AlexSch
Members
Posts: 11
Reputation: 0 Neutral
  1. Hi. I left Beta 4.01 running after yesterday's install and the report that I posted. Today there was a second detection; I have attached a screen shot, a log file and the follow-on scan zip file. I have found that my HP printer app that I normally access from my desktop was gone. Yesterday I quarantined two files on running for the first time (before reading what to do on a FP), but I restored those before creating yesterday's zip file. I suspect that they were related to my printer, but after the restore I expected that all should be the same as before. I will now remove the Beta and reinstall the printer, no worries. Have a great day.
     Attachments: fp_tracker_2019-08-27_Forum_b3c7e7a4-c862-11e9-8b15-4ccc6a500631.zip, BetaFourSecondTestResultLog.txt, ScanResultAfterOneDay.pdf
  2. The scan I performed proceeded smoothly. There were results relating to my existing protection; however, I am uncertain whether they are false positives or not. I have attached the relevant files in the hope that they are of use. Have a great day.
     Attachments: fp_tracker_2019-08-26_Forum_15dca8fd-c7ce-11e9-83f1-4ccc6a500631.zip, BetaFourTestResultLog.txt, MalwarebytesBetaFourTestResult.pdf
  3. Your help and speedy support was much appreciated.

  4. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
     Security Check log
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
     Results of screen317's Security Check version 0.99.77
     Windows XP Service Pack 3 x86
     Internet Explorer 8
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Enabled!
     AVG AntiVirus Free Edition 2014
     Lavasoft Ad-Watch Live! Anti-Virus
     Microsoft Security Essentials
     Antivirus up to date! (On Access scanning disabled!)
     `````````Anti-malware/Other Utilities Check:`````````
     Malwarebytes Anti-Malware version 1.75.0.1300
     Java 6 Update 17
     Java version out of Date!
     Adobe Flash Player 11.9.900.170
     Adobe Reader 9
     Adobe Reader XI
     Mozilla Firefox (26.0)
     Google Chrome 31.0.1650.57
     Google Chrome 31.0.1650.63
     ````````Process Check: objlist.exe by Laurent````````
     Malwarebytes Anti-Malware mbamservice.exe
     Malwarebytes Anti-Malware mbamgui.exe
     AVG avgwdsvc.exe
     AVG avgrsx.exe
     AVG avgnsx.exe
     AVG avgemc.exe
     Malwarebytes' Anti-Malware mbamscheduler.exe
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C:: 13% Defragment your hard drive soon! (Do NOT defrag if SSD!)
     ````````````````````End of Log``````````````````````
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
     Follow-on comments
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
     I will study the information you have provided on the IP blocking issue when I am more awake; thanks for that. I did investigate where the IP addresses originated and discovered that they came from the Netherlands and China. The Netherlands has some interesting spamming history that I dug up in the process. It is very possible that Malwarebytes is doing its job as required; I will investigate further in due course. Maybe the inability to log into Office 365 is coincidental; I will research that in due course as well.
     (FYI - while typing this I received another one of those IP blocks, this time starting with IP 80.) Shout when ready as regards the residual cleaning; thanks for your patience.
