
Multiple Outgoing Blocks Occurring



(Reposting this here from other forums on the advice of DarkSnakeKobra and Firefox, thanks)

For the past few days, Malwarebytes Pro has been blocking hundreds of outgoing IP access attempts.

It doesn’t matter if I am browsing (IE8) or not. In fact, when I end all of the “iexplore.exe” processes using Task Manager, new ones start up in a few minutes.

Here’s one example line of hundreds of lines from today’s protection log:

2013/06/10 19:07:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

And here’s the result of a quick scan from today:

Malwarebytes Anti-Malware (PRO) 1.75.0.1300

www.malwarebytes.org

Database version: v2013.06.12.03

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Owner :: GW-5B4ED3A077 [administrator]

Protection: Enabled

6/12/2013 11:06:52 AM

mbam-log-2013-06-12 (11-06-52).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 237780

Time elapsed: 30 minute(s), 44 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

As you can see, “no malicious items detected,” but I am concerned that I have some malware that is attempting to make my computer connect to a remote computer. Also, my computer is acting sluggishly.

I note that http://whatmyip.co/info/whois/95.211.194.79 shows a location in Amsterdam, NL, and ownership by www.leaseweb.com

Any suggestions on how to proceed to detect and remove the cause of this?

PS

I have downloaded “checker” and “dds,” run them, and pasted the text they generated below (long files):

CheckResults

WIN32_EXIT_CODE : 0

SERVICE_EXIT_CODE : 0

CHECKPOINT : 0

WAIT_HINT : 0

MBAMService:

==============

Type : 16

State : 4 (The service is running.)

WIN32_EXIT_CODE : 0

SERVICE_EXIT_CODE : 0

CHECKPOINT : 0

WAIT_HINT : 0

MBAMScheduler:

==============

Type : 16

State : 4 (The service is running.)

WIN32_EXIT_CODE : 0

SERVICE_EXIT_CODE : 0

CHECKPOINT : 0

WAIT_HINT : 0

<--CAN NOT OPEN SC_HANDLE, SERVICE IS NOT RUNNING FOR: MBAMChameleon

MBAMProtector Registry Values:

==============================

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector

Type REG_DWORD 2

Start REG_DWORD 3

ErrorControl REG_DWORD 1

ImagePath REG_EXPAND_SZ \??\C:\WINDOWS\system32\drivers\mbam.sys

Group REG_SZ FSFilter Anti-Virus

DependOnService REG_MULTI_SZ FltMgr

DependOnGroup REG_DWORD 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector\Instances

DefaultInstance REG_SZ MBAMProtector Instance

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector\Instances\MBAMProtector Instance

Altitude REG_SZ 328800

Flags REG_DWORD 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector\Security

Security REG_BINARY Binary Data

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector\Enum

0 REG_SZ Root\LEGACY_MBAMPROTECTOR\0000

Count REG_DWORD 1

NextInstance REG_DWORD 1

MBAMService Registry Values:

============================

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService

Type REG_DWORD 16

Start REG_DWORD 2

ErrorControl REG_DWORD 1

ImagePath REG_EXPAND_SZ "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe"

DependOnService REG_MULTI_SZ MBAMProtector

DependOnGroup REG_DWORD 0

ObjectName REG_SZ LocalSystem

Description REG_SZ Malwarebytes Anti-Malware service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService\Security

Security REG_BINARY Binary Data

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService\Enum

0 REG_SZ Root\LEGACY_MBAMSERVICE\0000

Count REG_DWORD 1

NextInstance REG_DWORD 1

MBAMScheduler Registry Values:

==============================

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMScheduler

Type REG_DWORD 16

Start REG_DWORD 2

ErrorControl REG_DWORD 1

ImagePath REG_EXPAND_SZ "C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe"

ObjectName REG_SZ LocalSystem

Description REG_SZ Malwarebytes Anti-Malware scheduler

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMScheduler\Security

Security REG_BINARY Binary Data

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMScheduler\Enum

0 REG_SZ Root\LEGACY_MBAMSCHEDULER\0000

Count REG_DWORD 1

NextInstance REG_DWORD 1

MBAM DLL's and Runtime Files:

