Re-post - PUM.Disabled.SecurityCenter

domer7 · May 5, 2013

Hello,

I just cleaned up my computer from a series of issues witht he help from Geeks to Go support staff. One recommendation was to upgrade tothe paid version of MBAM which I did yesterday and then did a Quick Scan. Scan results found:

Registry Data Items Detected: 3

HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Ran another scan - came up clean. Today, I logged on to my computer and ran aMBAM scan immediately - came up clean. Opened IE and Norton showed disabled Intrusion Prevention. Ran another MBAM scan and found:

Registry Data Items Detected: 1

HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Can I prevent the recurring issue? Does this have to do with having the Windows firewall disabled due to having Norton and an AT&T modem - both of which are supposed to have firewall? I was told the Window Security Firewall should be disabled to improve processing performance.

Suggestions?

Thanks,

domer

domer7 · May 10, 2013

Hello,

I am still getting NIS Intrusion Protection being disabled. I have run Malware Bytes Pro and Hijack This scans - Attached below. They do not seem to find anything. Also downloaded dds script. It started to run - got the DOS screen, but then never completed with posted logs. Next steps.....?

MBAM Log

Malwarebytes Anti-Malware (PRO) 1.75.0.1300

www.malwarebytes.org

Database version: v2013.05.10.04

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Steve & Anita :: HOMEMAIN [administrator]

Protection: Enabled

5/10/2013 8:36:57 AM

mbam-log-2013-05-10 (08-36-57).txt

Scan type: Quick scan

Scan options disabled: P2P

Objects scanned: 288907

Time elapsed: 11 minute(s), 52 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Hijack This Log

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 11:34:26 AM, on 5/10/2013

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\GEARSec.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe

C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Steve & Anita\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.focusonthefamily.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\IPS\IPSBHO.DLL

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dll

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-21-682003330-507921405-725345543-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk

O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {82E5DF24-51E8-47CD-864A-F4BD5005AA73} (iCloud Web App Plugin) - https://www.icloud.com/system/iCloud.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010\RpcAgentSrv.exe

O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1a\Win32\RpcDataSrv.exe

O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1a\RpcSandraSrv.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

--

End of file - 9222 bytes

Thanks,

domer

Maurice Naggar · May 11, 2013

Hello Domer7 and welcome to MalwareBytes forum.

Download DDS and save it to your desktop from http://download.blee...om/sUBs/dds.com here

or http://download.blee...om/sUBs/dds.scr or

http://www.infospyware.net/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Double click dds to run the tool.

DDS will run in a command prompt window and will take 3 to 4 minutes or so.

Follow and answer the prompts as appropriate.

When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop.

Please Copy & Paste contents of the following logs in your next reply:

DDS.txt

Attach.txt

Use NOTEPAD to Copy all contents of each log, then Paste directly into main-body of reply box.

Do -not- use the attach option unless a single log is way-too-large & won't fit.

Download Security Check by screen317 from >>here<<.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

domer7 · May 11, 2013

Hello Maurice,

First, thank you for the help!

I have downloaded dds and tried to run it several times - the DOS box opens, the file starts to run, but never generates the two txt files

I downloaded Security Check and ran it. The checkup.txt notepad was blank.

Next steps?

domer

Maurice Naggar · May 11, 2013

Do as much as possible of the following.

Task 1

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Please download Rkill by Grinler and save it to your desktop.

Link 2
Link 3
Link 4
Double-click on the Rkill desktop icon to run the tool.
If using Vista or Windows 7, right-click on it and Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.
If your antivirus program gives a prompt message, respond positive to allow RKILL to run.
If a malware-rogue gives a message regarding RKILL, proceed forward to running RKILL

IF you still have a problem running RKILL, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

When all done, rkill.txt log file will be on your desktop. Copy & Paste contents of Rkill.txt into a reply.

More Information about Rkill can be found at this link: http://www.bleepingcomputer.com/forums/topic308364.html

Task 2

Turn OFF Norton Internet Security so that it does not interfere with the running of DDS.

It is highly likely that NIS is blocking the running of "scripts" and thus blocking DDS.

Download & SAVE to your Desktop Tigzy's RogueKiller >> from here << or
>> from here <<
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7 / 8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on Scan button at upper right of screen.
Wait until the Status box shows "Scan Finished"
Click on Report and copy/paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop
Do NOT press any Fix button.
Exit/Close RogueKiller

Task 3

Now run DDS and copy > paste the 2 logs inline.

Maurice Naggar · May 11, 2013

P.S. You need to click on Follow This topic button at top right, and select Immediate Notification.

domer7 · May 11, 2013

Hello again Maurice,

I was able to download and run both Rkill and RogueKiller. Logs attached below. When running RKill, the DOS box did not disappear, but a pop-up box came up indicating completion of the process and logs were generated.

DDS still will not run to completion. NIS Anti-Virus auto protect is turned off and I exited out of MBAM.

RKill Log

Rkill 2.4.7 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

More Information about Rkill can be found at this link:

http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 05/11/2013 02:28:34 PM in x86 mode.

Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\WINDOWS\System32\GEARSec.exe (PID: 1084) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [incorrect ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 05/11/2013 02:29:15 PM

Execution time: 0 hours(s), 0 minute(s), and 41 seconds(s)

Rogue Killer Log

Rkill 2.4.7 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

More Information about Rkill can be found at this link:

http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 05/11/2013 02:28:34 PM in x86 mode.

Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\WINDOWS\System32\GEARSec.exe (PID: 1084) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [incorrect ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 05/11/2013 02:29:15 PM

Execution time: 0 hours(s), 0 minute(s), and 41 seconds(s)

Thanks Maurice!

domer

Maurice Naggar · May 11, 2013

Look very ....v e r y closely The Roguekiller log should be found in RKreport[1].txt on your Desktop

I must have a copy of it. What you posted was two copies of the Rkill log.

PLUS

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

Close all open windows on the Task Bar. Click the icon (for Vista, or Windows 7 or 8 Right click the icon and Run as Administrator) to start the program.
In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
Exit OTL by clicking the X at top right.

Download Security Check by screen317 and save it to your Desktop: here

Run Security Check
Follow the onscreen instructions inside of the command window.
A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

Then copy/paste the following into your post (in order):

the contents of OTL.txt;
the contents of Extras.txt ; and
the contents of checkup.txt

Be sure to do a Preview prior to pressing Add Reply because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Edited May 11, 2013 by Maurice Naggar

domer7 · May 11, 2013

OOps, sorry about that.

Roguekiller log

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Steve & Anita [Admin rights]

Mode : Scan -- Date : 05/11/2013 14:33:22

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤

[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[12] : NtAlertResumeThread @ 0x805CB024 -> HOOKED (Unknown @ 0x88FA4E90)

SSDT[13] : NtAlertThread @ 0x805CAFD4 -> HOOKED (Unknown @ 0x88FA4F70)

SSDT[17] : NtAllocateVirtualMemory @ 0x8059DF54 -> HOOKED (Unknown @ 0x88FA9E28)

SSDT[19] : NtAssignProcessToJobObject @ 0x805CCB02 -> HOOKED (Unknown @ 0x88FA4638)

SSDT[31] : NtConnectPort @ 0x80599A7E -> HOOKED (Unknown @ 0x89334170)

SSDT[43] : NtCreateMutant @ 0x8060E40A -> HOOKED (Unknown @ 0x88FA4BE0)

SSDT[52] : NtCreateSymbolicLinkObject @ 0x805B9752 -> HOOKED (Unknown @ 0x88F28D80)

SSDT[53] : NtCreateThread @ 0x805C73DE -> HOOKED (Unknown @ 0x88F43860)

SSDT[57] : NtDebugActiveProcess @ 0x8063A956 -> HOOKED (Unknown @ 0x88FA4718)

SSDT[68] : NtDuplicateObject @ 0x805B3A0C -> HOOKED (Unknown @ 0x88FA9F80)

SSDT[83] : NtFreeVirtualMemory @ 0x805A85AE -> HOOKED (Unknown @ 0x88FA9C20)

SSDT[89] : NtImpersonateAnonymousToken @ 0x805EF7E6 -> HOOKED (Unknown @ 0x88FA4CD0)

SSDT[91] : NtImpersonateThread @ 0x805CDC9A -> HOOKED (Unknown @ 0x88FA4DB0)

SSDT[97] : NtLoadDriver @ 0x80579714 -> HOOKED (Unknown @ 0x89335978)

SSDT[108] : NtMapViewOfSection @ 0x805A762E -> HOOKED (Unknown @ 0x88FA9B20)