  5. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
     The result of the AdwCleaner action is in the following log:
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
     # AdwCleaner v3.015 - Report created 22/12/2013 at 23:54:29
     # Updated 10/12/2013 by Xplode
     # Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
     # Username : Belinda - BELINDAWKS
     # Running from : C:\Documents and Settings\Belinda.BELINDAWKS\Desktop\AdwCleaner.exe
     # Option : Clean
     ***** [ Services ] *****
     ***** [ Files / Folders ] *****
     Folder Deleted : C:\Documents and Settings\All Users\Start Menu\Programs\myfree codec
     Folder Deleted : C:\Program Files\myfree codec
     Folder Deleted : C:\Documents and Settings\belinda.belindaWKS\Application Data\registry mechanic
     ***** [ Shortcuts ] *****
     ***** [ Registry ] *****
     Key Deleted : HKLM\SOFTWARE\Classes\AppID\secman.DLL
     Key Deleted : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EasyGPS_is1
     Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
     Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5C3B5DAA-0AFF-4808-90FB-0F2F2D760E36}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{64697678-0000-0010-8000-00AA00389B71}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FD501041-8EBE-11CE-8183-00AA00577DA2}
     Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
     Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
     Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
     Key Deleted : HKCU\Software\AVG Secure Search
     Key Deleted : HKCU\Software\AVG Security Toolbar
     Key Deleted : HKCU\Software\Myfree Codec
     Key Deleted : HKCU\Software\YahooPartnerToolbar
     Key Deleted : HKLM\Software\Myfree Codec
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\MyFreeCodec
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\MyFreeCodec
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{1AE46C09-2AB8-4EE5-88FB-08CD0FF7F2DF}
     Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08121C32A9C319F4CB0C11FF059552A4
     Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
     Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
     ***** [ Browsers ] *****
     -\\ Internet Explorer v8.0.6001.18702
     -\\ Mozilla Firefox v26.0 (en-US)
     [ File : C:\Documents and Settings\belinda.belindaWKS\Application Data\Mozilla\Firefox\Profiles\48l43o78.default\prefs.js ]
     -\\ Google Chrome v31.0.1650.63
     [ File : C:\Documents and Settings\belinda.BELINDAWKS\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]
     *************************
     AdwCleaner[R0].txt - [3711 octets] - [22/12/2013 23:36:02]
     AdwCleaner[s0].txt - [3702 octets] - [22/12/2013 23:54:29]
     ########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [3762 octets] ##########
     +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
     Malwarebytes log follows (no malicious items detected)
     +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
     Malwarebytes Anti-Malware (PRO) 1.75.0.1300
     www.malwarebytes.org
     Database version: v2013.12.22.04
     Windows XP Service Pack 3 x86 NTFS
     Internet Explorer 8.0.6001.18702
     Belinda :: BELINDAWKS [administrator]
     Protection: Enabled
     12/23/2013 12:09:06 AM
     mbam-log-2013-12-23 (00-09-06).txt
     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 306644
     Time elapsed: 20 minute(s), 45 second(s)
     Memory Processes Detected: 0
     (No malicious items detected)
     Memory Modules Detected: 0
     (No malicious items detected)
     Registry Keys Detected: 0
     (No malicious items detected)
     Registry Values Detected: 0
     (No malicious items detected)
     Registry Data Items Detected: 0
     (No malicious items detected)
     Folders Detected: 0
     (No malicious items detected)
     Files Detected: 0
     (No malicious items detected)
     (end)
     +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
     Responding to your stability question in the previous posting:
     +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
     I note that drive C: now has a lot more space; that is encouraging. There were no further "system has recovered from a serious problem" type messages or unhandled memory exception events while running the scanning/cleaning processes. I note that an app (that I believed caused problems on my other machine and is loaded when Samsung KIES is installed), namely "Myfree CODEC", was indeed identified as a PUP. This XP machine is a slow machine, so I am uncertain if the long bootup time (relatively speaking) and the delays before opening Internet Explorer pages are due to that fact and the machine's lack of RAM, rather than an infection/malfunction.
     While Malwarebytes was running its scan as logged above I again received another one of those "Successfully blocked access to a potentially malicious website: 60.173.11.155 Type incoming" messages. That's bad news, since that triggered my forum posting. I tried to access the Office 365 web app in Explorer and I still see the following result (I can access that URL on my other machine that is running Windows 8.1):
     Microsoft.Exchange.Clients.Security.LiveTransientHRESULTException: LiveId authentication code has returned error 0x80049234 PP_E_RPS_REASON_POST_TICKET_TIMEWINDOW_EXPIRED, indicating that there's a temporary problem with the remote server. Please check the Application event log for detailed information and retry the operation later.
     ---> System.Runtime.InteropServices.COMException (0x80049234): Post ticket time window expired. Ticket could be reposted.
