jaymac

Everything posted by jaymac

  1. Gringo- User Accounts in control panel does not function either by double clicking or right clicking and selecting open. In trying to add the user through the command prompt, it messages -"'net' is not recognized as an internal or external command, operable program or batch file." Getting an ax ready to put the pc out of its misery soon....
  2. Gringo- Downloaded latest combofix to laptop, used thumbnail to transfer to infected computer. Turned off MBAM and Norton shuts itself down every time I but due to aforementioned runtime error. Ran combofix, it said Norton AntiVirus was still running - with no way for me to stop it as the control panel will not open. So I uninstalled norton and continued with Combofix. During the run I continuously got the error "The Instruction at "0x5ff3cbc2" referred at memory "0x0029fe8". The memory could not be "read". Click ok to terminate program." The computer is still the same, MBAM will no longer open, no internet access and the error message above. Combofix log follows but is probably useless:
  3. gringo- As I said in my last statement- System Restore does not work. Either get a blank dialogue box or error message "The procedure entry point GetIUriPriv could not be located in the dynamic link library urlmon.dll."
  4. Gringo- SFC would not work. Claimed the disk I had in was not the right disk. Ran repair. Aforementioned error message kept preventing fix script from running properly. Now, in addition to previous problems, I no longer have internet access (no servers can be located for any bookmarked pages), Malwarebytes control panel will not open (runtime error), Norton shuts down (claims error report to Microsoft is sent when option chosen), and worst of all, System Restore will not run and it will not read my recovery disk.
  5. Gringo- Thanks! Ran repair. Have always had internet access, just getting that error message for all programs at computer startup, and again for each program as I open or close. Error message still continues. While running fix kept getting error message "cannot find 'netsh' ". Still cannot "enable ..." and when this last round of errors popped up, the "System Restore" could not restore to an earlier point. Did I just make your headache worse? Thanks again - Jeff
  6. Gringo- Did so. Said it was successful. Still got the same error, rebooted, error continues. - Jeff
  7. Gringo- Hitman found no entries. Clicking on next button did NOT take me to screen with "Export scan results to XML file" option. Clicking next again allowed me to save a log, but that was it. Wife apparently went into computer to delete the programs she thought she downloaded around the time the computer became infected (Taqgeditor and Fair CD Ripper). She saw CA firewall still in there and tried to uninstall that. As a result, computer started getting error messages and she tried to restore everything she uninstalled (what is there to not understand about "do not touch the computer until it is fixed" I do not understand)?! Now getting error message (apparently for all update checks): The Instruction at "0x5ff3cbc2" referred at memory "0x0029fe8". The memory could not be "read". Click ok to terminate program. This message is showing for: mbamgui.exe nwiz.exe OtTask.exe AdobeARM.exe ADSDaemon.exe Reader_s1.exe The Hitman pro was downloaded and run after all of this. The log is as follows:
  8. Gringo- Re-run of FRST.txt follows:
09:10 - 2013-06-23 09:10 - 00000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk 2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware 2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes 2013-06-23 09:10 - 2013-04-04 14:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys 2013-06-22 10:35 - 2013-06-22 10:35 - 00000000 ____D C:\_OTL 2013-06-21 18:57 - 2013-07-01 11:10 - 00000000 ____D C:\Documents and Settings\User one\Desktop\MBAM 06.2013 2013-06-16 19:15 - 2013-06-16 19:15 - 00001288 ____A C:\AdwCleaner[s2].txt 2013-06-16 19:14 - 2013-06-16 19:14 - 00001377 ____A C:\AdwCleaner[R1].txt 2013-06-16 18:59 - 2013-06-16 18:59 - 00000000 __HDC C:\Windows\$NtUninstallKB2808679$ 2013-06-16 18:57 - 2013-06-16 18:59 - 00009348 ____A C:\Windows\KB2808679.log 2013-06-16 18:57 - 2013-06-16 18:58 - 00006684 ____A C:\Windows\KB2598845-IE8.log 2013-06-16 18:47 - 2013-06-16 18:48 - 00003485 ____A C:\Windows\ie8Uninst.log 2013-06-16 14:07 - 2013-06-16 14:18 - 00000000 ____D C:\Qoobox 2013-06-16 14:07 - 2013-06-16 14:17 - 00000000 ____D C:\Windows\erdnt 2013-06-16 14:07 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe 2013-06-16 14:07 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe 2013-06-16 14:07 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe 2013-06-16 14:07 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe 2013-06-16 14:07 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe 2013-06-16 14:07 - 2000-08-30 20:00 - 00212480 ____A (SteelWerX) C:\Windows\SWXCACLS.exe 2013-06-16 14:07 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe 2013-06-16 14:07 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe 2013-06-16 14:07 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe 2013-06-16 10:09 - 2013-06-16 10:58 - 00000000 ____D C:\JRT 
2013-06-16 10:09 - 2013-06-16 10:09 - 00000000 ____D C:\Windows\ERUNT 2013-06-15 18:50 - 2013-06-15 19:26 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared 2013-06-15 18:50 - 2013-06-15 18:50 - 00142496 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS 2013-06-15 18:50 - 2013-06-15 18:50 - 00007446 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT 2013-06-15 18:50 - 2013-06-15 18:50 - 00000000 ____D C:\Program Files\Symantec 2013-06-15 18:49 - 2013-06-16 10:05 - 00000000 ____D C:\Windows\System32\Drivers\N360 2013-06-15 18:49 - 2013-06-15 18:49 - 00000000 ____D C:\Program Files\Norton Security Suite 2013-06-15 18:45 - 2013-06-15 18:45 - 00001736 ____A C:\Documents and Settings\User one\TmInstall.log 2013-06-15 18:41 - 2013-06-15 18:41 - 00004272 ____A C:\Windows\System32\TmInstall.log 2013-06-15 18:38 - 2013-06-15 18:38 - 00000000 ____D C:\Documents and Settings\User one\My Documents\Symantec 2013-06-15 18:37 - 2013-06-15 18:51 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton 2013-06-15 18:37 - 2013-06-15 18:37 - 00000000 ____D C:\Documents and Settings\All Users\Documents\Norton 2013-06-15 18:23 - 2013-06-15 18:23 - 00000176 ____A C:\Documents and Settings\User one\Desktop\Malwarebytes#2 Desktop.txt 2013-06-15 15:44 - 2013-06-15 15:44 - 00065536 ____A C:\Windows\Minidump\Mini061513-01.dmp 2013-06-14 10:16 - 2013-06-14 10:16 - 00000000 __HDC C:\Windows\$NtUninstallKB2839229$ 2013-06-14 10:13 - 2013-06-14 10:13 - 00010954 ____A C:\Windows\KB2838727-IE8.log 2013-06-14 10:12 - 2013-06-14 10:16 - 00013933 ____A C:\Windows\KB2839229.log ==================== One Month Modified Files and Folders ======== 2013-07-01 11:10 - 2013-07-01 11:10 - 00000634 ____A C:\Documents and Settings\User one\Desktop\Dir 7.1.13 A.txt 2013-07-01 11:10 - 2013-06-21 18:57 - 00000000 ____D C:\Documents and Settings\User one\Desktop\MBAM 06.2013 2013-07-01 10:11 - 2008-04-24 01:12 - 01924438 ____A C:\Windows\WindowsUpdate.log 2013-07-01 
07:31 - 2013-07-01 07:31 - 00000000 ____D C:\FRST 2013-07-01 07:30 - 2013-07-01 07:30 - 01372463 ____A (Farbar) C:\Documents and Settings\User one\Desktop\FRST.exe 2013-06-29 08:47 - 2010-02-04 21:38 - 00000284 ____A C:\Windows\Tasks\AppleSoftwareUpdate.job 2013-06-24 18:59 - 2006-02-28 08:00 - 00002422 ____A C:\Windows\System32\wpa.dbl 2013-06-24 18:53 - 2013-06-24 18:38 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable) 2013-06-24 18:36 - 2013-06-24 18:36 - 00035144 ____A C:\Windows\System32\Drivers\mbamchameleon.sys 2013-06-23 20:48 - 2008-04-24 21:04 - 00000159 ____A C:\Windows\wiadebug.log 2013-06-23 20:48 - 2008-04-24 21:04 - 00000049 ____A C:\Windows\wiaservc.log 2013-06-23 20:47 - 2011-07-28 19:10 - 00000062 __ASH C:\Documents and Settings\UpdatusUser\Local Settings\desktop.ini 2013-06-23 20:47 - 2008-04-24 01:21 - 00000062 __ASH C:\Documents and Settings\User one\Local Settings\desktop.ini 2013-06-23 20:47 - 2008-04-24 01:16 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini 2013-06-23 20:47 - 2008-04-24 01:16 - 00000006 ___AH C:\Windows\Tasks\SA.DAT 2013-06-23 20:47 - 2008-04-24 01:15 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini 2013-06-23 20:46 - 2010-10-30 10:41 - 01284069 ____A C:\Windows\System32\Drivers\kmxcfg.u2k1 2013-06-23 20:46 - 2010-10-30 10:41 - 00000373 ____A C:\Windows\System32\Drivers\kmxzone.u2k1 2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k7 2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k6 2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k5 2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k4 2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k3 2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A 
C:\Windows\System32\Drivers\kmxcfg.u2k2 2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k0 2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k7 2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k6 2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k5 2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k4 2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k3 2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k2 2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k0 2013-06-23 20:46 - 2010-06-24 17:05 - 00977836 ____A C:\Windows\System32\Drivers\KmxAgent.asc 2013-06-23 20:46 - 2008-04-24 01:21 - 00000178 ___SH C:\Documents and Settings\User one\ntuser.ini 2013-06-23 20:46 - 2008-04-24 01:16 - 00032498 ____A C:\Windows\SchedLgU.Txt 2013-06-23 09:11 - 2013-06-23 09:11 - 00000000 ____D C:\Documents and Settings\User one\Application Data\Malwarebytes 2013-06-23 09:10 - 2013-06-23 09:10 - 00000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk 2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware 2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes 2013-06-22 10:35 - 2013-06-22 10:35 - 00000000 ____D C:\_OTL 2013-06-16 19:37 - 2008-10-06 21:20 - 00000000 ____D C:\Windows\Microsoft.NET 2013-06-16 19:15 - 2013-06-16 19:15 - 00001288 ____A C:\AdwCleaner[s2].txt 2013-06-16 19:14 - 2013-06-16 19:14 - 00001377 ____A C:\AdwCleaner[R1].txt 2013-06-16 19:05 - 2008-04-24 21:02 - 00582984 ____A C:\Windows\System32\PerfStringBackup.INI 2013-06-16 18:59 - 2013-06-16 18:59 - 00000000 __HDC C:\Windows\$NtUninstallKB2808679$ 
2013-06-16 18:59 - 2013-06-16 18:57 - 00009348 ____A C:\Windows\KB2808679.log 2013-06-16 18:59 - 2008-05-19 04:50 - 00246872 ____A C:\Windows\updspapi.log 2013-06-16 18:59 - 2008-04-24 21:02 - 02554192 ____A C:\Windows\FaxSetup.log 2013-06-16 18:59 - 2008-04-24 21:02 - 01228157 ____A C:\Windows\ocgen.log 2013-06-16 18:59 - 2008-04-24 21:02 - 00976928 ____A C:\Windows\tsoc.log 2013-06-16 18:59 - 2008-04-24 21:02 - 00847570 ____A C:\Windows\comsetup.log 2013-06-16 18:59 - 2008-04-24 21:02 - 00512700 ____A C:\Windows\ntdtcsetup.log 2013-06-16 18:59 - 2008-04-24 21:02 - 00402633 ____A C:\Windows\iis6.log 2013-06-16 18:59 - 2008-04-24 21:02 - 00139595 ____A C:\Windows\ocmsn.log 2013-06-16 18:59 - 2008-04-24 21:02 - 00127606 ____A C:\Windows\msgsocm.log 2013-06-16 18:59 - 2008-04-24 21:02 - 00001374 ____A C:\Windows\imsins.log 2013-06-16 18:59 - 2008-04-24 21:01 - 00346454 ____A C:\Windows\setupapi.log 2013-06-16 18:58 - 2013-06-16 18:57 - 00006684 ____A C:\Windows\KB2598845-IE8.log 2013-06-16 18:58 - 2011-06-30 21:02 - 00000000 ____D C:\Windows\ie8updates 2013-06-16 18:58 - 2008-04-24 21:02 - 00001374 ____A C:\Windows\imsins.BAK 2013-06-16 18:58 - 2008-04-24 01:31 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Microsoft Help 2013-06-16 18:57 - 2008-04-24 01:13 - 00000000 ____D C:\Windows\$hf_mig$ 2013-06-16 18:48 - 2013-06-16 18:47 - 00003485 ____A C:\Windows\ie8Uninst.log 2013-06-16 14:18 - 2013-06-16 14:07 - 00000000 ____D C:\Qoobox 2013-06-16 14:17 - 2013-06-16 14:07 - 00000000 ____D C:\Windows\erdnt 2013-06-16 14:16 - 2006-02-28 08:00 - 00000227 ____A C:\Windows\system.ini 2013-06-16 10:58 - 2013-06-16 10:09 - 00000000 ____D C:\JRT 2013-06-16 10:09 - 2013-06-16 10:09 - 00000000 ____D C:\Windows\ERUNT 2013-06-16 10:05 - 2013-06-15 18:49 - 00000000 ____D C:\Windows\System32\Drivers\N360 2013-06-16 10:03 - 2013-05-05 13:45 - 00412106 ____A C:\Documents and Settings\LocalService\Local Settings\Application 
Data\WPFFontCache_v0400-S-1-5-21-725345543-1454471165-682003330-1004-0.dat 2013-06-16 10:03 - 2013-05-05 12:09 - 00207098 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat 2013-06-15 19:26 - 2013-06-15 18:50 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared 2013-06-15 19:05 - 2013-05-05 12:00 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Sonos,_Inc 2013-06-15 18:54 - 2013-05-05 12:00 - 00001700 ____A C:\Documents and Settings\All Users\Desktop\Sonos.lnk 2013-06-15 18:54 - 2013-05-05 12:00 - 00000000 ____D C:\Program Files\Sonos 2013-06-15 18:54 - 2013-05-05 11:59 - 00000000 ____D C:\Documents and Settings\User one\Local Settings\Application Data\Downloaded Installations 2013-06-15 18:51 - 2013-06-15 18:37 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton 2013-06-15 18:50 - 2013-06-15 18:50 - 00142496 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS 2013-06-15 18:50 - 2013-06-15 18:50 - 00007446 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT 2013-06-15 18:50 - 2013-06-15 18:50 - 00000000 ____D C:\Program Files\Symantec 2013-06-15 18:49 - 2013-06-15 18:49 - 00000000 ____D C:\Program Files\Norton Security Suite 2013-06-15 18:45 - 2013-06-15 18:45 - 00001736 ____A C:\Documents and Settings\User one\TmInstall.log 2013-06-15 18:44 - 2008-05-19 04:51 - 00000000 ___DC C:\Windows\$NtUninstallKB920213$ 2013-06-15 18:41 - 2013-06-15 18:41 - 00004272 ____A C:\Windows\System32\TmInstall.log 2013-06-15 18:40 - 2011-07-04 09:55 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Trend Micro 2013-06-15 18:38 - 2013-06-15 18:38 - 00000000 ____D C:\Documents and Settings\User one\My Documents\Symantec 2013-06-15 18:37 - 2013-06-15 18:37 - 00000000 ____D C:\Documents and Settings\All Users\Documents\Norton 2013-06-15 18:23 - 2013-06-15 18:23 - 00000176 ____A C:\Documents and Settings\User one\Desktop\Malwarebytes#2 Desktop.txt 
2013-06-15 15:52 - 2008-04-24 01:11 - 00000000 ____D C:\Windows\System32\Restore 2013-06-15 15:44 - 2013-06-15 15:44 - 00065536 ____A C:\Windows\Minidump\Mini061513-01.dmp 2013-06-15 15:44 - 2010-07-12 02:35 - 00000000 ____D C:\Windows\Minidump 2013-06-15 15:44 - 2008-04-24 20:54 - 380952576 ____A C:\Windows\MEMORY.DMP 2013-06-14 10:16 - 2013-06-14 10:16 - 00000000 __HDC C:\Windows\$NtUninstallKB2839229$ 2013-06-14 10:16 - 2013-06-14 10:12 - 00013933 ____A C:\Windows\KB2839229.log 2013-06-14 10:14 - 2008-05-19 04:50 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe 2013-06-14 10:13 - 2013-06-14 10:13 - 00010954 ____A C:\Windows\KB2838727-IE8.log ==================== Bamital & volsnap Check ================= C:\Windows\explorer.exe => MD5 is legit C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit ==================== End Of Log ============================
  9. Gringo - Fixlog.txt follows:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 01-07-2013 01
Ran by User one at 2013-07-01 11:11:01 Run:1
Running from C:\Documents and Settings\User one\Desktop
Boot Mode: Normal
==============================================

HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} => Key not found.
HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} => Key not found.

==== End of Fixlog ====
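Added example, not code from this thread, from the forum helpers, or from FRST itself: a small Python triage script for FRST-format text logs like the scan output and Fixlog posted in this thread. It pulls out the entries a log reader checks first (services and drivers whose image file is reported missing with "[x]" or that have no ImagePath, entries with an empty publisher field "()", and the registry lines FRST marks with "ATTENTION!"), then matches the CLSID fragments from the flagged lines against a Fixlog to see what the fix run reported for each key. The sample lines are copied from the logs in this thread; the names Finding, Triage, triage, summarize and fixlog_resolves are this example's own, and the "[x]" / "No ImagePath" / "ATTENTION!" conventions are read off the posted logs rather than taken from an FRST format specification.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) text logs.

Added example for this thread; it is not code from the forum helpers or from
FRST. It reads FRST-style scan output and collects what a log reader checks
first, then cross-checks flagged CLSID fragments against a Fixlog.
Names (Finding, Triage, triage, summarize, fixlog_resolves) are this example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Service/driver entry: "<state> <name>; <image and details>", e.g.
#   R2 MBAMService; C:\...\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
#   S3 catchme; \??\C:\DOCUME~1\...\Temp\catchme.sys [x]
#   S4 IntelIde; No ImagePath
SERVICE_RE = re.compile(r"^(?P<state>[RSU][0-4]) (?P<name>[^;]+);\s*(?P<rest>.*)$")
# Trailing "[size date] (Publisher)" detail on a service, driver or Run entry.
DETAIL_RE = re.compile(r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>[^)]*)\)\s*$")
# FRST abbreviates HKCR\CLSID\{...} keys to HKCR\...<last 12 hex digits>\ in the scan log.
SHORT_CLSID_RE = re.compile(r"HKCR\\\.\.\.([0-9a-fA-F]{12})\\")
# Full GUID as it appears in a Fixlog line.
CLSID_RE = re.compile(r"([0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})")


@dataclass
class Finding:
    kind: str   # attention | missing_image | no_imagepath | unknown_publisher
    line: str


@dataclass
class Triage:
    findings: list = field(default_factory=list)
    flagged_clsid_suffixes: set = field(default_factory=set)


def triage(log_text: str) -> Triage:
    """Walk an FRST scan log and collect the entries worth a second look."""
    out = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "ATTENTION!" in line:          # FRST's own heuristic flag
            out.findings.append(Finding("attention", line))
            m = SHORT_CLSID_RE.search(line)
            if m:
                out.flagged_clsid_suffixes.add(m.group(1).lower())
            continue
        if line.startswith(("HKLM\\", "HKCU\\", "HKU\\")) and line.endswith("[x]"):
            out.findings.append(Finding("missing_image", line))  # Run entry whose file is gone
            continue
        m = SERVICE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        if rest in ("", "No ImagePath"):
            out.findings.append(Finding("no_imagepath", line))
        elif rest.endswith("[x]"):
            out.findings.append(Finding("missing_image", line))
        else:
            d = DETAIL_RE.search(rest)
            if d is not None and d.group("company").strip() == "":
                out.findings.append(Finding("unknown_publisher", line))
    return out


def summarize(t: Triage) -> dict:
    """Count findings per kind."""
    return dict(Counter(f.kind for f in t.findings))


def fixlog_resolves(fixlog_text: str, suffixes) -> dict:
    """Map each flagged CLSID suffix to the Fixlog verdict after '=>' (None if the key never appears)."""
    verdicts = {s: None for s in suffixes}
    for line in fixlog_text.splitlines():
        m = CLSID_RE.search(line)
        if m is None or "=>" not in line:
            continue
        suffix = m.group(1).lower()[-12:]
        if suffix in verdicts:
            verdicts[suffix] = line.split("=>", 1)[1].strip()
    return verdicts


# Constructed sample input: lines copied from the FRST scan and Fixlog posted in this thread.
SAMPLE_FRST = r"""
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login [x]
HKCR\...0c966feabec1\InprocServer32: [Default-shell32] %SystemRoot%\system32\shdocvw.dll ATTENTION! ====> ZeroAccess?
HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] %SystemRoot%\system32\SHELL32.dll ATTENTION! ====> ZeroAccess?
========================== Services (Whitelisted) =================
R2 lxcz_device; C:\WINDOWS\system32\lxczcoms.exe [537520 2007-02-08] ( )
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [177704 2007-06-05] ()
S3 AppMgmt; %SystemRoot%\System32\appmgmts.dll [x]
==================== Drivers (Whitelisted) ====================
R3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [35144 2013-06-24] ()
S3 catchme; \??\C:\DOCUME~1\USERON~1\LOCALS~1\Temp\catchme.sys [x]
S4 IntelIde; No ImagePath
S2 MCSTRM; No ImagePath
U3 TlntSvr; 
"""
SAMPLE_FIXLOG = r"""
HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} => Key not found.
HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} => Key not found.
"""

if __name__ == "__main__":
    t = triage(SAMPLE_FRST)
    for f in t.findings:
        print(f"{f.kind:18} {f.line}")
    print(summarize(t))
    print(fixlog_resolves(SAMPLE_FIXLOG, t.flagged_clsid_suffixes))
```

Run as-is it prints the flagged lines from the sample, a per-kind count, and "Key not found." for both CLSID fragments, which is what the posted Fixlog reports; a "Key deleted" verdict, or a None for a fragment the Fixlog never mentions, would be the signal to look again. Publisher and "[x]" checks are only a first pass: a missing file under an S-state entry is often a leftover from an uninstalled tool (catchme, aswMBR), so the finding says where to look, not that the entry is malicious.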
  10. Gringo - thanks again. FRST below and Addition attached:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 01-07-2013 01
Ran by User one (administrator) on 01-07-2013 07:31:40
Running from C:\Documents and Settings\User one\Desktop
Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(CA) C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
(CA) C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
(CA) C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
(CA) C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
(Acronis) C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
(Acronis) C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
(Acronis) C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
(Lexmark International, Inc.) C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
(Lexmark International, Inc.) C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Acronis) C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
( ) C:\WINDOWS\system32\lxczcoms.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
(Symantec Corporation) C:\Program Files\Norton Security Suite\Engine\20.3.1.22\ccSvcHst.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
() C:\WINDOWS\system32\PSIService.exe
(Symantec Corporation) C:\Program Files\Norton Security Suite\Engine\20.3.1.22\ccSvcHst.exe
(Protexis Inc.) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Secunia) C:\Program Files\Secunia\PSI\sua.exe
() C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jucheck.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [2595480 2007-09-07] (Acronis)
HKLM\...\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe [905056 2007-09-07] (Acronis)
HKLM\...\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [140568 2007-09-07] (Acronis)
HKLM\...\Run: [intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [1532760 2011-06-15] (Intuit Inc. All rights reserved.)
HKLM\...\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [74672 2007-02-08] (Lexmark International, Inc.)
HKLM\...\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s [295856 2007-02-08] ()
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [13895272 2011-05-21] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login [x]
HKLM\...\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet [1632360 2011-05-05] ()
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [253816 2013-03-12] (Oracle Corporation)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-01-28] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152392 2013-02-20] (Apple Inc.)
HKLM\...\RunOnce: [A0] cmd /c "C:\Documents and Settings\User one\Desktop\MBAM 06.2013\mbar-1.06.0.1004\mbar\mbar.exe" /r /s [769096 2013-06-01] (Malwarebytes Corporation)
Winlogon\Notify\PFW: UmxWnp.Dll (CA)
HKCR\...0c966feabec1\InprocServer32: [Default-shell32] %SystemRoot%\system32\shdocvw.dll ATTENTION! ====> ZeroAccess?
HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] %SystemRoot%\system32\SHELL32.dll ATTENTION! ====> ZeroAccess?

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\coIEPlg.dll (Symantec Corporation)
BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\coIEPlg.dll (Symantec Corporation)
Toolbar: HKCU -Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\coIEPlg.dll (Symantec Corporation)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler: ipp - No CLSID Value - 
Handler: msdaipp - No CLSID Value - 
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/JavaPlugin,version=10.21.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=14.0.8117.0416 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @RIM.com/WebSLLauncher,version=1.0 - C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: No Name - C:\Documents and Settings\User one\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
FF Extension: LogMeIn, Inc. Remote Access Plugin - C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\Extensions\LogMeInClient@logmein.com
FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF Extension: Default - C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\IPSFFPlgn\
FF Extension: Norton Vulnerability Protection - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\IPSFFPlgn\
FF HKLM\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\coFFPlgn\
FF Extension: Norton Toolbar - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\coFFPlgn\

========================== Services (Whitelisted) =================

R2 AcrSch2Svc; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [427288 2007-09-07] (Acronis)
R2 lxcz_device; C:\WINDOWS\system32\lxczcoms.exe [537520 2007-02-08] ( )
R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 N360; C:\Program Files\Norton Security Suite\Engine\20.3.1.22\diMaster.dll [554288 2013-03-29] (Symantec Corporation)
R2 nvUpdatusService; C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2214504 2011-05-21] (NVIDIA Corporation)
R2 ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [177704 2007-06-05] ()
S3 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [1328736 2012-09-24] (Secunia)
R2 Secunia Update Agent; C:\Program Files\Secunia\PSI\sua.exe [656480 2012-09-24] (Secunia)
R2 TryAndDecideService; C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [492600 2007-09-07] ()
R2 UmxAgent; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [887288 2009-08-04] (CA)
R2 UmxCfg; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [740160 2010-08-24] (CA)
R2 UmxFwHlp; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe [150008 2009-07-31] (CA)
R2 UmxPol; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe [301648 2010-09-17] (CA)
S3 AppMgmt; %SystemRoot%\System32\appmgmts.dll [x]
S3 CaCCProvSP; "C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe" [x]
S2 ccSchedulerSVC; C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe [x]
S4 HidServ; %SystemRoot%\System32\hidserv.dll [x]
R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf" [x]

==================== Drivers (Whitelisted) ====================

R1 BHDrvx86; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130620.001\BHDrvx86.sys [1002072 2013-05-31] (Symantec Corporation)
R1 ccSet_N360; C:\Windows\system32\drivers\N360\1403010.016\ccSetx86.sys [134304 2012-11-15] (Symantec Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2013-06-15] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2013-06-15] (Symantec Corporation)
R3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-13] (Windows ® Server 2003 DDK provider)
R3 IDSxpx86; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130628.001\IDSxpx86.sys [373728 2013-06-14] (Symantec Corporation)
R1 KmxAgent; C:\Windows\System32\DRIVERS\kmxagent.sys [79864 2010-03-22] (CA)
R2 KmxCF; C:\Windows\System32\DRIVERS\KmxCF.sys [146000 2010-09-24] (CA)
R3 KmxCfg; C:\Windows\System32\DRIVERS\kmxcfg.sys [244304 2010-06-09] (CA)
R1 KmxFile; C:\Windows\System32\DRIVERS\KmxFile.sys [61008 2010-09-24] (CA)
R1 KmxFw; C:\Windows\System32\DRIVERS\kmxfw.sys [115792 2010-09-24] (CA)
R2 KmxSbx; C:\Windows\System32\DRIVERS\KmxSbx.sys [61008 2010-09-24] (CA)
R0 KmxStart; C:\Windows\System32\DRIVERS\kmxstart.sys [108112 2010-05-03] (CA)
R3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [35144 2013-06-24] ()
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
R3 NAVENG; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130630.003\NAVENG.SYS [93272 2013-06-15] (Symantec Corporation)
R3 NAVEX15; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130630.003\NAVEX15.SYS [1611992 2013-06-15] (Symantec Corporation)
S3 PSI; C:\Windows\System32\DRIVERS\psi_mf.sys [15544 2011-12-16] (Secunia)
S3 sfng32; C:\Windows\System32\drivers\sfng32.sys [41728 2005-12-02] (Sonic Focus, Inc)
S3 SONYPVU1; C:\Windows\System32\DRIVERS\SONYPVU1.SYS [7552 2001-08-17] (Sony Corporation)
R3 SRTSP; C:\Windows\System32\Drivers\N360\1403010.016\SRTSP.SYS [602712 2013-01-28] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\N360\1403010.016\SRTSPX.SYS [32344 2013-01-28] (Symantec Corporation)
R3 STHDA; C:\Windows\System32\drivers\sthda.sys [1271032 2008-04-10] (IDT, Inc.)
R0 SymDS; C:\Windows\System32\drivers\N360\1403010.016\SYMDS.SYS [367704 2013-01-21] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\N360\1403010.016\SYMEFA.SYS [934488 2013-01-30] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [142496 2013-06-15] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\N360\1403010.016\Ironx86.SYS [175264 2012-07-27] (Symantec Corporation)
R1 SYMTDI; C:\Windows\System32\Drivers\N360\1403010.016\SYMTDI.SYS [394656 2012-07-22] (Symantec Corporation)
R0 tdrpman; C:\Windows\System32\DRIVERS\tdrpman.sys [368736 2008-11-06] (Acronis)
R2 tifsfilter; C:\Windows\System32\DRIVERS\tifsfilt.sys [44384 2008-11-06] (Acronis)
S3 catchme; \??\C:\DOCUME~1\USERON~1\LOCALS~1\Temp\catchme.sys [x]
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
S4 IntelIde; No ImagePath
S3 lmimirr; system32\DRIVERS\lmimirr.sys [x]
S2 MCSTRM; No ImagePath
U3 TlntSvr; 
U3 aswMBR; \??\C:\DOCUME~1\USERON~1\LOCALS~1\Temp\aswMBR.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-07-01 07:31 - 2013-07-01 07:31 - 00000000 ____D C:\FRST
2013-07-01 07:30 - 2013-07-01 07:30 - 01372463 ____A (Farbar) C:\Documents and Settings\User one\Desktop\FRST.exe
2013-06-24 18:38 - 2013-06-24 18:53 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-06-24 18:36 - 2013-06-24 18:36 - 00035144 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
2013-06-23 09:11 - 2013-06-23 09:11 - 00000000 ____D C:\Documents and Settings\User one\Application Data\Malwarebytes
2013-06-23 09:10 - 2013-06-23 09:10 - 00000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2013-06-23 09:10 - 2013-04-04 14:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-06-22 10:35 - 2013-06-22 10:35 - 00000000 ____D C:\_OTL
2013-06-21 18:57 - 2013-07-01 07:31 - 00000000 ____D C:\Documents and Settings\User one\Desktop\MBAM 06.2013
2013-06-16 19:15 - 2013-06-16 19:15 - 00001288 ____A C:\AdwCleaner[s2].txt
2013-06-16 19:14 - 2013-06-16 19:14 - 00001377 ____A C:\AdwCleaner[R1].txt
2013-06-16 18:59 - 2013-06-16 18:59 - 00000000 __HDC C:\Windows\$NtUninstallKB2808679$
2013-06-16 18:57 - 2013-06-16 18:59 - 00009348 ____A C:\Windows\KB2808679.log
2013-06-16 18:57 - 2013-06-16 18:58 - 00006684 ____A C:\Windows\KB2598845-IE8.log
2013-06-16 18:47 - 2013-06-16 18:48 - 00003485 ____A C:\Windows\ie8Uninst.log
2013-06-16 14:07 - 2013-06-16 14:18 - 00000000 ____D C:\Qoobox
2013-06-16 14:07 - 2013-06-16 14:17 - 00000000 ____D C:\Windows\erdnt
2013-06-16 14:07 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe
2013-06-16 14:07 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe
2013-06-16 14:07 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00212480 ____A (SteelWerX) C:\Windows\SWXCACLS.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe
2013-06-16 10:09 - 2013-06-16 10:58 - 00000000 ____D C:\JRT
2013-06-16 10:09 - 2013-06-16 10:09 - 00000000 ____D C:\Windows\ERUNT
2013-06-15 18:50 - 2013-06-15 19:26 - 00000000 ____D 
C:\Program Files\Common Files\Symantec Shared 2013-06-15 18:50 - 2013-06-15 18:50 - 00142496 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS 2013-06-15 18:50 - 2013-06-15 18:50 - 00007446 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT 2013-06-15 18:50 - 2013-06-15 18:50 - 00000000 ____D C:\Program Files\Symantec 2013-06-15 18:49 - 2013-06-16 10:05 - 00000000 ____D C:\Windows\System32\Drivers\N360 2013-06-15 18:49 - 2013-06-15 18:49 - 00000000 ____D C:\Program Files\Norton Security Suite 2013-06-15 18:45 - 2013-06-15 18:45 - 00001736 ____A C:\Documents and Settings\User one\TmInstall.log 2013-06-15 18:41 - 2013-06-15 18:41 - 00004272 ____A C:\Windows\System32\TmInstall.log 2013-06-15 18:38 - 2013-06-15 18:38 - 00000000 ____D C:\Documents and Settings\User one\My Documents\Symantec 2013-06-15 18:37 - 2013-06-15 18:51 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton 2013-06-15 18:37 - 2013-06-15 18:37 - 00000000 ____D C:\Documents and Settings\All Users\Documents\Norton 2013-06-15 18:23 - 2013-06-15 18:23 - 00000176 ____A C:\Documents and Settings\User one\Desktop\Malwarebytes#2 Desktop.txt 2013-06-15 15:44 - 2013-06-15 15:44 - 00065536 ____A C:\Windows\Minidump\Mini061513-01.dmp 2013-06-14 10:16 - 2013-06-14 10:16 - 00000000 __HDC C:\Windows\$NtUninstallKB2839229$ 2013-06-14 10:13 - 2013-06-14 10:13 - 00010954 ____A C:\Windows\KB2838727-IE8.log 2013-06-14 10:12 - 2013-06-14 10:16 - 00013933 ____A C:\Windows\KB2839229.log ==================== One Month Modified Files and Folders ======== 2013-07-01 07:31 - 2013-07-01 07:31 - 00000000 ____D C:\FRST 2013-07-01 07:31 - 2013-06-21 18:57 - 00000000 ____D C:\Documents and Settings\User one\Desktop\MBAM 06.2013 2013-07-01 07:30 - 2013-07-01 07:30 - 01372463 ____A (Farbar) C:\Documents and Settings\User one\Desktop\FRST.exe 2013-06-30 13:16 - 2008-04-24 01:12 - 01914330 ____A C:\Windows\WindowsUpdate.log 2013-06-29 08:47 - 2010-02-04 21:38 - 00000284 ____A 
C:\Windows\Tasks\AppleSoftwareUpdate.job 2013-06-24 18:59 - 2006-02-28 08:00 - 00002422 ____A C:\Windows\System32\wpa.dbl 2013-06-24 18:53 - 2013-06-24 18:38 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable) 2013-06-24 18:36 - 2013-06-24 18:36 - 00035144 ____A C:\Windows\System32\Drivers\mbamchameleon.sys 2013-06-23 20:48 - 2008-04-24 21:04 - 00000159 ____A C:\Windows\wiadebug.log 2013-06-23 20:48 - 2008-04-24 21:04 - 00000049 ____A C:\Windows\wiaservc.log 2013-06-23 20:47 - 2011-07-28 19:10 - 00000062 __ASH C:\Documents and Settings\UpdatusUser\Local Settings\desktop.ini 2013-06-23 20:47 - 2008-04-24 01:21 - 00000062 __ASH C:\Documents and Settings\User one\Local Settings\desktop.ini 2013-06-23 20:47 - 2008-04-24 01:16 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini 2013-06-23 20:47 - 2008-04-24 01:16 - 00000006 ___AH C:\Windows\Tasks\SA.DAT 2013-06-23 20:47 - 2008-04-24 01:15 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini 2013-06-23 20:46 - 2010-10-30 10:41 - 01284069 ____A C:\Windows\System32\Drivers\kmxcfg.u2k1 2013-06-23 20:46 - 2010-10-30 10:41 - 00000373 ____A C:\Windows\System32\Drivers\kmxzone.u2k1 2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k7 2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k6 2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k5 2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k4 2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k3 2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k2 2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k0 2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A 
C:\Windows\System32\Drivers\kmxzone.u2k7 2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k6 2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k5 2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k4 2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k3 2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k2 2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k0 2013-06-23 20:46 - 2010-06-24 17:05 - 00977836 ____A C:\Windows\System32\Drivers\KmxAgent.asc 2013-06-23 20:46 - 2008-04-24 01:21 - 00000178 ___SH C:\Documents and Settings\User one\ntuser.ini 2013-06-23 20:46 - 2008-04-24 01:16 - 00032498 ____A C:\Windows\SchedLgU.Txt 2013-06-23 09:11 - 2013-06-23 09:11 - 00000000 ____D C:\Documents and Settings\User one\Application Data\Malwarebytes 2013-06-23 09:10 - 2013-06-23 09:10 - 00000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk 2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware 2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes 2013-06-22 10:35 - 2013-06-22 10:35 - 00000000 ____D C:\_OTL 2013-06-16 19:37 - 2008-10-06 21:20 - 00000000 ____D C:\Windows\Microsoft.NET 2013-06-16 19:15 - 2013-06-16 19:15 - 00001288 ____A C:\AdwCleaner[s2].txt 2013-06-16 19:14 - 2013-06-16 19:14 - 00001377 ____A C:\AdwCleaner[R1].txt 2013-06-16 19:05 - 2008-04-24 21:02 - 00582984 ____A C:\Windows\System32\PerfStringBackup.INI 2013-06-16 18:59 - 2013-06-16 18:59 - 00000000 __HDC C:\Windows\$NtUninstallKB2808679$ 2013-06-16 18:59 - 2013-06-16 18:57 - 00009348 ____A C:\Windows\KB2808679.log 2013-06-16 18:59 - 2008-05-19 04:50 - 00246872 ____A C:\Windows\updspapi.log 2013-06-16 18:59 - 2008-04-24 21:02 - 
02554192 ____A C:\Windows\FaxSetup.log 2013-06-16 18:59 - 2008-04-24 21:02 - 01228157 ____A C:\Windows\ocgen.log 2013-06-16 18:59 - 2008-04-24 21:02 - 00976928 ____A C:\Windows\tsoc.log 2013-06-16 18:59 - 2008-04-24 21:02 - 00847570 ____A C:\Windows\comsetup.log 2013-06-16 18:59 - 2008-04-24 21:02 - 00512700 ____A C:\Windows\ntdtcsetup.log 2013-06-16 18:59 - 2008-04-24 21:02 - 00402633 ____A C:\Windows\iis6.log 2013-06-16 18:59 - 2008-04-24 21:02 - 00139595 ____A C:\Windows\ocmsn.log 2013-06-16 18:59 - 2008-04-24 21:02 - 00127606 ____A C:\Windows\msgsocm.log 2013-06-16 18:59 - 2008-04-24 21:02 - 00001374 ____A C:\Windows\imsins.log 2013-06-16 18:59 - 2008-04-24 21:01 - 00346454 ____A C:\Windows\setupapi.log 2013-06-16 18:58 - 2013-06-16 18:57 - 00006684 ____A C:\Windows\KB2598845-IE8.log 2013-06-16 18:58 - 2011-06-30 21:02 - 00000000 ____D C:\Windows\ie8updates 2013-06-16 18:58 - 2008-04-24 21:02 - 00001374 ____A C:\Windows\imsins.BAK 2013-06-16 18:58 - 2008-04-24 01:31 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Microsoft Help 2013-06-16 18:57 - 2008-04-24 01:13 - 00000000 ____D C:\Windows\$hf_mig$ 2013-06-16 18:48 - 2013-06-16 18:47 - 00003485 ____A C:\Windows\ie8Uninst.log 2013-06-16 14:18 - 2013-06-16 14:07 - 00000000 ____D C:\Qoobox 2013-06-16 14:17 - 2013-06-16 14:07 - 00000000 ____D C:\Windows\erdnt 2013-06-16 14:16 - 2006-02-28 08:00 - 00000227 ____A C:\Windows\system.ini 2013-06-16 10:58 - 2013-06-16 10:09 - 00000000 ____D C:\JRT 2013-06-16 10:09 - 2013-06-16 10:09 - 00000000 ____D C:\Windows\ERUNT 2013-06-16 10:05 - 2013-06-15 18:49 - 00000000 ____D C:\Windows\System32\Drivers\N360 2013-06-16 10:03 - 2013-05-05 13:45 - 00412106 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-725345543-1454471165-682003330-1004-0.dat 2013-06-16 10:03 - 2013-05-05 12:09 - 00207098 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat 
2013-06-15 19:26 - 2013-06-15 18:50 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared 2013-06-15 19:05 - 2013-05-05 12:00 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Sonos,_Inc 2013-06-15 18:54 - 2013-05-05 12:00 - 00001700 ____A C:\Documents and Settings\All Users\Desktop\Sonos.lnk 2013-06-15 18:54 - 2013-05-05 12:00 - 00000000 ____D C:\Program Files\Sonos 2013-06-15 18:54 - 2013-05-05 11:59 - 00000000 ____D C:\Documents and Settings\User one\Local Settings\Application Data\Downloaded Installations 2013-06-15 18:51 - 2013-06-15 18:37 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton 2013-06-15 18:50 - 2013-06-15 18:50 - 00142496 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS 2013-06-15 18:50 - 2013-06-15 18:50 - 00007446 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT 2013-06-15 18:50 - 2013-06-15 18:50 - 00000000 ____D C:\Program Files\Symantec 2013-06-15 18:49 - 2013-06-15 18:49 - 00000000 ____D C:\Program Files\Norton Security Suite 2013-06-15 18:45 - 2013-06-15 18:45 - 00001736 ____A C:\Documents and Settings\User one\TmInstall.log 2013-06-15 18:44 - 2008-05-19 04:51 - 00000000 ___DC C:\Windows\$NtUninstallKB920213$ 2013-06-15 18:41 - 2013-06-15 18:41 - 00004272 ____A C:\Windows\System32\TmInstall.log 2013-06-15 18:40 - 2011-07-04 09:55 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Trend Micro 2013-06-15 18:38 - 2013-06-15 18:38 - 00000000 ____D C:\Documents and Settings\User one\My Documents\Symantec 2013-06-15 18:37 - 2013-06-15 18:37 - 00000000 ____D C:\Documents and Settings\All Users\Documents\Norton 2013-06-15 18:23 - 2013-06-15 18:23 - 00000176 ____A C:\Documents and Settings\User one\Desktop\Malwarebytes#2 Desktop.txt 2013-06-15 15:52 - 2008-04-24 01:11 - 00000000 ____D C:\Windows\System32\Restore 2013-06-15 15:44 - 2013-06-15 15:44 - 00065536 ____A C:\Windows\Minidump\Mini061513-01.dmp 2013-06-15 15:44 - 2010-07-12 02:35 - 00000000 ____D 
C:\Windows\Minidump
2013-06-15 15:44 - 2008-04-24 20:54 - 380952576 ____A C:\Windows\MEMORY.DMP
2013-06-14 10:16 - 2013-06-14 10:16 - 00000000 __HDC C:\Windows\$NtUninstallKB2839229$
2013-06-14 10:16 - 2013-06-14 10:12 - 00013933 ____A C:\Windows\KB2839229.log
2013-06-14 10:14 - 2008-05-19 04:50 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-06-14 10:13 - 2013-06-14 10:13 - 00010954 ____A C:\Windows\KB2838727-IE8.log

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

Addition.txt
  11. Gringo- Rootkit found and repaired nothing (first posting). Everything works, still unable to select "Enable Malicious...". aswMBR.txt follows MBAM rootkit report. Thanks again!

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.06.24.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
User one :: NEW042408 [administrator]

6/24/2013 6:38:13 PM
mbar-log-2013-06-24 (18-38-13).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 257997
Time elapsed: 15 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

____________________________________________________________________________________________

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-06-24 19:01:35
-----------------------------
19:01:35.703 OS Version: Windows 5.1.2600 Service Pack 3
19:01:35.703 Number of processors: 2 586 0xF0D
19:01:35.703 ComputerName: NEW042408 UserName: User one
19:01:37.062 Initialize success
19:07:27.843 AVAST engine defs: 13062402
19:07:44.171 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
19:07:44.171 Disk 0 Vendor: Hitachi_HDS721616PLA380 P22OABEA Size: 152627MB BusType: 3
19:07:44.171 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-22
19:07:44.171 Disk 1 Vendor: Hitachi_HDT725025VLA380 V5DOA7EA Size: 238475MB BusType: 3
19:07:44.218 Disk 0 MBR read successfully
19:07:44.234 Disk 0 MBR scan
19:07:44.234 Disk 0 Windows XP default MBR code
19:07:44.234 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152617 MB offset 63
19:07:44.250 Disk 0 scanning sectors +312560640
19:07:44.265 Disk 0 scanning C:\WINDOWS\system32\drivers
19:07:55.109 Service scanning
19:08:10.250 Modules scanning
19:08:16.250 Disk 0 trace - called modules:
19:08:16.265 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
19:08:16.265 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a733ab8]
19:08:16.265 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000073[0x8a748268]
19:08:16.265 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x8a736b00]
19:08:16.875 AVAST engine scan C:\WINDOWS
19:08:31.906 AVAST engine scan C:\WINDOWS\system32
19:10:57.468 AVAST engine scan C:\WINDOWS\system32\drivers
19:11:13.312 AVAST engine scan C:\Documents and Settings\User one
19:17:41.156 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User one\Desktop\MBR.dat"
19:17:41.156 The log file has been saved successfully to "C:\Documents and Settings\User one\Desktop\aswMBR.txt"
19:20:36.234 AVAST engine scan C:\Documents and Settings\All Users
19:22:57.734 Scan finished successfully
19:23:12.671 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User one\Desktop\MBR.dat"
19:23:12.671 The log file has been saved successfully to "C:\Documents and Settings\User one\Desktop\aswMBR.txt"
  12. Gringo- Still cannot enable malicious website blocking. FSS text follows:

Farbar Service Scanner Version: 16-06-2013
Ran by User one (administrator) on 23-06-2013 at 20:51:08
Running from "C:\Documents and Settings\User one\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) SYMTDI(8) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****
  13. Gringo- FSS text follows:

Farbar Service Scanner Version: 16-06-2013
Ran by User one (administrator) on 23-06-2013 at 13:01:02
Running from "C:\Documents and Settings\User one\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) SYMTDI(8) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****
  14. Gringo- Done and still no ability to check the box to Enable malicious Website Blocking...

-Jeff
  15. Good Morning Gringo- Script ran no problem. Still cannot enable malicious website blocking in MBAM - however, the IE search box dump to "Vafmusic7 Customized Web Search" is gone. I appreciate all the hard work on your end. OTL report follows:

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.2\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.5\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\MozillaPlugins\@adobe.com/FlashPlayer\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-725345543-1454471165-682003330-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0123B506-0AD9-43AA-B0CF-916C122AD4C5} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0123B506-0AD9-43AA-B0CF-916C122AD4C5}\ not found.
Registry value HKEY_USERS\S-1-5-21-725345543-1454471165-682003330-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{10134636-E7AF-4AC5-A1DC-C7C44BB97D81} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10134636-E7AF-4AC5-A1DC-C7C44BB97D81}\ not found.
Registry key HKEY_USERS\S-1-5-21-725345543-1454471165-682003330-1004\Software\Microsoft\Internet Explorer\SearchScopes\{20B42714-2AE1-4BCA-8F0C-27691DFCBF63}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20B42714-2AE1-4BCA-8F0C-27691DFCBF63}\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\User one\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\User one\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: Administrator
User: All Users
User: Default User
User: LocalService
User: NetworkService
User: UpdatusUser
User: User one
->Java cache emptied: 54081345 bytes

Total Java Files Cleaned = 52.00 mb

[EMPTYFLASH]

User: Administrator
User: All Users
User: Default User
User: LocalService
User: NetworkService
User: UpdatusUser
User: User one
->Flash cache emptied: 14028 bytes

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 06222013_103553
  16. Hey Gringo- OTL.txt output follows: OTL logfile created on: 6/21/2013 7:02:32 PM - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\User one\Desktop Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 2.00 Gb Total Physical Memory | 1.14 Gb Available Physical Memory | 57.20% Memory free 3.84 Gb Paging File | 3.19 Gb Available in Paging File | 82.95% Paging File free Paging file location(s): C:\pagefile.sys 2046 4092 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 149.04 Gb Total Space | 112.99 Gb Free Space | 75.81% Space Free | Partition Type: NTFS Drive F: | 232.88 Gb Total Space | 188.06 Gb Free Space | 80.75% Space Free | Partition Type: NTFS Computer Name: NEW042408 | User Name: User one | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - C:\Documents and Settings\User one\Desktop\OTL.exe (OldTimer Tools) PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation) PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation) PRC - C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation) PRC - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\ccsvchst.exe (Symantec Corporation) PRC - C:\Program Files\Secunia\PSI\sua.exe (Secunia) PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit) PRC - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation) PRC - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe (CA) PRC - 
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe (CA) PRC - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe (CA) PRC - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe (CA) PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation) PRC - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe () PRC - C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis) PRC - C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis) PRC - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis) PRC - C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis) PRC - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.) PRC - C:\WINDOWS\system32\PSIService.exe () PRC - C:\Program Files\Lexmark 1200 Series\LXCZbmgr.exe (Lexmark International, Inc.) PRC - C:\Program Files\Lexmark 1200 Series\LXCZbmon.exe (Lexmark International, Inc.) PRC - C:\WINDOWS\system32\lxczcoms.exe ( ) ========== Modules (No Company Name) ========== MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\d7ee03714420b252415b952d40ef59e4\System.ServiceProcess.ni.dll () MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\aeac298c43c77d8860db8e7634d9f2eb\System.ni.dll () MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\eab2340ead8e1a84bdf1a87868659979\mscorlib.ni.dll () MOD - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\wincfi39.dll () MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll () MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll () MOD - C:\Program Files\NVIDIA Corporation\nView\nvShell.dll () MOD - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe () MOD - C:\Program Files\Acronis\TrueImageHome\fox.dll () MOD - C:\WINDOWS\system32\PSIService.exe () MOD - C:\WINDOWS\system32\lxczcnv4.dll () ========== Services (SafeList) ========== SRV - 
(HidServ) -- %SystemRoot%\System32\hidserv.dll File not found SRV - (ccSchedulerSVC) -- C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe File not found SRV - (CaCCProvSP) -- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe File not found SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation) SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation) SRV - (MBAMScheduler) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation) SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation) SRV - (N360) -- C:\Program Files\Norton Security Suite\Engine\20.3.1.22\ccSvcHst.exe (Symantec Corporation) SRV - (Secunia PSI Agent) -- C:\Program Files\Secunia\PSI\psia.exe (Secunia) SRV - (Secunia Update Agent) -- C:\Program Files\Secunia\PSI\sua.exe (Secunia) SRV - (QBCFMonitorService) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit) SRV - (nvUpdatusService) -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation) SRV - (UmxPol) -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe (CA) SRV - (UmxCfg) -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe (CA) SRV - (UmxAgent) -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe (CA) SRV - (UmxFwHlp) -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe (CA) SRV - (QBFCService) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (Intuit Inc.) 
SRV - (TryAndDecideService) -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe ()
SRV - (AcrSch2Svc) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)
SRV - (PSI_SVC_2) -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)
SRV - (ProtexisLicensing) -- C:\WINDOWS\system32\PSIService.exe ()
SRV - (lxcz_device) -- C:\WINDOWS\system32\lxczcoms.exe ( )

========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (MCSTRM) -- File not found
DRV - (lmimirr) -- system32\DRIVERS\lmimirr.sys File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (esgiguard) -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\USERON~1\LOCALS~1\Temp\catchme.sys File not found
DRV - (NAVEX15) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130621.002\NAVEX15.SYS (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (NAVENG) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130621.002\NAVENG.SYS (Symantec Corporation)
DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (IDSxpx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130620.001\IDSXpx86.sys (Symantec Corporation)
DRV - (BHDrvx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130531.001\BHDrvx86.sys (Symantec Corporation)
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (SymEFA) -- C:\WINDOWS\system32\drivers\N360\1403010.016\symefa.sys (Symantec Corporation)
DRV - (SRTSP) -- C:\WINDOWS\system32\drivers\N360\1403010.016\srtsp.sys (Symantec Corporation)
DRV - (SRTSPX) -- C:\WINDOWS\system32\drivers\N360\1403010.016\srtspx.sys (Symantec Corporation)
DRV - (SymDS) -- C:\WINDOWS\system32\drivers\N360\1403010.016\symds.sys (Symantec Corporation)
DRV - (ccSet_N360) -- C:\WINDOWS\system32\drivers\N360\1403010.016\ccsetx86.sys (Symantec Corporation)
DRV - (SymIRON) -- C:\WINDOWS\system32\drivers\N360\1403010.016\ironx86.sys (Symantec Corporation)
DRV - (SYMTDI) -- C:\WINDOWS\system32\drivers\N360\1403010.016\symtdi.sys (Symantec Corporation)
DRV - (PSI) -- C:\WINDOWS\system32\drivers\psi_mf.sys (Secunia)
DRV - (KmxCF) -- C:\WINDOWS\system32\drivers\KmxCF.sys (CA)
DRV - (KmxFw) -- C:\WINDOWS\system32\drivers\KmxFw.sys (CA)
DRV - (KmxSbx) -- C:\WINDOWS\system32\drivers\KmxSbx.sys (CA)
DRV - (KmxFile) -- C:\WINDOWS\system32\drivers\KmxFile.sys (CA)
DRV - (KmxCfg) -- C:\WINDOWS\system32\drivers\KmxCfg.sys (CA)
DRV - (KmxStart) -- C:\WINDOWS\system32\drivers\KmxStart.sys (CA)
DRV - (KmxAgent) -- C:\WINDOWS\system32\drivers\KmxAgent.sys (CA)
DRV - (timounter) -- C:\WINDOWS\system32\drivers\timntr.sys (Acronis)
DRV - (tifsfilter) -- C:\WINDOWS\system32\drivers\tifsfilt.sys (Acronis)
DRV - (snapman) -- C:\WINDOWS\system32\drivers\snapman.sys (Acronis)
DRV - (tdrpman) -- C:\WINDOWS\system32\drivers\tdrpman.sys (Acronis)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (IDT, Inc.)
DRV - (sfng32) -- C:\WINDOWS\system32\drivers\sfng32.sys (Sonic Focus, Inc)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-725345543-1454471165-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..\SearchScopes,DefaultScope = {20B42714-2AE1-4BCA-8F0C-27691DFCBF63}
IE - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..\SearchScopes\{20B42714-2AE1-4BCA-8F0C-27691DFCBF63}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3303000&CUI=UN38385761147885239&UM=2
IE - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-725345543-1454471165-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-725345543-1454471165-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-21-725345543-1454471165-682003330-1007\..\SearchScopes,DefaultScope =

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:21.0
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: LogMeInClient@logmein.com:1.0.0.608
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: caaphishtoolbar@ca.com:2.0.0.111
FF - user.js - File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.21.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.2: C:\Program Files\VideoLAN\VLC\npvlc.dll File not found
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.5: C:\Program Files\VideoLAN\VLC\npvlc.dll File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\IPSFFPlgn\ [2013/06/15 18:51:41 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\coFFPlgn\ [2013/06/16 19:19:25 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/05/18 14:26:43 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/05/18 14:26:27 | 000,000,000 | ---D | M]

[2008/12/05 11:47:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User one\Application Data\Mozilla\Extensions
[2013/06/16 10:02:39 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\extensions
[2011/03/12 11:25:35 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2013/05/25 10:10:31 | 000,000,000 | ---D | M] (LogMeIn, Inc. Remote Access Plugin) -- C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\extensions\LogMeInClient@logmein.com
[2013/05/18 14:26:43 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013/05/18 14:26:43 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2012/06/20 12:14:20 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\mozilla firefox\plugins\npwachk.dll

O1 HOSTS File: ([2013/06/16 14:16:21 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\coieplg.dll (Symantec Corporation)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\coieplg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..\Toolbar\WebBrowser: (no name) - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No CLSID value found.
O3 - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..\Toolbar\WebBrowser: (no name) - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No CLSID value found.
O3 - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\coieplg.dll (Symantec Corporation)
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [FaxCenterServer] C:\Program Files\Lexmark Fax Solutions\fm3032.exe ()
O4 - HKLM..\Run: [intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [lxczbmgr.exe] C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-725345543-1454471165-682003330-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-725345543-1454471165-682003330-1004\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-725345543-1454471165-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-725345543-1454471165-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-725345543-1454471165-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-725345543-1454471165-682003330-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-725345543-1454471165-682003330-1007\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-725345543-1454471165-682003330-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1211185305437 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1371423209421 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{38EF28CB-69F3-48BB-82B6-3BD71C9BFE72}: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\PFW: DllName - (UmxWnp.Dll) - C:\WINDOWS\System32\UmxWNP.dll (CA)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/24 01:13:05 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/06/21 18:59:39 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User one\Desktop\OTL.exe
[2013/06/21 18:57:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User one\Desktop\MBAM 06.13
[2013/06/16 18:41:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User one\Application Data\Malwarebytes
[2013/06/16 18:41:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/06/16 18:40:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2013/06/16 18:40:58 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2013/06/16 18:40:58 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013/06/16 14:39:05 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2013/06/16 14:07:51 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/06/16 14:07:51 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/06/16 14:07:51 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/06/16 14:07:51 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/06/16 14:07:27 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/06/16 14:07:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2013/06/16 10:09:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2013/06/16 10:09:32 | 000,000,000 | ---D | C] -- C:\JRT
[2013/06/16 00:25:44 | 000,934,488 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\1403010.016\symefa.sys
[2013/06/16 00:25:44 | 000,394,656 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\1403010.016\symtdi.sys
[2013/06/16 00:25:44 | 000,367,704 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\1403010.016\symds.sys
[2013/06/16 00:25:44 | 000,350,368 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\1403010.016\symtdiv.sys
[2013/06/16 00:25:44 | 000,338,592 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\1403010.016\symnets.sys
[2013/06/16 00:25:44 | 000,032,344 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\1403010.016\srtspx.sys
[2013/06/16 00:25:44 | 000,021,400 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\1403010.016\symelam.sys
[2013/06/16 00:25:43 | 000,602,712 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\1403010.016\srtsp.sys
[2013/06/16 00:25:43 | 000,175,264 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\1403010.016\ironx86.sys
[2013/06/16 00:25:43 | 000,134,304 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\1403010.016\ccsetx86.sys
[2013/06/16 00:25:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\N360\1403010.016
[2013/06/15 18:50:12 | 000,142,496 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2013/06/15 18:50:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2013/06/15 18:50:12 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2013/06/15 18:49:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\N360
[2013/06/15 18:49:28 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Security Suite
[2013/06/15 18:49:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Norton Security Suite
[2013/06/15 18:49:07 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2013/06/15 18:38:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2013/06/15 18:38:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User one\My Documents\Symantec
[2013/06/15 18:37:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User one\Start Menu\Programs\Norton
[2013/06/15 18:37:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Norton
[2013/06/15 18:37:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2013/06/01 00:03:51 | 000,000,000 | ---D | C] -- C:\Program Files\Uninstaller
[2013/05/31 23:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2013/05/31 23:42:57 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2013/05/31 23:42:53 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2013/05/31 23:42:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2013/05/31 23:42:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Apple Computer
[2013/05/31 23:42:30 | 006,112,864 | ---- | C] (Apple, Inc.) -- C:\WINDOWS\System32\usbaaplrc.dll
[2013/05/31 23:42:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2013/05/31 23:42:16 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2013/05/31 23:38:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User one\Local Settings\Application Data\Temp
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/06/21 18:59:39 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User one\Desktop\OTL.exe
[2013/06/16 19:17:36 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/06/16 19:16:28 | 001,284,069 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k1
[2013/06/16 19:16:28 | 000,977,212 | ---- | M] () -- C:\WINDOWS\System32\drivers\KmxAgent.asc
[2013/06/16 19:16:28 | 000,000,373 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k1
[2013/06/16 19:16:28 | 000,000,085 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k7
[2013/06/16 19:16:28 | 000,000,085 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k6
[2013/06/16 19:16:28 | 000,000,085 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k5
[2013/06/16 19:16:28 | 000,000,085 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k4
[2013/06/16 19:16:28 | 000,000,085 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k3
[2013/06/16 19:16:28 | 000,000,085 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k2
[2013/06/16 19:16:28 | 000,000,085 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k0
[2013/06/16 19:16:28 | 000,000,049 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k7
[2013/06/16 19:16:28 | 000,000,049 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k6
[2013/06/16 19:16:28 | 000,000,049 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k5
[2013/06/16 19:16:28 | 000,000,049 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k4
[2013/06/16 19:16:28 | 000,000,049 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k3
[2013/06/16 19:16:28 | 000,000,049 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k2
[2013/06/16 19:16:28 | 000,000,049 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k0
[2013/06/16 19:07:44 | 000,703,097 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\Cat.DB
[2013/06/16 19:05:56 | 000,503,648 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/06/16 19:05:56 | 000,087,670 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/06/16 18:58:31 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/06/16 18:55:20 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/06/16 18:41:01 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/06/16 14:16:21 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2013/06/16 14:01:55 | 000,001,519 | ---- | M] () -- C:\Documents and Settings\User one\Application Data\Microsoft\Internet Explorer\Quick Launch\Notepad.lnk
[2013/06/16 10:04:03 | 000,014,818 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\VT20130115.021
[2013/06/15 18:54:17 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Sonos.lnk
[2013/06/15 18:50:12 | 000,142,496 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2013/06/15 18:50:12 | 000,007,446 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2013/06/15 18:50:12 | 000,000,806 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2013/06/15 15:44:52 | 380,952,576 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2013/05/31 23:48:46 | 000,002,828 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2013/05/31 23:43:21 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/06/16 18:41:01 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/06/16 14:07:51 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/06/16 14:07:51 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/06/16 14:07:51 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/06/16 14:07:51 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/06/16 14:07:51 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013/06/16 14:01:55 | 000,001,519 | ---- | C] () -- C:\Documents and Settings\User one\Application Data\Microsoft\Internet Explorer\Quick Launch\Notepad.lnk
[2013/06/16 10:04:03 | 000,703,097 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\Cat.DB
[2013/06/16 10:04:03 | 000,014,818 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\VT20130115.021
[2013/06/16 00:25:44 | 000,009,670 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\symelam.cat
[2013/06/16 00:25:44 | 000,007,877 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\symnetv.cat
[2013/06/16 00:25:44 | 000,007,601 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\symnet.cat
[2013/06/16 00:25:44 | 000,007,583 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\symefa.cat
[2013/06/16 00:25:44 | 000,007,577 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\symds.cat
[2013/06/16 00:25:44 | 000,003,434 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\symefa.inf
[2013/06/16 00:25:44 | 000,002,852 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\symds.inf
[2013/06/16 00:25:44 | 000,001,468 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\symnetv.inf
[2013/06/16 00:25:44 | 000,001,440 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\symnet.inf
[2013/06/16 00:25:44 | 000,000,996 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\symelam.inf
[2013/06/16 00:25:43 | 000,007,611 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\ccsetx86.cat
[2013/06/16 00:25:43 | 000,007,593 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\iron.cat
[2013/06/16 00:25:43 | 000,007,581 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\srtspx.cat
[2013/06/16 00:25:43 | 000,007,577 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\srtsp.cat
[2013/06/16 00:25:43 | 000,001,389 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\srtspx.inf
[2013/06/16 00:25:43 | 000,001,389 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\srtsp.inf
[2013/06/16 00:25:43 | 000,000,827 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\ccsetx86.inf
[2013/06/16 00:25:43 | 000,000,737 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\iron.inf
[2013/06/16 00:25:20 | 000,014,818 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\symvtcer.dat
[2013/06/16 00:25:20 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\isolate.ini
[2013/06/15 18:50:13 | 000,007,446 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2013/06/15 18:50:13 | 000,000,806 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2013/05/31 23:43:21 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2013/05/18 14:57:22 | 000,216,064 | ---- | C] ( ) -- C:\WINDOWS\System32\lagarith.dll
[2013/05/18 14:57:21 | 000,715,038 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2013/05/18 14:57:21 | 000,001,791 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2013/05/05 13:45:33 | 000,412,106 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-725345543-1454471165-682003330-1004-0.dat
[2013/05/05 12:09:57 | 000,207,098 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2013/03/10 16:02:45 | 000,000,142 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.400.32.bc
[2012/02/18 09:01:43 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/07/28 19:09:20 | 000,273,344 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2011/07/28 19:09:20 | 000,273,344 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2011/07/28 19:09:20 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2011/06/17 09:56:38 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\User one\defogger_reenable
[2009/12/07 01:27:50 | 000,870,128 | ---- | C] () -- C:\Documents and Settings\User one\Application Data\mcs.rma
[2008/11/07 18:00:48 | 000,094,208 | ---- | C] () -- C:\Documents and Settings\User one\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/07 17:54:12 | 000,002,828 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys

========== ZeroAccess Check ==========

[2008/10/06 21:21:13 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2011/02/17 09:51:57 | 001,510,400 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 08:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 20:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\blastcln.exe:SummaryInformation

< End of report >
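An added triage pass over OTL-style lines, written for this thread; it is not OTL, Malwarebytes or the poster's code. It pulls out the entries a responder reads first in a report like the one above: service and driver keys whose binary is "File not found", IE SearchScopes whose host is not a stock search engine (and whether that scope is the DefaultScope), O4 Run entries with an empty company string, Winlogon Shell/UserInit values that differ from the stock XP binaries, and alternate data streams. The sample input is constructed from lines copied out of the report above plus a few clean entries; the list of stock search hosts and the expected Winlogon paths are assumptions, not something read from the log.

```python
"""Triage of OTL-style log lines: pull out the entries a responder reads first.

Added example for this thread; not part of OTL or of the log posted above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the OTL report in the post above, plus a
# few clean entries so that each rule has something to let through.
SAMPLE_LOG = r"""
DRV - (esgiguard) -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys File not found
DRV - (catchme) -- C:\DOCUME~1\USERON~1\LOCALS~1\Temp\catchme.sys File not found
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
IE - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..\SearchScopes,DefaultScope = {20B42714-2AE1-4BCA-8F0C-27691DFCBF63}
IE - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..\SearchScopes\{20B42714-2AE1-4BCA-8F0C-27691DFCBF63}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3303000&CUI=UN38385761147885239&UM=2
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
@Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\blastcln.exe:SummaryInformation
"""

# Assumptions, not taken from the log: the search hosts a stock IE install on XP
# points at, and the Winlogon values a clean XP install carries.
DEFAULT_SEARCH_HOSTS = {"www.bing.com", "search.live.com"}
EXPECTED_WINLOGON = {
    "Shell": r"c:\windows\explorer.exe",
    "UserInit": r"c:\windows\system32\userinit.exe",
}

RE_SERVICE = re.compile(r"^(?P<kind>SRV|DRV) - \((?P<name>[^)]+)\) -- (?P<rest>.*)$")
RE_DEFAULT_SCOPE = re.compile(r"^IE - (?P<hive>\S+?)\\\.\.\\SearchScopes,DefaultScope = (?P<guid>\{[^}]+\})")
RE_SCOPE_URL = re.compile(r'^IE - (?P<hive>\S+?)\\\.\.\\SearchScopes\\(?P<guid>\{[^}]+\}): "URL" = (?P<url>\S+)')
RE_RUN = re.compile(r"^O4 - (?P<where>\S+): \[(?P<name>[^\]]+)\] (?P<path>.*?) \((?P<company>[^)]*)\)$")
RE_WINLOGON = re.compile(r"^O20 - HKLM Winlogon: (?P<key>Shell|UserInit) - \([^)]*\) - (?P<path>.*?) \([^)]*\)$")
RE_ADS = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<target>.*)$")


@dataclass(frozen=True)
class Finding:
    category: str   # which rule fired
    subject: str    # driver name, scope GUID, Run value name, stream target
    detail: str


def triage(log_text: str) -> list[Finding]:
    """Return the entries worth a second look, in the order the rules fire."""
    findings: list[Finding] = []
    default_scope: dict[str, str] = {}          # hive -> GUID named as DefaultScope
    scopes: list[tuple[str, str, str]] = []     # (hive, guid, url), judged after the pass

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RE_SERVICE.match(line):
            # A service/driver key whose binary is gone: leftover from an uninstall
            # or from a removed payload; either way the key should not stay.
            if m["rest"].endswith("File not found"):
                findings.append(Finding("orphan-" + m["kind"].lower(), m["name"], m["rest"]))
        elif m := RE_DEFAULT_SCOPE.match(line):
            default_scope[m["hive"]] = m["guid"]
        elif m := RE_SCOPE_URL.match(line):
            scopes.append((m["hive"], m["guid"], m["url"]))
        elif m := RE_RUN.match(line):
            # An empty company string means the file carries no version resource;
            # benign for some OEM tools, but it is the first thing to verify by hash.
            if not m["company"].strip():
                findings.append(Finding("run-no-company", m["name"], m["path"]))
        elif m := RE_WINLOGON.match(line):
            if m["path"].lower() != EXPECTED_WINLOGON[m["key"]]:
                findings.append(Finding("winlogon", m["key"], m["path"]))
        elif m := RE_ADS.match(line):
            # Listed for review: a tiny SummaryInformation stream is usually Explorer
            # property metadata, but any ADS on a system binary gets a look.
            findings.append(Finding("ads", m["target"], f"{m['size']} bytes"))

    # Search scopes are judged after the pass so the DefaultScope line can appear
    # before or after the URL lines it refers to.
    for hive, guid, url in scopes:
        host = urlparse(url).hostname or ""
        if host not in DEFAULT_SEARCH_HOSTS:
            role = "DefaultScope" if default_scope.get(hive) == guid else "extra scope"
            findings.append(Finding("search-scope", guid, f"{host} ({role})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:16} {f.subject}  ->  {f.detail}")
```

On the sample this reports the two orphaned driver keys, nwiz.exe for its missing company string, the SummaryInformation stream on blastcln.exe, and the conduit.com scope, noting that it is the user's DefaultScope rather than just one extra entry; the Bing scope and the stock Winlogon values pass. The rules are deliberately narrow so they can be read against the log by hand; extend DEFAULT_SEARCH_HOSTS or EXPECTED_WINLOGON for another build rather than loosening the regexes.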
17. Morning Gringo, and thanks. Check results follow:

mbam-check result log version: 2.0.0.1000
Malwarebytes Version: REG_SZ 1.75.0.1300
Date Log Created: 06/17/13
Time Log Created: 08:33:50
User Account type: Administrator
32 bit Operating System
Product Name: REG_SZ Microsoft Windows XP
Current Build Number: 2600
Current Version Number: 5.1
Current CSDVersion: Service Pack 3
OS Product Info: Home Edition
Proxy Status: No proxy is Set
Proxy Override: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ ProxyOverride REG_SZ *.local

LAN Settings:
=============
No Settings are Set <--NOT DETECTING SETTING AUTOMATICALLY

SystemPartition:
================
HKEY_LOCAL_MACHINE\SYSTEM\Setup\ SystemPartition REG_SZ \Device\HarddiskVolume1

Balloon Tips Status:
====================
Enabled

Time Format Settings:
=====================
Should be: h:mm:ss tt AM PM :
Currently: REG_SZ h:mm:ss tt REG_SZ AM REG_SZ PM REG_SZ :

Language and Regional Settings:
===============================
ACP: Language is English (United States)
MACCP: Language is English (United States)
OEMCP: Language is English (United States)

Startup Folders for Error_Expanding_Variables Check:
====================================================
All Users Startup Folder Exists.
Current User's startup Folder Exists.

Terminal Services Status for (null) entries in PM logs and GetUserToken errors:
===============================================================================
TERMService:
==============
Type : 32
State : 4 (The service is running.)
(State is stopped)
WIN32_EXIT_CODE : 0
SERVICE_EXIT_CODE : 0
CHECKPOINT : 0
WAIT_HINT : 0
TermService Start is set to: 3 (Manual Startup)

Compatibility Flag Settings (Any MBAM file listings should be removed):
=======================================================================

Malwarebytes Anti-Malware Shell Extension Block Check:
======================================================
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked

MBAM Startup Entries:
=====================
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Service and Driver Status:
==========================
MBAMProtector:
==============
Type : 2
State : 4 (The service is running.)
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0
SERVICE_EXIT_CODE : 0
CHECKPOINT : 0
WAIT_HINT : 0

MBAMService:
==============
Type : 16
State : 4 (The service is running.)
WIN32_EXIT_CODE : 0
SERVICE_EXIT_CODE : 0
CHECKPOINT : 0
WAIT_HINT : 0

MBAMScheduler:
==============
Type : 16
State : 4 (The service is running.)
WIN32_EXIT_CODE : 0
SERVICE_EXIT_CODE : 0
CHECKPOINT : 0
WAIT_HINT : 0

<--CAN NOT OPEN SC_HANDLE, SERVICE IS NOT RUNNING FOR: MBAMChameleon

MBAMProtector Registry Values:
==============================
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector
Type REG_DWORD 2
Start REG_DWORD 3
ErrorControl REG_DWORD 1
ImagePath REG_EXPAND_SZ \??\C:\WINDOWS\system32\drivers\mbam.sys
Group REG_SZ FSFilter Anti-Virus
DependOnService REG_MULTI_SZ FltMgr
DependOnGroup REG_DWORD 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector\Instances
DefaultInstance REG_SZ MBAMProtector Instance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector\Instances\MBAMProtector Instance
Altitude REG_SZ 328800
Flags REG_DWORD 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector\Security
Security REG_BINARY Binary Data
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector\Enum
0 REG_SZ Root\LEGACY_MBAMPROTECTOR\0000
Count REG_DWORD 1
NextInstance REG_DWORD 1

MBAMService Registry Values:
============================
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService
Type REG_DWORD 16
Start REG_DWORD 2
ErrorControl REG_DWORD 1
ImagePath REG_EXPAND_SZ "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe"
DependOnService REG_MULTI_SZ MBAMProtector
DependOnGroup REG_DWORD 0
ObjectName REG_SZ LocalSystem
Description REG_SZ Malwarebytes Anti-Malware service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService\Security
Security REG_BINARY Binary Data
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService\Enum
0 REG_SZ Root\LEGACY_MBAMSERVICE\0000
Count REG_DWORD 1
NextInstance REG_DWORD 1

MBAMScheduler Registry Values:
==============================
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMScheduler
Type REG_DWORD 16
Start REG_DWORD 2
ErrorControl REG_DWORD 1
ImagePath REG_EXPAND_SZ "C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe"
ObjectName REG_SZ LocalSystem
Description REG_SZ Malwarebytes Anti-Malware scheduler
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMScheduler\Security
Security REG_BINARY Binary Data
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMScheduler\Enum
0 REG_SZ Root\LEGACY_MBAMSCHEDULER\0000
Count REG_DWORD 1
NextInstance REG_DWORD 1

MBAM DLL's and Runtime Files:
=============================
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.vbalGrid
(Default): REG_SZ vbAccelerator Grid Control
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.vbalGrid\Clsid
(Default): REG_SZ {C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}
HKEY_CLASSES_ROOT\SSubTimer6.GSubclass
(Default): REG_SZ SSubTimer6.GSubclass
HKEY_CLASSES_ROOT\SSubTimer6.GSubclass\Clsid
(Default): REG_SZ {71A27032-C7D8-11D2-BEF8-525400DFB47A}
HKEY_CLASSES_ROOT\SSubTimer6.CTimer
(Default): REG_SZ SSubTimer6.CTimer
HKEY_CLASSES_ROOT\SSubTimer6.CTimer\Clsid
(Default): REG_SZ {71A27034-C7D8-11D2-BEF8-525400DFB47A}
HKEY_CLASSES_ROOT\SSubTimer6.ISubclass
(Default): REG_SZ SSubTimer6.ISubclass
HKEY_CLASSES_ROOT\SSubTimer6.ISubclass\Clsid
(Default): REG_SZ {71A2702F-C7D8-11D2-BEF8-525400DFB47A}
HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}
(Default): REG_SZ SSubTimer6.ISubclass
HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories
HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\ProgID
(Default): REG_SZ SSubTimer6.ISubclass
HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\Programmable
HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\TypeLib
(Default): REG_SZ {71A2702D-C7D8-11D2-BEF8-525400DFB47A}
HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\VERSION
(Default): REG_SZ 1.0
HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}
(Default): REG_SZ SSubTimer6.GSubclass
HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories
HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32
(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\ssubtmr6.dll
ThreadingModel REG_SZ Apartment
HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\ProgID
(Default): REG_SZ SSubTimer6.GSubclass
HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\Programmable
HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\TypeLib
(Default): REG_SZ {71A2702D-C7D8-11D2-BEF8-525400DFB47A}
HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\VERSION
(Default): REG_SZ 1.0
HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}
(Default): REG_SZ SSubTimer6.CTimer
HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories
HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32
(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\ssubtmr6.dll
ThreadingModel REG_SZ Apartment
HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\ProgID
(Default): REG_SZ SSubTimer6.CTimer
HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\Programmable
HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\TypeLib
(Default): REG_SZ {71A2702D-C7D8-11D2-BEF8-525400DFB47A}
HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\VERSION
(Default): REG_SZ 1.0
HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}
HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1
(Default): REG_SZ vbAccelerator VB6 SGrid Control 2.0
HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\0
HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\0\win32 (Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\vbalsgrid6.ocx HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\FLAGS (Default): REG_SZ 2 HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\HELPDIR (Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A} HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0 (Default): REG_SZ vbAccelerator VB6 Subclassing and Timer Assistant (with configurable message response, multi-control support + timer bug fix) HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\0 HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\0\win32 (Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\ssubtmr6.dll HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\FLAGS (Default): REG_SZ 0 HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\HELPDIR (Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware HKEY_CLASSES_ROOT\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A} (Default): REG_SZ ISubclass HKEY_CLASSES_ROOT\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid (Default): REG_SZ {00020424-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32 (Default): REG_SZ {00020424-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\TypeLib (Default): REG_SZ {71A2702D-C7D8-11D2-BEF8-525400DFB47A} Version REG_SZ 1.0 HKEY_CLASSES_ROOT\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A} (Default): REG_SZ CTimer HKEY_CLASSES_ROOT\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid (Default): REG_SZ {00020420-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32 (Default): REG_SZ 
{00020420-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\TypeLib (Default): REG_SZ {71A2702D-C7D8-11D2-BEF8-525400DFB47A} Version REG_SZ 1.0 HKEY_CLASSES_ROOT\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB} (Default): REG_SZ vbalGrid HKEY_CLASSES_ROOT\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\ProxyStubClsid (Default): REG_SZ {00020420-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\ProxyStubClsid32 (Default): REG_SZ {00020420-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\TypeLib (Default): REG_SZ {DE8CE233-DD83-481D-844C-C07B96589D3A} Version REG_SZ 1.1 MBAM Registry Settings and License Info: ======================================== HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes' Anti-Malware advancedheuristics REG_DWORD 1 downloadprogram REG_DWORD 1 hidereg REG_DWORD 0 detectp2p REG_DWORD 0 detectpum REG_DWORD 1 detectpup REG_DWORD 2 updatewarn REG_DWORD 1 updatewarndays REG_DWORD 7 useproxy REG_DWORD 0 useauthentication REG_DWORD 0 contextmenu REG_DWORD 1 reportthreats REG_DWORD 1 startwithwindows REG_DWORD 1 startfsdisabled REG_DWORD 0 startipdisabled REG_DWORD 0 silentipmode REG_DWORD 0 autoquarantine REG_DWORD 1 notifyinstallprogram REG_DWORD 1 trialpromptshown REG_DWORD 1 autoquarantinenotify REG_DWORD 1 alwaysscanarchives REG_DWORD 1 InstallPath REG_SZ C:\Program Files\Malwarebytes' Anti-Malware dbdate REG_SZ Sun, 16 Jun 2013 20:29:17 GMT dbversion REG_SZ v2013.06.16.04 programversion REG_SZ 1.75.0.1300 programbuild REG_SZ consumer trialended REG_DWORD 0 SchedulerQueue REG_MULTI_SZ 6148, 30304928, 3375955312, 1, 23 | 30304996, 11501902 ID XXXXX-XXXXX This is hidden data. Key XXXX-XXXX-XXXX-XXXX This is hidden data. HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes' Anti-Malware (Trial) TrialId There is data here but it is hidden. 
StartDate REG_SZ Sun, 16 Jun 2013 22:41:21 UTC EndDate REG_SZ Sun, 30 Jun 2013 22:41:21 UTC HKEY_CURRENT_USER\SOFTWARE\Malwarebytes' Anti-Malware alwaysscanfiles REG_DWORD 1 alwaysscanheuristics REG_DWORD 1 alwaysscanmemory REG_DWORD 1 alwaysscanregistry REG_DWORD 1 alwaysscanstartups REG_DWORD 1 autosavelog REG_DWORD 1 openlog REG_DWORD 1 defaultscan REG_DWORD 0 terminateie REG_DWORD 0 Language REG_SZ English.lng selectedrives REG_SZ C:\|F:\| HKEY_USERS\S-1-5-18\SOFTWARE\Malwarebytes' Anti-Malware alwaysscanfiles REG_DWORD 1 alwaysscanheuristics REG_DWORD 1 alwaysscanmemory REG_DWORD 1 alwaysscanregistry REG_DWORD 1 alwaysscanstartups REG_DWORD 1 autosavelog REG_DWORD 1 openlog REG_DWORD 1 defaultscan REG_DWORD 0 terminateie REG_DWORD 0 HKEY_USERS\.DEFAULT\SOFTWARE\Malwarebytes' Anti-Malware alwaysscanfiles REG_DWORD 1 alwaysscanheuristics REG_DWORD 1 alwaysscanmemory REG_DWORD 1 alwaysscanregistry REG_DWORD 1 alwaysscanstartups REG_DWORD 1 autosavelog REG_DWORD 1 openlog REG_DWORD 1 defaultscan REG_DWORD 0 terminateie REG_DWORD 0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malwarebytes' Anti-Malware_is1 Inno Setup: Setup Version REG_SZ 5.5.3-dev (a) Inno Setup: App Path REG_SZ C:\Program Files\Malwarebytes' Anti-Malware InstallLocation REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\ Inno Setup: Icon Group REG_SZ Malwarebytes' Anti-Malware Inno Setup: User REG_SZ User one Inno Setup: Selected Tasks REG_SZ desktopicon Inno Setup: Deselected Tasks REG_SZ quicklaunchicon Inno Setup: Language REG_SZ English DisplayName REG_SZ Malwarebytes Anti-Malware version 1.75.0.1300 DisplayIcon REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe UninstallString REG_SZ "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe" QuietUninstallString REG_SZ "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe" /SILENT DisplayVersion REG_SZ 1.75.0.1300 Publisher REG_SZ Malwarebytes Corporation URLInfoAbout REG_SZ http://www.malwarebytes.org 
NoModify REG_DWORD 1 NoRepair REG_DWORD 1 InstallDate REG_SZ 20130616 MajorVersion REG_DWORD 1 MinorVersion REG_DWORD 75 Pending File Rename Operations: ================================ If any Malwarebytes Anti-Malware items are listed below, the user must reboot to complete a Malwarebytes Anti-Malware upgrade installation. Scheduler Queue: ================ Scheduled Item: Update Schedule Options: | Daily | Random Start Time: 2013-06-16 14:50 Repeating Every: 1 Recover if missed by: 23 Context Menu Entries: ===================== HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShlExt (Default): REG_SZ {57CE581A-0CB6-4266-9CA0-19364C90A0B3} HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\MBAMShlExt (Default): REG_SZ {57CE581A-0CB6-4266-9CA0-19364C90A0B3} HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt (Default): REG_SZ MBAMShlExt Class HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt\CLSID (Default): REG_SZ {57CE581A-0CB6-4266-9CA0-19364C90A0B3} HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt\CurVer (Default): REG_SZ MBAMExt.MBAMShlExt.1 HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1 (Default): REG_SZ MBAMShlExt Class HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1\CLSID (Default): REG_SZ {57CE581A-0CB6-4266-9CA0-19364C90A0B3} HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE} (Default): REG_SZ IMBAMShlExt HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\ProxyStubClsid (Default): REG_SZ {00020424-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\ProxyStubClsid32 (Default): REG_SZ {00020424-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\TypeLib (Default): REG_SZ {AFF1A83B-6C83-4342-8E68-1648DE06CB65} Version REG_SZ 1.0 HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3} (Default): REG_SZ MBAMShlExt Class HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32 (Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll 
ThreadingModel REG_SZ Apartment HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\ProgID (Default): REG_SZ MBAMExt.MBAMShlExt.1 HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\TypeLib (Default): REG_SZ {AFF1A83B-6C83-4342-8E68-1648DE06CB65} HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\VersionIndependentProgID (Default): REG_SZ MBAMExt.MBAMShlExt HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65} HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0 (Default): REG_SZ MBAMExt 1.0 Type Library HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0 HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0\win32 (Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\FLAGS (Default): REG_SZ 0 HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\HELPDIR (Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\ MBAM Drivers: ============= C:\WINDOWS\system32\drivers\mbam.sys File Size: 22856 BYTES FileVersion: 1.60.2.0 Required Dependencies: ====================== fltmgr: ============== Type : 2 State : 4 (The service is running.) 
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 SERVICE_EXIT_CODE : 0 CHECKPOINT : 0 WAIT_HINT : 0 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FltMgr Type REG_DWORD 2 Start REG_DWORD 0 ErrorControl REG_DWORD 1 Tag REG_DWORD 1 ImagePath REG_EXPAND_SZ system32\drivers\fltmgr.sys DisplayName REG_SZ FltMgr Group REG_SZ FSFilter Infrastructure Description REG_SZ File System Filter Manager Driver AttachWhenLoaded REG_DWORD 1 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FltMgr\Security Security REG_BINARY Binary Data HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FltMgr\Enum 0 REG_SZ Root\LEGACY_FLTMGR\0000 Count REG_DWORD 1 NextInstance REG_DWORD 1 C:\WINDOWS\system32\drivers\fltmgr.sys File Size: 129792 BYTES FileVersion: 5.1.2600.5512 C:\WINDOWS\system32\comctl32.ocx File Size: 608448 BYTES FileVersion: 6.0.81.5 C:\WINDOWS\system32\mscomctl.ocx File Size: 1070152 BYTES FileVersion: 6.1.98.34 C:\WINDOWS\system32\olepro32.dll File Size: 84992 BYTES FileVersion: 5.1.2600.5512 List of MBAM Related Directories: ================================= C:\Program Files\Malwarebytes' Anti-Malware 7z.dll File Size: 914432 BYTES FileVersion: 9.20.0.0 changes.txt File Size: 200 BYTES license.rtf File Size: 17916 BYTES mbam.chm File Size: 474148 BYTES mbam.dll File Size: 527944 BYTES FileVersion: 1.70.0.0 mbam.exe File Size: 887432 BYTES FileVersion: 1.75.0.1 mbamcore.dll File Size: 1127496 BYTES FileVersion: 1.70.0.0 mbamext.dll File Size: 80968 BYTES FileVersion: 1.70.0.0 mbamgui.exe File Size: 532040 BYTES FileVersion: 1.70.0.0 mbamnet.dll File Size: 2191944 BYTES FileVersion: 1.70.0.0 mbampt.exe File Size: 40008 BYTES FileVersion: 1.70.0.0 mbamscheduler.exe File Size: 418376 BYTES FileVersion: 1.70.0.0 mbamservice.exe File Size: 701512 BYTES FileVersion: 1.70.0.0 ssubtmr6.dll File Size: 46416 BYTES FileVersion: 1.1.0.3 unins000.dat File Size: 15697 BYTES unins000.exe File Size: 712264 BYTES FileVersion: 51.52.0.0 unins000.msg File Size: 11277 
BYTES vbalsgrid6.ocx File Size: 496976 BYTES FileVersion: 2.0.0.40 C:\Program Files\Malwarebytes' Anti-Malware\Chameleon chameleon.chm File Size: 186068 BYTES firefox.com File Size: 218184 BYTES firefox.exe File Size: 218184 BYTES firefox.pif File Size: 218184 BYTES firefox.scr File Size: 218184 BYTES iexplore.exe File Size: 218184 BYTES mbam-chameleon.com File Size: 218184 BYTES mbam-chameleon.exe File Size: 218184 BYTES mbam-chameleon.pif File Size: 218184 BYTES mbam-chameleon.scr File Size: 218184 BYTES mbam-killer.exe File Size: 896072 BYTES rundll32.exe File Size: 218184 BYTES svchost.exe File Size: 218184 BYTES winlogon.exe File Size: 218184 BYTES C:\Program Files\Malwarebytes' Anti-Malware\Languages arabic.lng File Size: 21894 BYTES belarusian.lng File Size: 26884 BYTES bosnian.lng File Size: 27108 BYTES bulgarian.lng File Size: 27574 BYTES catalan.lng File Size: 28252 BYTES chineseSI.lng File Size: 11024 BYTES chineseTR.lng File Size: 11952 BYTES croatian.lng File Size: 26670 BYTES czech.lng File Size: 24874 BYTES danish.lng File Size: 26582 BYTES dutch.lng File Size: 28342 BYTES english.lng File Size: 24542 BYTES estonian.lng File Size: 25146 BYTES finnish.lng File Size: 25950 BYTES french.lng File Size: 29830 BYTES german.lng File Size: 29894 BYTES greek.lng File Size: 29300 BYTES hebrew.lng File Size: 19362 BYTES hungarian.lng File Size: 28666 BYTES indonesian.lng File Size: 26854 BYTES italian.lng File Size: 28194 BYTES japanese.lng File Size: 16266 BYTES korean.lng File Size: 14188 BYTES latvian.lng File Size: 27100 BYTES lithuanian.lng File Size: 27838 BYTES norwegian.lng File Size: 25116 BYTES polish.lng File Size: 26644 BYTES portugueseBR.lng File Size: 28654 BYTES portuguesePT.lng File Size: 29062 BYTES romanian.lng File Size: 28290 BYTES russian.lng File Size: 27302 BYTES serbian.lng File Size: 26804 BYTES slovak.lng File Size: 25644 BYTES slovenian.lng File Size: 24852 BYTES spanish.lng File Size: 30060 BYTES swedish.lng File Size: 25992 BYTES 
thai.lng File Size: 26092 BYTES turkish.lng File Size: 25876 BYTES vietnamese.lng File Size: 29528 BYTES C:\Documents and Settings\User one\Application Data\Malwarebytes\Malwarebytes' Anti-Malware C:\Documents and Settings\User one\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs C:\Documents and Settings\User one\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine =============================================================== END OF FILE
  18. Gringo- After using the programs to remove/clean and re-install, I still have the same 2 remaining issues, including no ability to enable malicious website blocking. Thanks
  19. Gringo- Programs ran with no problem, except there is no RKreport[2].txt - only RKreport[0].txt and RKreport[1].txt. Continuing problems with the computer:
      1 - Still cannot enable malicious website blocking in MBAM
      2 - IE search box wants to dump me through a "Vafmusic7 Customized Web Search"
      TDSSKiller report attached and both RogueKiller reports follow. Thank you again...
  20. Hey Gringo- Combofix ran with no problem. The only discernible problems with the computer:
      1 - Still cannot enable malicious website blocking in MBAM
      2 - IE search box wants to dump me through a "Vafmusic7 Customized Web Search"
      Please note I am not trying to run any other programs or access the internet, other than for postings to the forum, until all is clear. Following is the Combofix log, and then I am pasting today's MBAM log if that will provide any clues. Thanks yet again!
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MBCameraMonitor.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MBCameraMonitor.lnk backup=c:\windows\pss\MBCameraMonitor.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk backup=c:\windows\pss\Windows Search.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^User one^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk] path=c:\documents and settings\User one\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor] 2008-07-10 00:42 37888 ----a-w- c:\program files\Corel\Corel MediaOne\CorelIOMonitor.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader] 2008-08-18 21:53 532808 ----a-w- c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio] 2006-09-21 14:36 9138176 ----a-w- c:\program files\Intel Audio Studio\IntelAudioStudio.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2012-10-25 08:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe . 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIMBBLaunchAgent.exe] 2011-02-18 15:47 79192 ----a-w- c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"= "c:\\WINDOWS\\system32\\lxczcoms.exe"= "c:\\Program Files\\Opera\\opera.exe"= "c:\\Program Files\\Winamp\\winamp.exe"= "c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"= "c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"= "c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"= "c:\\Program Files\\Sonos\\Sonos.exe"= "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management . 
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [5/3/2010 2:12 AM 108112] R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\1403010.016\symds.sys [6/16/2013 12:25 AM 367704] R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\1403010.016\symefa.sys [6/16/2013 12:25 AM 934488] R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130531.001\BHDrvx86.sys [5/31/2013 5:15 PM 1002072] R1 ccSet_N360;Norton Security Suite Settings Manager;c:\windows\system32\drivers\N360\1403010.016\ccsetx86.sys [6/16/2013 12:25 AM 134304] R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [3/22/2010 1:58 PM 79864] R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [9/24/2010 11:16 AM 61008] R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [9/24/2010 11:16 AM 115792] R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\1403010.016\ironx86.sys [6/16/2013 12:25 AM 175264] R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [9/24/2010 11:16 AM 146000] R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [9/24/2010 11:16 AM 61008] R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\20.3.1.22\ccsvchst.exe [6/16/2013 12:25 AM 144520] R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [9/24/2012 8:46 AM 656480] R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [8/4/2009 10:42 AM 887288] R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [8/24/2010 12:07 PM 740160] R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [9/17/2010 12:21 PM 301648] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/15/2013 7:25 PM 106656] R3 IDSxpx86;IDSxpx86;c:\documents and 
settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130614.001\IDSXpx86.sys [6/14/2013 2:19 PM 373728] R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [6/9/2010 6:54 AM 244304] S2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe --> c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [?] S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [6/15/2013 6:25 PM 418376] S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/15/2013 6:25 PM 701512] S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?] S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/15/2013 6:24 PM 22856] S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [12/16/2011 10:19 AM 15544] S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [9/24/2012 8:46 AM 1328736] . Contents of the 'Scheduled Tasks' folder . 2013-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 Trusted Zone: turbotax.com TCP: DhcpNameServer = 192.168.0.1 FF - ProfilePath - c:\documents and settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - ExtSQL: 2013-05-31 23:37; {37a7edb7-afda-4373-9865-02bf8160e677}; c:\documents and settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\extensions\{37a7edb7-afda-4373-9865-02bf8160e677} FF - ExtSQL: !HIDDEN! 
2010-08-19 20:14; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension . - - - - ORPHANS REMOVED - - - - . HKLM-Run-SysTrayApp - c:\program files\IDT\WDM\sttray.exe HKLM-Run-DivXMediaServer - c:\program files\DivX\DivX Media Server\DivXMediaServer.exe AddRemove-com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 - c:\program files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe AddRemove-DSite - c:\documents and settings\User one\Application Data\DSite\UpdateProc\UpdateTask.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2013-06-16 14:16 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . . c:\docume~1\USERON~1\LOCALS~1\Temp\catchme.dll 53248 bytes executable . scan completed successfully hidden files: 1 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360] "ImagePath"="\"c:\program files\Norton Security Suite\Engine\20.3.1.22\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\20.3.1.22\diMaster.dll\" /prefetch:1" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe" . 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*] @="?????????????????? v1" . [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID] @="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}" . [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*] @="?????????????????? v2" . [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID] @="{9BE31822-FDAD-461B-AD51-BE1D1C159921}" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(804) c:\windows\system32\UmxWnp.Dll . Completion time: 2013-06-16 14:18:18 ComboFix-quarantined-files.txt 2013-06-16 18:18 ComboFix2.txt 2011-06-26 22:42 . Pre-Run: 121,580,863,488 bytes free Post-Run: 121,569,873,920 bytes free . 
- - End Of File - - 497DCA613D86027E552829E26D2FE79E 8F558EB6672622401DA993E1E865C861 ______________________________________________________________ 2013/06/16 10:04:59 -0400 NEW042408 MESSAGE Starting protection 2013/06/16 10:04:59 -0400 NEW042408 MESSAGE Protection started successfully 2013/06/16 10:04:59 -0400 NEW042408 MESSAGE Starting IP protection 2013/06/16 10:04:59 -0400 NEW042408 ERROR IP protection failed: PfMakeLog failed with error code 21 2013/06/16 10:07:22 -0400 NEW042408 User one MESSAGE Starting database refresh 2013/06/16 10:07:30 -0400 NEW042408 User one MESSAGE Database refreshed successfully 2013/06/16 10:08:36 -0400 NEW042408 User one MESSAGE Stopping protection 2013/06/16 10:08:36 -0400 NEW042408 User one MESSAGE Protection stopped successfully 2013/06/16 10:08:37 -0400 NEW042408 User one MESSAGE Protection stopped 2013/06/16 10:51:42 -0400 NEW042408 MESSAGE Starting protection 2013/06/16 10:51:42 -0400 NEW042408 MESSAGE Protection started successfully 2013/06/16 10:51:42 -0400 NEW042408 MESSAGE Starting IP protection 2013/06/16 10:51:42 -0400 NEW042408 ERROR IP protection failed: PfMakeLog failed with error code 21 2013/06/16 10:57:30 -0400 NEW042408 User one MESSAGE Stopping protection 2013/06/16 10:57:30 -0400 NEW042408 User one MESSAGE Protection stopped successfully 2013/06/16 10:57:31 -0400 NEW042408 User one MESSAGE Protection stopped 2013/06/16 11:00:49 -0400 NEW042408 User one MESSAGE Starting protection 2013/06/16 11:00:49 -0400 NEW042408 User one MESSAGE Protection started successfully 2013/06/16 11:00:49 -0400 NEW042408 User one MESSAGE Starting IP protection 2013/06/16 11:00:49 -0400 NEW042408 User one ERROR IP protection failed: PfMakeLog failed with error code 21 2013/06/16 11:00:52 -0400 NEW042408 User one MESSAGE Starting IP protection 2013/06/16 11:00:52 -0400 NEW042408 User one ERROR IP protection failed: PfMakeLog failed with error code 21 2013/06/16 11:00:56 -0400 NEW042408 User one MESSAGE Starting IP protection 
2013/06/16 11:00:56 -0400 NEW042408 User one ERROR IP protection failed: PfMakeLog failed with error code 21 2013/06/16 11:01:03 -0400 NEW042408 User one MESSAGE Starting IP protection 2013/06/16 11:01:03 -0400 NEW042408 User one ERROR IP protection failed: PfMakeLog failed with error code 21 2013/06/16 14:06:18 -0400 NEW042408 User one MESSAGE Stopping protection 2013/06/16 14:06:18 -0400 NEW042408 User one MESSAGE Protection stopped successfully 2013/06/16 14:06:19 -0400 NEW042408 User one MESSAGE Protection stopped 2013/06/16 14:22:51 -0400 NEW042408 MESSAGE Starting protection 2013/06/16 14:22:52 -0400 NEW042408 MESSAGE Protection started successfully 2013/06/16 14:22:52 -0400 NEW042408 MESSAGE Starting IP protection 2013/06/16 14:22:52 -0400 NEW042408 User one ERROR IP protection failed: PfMakeLog failed with error code 21 2013/06/16 14:24:49 -0400 NEW042408 User one MESSAGE Starting IP protection 2013/06/16 14:24:49 -0400 NEW042408 User one ERROR IP protection failed: PfMakeLog failed with error code 21 2013/06/16 14:25:01 -0400 NEW042408 User one MESSAGE Starting IP protection 2013/06/16 14:25:01 -0400 NEW042408 User one ERROR IP protection failed: PfMakeLog failed with error code 21 2013/06/16 14:25:10 -0400 NEW042408 User one MESSAGE Starting IP protection 2013/06/16 14:25:10 -0400 NEW042408 User one ERROR IP protection failed: PfMakeLog failed with error code 21 2013/06/16 14:25:21 -0400 NEW042408 User one MESSAGE Stopping protection 2013/06/16 14:25:21 -0400 NEW042408 User one MESSAGE Protection stopped successfully 2013/06/16 14:25:23 -0400 NEW042408 User one MESSAGE Starting IP protection 2013/06/16 14:25:23 -0400 NEW042408 User one ERROR IP protection failed: PfMakeLog failed with error code 21 2013/06/16 14:25:26 -0400 NEW042408 User one MESSAGE Starting protection 2013/06/16 14:25:26 -0400 NEW042408 User one MESSAGE Protection started successfully 2013/06/16 14:26:53 -0400 NEW042408 User one MESSAGE Starting IP protection 2013/06/16 14:26:53 -0400 
NEW042408 User one ERROR IP protection failed: PfMakeLog failed with error code 21
  21. Gringo- Good to 'meet you' and thanks! Followed all instructions. AdwCleaner ran fine. In shutting down 'protection' to run the Junkware Removal Tool, I shut down MB; the system has Norton, which doesn't shut down, but I disabled virus protection and the firewall. Junkware begins to run fine; just after it finishes checking folders, it starts to check the registry. Then Windows Explorer pops open, a Windows protection disabled warning message appears (click balloon to fix), and Junkware Removal stops running (I've given it an hour and it's still the same screen). System is Windows XP SP3. Do I need to uninstall Norton? On my laptop Norton gave me a message that it is incompatible with MBAM for the first time yesterday, and both have been in use for several months. Is there a preferred firewall / virus protection program to run with MBAM? Thanks again - here is the AdwCleaner text.

# AdwCleaner v2.303 - Logfile created 06/16/2013 at 10:01:40
# Updated 08/06/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : User one - NEW042408
# Boot Mode : Normal
# Running from : C:\Documents and Settings\User one\Desktop\AdwCleaner.exe
# Option [Delete]

***** [services] *****

Stopped & Deleted : CltMngSvc

***** [Files / Folders] *****

File Deleted : C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\searchplugins\Babylon.xml
File Deleted : C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\searchplugins\Conduit.xml
File Deleted : C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\searchplugins\delta.xml
File Deleted : C:\END
File Deleted : C:\WINDOWS\Tasks\EPUpdater.job
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\User one\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\User one\Application Data\DSite
Folder Deleted : C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\CT3303000
Folder Deleted : C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\extensions\{37a7edb7-afda-4373-9865-02bf8160e677}
Folder Deleted : C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\Smartbar
Folder Deleted : C:\Documents and Settings\User one\Application Data\PriceGong
Folder Deleted : C:\Documents and Settings\User one\Application Data\SearchProtect
Folder Deleted : C:\Documents and Settings\User one\Local Settings\Application Data\Conduit
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\SearchProtect

***** [Registry] *****

Key Deleted : HKCU\Software\BabSolution
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\PriceGong
Key Deleted : HKCU\Software\SearchProtect
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3303000
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Delta
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SearchProtect
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Key Deleted : HKLM\Software\SearchProtect
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [searchprotect]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [searchProtectAll]

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com/?ctid=CT3303000&octid=CT3303000&SearchSource=61&CUI=UN38385761147885239&UM=2&UP=SPC6F11C3F-4B1C-4D52-BFF4-685F22AFC1FD --> hxxp://www.google.com

-\\ Mozilla Firefox v21.0 (en-US)

File : C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\prefs.js

C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\user.js ... Deleted !

Deleted : user_pref("CT3303000.1000082.isPlayDisplay", "true");
Deleted : user_pref("CT3303000.1000082.state", "{\"state\":\"stopped\",\"text\":\"Californi...\",\"description[...]
Deleted : user_pref("CT3303000.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT3303000.ENABLE_RETURN_WEB_SEARCH_ON_THE_PAGE", "{\"dataType\":\"string\",\"data\":\"tru[...]
Deleted : user_pref("CT3303000.FF19Solved", "true");
Deleted : user_pref("CT3303000.FirstTime", "true");
Deleted : user_pref("CT3303000.FirstTimeFF3", "true");
Deleted : user_pref("CT3303000.PG_ENABLE", "dHJ1ZQ==");
Deleted : user_pref("CT3303000.PG_ENABLE.enc", "dHJ1ZQ==");
Deleted : user_pref("CT3303000.SF_JUST_INSTALLED.enc", "RkFMU0U=");
Deleted : user_pref("CT3303000.SF_STATUS.enc", "RU5BQkxFRA==");
Deleted : user_pref("CT3303000.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT330[...]
Deleted : user_pref("CT3303000.UserID", "UN31659096621887623");
Deleted : user_pref("CT3303000.YTbyClickFavorites.enc", "W10=");
Deleted : user_pref("CT3303000.YTbyClickRecent.enc", "W10=");
Deleted : user_pref("CT3303000.addressBarTakeOverEnabledInHidden", "true");
Deleted : user_pref("CT3303000.autoDisableScopes", -1);
Deleted : user_pref("CT3303000.browser.search.defaultthis.engineName", "true");
Deleted : user_pref("CT3303000.defaultSearch", "true");
Deleted : user_pref("CT3303000.embeddedsData", "[{\"appId\":\"130136188917021865\",\"apiPermissions\":{\"cross[...]
Deleted : user_pref("CT3303000.enableAlerts", "true");
Deleted : user_pref("CT3303000.enableFix404ByUser", "TRUE");
Deleted : user_pref("CT3303000.enableSearchFromAddressBar", "true");
Deleted : user_pref("CT3303000.firstTimeDialogOpened", "true");
Deleted : user_pref("CT3303000.fixPageNotFoundError", "true");
Deleted : user_pref("CT3303000.fixPageNotFoundErrorByUser", "true");
Deleted : user_pref("CT3303000.fixPageNotFoundErrorInHidden", "true");
Deleted : user_pref("CT3303000.fixUrls", true);
Deleted : user_pref("CT3303000.homepageuserchanged", true);
Deleted : user_pref("CT3303000.installDate", "31/5/2013 23:37:33");
Deleted : user_pref("CT3303000.installId", "stub.exe");
Deleted : user_pref("CT3303000.installSessionId", "{42624FAA-E5CF-4125-9E71-0CF28082EA60}");
Deleted : user_pref("CT3303000.installSp", "TRUE");
Deleted : user_pref("CT3303000.installType", "conduitnsisintegration");
Deleted : user_pref("CT3303000.installUsage", "2013-06-14T17:12:07.5222273+03:00");
Deleted : user_pref("CT3303000.installUsageEarly", "2013-06-14T17:12:05.9778174+03:00");
Deleted : user_pref("CT3303000.installerVersion", "1.4.2.3");
Deleted : user_pref("CT3303000.isCheckedStartAsHidden", true);
Deleted : user_pref("CT3303000.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT3303000.isFirstTimeToolbarLoading", "false");
Deleted : user_pref("CT3303000.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}");
Deleted : user_pref("CT3303000.keyword", "true");
Deleted : user_pref("CT3303000.lastNewTabSettings", "{\"isEnabled\":true,\"newTabUrl\":\"hxxp://search.conduit[...]
Deleted : user_pref("CT3303000.lastVersion", "10.16.2.9");
Deleted : user_pref("CT3303000.mam_gk_appStateReportTime.enc", "MTM3MTMyNTQ3MjUyOQ==");
Deleted : user_pref("CT3303000.mam_gk_appState_ACplus.enc", "b2Zm");
Deleted : user_pref("CT3303000.mam_gk_appState_CouponBuddy.enc", "b2Zm");
Deleted : user_pref("CT3303000.mam_gk_appState_Discover.enc", "b2Zm");
Deleted : user_pref("CT3303000.mam_gk_appState_Easytobook.enc", "b2Zm");
Deleted : user_pref("CT3303000.mam_gk_appState_Easytobook_targeted.enc", "b2Zm");
Deleted : user_pref("CT3303000.mam_gk_appState_PriceGong.enc", "b2Zm");
Deleted : user_pref("CT3303000.mam_gk_appState_WindowShopper.enc", "b2Zm");
Deleted : user_pref("CT3303000.mam_gk_appsData.enc", "eyJhcHBzIjpbeyJpZCI6IlByaWNlR29uZyIsInVybCI6Imh0dHA6Ly9w[...]
Deleted : user_pref("CT3303000.mam_gk_appsDefaultEnabled.enc", "bnVsbA==");
Deleted : user_pref("CT3303000.mam_gk_configuration.enc", "eyJjb25maWd1cmF0aW9uIjpbeyJpZCI6IkRpc2NvdmVyIiwiY3J[...]
Deleted : user_pref("CT3303000.mam_gk_currentVersion.enc", "MS44LjAuNA==");
Deleted : user_pref("CT3303000.mam_gk_eventsCache.enc", "eyIyODBmNTAyYi00MmEyLTRiOTgtOTM2NC0zNmUyZTlmNzMwMWIiO[...]
Deleted : user_pref("CT3303000.mam_gk_first_time.enc", "MQ==");
Deleted : user_pref("CT3303000.mam_gk_gadgetOpen.enc", "MA==");
Deleted : user_pref("CT3303000.mam_gk_installer_preapproved.enc", "ZmFsc2U=");
Deleted : user_pref("CT3303000.mam_gk_lastLoginTime.enc", "MTM3MTMyNTQ3MjY4Nw==");
Deleted : user_pref("CT3303000.mam_gk_localization.enc", "eyJnYWRnZXRDb250ZW50UG9saWN5Ijp7IlRleHQiOiJDb250ZW50[...]
Deleted : user_pref("CT3303000.mam_gk_pgUnloadedOnce.enc", "dHJ1ZQ==");
Deleted : user_pref("CT3303000.mam_gk_settings1.8.0.4.enc", "eyJTdGF0dXMiOiJzdWNjZWVkZWQiLCJEYXRhIjp7ImludGVyd[...]
Deleted : user_pref("CT3303000.mam_gk_showCloseButton.enc", "dHJ1ZQ==");
Deleted : user_pref("CT3303000.mam_gk_showWelcomeGadget.enc", "ZmFsc2U=");
Deleted : user_pref("CT3303000.mam_gk_userId.enc", "N2JmZmFlNDItM2QwZC00M2UzLTk5YzUtNDliYmNmNjEzNDFj");
Deleted : user_pref("CT3303000.mam_gk_user_approval_interacted.enc", "MQ==");
Deleted : user_pref("CT3303000.migrateAppsAndComponents", true);
Deleted : user_pref("CT3303000.navigationAliasesJson", "{\"EB_MAIN_FRAME_URL\":\"hxxp%3A%2F%2Fwww.google.com%2[...]
Deleted : user_pref("CT3303000.openThankYouPage", "false");
Deleted : user_pref("CT3303000.openUninstallPage", "true");
Deleted : user_pref("CT3303000.originalHomepage", "about:home");
Deleted : user_pref("CT3303000.originalSearchAddressUrl", "");
Deleted : user_pref("CT3303000.originalSearchEngine", "");
Deleted : user_pref("CT3303000.revertSettingsEnabled", "false");
Deleted : user_pref("CT3303000.search.searchAppId", "130136188917021865");
Deleted : user_pref("CT3303000.search.searchCount", "0");
Deleted : user_pref("CT3303000.searchFromAddressBarEnabledByUser", "true");
Deleted : user_pref("CT3303000.searchInNewTabEnabledByUser", "true");
Deleted : user_pref("CT3303000.searchInNewTabEnabledInHidden", "true");
Deleted : user_pref("CT3303000.searchRevert", "false");
Deleted : user_pref("CT3303000.searchUserMode", "2");
Deleted : user_pref("CT3303000.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT3303000.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"d[...]
Deleted : user_pref("CT3303000.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"4\[...]
Deleted : user_pref("CT3303000.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"d[...]
Deleted : user_pref("CT3303000.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"strin[...]
Deleted : user_pref("CT3303000.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"strin[...]
Deleted : user_pref("CT3303000.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data[...]
Deleted : user_pref("CT3303000.serviceLayer_services_appTrackingFirstTime_lastUpdate", "1371219135188");
Deleted : user_pref("CT3303000.serviceLayer_services_appsMetadata_lastUpdate", "1371325466087");
Deleted : user_pref("CT3303000.serviceLayer_services_gottenAppsContextMenu_lastUpdate", "1371219135075");
Deleted : user_pref("CT3303000.serviceLayer_services_installUsage_ToolbarInstallEarly_lastUpdate", "1371219133[...]
Deleted : user_pref("CT3303000.serviceLayer_services_installUsage_ToolbarInstall_lastUpdate", "1371219135533")[...]
Deleted : user_pref("CT3303000.serviceLayer_services_location_lastUpdate", "1371325581426");
Deleted : user_pref("CT3303000.serviceLayer_services_login_10.16.2.9_lastUpdate", "1371328743514");
Deleted : user_pref("CT3303000.serviceLayer_services_otherAppsContextMenu_lastUpdate", "1371219134918");
Deleted : user_pref("CT3303000.serviceLayer_services_searchAPI_lastUpdate", "1371325578876");
Deleted : user_pref("CT3303000.serviceLayer_services_serviceMap_lastUpdate", "1371325578271");
Deleted : user_pref("CT3303000.serviceLayer_services_toolbarContextMenu_lastUpdate", "1371219134839");
Deleted : user_pref("CT3303000.serviceLayer_services_toolbarSettings_lastUpdate", "1371325465689");
Deleted : user_pref("CT3303000.serviceLayer_services_translation_lastUpdate", "1371325578400");
Deleted : user_pref("CT3303000.settingsINI", true);
Deleted : user_pref("CT3303000.shouldFirstTimeDialog", "false");
Deleted : user_pref("CT3303000.showToolbarPermission", "false");
Deleted : user_pref("CT3303000.smartbar.CTID", "CT3303000");
Deleted : user_pref("CT3303000.smartbar.Uninstall", "0");
Deleted : user_pref("CT3303000.smartbar.homepage", "true");
Deleted : user_pref("CT3303000.smartbar.isHidden", true);
Deleted : user_pref("CT3303000.smartbar.toolbarName", "Vafmusic7 ");
Deleted : user_pref("CT3303000.startPage", "true");
Deleted : user_pref("CT3303000.toolbarBornServerTime", "14-6-2013");
Deleted : user_pref("CT3303000.toolbarCurrentServerTime", "15-6-2013");
Deleted : user_pref("CT3303000.toolbarLoginClientTime", "Fri Jun 14 2013 10:12:15 GMT-0400 (Eastern Standard T[...]
Deleted : user_pref("CT3303000.versionFromInstaller", "10.16.2.9");
Deleted : user_pref("CT3303000_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\"[...]
Deleted : user_pref("Smartbar.ConduitHomepagesList", "");
Deleted : user_pref("Smartbar.ConduitSearchEngineList", "");
Deleted : user_pref("Smartbar.ConduitSearchUrlList", "");
Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3303000");
Deleted : user_pref("browser.newtab.url", "hxxp://www1.delta-search.com/?affID=119351&tt=gc_&babsrc=NT_ss&mntr[...]
Deleted : user_pref("browser.search.defaultthis.engineName", "Vafmusic7 Customized Web Search");
Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3303000&CUI[...]
Deleted : user_pref("extensions.delta.admin", false);
Deleted : user_pref("extensions.delta.aflt", "babsst");
Deleted : user_pref("extensions.delta.appId", "{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}");
Deleted : user_pref("extensions.delta.autoRvrt", "false");
Deleted : user_pref("extensions.delta.dfltLng", "en");
Deleted : user_pref("extensions.delta.excTlbr", false);
Deleted : user_pref("extensions.delta.ffxUnstlRst", true);
Deleted : user_pref("extensions.delta.id", "20ea12a0000000000000001cc02bf00c");
Deleted : user_pref("extensions.delta.instlDay", "15843");
Deleted : user_pref("extensions.delta.instlRef", "sst");
Deleted : user_pref("extensions.delta.newTab", false);
Deleted : user_pref("extensions.delta.prdct", "delta");
Deleted : user_pref("extensions.delta.prtnrId", "delta");
Deleted : user_pref("extensions.delta.rvrt", "false");
Deleted : user_pref("extensions.delta.smplGrp", "none");
Deleted : user_pref("extensions.delta.tlbrId", "base");
Deleted : user_pref("extensions.delta.tlbrSrchUrl", "");
Deleted : user_pref("extensions.delta.vrsn", "1.8.21.0");
Deleted : user_pref("extensions.delta.vrsnTs", "1.8.21.014:57:00");
Deleted : user_pref("extensions.delta.vrsni", "1.8.21.0");
Deleted : user_pref("extensions.delta_i.babExt", "");
Deleted : user_pref("extensions.delta_i.babTrack", "affID=119351&tt=gc_");
Deleted : user_pref("extensions.delta_i.srcExt", "ss");
Deleted : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3303000&SearchSource=2&CU[...]
Deleted : user_pref("smartbar.addressBarOwnerCTID", "CT3303000");
Deleted : user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3303000&CUI=UN316590966[...]
Deleted : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT[...]
Deleted : user_pref("smartbar.defaultSearchOwnerCTID", "CT3303000");
Deleted : user_pref("smartbar.homePageOwnerCTID", "CT3303000");
Deleted : user_pref("smartbar.machineId", "DOAGUENMXS4ICGMRXYO/5DXKAWVYSIEV8RKOKOMMHVC8P7W5X++N/ZYFBCTVDRN0PF4[...]
Deleted : user_pref("smartbar.originalHomepage", "hxxp://search.conduit.com/?ctid=CT3303000&CUI=UN316590966218[...]
File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zidfj6b8.default\prefs.js
[OK] File is clean.
-\\ Opera v12.15.1748.0
File : C:\Documents and Settings\User one\Application Data\Opera\Opera\operaprefs.ini
[OK] File is clean.
*************************
AdwCleaner[s1].txt - [16602 octets] - [16/06/2013 10:01:40]
########## EOF - C:\AdwCleaner[s1].txt - [16663 octets] ##########
  22. Wife downloaded a bunch of malware that breezed through Trend Micro Titanium. Bought and ran MBAM, but cannot select "Enable Malicious Website Blocking" - I believe the PC is still infected. TIA for your help! attach.txt dds.txt
  23. All programs removed and updated. New firewall installed. Appears to be no known issues at the moment. Thank you so much for your help! YOU ROCK!
  24. Thank you yet again! It looks as if all programs re-appeared after running ComboFix, etc. The ESET Scanner found one last trojan file. I have not run any programs and have kept the infected computer offline out of paranoia - I use it most often for banking, tax work, etc. I keep data files on separate physical drives (internal F: or remote) which do not appear to have been affected and was waiting for an all clear before pulling up data files. In addition to running a Secunia scan and updating software, I plan on ditching the CA and migrating to Malware pro and Trend Micro Titanium (for firewall and anti-virus) - unless there is something else you would recommend? Appreciate your input! log.txt and checkup.txt follow-

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=7e6355b2de4f574eb4c676dffd0cfe1f
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-07-01 01:50:28
# local_time=2011-06-30 09:50:28 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=4864 16777215 100 0 97375222 97375222 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=118137
# found=1
# cleaned=1
# scan_time=2278
C:\System Volume Information\_restore{038BE3DB-E75A-4E10-A979-49F9C3E0412C}\RP918\A0076097.sys    Win32/Olmasco.E trojan (deleted - quarantined)    00000000000000000000000000000000    C

Results of screen317's Security Check version 0.99.17
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
ESET Online Scanner v3
CA Personal Firewall
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java 6 Update 21
Java 6 Update 7
Out of date Java installed!
Adobe Flash Player 9 (Out of date Flash Player installed!)
Adobe Flash Player 10.3.181.22
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check: objlist.exe by Laurent
``````````End of Log````````````
  25. Posted wrong MBAM log - this is the correct one - SORRY....

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org
Database version: 6955
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
6/26/2011 6:19:30 PM
mbam-log-2011-06-26 (18-19-30).txt
Scan type: Quick scan
Objects scanned: 173831
Time elapsed: 7 minute(s), 39 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hidec.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pev.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swreg.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swsc.exe (Security.Hijack) -> Quarantined and deleted successfully.
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)