 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe 2014-12-30 13:18 - 2015-01-11 12:21 - 00176552 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe 2014-12-30 13:18 - 2015-01-11 12:21 - 00176552 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe 2014-12-30 13:18 - 2015-01-11 12:21 - 00146432 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl 2014-12-30 13:18 - 2015-01-11 12:21 - 00096680 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll 2014-12-30 13:18 - 2014-12-30 13:18 - 00000000 ____D () C:\Documents and 
Settings\All Users\Start Menu\Programs\Java 2014-12-30 13:17 - 2014-12-30 13:18 - 00004673 _____ () C:\WINDOWS\system32\jupdate-1.7.0_71-b14.log 2014-12-29 18:07 - 2015-01-13 13:24 - 00000000 ____D () C:\Documents and Settings\default\Desktop\Spyware removal 2014-12-29 16:04 - 2015-01-13 13:25 - 00000000 ____D () C:\FRST 2014-12-29 15:56 - 2014-12-29 15:56 - 00000000 ____D () C:\Documents and Settings\default\Start Menu\Programs\Citrix 2014-12-29 15:40 - 2014-12-29 15:56 - 00001219 _____ () C:\Documents and Settings\default\Desktop\GoToAssist Customer.lnk 2014-12-29 13:06 - 2015-01-10 19:44 - 00000000 ____D () C:\AdwCleaner 2014-12-29 10:06 - 2015-01-10 19:51 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys 2014-12-29 10:05 - 2014-12-30 14:29 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware 2014-12-29 10:05 - 2014-12-29 10:05 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware 2014-12-29 10:05 - 2014-11-21 06:14 - 00054360 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys 2014-12-29 10:05 - 2014-11-21 06:14 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys 2014-12-26 19:05 - 2014-12-26 19:05 - 00065536 _____ () C:\WINDOWS\Minidump\Mini122614-01.dmp ==================== One Month Modified Files and Folders ======= (If an entry is included in the fixlist, the file\folder will be moved.) 
2015-01-13 13:25 - 2012-05-01 13:38 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job 2015-01-13 13:16 - 2013-09-23 17:01 - 00000494 _____ () C:\WINDOWS\Tasks\HP Photo Creations Communicator.job 2015-01-13 12:40 - 2012-05-04 12:20 - 00002341 _____ () C:\Documents and Settings\default\Desktop\WordPerfect.lnk 2015-01-13 12:32 - 2001-08-23 06:00 - 00012620 _____ () C:\WINDOWS\system32\wpa.dbl 2015-01-13 12:30 - 2007-08-08 12:32 - 01942697 _____ () C:\WINDOWS\WindowsUpdate.log 2015-01-13 12:29 - 2007-08-08 07:23 - 00000159 _____ () C:\WINDOWS\wiadebug.log 2015-01-13 12:29 - 2007-08-08 07:23 - 00000049 _____ () C:\WINDOWS\wiaservc.log 2015-01-13 12:28 - 2007-08-08 12:40 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT 2015-01-13 12:27 - 2007-08-08 12:41 - 00000178 ___SH () C:\Documents and Settings\default\ntuser.ini 2015-01-13 12:27 - 2007-08-08 12:40 - 00032542 _____ () C:\WINDOWS\SchedLgU.Txt 2015-01-13 12:12 - 2010-11-06 22:16 - 00001324 _____ () C:\WINDOWS\system32\d3d9caps.dat 2015-01-13 12:08 - 2007-08-08 12:42 - 00000000 ____D () C:\download 2015-01-13 11:35 - 2007-08-08 12:36 - 00000000 __SHD () C:\Documents and Settings\NetworkService 2015-01-13 11:31 - 2001-08-23 06:00 - 00000227 _____ () C:\WINDOWS\system.ini 2015-01-13 01:13 - 2007-08-08 12:41 - 00000000 ____D () C:\Documents and Settings\default 2015-01-12 02:04 - 2007-08-08 14:48 - 00000000 ____D () C:\Program Files\Common Files\LightScribe 2015-01-11 12:29 - 2012-04-29 18:44 - 00000000 ____D () C:\Program Files\Java 2015-01-10 16:58 - 2012-05-01 13:38 - 00701616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe 2015-01-10 16:58 - 2011-06-02 12:37 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl 2015-01-10 16:57 - 2010-01-03 18:22 - 00000000 ____D () C:\Documents and Settings\default\Local Settings\Application Data\Adobe 2014-12-30 16:52 - 2007-08-08 20:00 - 00002483 _____ () C:\Documents and Settings\default\Desktop\Microsoft 