     at Microsoft.Passport.RPS.Native.IRPSHttpAuth.AuthenticateRawHttp(String siteName, String httpVerb, String path, String QS, String httpVersion, Boolean bHTTPs, String httpHeaders, String httpBody, Object pAuthResultsBag)
     at Microsoft.Passport.RPS.RPSHttpAuth.Authenticate(String siteName, HttpRequest request, RPSPropBag propBag)
     at Microsoft.Exchange.Clients.Security.LiveIdAuthentication.Authenticate(HttpContext httpContext, String siteName, String[] memberNameIgnorePrefixes, String& puid, String& orgIdPuid, String& cid, String& membername, UInt32& issueTime, String& responseHeaders, RPSTicket& rpsTicket, Boolean& hasAcceptedAccrual, UInt32& rpsAuthState, Boolean& isConsumerIdentity)
     --- End of inner exception stack trace ---
     at Microsoft.Exchange.Clients.Security.LiveIdErrorHandler.ThrowRPSException(COMException e)
     at Microsoft.Exchange.Clients.Security.LiveIdAuthentication.Authenticate(HttpContext httpContext, String siteName, String[] memberNameIgnorePrefixes, String& puid, String& orgIdPuid, String& cid, String& membername, UInt32& issueTime, String& responseHeaders, RPSTicket& rpsTicket, Boolean& hasAcceptedAccrual, UInt32& rpsAuthState, Boolean& isConsumerIdentity)
     at Microsoft.Exchange.Clients.Security.LiveIdAuthenticationModule.OnAuthenticateRequest(Object source, EventArgs e)
     Should I remove any of the cleanup tools/scanners that are currently still on the XP machine's desktop? Are there other actions that you recommend, since something might be having a residual effect? In the meantime I have AVG and Malwarebytes active at this time.
  6. The Kaspersky scan result is as follows and the scan log is attached. Of the 1190 objects scanned, there were no threats reported. (FYI - thankfully I could use my second PC to read your last posting; the PNG images would not display on the XP machine.)
     Attachment: KasperskyReport.rtf
  7. Results of the previously requested actions:
     1. I am not aware of any pirate s/w on my daughter's machine; there are definitely no torrents active. She bought the machine from her previous company (after that shut down).
     2. System restore is enabled on the infected machine.
     3. XP Pro version 2002 SP 3 refers. Celeron CPU 430 @ 1.73 GHz, 1.49 GB RAM. (So I ran the 32 bit version of RogueKiller.)
     4. The killer found problems (and as instructed I have not changed anything in response). The log is attached.
     I did not see any new Malwarebytes IP warnings during the above action. As an aside - what I did do just after my initial post was to change the machine's password as a precautionary measure; I did nothing else. I hope this helps.
     Attachment: RKreport0_S_12222013_193950.txt
  8. Dear MrC, Thanks for the welcome and your help. Proceeding: When I went to the infected machine to respond to you (I read my email on my iPad), there was a system message of the system having responded to a fatal error - I guess this is a symptom. The normal Windows suggestions came up on my reporting the error (i.e. ensure that Windows is updated etc.). Thinking on it, there were a couple of unhandled exceptions after having run Malwarebytes on previous days on starting up the machine (typically memory not available for read/write). When I tried to log in to the Outlook web app to gain access to my email on the infected machine, the login kept failing; I have a printout that I can share if that would help. In short - LiveId authentication code has returned error 0x80049234 (Post Ticket Time Window Expired). So sending you the Attach file was a temporary challenge. I managed to place it on DropBox (this posting comes from another machine where I can log in to my mail). The Attach file is attached to this posting. I will now make a printout of your advice on the other machine and proceed as suggested; subsequent posts to follow.
     Attachment: attach.txt
  9. Dear all, thank you for your help. I installed the PRO version of Malwarebytes on my daughter's XP machine (after picking up a problem on my own machine). Some malware was found and removed on her machine (the machine this report comes from). Popups then started regarding the blocking of incoming potentially dangerous sites, from various IP addresses (similar to other such postings on this forum). I am uncertain if I should follow the advice offered for others (since my case relates to incoming (not outgoing) IPs and this is an older machine running XP). Here is the DDS log; advice would be greatly appreciated:
     DDS (Ver_2012-11-20.01) - NTFS_x86
     Internet Explorer: 8.0.6001.18702
     Run by Belinda at 12:40:36 on 2013-12-22
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.362 [GMT 4:00]
     .
     AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
     AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
     AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
     .
     ============== Running Processes ================
     .
