
jaymac

  1. Gringo- User Accounts in control panel does not function either by double clicking or right clicking and selecting open. In trying to add the user through the command prompt, it messages -"'net' is not recognized as an internal or external command, operable program or batch file." Getting an ax ready to put the pc out of its misery soon....
  2. Gringo- Downloaded latest combofix to laptop, used thumbnail to transfer to infected computer. Turned off MBAM and Norton shuts itself down every time I but due to aforementioned runtime error. Ran combofix, it said Norton AntiVirus was still running - with no way for me to stop it as the control panel will not open. So I uninstalled norton and continued with Combofix. During the run I continuously got the error "The Instruction at "0x5ff3cbc2" referred at memory "0x0029fe8". The memory could not be "read". Click ok to terminate program." The computer is still the same, MBAM will no longer open, no internet access and the error message above. Combofix log follows but is probably useless:
  3. gringo- As I said in my last statement- System Restore does not work. Either get a blank dialogue box or error message "The procedure entry point GetIUriPriv could not be located in the dynamic link library urlmon.dll."
  4. Gringo- SFC would not work. Claimed the disk I had in was not the right disk. Ran repair. Aforementioned error message kept preventing fix script from running properly. Now, in addition to previous problems, I no longer have internet access (no servers can be located for any bookmarked pages), Malwarebytes control panel will not open (runtime error), Norton shuts down (claims error report to Microsoft is sent when option chosen), and worst of all, System Restore will not run and it will not read my recovery disk.
  5. Gringo- Thanks! Ran repair. Have always had internet access, just getting that error message for all programs at computer startup, and again for each program as I open or close. Error message still continues. While running fix kept getting error message "cannot find 'netsh' ". Still cannot "enable ..." and when this last round of errors popped up, the "System Restore" could not restore to an earlier point. Did I just make your headache worse? Thanks again - Jeff
  6. Gringo- Did so. Said it was successful. Still got the same error, rebooted, error continues. - Jeff
  7. Gringo- Hitman found no entries. Clicking on next button did NOT take me to screen with "Export scan results to XML file" option. Clicking next again allowed me to save a log, but that was it. Wife apparently went into computer to delete the programs she thought she downloaded around the time the computer became infected (Taqgeditor and Fair CD Ripper). She saw CA firewall still in there and tried to uninstall that. As a result, computer started getting error messages and she tried to restore everything she uninstalled (what is there to not understand about do not touch the computer until it is fixed I do not understand)?! Now getting error message (apparently for all update checks): The Instruction at "0x5ff3cbc2" referred at memory "0x0029fe8". The memory could not be "read". Click ok to terminate program. This message is showing for: mbamgui.exe nwiz.exe OtTask.exe AdobeARM.exe ADSDaemon.exe Reader_s1.exe. The Hitman pro was downloaded and run after all of this. The log is as follows:
  8. Gringo- Re-run of FRST.txt follows:
09:10 - 2013-06-23 09:10 - 00000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk 2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware 2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes 2013-06-23 09:10 - 2013-04-04 14:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys 2013-06-22 10:35 - 2013-06-22 10:35 - 00000000 ____D C:\_OTL 2013-06-21 18:57 - 2013-07-01 11:10 - 00000000 ____D C:\Documents and Settings\User one\Desktop\MBAM 06.2013 2013-06-16 19:15 - 2013-06-16 19:15 - 00001288 ____A C:\AdwCleaner[s2].txt 2013-06-16 19:14 - 2013-06-16 19:14 - 00001377 ____A C:\AdwCleaner[R1].txt 2013-06-16 18:59 - 2013-06-16 18:59 - 00000000 __HDC C:\Windows\$NtUninstallKB2808679$ 2013-06-16 18:57 - 2013-06-16 18:59 - 00009348 ____A C:\Windows\KB2808679.log 2013-06-16 18:57 - 2013-06-16 18:58 - 00006684 ____A C:\Windows\KB2598845-IE8.log 2013-06-16 18:47 - 2013-06-16 18:48 - 00003485 ____A C:\Windows\ie8Uninst.log 2013-06-16 14:07 - 2013-06-16 14:18 - 00000000 ____D C:\Qoobox 2013-06-16 14:07 - 2013-06-16 14:17 - 00000000 ____D C:\Windows\erdnt 2013-06-16 14:07 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe 2013-06-16 14:07 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe 2013-06-16 14:07 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe 2013-06-16 14:07 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe 2013-06-16 14:07 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe 2013-06-16 14:07 - 2000-08-30 20:00 - 00212480 ____A (SteelWerX) C:\Windows\SWXCACLS.exe 2013-06-16 14:07 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe 2013-06-16 14:07 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe 2013-06-16 14:07 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe 2013-06-16 10:09 - 2013-06-16 10:58 - 00000000 ____D C:\JRT 
2013-06-16 10:09 - 2013-06-16 10:09 - 00000000 ____D C:\Windows\ERUNT 2013-06-15 18:50 - 2013-06-15 19:26 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared 2013-06-15 18:50 - 2013-06-15 18:50 - 00142496 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS 2013-06-15 18:50 - 2013-06-15 18:50 - 00007446 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT 2013-06-15 18:50 - 2013-06-15 18:50 - 00000000 ____D C:\Program Files\Symantec 2013-06-15 18:49 - 2013-06-16 10:05 - 00000000 ____D C:\Windows\System32\Drivers\N360 2013-06-15 18:49 - 2013-06-15 18:49 - 00000000 ____D C:\Program Files\Norton Security Suite 2013-06-15 18:45 - 2013-06-15 18:45 - 00001736 ____A C:\Documents and Settings\User one\TmInstall.log 2013-06-15 18:41 - 2013-06-15 18:41 - 00004272 ____A C:\Windows\System32\TmInstall.log 2013-06-15 18:38 - 2013-06-15 18:38 - 00000000 ____D C:\Documents and Settings\User one\My Documents\Symantec 2013-06-15 18:37 - 2013-06-15 18:51 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton 2013-06-15 18:37 - 2013-06-15 18:37 - 00000000 ____D C:\Documents and Settings\All Users\Documents\Norton 2013-06-15 18:23 - 2013-06-15 18:23 - 00000176 ____A C:\Documents and Settings\User one\Desktop\Malwarebytes#2 Desktop.txt 2013-06-15 15:44 - 2013-06-15 15:44 - 00065536 ____A C:\Windows\Minidump\Mini061513-01.dmp 2013-06-14 10:16 - 2013-06-14 10:16 - 00000000 __HDC C:\Windows\$NtUninstallKB2839229$ 2013-06-14 10:13 - 2013-06-14 10:13 - 00010954 ____A C:\Windows\KB2838727-IE8.log 2013-06-14 10:12 - 2013-06-14 10:16 - 00013933 ____A C:\Windows\KB2839229.log ==================== One Month Modified Files and Folders ======== 2013-07-01 11:10 - 2013-07-01 11:10 - 00000634 ____A C:\Documents and Settings\User one\Desktop\Dir 7.1.13 A.txt 2013-07-01 11:10 - 2013-06-21 18:57 - 00000000 ____D C:\Documents and Settings\User one\Desktop\MBAM 06.2013 2013-07-01 10:11 - 2008-04-24 01:12 - 01924438 ____A C:\Windows\WindowsUpdate.log 2013-07-01 
07:31 - 2013-07-01 07:31 - 00000000 ____D C:\FRST 2013-07-01 07:30 - 2013-07-01 07:30 - 01372463 ____A (Farbar) C:\Documents and Settings\User one\Desktop\FRST.exe 2013-06-29 08:47 - 2010-02-04 21:38 - 00000284 ____A C:\Windows\Tasks\AppleSoftwareUpdate.job 2013-06-24 18:59 - 2006-02-28 08:00 - 00002422 ____A C:\Windows\System32\wpa.dbl 2013-06-24 18:53 - 2013-06-24 18:38 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable) 2013-06-24 18:36 - 2013-06-24 18:36 - 00035144 ____A C:\Windows\System32\Drivers\mbamchameleon.sys 2013-06-23 20:48 - 2008-04-24 21:04 - 00000159 ____A C:\Windows\wiadebug.log 2013-06-23 20:48 - 2008-04-24 21:04 - 00000049 ____A C:\Windows\wiaservc.log 2013-06-23 20:47 - 2011-07-28 19:10 - 00000062 __ASH C:\Documents and Settings\UpdatusUser\Local Settings\desktop.ini 2013-06-23 20:47 - 2008-04-24 01:21 - 00000062 __ASH C:\Documents and Settings\User one\Local Settings\desktop.ini 2013-06-23 20:47 - 2008-04-24 01:16 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini 2013-06-23 20:47 - 2008-04-24 01:16 - 00000006 ___AH C:\Windows\Tasks\SA.DAT 2013-06-23 20:47 - 2008-04-24 01:15 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini 2013-06-23 20:46 - 2010-10-30 10:41 - 01284069 ____A C:\Windows\System32\Drivers\kmxcfg.u2k1 2013-06-23 20:46 - 2010-10-30 10:41 - 00000373 ____A C:\Windows\System32\Drivers\kmxzone.u2k1 2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k7 2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k6 2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k5 2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k4 2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k3 2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A 
C:\Windows\System32\Drivers\kmxcfg.u2k2 2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k0 2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k7 2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k6 2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k5 2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k4 2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k3 2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k2 2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k0 2013-06-23 20:46 - 2010-06-24 17:05 - 00977836 ____A C:\Windows\System32\Drivers\KmxAgent.asc 2013-06-23 20:46 - 2008-04-24 01:21 - 00000178 ___SH C:\Documents and Settings\User one\ntuser.ini 2013-06-23 20:46 - 2008-04-24 01:16 - 00032498 ____A C:\Windows\SchedLgU.Txt 2013-06-23 09:11 - 2013-06-23 09:11 - 00000000 ____D C:\Documents and Settings\User one\Application Data\Malwarebytes 2013-06-23 09:10 - 2013-06-23 09:10 - 00000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk 2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware 2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes 2013-06-22 10:35 - 2013-06-22 10:35 - 00000000 ____D C:\_OTL 2013-06-16 19:37 - 2008-10-06 21:20 - 00000000 ____D C:\Windows\Microsoft.NET 2013-06-16 19:15 - 2013-06-16 19:15 - 00001288 ____A C:\AdwCleaner[s2].txt 2013-06-16 19:14 - 2013-06-16 19:14 - 00001377 ____A C:\AdwCleaner[R1].txt 2013-06-16 19:05 - 2008-04-24 21:02 - 00582984 ____A C:\Windows\System32\PerfStringBackup.INI 2013-06-16 18:59 - 2013-06-16 18:59 - 00000000 __HDC C:\Windows\$NtUninstallKB2808679$ 
2013-06-16 18:59 - 2013-06-16 18:57 - 00009348 ____A C:\Windows\KB2808679.log 2013-06-16 18:59 - 2008-05-19 04:50 - 00246872 ____A C:\Windows\updspapi.log 2013-06-16 18:59 - 2008-04-24 21:02 - 02554192 ____A C:\Windows\FaxSetup.log 2013-06-16 18:59 - 2008-04-24 21:02 - 01228157 ____A C:\Windows\ocgen.log 2013-06-16 18:59 - 2008-04-24 21:02 - 00976928 ____A C:\Windows\tsoc.log 2013-06-16 18:59 - 2008-04-24 21:02 - 00847570 ____A C:\Windows\comsetup.log 2013-06-16 18:59 - 2008-04-24 21:02 - 00512700 ____A C:\Windows\ntdtcsetup.log 2013-06-16 18:59 - 2008-04-24 21:02 - 00402633 ____A C:\Windows\iis6.log 2013-06-16 18:59 - 2008-04-24 21:02 - 00139595 ____A C:\Windows\ocmsn.log 2013-06-16 18:59 - 2008-04-24 21:02 - 00127606 ____A C:\Windows\msgsocm.log 2013-06-16 18:59 - 2008-04-24 21:02 - 00001374 ____A C:\Windows\imsins.log 2013-06-16 18:59 - 2008-04-24 21:01 - 00346454 ____A C:\Windows\setupapi.log 2013-06-16 18:58 - 2013-06-16 18:57 - 00006684 ____A C:\Windows\KB2598845-IE8.log 2013-06-16 18:58 - 2011-06-30 21:02 - 00000000 ____D C:\Windows\ie8updates 2013-06-16 18:58 - 2008-04-24 21:02 - 00001374 ____A C:\Windows\imsins.BAK 2013-06-16 18:58 - 2008-04-24 01:31 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Microsoft Help 2013-06-16 18:57 - 2008-04-24 01:13 - 00000000 ____D C:\Windows\$hf_mig$ 2013-06-16 18:48 - 2013-06-16 18:47 - 00003485 ____A C:\Windows\ie8Uninst.log 2013-06-16 14:18 - 2013-06-16 14:07 - 00000000 ____D C:\Qoobox 2013-06-16 14:17 - 2013-06-16 14:07 - 00000000 ____D C:\Windows\erdnt 2013-06-16 14:16 - 2006-02-28 08:00 - 00000227 ____A C:\Windows\system.ini 2013-06-16 10:58 - 2013-06-16 10:09 - 00000000 ____D C:\JRT 2013-06-16 10:09 - 2013-06-16 10:09 - 00000000 ____D C:\Windows\ERUNT 2013-06-16 10:05 - 2013-06-15 18:49 - 00000000 ____D C:\Windows\System32\Drivers\N360 2013-06-16 10:03 - 2013-05-05 13:45 - 00412106 ____A C:\Documents and Settings\LocalService\Local Settings\Application 
Data\WPFFontCache_v0400-S-1-5-21-725345543-1454471165-682003330-1004-0.dat 2013-06-16 10:03 - 2013-05-05 12:09 - 00207098 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat 2013-06-15 19:26 - 2013-06-15 18:50 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared 2013-06-15 19:05 - 2013-05-05 12:00 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Sonos,_Inc 2013-06-15 18:54 - 2013-05-05 12:00 - 00001700 ____A C:\Documents and Settings\All Users\Desktop\Sonos.lnk 2013-06-15 18:54 - 2013-05-05 12:00 - 00000000 ____D C:\Program Files\Sonos 2013-06-15 18:54 - 2013-05-05 11:59 - 00000000 ____D C:\Documents and Settings\User one\Local Settings\Application Data\Downloaded Installations 2013-06-15 18:51 - 2013-06-15 18:37 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton 2013-06-15 18:50 - 2013-06-15 18:50 - 00142496 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS 2013-06-15 18:50 - 2013-06-15 18:50 - 00007446 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT 2013-06-15 18:50 - 2013-06-15 18:50 - 00000000 ____D C:\Program Files\Symantec 2013-06-15 18:49 - 2013-06-15 18:49 - 00000000 ____D C:\Program Files\Norton Security Suite 2013-06-15 18:45 - 2013-06-15 18:45 - 00001736 ____A C:\Documents and Settings\User one\TmInstall.log 2013-06-15 18:44 - 2008-05-19 04:51 - 00000000 ___DC C:\Windows\$NtUninstallKB920213$ 2013-06-15 18:41 - 2013-06-15 18:41 - 00004272 ____A C:\Windows\System32\TmInstall.log 2013-06-15 18:40 - 2011-07-04 09:55 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Trend Micro 2013-06-15 18:38 - 2013-06-15 18:38 - 00000000 ____D C:\Documents and Settings\User one\My Documents\Symantec 2013-06-15 18:37 - 2013-06-15 18:37 - 00000000 ____D C:\Documents and Settings\All Users\Documents\Norton 2013-06-15 18:23 - 2013-06-15 18:23 - 00000176 ____A C:\Documents and Settings\User one\Desktop\Malwarebytes#2 Desktop.txt 
2013-06-15 15:52 - 2008-04-24 01:11 - 00000000 ____D C:\Windows\System32\Restore 2013-06-15 15:44 - 2013-06-15 15:44 - 00065536 ____A C:\Windows\Minidump\Mini061513-01.dmp 2013-06-15 15:44 - 2010-07-12 02:35 - 00000000 ____D C:\Windows\Minidump 2013-06-15 15:44 - 2008-04-24 20:54 - 380952576 ____A C:\Windows\MEMORY.DMP 2013-06-14 10:16 - 2013-06-14 10:16 - 00000000 __HDC C:\Windows\$NtUninstallKB2839229$ 2013-06-14 10:16 - 2013-06-14 10:12 - 00013933 ____A C:\Windows\KB2839229.log 2013-06-14 10:14 - 2008-05-19 04:50 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe 2013-06-14 10:13 - 2013-06-14 10:13 - 00010954 ____A C:\Windows\KB2838727-IE8.log ==================== Bamital & volsnap Check ================= C:\Windows\explorer.exe => MD5 is legit C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit ==================== End Of Log ============================
  9. Gringo - Fixlog.txt follows:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 01-07-2013 01
Ran by User one at 2013-07-01 11:11:01 Run:1
Running from C:\Documents and Settings\User one\Desktop
Boot Mode: Normal
==============================================
HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} => Key not found.
HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} => Key not found.
==== End of Fixlog ====
  10. Gringo - thanks again. FRST below and Addition attached: Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 01-07-2013 01 Ran by User one (administrator) on 01-07-2013 07:31:40 Running from C:\Documents and Settings\User one\Desktop Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English(US) Internet Explorer Version 8 Boot Mode: Normal ==================== Processes (Whitelisted) =================== (CA) C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe (CA) C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe (CA) C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe (CA) C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe (Acronis) C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis) C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis) C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Lexmark International, Inc.) C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe (Lexmark International, Inc.) C:\Program Files\Lexmark 1200 Series\lxczbmon.exe (Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe (Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe (Acronis) C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.) 
C:\Program Files\Bonjour\mDNSResponder.exe (Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe ( ) C:\WINDOWS\system32\lxczcoms.exe (Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Symantec Corporation) C:\Program Files\Norton Security Suite\Engine\20.3.1.22\ccSvcHst.exe (Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe () C:\WINDOWS\system32\PSIService.exe (Symantec Corporation) C:\Program Files\Norton Security Suite\Engine\20.3.1.22\ccSvcHst.exe (Protexis Inc.) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Secunia) C:\Program Files\Secunia\PSI\sua.exe () C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe (Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe (Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jucheck.exe ==================== Registry (Whitelisted) ================== HKLM\...\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [2595480 2007-09-07] (Acronis) HKLM\...\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe [905056 2007-09-07] (Acronis) HKLM\...\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [140568 2007-09-07] (Acronis) HKLM\...\Run: [intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [1532760 2011-06-15] (Intuit Inc. All rights reserved.) HKLM\...\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [74672 2007-02-08] (Lexmark International, Inc.) 
HKLM\...\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s [295856 2007-02-08] () HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [13895272 2011-05-21] (NVIDIA Corporation) HKLM\...\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login [x] HKLM\...\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet [1632360 2011-05-05] () HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.) HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated) HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [253816 2013-03-12] (Oracle Corporation) HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-01-28] (Apple Inc.) HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152392 2013-02-20] (Apple Inc.) HKLM\...\RunOnce: [A0] cmd /c "C:\Documents and Settings\User one\Desktop\MBAM 06.2013\mbar-1.06.0.1004\mbar\mbar.exe" /r /s [769096 2013-06-01] (Malwarebytes Corporation) Winlogon\Notify\PFW: UmxWnp.Dll (CA) HKCR\...0c966feabec1\InprocServer32: [Default-shell32] %SystemRoot%\system32\shdocvw.dll ATTENTION! ====> ZeroAccess? HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] %SystemRoot%\system32\SHELL32.dll ATTENTION! ====> ZeroAccess? 
==================== Internet (Whitelisted) ==================== HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/ HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?} BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\coIEPlg.dll (Symantec Corporation) BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\IPS\IPSBHO.DLL (Symantec Corporation) BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation) BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation) BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\coIEPlg.dll (Symantec Corporation) Toolbar: HKCU -Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\coIEPlg.dll (Symantec Corporation) DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.) 
Handler: ipp - No CLSID Value - Handler: msdaipp - No CLSID Value - Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\System32\mscoree.dll (Microsoft Corporation) ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation) Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.) Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 FireFox: ======== FF ProfilePath: C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll () FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll () FF Plugin: @java.com/JavaPlugin,version=10.21.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation) FF Plugin: @microsoft.com/WLPG,version=14.0.8117.0416 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF Plugin: @microsoft.com/WPF,version=3.5 - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF Plugin: @RIM.com/WebSLLauncher,version=1.0 - C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll () FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF Extension: No Name - C:\Documents and Settings\User one\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} FF Extension: LogMeIn, Inc. 
Remote Access Plugin - C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\Extensions\LogMeInClient@logmein.com FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b} FF Extension: Default - C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ FF HKLM\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\IPSFFPlgn\ FF Extension: Norton Vulnerability Protection - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\IPSFFPlgn\ FF HKLM\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\coFFPlgn\ FF Extension: Norton Toolbar - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\coFFPlgn\ ========================== Services (Whitelisted) ================= R2 AcrSch2Svc; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [427288 2007-09-07] (Acronis) R2 lxcz_device; C:\WINDOWS\system32\lxczcoms.exe [537520 2007-02-08] ( ) R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation) R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes 
Corporation) R2 N360; C:\Program Files\Norton Security Suite\Engine\20.3.1.22\diMaster.dll [554288 2013-03-29] (Symantec Corporation) R2 nvUpdatusService; C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2214504 2011-05-21] (NVIDIA Corporation) R2 ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [177704 2007-06-05] () S3 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [1328736 2012-09-24] (Secunia) R2 Secunia Update Agent; C:\Program Files\Secunia\PSI\sua.exe [656480 2012-09-24] (Secunia) R2 TryAndDecideService; C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [492600 2007-09-07] () R2 UmxAgent; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [887288 2009-08-04] (CA) R2 UmxCfg; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [740160 2010-08-24] (CA) R2 UmxFwHlp; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe [150008 2009-07-31] (CA) R2 UmxPol; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe [301648 2010-09-17] (CA) S3 AppMgmt; %SystemRoot%\System32\appmgmts.dll [x] S3 CaCCProvSP; "C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe" [x] S2 ccSchedulerSVC; C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe [x] S4 HidServ; %SystemRoot%\System32\hidserv.dll [x] R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf" [x] ==================== Drivers (Whitelisted) ==================== R1 BHDrvx86; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130620.001\BHDrvx86.sys [1002072 2013-05-31] (Symantec Corporation) R1 ccSet_N360; C:\Windows\system32\drivers\N360\1403010.016\ccSetx86.sys [134304 2012-11-15] (Symantec Corporation) R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2013-06-15] (Symantec Corporation) R3 EraserUtilRebootDrv; C:\Program 
Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2013-06-15] (Symantec Corporation) R3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-13] (Windows ® Server 2003 DDK provider) R3 IDSxpx86; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130628.001\IDSxpx86.sys [373728 2013-06-14] (Symantec Corporation) R1 KmxAgent; C:\Windows\System32\DRIVERS\kmxagent.sys [79864 2010-03-22] (CA) R2 KmxCF; C:\Windows\System32\DRIVERS\KmxCF.sys [146000 2010-09-24] (CA) R3 KmxCfg; C:\Windows\System32\DRIVERS\kmxcfg.sys [244304 2010-06-09] (CA) R1 KmxFile; C:\Windows\System32\DRIVERS\KmxFile.sys [61008 2010-09-24] (CA) R1 KmxFw; C:\Windows\System32\DRIVERS\kmxfw.sys [115792 2010-09-24] (CA) R2 KmxSbx; C:\Windows\System32\DRIVERS\KmxSbx.sys [61008 2010-09-24] (CA) R0 KmxStart; C:\Windows\System32\DRIVERS\kmxstart.sys [108112 2010-05-03] (CA) R3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [35144 2013-06-24] () R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation) R3 NAVENG; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130630.003\NAVENG.SYS [93272 2013-06-15] (Symantec Corporation) R3 NAVEX15; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130630.003\NAVEX15.SYS [1611992 2013-06-15] (Symantec Corporation) S3 PSI; C:\Windows\System32\DRIVERS\psi_mf.sys [15544 2011-12-16] (Secunia) S3 sfng32; C:\Windows\System32\drivers\sfng32.sys [41728 2005-12-02] (Sonic Focus, Inc) S3 SONYPVU1; C:\Windows\System32\DRIVERS\SONYPVU1.SYS [7552 2001-08-17] (Sony Corporation) R3 SRTSP; C:\Windows\System32\Drivers\N360\1403010.016\SRTSP.SYS [602712 2013-01-28] (Symantec Corporation) R1 SRTSPX; 
C:\Windows\system32\drivers\N360\1403010.016\SRTSPX.SYS [32344 2013-01-28] (Symantec Corporation)
R3 STHDA; C:\Windows\System32\drivers\sthda.sys [1271032 2008-04-10] (IDT, Inc.)
R0 SymDS; C:\Windows\System32\drivers\N360\1403010.016\SYMDS.SYS [367704 2013-01-21] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\N360\1403010.016\SYMEFA.SYS [934488 2013-01-30] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [142496 2013-06-15] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\N360\1403010.016\Ironx86.SYS [175264 2012-07-27] (Symantec Corporation)
R1 SYMTDI; C:\Windows\System32\Drivers\N360\1403010.016\SYMTDI.SYS [394656 2012-07-22] (Symantec Corporation)
R0 tdrpman; C:\Windows\System32\DRIVERS\tdrpman.sys [368736 2008-11-06] (Acronis)
R2 tifsfilter; C:\Windows\System32\DRIVERS\tifsfilt.sys [44384 2008-11-06] (Acronis)
S3 catchme; \??\C:\DOCUME~1\USERON~1\LOCALS~1\Temp\catchme.sys [x]
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
S4 IntelIde; No ImagePath
S3 lmimirr; system32\DRIVERS\lmimirr.sys [x]
S2 MCSTRM; No ImagePath
U3 TlntSvr;
U3 aswMBR; \??\C:\DOCUME~1\USERON~1\LOCALS~1\Temp\aswMBR.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-07-01 07:31 - 2013-07-01 07:31 - 00000000 ____D C:\FRST
2013-07-01 07:30 - 2013-07-01 07:30 - 01372463 ____A (Farbar) C:\Documents and Settings\User one\Desktop\FRST.exe
2013-06-24 18:38 - 2013-06-24 18:53 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-06-24 18:36 - 2013-06-24 18:36 - 00035144 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
2013-06-23 09:11 - 2013-06-23 09:11 - 00000000 ____D C:\Documents and Settings\User one\Application Data\Malwarebytes
2013-06-23 09:10 - 2013-06-23 09:10 - 00000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2013-06-23 09:10 - 2013-04-04 14:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-06-22 10:35 - 2013-06-22 10:35 - 00000000 ____D C:\_OTL
2013-06-21 18:57 - 2013-07-01 07:31 - 00000000 ____D C:\Documents and Settings\User one\Desktop\MBAM 06.2013
2013-06-16 19:15 - 2013-06-16 19:15 - 00001288 ____A C:\AdwCleaner[s2].txt
2013-06-16 19:14 - 2013-06-16 19:14 - 00001377 ____A C:\AdwCleaner[R1].txt
2013-06-16 18:59 - 2013-06-16 18:59 - 00000000 __HDC C:\Windows\$NtUninstallKB2808679$
2013-06-16 18:57 - 2013-06-16 18:59 - 00009348 ____A C:\Windows\KB2808679.log
2013-06-16 18:57 - 2013-06-16 18:58 - 00006684 ____A C:\Windows\KB2598845-IE8.log
2013-06-16 18:47 - 2013-06-16 18:48 - 00003485 ____A C:\Windows\ie8Uninst.log
2013-06-16 14:07 - 2013-06-16 14:18 - 00000000 ____D C:\Qoobox
2013-06-16 14:07 - 2013-06-16 14:17 - 00000000 ____D C:\Windows\erdnt
2013-06-16 14:07 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe
2013-06-16 14:07 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe
2013-06-16 14:07 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00212480 ____A (SteelWerX) C:\Windows\SWXCACLS.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe
2013-06-16 10:09 - 2013-06-16 10:58 - 00000000 ____D C:\JRT
2013-06-16 10:09 - 2013-06-16 10:09 - 00000000 ____D C:\Windows\ERUNT
2013-06-15 18:50 - 2013-06-15 19:26 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-06-15 18:50 - 2013-06-15 18:50 - 00142496 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS
2013-06-15 18:50 - 2013-06-15 18:50 - 00007446 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT
2013-06-15 18:50 - 2013-06-15 18:50 - 00000000 ____D C:\Program Files\Symantec
2013-06-15 18:49 - 2013-06-16 10:05 - 00000000 ____D C:\Windows\System32\Drivers\N360
2013-06-15 18:49 - 2013-06-15 18:49 - 00000000 ____D C:\Program Files\Norton Security Suite
2013-06-15 18:45 - 2013-06-15 18:45 - 00001736 ____A C:\Documents and Settings\User one\TmInstall.log
2013-06-15 18:41 - 2013-06-15 18:41 - 00004272 ____A C:\Windows\System32\TmInstall.log
2013-06-15 18:38 - 2013-06-15 18:38 - 00000000 ____D C:\Documents and Settings\User one\My Documents\Symantec
2013-06-15 18:37 - 2013-06-15 18:51 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2013-06-15 18:37 - 2013-06-15 18:37 - 00000000 ____D C:\Documents and Settings\All Users\Documents\Norton
2013-06-15 18:23 - 2013-06-15 18:23 - 00000176 ____A C:\Documents and Settings\User one\Desktop\Malwarebytes#2 Desktop.txt
2013-06-15 15:44 - 2013-06-15 15:44 - 00065536 ____A C:\Windows\Minidump\Mini061513-01.dmp
2013-06-14 10:16 - 2013-06-14 10:16 - 00000000 __HDC C:\Windows\$NtUninstallKB2839229$
2013-06-14 10:13 - 2013-06-14 10:13 - 00010954 ____A C:\Windows\KB2838727-IE8.log
2013-06-14 10:12 - 2013-06-14 10:16 - 00013933 ____A C:\Windows\KB2839229.log

==================== One Month Modified Files and Folders ========

2013-07-01 07:31 - 2013-07-01 07:31 - 00000000 ____D C:\FRST
2013-07-01 07:31 - 2013-06-21 18:57 - 00000000 ____D C:\Documents and Settings\User one\Desktop\MBAM 06.2013
2013-07-01 07:30 - 2013-07-01 07:30 - 01372463 ____A (Farbar) C:\Documents and Settings\User one\Desktop\FRST.exe
2013-06-30 13:16 - 2008-04-24 01:12 - 01914330 ____A C:\Windows\WindowsUpdate.log
2013-06-29 08:47 - 2010-02-04 21:38 - 00000284 ____A C:\Windows\Tasks\AppleSoftwareUpdate.job
2013-06-24 18:59 - 2006-02-28 08:00 - 00002422 ____A C:\Windows\System32\wpa.dbl
2013-06-24 18:53 - 2013-06-24 18:38 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-06-24 18:36 - 2013-06-24 18:36 - 00035144 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
2013-06-23 20:48 - 2008-04-24 21:04 - 00000159 ____A C:\Windows\wiadebug.log
2013-06-23 20:48 - 2008-04-24 21:04 - 00000049 ____A C:\Windows\wiaservc.log
2013-06-23 20:47 - 2011-07-28 19:10 - 00000062 __ASH C:\Documents and Settings\UpdatusUser\Local Settings\desktop.ini
2013-06-23 20:47 - 2008-04-24 01:21 - 00000062 __ASH C:\Documents and Settings\User one\Local Settings\desktop.ini
2013-06-23 20:47 - 2008-04-24 01:16 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2013-06-23 20:47 - 2008-04-24 01:16 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-23 20:47 - 2008-04-24 01:15 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2013-06-23 20:46 - 2010-10-30 10:41 - 01284069 ____A C:\Windows\System32\Drivers\kmxcfg.u2k1
2013-06-23 20:46 - 2010-10-30 10:41 - 00000373 ____A C:\Windows\System32\Drivers\kmxzone.u2k1
2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k7
2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k6
2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k5
2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k4
2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k3
2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k2
2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k0
2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k7
2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k6
2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k5
2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k4
2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k3
2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k2
2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k0
2013-06-23 20:46 - 2010-06-24 17:05 - 00977836 ____A C:\Windows\System32\Drivers\KmxAgent.asc
2013-06-23 20:46 - 2008-04-24 01:21 - 00000178 ___SH C:\Documents and Settings\User one\ntuser.ini
2013-06-23 20:46 - 2008-04-24 01:16 - 00032498 ____A C:\Windows\SchedLgU.Txt
2013-06-23 09:11 - 2013-06-23 09:11 - 00000000 ____D C:\Documents and Settings\User one\Application Data\Malwarebytes
2013-06-23 09:10 - 2013-06-23 09:10 - 00000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2013-06-22 10:35 - 2013-06-22 10:35 - 00000000 ____D C:\_OTL
2013-06-16 19:37 - 2008-10-06 21:20 - 00000000 ____D C:\Windows\Microsoft.NET
2013-06-16 19:15 - 2013-06-16 19:15 - 00001288 ____A C:\AdwCleaner[s2].txt
2013-06-16 19:14 - 2013-06-16 19:14 - 00001377 ____A C:\AdwCleaner[R1].txt
2013-06-16 19:05 - 2008-04-24 21:02 - 00582984 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-16 18:59 - 2013-06-16 18:59 - 00000000 __HDC C:\Windows\$NtUninstallKB2808679$
2013-06-16 18:59 - 2013-06-16 18:57 - 00009348 ____A C:\Windows\KB2808679.log
2013-06-16 18:59 - 2008-05-19 04:50 - 00246872 ____A C:\Windows\updspapi.log
2013-06-16 18:59 - 2008-04-24 21:02 - 02554192 ____A C:\Windows\FaxSetup.log
2013-06-16 18:59 - 2008-04-24 21:02 - 01228157 ____A C:\Windows\ocgen.log
2013-06-16 18:59 - 2008-04-24 21:02 - 00976928 ____A C:\Windows\tsoc.log
2013-06-16 18:59 - 2008-04-24 21:02 - 00847570 ____A C:\Windows\comsetup.log
2013-06-16 18:59 - 2008-04-24 21:02 - 00512700 ____A C:\Windows\ntdtcsetup.log
2013-06-16 18:59 - 2008-04-24 21:02 - 00402633 ____A C:\Windows\iis6.log
2013-06-16 18:59 - 2008-04-24 21:02 - 00139595 ____A C:\Windows\ocmsn.log
2013-06-16 18:59 - 2008-04-24 21:02 - 00127606 ____A C:\Windows\msgsocm.log
2013-06-16 18:59 - 2008-04-24 21:02 - 00001374 ____A C:\Windows\imsins.log
2013-06-16 18:59 - 2008-04-24 21:01 - 00346454 ____A C:\Windows\setupapi.log
2013-06-16 18:58 - 2013-06-16 18:57 - 00006684 ____A C:\Windows\KB2598845-IE8.log
2013-06-16 18:58 - 2011-06-30 21:02 - 00000000 ____D C:\Windows\ie8updates
2013-06-16 18:58 - 2008-04-24 21:02 - 00001374 ____A C:\Windows\imsins.BAK
2013-06-16 18:58 - 2008-04-24 01:31 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Microsoft Help
2013-06-16 18:57 - 2008-04-24 01:13 - 00000000 ____D C:\Windows\$hf_mig$
2013-06-16 18:48 - 2013-06-16 18:47 - 00003485 ____A C:\Windows\ie8Uninst.log
2013-06-16 14:18 - 2013-06-16 14:07 - 00000000 ____D C:\Qoobox
2013-06-16 14:17 - 2013-06-16 14:07 - 00000000 ____D C:\Windows\erdnt
2013-06-16 14:16 - 2006-02-28 08:00 - 00000227 ____A C:\Windows\system.ini
2013-06-16 10:58 - 2013-06-16 10:09 - 00000000 ____D C:\JRT
2013-06-16 10:09 - 2013-06-16 10:09 - 00000000 ____D C:\Windows\ERUNT
2013-06-16 10:05 - 2013-06-15 18:49 - 00000000 ____D C:\Windows\System32\Drivers\N360
2013-06-16 10:03 - 2013-05-05 13:45 - 00412106 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-725345543-1454471165-682003330-1004-0.dat
2013-06-16 10:03 - 2013-05-05 12:09 - 00207098 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2013-06-15 19:26 - 2013-06-15 18:50 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-06-15 19:05 - 2013-05-05 12:00 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Sonos,_Inc
2013-06-15 18:54 - 2013-05-05 12:00 - 00001700 ____A C:\Documents and Settings\All Users\Desktop\Sonos.lnk
2013-06-15 18:54 - 2013-05-05 12:00 - 00000000 ____D C:\Program Files\Sonos
2013-06-15 18:54 - 2013-05-05 11:59 - 00000000 ____D C:\Documents and Settings\User one\Local Settings\Application Data\Downloaded Installations
2013-06-15 18:51 - 2013-06-15 18:37 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2013-06-15 18:50 - 2013-06-15 18:50 - 00142496 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS
2013-06-15 18:50 - 2013-06-15 18:50 - 00007446 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT
2013-06-15 18:50 - 2013-06-15 18:50 - 00000000 ____D C:\Program Files\Symantec
2013-06-15 18:49 - 2013-06-15 18:49 - 00000000 ____D C:\Program Files\Norton Security Suite
2013-06-15 18:45 - 2013-06-15 18:45 - 00001736 ____A C:\Documents and Settings\User one\TmInstall.log
2013-06-15 18:44 - 2008-05-19 04:51 - 00000000 ___DC C:\Windows\$NtUninstallKB920213$
2013-06-15 18:41 - 2013-06-15 18:41 - 00004272 ____A C:\Windows\System32\TmInstall.log
2013-06-15 18:40 - 2011-07-04 09:55 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Trend Micro
2013-06-15 18:38 - 2013-06-15 18:38 - 00000000 ____D C:\Documents and Settings\User one\My Documents\Symantec
2013-06-15 18:37 - 2013-06-15 18:37 - 00000000 ____D C:\Documents and Settings\All Users\Documents\Norton
2013-06-15 18:23 - 2013-06-15 18:23 - 00000176 ____A C:\Documents and Settings\User one\Desktop\Malwarebytes#2 Desktop.txt
2013-06-15 15:52 - 2008-04-24 01:11 - 00000000 ____D C:\Windows\System32\Restore
2013-06-15 15:44 - 2013-06-15 15:44 - 00065536 ____A C:\Windows\Minidump\Mini061513-01.dmp
2013-06-15 15:44 - 2010-07-12 02:35 - 00000000 ____D C:\Windows\Minidump
2013-06-15 15:44 - 2008-04-24 20:54 - 380952576 ____A C:\Windows\MEMORY.DMP
2013-06-14 10:16 - 2013-06-14 10:16 - 00000000 __HDC C:\Windows\$NtUninstallKB2839229$
2013-06-14 10:16 - 2013-06-14 10:12 - 00013933 ____A C:\Windows\KB2839229.log
2013-06-14 10:14 - 2008-05-19 04:50 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-06-14 10:13 - 2013-06-14 10:13 - 00010954 ____A C:\Windows\KB2838727-IE8.log

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

Addition.txt
  11. Gringo- Rootkit found and repaired nothing (first posting). Everything works, still unable to select "Enable Malicious...". aswMBR.txt follows MBAM rootkit report. Thanks again!

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.06.24.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
User one :: NEW042408 [administrator]

6/24/2013 6:38:13 PM
mbar-log-2013-06-24 (18-38-13).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 257997
Time elapsed: 15 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

____________________________________________________________________________________________

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-06-24 19:01:35
-----------------------------
19:01:35.703 OS Version: Windows 5.1.2600 Service Pack 3
19:01:35.703 Number of processors: 2 586 0xF0D
19:01:35.703 ComputerName: NEW042408 UserName: User one
19:01:37.062 Initialize success
19:07:27.843 AVAST engine defs: 13062402
19:07:44.171 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
19:07:44.171 Disk 0 Vendor: Hitachi_HDS721616PLA380 P22OABEA Size: 152627MB BusType: 3
19:07:44.171 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-22
19:07:44.171 Disk 1 Vendor: Hitachi_HDT725025VLA380 V5DOA7EA Size: 238475MB BusType: 3
19:07:44.218 Disk 0 MBR read successfully
19:07:44.234 Disk 0 MBR scan
19:07:44.234 Disk 0 Windows XP default MBR code
19:07:44.234 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152617 MB offset 63
19:07:44.250 Disk 0 scanning sectors +312560640
19:07:44.265 Disk 0 scanning C:\WINDOWS\system32\drivers
19:07:55.109 Service scanning
19:08:10.250 Modules scanning
19:08:16.250 Disk 0 trace - called modules:
19:08:16.265 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
19:08:16.265 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a733ab8]
19:08:16.265 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000073[0x8a748268]
19:08:16.265 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x8a736b00]
19:08:16.875 AVAST engine scan C:\WINDOWS
19:08:31.906 AVAST engine scan C:\WINDOWS\system32
19:10:57.468 AVAST engine scan C:\WINDOWS\system32\drivers
19:11:13.312 AVAST engine scan C:\Documents and Settings\User one
19:17:41.156 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User one\Desktop\MBR.dat"
19:17:41.156 The log file has been saved successfully to "C:\Documents and Settings\User one\Desktop\aswMBR.txt"
19:20:36.234 AVAST engine scan C:\Documents and Settings\All Users
19:22:57.734 Scan finished successfully
19:23:12.671 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User one\Desktop\MBR.dat"
19:23:12.671 The log file has been saved successfully to "C:\Documents and Settings\User one\Desktop\aswMBR.txt"
  12. Gringo- Still cannot enable malicious website blocking. FSS text follows:

Farbar Service Scanner Version: 16-06-2013
Ran by User one (administrator) on 23-06-2013 at 20:51:08
Running from "C:\Documents and Settings\User one\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) SYMTDI(8) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****
  13. Gringo- FSS text follows:

Farbar Service Scanner Version: 16-06-2013
Ran by User one (administrator) on 23-06-2013 at 13:01:02
Running from "C:\Documents and Settings\User one\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) SYMTDI(8) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****
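The two Farbar Service Scanner reports in posts 12 and 13 carry the same two findings a responder would act on: the StandardProfile EnableFirewall policy value is 0, and BITS is stopped with its start type set to Demand instead of the default Auto, while every File Check hash verifies. Reading those out by eye across repeated reports is error-prone, so here is an added example, not code from the thread, from FSS or from Malwarebytes, of a small Python triage parser for the FSS report layout shown above ("Title:" over a row of "="). The sample report embedded in it is constructed from the posted lines and abridged; the "MD5 is not legit" line is an assumed wording added only to exercise the failing-hash branch, since the posted reports show no failing hash.

```python
"""Triage parser for Farbar Service Scanner (FSS) text reports.

Added example for this thread; not part of FSS or Malwarebytes.  It reads the
report layout shown in the thread and returns what a responder acts on: policy
values that disable a protection, services that are stopped or have a
non-default start type, and File Check lines whose hash did not verify.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, abridged from the report posted in the thread.  The
# afd.sys line uses an assumed wording, added only to exercise the failing-hash
# branch; the posted reports show every hash as legit.
SAMPLE_FSS = r"""Farbar Service Scanner Version: 16-06-2013
Ran by User one (administrator) on 23-06-2013 at 20:51:08
Boot Mode: Normal
****************************************************************

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

File Check:
========
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is not legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit

**** End of log ****
"""

RULE_RE = re.compile(r"^=+$")                      # the row of '=' under a title
REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(\w+):(\w+)$')
NOT_RUNNING_RE = re.compile(r"^(\S+) Service is not running\.")
START_TYPE_RE = re.compile(r"^The start type of (\S+) service is set to (\w+)\. "
                           r"The default start type is (\w+)\.$")
FILE_CHECK_RE = re.compile(r"^(.+?) => (.+)$")


@dataclass
class Findings:
    policies: list = field(default_factory=list)  # (registry key, value name, raw value)
    services: list = field(default_factory=list)  # (service, problem)
    files: list = field(default_factory=list)     # (path, verdict other than "MD5 is legit")

    def is_clean(self) -> bool:
        return not (self.policies or self.services or self.files)


def split_sections(report: str) -> dict:
    """Map each FSS section title to its non-blank body lines."""
    lines = report.splitlines()
    sections, title = {}, None
    for i, line in enumerate(lines):
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if line.endswith(":") and RULE_RE.match(nxt):
            title = line[:-1].strip()            # "Title:" followed by a rule starts a section
            sections[title] = []
        elif title and line.strip() and not RULE_RE.match(line.strip()):
            sections[title].append(line.rstrip())
    return sections


def triage(report: str) -> Findings:
    """Extract the actionable findings from one FSS report."""
    found = Findings()
    for title, body in split_sections(report).items():
        if title.endswith("Disabled Policy"):     # a key line, then its values
            key = None
            for line in body:
                if m := REG_KEY_RE.match(line):
                    key = m.group(1)
                elif (m := REG_VALUE_RE.match(line)) and key:
                    found.policies.append((key, m.group(1), m.group(3)))
        elif title == "File Check":               # anything but a clean MD5 is a finding
            for line in body:
                m = FILE_CHECK_RE.match(line)
                if m and m.group(2) != "MD5 is legit":
                    found.files.append((m.group(1), m.group(2)))
        else:                                     # service sections (Windows Update, ...)
            for line in body:
                if m := NOT_RUNNING_RE.match(line):
                    found.services.append((m.group(1), "not running"))
                elif (m := START_TYPE_RE.match(line)) and m.group(2) != m.group(3):
                    found.services.append(
                        (m.group(1), f"start type {m.group(2)}, default {m.group(3)}"))
    return found


def summarize(found: Findings) -> list:
    """One line per finding, in the order a responder would check them."""
    out = [f"policy {name}={value} in {key}" for key, name, value in found.policies]
    out += [f"service {svc}: {problem}" for svc, problem in found.services]
    out += [f"file {path}: {verdict}" for path, verdict in found.files]
    return out or ["no findings"]


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_FSS)):
        print(line)
```

Sections are identified purely by the "Title:" plus rule-of-"=" layout, so a new FSS section that follows the same layout lands in the generic service branch without code changes; the policy and File Check sections are the only ones with their own grammar. The raw DWORD value is kept as the string FSS printed rather than parsed as a number, because the report does not say whether it is decimal or hexadecimal.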
  14. Gringo- Done and still no ability to check the box to Enable malicious Website Blocking... -Jeff
  15. Good Morning Gringo- Script ran no problem. Still cannot enable malicious website blocking in MBAM - however, the IE search box dump to "Vafmusic7 Customized Web Search" is gone. I appreciate all the hard work on your end. OTL report follows:

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.2\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.5\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\MozillaPlugins\@adobe.com/FlashPlayer\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-725345543-1454471165-682003330-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0123B506-0AD9-43AA-B0CF-916C122AD4C5} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0123B506-0AD9-43AA-B0CF-916C122AD4C5}\ not found.
Registry value HKEY_USERS\S-1-5-21-725345543-1454471165-682003330-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{10134636-E7AF-4AC5-A1DC-C7C44BB97D81} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10134636-E7AF-4AC5-A1DC-C7C44BB97D81}\ not found.
Registry key HKEY_USERS\S-1-5-21-725345543-1454471165-682003330-1004\Software\Microsoft\Internet Explorer\SearchScopes\{20B42714-2AE1-4BCA-8F0C-27691DFCBF63}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20B42714-2AE1-4BCA-8F0C-27691DFCBF63}\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\User one\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\User one\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: Administrator
User: All Users
User: Default User
User: LocalService
User: NetworkService
User: UpdatusUser
User: User one
->Java cache emptied: 54081345 bytes

Total Java Files Cleaned = 52.00 mb

[EMPTYFLASH]

User: Administrator
User: All Users
User: Default User
User: LocalService
User: NetworkService
User: UpdatusUser
User: User one
->Flash cache emptied: 14028 bytes

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 06222013_103553