SSDT[114] : NtOpenEvent @ 0x80605E7E -> HOOKED (Unknown @ 0x88FA4B00)

SSDT[122] : NtOpenProcess @ 0x805C1462 -> HOOKED (Unknown @ 0x88F43788)

SSDT[123] : NtOpenProcessToken @ 0x805E448C -> HOOKED (Unknown @ 0x88F24C38)

SSDT[125] : NtOpenSection @ 0x8059F8B6 -> HOOKED (Unknown @ 0x88FA4940)

SSDT[128] : NtOpenThread @ 0x805C16EE -> HOOKED (Unknown @ 0x88F436B8)

SSDT[137] : NtProtectVirtualMemory @ 0x805ADBC6 -> HOOKED (Unknown @ 0x88F28E70)

SSDT[206] : NtResumeThread @ 0x805CAE60 -> HOOKED (Unknown @ 0x88FA95D0)

SSDT[213] : NtSetContextThread @ 0x805C9036 -> HOOKED (Unknown @ 0x88FA9870)

SSDT[228] : NtSetInformationProcess @ 0x805C3F20 -> HOOKED (Unknown @ 0x88FA9950)

SSDT[240] : NtSetSystemInformation @ 0x80606AD0 -> HOOKED (Unknown @ 0x88FA47F8)

SSDT[253] : NtSuspendProcess @ 0x805CAF28 -> HOOKED (Unknown @ 0x88FA4A20)

SSDT[254] : NtSuspendThread @ 0x805CAD9A -> HOOKED (Unknown @ 0x88FA96B0)

SSDT[257] : NtTerminateProcess @ 0x805C86EA -> HOOKED (Unknown @ 0x88F8A138)

SSDT[258] : NtTerminateThread @ 0x805C88E4 -> HOOKED (Unknown @ 0x88FA9790)

SSDT[267] : NtUnmapViewOfSection @ 0x805A8444 -> HOOKED (Unknown @ 0x88FA9A40)

SSDT[277] : NtWriteVirtualMemory @ 0x805A99CE -> HOOKED (Unknown @ 0x88FA9D10)

S_SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x887D53C8)

S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x887D5C08)

S_SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x887D5B28)

S_SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x887D58C8)

S_SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x887D59A8)

S_SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x887D6398)

S_SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x887D5E40)

S_SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x887D6488)

S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x887D5488)

S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x887D4D98)

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

domer7 · May 11, 2013

Maurice,

Here are the OTL logs. The Security Check log was blank once again.

One question - Do I disable NIS when running every scan or only when directed to? I have only been disabling the Anti-Virus Auto Protect for NIS and exiting MBAM when requested.

OTL log

OTL logfile created on: 5/11/2013 4:02:31 PM - Run 1

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Steve & Anita\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.12 Gb Available Physical Memory | 56.02% Memory free

3.85 Gb Paging File | 3.10 Gb Available in Paging File | 80.50% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 149.04 Gb Total Space | 88.08 Gb Free Space | 59.10% Space Free | Partition Type: NTFS

Computer Name: HOMEMAIN | User Name: Steve & Anita | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/05/11 15:57:17 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steve & Anita\Desktop\OTL.exe

PRC - [2013/04/04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

PRC - [2013/04/04 14:50:32 | 000,532,040 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

PRC - [2011/04/16 17:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\18.7.2.3\ccsvchst.exe

PRC - [2008/10/17 15:52:10 | 000,149,352 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE

PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2008/02/09 17:06:33 | 000,238,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

PRC - [2007/09/18 08:25:43 | 000,181,672 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton SystemWorks Basic Edition\Norton Utilities\Speed Disk\NOPDB.exe

PRC - [2005/11/03 20:08:02 | 000,095,832 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton SystemWorks Basic Edition\Norton Utilities\NPROTECT.EXE

PRC - [2004/11/10 11:44:30 | 001,273,856 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

========== Modules (No Company Name) ==========

MOD - [2011/11/02 00:26:32 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll

MOD - [2011/11/02 00:26:12 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll

MOD - [2005/06/28 13:59:48 | 000,053,248 | ---- | M] () -- C:\Program Files\ArcSoft\PhotoImpression 5\Share\PIHook.dll

MOD - [2003/06/04 23:40:48 | 000,761,856 | ---- | M] () -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpiscn.dll

MOD - [2003/06/04 10:37:54 | 000,147,456 | ---- | M] () -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqe3970.dll

========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe -- (Roxio Upnp Server 9)

SRV - File not found [Disabled | Stopped] -- C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe -- (Roxio UPnP Renderer 9)

SRV - [2013/04/28 15:14:54 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)

SRV - [2013/04/04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)

SRV - [2011/04/16 17:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe -- (NIS)

SRV - [2009/08/24 19:01:08 | 000,093,336 | ---- | M] (SiSoftware) [On_Demand | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010\RpcAgentSrv.exe -- (SandraAgentSrv)

SRV - [2008/10/17 15:52:10 | 000,149,352 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)

SRV - [2008/10/17 15:52:10 | 000,149,352 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)

SRV - [2008/08/04 11:20:16 | 003,220,856 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE -- (LiveUpdate)

SRV - [2008/07/11 23:32:17 | 001,245,064 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)

SRV - [2008/02/09 17:06:33 | 000,238,968 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)

SRV - [2008/01/29 16:09:02 | 000,394,704 | ---- | M] (Symantec, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- (Symantec RemoteAssist)

SRV - [2007/09/18 08:25:43 | 000,181,672 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton SystemWorks Basic Edition\Norton Utilities\Speed Disk\NOPDB.exe -- (Speed Disk service)

SRV - [2007/02/27 17:20:22 | 001,204,416 | ---- | M] (SiSoftware) [On_Demand | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1a\RpcSandraSrv.exe -- (SandraTheSrv)

SRV - [2007/02/27 17:19:14 | 000,123,064 | ---- | M] (SiSoftware) [On_Demand | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1a\Win32\RpcDataSrv.exe -- (SandraDataSrv)

SRV - [2005/11/03 20:08:02 | 000,095,832 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton SystemWorks Basic Edition\Norton Utilities\NPROTECT.EXE -- (NProtectService)

SRV - [2004/11/10 11:44:30 | 001,273,856 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe -- (Norton Ghost)

SRV - [2004/11/10 10:41:20 | 000,053,248 | ---- | M] (GEAR Software) [Auto | Stopped] -- C:\WINDOWS\system32\gearsec.exe -- (GEARSecurity)

========== Driver Services (SafeList) ==========

DRV - File not found [File_System | System | Stopped] -- -- (UDFReadr)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\SYMNDIS.SYS -- (SYMNDIS)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\SYMIDS.SYS -- (SYMIDS)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\SYMFW.SYS -- (SYMFW)

DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS -- (MRENDIS5)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS -- (MREMPR5)

DRV - File not found [Kernel | System | Stopped] -- -- (Cdralw2k)

DRV - File not found [Kernel | System | Stopped] -- -- (Cdr4_xp)

DRV - [2013/04/12 16:53:06 | 001,000,024 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\BASHDefs\20130502.001\BHDrvx86.sys -- (BHDrvx86)

DRV - [2013/04/04 14:50:32 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)

DRV - [2013/01/18 20:03:52 | 001,603,824 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\VirusDefs\20130510.022\NAVEX15.SYS -- (NAVEX15)

DRV - [2013/01/18 20:03:52 | 000,093,296 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\VirusDefs\20130510.022\NAVENG.SYS -- (NAVENG)

DRV - [2012/08/31 17:27:25 | 000,373,728 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\IPSDefs\20130510.001\IDSXpx86.sys -- (IDSxpx86)

DRV - [2012/08/08 22:07:53 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)

DRV - [2012/08/08 22:07:53 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)

DRV - [2011/07/19 23:08:51 | 000,126,584 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)

DRV - [2011/04/20 18:37:49 | 000,369,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1207020.003\symtdi.sys -- (SYMTDI)

DRV - [2011/03/30 20:00:09 | 000,516,216 | R--- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1207020.003\srtsp.sys -- (SRTSP)

DRV - [2011/03/30 20:00:09 | 000,050,168 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1207020.003\srtspx.sys -- (SRTSPX)

DRV - [2011/03/14 19:31:23 | 000,744,568 | R--- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1207020.003\symefa.sys -- (SymEFA)

DRV - [2011/01/26 23:47:10 | 000,340,088 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1207020.003\symds.sys -- (SymDS)