Word.lnk 2014-12-30 16:48 - 2010-01-03 18:23 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Adobe 2014-12-30 16:48 - 2007-08-08 13:12 - 00000000 ____D () C:\Program Files\Adobe 2014-12-30 16:25 - 2007-08-08 07:19 - 00000327 ___SH () C:\boot.ini 2014-12-30 15:34 - 2012-07-07 16:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB958644$ 2014-12-30 07:52 - 2007-08-08 07:15 - 00000000 ____D () C:\WINDOWS\Help 2014-12-29 11:48 - 2012-07-07 16:52 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2478971$ 2014-12-29 11:26 - 2012-05-01 12:33 - 00025992 ____C (Sysinternals - www.sysinternals.com) C:\WINDOWS\system32\pgdfgsvc.exe 2014-12-29 11:14 - 2010-01-03 15:50 - 00000667 ____C () C:\WINDOWS\pkzipw.INI 2014-12-29 10:05 - 2014-02-17 10:34 - 00000000 ____D () C:\Documents and Settings\default\Application Data\Malwarebytes 2014-12-29 10:05 - 2014-02-17 10:34 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes 2014-12-29 10:04 - 2014-02-17 10:34 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware 2014-12-26 19:05 - 2013-10-20 06:42 - 00000000 ____D () C:\WINDOWS\Minidump 2014-12-26 19:05 - 2012-07-07 04:24 - 2036809728 _____ () C:\WINDOWS\MEMORY.DMP 2014-12-24 23:40 - 2013-09-16 17:16 - 00001742 _____ () C:\Documents and Settings\All Users\Desktop\HP Photo Creations.lnk 2014-12-24 23:40 - 2013-09-16 17:16 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HP Photo Creations 2014-12-17 16:15 - 2014-02-17 11:26 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service 2014-12-17 16:14 - 2014-12-13 16:35 - 00000000 ____D () C:\Program Files\Yahoo! 2014-12-17 16:12 - 2014-12-13 16:37 - 00000000 ____D () C:\Documents and Settings\default\Application Data\Yahoo! 
2014-12-17 16:12 - 2012-11-09 23:11 - 00000000 ____D () C:\Program Files\Google ZeroAccess: C:\Documents and Settings\default\Local Settings\Application Data\Google\Desktop\Install ZeroAccess: C:\Program Files\Google\Desktop\Install ==================== Bamital & volsnap Check ================= (There is no automatic fix for files that do not pass verification.) C:\WINDOWS\explorer.exe => File is digitally signed C:\WINDOWS\system32\winlogon.exe => File is digitally signed C:\WINDOWS\system32\svchost.exe => File is digitally signed C:\WINDOWS\system32\services.exe => File is digitally signed C:\WINDOWS\system32\User32.dll => File is digitally signed C:\WINDOWS\system32\userinit.exe => File is digitally signed C:\WINDOWS\system32\rpcss.dll => File is digitally signed C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed ==================== End Of Log ============================
  11. The only file that wouldn't delete, even in safe mode, was: c:\documents and settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}\ListSvc.dll. It said the file was in use and couldn't be deleted. I downloaded the program Unlocker, which is a program that tries to unlock files that are locked by a Windows process, so they can be deleted. It didn't work in safe mode, but it DID work in normal mode. The folder {377B2A12-6A01-40D9-977F-FDB9149D3896} has been deleted. I rebooted and I now only have one explorer.exe process and it's only taking up 27K of memory. I think you found the problem.
  12. Sorry to take so long to get back to you. For some reason the forums did not email me this time that you had replied. To work on this machine, I'm using a program called Citrix Goto Assist, which allows me to remote control the PC without user intervention. It does allow me to reboot in safe mode, but when I dragged the CFScript on top of the Combofix icon, it disconnects me and I have to re-connect to the machine after a few minutes. When I re-connected, the PC was back in normal mode so I assume it rebooted, but combofix was still running and here is the log. However, I don't know whether it actually ran in safe mode or not.