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\LSI SoftModem\agrsmsvc.exe
     C:\Program Files\QuickTime\qttask.exe
     C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
     C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
     C:\Program Files\Samsung\Kies\KiesTrayAgent.exe
     C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
     C:\Program Files\Windows Media Player\WMPNSCFG.exe
     C:\Program Files\Messenger\msmsgs.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
     C:\Program Files\Samsung\Kies\Kies.exe
     C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\Common Files\LightScribe\LSSrvc.exe
     C:\Program Files\Windows Desktop Search\WindowsSearch.exe
     C:\Documents and Settings\Belinda.BELINDAWKS\Application Data\Dropbox\bin\Dropbox.exe
     C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
     C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
     C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
     C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
     C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
     C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe
     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
     C:\WINDOWS\system32\SearchIndexer.exe
     C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
     C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
     C:\WINDOWS\System32\alg.exe
     C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
     C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
     C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
     C:\Program Files\Microsoft\BingBar\7.3.107.0\SeaPort.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\WINDOWS\system32\wbem\wmiprvse.exe
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
     C:\WINDOWS\system32\svchost.exe -k NetworkService
     C:\WINDOWS\system32\svchost.exe -k LocalService
     C:\WINDOWS\system32\svchost.exe -k LocalService
     C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
     C:\WINDOWS\System32\svchost.exe -k HTTPFilter
     C:\WINDOWS\system32\svchost.exe -k imgsvc
     C:\WINDOWS\System32\svchost.exe -k HPZ12
     .
     ============== Pseudo HJT Report ===============
     .
     uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
     BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
     BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
     BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
     BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
     BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\microsoft\bingbar\7.3.107.0\BingExt.dll
     BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
     BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
     TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\microsoft\bingbar\7.3.107.0\BingExt.dll
     uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
     uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
     uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
     uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
     uRun: [KiesPreload] c:\program files\samsung\kies\Kies.exe /preload
     uRun: [KiesAirMessage] c:\program files\samsung\kies\KiesAirMessage.exe -startup
     uRun: [] c:\program files\samsung\kies\external\firmwareupdate\KiesPDLR.exe
     uRun: [AVG-Secure-Search-Update_1213b] c:\documents and settings\belinda.belindawks\application data\avg 1213b campaign\AVG-Secure-Search-Update-1213b.exe /PROMPT /mid=57c9bb1e639947d39d4ec15857f5f8e2-0f792f3c56219c37b528f2f8a49141827a7d5d8a /CMPID=1213b
     mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
     mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
     mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
     mRun: [hpqSRMon] <no file>
     dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
     StartupFolder: c:\docume~1\belind~1.bel\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\belinda.belindawks\application data\dropbox\bin\Dropbox.exe
     StartupFolder: c:\docume~1\belind~1.bel\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueso~1.lnk - c:\program files\ivt corporation\bluesoleil\BlueSoleil.exe
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
     uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
     uPolicies-Explorer: NoWindowsUpdate = dword:0
     mPolicies-System: disablecad = dword:1
     mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
     mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
     IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
     IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
     IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
     IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
     IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
     IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
     IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
     DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
     TCP: Interfaces\{1DB3E555-A711-4ADA-A57E-86AC3A4C7BD2} : DHCPNameServer = 94.200.200.200 91.74.74.74
     Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
     Notify: igfxcui - igfxdev.dll
     SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
     SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
     LSA: Authentication Packages = msv1_0 nwprovau
     mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\31.0.1650.63\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
     .
     ================= FIREFOX ===================
     .
     FF - ProfilePath - c:\documents and settings\belinda.belindawks\application data\mozilla\firefox\profiles\48l43o78.default\
     FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
     FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
     FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
     FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
     FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
     FF - plugin: c:\program files\microsoft\office live\npOLW.dll
     FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
     FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_170.dll
     .
     ============= SERVICES / DRIVERS ===============
     .
     R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2013-8-22 147768]
     R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2013-8-22 222520]
     R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2013-8-20 102712]
     R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2013-8-1 27448]
     R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [2013-8-1 120600]
     R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2013-8-22 209176]
     R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2013-8-1 22840]
     R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2013-8-22 176952]
     R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2013-8-1 193848]
     R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2014\avgidsagent.exe [2013-11-11 3478544]
     R2 avgwd;AVG WatchDog;c:\program files\avg\avg2014\avgwdsvc.exe [2013-9-24 348008]
     R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-10-30 54752]
     R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-12-19 418376]
     R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-12-19 701512]
     R2 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\program files\microsoft forefront uag\endpoint components\3.1.0\uagqecsvc.exe [2011-5-12 150928]
     R3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.3.107.0\SeaPort.EXE [2013-8-30 240288]
     R3 BlackBerry Device Manager;BlackBerry Device Manager;c:\program files\common files\research in motion\usb drivers\BbDevMgr.exe [2013-6-27 585728]
     R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-12-19 22856]
     S2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.3.107.0\BBSvc.EXE [2013-8-30 193696]
     S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
     S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2013-8-31 84248]
     S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2013-5-4 20032]
     S3 DMService;Microsoft Forefront UAG Endpoint Component Manager;c:\windows\downlo~1\DMService.exe [2011-5-12 487312]
     S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
     S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
     S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [2008-11-21 81832]
     S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [2008-12-2 13864]
     S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [2008-12-2 107304]
     S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [2009-1-3 99112]
     S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [2009-1-13 21928]
     S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [2008-12-20 97320]
     S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [2009-1-13 97704]
     S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2013-8-31 181912]
     S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
     .