DRV - [2011/01/26 22:07:05 | 000,136,312 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1207020.003\ironx86.sys -- (SymIRON)

DRV - [2009/12/30 10:20:56 | 000,027,064 | ---- | M] (VS Revo Group) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\revoflt.sys -- (Revoflt)

DRV - [2009/08/14 06:45:24 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)

DRV - [2009/08/14 06:45:24 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)

DRV - [2009/06/30 10:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)

DRV - [2009/06/17 09:56:32 | 000,028,560 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LUsbFilt.sys -- (LUsbFilt)

DRV - [2009/06/17 09:56:16 | 000,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)

DRV - [2009/06/17 09:56:06 | 000,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)

DRV - [2009/06/17 09:55:18 | 000,020,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd)

DRV - [2008/09/05 14:31:42 | 000,447,024 | ---- | M] (Symantec Corporation) [Kernel | Disabled | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)

DRV - [2008/07/02 21:50:17 | 000,010,344 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)

DRV - [2006/10/10 06:17:57 | 000,081,780 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NPDRIVER.SYS -- (NPDriver)

DRV - [2006/05/03 09:50:42 | 001,540,608 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)

DRV - [2005/11/03 19:43:42 | 000,090,272 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SdDriver.SYS -- (SDdriver)

DRV - [2005/05/20 16:01:32 | 000,025,600 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidKE.Sys -- (LHidKe)

DRV - [2005/05/20 16:01:26 | 000,068,352 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouKE.Sys -- (LMouKE)

DRV - [2005/05/20 16:01:00 | 000,036,480 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidUsbK.sys -- (LHidUsbK)

DRV - [2005/05/20 16:00:48 | 000,054,528 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\L8042mou.Sys -- (L8042mou)

DRV - [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)

DRV - [2004/11/10 11:49:56 | 000,046,800 | ---- | M] (PowerQuest Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\PQIMount.sys -- (PQIMount)

DRV - [2004/11/10 11:30:20 | 000,138,801 | ---- | M] (StorageCraft) [File_System | Boot | Running] -- C:\WINDOWS\System32\drivers\PQV2i.sys -- (PQV2i)

DRV - [2004/10/07 18:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)

DRV - [2004/08/18 16:21:00 | 000,189,568 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)

DRV - [2004/03/19 05:02:08 | 000,613,244 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM)

DRV - [2004/02/23 20:08:52 | 000,400,384 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)

DRV - [2003/12/19 02:00:00 | 000,006,656 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cinemsup.sys -- (Cinemsup)

DRV - [2003/10/31 04:22:38 | 000,077,312 | ---- | M] (VIA Technologies inc,.ltd) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\viasraid.sys -- (viasraid)

DRV - [2003/08/05 19:43:04 | 000,159,744 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\Fasttx2k.sys -- (fasttx2k)

DRV - [2003/04/19 02:32:04 | 000,004,736 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tandpl.sys -- (tandpl)

DRV - [2003/03/04 02:50:00 | 000,073,134 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouFlt2.Sys -- (LMouFlt2)

DRV - [2003/03/04 02:50:00 | 000,053,870 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042pr2.Sys -- (L8042pr2)

DRV - [2003/03/02 19:44:26 | 000,007,552 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\enodpl.sys -- (enodpl)

DRV - [2002/10/15 22:41:06 | 000,102,220 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sonypvs1.sys -- (sonypvs1)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...referrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.focusonthefamily.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 14 A3 6F 2E 3C 3D CE 01 [binary data]

IE - HKCU\..\SearchScopes,DefaultScope = {F1F5A2C9-FFD1-4C0F-A7FE-57135955C4EE}

IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC

IE - HKCU\..\SearchScopes\{F1F5A2C9-FFD1-4C0F-A7FE-57135955C4EE}: "URL" = http://www.google.co...{outputEncoding?}

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll ()

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Motive, Inc.)

FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Steve & Anita\Application Data\Move Networks\plugins\npqmp071505000010.dll (Move Networks)

FF - HKLM\Software\MozillaPlugins\@pandasecurity.com/activescan: C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll (Panda Security)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Steve & Anita\Application Data\Move Networks\plugins\npqmp071505000010.dll (Move Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2009/11/17 11:00:17 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\IPSFFPlgn\ [2012/02/04 15:34:43 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\coFFPlgn_2011_7_13_2 [2013/05/11 12:31:38 | 000,000,000 | ---D | M]

FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\moveplayer@movenetworks.com: C:\Documents and Settings\Steve & Anita\Application Data\Move Networks [2009/09/29 15:08:42 | 000,000,000 | ---D | M]

[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)

CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}

CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}

CHR - homepage: http://www.google.com

CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\26.0.1410.64\PepperFlash\pepflashplayer.dll

CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer

CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\26.0.1410.64\ppGoogleNaClPluginChrome.dll

CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\26.0.1410.64\pdf.dll

CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll

CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll

CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll

CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll

CHR - plugin: Move Streaming Media Player (Enabled) = C:\Documents and Settings\Steve & Anita\Application Data\Move Networks\plugins\npqmp071505000010.dll

CHR - plugin: Motive Plugin (Enabled) = C:\Program Files\Common Files\Motive\npMotive.dll

CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll

CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll

CHR - plugin: Panda ActiveScan 2.0 (Enabled) = C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll

CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll

CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll

CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll

CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

CHR - Extension: Google Docs = C:\Documents and Settings\Steve & Anita\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.0.0.6_0\

CHR - Extension: Google Docs = C:\Documents and Settings\Steve & Anita\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0\

CHR - Extension: Google Drive = C:\Documents and Settings\Steve & Anita\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\

CHR - Extension: Google Drive = C:\Documents and Settings\Steve & Anita\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\

CHR - Extension: YouTube = C:\Documents and Settings\Steve & Anita\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\

CHR - Extension: YouTube = C:\Documents and Settings\Steve & Anita\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\

CHR - Extension: Google Search = C:\Documents and Settings\Steve & Anita\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\

CHR - Extension: Google Search = C:\Documents and Settings\Steve & Anita\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\

CHR - Extension: Gmail = C:\Documents and Settings\Steve & Anita\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2013/04/19 13:19:50 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\coieplg.dll (Symantec Corporation)

O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\ips\ipsbho.dll (Symantec Corporation)

O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found

O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\coieplg.dll (Symantec Corporation)

O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.

O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {00000000-0000-0000-0000-000000000000} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\coieplg.dll (Symantec Corporation)

O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE (Symantec Corporation)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O9 - Extra Button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk ()

O9 - Extra 'Tools' menuitem : Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk ()

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O15 - HKCU\..Trusted Domains: vetcentric.com ([]https in Trusted sites)

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...n/ieawsdc32.cab (Microsoft Office Template and Media Control)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)

O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} https://support.micr...ActiveX/odc.cab (Microsoft PID Sniffer)

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.s...abs/tgctlsr.cab (Reg Error: Key error.)

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail....es/MSNPUpld.cab (MSN Photo Upload Tool)

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symant...ex/symdlmgr.cab (Symantec Download Manager)

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)

O16 - DPF: {82E5DF24-51E8-47CD-864A-F4BD5005AA73} https://www.icloud.c...stem/iCloud.cab (iCloud Web App Plugin)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6CE2CB9D-B559-4F0C-AEA9-3F0D829E0F77}: DhcpNameServer = 192.168.1.254

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/04/09 18:31:37 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/05/11 15:57:15 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Steve & Anita\Desktop\OTL.exe

[2013/05/11 14:36:00 | 000,688,779 | R--- | C] (Swearware) -- C:\Documents and Settings\Steve & Anita\Desktop\dds.pif

[2013/05/11 14:31:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Steve & Anita\Desktop\RK_Quarantine

[2013/05/11 14:22:46 | 001,752,992 | ---- | C] (Bleeping Computer, LLC) -- C:\Documents and Settings\Steve & Anita\Desktop\rkill.com

[2013/04/28 15:37:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Steve & Anita\Application Data\FastStone

[2013/04/28 15:36:27 | 000,000,000 | ---D | C] -- C:\Program Files\FastStone Image Viewer

[2013/04/28 15:36:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\FastStone Image Viewer

[2013/04/24 10:35:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Steve & Anita\My Documents\Contacts

[2013/04/19 18:30:25 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Steve & Anita\Desktop\HijackThis.exe

[2013/04/19 18:01:18 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Steve & Anita\Recent

[2013/04/19 18:00:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome

[2013/04/19 17:58:48 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner

[2013/04/19 17:13:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Steve & Anita\Local Settings\Application Data\VS Revo Group