ComboFix 15-01-08.01 - default 01/13/2015 1:19.6.4 - x86 NETWORK
Running from: c:\documents and settings\default\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\default\Desktop\CFScript.txt
 * Created a new restore point
.
FILE ::
"c:\documents and settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}\ListSvc.dll"
"c:\documents and settings\default\Local Settings\TempIadHide3.dll"
"c:\windows\system32\wscntfy.exe"
.
.
((((((((((((((((((((((((( Files Created from 2014-12-13 to 2015-01-13 )))))))))))))))))))))))))))))))
.
.
2015-01-11 18:23 . 2015-01-11 18:23 -------- d-----w- c:\program files\Common Files\Java
2015-01-11 18:19 . 2015-01-11 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Oracle
2014-12-30 22:48 . 2014-12-30 22:49 -------- d-----w- c:\program files\Common Files\Adobe
2014-12-30 19:49 . 2014-12-30 19:49 -------- d-----w- c:\windows\ERUNT
2014-12-30 19:18 . 2015-01-11 18:21 146432 ----a-w- c:\windows\system32\javacpl.cpl
2014-12-30 19:18 . 2015-01-11 18:21 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-12-29 22:04 . 2015-01-12 17:21 -------- d-----w- C:\FRST
2014-12-29 19:06 . 2015-01-11 01:44 -------- d-----w- C:\AdwCleaner
2014-12-29 16:06 . 2015-01-11 01:51 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-29 16:05 . 2014-12-30 20:29 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-12-29 16:05 . 2014-11-21 12:14 54360 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-12-29 16:05 . 2014-11-21 12:14 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-12-25 22:37 . 2015-01-13 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-01-10 22:58 . 2012-05-01 19:38 701616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-01-10 22:58 . 2011-06-02 18:37 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-12-29 17:26 . 2012-05-01 18:33 25992 -c--a-w- c:\windows\system32\pgdfgsvc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-01-24 142360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-01-24 176152]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-01-24 145944]
"RTHDCPL"="RTHDCPL.EXE" [2011-01-27 19722344]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-05-08 959904]
.
c:\documents and settings\default\Start Menu\Programs\Startup\
Monitor Ink Alerts - HP Photosmart 6520 series (Network).lnk - c:\windows\system32\RunDll32.exe "c:\program files\HP\HP Photosmart 6520 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=TH36F120YM05XP;CONNECTION=NW;MONITOR=1; [2008-4-14 33280]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\KODAK\Kodak EasyShare software\bin\EasyShare.exe -h [2002-9-16 299008]
KODAK Software Updater.lnk - c:\program files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2002-3-13 16384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2014-12-29 21:55 610888 ----a-w- c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_winlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
.
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-01-27 1691480]
R3 AON325;AOpen AON-325 10/100M Fast Ethernet PCI Adapter Driver;c:\windows\system32\DRIVERS\AON325.SYS [2003-01-22 46976]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1506000.020\SYMDS.SYS [2013-08-01 367704]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1506000.020\SYMEFA.SYS [2014-03-04 936152]
S1 BHDrvx86;BHDrvx86;c:\program files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\BASHDefs\20141209.001\BHDrvx86.sys [2014-10-03 1138392]
S1 ccSet_NAV;NAV Settings Manager;c:\windows\system32\drivers\NAV\1506000.020\ccSetx86.sys [2013-09-26 127064]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1506000.020\Ironx86.SYS [2014-08-06 209624]
S2 GoToAssist Remote Support Customer;GoToAssist Remote Support Customer;c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe Start=service [x]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-09-22 110752]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\21.6.0.32\NAV.exe [2014-09-21 262968]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-01-24 2656280]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-12-15 111408]
S3 IDSxpx86;IDSxpx86;c:\program files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\IPSDefs\20150108.002\IDSxpx86.sys [2015-01-11 475288]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2011-01-24 41088]
.
.
Contents of the 'Scheduled Tasks' folder
.
2015-01-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-01 22:58]
.
2015-01-13 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\Communicator.exe [2014-12-25 05:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cableone.net/
uInternet Settings,ProxyOverride = localhost
TCP: DhcpNameServer = 24.116.0.53 24.116.2.50
FF - ProfilePath - c:\documents and settings\default\Application Data\Mozilla\Firefox\Profiles\yl60un9q.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-01-13 11:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\21.6.0.32\NAV.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\21.6.0.32\diMaster.dll\" /prefetch:1"
"ImagePath"="\SystemRoot\System32\Drivers\NAV\1506000.020\SYMTDI.SYS"
"TrustedImagePaths"="c:\program files\Norton AntiVirus\Engine\21.6.0.32"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_winlogon.dll
.
