Chelsea1 (Honorary Members, 28 posts)

Everything posted by Chelsea1

  1. Nothing found, although I deselected temp files and system restore points as instructed in the post you linked. I also wasn't sure whether or not to run it in Enhanced Protection Mode, so I just went with standard mode. Let me know if I should do another scan differently.
  2. http://www.drwebhk.com/en/virus_techinfo/Trojan.AVKill.28808.html Don't know how legit that site is though, admittedly. When you search "AdobeARM.exe", "virus" is one of the first suggested results so I guess that's what made me think so too.
  3. So, the hidden files I posted a screenshot of, which are no longer present, they were definitely part of AdobeARM.exe? I'm a little confused because if you search "AdobeARM.exe virus" online there are supposedly trojans/rootkits that masquerade as that file? Also, why were they hidden, is it normal for legitimate files and folders to hide themselves in the temp folder?
  4. 18:07:04.0013 6016 TDSS rootkit removing tool 2.8.18.0 Jun 10 2013 21:44:19
     18:07:04.0548 6016 ============================================================
     18:07:04.0548 6016 Current date / time: 2013/06/17 18:07:04.0548
     18:07:04.0548 6016 SystemInfo:
     18:07:04.0548 6016
     18:07:04.0548 6016 OS Version: 6.0.6001 ServicePack: 1.0
     18:07:04.0549 6016 Product type: Workstation
     18:07:04.0549 6016 ComputerName: Chelsealaptop
     18:07:04.0549 6016 UserName: Chelsea
     18:07:04.0549 6016 Windows directory: C:\Windows
     18:07:04.0549 6016 System windows directory: C:\Windows
     18:07:04.0549 6016 Processor architecture: Intel x86
     18:07:04.0549 6016 Number of processors: 2
     18:07:04.0549 6016 Page size: 0x1000
     18:07:04.0549 6016 Boot type: Normal boot
     18:07:04.0549 6016 ============================================================
     18:07:06.0503 6016 Drive \Device\Harddisk0\DR0 - Size: 0x2E93E36000 (186.31 Gb), SectorSize: 0x200, Cylinders: 0x5F01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
     18:07:06.0531 6016 ============================================================
     18:07:06.0531 6016 \Device\Harddisk0\DR0:
     18:07:06.0535 6016 MBR partitions:
     18:07:06.0535 6016 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xE06800, BlocksNum 0x166981B0
     18:07:06.0535 6016 ============================================================
     18:07:06.0675 6016 C: <-> \Device\Harddisk0\DR0\Partition1
     18:07:06.0675 6016 ============================================================
     18:07:06.0675 6016 Initialize success
     18:07:06.0675 6016 ============================================================
     18:07:20.0940 5136 Deinitialize success

     Larger file: TDSSKiller.2.8.18.0_17.06.2013_18.09.54_log.txt
  5. Do you think the disappearing temp items were caused by a rootkit or was it the legitimate Adobe application? I'm not sure if I should reformat or assume everything is OK now?
  6. RogueKiller V8.6.1 [Jun 17 2013] by Tigzy
     mail : tigzyRK<at>gmail<dot>com
     Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Website : http://tigzy.geekstogo.com/roguekiller.php
     Blog : http://tigzyrk.blogspot.com/

     Operating System : Windows Vista (6.0.6001 Service Pack 1) 32 bits version
     Started in : Normal mode
     User : Chelsea [Admin rights]
     Mode : Scan -- Date : 06/17/2013 16:14:20
     | ARK || FAK || MBR |

     ¤¤¤ Bad processes : 0 ¤¤¤

     ¤¤¤ Registry Entries : 3 ¤¤¤
     [HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Scheduled tasks : 0 ¤¤¤

     ¤¤¤ Startup Entries : 0 ¤¤¤

     ¤¤¤ Web browsers : 0 ¤¤¤

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver : [LOADED] ¤¤¤

     ¤¤¤ External Hives: ¤¤¤

     ¤¤¤ Infection : ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     --> %SystemRoot%\System32\drivers\etc\hosts

     127.0.0.1 localhost

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: ST9200827AS +++++
     --- User ---
     [MBR] ca8f4acf427b9a5179b6495c99f3918a
     [BSP] b1ce451f07c050be20538bc63df273f9 : Windows Vista MBR Code
     Partition table:
     0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 7180 Mo
     1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 14706688 | Size: 183600 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     Finished : << RKreport[0]_S_06172013_161420.txt >>
     RKreport[0]_S_06162013_032557.txt

     I downloaded the newer version of RogueKiller and it seems to have found one new registry item, could you interpret these logs please?
  7. OK, managed to find AdobeARM.exe in msconfig, it was named as another Adobe product. I disabled it and rebooted, the AdobeARM.log file in the temp folder didn't update on startup and the process/service is no longer running in WTM. However, in my temp folder now I have two newly created temp folders called Adobe and lilo.1848?
  8. Rebooted twice now and each time I stop the process and the associated service on startup it is there again along with an updated AdobeARM.exe folder.
  9. I couldn't find AdobeARM.exe listed in msconfig, only other Adobe software, however it is listed in Windows Task Manager as both a process and a service, can I stop it from there or will it only disable it until the next reboot not permanently?
  10. I rebooted again and managed to get a screen shot before they disappeared, not sure if this is any use but it's the files starting with "cyai59gv...". CropperCapture57.bmp
  11. Rebooted again and unfortunately they're still there, there's about five of them and one is listed as an Application Extension and when I click on properties it disappears within seconds and I only can view the properties of the general Temp folder.
  12. In terms of rebooting in normal mode, it's fine, nothing necessary appears to have been deleted. The disappearing temp files? They didn't appear after the last reboot but my AppData folder was quite slow at opening so not sure if that's the reason or not, will have to reboot a few more times to test it. Is there anything else I should do? Would Unhide.exe be of any use? There seems to be a lot online about viruses that hide your files but not viruses hiding in hidden files in the temp folder whilst all your other files are accessible as normal, if that makes sense.
  14. # AdwCleaner v2.303 - Logfile created 06/16/2013 at 20:35:56
      # Updated 08/06/2013 by Xplode
      # Operating system : Windows Vista Home Premium Service Pack 1 (32 bits)
      # User : Chelsea - Chelsealaptop
      # Boot Mode : Normal
      # Running from : C:\Users\Chelsea\Desktop\adwcleaner.exe
      # Option [Delete]

      ***** [Services] *****


      ***** [Files / Folders] *****

      Folder Deleted : C:\Program Files\Conduit
      Folder Deleted : C:\Program Files\registry mechanic
      Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\registry mechanic
      Folder Deleted : C:\Users\Chelsea\AppData\LocalLow\BabylonToolbar
      Folder Deleted : C:\Users\Chelsea\AppData\LocalLow\boost_interprocess
      Folder Deleted : C:\Users\Chelsea\AppData\LocalLow\Conduit

      ***** [Registry] *****

      Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
      Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
      Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{1F096B29-E9DA-4D64-8D63-936BE7762CC5}
      Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}
      Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
      Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\BabylonToolbar
      Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
      Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
      Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
      Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
      Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3045275
      Key Deleted : HKLM\Software\Conduit
      Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
      Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966

      ***** [Internet Browsers] *****

      -\\ Internet Explorer v8.0.6001.19088

      Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://search.babylon.com/?babsrc=NT_ss&mntrId=46762f19000000000000001dd9e2ec07&tlver=1.4.19.19&ss=1&affID=17978 --> hxxp://www.google.com

      -\\ Mozilla Firefox v21.0 (en-US)

      File : C:\Users\Chelsea\AppData\Roaming\Mozilla\Firefox\Profiles\razjmtso.default\prefs.js

      [OK] File is clean.

      -\\ Google Chrome v27.0.1453.110

      File : C:\Users\Chelsea\AppData\Local\Google\Chrome\User Data\Default\Preferences

      [OK] File is clean.

      *************************

      AdwCleaner[R1].txt - [3207 octets] - [16/06/2013 18:36:17]
      AdwCleaner[S1].txt - [2762 octets] - [16/06/2013 20:35:56]

      ########## EOF - C:\AdwCleaner[S1].txt - [2822 octets] ##########
  15. Just to clarify, there are no legitimate folders named boost_interprocess? If it's a virus then I don't want to back it up.
  16. # AdwCleaner v2.303 - Logfile created 06/16/2013 at 18:36:17
      # Updated 08/06/2013 by Xplode
      # Operating system : Windows Vista Home Premium Service Pack 1 (32 bits)
      # User : Chelsea - Chelsealaptop
      # Boot Mode : Normal
      # Running from : C:\Users\Chelsea\Desktop\adwcleaner.exe
      # Option [Search]

      ***** [Services] *****


      ***** [Files / Folders] *****

      Folder Found : C:\Program Files\Conduit
      Folder Found : C:\Program Files\registry mechanic
      Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\registry mechanic
      Folder Found : C:\Users\Chelsea\AppData\LocalLow\BabylonToolbar
      Folder Found : C:\Users\Chelsea\AppData\LocalLow\boost_interprocess
      Folder Found : C:\Users\Chelsea\AppData\LocalLow\Conduit

      ***** [Registry] *****

      Key Found : HKCU\Software\AppDataLow\Software\Conduit
      Key Found : HKCU\Software\AppDataLow\Software\SmartBar
      Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{1F096B29-E9DA-4D64-8D63-936BE7762CC5}
      Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}
      Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
      Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\BabylonToolbar
      Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
      Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
      Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
      Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
      Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3045275
      Key Found : HKLM\Software\Conduit
      Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
      Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
      Key Found : HKU\S-1-5-21-3516223228-646586596-448985359-1003\Software\Microsoft\Internet Explorer\SearchScopes\{1F096B29-E9DA-4D64-8D63-936BE7762CC5}
      Key Found : HKU\S-1-5-21-3516223228-646586596-448985359-1003\Software\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}
      Key Found : HKU\S-1-5-21-3516223228-646586596-448985359-1003\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}

      ***** [Internet Browsers] *****

      -\\ Internet Explorer v8.0.6001.19088

      [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://search.babylon.com/?babsrc=NT_ss&mntrId=46762f19000000000000001dd9e2ec07&tlver=1.4.19.19&ss=1&affID=17978

      -\\ Mozilla Firefox v21.0 (en-US)

      File : C:\Users\Chelsea\AppData\Roaming\Mozilla\Firefox\Profiles\razjmtso.default\prefs.js

      [OK] File is clean.

      -\\ Google Chrome v27.0.1453.110

      File : C:\Users\Chelsea\AppData\Local\Google\Chrome\User Data\Default\Preferences

      [OK] File is clean.

      *************************

      AdwCleaner[R1].txt - [3078 octets] - [16/06/2013 18:36:17]

      ########## EOF - C:\AdwCleaner[R1].txt - [3138 octets] ##########

      That all looks okay, although what about Registry Mechanic? I don't mind deleting it as I don't use it, but it is by PC Tools, who are reputable? I'm also unsure of the boost_interprocess folder and the several files found in the Windows\CurrentVersion section of the registry; I want to make sure I don't delete any false positives.
  17. ^Sorry, just wanted to add that I rebooted because some items in my system tray were missing. After rebooting (system rebooted normally, system tray items back again) I also looked in my temp folder which was cleared by ComboFix and those hidden files, which I'm sure belong to the trojan/rootkit, are still appearing for a few seconds then disappearing before I can even view the properties of the files or anything else. If ComboFix, one of the most powerful malware removals tools there is can't detect/remove this then it's not looking good, is it?
  18. I uninstalled all McAfee software. I ran ComboFix, here's the log:

      ComboFix 13-06-15.01 - Chelsea 16/06/2013 17:24:29.1.2 - x86
      Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2038.707 [GMT 1:00]
      Running from: c:\users\Chelsea\Desktop\ComboFix.exe
      AV: PC Tools Spyware Doctor with AntiVirus *Disabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}
      SP: PC Tools Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
      SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
      .
      .
      ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
      c:\programdata\0tbpw.pad
      c:\users\Chelsea\Documents\~WRL0005.tmp
      .
      .
      ((((((((((((((((((((((((( Files Created from 2013-05-16 to 2013-06-16 )))))))))))))))))))))))))))))))
      .
      .
      2013-06-16 16:38 . 2013-06-16 16:38 -------- d-----w- c:\users\Default\AppData\Local\temp
      2013-06-15 21:27 . 2013-06-15 21:27 -------- d-----w- c:\programdata\Sophos
      2013-06-15 21:27 . 2013-06-15 21:27 73728 ----a-r- c:\users\Chelsea\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
      2013-06-15 21:27 . 2013-06-15 21:27 73728 ----a-r- c:\users\Chelsea\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
      2013-06-15 21:27 . 2013-06-15 21:27 73728 ----a-r- c:\users\Chelsea\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe
      2013-06-15 21:26 . 2013-06-15 21:26 -------- d-----w- c:\program files\Sophos
      2013-06-14 19:48 . 2013-05-13 06:19 7016152 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BFC62729-9DA0-48CC-BFC4-DE6E17195425}\mpengine.dll
      2013-06-08 16:18 . 2013-06-08 16:18 -------- d-----w- c:\program files\FileASSASSIN
      2013-05-30 21:12 . 2013-06-16 14:14 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
      2013-05-17 23:17 . 2013-05-17 23:17 -------- d-----w- c:\users\Chelsea\AppData\Roaming\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
      2013-05-17 23:17 . 2013-06-16 16:37 -------- d-----w- c:\program files\BBC iPlayer Desktop
      .
      .
      .
      (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2013-06-11 23:32 . 2012-12-25 05:03 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
      2013-06-11 23:32 . 2011-11-13 23:11 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
      2013-05-02 01:06 . 2012-12-19 21:53 238872 ------w- c:\windows\system32\MpSigStub.exe
      2013-04-04 13:50 . 2012-12-19 05:15 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
      .
      .
      ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{6DE552AE-4229-4ED9-B595-77305C8F1D0A}]
      2009-03-18 04:54 81920 ----a-w- c:\program files\Cleeki\ieagent\CleekiIEAgent.dll
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
      @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
      [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
      2013-04-16 15:10 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
      @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
      [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
      2013-04-16 15:10 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
      @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
      [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
      2013-04-16 15:10 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
      @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
      [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
      2013-04-16 15:10 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
      .
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]
      "NSUFloatingUI"="c:\program files\Sony\Network Utility\LANUtil.exe" [2008-03-10 262144]
      "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-10 39408]
      "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
      "Spotify"="c:\users\Chelsea\AppData\Roaming\Spotify\Spotify.exe" [2011-12-03 6860960]
      "Cleeki"="c:\program files\Cleeki\Cleeki.exe" [2009-02-23 1048576]
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "NvSvc"="c:\windows\system32\nvsvc.dll" [2008-02-12 86016]
      "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-12 8497696]
      "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-12 81920]
      "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-05 141848]
      "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-05 154136]
      "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-05 137752]
      "RtHDVCpl"="RtHDVCpl.exe" [2008-01-23 4718592]
      "Apoint"="c:\program files\Apoint\Apoint.exe" [2008-02-23 122880]
      "ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-11-21 311296]
      "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]
      "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-04 30192]
      "MarketingTools"="c:\program files\Sony\Marketing Tools\MarketingTools.exe" [2008-04-11 36864]
      "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
      "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
      "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
      "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
      "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
      "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
      "SSDMonitor"="c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2010-11-15 112600]
      "ISTray"="c:\program files\PC Tools\PC Tools Security\pctsGui.exe" [2012-11-01 2717816]
      "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
      "DivXMediaServer"="c:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2012-11-13 450560]
      "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2012-11-30 1263512]
      .
      c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
      McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-5 272248]
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
      "EnableUIADesktopToggle"= 0 (0x0)
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
      2007-08-15 03:05 98304 ----a-w- c:\windows\System32\VESWinlogon.dll
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
      "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
      "aux"=wdmaud.drv
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
      @=""
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
      @=""
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
      @=""
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
      @=""
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
      "DisableMonitoring"=dword:00000001
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
      2013-06-05 22:26 1165776 ----a-w- c:\program files\Google\Chrome\Application\27.0.1453.110\Installer\chrmstp.exe
      .
      Contents of the 'Scheduled Tasks' folder
      .
      2013-06-16 c:\windows\Tasks\Adobe Flash Player Updater.job
      - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-25 23:32]
      .
      2013-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2011-05-01 22:07]
      .
      2013-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2011-05-01 22:07]
      .
      2013-06-12 c:\windows\Tasks\Norton Security Scan for Chelsea.job
      - c:\progra~1\NORTON~2\Engine\311~1.6\Nss.exe [2011-05-28 02:30]
      .
      2013-06-15 c:\windows\Tasks\RMSchedule.job
      - c:\program files\Registry Mechanic\RegMech.exe [2011-08-20 09:02]
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = hxxp://www.google.com/
      uInternet Settings,ProxyOverride = *.local
      uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
      IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
      IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
      TCP: DhcpNameServer = 192.168.0.1
      FF - ProfilePath - c:\users\Chelsea\AppData\Roaming\Mozilla\Firefox\Profiles\razjmtso.default\
      .
      - - - - ORPHANS REMOVED - - - -
      .
      URLSearchHooks-{656461ef-40f6-4115-9ff1-bced9812ccbb} - (no file)
      WebBrowser-{656461EF-40F6-4115-9FF1-BCED9812CCBB} - (no file)
      HKCU-Run-BitTorrent - c:\program files\BitTorrent\BitTorrent.exe
      HKCU-Run-DriverScanner - c:\program files\Uniblue\DriverScanner\launcher.exe
      c:\users\Chelsea\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
      .
      .
      .
      **************************************************************************
      .
      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2013-06-16 17:38
      Windows 6.0.6001 Service Pack 1 NTFS
      .
      scanning hidden processes ...
      .
      scanning hidden autostart entries ...
      .
      scanning hidden files ...
      .
      scan completed successfully
      hidden files: 0
      .
      **************************************************************************
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
      @Denied: (A) (Users)
      @Denied: (A) (Everyone)
      @Allowed: (B 1 2 3 4 5) (S-1-5-20)
      "BlindDial"=dword:00000000
      "MSCurrentCountry"=dword:000000b4
      .
      Completion time: 2013-06-16 17:41:09
      ComboFix-quarantined-files.txt 2013-06-16 16:41
      .
      Pre-Run: 88,582,049,792 bytes free
      Post-Run: 104,654,495,744 bytes free
      .
      - - End Of File - - 2FEDC82520CF019ADFA3947353DE9661 5C616939100B85E558DA92B899A0FC36

      Should I have rebooted after it completed? Also, just after it began the scan I got a notification saying PEV.exe stopped working?
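The "Reg Loading Points" section of the ComboFix log in the post above is what settles the question asked earlier in this thread about whether ending AdobeARM.exe in Task Manager is permanent: it is launched at logon by the HKLM\...\Run value "Adobe ARM", so killing the process only lasts until the next boot, and the value (or the Adobe updater itself) has to be removed for it to stay gone. The Python below is an added example, not code from the original post or from ComboFix, Malwarebytes or any other tool logged in this thread. It parses Run-key entries in ComboFix's layout and applies the first triage filter a helper applies to them: where the image file lives. The sample lines are constructed, copied in shape from the log above, with two clearly labelled hypothetical entries (a binary under Temp, and an AdobeARM.exe outside its installed directory) added to show what a masquerading copy would look like; the expected Adobe ARM directory is taken from the log itself. Location is only a first filter: an entry rated "low" still needs its Authenticode signature and hash checked before it is called clean.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the layout of ComboFix's "Reg Loading Points" section.
# The first four entries mirror the thread's log; the two "Hypothetical*" entries
# are invented for this example and do not appear in the original log.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spotify"="c:\users\Chelsea\AppData\Roaming\Spotify\Spotify.exe" [2011-12-03 6860960]
"Cleeki"="c:\program files\Cleeki\Cleeki.exe" [2009-02-23 1048576]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-23 4718592]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"HypotheticalTempUpdater"="c:\users\Chelsea\AppData\Local\Temp\updater.exe" [2013-06-17 12345]
"HypotheticalAdobeARM"="c:\users\Chelsea\AppData\Roaming\AdobeARM.exe" [2013-06-17 958576]
'''

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"(?:\s+\[(?P<stamp>[^\]]*)\])?$')

# Where a well-known, often-impersonated binary is expected to live. The Adobe ARM
# directory is the one the genuine updater occupies in the thread's ComboFix log.
EXPECTED_DIRS = {
    "adobearm.exe": r"c:\program files\common files\adobe\arm",
}


@dataclass
class Finding:
    key: str
    name: str
    image: str
    risk: str   # "low", "medium", "high" or "review"
    reason: str


def classify(image: str) -> Tuple[str, str]:
    """Rate an autorun image path by where it lives. This is a first filter only:
    a "low" rating still needs a signature/hash check before the entry is called clean."""
    p = image.lower()
    if "\\" not in p:
        return "review", "bare file name; resolved through the search path, not a fixed location"
    base = p.rsplit("\\", 1)[1]
    expected = EXPECTED_DIRS.get(base)
    if expected and not p.startswith(expected + "\\"):
        return "high", f"{base} outside its expected directory {expected}"
    if "\\temp\\" in p:
        return "high", "runs from a Temp directory"
    if "\\appdata\\" in p or p.startswith("c:\\programdata\\") or p.startswith("c:\\users\\"):
        return "medium", "runs from a user-writable profile directory"
    if p.startswith("c:\\program files") or p.startswith("c:\\windows\\"):
        return "low", "installed-software location (still verify the signature)"
    return "review", "unrecognised location"


def triage(log: str) -> List[Finding]:
    """Walk a ComboFix-style dump, remembering the current [HKEY_...] header so each
    Run value is reported together with the hive it loads from."""
    findings: List[Finding] = []
    key = "(no key)"
    for raw in log.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            continue
        m = ENTRY_RE.match(line)
        if m:
            risk, reason = classify(m["image"])
            findings.append(Finding(key, m["name"], m["image"], risk, reason))
    return findings


if __name__ == "__main__":
    order = ["high", "medium", "review", "low"]
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.risk)):
        print(f"{f.risk:<7} {f.name:<24} {f.image}\n        {f.reason}  [{f.key}]")
```

Run it as-is to see the two hypothetical entries land on top: the Temp-resident binary and the AdobeARM.exe under AppData\Roaming are rated "high", the genuine updater under Program Files\Common Files\Adobe\ARM is rated "low", and the bare "RtHDVCpl.exe" is flagged for review because a bare name is resolved through the search path rather than a fixed location. The hive in the report matters too: an HKLM Run value needed administrative rights to write, an HKCU one did not.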
  19. I have old McAfee VirusScan software that is out of date and says my computer is not protected. Does this mean it is switched off because I can't see any option to disable it.
  20. OK, scan finished and nothing found:

      Malwarebytes Anti-Rootkit BETA 1.06.0.1003
      www.malwarebytes.org

      Database version: v2013.06.16.02

      Windows Vista Service Pack 1 x86 NTFS
      Internet Explorer 8.0.6001.19088
      Chelsea :: Chelsealaptop [administrator]

      16/06/2013 14:19:06
      mbar-log-2013-06-16 (14-19-06).txt

      Scan type: Quick scan
      Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
      Scan options disabled: Deep Anti-Rootkit Scan | PUP
      Objects scanned: 241377
      Time elapsed: 54 minute(s),

      Memory Processes Detected: 0
      (No malicious items detected)

      Memory Modules Detected: 0
      (No malicious items detected)

      Registry Keys Detected: 0
      (No malicious items detected)

      Registry Values Detected: 0
      (No malicious items detected)

      Registry Data Items Detected: 0
      (No malicious items detected)

      Folders Detected: 0
      (No malicious items detected)

      Files Detected: 0
      (No malicious items detected)

      Physical Sectors Detected: 0
      (No malicious items detected)

      (end)

      ---------------------------------------
      Malwarebytes Anti-Rootkit BETA 1.06.0.1003
      © Malwarebytes Corporation 2011-2012

      OS version: 6.0.6001 Windows Vista Service Pack 1 x86

      Account is Administrative

      Internet Explorer version: 8.0.6001.19088

      File system is: NTFS
      Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
      CPU speed: 1.862000 GHz
      Memory total: 2136674304, free: 849285120

      Downloaded database version: v2013.06.16.02
      Initializing...
      ------------ Kernel report ------------
      06/16/2013 14:18:25
      ------------ Loaded modules -----------
      \SystemRoot\system32\ntkrnlpa.exe
      \SystemRoot\system32\hal.dll
      \SystemRoot\system32\kdcom.dll
      \SystemRoot\system32\mcupdate_GenuineIntel.dll
      \SystemRoot\system32\PSHED.dll
      \SystemRoot\system32\BOOTVID.dll
      \SystemRoot\system32\CLFS.SYS
      \SystemRoot\system32\CI.dll
      \SystemRoot\system32\drivers\Wdf01000.sys
      \SystemRoot\system32\drivers\WDFLDR.SYS
      \SystemRoot\system32\drivers\fltmgr.sys
      \SystemRoot\system32\drivers\acpi.sys
      \SystemRoot\system32\drivers\WMILIB.SYS
      \SystemRoot\system32\drivers\msisadrv.sys
      \SystemRoot\system32\drivers\pci.sys
      \SystemRoot\System32\drivers\partmgr.sys
      \SystemRoot\system32\DRIVERS\compbatt.sys
      \SystemRoot\system32\DRIVERS\BATTC.SYS
      \SystemRoot\system32\drivers\volmgr.sys
      \SystemRoot\System32\drivers\volmgrx.sys
      \SystemRoot\system32\drivers\intelide.sys
      \SystemRoot\system32\drivers\PCIIDEX.SYS
      \SystemRoot\system32\DRIVERS\pcmcia.sys
      \SystemRoot\System32\drivers\mountmgr.sys
      \SystemRoot\system32\DRIVERS\iaStor.sys
      \SystemRoot\system32\drivers\atapi.sys
      \SystemRoot\system32\drivers\ataport.SYS
      \SystemRoot\system32\drivers\fileinfo.sys
      \SystemRoot\system32\drivers\pctDS.sys
      \SystemRoot\system32\drivers\PCTCore.sys
      \SystemRoot\system32\drivers\pctEFA.sys
      \SystemRoot\System32\Drivers\PxHelp20.sys
      \SystemRoot\System32\Drivers\ksecdd.sys
      \SystemRoot\system32\drivers\ndis.sys
      \SystemRoot\system32\drivers\msrpc.sys
      \SystemRoot\system32\drivers\NETIO.SYS
      \SystemRoot\System32\Drivers\Ntfs.sys
      \SystemRoot\system32\drivers\volsnap.sys
      \SystemRoot\System32\Drivers\spldr.sys
      \SystemRoot\System32\Drivers\mup.sys
      \SystemRoot\System32\drivers\ecache.sys
      \SystemRoot\system32\drivers\disk.sys
      \SystemRoot\system32\drivers\CLASSPNP.SYS
      \SystemRoot\system32\drivers\crcdisk.sys
      \SystemRoot\system32\DRIVERS\tunnel.sys
      \SystemRoot\system32\DRIVERS\tunmp.sys
      \SystemRoot\system32\DRIVERS\intelppm.sys
      \SystemRoot\system32\DRIVERS\CmBatt.sys
      \SystemRoot\system32\DRIVERS\igdkmd32.sys
      \SystemRoot\System32\drivers\dxgkrnl.sys
      \SystemRoot\System32\drivers\watchdog.sys
      \SystemRoot\system32\DRIVERS\usbuhci.sys
      \SystemRoot\system32\DRIVERS\USBPORT.SYS
      \SystemRoot\system32\DRIVERS\usbehci.sys
      \SystemRoot\system32\DRIVERS\HDAudBus.sys
      \SystemRoot\system32\DRIVERS\yk60x86.sys
      \SystemRoot\system32\DRIVERS\athr.sys
      \SystemRoot\system32\DRIVERS\ohci1394.sys
      \SystemRoot\system32\DRIVERS\1394BUS.SYS
      \SystemRoot\system32\drivers\ti21sony.sys
      \SystemRoot\system32\DRIVERS\SFEP.sys
      \SystemRoot\system32\DRIVERS\i8042prt.sys
      \SystemRoot\system32\DRIVERS\kbdclass.sys
      \SystemRoot\system32\DRIVERS\Apfiltr.sys
      \SystemRoot\system32\DRIVERS\mouclass.sys
      \SystemRoot\system32\DRIVERS\cdrom.sys
      \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
      \SystemRoot\system32\DRIVERS\msiscsi.sys
      \SystemRoot\system32\DRIVERS\storport.sys
      \SystemRoot\system32\DRIVERS\TDI.SYS
      \SystemRoot\system32\DRIVERS\rasl2tp.sys
      \SystemRoot\system32\DRIVERS\ndistapi.sys
      \SystemRoot\system32\DRIVERS\ndiswan.sys
      \SystemRoot\system32\DRIVERS\raspppoe.sys
      \SystemRoot\system32\DRIVERS\raspptp.sys
      \SystemRoot\system32\DRIVERS\rassstp.sys
      \SystemRoot\system32\DRIVERS\termdd.sys
      \SystemRoot\system32\DRIVERS\swenum.sys
      \SystemRoot\system32\DRIVERS\ks.sys
      \SystemRoot\system32\DRIVERS\mssmbios.sys
      \SystemRoot\system32\DRIVERS\umbus.sys
      \SystemRoot\system32\DRIVERS\usbhub.sys
      \SystemRoot\System32\Drivers\NDProxy.SYS
      \SystemRoot\system32\drivers\RTKVHDA.sys
      \SystemRoot\system32\drivers\portcls.sys
      \SystemRoot\system32\drivers\drmk.sys
      \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
      \SystemRoot\system32\DRIVERS\HSX_DPV.sys
      \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
      \SystemRoot\system32\drivers\modem.sys
      \SystemRoot\System32\Drivers\Fs_Rec.SYS
      \SystemRoot\System32\Drivers\Null.SYS
      \SystemRoot\System32\Drivers\Beep.SYS
      \SystemRoot\System32\drivers\vga.sys
      \SystemRoot\System32\drivers\VIDEOPRT.SYS
      \SystemRoot\System32\DRIVERS\RDPCDD.sys
      \SystemRoot\system32\drivers\rdpencdd.sys
      \SystemRoot\System32\Drivers\Msfs.SYS
      \SystemRoot\System32\Drivers\Npfs.SYS
      \SystemRoot\System32\DRIVERS\rasacd.sys
      \SystemRoot\System32\drivers\tcpip.sys
      \SystemRoot\System32\drivers\fwpkclnt.sys
      \SystemRoot\System32\Drivers\Mpfp.sys
      \SystemRoot\system32\DRIVERS\tdx.sys
      \SystemRoot\system32\DRIVERS\ipfltdrv.sys
      \??\C:\Windows\System32\drivers\pctgntdi.sys
      \ArcName\multi(0)disk(0)rdisk(0)partition(2)\Windows\system32\drivers\PctWfpFilter.sys
      \SystemRoot\system32\DRIVERS\smb.sys
      \SystemRoot\system32\drivers\afd.sys
      \SystemRoot\System32\DRIVERS\netbt.sys
      \SystemRoot\system32\DRIVERS\pacer.sys
      \SystemRoot\system32\DRIVERS\netbios.sys
      \SystemRoot\system32\DRIVERS\wanarp.sys
      \SystemRoot\system32\DRIVERS\rdbss.sys
      \SystemRoot\System32\Drivers\PCTSD.sys
      \SystemRoot\system32\drivers\nsiproxy.sys
      \SystemRoot\system32\drivers\mfehidk.sys
      \SystemRoot\system32\DRIVERS\DMICall.sys
      \SystemRoot\System32\Drivers\dfsc.sys
      \SystemRoot\system32\DRIVERS\cdfs.sys
      \SystemRoot\System32\Drivers\crashdmp.sys
      \SystemRoot\System32\Drivers\dump_iaStor.sys
      \SystemRoot\System32\win32k.sys
      \SystemRoot\System32\drivers\Dxapi.sys
      \SystemRoot\system32\DRIVERS\monitor.sys
      \SystemRoot\System32\TSDDD.dll
      \SystemRoot\System32\cdd.dll
      \SystemRoot\System32\ATMFD.DLL
      \SystemRoot\system32\drivers\luafv.sys
      \??\C:\Windows\system32\drivers\mbam.sys
      \SystemRoot\system32\DRIVERS\Sftvollh.sys
      \SystemRoot\system32\drivers\spsys.sys
      \SystemRoot\system32\DRIVERS\lltdio.sys
      \SystemRoot\system32\DRIVERS\nwifi.sys
      \SystemRoot\system32\DRIVERS\ndisuio.sys
      \SystemRoot\system32\DRIVERS\rspndr.sys
      \SystemRoot\system32\drivers\HTTP.sys
      \SystemRoot\System32\DRIVERS\srvnet.sys
      \SystemRoot\system32\DRIVERS\bowser.sys
      \SystemRoot\System32\drivers\mpsdrv.sys
      \SystemRoot\system32\drivers\mrxdav.sys
      \SystemRoot\system32\DRIVERS\mrxsmb.sys
      \SystemRoot\system32\DRIVERS\mrxsmb10.sys
      \SystemRoot\system32\DRIVERS\mrxsmb20.sys
      \SystemRoot\System32\DRIVERS\srv2.sys
      \SystemRoot\System32\DRIVERS\srv.sys
      \SystemRoot\system32\DRIVERS\mdmxsdk.sys
      \SystemRoot\system32\drivers\peauth.sys
      \SystemRoot\system32\drivers\regi.sys
      \SystemRoot\System32\Drivers\secdrv.SYS
      \SystemRoot\system32\DRIVERS\Sftfslh.sys
      \SystemRoot\system32\DRIVERS\Sftplaylh.sys
      \SystemRoot\System32\drivers\tcpipreg.sys
      \SystemRoot\system32\DRIVERS\xaudio.sys
      \SystemRoot\system32\DRIVERS\WUDFRd.sys
      \SystemRoot\system32\DRIVERS\WUDFPf.sys
      \SystemRoot\system32\drivers\mfebopk.sys
      \SystemRoot\system32\drivers\mfeavfk.sys
      \SystemRoot\system32\DRIVERS\Sftredirlh.sys
      \??\C:\Windows\System32\drivers\pctplsm.sys
      \SystemRoot\system32\drivers\mfesmfk.sys
      \??\C:\Windows\system32\drivers\mbamchameleon.sys
      \??\C:\Windows\system32\drivers\mbamswissarmy.sys
      \Windows\System32\ntdll.dll
      ----------- End -----------
      Done!
      <<<1>>>
      Upper Device Name: \Device\Harddisk2\DR2
      Upper Device Object: 0xffffffff87482030
      Upper Device Driver Name: \Driver\disk\
      Lower Device Name: \Device\00000069\
      Lower Device Object: 0xffffffff87488600
      Lower Device Driver Name: \Driver\ti21sony\
      <<<1>>>
      Upper Device Name: \Device\Harddisk1\DR1
      Upper Device Object: 0xffffffff87489ac8
      Upper Device Driver Name: \Driver\disk\
      Lower Device Name: \Device\00000068\
      Lower Device Object: 0xffffffff87488c60
      Lower Device Driver Name: \Driver\ti21sony\
      <<<1>>>
      Upper Device Name: \Device\Harddisk0\DR0
      Upper Device Object: 0xffffffff8587b170
      Upper Device Driver Name: \Driver\disk\
      Lower Device Name: \Device\Ide\IAAStorageDevice-0\
      Lower Device Object: 0xffffffff84e25030
      Lower Device Driver Name: \Driver\iaStor\
      <<<2>>>
      Device number: 0, partition: 2
      Physical Sector Size: 512
      Drive: 0, DevicePointer: 0xffffffff8587b170, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
      --------- Disk Stack ------
      DevicePointer: 0xffffffff8589ad20, DeviceName: Unknown, DriverName: \Driver\partmgr\
      DevicePointer: 0xffffffff8587b170, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
      DevicePointer: 0xffffffff8587b970, DeviceName: Unknown, DriverName: \Driver\PCTCore\
      DevicePointer: 0xffffffff84e0b698, DeviceName: Unknown, DriverName: \Driver\ACPI\
      DevicePointer: 0xffffffff84e25030, DeviceName: \Device\Ide\IAAStorageDevice-0\, DriverName: \Driver\iaStor\
      ------------ End ----------
      Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
      Upper DeviceData: 0x0, 0x0, 0x0
      Lower DeviceData: 0x0, 0x0, 0x0
      <<<3>>>
      Volume: C:
      File system type: NTFS
      SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
      <<<2>>>
      Device number: 0, partition: 2
      <<<3>>>
      Volume: C:
      File system type: NTFS
      SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
      Scanning drivers directory: C:\Windows\system32\drivers...
      <<<2>>>
      Device number: 0, partition: 2
      <<<3>>>
      Volume: C:
      File system type: NTFS
      SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
      Done!
      Drive 0
      Scanning MBR on drive 0...
      Inspecting partition table:
      MBR Signature: 55AA
      Disk Signature: 353FDACC
      Partition information:
          Partition 0 type is Other (0x27)
          Partition is NOT ACTIVE.
          Partition starts at LBA: 2048  Numsec = 14704640
          Partition 1 type is Primary (0x7)
          Partition is ACTIVE.
          Partition starts at LBA: 14706688  Numsec = 376013232
          Partition file system is NTFS
          Partition is bootable
          Partition 2 type is Empty (0x0)
          Partition is NOT ACTIVE.
          Partition starts at LBA: 0  Numsec = 0
          Partition 3 type is Empty (0x0)
          Partition is NOT ACTIVE.
          Partition starts at LBA: 0  Numsec = 0
      Disk Size: 200049647616 bytes
      Sector size: 512 bytes
      Scanning physical sectors of unpartitioned space on drive 0 (1-2047-390701968-390721968)...
      Done!
Physical Sector Size: 0 Drive: 1, DevicePointer: 0xffffffff87489ac8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\disk\ --------- Disk Stack ------ DevicePointer: 0xffffffff874897b8, DeviceName: Unknown, DriverName: \Driver\partmgr\ DevicePointer: 0xffffffff87489ac8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\disk\ DevicePointer: 0xffffffff8748cbd0, DeviceName: Unknown, DriverName: \Driver\PCTCore\ DevicePointer: 0xffffffff87488c60, DeviceName: \Device\00000068\, DriverName: \Driver\ti21sony\ ------------ End ---------- Physical Sector Size: 0 Drive: 2, DevicePointer: 0xffffffff87482030, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\disk\ --------- Disk Stack ------ DevicePointer: 0xffffffff874894b8, DeviceName: Unknown, DriverName: \Driver\partmgr\ DevicePointer: 0xffffffff87482030, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\disk\ DevicePointer: 0xffffffff87475a20, DeviceName: Unknown, DriverName: \Driver\PCTCore\ DevicePointer: 0xffffffff87488600, DeviceName: \Device\00000069\, DriverName: \Driver\ti21sony\ ------------ End ---------- Scan finished ======================================= Removal queue found; removal started Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_i.mbam... Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_0_1_14706688_i.mbam... Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_r.mbam... Removal finished