[2013/04/19 17:13:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\VS Revo Group

[2013/04/19 17:13:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Revo Uninstaller Pro

[2013/04/19 17:13:05 | 000,027,064 | ---- | C] (VS Revo Group) -- C:\WINDOWS\System32\drivers\revoflt.sys

[2013/04/19 17:13:03 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group

[2013/04/17 21:02:42 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2013/04/16 14:03:37 | 000,000,000 | ---D | C] -- C:\Program Files\WinZip

[2013/04/15 08:52:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2011/12/27 13:36:56 | 069,341,552 | ---- | C] (Apple Inc.) -- C:\Program Files\iTunesSetup.exe

========== Files - Modified Within 30 Days ==========

[2013/05/11 16:11:03 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2013/05/11 16:00:59 | 000,890,825 | ---- | M] () -- C:\Documents and Settings\Steve & Anita\Desktop\SecurityCheck.exe

[2013/05/11 15:57:53 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Steve & Anita\Desktop\Microsoft Office Word 2007.lnk

[2013/05/11 15:57:17 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steve & Anita\Desktop\OTL.exe

[2013/05/11 14:45:40 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job

[2013/05/11 14:36:02 | 000,688,779 | R--- | M] (Swearware) -- C:\Documents and Settings\Steve & Anita\Desktop\dds.pif

[2013/05/11 14:23:50 | 000,816,128 | ---- | M] () -- C:\Documents and Settings\Steve & Anita\Desktop\RogueKiller.exe

[2013/05/11 14:22:52 | 001,752,992 | ---- | M] (Bleeping Computer, LLC) -- C:\Documents and Settings\Steve & Anita\Desktop\rkill.com

[2013/05/11 14:14:48 | 000,773,002 | ---- | M] () -- C:\Documents and Settings\Steve & Anita\Desktop\SF Contact Prescription 2013.jpg

[2013/05/11 12:33:54 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2013/05/11 12:32:02 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2013/05/11 12:30:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2013/05/10 14:32:35 | 002,682,648 | ---- | M] () -- C:\Documents and Settings\Steve & Anita\Desktop\SF Relo Agreement.jpg

[2013/05/10 14:30:26 | 001,145,803 | ---- | M] () -- C:\Documents and Settings\Steve & Anita\Desktop\SF Relo Form.jpg

[2013/05/10 11:34:26 | 000,009,223 | ---- | M] () -- C:\Documents and Settings\Steve & Anita\Desktop\hijackthis log 5-10-13

[2013/05/10 10:33:16 | 000,000,550 | ---- | M] () -- C:\WINDOWS\tasks\Norton Internet Security - Steve & Anita - Full System Scan.job

[2013/05/03 11:22:29 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk

[2013/05/01 15:13:58 | 000,000,312 | ---- | M] () -- C:\Documents and Settings\Steve & Anita\My Documents\spider.sav

[2013/04/29 12:50:51 | 000,000,278 | ---- | M] () -- C:\WINDOWS\hpqcopy.INI

[2013/04/29 10:07:27 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Steve & Anita\Desktop\Microsoft Office Excel 2007.lnk

[2013/04/28 15:36:29 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\FastStone Image Viewer.lnk

[2013/04/28 15:14:53 | 000,691,592 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe

[2013/04/28 15:14:52 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl

[2013/04/27 14:29:01 | 000,354,201 | ---- | M] () -- C:\Documents and Settings\Steve & Anita\My Documents\DPE.DUS

[2013/04/27 14:21:19 | 000,071,003 | -H-- | M] () -- C:\Documents and Settings\Steve & Anita\My Documents\hpothb07.tif

[2013/04/22 11:49:54 | 000,003,394 | ---- | M] () -- C:\Documents and Settings\Steve & Anita\Desktop\attachments_2013_04_22.zip

[2013/04/22 09:25:53 | 000,198,552 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2013/04/19 18:30:26 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Steve & Anita\Desktop\HijackThis.exe

[2013/04/19 18:25:16 | 000,001,831 | ---- | M] () -- C:\Documents and Settings\Steve & Anita\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

[2013/04/19 18:00:16 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk

[2013/04/19 13:19:50 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2013/04/17 21:02:51 | 000,000,327 | RHS- | M] () -- C:\boot.ini

[2013/04/14 16:56:44 | 000,796,114 | ---- | M] () -- C:\Documents and Settings\Steve & Anita\My Documents\CAReturn2012.pdf

[2013/04/13 16:47:41 | 000,611,475 | ---- | M] () -- C:\Documents and Settings\Steve & Anita\My Documents\CAReturn540Schedule2012.pdf

[2013/04/12 08:56:05 | 001,072,544 | ---- | M] () -- C:\WINDOWS\System32\nvdrsdb0.bin

[2013/04/12 08:56:05 | 000,000,001 | ---- | M] () -- C:\WINDOWS\System32\nvdrssel.bin

[2013/04/12 08:55:32 | 001,072,544 | ---- | M] () -- C:\WINDOWS\System32\nvdrsdb1.bin

[2013/04/12 08:55:31 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\nvdrswr.lk

[2013/04/12 08:49:23 | 000,196,687 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml

[2013/04/11 18:50:02 | 002,123,870 | ---- | M] () -- C:\Documents and Settings\Steve & Anita\My Documents\Teeny Lamothe Interview - Cherry Pie Recipes.mht

========== Files Created - No Company Name ==========

[2013/05/11 14:23:47 | 000,816,128 | ---- | C] () -- C:\Documents and Settings\Steve & Anita\Desktop\RogueKiller.exe

[2013/05/11 14:14:48 | 000,773,002 | ---- | C] () -- C:\Documents and Settings\Steve & Anita\Desktop\SF Contact Prescription 2013.jpg

[2013/05/11 07:52:41 | 000,890,825 | ---- | C] () -- C:\Documents and Settings\Steve & Anita\Desktop\SecurityCheck.exe

[2013/05/10 14:30:26 | 001,145,803 | ---- | C] () -- C:\Documents and Settings\Steve & Anita\Desktop\SF Relo Form.jpg

[2013/05/10 14:29:45 | 002,682,648 | ---- | C] () -- C:\Documents and Settings\Steve & Anita\Desktop\SF Relo Agreement.jpg

[2013/05/10 11:34:26 | 000,009,223 | ---- | C] () -- C:\Documents and Settings\Steve & Anita\Desktop\hijackthis log 5-10-13

[2013/05/03 11:22:29 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk

[2013/04/28 15:36:28 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\FastStone Image Viewer.lnk

[2013/04/22 11:49:45 | 000,003,394 | ---- | C] () -- C:\Documents and Settings\Steve & Anita\Desktop\attachments_2013_04_22.zip

[2013/04/20 18:36:27 | 000,354,201 | ---- | C] () -- C:\Documents and Settings\Steve & Anita\My Documents\DPE.DUS

[2013/04/19 18:00:16 | 000,001,831 | ---- | C] () -- C:\Documents and Settings\Steve & Anita\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

[2013/04/19 18:00:15 | 000,001,813 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk

[2013/04/19 17:56:46 | 000,000,900 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2013/04/19 17:56:45 | 000,000,896 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2013/04/19 17:45:22 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader XI.lnk

[2013/04/17 21:02:51 | 000,000,211 | ---- | C] () -- C:\Boot.bak

[2013/04/17 21:02:48 | 000,260,272 | RHS- | C] () -- C:\cmldr

[2013/04/13 16:47:41 | 000,611,475 | ---- | C] () -- C:\Documents and Settings\Steve & Anita\My Documents\CAReturn540Schedule2012.pdf

[2013/04/13 16:39:07 | 000,796,114 | ---- | C] () -- C:\Documents and Settings\Steve & Anita\My Documents\CAReturn2012.pdf

[2013/04/12 08:55:32 | 001,072,544 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin

[2013/04/12 08:55:32 | 001,072,544 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin

[2013/04/12 08:55:31 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin

[2013/04/12 08:55:31 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\nvdrswr.lk

[2013/04/11 18:49:55 | 002,123,870 | ---- | C] () -- C:\Documents and Settings\Steve & Anita\My Documents\Teeny Lamothe Interview - Cherry Pie Recipes.mht

[2013/02/08 05:03:08 | 002,816,504 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data

[2012/02/28 19:48:50 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll

[2011/03/06 17:14:14 | 000,000,329 | ---- | C] () -- C:\Documents and Settings\Steve & Anita\Application Data\burnaware.ini