- - - - - - - > 'explorer.exe'(284)
c:\windows\system32\WININET.dll
c:\docume~1\default\LOCALS~1\TempIadHide3.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\Office10\msohev.dll
c:\documents and settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}\ListSvc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_comm_customer.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_system_customer.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_host.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_user_customer.exe
c:\windows\RTHDCPL.EXE
c:\program files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
c:\windows\system32\RunDll32.exe
c:\program files\HP\HP Photosmart 6520 series\Bin\HPNetworkCommunicatorCom.exe
.
**************************************************************************
.
Completion time: 2015-01-13 11:34:59 - machine was rebooted
ComboFix-quarantined-files.txt 2015-01-13 17:34
ComboFix2.txt 2015-01-12 21:35
ComboFix3.txt 2015-01-12 19:33
ComboFix4.txt 2015-01-12 02:59
ComboFix5.txt 2015-01-13 07:18
.
Pre-Run: 477,971,271,680 bytes free
Post-Run: 478,100,668,416 bytes free
.
- - End Of File - - 73C9A31E99A5765AACE64F412BBC3533
8F558EB6672622401DA993E1E865C861
  13. ComboFix 15-01-08.01 - default 01/12/2015 14:50:31.5.4 - x86
Running from: c:\documents and settings\default\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\default\Desktop\CFScript.txt
 * Created a new restore point
.
FILE ::
"c:\documents and settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}\ListSvc.dll"
"c:\documents and settings\default\Local Settings\TempIadHide3.dll"
"c:\windows\system32\wscntfy.exe"
.
.
((((((((((((((((((((((((( Files Created from 2014-12-12 to 2015-01-12 )))))))))))))))))))))))))))))))
.
.
2015-01-11 18:23 . 2015-01-11 18:23 -------- d-----w- c:\program files\Common Files\Java
2015-01-11 18:19 . 2015-01-11 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Oracle
2014-12-30 22:48 . 2014-12-30 22:49 -------- d-----w- c:\program files\Common Files\Adobe
2014-12-30 19:49 . 2014-12-30 19:49 -------- d-----w- c:\windows\ERUNT
2014-12-30 19:18 . 2015-01-11 18:21 146432 ----a-w- c:\windows\system32\javacpl.cpl
2014-12-30 19:18 . 2015-01-11 18:21 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-12-29 22:04 . 2015-01-12 17:21 -------- d-----w- C:\FRST
2014-12-29 19:06 . 2015-01-11 01:44 -------- d-----w- C:\AdwCleaner
2014-12-29 16:06 . 2015-01-11 01:51 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-29 16:05 . 2014-12-30 20:29 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-12-29 16:05 . 2014-11-21 12:14 54360 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-12-29 16:05 . 2014-11-21 12:14 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-12-25 22:37 . 2015-01-12 21:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}
2014-12-13 22:37 . 2014-12-17 22:12 -------- d-----w- c:\documents and settings\default\Application Data\Yahoo!
2014-12-13 22:35 . 2014-12-17 22:14 -------- d-----w- c:\program files\Yahoo!
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-01-10 22:58 . 2012-05-01 19:38 701616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-01-10 22:58 . 2011-06-02 18:37 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-12-29 17:26 . 2012-05-01 18:33 25992 -c--a-w- c:\windows\system32\pgdfgsvc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-01-24 142360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-01-24 176152]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-01-24 145944]
"RTHDCPL"="RTHDCPL.EXE" [2011-01-27 19722344]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-05-08 959904]
.
c:\documents and settings\default\Start Menu\Programs\Startup\
Monitor Ink Alerts - HP Photosmart 6520 series (Network).lnk - c:\windows\system32\RunDll32.exe "c:\program files\HP\HP Photosmart 6520 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=TH36F120YM05XP;CONNECTION=NW;MONITOR=1; [2008-4-14 33280]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\KODAK\Kodak EasyShare software\bin\EasyShare.exe -h [2002-9-16 299008]
KODAK Software Updater.lnk - c:\program files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2002-3-13 16384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2014-12-29 21:55 610888 ----a-w- c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_winlogon.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
.