     =============== Created Last 30 ================
     .
     2013-12-19 17:11:08 -------- d-----w- C:\f54d5619edd680d2de272f2fa6c5
     2013-12-19 12:43:20 -------- d-----w- c:\documents and settings\belinda.belindawks\application data\Malwarebytes
     2013-12-19 12:42:54 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
     2013-12-19 12:42:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
     2013-12-19 12:42:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2013-12-19 12:39:44 -------- d-----w- c:\program files\EasyGPS
     2013-12-12 16:03:38 9293192 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
     .
     ==================== Find3M ====================
     .
     2013-12-12 16:05:04 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
     2013-12-12 16:05:03 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
     2013-11-19 10:21:30 230048 ------w- c:\windows\system32\MpSigStub.exe
     2013-11-13 02:59:42 150528 ----a-w- c:\windows\system32\imagehlp.dll
     2013-11-07 05:38:51 591360 ----a-w- c:\windows\system32\rpcrt4.dll
     2013-11-06 01:03:31 7168 ----a-w- c:\windows\system32\xpsp4res.dll
     2013-11-05 17:50:48 120600 ----a-w- c:\windows\system32\drivers\avgdiskx.sys
     2013-11-04 17:57:30 209176 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
     2013-10-31 19:00:28 176952 ----a-w- c:\windows\system32\drivers\avgldx86.sys
     2013-10-31 18:30:08 222520 ----a-w- c:\windows\system32\drivers\avglogx.sys
     2013-10-30 02:26:17 1879040 ----a-w- c:\windows\system32\win32k.sys
     2013-10-29 07:57:34 920064 ----a-w- c:\windows\system32\wininet.dll
     2013-10-29 07:57:33 43520 ----a-w- c:\windows\system32\licmgr10.dll
     2013-10-29 07:57:33 18944 ----a-w- c:\windows\system32\corpol.dll
     2013-10-29 07:57:33 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
     2013-10-29 00:45:02 385024 ----a-w- c:\windows\system32\html.iec
     2013-10-24 18:28:32 147768 ----a-w- c:\windows\system32\drivers\avgidshx.sys
     2013-10-23 23:45:49 172032 ----a-w- c:\windows\system32\scrrun.dll
     2013-10-12 15:56:19 278528 ----a-w- c:\windows\system32\oakley.dll
     2013-10-09 13:12:48 287744 ----a-w- c:\windows\system32\gdi32.dll
     2013-10-07 10:59:21 603136 ----a-w- c:\windows\system32\crypt32.dll
     2007-06-01 14:07:48 741376 ----a-w- c:\program files\common files\InfoSlips.ForMe.exe
     .
     ============= FINISH: 12:42:37.04 ===============
  10. My apologies if this is in the wrong place and/or if my theory does not hold water. I can't seem to find the best place to test what I experienced with someone else. I found that my computer (Windows 8) was infected with a browser (Explorer) hijack after installing Samsung Kies. Malwarebytes removed the hijack. Reading up in the Forums indicated that some people reported Kies as being malware (so those people's installed Malwarebytes detected Kies as having a problem at a time). I have installed/reinstalled Kies on various machines at different times, so why did this trojan not activate all of the time? Theory: One has to install the "Myfree CODEC" with Kies. This "codec" might selectively install a trojan for some users based on a counter or a random variable. So every 100th person (say) might get a surprise package. This CODEC might not be under the full control of Samsung, so a third party might manipulate a trojan's installation at their pleasure using Mycodec (maybe there could also be a remote controlled "switch"?). So - depending on the luck of the draw you get the codec, or you get a dummy codec plus trojan, and then the trojan zaps your browser, leading to other possible infections based on text such as "You are the lucky 100 00th person". Comments anyone?