[2011/01/03 22:15:25 | 000,001,534 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ss.ini

[2010/10/27 20:27:44 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\Steve & Anita\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini

[2010/10/27 20:22:43 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini

[2010/08/07 19:48:43 | 000,000,064 | ---- | C] () -- C:\Documents and Settings\Steve & Anita\default.pls

[2010/07/04 13:22:27 | 008,892,928 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\atscie.msi

[2010/01/07 00:41:44 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Steve & Anita\Local Settings\Application Data\imageCache8_UNI.db

[2009/12/17 12:28:46 | 012,177,408 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sandra.mda

[2009/12/06 13:25:47 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Steve & Anita\Application Data\DMX.bmk

[2009/12/04 08:41:42 | 000,315,692 | ---- | C] () -- C:\Documents and Settings\Steve & Anita\Local Settings\Application Data\rx_image.Cache

[2008/07/11 23:30:45 | 000,006,568 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate

[2007/03/09 20:39:09 | 000,000,120 | ---- | C] () -- C:\Documents and Settings\Steve & Anita\Application Data\FixVTS.ini

[2007/02/08 20:31:55 | 016,133,564 | ---- | C] () -- C:\Documents and Settings\Steve & Anita\Local Settings\Application Data\imageCache7.db

[2006/04/14 21:25:15 | 000,335,360 | ---- | C] () -- C:\Documents and Settings\Steve & Anita\Local Settings\Application Data\audioCache8_UNI.db

[2006/04/11 20:49:42 | 000,003,135 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

[2006/04/10 21:57:23 | 000,064,512 | ---- | C] () -- C:\Documents and Settings\Steve & Anita\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2006/04/09 23:22:30 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Steve & Anita\Local Settings\Application Data\fusioncache.dat

========== ZeroAccess Check ==========

[2006/04/09 23:21:19 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

"" = %SystemRoot%\system32\shdocvw.dll -- [2009/12/21 22:21:02 | 001,509,888 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]

"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 05:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 17:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment

========== LOP Check ==========

[2012/05/24 21:52:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\18242

[2013/02/03 21:49:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1

[2011/03/19 21:20:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\312FD

[2012/11/08 23:26:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\3AEA

[2007/12/24 19:55:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Age of Empires 3

[2011/05/15 16:53:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ashampoo

[2009/11/16 13:17:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus

[2006/06/13 20:25:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund

[2007/03/22 21:44:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON

[2011/03/06 17:28:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iMesh

[2006/11/29 00:45:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MediaLife

[2009/05/03 13:44:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCSettings

[2010/03/20 21:19:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PhotoShow Shared Assets

[2010/03/20 21:57:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc

[2007/02/06 22:43:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems

[2010/03/20 21:37:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall

[2013/04/19 17:13:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\VS Revo Group

[2013/04/16 22:37:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip

[2011/12/27 13:41:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

[2011/05/01 17:07:29 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{8A4124D0-6AF6-4584-A7BF-4CDFECF4B129}

[2012/05/24 21:34:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve & Anita\Application Data\Ashampoo

[2010/01/12 11:18:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve & Anita\Application Data\Auslogics

[2013/04/19 18:01:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve & Anita\Application Data\Azureus

[2009/11/24 17:50:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve & Anita\Application Data\Backup MyPC Deluxe

[2010/03/31 14:17:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve & Anita\Application Data\ElevatedDiagnostics

[2006/04/09 23:22:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve & Anita\Application Data\IsolatedStorage

[2007/03/22 21:50:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve & Anita\Application Data\Leadertech

[2006/08/16 09:04:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve & Anita\Application Data\MediaLife

[2010/03/20 21:19:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve & Anita\Application Data\Simple Star

[2012/07/14 15:49:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve & Anita\Application Data\Tific

[2007/02/06 22:43:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve & Anita\Application Data\Ulead Systems

[2012/05/23 22:27:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve & Anita\Application Data\uTorrent

========== Purity Check ==========

< End of report >

Extras.txt in next reply

domer

domer7 · May 11, 2013

Extras.txt log

OTL Extras logfile created on: 5/11/2013 4:02:31 PM - Run 1

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Steve & Anita\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.12 Gb Available Physical Memory | 56.02% Memory free

3.85 Gb Paging File | 3.10 Gb Available in Paging File | 80.50% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 149.04 Gb Total Space | 88.08 Gb Free Space | 59.10% Space Free | Partition Type: NTFS

Computer Name: HOMEMAIN | User Name: Steve & Anita | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)

https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [browse with FastStone] -- "C:\Program Files\FastStone Image Viewer\FSViewer.exe" "%1" ()

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [Print_Directory_Listing] -- printdir.bat "%1" ()

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 1

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0965D484-1777-4BA5-8C3A-095A6B0D2696}_is1" = Driver Sweeper 1.5.5

"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics

"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel

"{0F429FF7-8C47-40D7-AF6F-D8B090233D04}" = Image Data Converter SR

"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate

"{1C08A24C-B168-407E-A826-68FAF5F20710}" = Age of Empires III - The WarChiefs

"{20C53FA2-4307-4671-A93F-9463B29DFCF1}" = Symantec Technical Support Web Controls

"{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}" = Logitech SetPoint

"{31478BE1-CDE5-4753-A8B2-F6D4BC1FBE09}" = Component Framework

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3BEBC95D-FDBA-480B-93E8-9B4E9E41733C}" = MapSend Topo 3D USA

"{3C759736-8347-4031-BB9C-D75ADFE6B101}" = Norton Ghost 9.0

"{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}" = ccCommon

"{459699C3-9430-4381-964B-4248D87B49F9}" = Apple Mobile Device Support

"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin

"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml

"{590D4F8F-98FE-47FA-AC2B-3F22FDCF7C09}" = ShareIns

"{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}" = Sony USB Driver

"{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1" = Revo Uninstaller Pro 3.0.2

"{6A7867BA-B7CA-4CC9-ACAB-85BA46865EE5}" = Norton Utilities

"{707D28BF-E145-4a9b-B97E-94FA586D05F3}" = Norton SystemWorks Basic Edition

"{72DF62BD-FF36-424E-AA5F-D89BAFF2C249}" = RollerCoaster Tycoon 2

"{77364F85-6219-4CB8-AAA0-6D53368D683D}" = Connection Keep Alive

"{77772678-817F-4401-9301-ED1D01A8DA56}" = SPBBC 32bit

"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update

"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour

"{796ADAFF-7C5B-4CED-BA11-55A3644F1E0D}" = HP Photo and Imaging 2.2 - Scanjet 3970 Series

"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX

"{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}" = Age of Empires III

"{7FCC4EDC-6EE2-4309-ABD7-85F2667A7B90}" = WebEx Support Manager for Internet Explorer

"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8FB495A1-4A3F-4C1D-BD27-3F3AB2E66763}" = iMesh

"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007

"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In

"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{92A40DC2-0ECD-4602-A79E-1DC53545C6EE}" = eXplorist Wizard

"{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}" = Norton Protection Center

"{9E23C48E-5483-4971-BA50-089F2FABCD66}" = Norton SystemWorks

"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT

"{A586D09E-1D2C-11D3-9A6B-00105A98B681}" = Microsoft Picture It! Express 2000

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AC76BA86-7AD7-1033-7B44-AB0000000001}" = Adobe Reader XI (11.0.02)

"{B0261E53-B6F1-474A-864B-E7C3CBF468E0}" = iTunes

"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR

"{B376402D-58EA-45EA-BD50-DD924EB67A70}" = HP Memories Disc

"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C3113E55-7BCB-4de3-8EBF-60E6CE6B2096}_is1" = SiSoftware Sandra Lite XI.SP1a (Win64/32/CE)

"{C3113E55-7BCB-4de3-8EBF-60E6CE6B2296}_is1" = SiSoftware Sandra Lite 2010

"{CA31120D-2101-484D-9FF1-195DE96FE346}" = Norton Cleanup

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CCE825DB-347A-4004-A186-5F4A6FDD8547}" = Apple Application Support

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D1725BDB-BA2B-4503-A8CB-F5C835D743FA}" = MSRedist

"{D433ABC3-0CD8-4BB0-B6A9-84501B4B47B7}" = ArcSoft PhotoImpression 5

"{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC}" = iPod for Windows 2005-09-23

"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility

"{DE1A361F-31DC-4AC5-ABBA-2323BC505880}" = LexarMedia ImageRescue Software

"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag

"{DF8195AF-8E6F-4487-A0EE-196F7E3F4B8A}" = COWON Media Center - jetAudio Basic VX