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-01-27 1691480]
R3 AON325;AOpen AON-325 10/100M Fast Ethernet PCI Adapter Driver;c:\windows\system32\DRIVERS\AON325.SYS [2003-01-22 46976]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1506000.020\SYMDS.SYS [2013-08-01 367704]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1506000.020\SYMEFA.SYS [2014-03-04 936152]
S1 BHDrvx86;BHDrvx86;c:\program files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\BASHDefs\20141209.001\BHDrvx86.sys [2014-10-03 1138392]
S1 ccSet_NAV;NAV Settings Manager;c:\windows\system32\drivers\NAV\1506000.020\ccSetx86.sys [2013-09-26 127064]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1506000.020\Ironx86.SYS [2014-08-06 209624]
S2 GoToAssist Remote Support Customer;GoToAssist Remote Support Customer;c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe Start=service [x]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-09-22 110752]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\21.6.0.32\NAV.exe [2014-09-21 262968]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-01-24 2656280]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-12-15 111408]
S3 IDSxpx86;IDSxpx86;c:\program files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\IPSDefs\20150108.002\IDSxpx86.sys [2015-01-11 475288]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2011-01-24 41088]
.
.
Contents of the 'Scheduled Tasks' folder
.
2015-01-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-01 22:58]
.
2015-01-12 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\Communicator.exe [2014-12-25 05:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cableone.net/
uInternet Settings,ProxyOverride = localhost
TCP: DhcpNameServer = 24.116.0.53 24.116.2.50
FF - ProfilePath - c:\documents and settings\default\Application Data\Mozilla\Firefox\Profiles\yl60un9q.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-01-12 15:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\21.6.0.32\NAV.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\21.6.0.32\diMaster.dll\" /prefetch:1"
"ImagePath"="\SystemRoot\System32\Drivers\NAV\1506000.020\SYMTDI.SYS"
"TrustedImagePaths"="c:\program files\Norton AntiVirus\Engine\21.6.0.32"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_winlogon.dll
.
- - - - - - - > 'explorer.exe'(280)
c:\windows\system32\WININET.dll
c:\docume~1\default\LOCALS~1\TempIadHide3.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\documents and settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}\ListSvc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_comm_customer.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_system_customer.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_host.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_user_customer.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
c:\windows\system32\RunDll32.exe
c:\program files\HP\HP Photosmart 6520 series\Bin\HPNetworkCommunicatorCom.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2015-01-12 15:35:04 - machine was rebooted
ComboFix-quarantined-files.txt 2015-01-12 21:34
ComboFix2.txt 2015-01-12 19:33
ComboFix3.txt 2015-01-12 02:59
ComboFix4.txt 2015-01-11 20:51
ComboFix5.txt 2015-01-12 20:48
.
Pre-Run: 478,034,300,928 bytes free
Post-Run: 478,018,093,056 bytes free
.
- - End Of File - - C2DC7B0134D6F0455A7E024AB1697FC1
8F558EB6672622401DA993E1E865C861
  14. ComboFix 15-01-08.01 - default 01/12/2015 13:05:06.4.4 - x86
Running from: c:\documents and settings\default\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\default\Desktop\CFScript.txt
 * Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}
.
.
.
.
Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2014-12-12 to 2015-01-12 )))))))))))))))))))))))))))))))
.
.
2015-01-11 18:23 . 2015-01-11 18:23 -------- d-----w- c:\program files\Common Files\Java
2015-01-11 18:19 . 2015-01-11 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Oracle
2014-12-30 22:48 . 2014-12-30 22:49 -------- d-----w- c:\program files\Common Files\Adobe
2014-12-30 19:49 . 2014-12-30 19:49 -------- d-----w- c:\windows\ERUNT
2014-12-30 19:18 . 2015-01-11 18:21 146432 ----a-w- c:\windows\system32\javacpl.cpl
2014-12-30 19:18 . 2015-01-11 18:21 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-12-29 22:04 . 2015-01-12 17:21 -------- d-----w- C:\FRST
2014-12-29 19:06 . 2015-01-11 01:44 -------- d-----w- C:\AdwCleaner
2014-12-29 16:06 . 2015-01-11 01:51 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-29 16:05 . 2014-12-30 20:29 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-12-29 16:05 . 2014-11-21 12:14 54360 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-12-29 16:05 . 2014-11-21 12:14 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-12-25 22:37 . 2015-01-12 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}
2014-12-13 22:37 . 2014-12-17 22:12 -------- d-----w- c:\documents and settings\default\Application Data\Yahoo!
