
oasis

Everything posted by oasis

  1. Farbar Service Scanner Version: 14-04-2013
     Ran by Bob (administrator) on 06-05-2013 at 15:10:43
     Running from "J:\Documents and Settings\Bob\Desktop"
     Microsoft Windows XP Service Pack 3 (X86)
     Boot Mode: Normal
     ****************************************************************

     Internet Services:
     ============

     Connection Status:
     ==============
     Localhost is accessible.
     LAN connected.
     Google IP is accessible.
     Google.com is accessible.
     Attempt to access Yahoo IP returned error. Yahoo IP is offline
     Yahoo.com is accessible.

     Windows Firewall:
     =============
     Firewall Disabled Policy:
     ==================

     System Restore:
     ============
     System Restore Disabled Policy:
     ========================

     Security Center:
     ============

     Windows Update:
     ============
     Windows Autoupdate Disabled Policy:
     ============================

     File Check:
     ========
     J:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
     J:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
     J:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
     J:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
     J:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
     J:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
     J:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
     J:\WINDOWS\system32\netman.dll => MD5 is legit
     J:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
     J:\WINDOWS\system32\srsvc.dll => MD5 is legit
     J:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
     J:\WINDOWS\system32\wscsvc.dll => MD5 is legit
     J:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
     J:\WINDOWS\system32\wuauserv.dll => MD5 is legit
     J:\WINDOWS\system32\qmgr.dll => MD5 is legit
     J:\WINDOWS\system32\es.dll => MD5 is legit
     J:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
     J:\WINDOWS\system32\svchost.exe => MD5 is legit
     J:\WINDOWS\system32\rpcss.dll => MD5 is legit
     J:\WINDOWS\system32\services.exe => MD5 is legit

     Extra List:
     =======
     Gpc(3) IPSec(5) NetBT(6) PSched(7) SYMTDI(8) Tcpip(4)
     0x080000000500000001000000020000000300000004000000080000000600000007000000
     IpSec Tag value is correct.

     **** End of log ****
  2. OK...then it was definitely hanging on the scan. I let it go for over an hour with no changes. Any other way to get it to run?
  3. Any other ideas on how to get it to run? Already tried w/ Norton 360 Antivirus disabled. How long should a typical scan take with DDS? Thanks.
  4. I had antivirus disabled on the first try. I think in safe mode they may not even launch anyway. Do I also need to disable firewalls?
  5. Can't get DDS scan to complete. It appears to launch and there is disk activity, along with the displayed message "Two logs shall be created on your desktop". After that it just hangs and never produces the log files. Also tried to run it in safe mode with same result.
  6. Ran ComboFix with the script. Log below. The Windows Security Center reference to Lavasoft went away but now it simply reports that no antivirus software is installed (when in fact Norton 360 is running). The pop-up message balloon appears from the sys tray on boot. Also, it now appears that Windows firewall is on when the PC first boots, but it then shuts off about 2 minutes after the desktop appears in the boot process. An additional message then appears in the same pop-up balloon from the sys tray warning that the firewall is off. Then after about another minute, it turns itself back on again and the message disappears. Norton 360 also runs its own "smart firewall" that seems to be undetected by Windows Security Center.
  7. That method worked and ComboFix ran successfully. Log file posted below. Can't tell yet if anything major changed as a result of ComboFix. My Windows firewall now appears to be on when the computer is booted, so I think it fixed that issue. I still get the warning about Lavasoft Ad-Watch Live Anti-virus being off. Still not sure why I get anything referencing Lavasoft when I completely uninstalled those applications. Windows Security Center seems to think I am without anti-virus protection even though I have Norton 360 running normally and up to date.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "j:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "j:\\Documents and Settings\\Bob\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"= "j:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management "1131:TCP"= 1131:TCP:Akamai NetSession Interface "5000:UDP"= 5000:UDP:Akamai NetSession Interface . 
R0 SymDS;Symantec Data Store;j:\windows\system32\drivers\N360\1403010.016\symds.sys [4/29/2013 1:47 AM 367704] R0 SymEFA;Symantec Extended File Attributes;j:\windows\system32\drivers\N360\1403010.016\symefa.sys [4/29/2013 1:47 AM 934488] S0 Lbd;Lbd;j:\windows\system32\DRIVERS\Lbd.sys --> j:\windows\system32\DRIVERS\Lbd.sys [?] S1 BHDrvx86;BHDrvx86;j:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130412.001\BHDrvx86.sys [4/12/2013 7:53 PM 1000024] S1 ccSet_N360;Norton 360 Settings Manager;j:\windows\system32\drivers\N360\1403010.016\ccsetx86.sys [4/29/2013 1:47 AM 134304] S1 SymIRON;Symantec Iron Driver;j:\windows\system32\drivers\N360\1403010.016\ironx86.sys [4/29/2013 1:47 AM 175264] S2 gupdate1c9a76164ab2998;Google Update Service (gupdate1c9a76164ab2998);j:\program files\Google\Update\GoogleUpdate.exe [3/17/2009 8:35 PM 133104] S2 IntuitUpdateServiceV4;Intuit Update Service v4;j:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/23/2012 12:37 PM 13672] S2 LinksysUpdater;Linksys Updater;j:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 3:43 PM 204800] S2 N360;Norton 360;j:\program files\Norton 360\Engine\20.3.1.22\ccsvchst.exe [4/29/2013 1:47 AM 144520] S2 SkypeUpdate;Skype Updater;j:\program files\Skype\Updater\Updater.exe [7/13/2012 2:28 PM 160944] S2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;j:\windows\system32\dllhost.exe [4/14/2008 8:00 AM 5120] S3 CtClsFlt;Creative Camera Class Upper Filter Driver;j:\windows\system32\drivers\CtClsFlt.sys [8/8/2010 7:56 PM 143936] S3 DCamUSBIntel;USB Video Camera for Intel Proshare technology;j:\windows\system32\drivers\usbintel.sys [4/13/2008 8:15 PM 15872] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;j:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/21/2013 8:42 PM 106656] S3 IDSxpx86;IDSxpx86;j:\documents and settings\All 
Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130503.001\IDSXpx86.sys [5/3/2013 9:31 PM 373728] S3 nosGetPlusHelper;getPlus® Helper 3004;j:\windows\System32\svchost.exe -k nosGetPlusHelper [4/14/2008 8:00 AM 14336] S3 SymSnapService;SymSnapService;j:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [12/20/2007 5:13 PM 1558000] S3 V0610Afx;Creative Camera VF0610 Audio Effects Driver;j:\windows\system32\drivers\V0610Afx.sys [8/8/2010 7:59 PM 160256] S3 V0610Vid;Creative Live! Cam Socialize HD Driver;j:\windows\system32\drivers\V0610Vid.sys [8/8/2010 7:58 PM 274624] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper . Contents of the 'Scheduled Tasks' folder . 2013-05-02 j:\windows\Tasks\AppleSoftwareUpdate.job - j:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57] . 2013-05-03 j:\windows\Tasks\Google Software Updater.job - j:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-18 15:51] . 2013-05-04 j:\windows\Tasks\GoogleUpdateTaskMachineCore.job - j:\program files\Google\Update\GoogleUpdate.exe [2009-03-18 00:35] . 2013-05-04 j:\windows\Tasks\GoogleUpdateTaskMachineUA.job - j:\program files\Google\Update\GoogleUpdate.exe [2009-03-18 00:35] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uInternet Settings,ProxyOverride = *.local;<local> uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s TCP: DhcpNameServer = 192.168.1.1 DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://77.105.97.97:8000/activex/AMC.cab . - - - - ORPHANS REMOVED - - - - . Toolbar-Locked - (no file) MSConfigStartUp-CTFMON - (no file) . . . ************************************************************************** . 
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2013-05-03 22:27 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . HKCU\Software\Microsoft\Windows\CurrentVersion\Run SansaDispatch = j:\documents and settings\Bob\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe??1?"?>? ? ?<?h?e?a?d?>? ? ?<?t?i?t?l?e?>?I?F?r?a?m?e? ?G?e?n?e?r?i?c? ?M?e?s?s?a?g?e?< . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360] "ImagePath"="\"j:\program files\Norton 360\Engine\20.3.1.22\ccSvcHst.exe\" /s \"N360\" /m \"j:\program files\Norton 360\Engine\20.3.1.22\diMaster.dll\" /prefetch:1" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\S-1-5-21-57989841-1078081533-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*# #´] @Class="Shell" . [HKEY_LOCAL_MACHINE\software\Classes\.xml\PersistentHandler] @DACL=(02 0000) @="{7E9D8D44-6926-426F-AA2B-217A819A5CCE}" . [HKEY_LOCAL_MACHINE\software\Classes\.xsl\PersistentHandler] @DACL=(02 0000) @="{7E9D8D44-6926-426F-AA2B-217A819A5CCE}" . Completion time: 2013-05-03 22:29:53 ComboFix-quarantined-files.txt 2013-05-04 02:29 . Pre-Run: 937,039,290,368 bytes free Post-Run: 937,419,485,184 bytes free . - - End Of File - - 51E39FED1AC76AF7933B93AD9F9EAB5C
  8. That method worked and ComboFix ran successfully. Log file posted below. Can't tell yet if anything major changed as a result of ComboFix. My Windows firewall now appears to be on when the computer is booted, so I think it fixed that issue. I still get the warning about Lavasoft Ad-Watch Live Anti-virus being off. Still not sure why I get anything referencing Lavasoft when I completely uninstalled those applications. Windows Security Center seems to think I am without anti-virus protection even though I have Norton 360 running normally and up to date.

ComboFix 13-05-01.03 - Bob 05/03/2013 22:21:31.1.4 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3323.2878 [GMT -4:00]
Running from: j:\documents and settings\Bob\desktop\combofix.exe
Command switches used :: /nombr
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
j:\documents and settings\All Users\Application Data\TEMP
j:\documents and settings\Bob\g2mdlhlpx.exe
j:\windows\EventSystem.log
j:\windows\system32\URTTemp
j:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-04-04 to 2013-05-04 )))))))))))))))))))))))))))))))
.
.
2013-05-03 21:55 . 2013-05-03 21:56 -------- d-----w- j:\documents and settings\Administrator
2013-05-03 03:03 . 2013-05-03 03:04 -------- d-----w- j:\documents and settings\Bob\Application Data\Foxit Software
2013-05-03 03:03 . 2013-05-03 03:03 -------- d-----w- j:\program files\Foxit Software
2013-05-03 02:37 . 2013-05-03 02:37 -------- d-----w- j:\windows\system32\wbem\Repository
2013-05-02 18:30 . 2013-05-02 18:30 159744 ----a-w- j:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2013-05-02 18:30 . 2013-05-02 18:30 159744 ----a-w- j:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2013-05-02 18:30 . 2013-05-02 18:30 159744 ----a-w- j:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2013-05-02 18:30 . 2013-05-02 18:30 159744 ----a-w- j:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2013-05-02 18:30 . 2013-05-02 18:30 159744 ----a-w- j:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2013-05-02 18:30 . 2013-05-02 18:30 159744 ----a-w- j:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2013-05-02 18:30 . 2013-05-02 18:30 159744 ----a-w- j:\program files\Internet Explorer\Plugins\npqtplugin.dll
2013-05-02 18:30 . 2013-05-02 18:30 -------- d-----w- j:\program files\QuickTime
2013-05-01 01:04 . 2013-05-01 01:04 -------- d-----w- j:\program files\ERUNT
2013-04-30 02:15 . 2013-04-30 02:15 -------- d-----w- j:\documents and settings\All Users\Application Data\McAfee
2013-04-29 22:55 . 2013-04-29 22:55 -------- d-----w- j:\windows\system32\winrm
2013-04-29 22:55 . 2013-04-29 22:55 -------- dc-h--w- j:\windows\$968930Uinstall_KB968930$
2013-04-29 20:13 . 2013-05-04 02:20 -------- d-----w- j:\windows\system32\CatRoot2
2013-04-29 18:01 . 2013-05-01 03:41 181064 ----a-w- j:\windows\PSEXESVC.EXE
2013-04-29 17:57 . 2013-04-29 17:57 -------- d-----w- J:\RegBackup
2013-04-29 16:26 . 2013-04-29 16:26 -------- d-----w- j:\program files\Malwarebytes' Anti-Malware
2013-04-29 16:26 . 2013-04-04 18:50 22856 ----a-w- j:\windows\system32\drivers\mbam.sys
2013-04-29 05:47 . 2013-04-29 05:55 -------- d-----w- j:\windows\system32\drivers\N360\1403010.016
2013-04-29 05:34 . 2013-04-29 05:34 -------- d-----w- j:\documents and settings\Bob\Application Data\Malwarebytes
2013-04-29 02:20 . 2013-04-29 02:20 -------- d-----w- J:\_OTL
2013-04-24 02:02 . 2013-04-24 02:02 -------- d---a-w- J:\$Anvi Rescue Disk$
2013-04-23 19:54 . 2013-04-24 01:09 -------- d-----w- j:\windows\Microsoft Antimalware
2013-04-23 08:39 . 2013-04-24 02:09 -------- d-----w- j:\documents and settings\Michael
2013-04-23 07:57 . 2013-04-23 07:57 -------- d-----w- j:\documents and settings\Michelle\Application Data\Malwarebytes
2013-04-23 07:56 . 2013-04-23 07:56 -------- d-----w- j:\documents and settings\All Users\Application Data\Malwarebytes
2013-04-23 07:36 . 2013-04-23 07:45 -------- d-----w- j:\documents and settings\All Users\Application Data\2C533BF2BA1AC45700002C530FA4C976
2013-04-10 21:04 . 2010-09-07 18:26 28160 ----a-w- j:\windows\system32\drivers\PcaSp50.sys
2013-04-10 21:04 . 2006-11-29 01:46 41280 ----a-w- j:\windows\system32\drivers\PCASp50a64.sys
2013-04-10 21:04 . 2003-04-22 01:46 61440 ----a-w- j:\windows\system32\ASIW32N50.dll
2013-04-10 21:04 . 2002-09-10 23:35 16302 ----a-w- j:\windows\system32\ASINDIS5.sys
2013-04-10 21:04 . 2001-04-16 09:48 15577 ----a-w- j:\windows\system32\ASINDIS3.vxd
2013-04-10 21:04 . 2013-04-10 21:04 -------- d-----w- j:\program files\ASUS
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-29 05:48 . 2011-04-16 03:50 142496 ----a-w- j:\windows\system32\drivers\SYMEVENT.SYS
2013-03-23 05:22 . 2011-05-21 10:01 1869600 ----a-w- j:\windows\system32\nvcuvenc.dll
2013-03-23 05:22 . 2008-07-27 05:18 7536640 ----a-w- j:\windows\system32\nvcuda.dll
2013-03-23 05:22 . 2008-07-27 05:18 19189760 ----a-w- j:\windows\system32\nvoglnt.dll
2013-03-23 05:22 . 2008-07-27 05:18 12653120 ----a-w- j:\windows\system32\drivers\nv4_mini.sys
2013-03-23 05:22 . 2013-03-23 05:22 5967872 ----a-w- j:\windows\system32\nvopencl.dll
2013-03-23 05:22 . 2013-03-23 05:22 1010464 ----a-w- j:\windows\system32\nvdispco3230790.dll
2013-03-23 05:22 . 2011-05-21 10:01 17551360 ----a-w- j:\windows\system32\nvcompiler.dll
2013-03-23 05:22 . 2008-07-27 05:18 4494720 ----a-w- j:\windows\system32\nv4_disp.dll
2013-03-23 05:22 . 2013-03-23 05:22 893728 ----a-w- j:\windows\system32\nvdispgenco3230790.dll
2013-03-23 05:22 . 2008-07-27 05:18 2392064 ----a-w- j:\windows\system32\nvapi.dll
2013-03-23 05:22 . 2011-05-21 10:01 2582816 ----a-w- j:\windows\system32\nvcuvid.dll
2013-03-21 22:30 . 2008-07-27 05:18 126976 ----a-w- j:\windows\system32\nvrszht.dll
2013-03-21 22:30 . 2008-07-27 05:18 258048 ----a-w- j:\windows\system32\nvrstr.dll
2013-03-21 22:30 . 2008-07-27 05:18 258048 ----a-w- j:\windows\system32\nvrssl.dll
2013-03-21 22:30 . 2008-07-27 05:18 258048 ----a-w- j:\windows\system32\nvrssk.dll
2013-03-21 22:30 . 2008-07-27 05:18 253952 ----a-w- j:\windows\system32\nvrsth.dll
2013-03-21 22:30 . 2008-07-27 05:18 253952 ----a-w- j:\windows\system32\nvrssv.dll
2013-03-21 22:30 . 2008-07-27 05:18 229376 ----a-w- j:\windows\system32\nvrszhc.dll
2013-03-21 22:30 . 2008-07-27 05:18 274432 ----a-w- j:\windows\system32\nvrspt.dll
2013-03-21 22:30 . 2008-07-27 05:18 270336 ----a-w- j:\windows\system32\nvrsru.dll
2013-03-21 22:30 . 2008-07-27 05:18 270336 ----a-w- j:\windows\system32\nvrsptb.dll
2013-03-21 22:30 . 2008-07-27 05:18 258048 ----a-w- j:\windows\system32\nvrspl.dll
2013-03-21 22:30 . 2008-07-27 05:18 253952 ----a-w- j:\windows\system32\nvrsno.dll
2013-03-21 22:30 . 2008-07-27 05:18 282624 ----a-w- j:\windows\system32\nvrsit.dll
2013-03-21 22:30 . 2008-07-27 05:18 274432 ----a-w- j:\windows\system32\nvrsnl.dll
2013-03-21 22:30 . 2008-07-27 05:18 274432 ----a-w- j:\windows\system32\nvrsja.dll
2013-03-21 22:30 . 2008-07-27 05:18 266240 ----a-w- j:\windows\system32\nvrsko.dll
2013-03-21 22:30 . 2008-07-27 05:18 335872 ----a-w- j:\windows\system32\nvrshe.dll
2013-03-21 22:30 . 2008-07-27 05:18 286720 ----a-w- j:\windows\system32\nvrsfr.dll
2013-03-21 22:30 . 2008-07-27 05:18 262144 ----a-w- j:\windows\system32\nvrshu.dll
2013-03-21 22:30 . 2008-07-27 05:18 249856 ----a-w- j:\windows\system32\nvrsfi.dll
2013-03-21 22:30 . 2008-07-27 05:18 282624 ----a-w- j:\windows\system32\nvrses.dll
2013-03-21 22:30 . 2008-07-27 05:18 282624 ----a-w- j:\windows\system32\nvrsel.dll
2013-03-21 22:30 . 2008-07-27 05:18 278528 ----a-w- j:\windows\system32\nvrsde.dll
2013-03-21 22:30 . 2008-07-27 05:18 274432 ----a-w- j:\windows\system32\nvrsesm.dll
2013-03-21 22:30 . 2008-07-27 05:18 249856 ----a-w- j:\windows\system32\nvrseng.dll
2013-03-21 22:30 . 2008-07-27 05:18 335872 ----a-w- j:\windows\system32\nvrsar.dll
2013-03-21 22:30 . 2008-07-27 05:18 253952 ----a-w- j:\windows\system32\nvrsda.dll
2013-03-21 22:30 . 2008-07-27 05:18 249856 ----a-w- j:\windows\system32\nvrscs.dll
2013-03-21 22:26 . 2008-07-27 05:18 54272 ----a-w- j:\windows\system32\nvwddi.dll
2013-03-21 22:26 . 2008-07-27 05:18 156448 ----a-w- j:\windows\system32\nvsvc32.exe
2013-03-21 22:26 . 2008-07-27 05:18 15517984 ----a-w- j:\windows\system32\nvcpl.dll
2013-03-21 22:26 . 2008-07-27 05:18 108832 ----a-w- j:\windows\system32\nvmctray.dll
2013-03-21 22:25 . 2008-07-27 05:18 144160 ----a-w- j:\windows\system32\nvcolor.exe
2013-03-08 08:36 . 2008-04-14 12:00 293376 ----a-w- j:\windows\system32\winsrv.dll
2013-03-07 01:32 . 2008-04-14 12:00 2149888 ----a-w- j:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2008-04-14 00:01 2028544 ----a-w- j:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06 . 2008-04-14 12:00 916480 ----a-w- j:\windows\system32\wininet.dll
2013-03-02 02:06 . 2008-04-14 12:00 43520 ----a-w- j:\windows\system32\licmgr10.dll
2013-03-02 02:06 . 2008-04-14 12:00 1469440 ----a-w- j:\windows\system32\inetcpl.cpl
2013-03-02 01:25 . 2008-04-14 12:00 1867264 ----a-w- j:\windows\system32\win32k.sys
2013-03-02 01:08 . 2008-04-14 12:00 385024 ----a-w- j:\windows\system32\html.iec
2013-02-27 07:56 . 2009-03-14 15:33 2067456 ----a-w- j:\windows\system32\mstscax.dll
2013-02-12 00:32 . 2008-04-14 12:00 12928 ----a-w- j:\windows\system32\drivers\usb8023.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NortonUtilities"="j:\program files\Norton Utilities 14\nu.exe" [2010-08-24 4093288]
"SansaDispatch"="j:\documents and settings\Bob\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2011-06-22 79872]
"gStart"="j:\garmin\gStart.exe" [2008-08-13 1891416]
"Akamai NetSession Interface"="j:\documents and settings\Bob\Local Settings\Application Data\Akamai\netsession_win.exe" [2013-01-26 4480768]
"swg"="j:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-18 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="j:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"SSBkgdUpdate"="j:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="j:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="j:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"ControlCenter2.0"="j:\program files\Brother\ControlCenter2\brctrcen.exe" [2007-12-21 86016]
"SysTrayApp"="j:\program files\IDT\WDM\sttray.exe" [2008-05-07 413696]
"type32"="j:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="j:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"HPDJ Taskbar Utility"="j:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-06 172032]
"HPHUPD06"="j:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="j:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"Norton Ghost 14.0"="j:\program files\Norton Ghost\Agent\VProTray.exe" [2008-12-11 2245992]
"Share-to-Web Namespace Daemon"="j:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"nmctxth"="j:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"Live! Central 2"="j:\program files\Creative\Creative Live! Cam\Live! Central 2\CTLVCentral2.exe" [2009-08-28 426140]
"V0610Mon.exe"="j:\windows\V0610Mon.exe" [2009-08-06 24576]
"Monitor"="j:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-07-28 554328]
"BCSSync"="j:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"BrMfcWnd"="j:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-10-11 1085440]
"ControlCenter3"="j:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]
"iTunesHelper"="j:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"APSDaemon"="j:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"NvMediaCenter"="NvMCTray.dll" [2013-03-21 108832]
"QuickTime Task"="j:\program files\QuickTime\qttask.exe" [2012-10-25 421888]
.
j:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - j:\program files\HP\digital imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - j:\program files\HP\digital imaging\bin\hpqthb08.exe [2004-5-28 53248]
NCProTray.lnk - j:\program files\SEC\Natural Color Pro\NCProTray.exe [2009-3-14 49220]
Windows Search.lnk - j:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoAdminPage"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeStartMenu"= 00000000
"MaxRecentDocs"= 0 (0x0)
"NoWinKey"= 0 (0x0)
"NoNetConnextDisconnect"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoControlPanle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "j:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"j:\\Documents and Settings\\Bob\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
"j:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"1131:TCP"= 1131:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 SymDS;Symantec Data Store;j:\windows\system32\drivers\N360\1403010.016\symds.sys [4/29/2013 1:47 AM 367704]
R0 SymEFA;Symantec Extended File Attributes;j:\windows\system32\drivers\N360\1403010.016\symefa.sys [4/29/2013 1:47 AM 934488]
S0 Lbd;Lbd;j:\windows\system32\DRIVERS\Lbd.sys --> j:\windows\system32\DRIVERS\Lbd.sys [?]
S1 BHDrvx86;BHDrvx86;j:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130412.001\BHDrvx86.sys [4/12/2013 7:53 PM 1000024]
S1 ccSet_N360;Norton 360 Settings Manager;j:\windows\system32\drivers\N360\1403010.016\ccsetx86.sys [4/29/2013 1:47 AM 134304]
S1 SymIRON;Symantec Iron Driver;j:\windows\system32\drivers\N360\1403010.016\ironx86.sys [4/29/2013 1:47 AM 175264]
S2 gupdate1c9a76164ab2998;Google Update Service (gupdate1c9a76164ab2998);j:\program files\Google\Update\GoogleUpdate.exe [3/17/2009 8:35 PM 133104]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;j:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/23/2012 12:37 PM 13672]
S2 LinksysUpdater;Linksys Updater;j:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 3:43 PM 204800]
S2 N360;Norton 360;j:\program files\Norton 360\Engine\20.3.1.22\ccsvchst.exe [4/29/2013 1:47 AM 144520]
S2 SkypeUpdate;Skype Updater;j:\program files\Skype\Updater\Updater.exe [7/13/2012 2:28 PM 160944]
S2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;j:\windows\system32\dllhost.exe [4/14/2008 8:00 AM 5120]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;j:\windows\system32\drivers\CtClsFlt.sys [8/8/2010 7:56 PM 143936]
S3 DCamUSBIntel;USB Video Camera for Intel Proshare technology;j:\windows\system32\drivers\usbintel.sys [4/13/2008 8:15 PM 15872]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;j:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/21/2013 8:42 PM 106656]
S3 IDSxpx86;IDSxpx86;j:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130503.001\IDSXpx86.sys [5/3/2013 9:31 PM 373728]
S3 nosGetPlusHelper;getPlus® Helper 3004;j:\windows\System32\svchost.exe -k nosGetPlusHelper [4/14/2008 8:00 AM 14336]
S3 SymSnapService;SymSnapService;j:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [12/20/2007 5:13 PM 1558000]
S3 V0610Afx;Creative Camera VF0610 Audio Effects Driver;j:\windows\system32\drivers\V0610Afx.sys [8/8/2010 7:59 PM 160256]
S3 V0610Vid;Creative Live! Cam Socialize HD Driver;j:\windows\system32\drivers\V0610Vid.sys [8/8/2010 7:58 PM 274624]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-02 j:\windows\Tasks\AppleSoftwareUpdate.job
- j:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-05-03 j:\windows\Tasks\Google Software Updater.job
- j:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-18 15:51]
.
2013-05-04 j:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- j:\program files\Google\Update\GoogleUpdate.exe [2009-03-18 00:35]
.
2013-05-04 j:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- j:\program files\Google\Update\GoogleUpdate.exe [2009-03-18 00:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.1.1
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://77.105.97.97:8000/activex/AMC.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
MSConfigStartUp-CTFMON - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-03 22:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = j:\documents and settings\Bob\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe??1?"?>? ? ?<?h?e?a?d?>? ? ?<?t?i?t?l?e?>?I?F?r?a?m?e? ?G?e?n?e?r?i?c? ?M?e?s?s?a?g?e?<
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
"ImagePath"="\"j:\program files\Norton 360\Engine\20.3.1.22\ccSvcHst.exe\" /s \"N360\" /m \"j:\program files\Norton 360\Engine\20.3.1.22\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-57989841-1078081533-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*# #´]
@Class="Shell"
.
[HKEY_LOCAL_MACHINE\software\Classes\.xml\PersistentHandler]
@DACL=(02 0000)
@="{7E9D8D44-6926-426F-AA2B-217A819A5CCE}"
.
[HKEY_LOCAL_MACHINE\software\Classes\.xsl\PersistentHandler]
@DACL=(02 0000)
@="{7E9D8D44-6926-426F-AA2B-217A819A5CCE}"
.
Completion time: 2013-05-03 22:29:53
ComboFix-quarantined-files.txt 2013-05-04 02:29
.
Pre-Run: 937,039,290,368 bytes free
Post-Run: 937,419,485,184 bytes free
.
- - End Of File - - 51E39FED1AC76AF7933B93AD9F9EAB5C
  9. Same result. Just hangs at the autoscan screen.
  10. Unfortunately, I am unable to get combofix to run. I have tried it three different times and it always hangs on the autoscan screen. One of the times, I let it go for over three hours just to be sure. All antivirus and firewalls are disabled.
  11. I uninstalled Adobe Reader and installed Foxit. Works fine. I followed the reset of Security Center instructions but it did not fix the delayed firewall problem. I also uninstalled Lavasoft Adaware, which actually appeared to have two separate installations on my PC. Now I also get a message in the Windows notifier pop-up that says "Lavasoft Ad-watch Live Anti-virus reports that it is turned off". Windows security center apparently thinks that I do not have anti-virus running even though I have Norton 360 active and up-to-date. Not sure how I get that message to stop as I don't have any Lavasoft application installed any longer. I also have no idea why Windows Security Center won't recognize Norton 360. One other note: I seem to occasionally get complete freeze-up of any open windows. I can still move the mouse but none of the open apps respond to click. If I hit CTRL-ALT-DEL, everything unfreezes as soon as the Windows Task Manager window pops up. Any ideas? Thanks again.
  12. Windows firewall already set to automatic. Cleared Adware. Log file below. Ran Security Check. Log file below. Thanks.

# AdwCleaner v2.300 - Logfile created 05/01/2013 at 12:26:26
# Updated 28/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Bob - OFFICE-SERVER
# Boot Mode : Normal
# Running from : J:\Documents and Settings\Bob\Desktop\adwcleaner.exe
# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

Folder Deleted : J:\Documents and Settings\Bob\My Documents\Video Downloader

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
Key Deleted : HKU\S-1-5-21-57989841-1078081533-682003330-1004\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [1858 octets] - [30/04/2013 23:50:51]
AdwCleaner[s1].txt - [1657 octets] - [01/05/2013 12:26:26]

########## EOF - J:\AdwCleaner[s1].txt - [1717 octets] ##########

Results of screen317's Security Check version 0.99.63
Windows XP Service Pack 3 x86 (UAC is enabled)
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Lavasoft Ad-Watch Live! Anti-Virus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Ad-Aware
MVPS Hosts File
Spybot - Search & Destroy
Norton Ghost
Malwarebytes Anti-Malware version 1.75.0.1300
Adobe Flash Player 11.2.202.235
Adobe Reader 10.1.6 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive J:: 9%
````````````````````End of Log``````````````````````
  13. Ran windows repair again with repair windows firewall checked. Rebooted. No change. The firewall off message still appears for 1-2 minutes after boot. Ran Adwcleaner search. Nothing in the results that I recognize or want to keep. Here is the log...

# AdwCleaner v2.300 - Logfile created 04/30/2013 at 23:50:51
# Updated 28/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Bob - OFFICE-SERVER
# Boot Mode : Normal
# Running from : J:\Documents and Settings\Bob\Desktop\adwcleaner.exe
# Option [search]

***** [services] *****

***** [Files / Folders] *****

Folder Found : J:\Documents and Settings\Bob\My Documents\Video Downloader

***** [Registry] *****

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Found : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
Key Found : HKU\S-1-5-21-57989841-1078081533-682003330-1003\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : HKU\S-1-5-21-57989841-1078081533-682003330-1004\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [1729 octets] - [30/04/2013 23:50:51]

########## EOF - J:\AdwCleaner[R1].txt - [1789 octets] ##########
  14. Thanks MrC. Drives are already running in DMA mode. I removed a few items with StartupLite. I ran Rogue Killer again and deleted the six items you specified above. There is still one remaining item in the Registry tab that shows up in red font. I posted the latest RK log below. I have not yet re-enabled CD emulation. System is still slower than it used to be (especially on boot-up), but has definitely improved. On a boot, I still get a pop-up balloon from the sys tray with the message "Your computer might be at risk. Windows firewall is turned off." After about a minute, it goes away and Windows firewall appears to turn itself on. Would it also be smart to check for adware as a possible contributor to the system slowness? If so, what do you recommend to scan for it? Any other recommendations?

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Bob [Admin rights]
Mode : Scan -- Date : 04/30/2013 21:11:44
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[12] : NtAlertResumeThread @ 0x805D4BDC -> HOOKED (Unknown @ 0x8B0557E0)
SSDT[13] : NtAlertThread @ 0x805D4B8C -> HOOKED (Unknown @ 0x8B0559F0)
SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AC2 -> HOOKED (Unknown @ 0x8AF72500)
SSDT[19] : NtAssignProcessToJobObject @ 0x805D66A0 -> HOOKED (Unknown @ 0x8B054C60)
SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x8AED5650)
SSDT[43] : NtCreateMutant @ 0x806177F2 -> HOOKED (Unknown @ 0x8B055440)
SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A02 -> HOOKED (Unknown @ 0x8B054970)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0x8AF5B658)
SSDT[57] : NtDebugActiveProcess @ 0x80643C82 -> HOOKED (Unknown @ 0x8B054D40)
SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0x8B09C008)
SSDT[83] : NtFreeVirtualMemory @ 0x805B2FBA -> HOOKED (Unknown @ 0x8B029B68)
SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9332 -> HOOKED (Unknown @ 0x8B055530)
SSDT[91] : NtImpersonateThread @ 0x805D7860 -> HOOKED (Unknown @ 0x8B055720)
SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x8B0106D0)
SSDT[108] : unknown @ 0x805B2042 -> HOOKED (Unknown @ 0x8B020A48)
SSDT[114] : NtOpenEvent @ 0x8060F1B0 -> HOOKED (Unknown @ 0x8B055258)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0x8AD425B8)
SSDT[123] : NtOpenProcessToken @ 0x805EE000 -> HOOKED (Unknown @ 0x8AD06720)
SSDT[125] : NtOpenSection @ 0x805AA3F4 -> HOOKED (Unknown @ 0x8B054EF0)
SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0x8ACF13D0)
SSDT[137] : NtProtectVirtualMemory @ 0x805B8426 -> HOOKED (Unknown @ 0x8B054A60)
SSDT[206] : NtResumeThread @ 0x805D4A18 -> HOOKED (Unknown @ 0x8B055AB0)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0x8B053A70)
SSDT[228] : NtSetInformationProcess @ 0x805CDEA0 -> HOOKED (Unknown @ 0x8B054210)
SSDT[240] : NtSetSystemInformation @ 0x8060FE68 -> HOOKED (Unknown @ 0x8B054778)
SSDT[253] : NtSuspendProcess @ 0x805D4AE0 -> HOOKED (Unknown @ 0x8B054FD0)
SSDT[254] : NtSuspendThread @ 0x805D4952 -> HOOKED (Unknown @ 0x8B053CB8)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0x8AD26A18)
SSDT[258] : unknown @ 0x805D24D2 -> HOOKED (Unknown @ 0x8B053990)
SSDT[267] : NtUnmapViewOfSection @ 0x805B2E50 -> HOOKED (Unknown @ 0x8B054300)
SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (Unknown @ 0x8B029C38)
S_SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8A0D9408)
S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8AF01410)
S_SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8AF8D2A8)
S_SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8AF018D0)
S_SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8AF01950)
S_SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8AEFA1D8)
S_SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8AED21F8)
S_SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x89FEF7B8)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x89FEE840)
S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8B1B90D0)

¤¤¤ HOSTS File: ¤¤¤
--> J:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
192.168.1.2 HP000E7FD4E88F
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1001FALS-00Y6A0 +++++
--- User ---
[MBR] 29c4c383c3910d3cbd7352336f01741e
[bSP] e5689fa077fdbde540f3aa45688e8d30 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953859 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: ST31000333AS +++++
--- User ---
[MBR] d8bc69b26b2ea6cd42733af77250683d
[bSP] 588c4ef17834bb2909ed18f3951fe7ba : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[6]_S_04302013_02d2111.txt >>
RKreport[1]_S_04282013_02d2227.txt ; RKreport[2]_S_04292013_02d1116.txt ; RKreport[3]_S_04292013_02d1140.txt ; RKreport[4]_S_04302013_02d2106.txt ; RKreport[5]_D_04302013_02d2109.txt ; RKreport[6]_S_04302013_02d2111.txt
  15. OK. Making some good progress now. Once I unchecked Registry Permissions, Windows Repair made it through the entire cycle and rebooted. I was then able to run Windows Update and actually download and install the updates. The first time around, I did get a number of SearchFilterHost "file not found" errors, but I haven't seen that message since then. There seems to be a slight speed improvement in some areas since running Windows Repair. One new strange thing that occurs is Windows Firewall seems to be turned off when I first reboot the PC. It pops up with a warning, but after a minute or two it turns itself on. Not sure if this is a major concern, but it didn't used to happen. Do we still need to go back and do something about the line items that were uncovered by Rogue Killer? I don't believe we ever deleted or removed anything that was listed in the report. Also, do we need to re-enable CD emulation that we previously disabled with defogger? Any other tricks to improve speed/performance? Thanks again!
  16. Unfortunately, I'm not able to make any progress with Windows Repair. I have tried it twice. Both times it starts the process but doesn't get very far into the first portion (registry permissions) before the MS "blue screen of death" appears and forces a complete reboot.
  17. Definitely running slow, but that was a problem before I was infected with the MoneyPak trojan. All other applications I have tried seem to be launching and running OK. Just need to fix Windows Update and wish I could speed the PC up a bit.
  19. MBAM has never detected the above items as far as I can recall. They have always shown up when I run Rogue Killer and we have never addressed or removed them. I made the modifications to MBAM and ran it again. Nothing found. Here is the log...

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.29.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Bob :: OFFICE-SERVER [administrator]

4/29/2013 12:29:13 PM
mbam-log-2013-04-29 (12-29-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 317186
Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
  20. Here is the latest RK report...

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Bob [Admin rights]
Mode : Scan -- Date : 04/29/2013 11:40:38
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[sHELL][HJNAME] HKCU\[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND
[sHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1003[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND
[sHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1004[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND
[sHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1005[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND
[sHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1007[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND
[sHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1009[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[12] : NtAlertResumeThread @ 0x805D4BDC -> HOOKED (Unknown @ 0x8B190070)
SSDT[13] : NtAlertThread @ 0x805D4B8C -> HOOKED (Unknown @ 0x8B190130)
SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AC2 -> HOOKED (Unknown @ 0x8AF54120)
SSDT[19] : NtAssignProcessToJobObject @ 0x805D66A0 -> HOOKED (Unknown @ 0x8B109CA8)
SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x8AF094B0)
SSDT[43] : NtCreateMutant @ 0x806177F2 -> HOOKED (Unknown @ 0x8B1A1120)
SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A02 -> HOOKED (Unknown @ 0x8B1D5458)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0x8AEC0B80)
SSDT[57] : NtDebugActiveProcess @ 0x80643C82 -> HOOKED (Unknown @ 0x8B109D88)
SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0x8AF6F2E8)
SSDT[83] : NtFreeVirtualMemory @ 0x805B2FBA -> HOOKED (Unknown @ 0x8AF55090)
SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9332 -> HOOKED (Unknown @ 0x8B1D6960)
SSDT[91] : NtImpersonateThread @ 0x805D7860 -> HOOKED (Unknown @ 0x8B1D6A20)
SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x8AEBD290)
SSDT[108] : unknown @ 0x805B2042 -> HOOKED (Unknown @ 0x8AF5C150)
SSDT[114] : NtOpenEvent @ 0x8060F1B0 -> HOOKED (Unknown @ 0x8B1A1060)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0x8AF5B418)
SSDT[123] : NtOpenProcessToken @ 0x805EE000 -> HOOKED (Unknown @ 0x8B0210E8)
SSDT[125] : NtOpenSection @ 0x805AA3F4 -> HOOKED (Unknown @ 0x8B24BC88)
SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0x8AF5B348)
SSDT[137] : NtProtectVirtualMemory @ 0x805B8426 -> HOOKED (Unknown @ 0x8B1D5548)
SSDT[206] : NtResumeThread @ 0x805D4A18 -> HOOKED (Unknown @ 0x8B1D0C40)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0x8AF10748)
SSDT[228] : NtSetInformationProcess @ 0x805CDEA0 -> HOOKED (Unknown @ 0x8AF5A160)
SSDT[240] : NtSetSystemInformation @ 0x8060FE68 -> HOOKED (Unknown @ 0x8AF640E8)
SSDT[253] : NtSuspendProcess @ 0x805D4AE0 -> HOOKED (Unknown @ 0x8B24BD48)
SSDT[254] : NtSuspendThread @ 0x805D4952 -> HOOKED (Unknown @ 0x8B1D0D00)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0x8AFB3668)
SSDT[258] : unknown @ 0x805D24D2 -> HOOKED (Unknown @ 0x8AF54058)
SSDT[267] : NtUnmapViewOfSection @ 0x805B2E50 -> HOOKED (Unknown @ 0x8AD8D128)
SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (Unknown @ 0x8AF55160)
S_SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8AEC4300)
S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8AEBE2A8)
S_SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8AEBD300)
S_SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8AED62F8)
S_SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8AEC33C8)
S_SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8AEB9080)
S_SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8AED02B0)
S_SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8AF421F0)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8AF4B1A8)
S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8AECA330)

¤¤¤ HOSTS File: ¤¤¤
--> J:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
192.168.1.2 HP000E7FD4E88F
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1001FALS-00Y6A0 +++++
--- User ---
[MBR] 29c4c383c3910d3cbd7352336f01741e
[bSP] e5689fa077fdbde540f3aa45688e8d30 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953859 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: ST31000333AS +++++
--- User ---
[MBR] d8bc69b26b2ea6cd42733af77250683d
[bSP] 588c4ef17834bb2909ed18f3951fe7ba : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3]_S_04292013_02d1140.txt >>
RKreport[1]_S_04282013_02d2227.txt ; RKreport[2]_S_04292013_02d1116.txt ; RKreport[3]_S_04292013_02d1140.txt
  21. Just ran Rogue Killer. Here is the latest RK log file...

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Bob [Admin rights]
Mode : Scan -- Date : 04/29/2013 11:16:00
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[RUN][sUSP PATH] HKLM\[...]\RunOnce : Z1 (cmd /c "J:\Documents and Settings\Bob\Desktop\MWB Anti-Rootkit\MBAR Extract\mbar\mbar.exe" /cleanup /s) [7] -> FOUND
[sHELL][HJNAME] HKCU\[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND
[sHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1003[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND
[sHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1004[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND
[sHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1005[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND
[sHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1007[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[12] : NtAlertResumeThread @ 0x805D4BDC -> HOOKED (Unknown @ 0x8A7F33B0)
SSDT[13] : NtAlertThread @ 0x805D4B8C -> HOOKED (Unknown @ 0x8A7EBBC8)
SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AC2 -> HOOKED (Unknown @ 0x8A77D5B0)
SSDT[19] : NtAssignProcessToJobObject @ 0x805D66A0 -> HOOKED (Unknown @ 0x8B096178)
SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x8AD2C258)
SSDT[43] : NtCreateMutant @ 0x806177F2 -> HOOKED (Unknown @ 0x8A9646F0)
SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A02 -> HOOKED (Unknown @ 0x8B055268)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0x8A77BA18)
SSDT[57] : NtDebugActiveProcess @ 0x80643C82 -> HOOKED (Unknown @ 0x8AD1D378)
SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0x8A73BC08)
SSDT[83] : NtFreeVirtualMemory @ 0x805B2FBA -> HOOKED (Unknown @ 0x8A78A3B0)
SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9332 -> HOOKED (Unknown @ 0x8A7EA510)
SSDT[91] : NtImpersonateThread @ 0x805D7860 -> HOOKED (Unknown @ 0x8B0633E8)
SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x8AE943B0)
SSDT[108] : unknown @ 0x805B2042 -> HOOKED (Unknown @ 0x8A7403B0)
SSDT[114] : NtOpenEvent @ 0x8060F1B0 -> HOOKED (Unknown @ 0x8A5C94B8)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (\??\J:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB03A9C4C)
SSDT[123] : NtOpenProcessToken @ 0x805EE000 -> HOOKED (Unknown @ 0x8B0458A0)
SSDT[125] : NtOpenSection @ 0x805AA3F4 -> HOOKED (Unknown @ 0x8AE79500)
SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (\??\J:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB03A9D3C)
SSDT[137] : NtProtectVirtualMemory @ 0x805B8426 -> HOOKED (Unknown @ 0x8AD2A150)
SSDT[206] : NtResumeThread @ 0x805D4A18 -> HOOKED (Unknown @ 0x8B006C70)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0x8A72CD40)
SSDT[228] : NtSetInformationProcess @ 0x805CDEA0 -> HOOKED (Unknown @ 0x8A735740)
SSDT[240] : NtSetSystemInformation @ 0x8060FE68 -> HOOKED (Unknown @ 0x8B033278)
SSDT[253] : NtSuspendProcess @ 0x805D4AE0 -> HOOKED (Unknown @ 0x8AE7DD40)
SSDT[254] : NtSuspendThread @ 0x805D4952 -> HOOKED (Unknown @ 0x8A619860)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0x8AD0EB08)
SSDT[258] : unknown @ 0x805D24D2 -> HOOKED (Unknown @ 0x8AED6740)
SSDT[267] : NtUnmapViewOfSection @ 0x805B2E50 -> HOOKED (Unknown @ 0x8A973D10)
SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (Unknown @ 0x8A5B3420)
S_SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8B064600)
S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8B04E248)
S_SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A733440)
S_SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8B04E280)
S_SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8B00B860)
S_SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8A73C1E0)
S_SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8A73EAA8)
S_SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8A73C6C0)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A7F4440)
S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8AF278C0)

¤¤¤ HOSTS File: ¤¤¤
--> J:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
192.168.1.2 HP000E7FD4E88F
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1001FALS-00Y6A0 +++++
--- User ---
[MBR] 29c4c383c3910d3cbd7352336f01741e
[bSP] e5689fa077fdbde540f3aa45688e8d30 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953859 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: ST31000333AS +++++
--- User ---
[MBR] d8bc69b26b2ea6cd42733af77250683d
[bSP] 588c4ef17834bb2909ed18f3951fe7ba : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_S_04292013_02d1116.txt >>
RKreport[1]_S_04282013_02d2227.txt ; RKreport[2]_S_04292013_02d1116.txt
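Added example (not from the thread, and not RogueKiller's own code): a small Python triage script for the RogueKiller reports pasted in posts 14, 20 and 21. It does the two things a practitioner wants from these reports. First, it groups the hooked SSDT and shadow-SSDT entries by the module RogueKiller attributed them to, so the hooks it could name (here `mbamchameleon.sys`, from the Malwarebytes tooling the poster was running at the time) are separated from the `Unknown` ones that still need an owner; the report alone does not say which loaded driver owns an `Unknown` hook, and on a box with Norton 360 installed its kernel drivers are a plausible but unverified candidate. Second, it checks each Winlogon `Userinit` value against the real system root: Windows here lives on `J:`, while every flagged value points at `C:\Windows\system32\userinit.exe`, which is consistent with the `[x]` RogueKiller prints beside the path (read here as "file not found"; that reading is an assumption). The sample report is constructed from lines in the posts above; the tag appears as `[sHELL]` in the pasted text, so the match is case-insensitive.

```python
import ntpath
import re

# Constructed sample: a handful of lines copied from the RogueKiller reports
# posted in this thread. A full report has about forty hook lines.
SAMPLE_REPORT = r"""
[RUN][sUSP PATH] HKLM\[...]\RunOnce : Z1 (cmd /c "J:\Documents and Settings\Bob\Desktop\MWB Anti-Rootkit\MBAR Extract\mbar\mbar.exe" /cleanup /s) [7] -> FOUND
[sHELL][HJNAME] HKCU\[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND
[sHELL][HJNAME] HKUS\S-1-5-21-57989841-1078081533-682003330-1003[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe) [x] -> FOUND
SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x8AE943B0)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (\??\J:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB03A9C4C)
SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (\??\J:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB03A9D3C)
S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8B04E248)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A7F4440)
"""

# SSDT[n] : Func @ 0xADDR -> HOOKED (owner @ 0xADDR)
# Shadow-table lines (S_SSDT) omit the original address.
HOOK_RE = re.compile(
    r"^(?P<table>S_SSDT|SSDT)\[(?P<index>\d+)\] : (?P<func>\S+)"
    r"(?: @ 0x[0-9A-Fa-f]+)? -> HOOKED \((?P<owner>.+?) @ (?P<addr>0x[0-9A-Fa-f]+)\)$"
)

# [SHELL][HJNAME] <hive>\[...]\Winlogon : Userinit (<value>) [<flag>] -> FOUND
# Case-insensitive because the forum rendered the tag as [sHELL].
USERINIT_RE = re.compile(
    r"^\[shell\]\[hjname\] (?P<hive>.+?)\\?\[\.\.\.\]\\Winlogon : Userinit "
    r"\((?P<value>[^)]*)\) \[(?P<flag>[^\]]*)\] -> FOUND$",
    re.IGNORECASE,
)


def parse_hooks(report):
    """Return one dict (table, index, func, owner, addr) per hooked syscall."""
    hooks = []
    for line in report.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(m.groupdict())
    return hooks


def summarize_hooks(hooks):
    """Group hooked syscall names by the module RogueKiller attributed them to.

    'Unknown' means the hook address was not inside any module RogueKiller
    could name; those are the entries that still need an owner (a second
    anti-rootkit tool, or a list of the installed security products' drivers).
    """
    by_owner = {}
    for h in hooks:
        by_owner.setdefault(h["owner"], []).append(h["func"])
    return by_owner


def parse_userinit(report):
    """Return (hive, value, flag) for each Winlogon Userinit entry reported."""
    found = []
    for line in report.splitlines():
        m = USERINIT_RE.match(line.strip())
        if m:
            found.append((m["hive"], m["value"], m["flag"]))
    return found


def check_userinit(value, system_root):
    """Return a list of problems with a Winlogon Userinit value.

    Userinit is a comma-separated list of programs Winlogon runs at logon.
    The only entry expected is <system_root>\\system32\\userinit.exe; anything
    else is either a hijack or, as on the machine in this thread, a path on
    the wrong drive (Windows on J:, value pointing at C:). Comparison is
    case-insensitive, as NTFS paths are.
    """
    expected = ntpath.join(system_root, "system32", "userinit.exe").lower()
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    if not entries:
        return ["Userinit is empty: Winlogon would start nothing at logon"]
    return [f"{e}: expected {expected}" for e in entries if e.lower() != expected]


def triage(report, system_root):
    """Run both checks over one report and return the combined summary."""
    hooks = summarize_hooks(parse_hooks(report))
    userinit = [
        (hive, value, flag, check_userinit(value, system_root))
        for hive, value, flag in parse_userinit(report)
    ]
    return {"hooks_by_owner": hooks, "userinit": userinit}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT, r"J:\WINDOWS")
    for owner, funcs in result["hooks_by_owner"].items():
        print(f"{owner}: {', '.join(funcs)}")
    for hive, value, flag, problems in result["userinit"]:
        print(f"{hive}: Userinit={value} [{flag}] {problems or 'OK'}")
```

To run it against a full report, read the RKreport text file and pass it to `triage()` together with the real system root (`%SystemRoot%` on the affected machine, which is `J:\WINDOWS` in this thread). Hook addresses change between boots, as the three reports above show, so the grouping keys on the owner and syscall name rather than on the address.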
  22. Sorry... I neglected to mention that I already did run fixdamage yesterday and it did not change the outcome. I ran MBAR again this morning and nothing was found. Also re-ran fixdamage. I was able to get Windows Update to at least scan my system and provide a list of available updates (no critical updates, but several optional updates). Any attempt to install one or more of the updates (either HW or SW updates) hangs for a few minutes, then fails to install (returns a failure message).
  23. Ran MBAR. First run detected 10 instances of malware. Used cleanup to remove. Rebooted and ran MBAR scan again. No additional malware found. Log files below. Internet access and Windows firewall appear to be working OK, but Windows Update is not. Attempting to run Windows Update and/or Microsoft Update is VERY slow. Almost goes to 'not responding' state. Returns message: "Files required to use Microsoft Update are no longer registered or installed on your computer." Offers option to "Register or reinstall the files for me now." Appears to download software. Screen says "Registering 100%". Returns error message: "The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem." Options are generic MS FAQs or a link to online MS support. How can I restore Windows Update? Thanks. System log file attached. Log files from MBAR follow...

Malwarebytes Anti-Rootkit BETA 1.05.0.1001
www.malwarebytes.org

Database version: v2013.04.29.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Bob :: OFFICE-SERVER [administrator]

4/28/2013 11:45:17 PM
mbar-log-2013-04-28 (23-45-17).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 29419
Time elapsed: 7 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 6
j:\RECYCLER\S-1-5-18\$858d097930831b36089b39a3c55210d3\U (Trojan.Siredef.C) -> Delete on reboot.
j:\RECYCLER\S-1-5-21-57989841-1078081533-682003330-1003\$858d097930831b36089b39a3c55210d3\U (Trojan.Siredef.C) -> Delete on reboot.
j:\RECYCLER\S-1-5-18\$858d097930831b36089b39a3c55210d3\L (Trojan.Siredef.C) -> Delete on reboot.
j:\RECYCLER\S-1-5-21-57989841-1078081533-682003330-1003\$858d097930831b36089b39a3c55210d3\L (Trojan.Siredef.C) -> Delete on reboot.
j:\RECYCLER\S-1-5-18\$858d097930831b36089b39a3c55210d3 (Trojan.Siredef.C) -> Delete on reboot.
j:\RECYCLER\S-1-5-21-57989841-1078081533-682003330-1003\$858d097930831b36089b39a3c55210d3 (Trojan.Siredef.C) -> Delete on reboot.

Files Detected: 4
j:\Documents and Settings\Bob\Local Settings\Temp\hfgTy68aaa.tmp.exe (Trojan.Winlock) -> Delete on reboot.
j:\RECYCLER\S-1-5-18\$858d097930831b36089b39a3c55210d3\L\00000004.@ (Trojan.Siredef.C) -> Delete on reboot.
j:\RECYCLER\S-1-5-18\$858d097930831b36089b39a3c55210d3\L\201d3dde (Trojan.Siredef.C) -> Delete on reboot.
j:\RECYCLER\S-1-5-18\$858d097930831b36089b39a3c55210d3\L\76603ac3 (Trojan.Siredef.C) -> Delete on reboot.

(end)

Malwarebytes Anti-Rootkit BETA 1.05.0.1001
www.malwarebytes.org

Database version: v2013.04.29.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Bob :: OFFICE-SERVER [administrator]

4/29/2013 12:15:12 AM
mbar-log-2013-04-29 (00-15-12).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 29322
Time elapsed: 7 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

system-log.txt
  24. RK - 32 bit ran successfully. Here is the output quarantine report...

Time : 28/04/2013 22:27:42
--------------------------
ERROR [userinit.exe.vir] -> C:\Windows\system32\userinit.exe
ERROR [userinit.exe.vir] -> C:\Windows\system32\userinit.exe
ERROR [userinit.exe.vir] -> C:\Windows\system32\userinit.exe
ERROR [userinit.exe.vir] -> C:\Windows\system32\userinit.exe
ERROR [userinit.exe.vir] -> C:\Windows\system32\userinit.exe