"{E80F62FF-5D3C-4A19-8409-9721F2928206}" = LiveUpdate (Symantec Corporation)

"{EA9FAF16-0E5C-42C4-9742-9AF8D5F6D69B}" = ATI Catalyst Control Center

"{FB55BB78-2BC2-43E9-80FF-517A8D1AE3AD}" = Norton SystemWorks

"{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}" = EPSON Print CD

"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

"ActiveScan 2.0" = Panda ActiveScan 2.0

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin

"Adobe Shockwave Player" = Adobe Shockwave Player 11.5

"All ATI Software" = ATI - Software Uninstall Utility

"Ashampoo Burning Studio 2010 Advanced_is1" = Ashampoo Burning Studio 2010 Advanced

"ATI Display Driver" = ATI Display Driver

"ATT-PRT22" = ATT-PRT22

"CCleaner" = CCleaner

"doPDF 6 printer_is1" = doPDF 6.3 printer

"DVD Decrypter" = DVD Decrypter (Remove Only)

"DVD Shrink_is1" = DVD Shrink 3.2

"EPSON Printer and Utilities" = EPSON Printer Software

"ERUNT_is1" = ERUNT 1.1j

"FastStone Image Viewer" = FastStone Image Viewer 4.8

"Google Chrome" = Google Chrome

"Greeting Card Creator 32" = Greeting Card Creator 32

"Heavenly Harmony_is1" = Heavenly Harmony 1.0.3

"HijackThis" = HijackThis 2.0.2

"HOMESTUDENTR" = Microsoft Office Home and Student 2007

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie8" = Windows Internet Explorer 8

"Impossible Creatures 1.0" = Impossible Creatures

"InstallShield_{1C08A24C-B168-407E-A826-68FAF5F20710}" = Age of Empires III - The WarChiefs

"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin

"InstallShield_{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}" = Age of Empires III

"InstallShield_{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC}" = iPod for Windows 2005-09-23

"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300

"Mavis Beacon Teaches Typing 16" = Mavis Beacon Teaches Typing 16

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Money Matters 2005" = Money Matters 2005

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"MSN Music Assistant" = MSN Music Assistant

"NIS" = Norton Internet Security

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"NVIDIA Drivers" = NVIDIA Drivers

"PestPatrol" = PestPatrol

"Pinball Arcade 1.0" = Microsoft Pinball Arcade

"PsuedoLiveUpdate" = LiveUpdate (Symantec Corporation)

"Referentia Learning System" = Referentia Learning System

"SetupPPUpdater" = SetupPPUpdater

"Silent Package Run-Time Sample" = EPSON Stylus Photo R260 User's Guide

"SymSetup.{707D28BF-E145-4a9b-B97E-94FA586D05F3}" = Norton SystemWorks (Symantec Corporation)

"The Basketball IntelliGym" = The Basketball IntelliGym

"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

"WIC" = Windows Imaging Component

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"Move Media Player" = Move Media Player

========== Last 20 Event Log Errors ==========

[ Application Events ]

Error - 5/6/2013 11:35:31 AM | Computer Name = HOMEMAIN | Source = WinMgmt | ID = 28

Description = WinMgmt could not initialize the core parts. This could be due to

a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient

disk space or insufficient memory.

Error - 5/6/2013 11:35:31 AM | Computer Name = HOMEMAIN | Source = SecurityCenter | ID = 1802

Description = The Windows Security Center Service was unable to establish event

queries with WMI to monitor third party AntiVirus and Firewall.

Error - 5/7/2013 12:21:59 PM | Computer Name = HOMEMAIN | Source = WinMgmt | ID = 28

Description = WinMgmt could not initialize the core parts. This could be due to

a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient

disk space or insufficient memory.

Error - 5/7/2013 12:21:59 PM | Computer Name = HOMEMAIN | Source = SecurityCenter | ID = 1802

Description = The Windows Security Center Service was unable to establish event

queries with WMI to monitor third party AntiVirus and Firewall.

Error - 5/10/2013 10:36:07 AM | Computer Name = HOMEMAIN | Source = WinMgmt | ID = 28

Description = WinMgmt could not initialize the core parts. This could be due to

a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient

disk space or insufficient memory.

Error - 5/10/2013 10:36:08 AM | Computer Name = HOMEMAIN | Source = SecurityCenter | ID = 1802

Description = The Windows Security Center Service was unable to establish event

queries with WMI to monitor third party AntiVirus and Firewall.

Error - 5/11/2013 10:31:04 AM | Computer Name = HOMEMAIN | Source = WinMgmt | ID = 28

Description = WinMgmt could not initialize the core parts. This could be due to

a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient

disk space or insufficient memory.

Error - 5/11/2013 10:31:04 AM | Computer Name = HOMEMAIN | Source = SecurityCenter | ID = 1802

Description = The Windows Security Center Service was unable to establish event

queries with WMI to monitor third party AntiVirus and Firewall.

Error - 5/11/2013 3:33:05 PM | Computer Name = HOMEMAIN | Source = WinMgmt | ID = 28

Description = WinMgmt could not initialize the core parts. This could be due to

a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient

disk space or insufficient memory.

Error - 5/11/2013 3:33:05 PM | Computer Name = HOMEMAIN | Source = SecurityCenter | ID = 1802

Description = The Windows Security Center Service was unable to establish event

queries with WMI to monitor third party AntiVirus and Firewall.

[ OSession Events ]

Error - 7/28/2011 2:51:55 PM | Computer Name = HOMEMAIN | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 0, Application Name: Microsoft Office Word, Application Version:

12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 259

seconds with 120 seconds of active time. This session ended with a crash.

[ System Events ]

Error - 4/15/2013 11:46:56 AM | Computer Name = HOMEMAIN | Source = Service Control Manager | ID = 7023

Description = The Computer Browser service terminated with the following error:

%%1060

Error - 4/15/2013 11:46:56 AM | Computer Name = HOMEMAIN | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

UDFReadr

Error - 4/15/2013 12:51:52 PM | Computer Name = HOMEMAIN | Source = Service Control Manager | ID = 7031

Description = The Symantec Event Manager service terminated unexpectedly. It has

done this 1 time(s). The following corrective action will be taken in 200 milliseconds:

Restart the service.

Error - 4/15/2013 12:51:52 PM | Computer Name = HOMEMAIN | Source = Service Control Manager | ID = 7031

Description = The Symantec Settings Manager service terminated unexpectedly. It

has done this 1 time(s). The following corrective action will be taken in 100

milliseconds: Restart the service.

Error - 4/15/2013 12:51:52 PM | Computer Name = HOMEMAIN | Source = Service Control Manager | ID = 7009

Description = Timeout (30000 milliseconds) waiting for the Symantec Settings Manager

service to connect.

Error - 4/15/2013 12:51:52 PM | Computer Name = HOMEMAIN | Source = Service Control Manager | ID = 7031

Description = The Apple Mobile Device service terminated unexpectedly. It has done

this 1 time(s). The following corrective action will be taken in 60000 milliseconds:

Restart the service.

Error - 4/15/2013 9:16:07 PM | Computer Name = HOMEMAIN | Source = PlugPlayManager | ID = 12

Description = The device 'DVDROM 1 2X' (IDE\CdRomDVDROM_1_2X_____________________________11______\5&6a6be80&0&0.0.0)

disappeared from the system without first being prepared for removal.

Error - 4/16/2013 3:00:15 PM | Computer Name = HOMEMAIN | Source = sr | ID = 1

Description = The System Restore filter encountered the unexpected error '0xC0000001'

while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring

the volume.

Error - 4/16/2013 3:05:38 PM | Computer Name = HOMEMAIN | Source = System Error | ID = 1003

Description = Error code 1000007f, parameter1 00000008, parameter2 80042000, parameter3

00000000, parameter4 00000000.

Error - 4/24/2013 12:30:39 PM | Computer Name = HOMEMAIN | Source = PlugPlayManager | ID = 12

Description = The device 'DVDROM 1 2X' (IDE\CdRomDVDROM_1_2X_____________________________11______\5&6a6be80&0&0.0.0)

disappeared from the system without first being prepared for removal.

< End of report >

Maurice Naggar · May 12, 2013

Your logs showed some peer-to-peer filesharing apps: Azureus + uTorrent

I do not recommend the use of P-2-P programs since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.

Risks of File-Sharing Technology.