2014-12-13 22:35 . 2014-12-17 22:14 -------- d-----w- c:\program files\Yahoo!
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-01-10 22:58 . 2012-05-01 19:38 701616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-01-10 22:58 . 2011-06-02 18:37 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-12-29 17:26 . 2012-05-01 18:33 25992 -c--a-w- c:\windows\system32\pgdfgsvc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-01-24 142360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-01-24 176152]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-01-24 145944]
"RTHDCPL"="RTHDCPL.EXE" [2011-01-27 19722344]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-05-08 959904]
.
c:\documents and settings\default\Start Menu\Programs\Startup\
Monitor Ink Alerts - HP Photosmart 6520 series (Network).lnk - c:\windows\system32\RunDll32.exe "c:\program files\HP\HP Photosmart 6520 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=TH36F120YM05XP;CONNECTION=NW;MONITOR=1; [2008-4-14 33280]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\KODAK\Kodak EasyShare software\bin\EasyShare.exe -h [2002-9-16 299008]
KODAK Software Updater.lnk - c:\program files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2002-3-13 16384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2014-12-29 21:55 610888 ----a-w- c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_winlogon.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
.
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-01-27 1691480]
R3 AON325;AOpen AON-325 10/100M Fast Ethernet PCI Adapter Driver;c:\windows\system32\DRIVERS\AON325.SYS [2003-01-22 46976]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1506000.020\SYMDS.SYS [2013-08-01 367704]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1506000.020\SYMEFA.SYS [2014-03-04 936152]
S1 BHDrvx86;BHDrvx86;c:\program files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\BASHDefs\20141209.001\BHDrvx86.sys [2014-10-03 1138392]
S1 ccSet_NAV;NAV Settings Manager;c:\windows\system32\drivers\NAV\1506000.020\ccSetx86.sys [2013-09-26 127064]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1506000.020\Ironx86.SYS [2014-08-06 209624]
S2 GoToAssist Remote Support Customer;GoToAssist Remote Support Customer;c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe Start=service [x]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-09-22 110752]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\21.6.0.32\NAV.exe [2014-09-21 262968]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-01-24 2656280]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-12-15 111408]
S3 IDSxpx86;IDSxpx86;c:\program files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\IPSDefs\20150108.002\IDSxpx86.sys [2015-01-11 475288]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2011-01-24 41088]
.
.
Contents of the 'Scheduled Tasks' folder
.
2015-01-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-01 22:58]
.
2015-01-12 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\Communicator.exe [2014-12-25 05:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cableone.net/
uInternet Settings,ProxyOverride = localhost
TCP: DhcpNameServer = 24.116.0.53 24.116.2.50
FF - ProfilePath - c:\documents and settings\default\Application Data\Mozilla\Firefox\Profiles\yl60un9q.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-01-12 13:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\21.6.0.32\NAV.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\21.6.0.32\diMaster.dll\" /prefetch:1"
"ImagePath"="\SystemRoot\System32\Drivers\NAV\1506000.020\SYMTDI.SYS"
"TrustedImagePaths"="c:\program files\Norton AntiVirus\Engine\21.6.0.32"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_winlogon.dll
.
- - - - - - - > 'explorer.exe'(1064)
c:\windows\system32\WININET.dll
c:\docume~1\default\LOCALS~1\TempIadHide3.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_comm_customer.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_system_customer.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_host.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_user_customer.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
c:\windows\system32\RunDll32.exe
c:\program files\HP\HP Photosmart 6520 series\Bin\HPNetworkCommunicatorCom.exe
.
**************************************************************************
.
Completion time: 2015-01-12 13:33:14 - machine was rebooted
ComboFix-quarantined-files.txt 2015-01-12 19:33
ComboFix2.txt 2015-01-12 02:59
ComboFix3.txt 2015-01-11 20:51
ComboFix4.txt 2014-12-30 22:30
.
Pre-Run: 477,895,602,176 bytes free
Post-Run: 478,050,889,728 bytes free
.
- - End Of File - - 8C30F9EA15FD2FEBBC4A8216AC7A0422
8F558EB6672622401DA993E1E865C861