David1979

  1. Ok, I have updated the programs. I'm running Avast, Zone Alarm and will update and run Malwarebytes regularly. Thank you very much. Shouldn't I just keep the tools on my computer just in case I need them?
  2. Results of screen317's Security Check version 0.99.68
     Windows XP Service Pack 4 x86
     Out of date service pack!!
     Internet Explorer 6 Out of date!
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Enabled!
     avast! Antivirus
     Antivirus up to date! (On Access scanning disabled!)
     `````````Anti-malware/Other Utilities Check:`````````
     Malwarebytes Anti-Malware version 1.75.0.1300
     Java 7 Update 15
     Java version out of Date!
     Adobe Flash Player 11.8.800.88
     Adobe Reader 9 Adobe Reader out of Date!
     Mozilla Firefox (5.0.1)
     Google Chrome 27.0.1453.110
     Google Chrome 27.0.1453.116
     Google Chrome plugins...
     Google Chrome plugins(2)...
     ````````Process Check: objlist.exe by Laurent````````
     AVAST Software Avast AvastSvc.exe
     AVAST Software Avast avastUI.exe
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C:: 17% Defragment your hard drive soon! (Do NOT defrag if SSD!)
     ````````````````````End of Log``````````````````````
  3. # AdwCleaner v2.304 - Logfile created 07/03/2013 at 18:58:58
     # Updated 03/07/2013 by Xplode
     # Operating system : Microsoft Windows XP Service Pack 3, v.3264 (32 bits)
     # User : BOSS - COMPANY-D80ED77
     # Boot Mode : Normal
     # Running from : C:\Documents and Settings\BOSS\Desktop\ANTI-VIRUS\adwcleaner.exe
     # Option [Delete]
  4. ComboFix 13-07-03.01 - BOSS 07/03/2013 17:28:05.3.2 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1251.7.1033.18.3001.2438 [GMT 1:00]
     Running from: c:\documents and settings\BOSS\Desktop\ANTI-VIRUS\ComboFix.exe
     Command switches used :: c:\documents and settings\BOSS\Desktop\ANTI-VIRUS\CFScript.txt
     AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
     FW: ZoneAlarm Free Firewall Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
  5. C:\Documents and Settings\BOSS\Application Data\Real\Update\UpgradeHelper\RealPlayer\9.11\stub_exe\RealPlayer.exe a variant of Win32/Kryptik.AXGG trojan
     C:\Kernel\r00t3r VBS/AutoRun.HW worm
     C:\Program Files\Common Files\Real\Update_OB\realonemessagecenter.exe a variant of Win32/Kryptik.AXGG trojan
     C:\Program Files\FLV Pro Player\player.swf Win32/Adware.FlvDirect application
     C:\system32\blood.dat VBS/AutoRun.HW worm
     D:\My Documents\Downloads\cbsidlm-tr1_7-DivX_Plus_Software-10062728.exe Win32/DownloadAdmin.D application
     D:\My Documents\Downloads\cbsidlm-tr1_7-River_Past_Video_Cleaner-10209573 (1).exe Win32/DownloadAdmin.D application
     D:\My Documents\Downloads\cbsidlm-tr1_7-River_Past_Video_Cleaner-10209573.exe Win32/DownloadAdmin.D application
  6. ComboFix 13-06-27.02 - BOSS 06/27/2013 23:05:23.2.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1251.7.1033.18.3001.1915 [GMT 1:00] Running from: c:\documents and settings\BOSS\Desktop\ANTI-VIRUS\ComboFix.exe Command switches used :: c:\documents and settings\BOSS\Desktop\ANTI-VIRUS\CFScript.txt AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D} FW: ZoneAlarm Free Firewall Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B} . . ((((((((((((((((((((((((( Files Created from 2013-05-27 to 2013-06-27 ))))))))))))))))))))))))))))))) . . 2013-06-20 18:08 . 2013-06-20 18:08 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Google 2013-06-11 23:41 . 2013-06-11 23:41 -------- dc----w- C:\FRST 2013-06-11 09:51 . 2013-06-11 09:51 -------- d-----w- c:\program files\Common Files\Skype 2013-06-11 09:51 . 2013-06-11 18:34 -------- d-----r- c:\program files\Skype 2013-06-10 12:06 . 2013-06-27 19:04 369584 ----a-w- c:\windows\system32\drivers\aswSP.sys 2013-06-10 12:06 . 2013-05-09 08:59 29816 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys 2013-06-10 12:06 . 2013-05-09 08:59 49760 ----a-w- c:\windows\system32\drivers\aswRdr.sys 2013-06-10 12:06 . 2013-05-09 08:59 56080 ----a-w- c:\windows\system32\drivers\aswTdi.sys 2013-06-10 12:06 . 2013-06-27 19:04 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys 2013-06-10 12:06 . 2013-06-27 19:04 175176 ----a-w- c:\windows\system32\drivers\aswVmm.sys 2013-06-10 12:06 . 2013-05-09 08:59 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys 2013-06-10 12:06 . 2013-05-09 08:59 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys 2013-06-10 12:06 . 2013-05-09 08:58 229648 ----a-w- c:\windows\system32\aswBoot.exe 2013-06-10 12:05 . 2013-05-09 08:58 41664 ----a-w- c:\windows\avastSS.scr 2013-06-10 12:05 . 2013-06-10 12:05 -------- d-----w- c:\program files\AVAST Software 2013-06-10 12:02 . 
2013-06-10 12:05 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software 2013-06-10 11:51 . 2013-06-10 11:51 -------- d-----w- c:\documents and settings\BOSS\Application Data\CheckPoint 2013-06-10 11:46 . 2013-06-10 11:46 -------- d-----w- c:\program files\Check Point Software Technologies LTD 2013-06-10 11:46 . 2013-06-12 06:50 -------- d-----w- c:\documents and settings\BOSS\Application Data\Check Point Software Technologies LTD 2013-06-10 11:46 . 2013-06-10 11:48 -------- d-----w- c:\program files\CheckPoint 2013-06-10 11:44 . 2013-06-10 11:44 -------- d-----w- c:\documents and settings\All Users\Application Data\CheckPoint . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2013-06-24 11:30 . 2012-04-29 05:18 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2013-06-24 11:30 . 2011-06-01 13:14 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2013-04-04 13:50 . 2010-05-19 05:33 22856 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-07-08 07:16 . 2011-07-22 10:52 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll 2008-06-30 11:44 . 2010-02-11 20:39 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast] @="{472083B0-C522-11CF-8763-00608CC02F24}" [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}] 2013-05-09 08:58 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay] @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}" [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}] 2013-06-06 22:57 578512 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay] @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}" . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay] @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}" [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}] 2013-06-06 22:57 578512 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay] @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}" . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay] @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}" [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}] 2013-06-06 22:57 578512 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay] @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}" [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}] 2013-06-06 22:57 578512 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay] @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}" [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}] 2013-06-06 22:57 578512 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-06-06 22:57 578512 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-06-03 19604072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-05 1410344]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-13 17508864]
"PLFSetL"="c:\windows\PLFSetL.exe" [2008-07-03 94208]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-18 150040]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-18 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-18 178712]
"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-07-18 53248]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"DivXMediaServer"="c:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2012-11-13 450560]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2012-11-30 1263512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2013-03-27 73832]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-05-09 4858968]
"ISW"="" [BU]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2007-11-30 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Nero BackItUp Scheduler 3"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera 10.50 Beta\\opera.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\BOSS\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\FreeCall.com\\FreeCall\\FreeCall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [6/10/2013 1:06 PM 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [6/10/2013 1:06 PM 175176]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [6/10/2013 1:06 PM 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/10/2013 1:06 PM 369584]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [10/8/2011 11:47 PM 232512]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/10/2013 1:06 PM 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [6/10/2013 1:06 PM 66336]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/22/2012 3:33 PM 27056]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/22/2012 3:33 PM 497320]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [6/7/2009 1:20 PM 61440]
R3 k57w2k;Broadcom NetLink Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2/11/2010 9:23 PM 186880]
S2 gupdate1cac3e2ce595d4e;Google Update Service (gupdate1cac3e2ce595d4e);c:\program files\Google\Update\GoogleUpdate.exe [3/15/2010 2:57 AM 133104]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [6/3/2013 4:34 PM 162408]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/12/2010 2:14 PM 1684736]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [3/12/2013 9:36 PM 117248]
S3 flash;flash;\??\e:\install\BIOS_ACER_1.25_Windows_Aspire 5738\Winflash32\flash.sys --> e:\install\BIOS_ACER_1.25_Windows_Aspire 5738\Winflash32\flash.sys [?]
S3 hspa_zi_cdc_acm;HSPA Mobile Connect CDC-ACM driver;c:\windows\system32\drivers\hspa_zi_cdc_acm.sys [3/20/2013 3:16 PM 67968]
S3 hspa_zi_cdc_ecm;hspa_zi_cdc_ecm;c:\windows\system32\drivers\hspa_zi_cdc_ecm.sys [3/20/2013 3:16 PM 32768]
S3 hspa_zi_ecm_enum;HSPA Mobile Connect DC Enumerator;c:\windows\system32\drivers\hspa_zi_ecm_enum.sys [3/20/2013 3:16 PM 47488]
S3 hspa_zi_ecm_enum_filter;hspa_zi_ecm_enum_filter;c:\windows\system32\drivers\hspa_zi_ecm_enum_filter.sys [3/20/2013 3:16 PM 47488]
S3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\drivers\ew_jucdcacm.sys [3/12/2013 9:36 PM 91136]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [3/12/2013 9:36 PM 85504]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys --> c:\windows\system32\DRIVERS\ewusbfake.sys [?]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2/11/2010 10:26 PM 158720]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - MBAMSwissArmy
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-21 06:31 1165776 ----a-w- c:\program files\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-29 11:30]
.
2013-06-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 20:57]
.
2013-06-27 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-06-10 08:58]
.
2013-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-15 01:56]
.
2013-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-15 01:56]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\BOSS\Application Data\Mozilla\Firefox\Profiles\5mwlzyk8.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-27 23:19
Windows 5.1.2600 Service Pack 3, v.3264 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_88_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_88_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_75_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_75_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1276)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(1332)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(4660)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\Google\Drive\googledrivesync32.dll
.
Completion time: 2013-06-27 23:20:57
ComboFix-quarantined-files.txt 2013-06-27 22:20
ComboFix2.txt 2013-06-27 14:06
.
Pre-Run: 8,605,405,184 bytes free
Post-Run: 8,677,677,056 bytes free
.
- - End Of File - - 76EF0F57393CEEEB748F46E4394CB6E1
8F558EB6672622401DA993E1E865C861
7. ComboFix 13-06-27.01 - BOSS 06/27/2013 14:52:34.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1033.18.3001.1660 [GMT 1:00]
Running from: c:\documents and settings\BOSS\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Free Firewall Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\AUTORUN.INF
c:\documents and settings\BOSS\Application Data\Mozilla\Firefox\Profiles\5mwlzyk8.default\searchplugins\SearchquWebSearch.xml
c:\documents and settings\BOSS\Application Data\VAP
c:\program files\Mozilla Firefox\searchplugins\SearchquWebSearch.xml
c:\windows\system32\B052B792CC.dll
c:\windows\system32\drivers\etc\hosts.ics
d:\my documents\~WRL0214.tmp
d:\my documents\~WRL3518.tmp
.
.
((((((((((((((((((((((((( Files Created from 2013-05-27 to 2013-06-27 )))))))))))))))))))))))))))))))
.
.
2013-06-27 06:11 . 2013-06-27 06:12 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-06-20 18:08 . 2013-06-20 18:08 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Google
2013-06-11 23:41 . 2013-06-11 23:41 -------- dc----w- C:\FRST
2013-06-11 09:51 . 2013-06-11 09:51 -------- d-----w- c:\program files\Common Files\Skype
2013-06-11 09:51 . 2013-06-11 18:34 -------- d-----r- c:\program files\Skype
2013-06-10 12:06 . 2013-06-27 06:09 369456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-06-10 12:06 . 2013-05-09 08:59 29816 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-06-10 12:06 . 2013-05-09 08:59 49760 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-06-10 12:06 . 2013-05-09 08:59 56080 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-06-10 12:06 . 2013-06-27 06:09 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-06-10 12:06 . 2013-05-09 08:59 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-06-10 12:06 . 2013-05-09 08:59 174664 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-06-10 12:06 . 2013-05-09 08:59 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-06-10 12:06 . 2013-05-09 08:58 229648 ----a-w- c:\windows\system32\aswBoot.exe
2013-06-10 12:05 . 2013-05-09 08:58 41664 ----a-w- c:\windows\avastSS.scr
2013-06-10 12:05 . 2013-06-10 12:05 -------- d-----w- c:\program files\AVAST Software
2013-06-10 12:02 . 2013-06-10 12:05 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2013-06-10 11:51 . 2013-06-10 11:51 -------- d-----w- c:\documents and settings\BOSS\Application Data\CheckPoint
2013-06-10 11:46 . 2013-06-10 11:46 -------- d-----w- c:\program files\Check Point Software Technologies LTD
2013-06-10 11:46 . 2013-06-12 06:50 -------- d-----w- c:\documents and settings\BOSS\Application Data\Check Point Software Technologies LTD
2013-06-10 11:46 . 2013-06-10 11:48 -------- d-----w- c:\program files\CheckPoint
2013-06-10 11:44 . 2013-06-10 11:44 -------- d-----w- c:\documents and settings\All Users\Application Data\CheckPoint
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-24 11:30 . 2012-04-29 05:18 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-24 11:30 . 2011-06-01 13:14 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-04 13:50 . 2010-05-19 05:33 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-08 07:16 . 2011-07-22 10:52 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2008-06-30 11:44 . 2010-02-11 20:39 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-05-09 08:58 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-06-06 22:57 578512 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-06-06 22:57 578512 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-06-06 22:57 578512 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2013-06-06 22:57 578512 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-06-06 22:57 578512 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-06-06 22:57 578512 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-06-03 19604072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-05 1410344]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-13 17508864]
"PLFSetL"="c:\windows\PLFSetL.exe" [2008-07-03 94208]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-18 150040]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-18 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-18 178712]
"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-07-18 53248]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"DivXMediaServer"="c:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2012-11-13 450560]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2012-11-30 1263512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2013-03-27 73832]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-05-09 4858968]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2007-11-30 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disabletaskmgr"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Nero BackItUp Scheduler 3"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera 10.50 Beta\\opera.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\BOSS\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\FreeCall.com\\FreeCall\\FreeCall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [6/10/2013 1:06 PM 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [6/10/2013 1:06 PM 174664]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [6/10/2013 1:06 PM 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/10/2013 1:06 PM 369456]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [10/8/2011 11:47 PM 232512]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/10/2013 1:06 PM 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [6/10/2013 1:06 PM 66336]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/22/2012 3:33 PM 27056]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/22/2012 3:33 PM 497320]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [6/7/2009 1:20 PM 61440]
R3 k57w2k;Broadcom NetLink Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2/11/2010 9:23 PM 186880]
S2 gupdate1cac3e2ce595d4e;Google Update Service (gupdate1cac3e2ce595d4e);c:\program files\Google\Update\GoogleUpdate.exe [3/15/2010 2:57 AM 133104]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [6/3/2013 4:34 PM 162408]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/12/2010 2:14 PM 1684736]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [3/12/2013 9:36 PM 117248]
S3 flash;flash;\??\e:\install\BIOS_ACER_1.25_Windows_Aspire 5738\Winflash32\flash.sys --> e:\install\BIOS_ACER_1.25_Windows_Aspire 5738\Winflash32\flash.sys [?]
S3 hspa_zi_cdc_acm;HSPA Mobile Connect CDC-ACM driver;c:\windows\system32\drivers\hspa_zi_cdc_acm.sys [3/20/2013 3:16 PM 67968]
S3 hspa_zi_cdc_ecm;hspa_zi_cdc_ecm;c:\windows\system32\drivers\hspa_zi_cdc_ecm.sys [3/20/2013 3:16 PM 32768]
S3 hspa_zi_ecm_enum;HSPA Mobile Connect DC Enumerator;c:\windows\system32\drivers\hspa_zi_ecm_enum.sys [3/20/2013 3:16 PM 47488]
S3 hspa_zi_ecm_enum_filter;hspa_zi_ecm_enum_filter;c:\windows\system32\drivers\hspa_zi_ecm_enum_filter.sys [3/20/2013 3:16 PM 47488]
S3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\drivers\ew_jucdcacm.sys [3/12/2013 9:36 PM 91136]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [3/12/2013 9:36 PM 85504]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys --> c:\windows\system32\DRIVERS\ewusbfake.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/27/2013 7:11 AM 40776]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2/11/2010 10:26 PM 158720]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-21 06:31 1165776 ----a-w- c:\program files\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-29 11:30]
.
2013-06-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 20:57]
.
2013-06-27 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-06-10 08:58]
.
2013-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-15 01:56]
.
2013-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-15 01:56]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.43.1
FF - ProfilePath - c:\documents and settings\BOSS\Application Data\Mozilla\Firefox\Profiles\5mwlzyk8.default\
FF - user.js: extensions.funmoods.hmpg - true
FF - user.js: extensions.funmoods.dfltSrch - true
FF - user.js: extensions.funmoods.srchPrvdr - Search
FF - user.js: extensions.funmoods.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods.id - 904CE5077CDB14B9
FF - user.js: extensions.funmoods.instlDay - 15600
FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.220:27
FF - user.js: extensions.funmoods.prtnrId - funmoods
FF - user.js: extensions.funmoods.prdct - funmoods
FF - user.js: extensions.funmoods.aflt - ironpub
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods.tlbrId - base
FF - user.js: extensions.funmoods.instlRef - ironpub
FF - user.js: extensions.funmoods.dfltLng -
FF - user.js: extensions.funmoods.excTlbr - false
FF - user.js: extensions.funmoods.autoRvrt - false
FF - user.js: extensions.funmoods.envrmnt - production
FF - user.js: extensions.funmoods.isdcmntcmplt - true
FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
HKCU-Run-tmp - (no file)
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
HKLM-Run-NeroFilterCheck - c:\program files\Common Files\Nero\Lib\NeroCheck.exe
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
HKLM-Run-ACU - c:\program files\Atheros\ACU.exe
HKLM-Run-ISW - (no file)
AddRemove-Windows Essentials Media Codec Pack - c:\program files\Essentials Codec Pack\uninst.exe
AddRemove-{28006915-2739-4EBE-B5E8-49B25D32EB33} - c:\program files\InstallShield Installation Information\{28006915-2739-4EBE-B5E8-49B25D32EB33}\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-27 15:04
Windows 5.1.2600 Service Pack 3, v.3264 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_88_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_88_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_75_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_75_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1276)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(1332)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2013-06-27 15:06:46
ComboFix-quarantined-files.txt 2013-06-27 14:06
.
Pre-Run: 6,550,022,144 bytes free
Post-Run: 8,671,672,320 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 33ACECD9B6B0DB1A3B1B3D3B51286D2E
8F558EB6672622401DA993E1E865C861
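The ComboFix log in this post carries several settings a helper on the thread would flag before anything else: Task Manager disabled by policy (the same key MBAM later reports as PUM.Hijack.TaskManager), Security Center monitoring switched off, TCP 3389 opened globally in the XP firewall, an empty "ISW" Run entry, and the deleted files (autorun.inf at the drive root, a random hex-named DLL in system32, a hosts.ics file). The script below is an added example, not part of the thread and not ComboFix or Malwarebytes code; it parses a ComboFix-style excerpt and reports those indicators. The sample lines are constructed from the logs posted above, and the rules and severities are my own triage heuristics, not anything the tools themselves emit.

```python
"""Triage a ComboFix-style log excerpt for the indicators seen in this thread.
Added example; the rules below are my heuristics, not ComboFix or MBAM logic."""
import re

# Constructed sample: lines copied or adapted from the ComboFix logs above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\AUTORUN.INF
c:\windows\system32\B052B792CC.dll
c:\windows\system32\drivers\etc\hosts.ics
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-06-03 19604072]
"ISW"="" [BU]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disabletaskmgr"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')          # "name"=rest
HEX_NAME_RE = re.compile(r'\\system32\\[0-9A-F]{8,}\.(dll|exe)$', re.I)


def parse(log):
    """Return (reg_entries, file_paths). reg_entries are (key, name, value)
    with the key lower-cased; file_paths are bare drive paths in the log."""
    entries, files = [], []
    key = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1].lower()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, rest = m.group(1), m.group(2).strip()
            quoted = re.match(r'"([^"]*)"', rest)
            entries.append((key, name, quoted.group(1) if quoted else rest))
            continue
        if re.match(r'^[a-z]:\\', line, re.I):
            files.append(line)
    return entries, files


def triage(log):
    """Return a list of (severity, description) for the indicators found."""
    entries, files = parse(log)
    findings = []
    for key, name, value in entries:
        n = name.lower()
        if key.endswith('policies\\system') and n == 'disabletaskmgr' and value.startswith('1'):
            findings.append(('high', 'Task Manager disabled via policy (MBAM reports this as PUM.Hijack.TaskManager)'))
        elif 'security center\\monitoring' in key and n == 'disablemonitoring' and value.endswith('1'):
            findings.append(('medium', 'Security Center monitoring disabled: AV/firewall state no longer surfaced'))
        elif 'globallyopenports' in key:
            pm = re.match(r'^(\d+):(TCP|UDP)', value)
            if pm:
                port = int(pm.group(1))
                note = ' (RDP reachable from the network)' if port == 3389 else ''
                findings.append(('high' if port == 3389 else 'medium',
                                 f'Firewall globally opens {port}/{pm.group(2)}{note}'))
        elif key.endswith('\\run') and value == '':
            findings.append(('low', f'Run entry "{name}" with empty command: orphan or removed loader'))
    for path in files:
        low = path.lower()
        if HEX_NAME_RE.search(path):
            findings.append(('high', f'Randomly named binary in system32: {path}'))
        elif low.endswith('\\autorun.inf'):
            findings.append(('medium', f'autorun.inf at drive root: {path} (removable-media spreader pattern)'))
        elif low.endswith('\\hosts.ics'):
            findings.append(('medium', f'hosts.ics present: {path} (name resolution may be redirected)'))
    return findings


if __name__ == '__main__':
    for severity, text in triage(SAMPLE_LOG):
        print(f'[{severity:6}] {text}')
```

Run against the sample it prints seven findings, three of them high. To use it on a real log, read the file and pass its text to triage(); the parser deliberately ignores ComboFix's "@=" default-value lines and the file-listing timestamps, so only named registry values and bare paths are examined.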
8. This virus makes a dialog box come up that says:
16 bit MS-DOS Subsystem
C:\system32\system.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0dd1 IP:02f5 OP:63 75 6d 65 6e
Choose 'Close' to terminate the application.
  9. This may be interesting:
- I updated the virus database and then turned off the internet before doing a MBAM scan. The scan found the virus as usual and said that it was removed successfully.
- Then, without turning on the internet, I did the scan again. The virus was not found.
- Still without turning on the internet, I restarted the computer, did another scan and found the virus. The virus came back with the restart of the computer, without internet.
- I removed the virus again, turned on the internet, and scanned again. The virus was found. So, it also comes back with internet without restarting.
  10. Attached file TDSSKiller.2.8.16.0_12.06.2013_00.45.55_log.txt
  11. I'm very sorry. I don't understand what "html-tags" are, or how to post "as is". I copied and pasted. Should I do it another way?
  12. It's always like this. But in less than 5 minutes the virus is back. I'm running avast anti-virus and zone alarm firewall.
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.12.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.3264
BOSS :: COMPANY-D80ED77 [administrator]

6/12/2013 8:05:22 AM
mbam-log-2013-06-12 (08-05-22).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 232273
Time elapsed: 54 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|disabletaskmgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
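The MBAM log above reports a single registry data item, PUM.Hijack.TaskManager (DisableTaskMgr set to 1 under HKCU), and the poster says it returns within minutes and after every reboot. As an added example, not part of the original post or of Malwarebytes' own tooling, the following Python parser reads an MBAM 1.x log into per-section counts and structured detections, so two scans taken a few minutes apart can be compared for recurring items. The sample log is the one posted above with its line breaks restored and the header trimmed; the layout it assumes ("... Detected: N" headers, one item per line with "Bad:/Good:" values for registry data items) is taken from that log only.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: the detection part of the MBAM log posted above, with
# its line breaks restored (machine/user header lines trimmed).
SAMPLE_LOG = """\
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.12.01

Scan type: Quick scan
Objects scanned: 232273
Time elapsed: 54 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|disabletaskmgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
"""


class Detection(NamedTuple):
    category: str        # section name, e.g. "Registry Data Items"
    target: str          # file, folder, key, or key|value
    name: str            # MBAM signature, e.g. PUM.Hijack.TaskManager
    bad: Optional[str]   # value found (registry data items only)
    good: Optional[str]  # value MBAM restored (registry data items only)
    action: str          # what MBAM did with it


class ScanResult(NamedTuple):
    counts: Dict[str, int]
    items: List[Detection]


COUNT_RE = re.compile(r"^(?P<cat>[A-Za-z ]+?) Detected: (?P<n>\d+)$")
ITEM_RE = re.compile(
    r"^(?P<target>.+?) \((?P<name>[^()]+)\)"
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" -> (?P<action>.+?)\.?$"
)


def parse_mbam_log(text: str) -> ScanResult:
    """Parse an MBAM 1.x log into per-section counts and a list of Detections."""
    counts: Dict[str, int] = {}
    items: List[Detection] = []
    category: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNT_RE.match(line)
        if m:
            category = m.group("cat")
            counts[category] = int(m.group("n"))
            continue
        # Item lines only appear directly under a "... Detected: N" header;
        # "(No malicious items detected)" and "(end)" are skipped.
        if category is None or not line or line.startswith("("):
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append(Detection(category, m.group("target"), m.group("name"),
                                   m.group("bad"), m.group("good"), m.group("action")))
    return ScanResult(counts, items)


def counts_match_items(result: ScanResult) -> bool:
    """Sanity check: every detection the headers count was actually parsed."""
    return sum(result.counts.values()) == len(result.items)


def task_manager_disabled(result: ScanResult) -> bool:
    """True if MBAM found DisableTaskMgr set, the PUM in the log above."""
    return any(d.name == "PUM.Hijack.TaskManager" and d.bad == "1"
               for d in result.items)


def recurring(first: ScanResult, second: ScanResult) -> List[Detection]:
    """Detections present in both scans (same target and signature)."""
    seen = {(d.target.lower(), d.name) for d in first.items}
    return [d for d in second.items if (d.target.lower(), d.name) in seen]
```

A PUM entry is a policy value, not a file: MBAM resets it to 0, but it reports nothing about what sets it back to 1. Running `recurring()` over two logs taken minutes apart confirms the pattern the poster describes; finding the writer is a separate job (the ComboFix and TDSSKiller output elsewhere in this thread is where that search starts).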