P2P file sharing: Know the risks

Forum policy on peer-to-peer-programs:

If you're using Peer 2 Peer software such as uTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

http://forums.malwarebytes.org/index.php?showtopic=97700

Task 2

Download and Save McAfee Stinger to your Desktop

http://www.mcafee.com/us/downloads/free-tools/stinger.aspx

Close all browsers before starting. Disable your antivirus program and anti-malware,if any.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

On Windows 7 & Vista systems, Right Click and select Run as Administrator.

On XP, double-click to start it.

The GUI interface will look like this

The C drive is the default for scanning.

Press the Preferences button. In the top right-block "On virus detection", click Rename

In the bottom block "Heuristic network check for suspicious files" select High

Click the Scan Now button.

When done, use the File menu and select Save report to file

Stinger.txt is the log report and will be saved to your Desktop. I will need a copy of that log.

RE-Enable your anti-virus program.

Stinger is a standalone utility used to detect and remove specific malware. It is not a full scan for all types of malware or viruses.

It is not intended as virus protection.

Task 3

Download, & save & then run the MS Safety scanner

http://www.microsoft.com/security/scanner/en-us/default.aspx

Let me know the result.

Note: The Microsoft Safety Scanner expires 10 days after being downloaded. To rerun a scan with the latest anti-malware definitions, download and run the Microsoft Safety Scanner again.

Note: Any data files that are infected may only be cleaned by deleting the file entirely, which means there is a potential for data loss.

The safety scanner log should be called msert.txt

It should be located in the same folder as where you had msert.exe

If not there, then look for it under c:\windows

Task 4

Close any open documents that you may have open, as well as any of your app windows.

Start NOTEPAD

Start NOTEPAD. Check and make sure "word wrap" is off.

From Notepad main menu bar, Select F (format) and make sure Word Wrap is NOT checked.

IF it -is- checkmarked, click that one time so that it is un-checked.

Please copy/paste the lines in bold below to Notepad:

@Echo on

pushd\windows\system32

sc config winmgmt start= auto

sc start winmgmt

popd

shutdown -r -t 1

del %0

Save as Domer.bat to your desktop.

Double-click Domer.bat file to run it. Your computer will reboot. This runs in a command prompt window & will run very quickly & Restart the system.

domer7 · May 12, 2013

Good morning Maurice,

I have a major issue when booting up this morning. When I logged on to Windows, the computer rebooted immediately, then Noton Internet Security is now sayin my subscription has run out, also the Windows firewall was disabled. I have enabled the Windows firewall, but am very nervous being onthe internet with the issues I am seeing with Norton.

I removed the P2P items last night. Azueus and uTorrent were remnant folders. iMesh was supposedly removed by Revo Uninstaller, but the folder still had the exe file. When I tried to use Revo to remove it, my computer froze up. I finally got Windows Task Manager to reboot the computer, then used the Control Panel Add/Delete Programs function to remove iMesh.

I ran McAfee Stinger. The settings you asked to have checked were somewhat different than described - mainly there was no Heuristic Network Check option, but one call GTI. I checked HIGH for that one. I ran both Quick Scan and Custom Scan as you did not designate and the Quick SCan showed nothing. The custom scan took about two hours. Log Files were created as HTML documents.

Ran MS Scanner last night also. Cannot find a log file for that scan. When I was searching for that log file in my Windows folder I noticed several other txt files created at the time my computer froze up. They are named:

SchedLgU

Setupapi

Wiadebug

Wiaserve

WindowsUpdate

I am very concerned and would like to know what your thoughts are as to what is hppening with my computer.

Stinger Quick Scan

Quick Scan Report File

Virus Scan Information

McAfee® Labs Stinger™ Version 11.0.0.288 built on May 10 2013 at 12:41:18

Virus data file v1000.0 created on May 10, 2013

Ready to scan for 6231 Viruses, Trojans and variants.

Scan initiated on Saturday, May 11, 2013 20:20:56

Rootkit scan result : Not Scanned.

Scan completed on Saturday, May 11, 2013 20:26:54

Custom Scan

Custom Scan Report File

Virus Scan Information

McAfee® Labs Stinger™ Version 11.0.0.288 built on May 10 2013 at 12:41:18

Virus data file v1000.0 created on May 10, 2013

Ready to scan for 6231 Viruses, Trojans and variants.

Scan initiated on Saturday, May 11, 2013 20:28:14

Rootkit scan result : Not Scanned.

Scan completed on Saturday, May 11, 2013 22:59:08

domer

domer7 · May 12, 2013

Maurice,

I just noticed my system tray Norton icon shows everything OK once again.

It has been suggested I convert to Microsoft Security Essential as my AV protection. Is this the time to do it? I don't want to make too many changes until things are sorted out, but I don't know what is happening at this point.

domer

Maurice Naggar · May 12, 2013

Hold off on any switch of antivirus program, until I advise you (later) of how to do it.

You will want to print out or copy these instructions to Notepad for offline reference!

These steps are for member Domer7 only. If you are a casual viewer, do NOT try this on your system!

If you are not Domer7 and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

If you have a prior copy of Combofix, delete it now !

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages

It will display it's "stage" within the Command prompt window. Do NOT panic if it seems slow to change ! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix my take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on speed of your system and how much there is to scan & how much it needs to clean.

If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power)

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on Combo-Fix.exe accept the EULA & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

Notes:

[1] IF after Combofix reboot you get the message

Illegal operation attempted on registry key that has been marked for deletion

....please reboot the computer, this should resolve the problem. You may have reboot the pc a second time if needed.

[2] Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

[3]When all done, IF Combofix did not do a Restart...then ... I need for you to Restart the system fresh

Reply & Copy / Paste the contents of C:\Combofix.txt log

and tell me, How is the system now

RE-Enable your AntiVirus and AntiSpyware applications.

domer7 · May 12, 2013

Hi Maurice,

I have run ComboFix. Log below. In my concerned state with the issues this morning, I failed to disable the AV and MBAM programs. Unsure if this affected ComboFix.

ComboFix Log

ComboFix 13-05-12.01 - Steve & Anita 05/12/2013 9:21.3.1 - x86

Running from: c:\documents and settings\Steve & Anita\Desktop\Combo-Fix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Steve & Anita\My Documents\DPE.DUS

.

((((((((((((((((((((((((( Files Created from 2013-04-12 to 2013-05-12 )))))))))))))))))))))))))))))))

.

2013-05-12 03:22 . 2013-05-12 03:22 167344 ----a-w- c:\windows\system32\mfevtps.exe.f764.deleteme

2013-05-12 03:20 . 2013-05-12 03:20 -------- d-----w- C:\Stinger_Quarantine

2013-05-12 03:17 . 2013-05-12 06:02 -------- d-----w- c:\program files\stinger

2013-05-12 01:49 . 2013-05-12 01:49 -------- d-----w- c:\documents and settings\Steve & Anita\Local Settings\Application Data\PackageAware

2013-04-28 22:37 . 2013-04-28 22:37 -------- d-----w- c:\documents and settings\Steve & Anita\Application Data\FastStone

2013-04-28 22:36 . 2013-04-28 22:36 -------- d-----w- c:\program files\FastStone Image Viewer

2013-04-20 00:58 . 2013-04-20 00:58 -------- d-----w- c:\program files\CCleaner

2013-04-20 00:13 . 2013-04-20 00:13 -------- d-----w- c:\documents and settings\Steve & Anita\Local Settings\Application Data\VS Revo Group

2013-04-20 00:13 . 2013-04-20 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\VS Revo Group

2013-04-20 00:13 . 2009-12-30 18:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys

2013-04-20 00:13 . 2013-04-20 00:13 -------- d-----w- c:\program files\VS Revo Group

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-04-28 22:14 . 2012-03-29 01:43 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-04-28 22:14 . 2011-06-13 05:26 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-04-04 21:50 . 2010-01-12 04:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-03-08 08:36 . 2003-03-31 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll

2013-03-07 01:28 . 2003-03-31 12:00 2193408 ------w- c:\windows\system32\ntoskrnl.exe

2013-03-07 00:50 . 2002-08-29 01:04 2070016 ------w- c:\windows\system32\ntkrnlpa.exe

2013-03-02 02:06 . 2005-10-21 19:51 916480 ----a-w- c:\windows\system32\wininet.dll

2013-03-02 02:06 . 2003-03-31 12:00 43520 ------w- c:\windows\system32\licmgr10.dll

2013-03-02 02:06 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2013-03-02 01:25 . 2003-03-31 12:00 1867264 ------w- c:\windows\system32\win32k.sys

2013-03-02 01:08 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec

2013-02-27 07:56 . 2006-04-10 01:29 2067456 ------w- c:\windows\system32\mstscax.dll

2013-02-12 00:32 . 2004-08-04 06:04 12928 ------w- c:\windows\system32\drivers\usb8023x.sys

2013-02-12 00:32 . 2003-03-31 12:00 12928 ------w- c:\windows\system32\drivers\usb8023.sys

2011-12-27 20:37 . 2011-12-27 20:36 69341552 ----a-w- c:\program files\iTunesSetup.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Steve & Anita^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]

path=c:\documents and settings\Steve & Anita\Start Menu\Programs\Startup\Logitech . Product Registration.lnk

backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Steve & Anita^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]

path=c:\documents and settings\Steve & Anita\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk

backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2012-12-18 19:08 946352 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]

2006-01-03 00:41 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

2008-10-17 22:52 51048 ------w- c:\program files\Common Files\Symantec Shared\CCAPP.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CookiePatrol]

2005-01-10 16:35 73728 ------w- c:\progra~1\PESTPA~1\CookiePatrol.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2004-07-28 00:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2005-06-10 18:44 81920 ------w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2012-12-12 21:57 152544 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]

2005-05-20 22:46 28160 ----a-w- c:\windows\KHALMNPR.Exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]

2005-05-20 22:46 28160 ----a-w- c:\windows\KHALMNPR.Exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]

2003-03-04 09:50 19968 ----a-r- c:\windows\Logi_MwX.Exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]

2004-11-10 19:03 1126400 ----a-w- c:\program files\Symantec\Norton Ghost\Agent\GhostTray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSWosCheck]

2007-09-18 15:22 25472 ------w- c:\program files\Norton SystemWorks Basic Edition\osCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2009-09-28 02:19 13918208 ------w- c:\windows\system32\nvcpl.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

2009-09-28 02:19 86016 ------w- c:\windows\system32\nvmctray.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestPatrol Control Center]

2004-11-15 18:49 98304 ------w- c:\progra~1\PESTPA~1\PPControl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPMemCheck]

2003-04-19 15:53 148480 ------w- c:\progra~1\PESTPA~1\PPMemCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ptipbmf]

2003-06-20 07:06 118784 ------w- c:\windows\system32\ptipbmf.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]

2002-04-17 17:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

2004-02-26 08:53 65024 ------r- c:\windows\SOUNDMAN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]

2008-04-14 00:12 143360 ------w- c:\windows\system32\mobsync.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"RoxWatch"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [x]

R3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2010\RpcAgentSrv.exe [x]

S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [x]

S0 PQV2i;PQV2i; [x]

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1207020.003\SYMDS.SYS [x]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1207020.003\SYMEFA.SYS [x]

S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [x]

S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\BASHDefs\20130502.001\BHDrvx86.sys [x]

S1 PQIMount;PQIMount; [x]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1207020.003\Ironx86.SYS [x]

S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]

S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe [x]

S2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~1\NORTON~1\NPROTECT.EXE [x]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]

S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\IPSDefs\20130510.001\IDSxpx86.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-04-20 00:59 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-05-12 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 22:14]

.

2013-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2013-04-20 00:56]

.

2013-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2013-04-20 00:56]

.

2013-05-10 c:\windows\Tasks\Norton Internet Security - Steve & Anita - Full System Scan.job

- c:\program files\Norton Internet Security\Engine\18.7.2.3\navw32.exe [2012-06-11 00:01]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.focusonthefamily.com/

uInternet Settings,ProxyOverride = *.local

Trusted Zone: vetcentric.com

TCP: DhcpNameServer = 192.168.1.254

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

MSConfigStartUp-nmctxth - c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_03\bin\jusched.exe

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-05-12 09:32

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NIS]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.7.2.3\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(832)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2013-05-12 09:35:31

ComboFix-quarantined-files.txt 2013-05-12 16:35

.

Pre-Run: 94,262,882,304 bytes free

Post-Run: 94,199,328,768 bytes free

.

- - End Of File - - B3DE6D45B4857A254CA1EC586CCD9793

Maurice Naggar · May 12, 2013

In my concerned state with the issues this morning, I failed to disable the AV and MBAM programs. Unsure if this affected ComboFix.

Understood. Please relax a bit. We are making some headway. Continue to have patience.

In the folder C:\Qoobox you should see a log-file named ComboFix-quarantined-files.txt

Kindly Copy & Paste its contents into a new reply.

You have the DDS from before. Do a new run of DDS. Accept the EULA and copy and paste the two logs directly into a new reply.

If your antivirus burps and interferes, turn it off and try DDS one more time.

I'd like to see the DDS logs for review and inspection.

domer7 · May 12, 2013

Maurice,

Attached is the Combo-Fix quarantine log.

Once again DDS did not generate a log file.

I will be away from the computer for the next 5-6 hours.

Once again I appreciate the help!!

Combo-Fix log

2013-05-12 16:34:15 . 2013-05-12 16:34:15 636 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-SunJavaUpdateSched.reg.dat

2013-05-12 16:34:14 . 2013-05-12 16:34:14 658 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-nmctxth.reg.dat

2013-05-12 16:33:55 . 2013-05-12 16:33:55 173 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat

2013-05-12 16:29:28 . 2013-05-12 16:29:28 6,968 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2013-05-12 16:17:02 . 2013-05-12 16:17:02 51 ----a-w- C:\Qoobox\Quarantine\catchme.log

2013-04-21 01:36:27 . 2013-04-27 21:29:01 354,201 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Steve & Anita\My Documents\DPE.DUS.vir

Maurice Naggar · May 12, 2013

This are for XP systems only & only for Domer7 <<<---

Download and save this zip file to your DESKTOP http://www.dougknox..../xp_txt_fix.zip

Download and save this zip file to your DESKTOP http://www.dougknox..../xp_regfile.zip

Extract the contents, one by one, of each of the two zip files.

go to Start, type in

REGEDIT

and press Enter-key

from main menu, select File

then select IMPORT

navigate the dialog (click on DESKTOP icon on left to select it)

type in xp_regfile.reg in the Filename text-box and click Open button.

Once the merge is complete, you will see a confirmation message.

Click OK when done.

from main menu, select File

then select IMPORT

navigate the dialog (click on DESKTOP icon on left to select it)

type in xp_txt_fix.reg in the Filename text-box and click Open button.

Once the merge is complete, you will see a confirmation message.

Click OK when done.

Exit/close Regedit.

Logoff and Restart Windows fresh.

Next, turn OFF your antivirus program and any real-time security program {except for firewall}

Now, then run DDS

I need to see the two logs from it, for review.

there are several "versions" of DDS you can try. If 1 does not work, try the next 1 in this list

Download DDS and save it to your desktop from http://download.blee...om/sUBs/dds.com here

or http://download.blee...om/sUBs/dds.scr

or

http://www.infospyware.net/sUBs/dds

Make sure you look at your monitor, and accept the EULA and allow the run when prompted !

domer7 · May 13, 2013

Maurice,

I have imported and run both registry edit commands, then logged out and back into Windows.

I tried to run all three versions of DDS but all react the same - after pressing run, the program runs for a few seconds, the message regarding the log files being generated comes up,the the DOS box disappears and the icon I ran the program from is highlighted - no further action occurs. I never get tot he EULA acceptance screen. The last time I tried torun both the scr and dos versions with nearly everything from NIS turned off except the Firewall.

domer

Maurice Naggar · May 13, 2013

You must realize that that behavior & that many failures is "very unusual" and not a good sign.

Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.

Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

domer7 · May 13, 2013

Also, on another note, my computer was a bit slow when booting up and printing off the next steps for the latest registry changes. After the reg edit, logging out and logging back into Windows, it is running much smoother.

IE is loading up fine and running fairly quickly - even with my dated computer.

domer7 · May 13, 2013

Maurice,

log.txt

Logfile of random's system information tool 1.09 (written by random/random)

Run by Steve & Anita at 2013-05-12 21:29:17

WIN_XP Service Pack 3

System drive C: has 89 GB (58%) free of 153 GB

Total RAM: 2047 MB (60% free)

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 9:29:33 PM, on 5/12/2013

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\GEARSec.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe

C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Documents and Settings\Steve & Anita\Desktop\RSIT.exe

C:\Documents and Settings\Steve & Anita\Desktop\Steve & Anita.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.focusonthefamily.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\IPS\IPSBHO.DLL

O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)