=============================

HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.vbalGrid

(Default): REG_SZ vbAccelerator Grid Control

HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.vbalGrid\Clsid

(Default): REG_SZ {C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}

HKEY_CLASSES_ROOT\SSubTimer6.GSubclass

(Default): REG_SZ SSubTimer6.GSubclass

HKEY_CLASSES_ROOT\SSubTimer6.GSubclass\Clsid

(Default): REG_SZ {71A27032-C7D8-11D2-BEF8-525400DFB47A}

HKEY_CLASSES_ROOT\SSubTimer6.CTimer

(Default): REG_SZ SSubTimer6.CTimer

HKEY_CLASSES_ROOT\SSubTimer6.CTimer\Clsid

(Default): REG_SZ {71A27034-C7D8-11D2-BEF8-525400DFB47A}

HKEY_CLASSES_ROOT\SSubTimer6.ISubclass

(Default): REG_SZ SSubTimer6.ISubclass

HKEY_CLASSES_ROOT\SSubTimer6.ISubclass\Clsid

(Default): REG_SZ {71A2702F-C7D8-11D2-BEF8-525400DFB47A}

HKEY_CLASSES_ROOT\mbam.script

(Default): REG_SZ Malwarebytes' Anti-Malware script

HKEY_CLASSES_ROOT\mbam.script\shell

HKEY_CLASSES_ROOT\mbam.script\shell\open

HKEY_CLASSES_ROOT\mbam.script\shell\open\command

(Default): REG_SZ "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" %1

HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}

(Default): REG_SZ SSubTimer6.ISubclass

HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories

HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}

HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\ProgID

(Default): REG_SZ SSubTimer6.ISubclass

HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\Programmable

HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\TypeLib

(Default): REG_SZ {71A2702D-C7D8-11D2-BEF8-525400DFB47A}

HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\VERSION

(Default): REG_SZ 1.0

HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}

(Default): REG_SZ SSubTimer6.GSubclass

HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories

HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}

HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32

(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\ssubtmr6.dll

ThreadingModel REG_SZ Apartment

HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\ProgID

(Default): REG_SZ SSubTimer6.GSubclass

HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\Programmable

HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\TypeLib

(Default): REG_SZ {71A2702D-C7D8-11D2-BEF8-525400DFB47A}

HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\VERSION

(Default): REG_SZ 1.0

HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}

(Default): REG_SZ SSubTimer6.CTimer

HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories

HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}

HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32

(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\ssubtmr6.dll

ThreadingModel REG_SZ Apartment

HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\ProgID

(Default): REG_SZ SSubTimer6.CTimer

HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\Programmable

HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\TypeLib

(Default): REG_SZ {71A2702D-C7D8-11D2-BEF8-525400DFB47A}

HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\VERSION

(Default): REG_SZ 1.0

HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}

HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1

(Default): REG_SZ vbAccelerator VB6 SGrid Control 2.0

HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\0

HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\0\win32

(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\vbalsgrid6.ocx

HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\FLAGS

(Default): REG_SZ 2

HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\HELPDIR

(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware

HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}

HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0

(Default): REG_SZ vbAccelerator VB6 Subclassing and Timer Assistant (with configurable message response, multi-control support + timer bug fix)

HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\0

HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\0\win32

(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\ssubtmr6.dll

HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\FLAGS

(Default): REG_SZ 0

HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\HELPDIR

(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware

HKEY_CLASSES_ROOT\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}

(Default): REG_SZ ISubclass

HKEY_CLASSES_ROOT\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid

(Default): REG_SZ {00020424-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32

(Default): REG_SZ {00020424-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\TypeLib

(Default): REG_SZ {71A2702D-C7D8-11D2-BEF8-525400DFB47A}

Version REG_SZ 1.0

HKEY_CLASSES_ROOT\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}

(Default): REG_SZ CTimer

HKEY_CLASSES_ROOT\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid

(Default): REG_SZ {00020420-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32

(Default): REG_SZ {00020420-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\TypeLib

(Default): REG_SZ {71A2702D-C7D8-11D2-BEF8-525400DFB47A}

Version REG_SZ 1.0

HKEY_CLASSES_ROOT\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}

(Default): REG_SZ vbalGrid

HKEY_CLASSES_ROOT\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\ProxyStubClsid

(Default): REG_SZ {00020420-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\ProxyStubClsid32

(Default): REG_SZ {00020420-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\TypeLib

(Default): REG_SZ {DE8CE233-DD83-481D-844C-C07B96589D3A}

Version REG_SZ 1.1

MBAM Registry Settings and License Info:

========================================

HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes' Anti-Malware

InstallPath REG_SZ C:\Program Files\Malwarebytes' Anti-Malware

Affiliate REG_SZ https://www.cleverbridge.com/342/?scope=checkout&cart=29945

ID XXXXX This is hidden data.

Key XXXX-XXXX-XXXX-XXXX This is hidden data.

updating REG_DWORD 1

silent REG_DWORD 1

dbversion REG_SZ v2013.06.12.03

programversion REG_SZ 1.75.0.1300

hidereg REG_DWORD 0

startipdisabled REG_DWORD 0

useproxy REG_DWORD 0

useauthentication REG_DWORD 0

downloadprogram REG_DWORD 1

advancedheuristics REG_DWORD 1

dbdate REG_SZ Wed, 12 Jun 2013 10:45:12 GMT

detectpup REG_DWORD 2

detectpum REG_DWORD 1

detectp2p REG_DWORD 0

updatewarn REG_DWORD 1

updatewarndays REG_DWORD 7

notifyinstallprogram REG_DWORD 1

SchedulerQueue REG_MULTI_SZ 36872, 30171011, 3467743744, 1, 1 | 30303420, 3211252841

contextmenu REG_DWORD 1

reportthreats REG_DWORD 1

silentipmode REG_DWORD 0

trialpromptshown REG_DWORD 0

startwithwindows REG_DWORD 1

startfsdisabled REG_DWORD 0

autoquarantine REG_DWORD 1

autoquarantinenotify REG_DWORD 1

programbuild REG_SZ consumer

alwaysscanarchives REG_DWORD 1

HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes' Anti-Malware\UUID

There is data here but it is hidden.

HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes' Anti-Malware\UUID

HKEY_CURRENT_USER\SOFTWARE\Malwarebytes' Anti-Malware

language REG_SZ english.lng

firstrun REG_DWORD 1

defaultscan REG_DWORD 0

selectedrives REG_SZ C:\|D:\|I:\|

terminateie REG_DWORD 1

autosavelog REG_DWORD 1

autoupdate REG_DWORD 1

autoscan REG_DWORD 1

updatetime REG_DWORD 21

scantime REG_DWORD 22

alwaysscanmemory REG_DWORD 1

alwaysscanregistry REG_DWORD 1

alwaysscanfiles REG_DWORD 1

alwaysscanheuristics REG_DWORD 1

startminimized REG_DWORD 0

updating REG_DWORD 1

openlog REG_DWORD 1

alwaysscanstartups REG_DWORD 1

HKEY_USERS\S-1-5-18\SOFTWARE\Malwarebytes' Anti-Malware

alwaysscanfiles REG_DWORD 1

alwaysscanheuristics REG_DWORD 1

alwaysscanmemory REG_DWORD 1

alwaysscanregistry REG_DWORD 1

alwaysscanstartups REG_DWORD 1

autosavelog REG_DWORD 1

openlog REG_DWORD 1

contextmenu REG_DWORD 1

defaultscan REG_DWORD 0

reportthreats REG_DWORD 1

terminateie REG_DWORD 0

startwithwindows REG_DWORD 1

startfsdisabled REG_DWORD 0

silentipmode REG_DWORD 0

trialpromptshown REG_DWORD 0

HKEY_USERS\.DEFAULT\SOFTWARE\Malwarebytes' Anti-Malware

alwaysscanfiles REG_DWORD 1

alwaysscanheuristics REG_DWORD 1

alwaysscanmemory REG_DWORD 1

alwaysscanregistry REG_DWORD 1

alwaysscanstartups REG_DWORD 1

autosavelog REG_DWORD 1

openlog REG_DWORD 1

contextmenu REG_DWORD 1

defaultscan REG_DWORD 0

reportthreats REG_DWORD 1

terminateie REG_DWORD 0

startwithwindows REG_DWORD 1

startfsdisabled REG_DWORD 0

silentipmode REG_DWORD 0

trialpromptshown REG_DWORD 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malwarebytes' Anti-Malware_is1

Inno Setup: Setup Version REG_SZ 5.5.3-dev (a)

Inno Setup: App Path REG_SZ C:\Program Files\Malwarebytes' Anti-Malware

InstallLocation REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\

Inno Setup: Icon Group REG_SZ Malwarebytes' Anti-Malware

Inno Setup: User REG_SZ Owner

Inno Setup: Selected Tasks REG_SZ desktopicon

Inno Setup: Deselected Tasks REG_SZ quicklaunchicon

Inno Setup: Language REG_SZ English

DisplayName REG_SZ Malwarebytes Anti-Malware version 1.75.0.1300

DisplayIcon REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

UninstallString REG_SZ "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"

QuietUninstallString REG_SZ "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe" /SILENT

DisplayVersion REG_SZ 1.75.0.1300

Publisher REG_SZ Malwarebytes Corporation

URLInfoAbout REG_SZ http://www.malwarebytes.org

NoModify REG_DWORD 1

NoRepair REG_DWORD 1

InstallDate REG_SZ 20130415

MajorVersion REG_DWORD 1

MinorVersion REG_DWORD 75

Pending File Rename Operations:

================================

If any Malwarebytes Anti-Malware items are listed below, the user must reboot to complete a Malwarebytes Anti-Malware upgrade installation.

Scheduler Queue:

================

Scheduled Item: Update Schedule Options: Flash Scan | Weekly

Start Time: 2011-08-20 21:55 Repeating Every: 1 Recover if missed by: 1

Context Menu Entries:

=====================

HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShlExt

(Default): REG_SZ {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\MBAMShlExt

(Default): REG_SZ {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt

(Default): REG_SZ MBAMShlExt Class

HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt\CLSID

(Default): REG_SZ {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt\CurVer

(Default): REG_SZ MBAMExt.MBAMShlExt.1

HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1

(Default): REG_SZ MBAMShlExt Class

HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1\CLSID

(Default): REG_SZ {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}

(Default): REG_SZ IMBAMShlExt

HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\ProxyStubClsid

(Default): REG_SZ {00020424-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\ProxyStubClsid32

(Default): REG_SZ {00020424-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\TypeLib

(Default): REG_SZ {AFF1A83B-6C83-4342-8E68-1648DE06CB65}

Version REG_SZ 1.0

HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}

(Default): REG_SZ MBAMShlExt Class

HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32

(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll

ThreadingModel REG_SZ Apartment

HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\ProgID

(Default): REG_SZ MBAMExt.MBAMShlExt.1

HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\TypeLib

(Default): REG_SZ {AFF1A83B-6C83-4342-8E68-1648DE06CB65}

HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\VersionIndependentProgID

(Default): REG_SZ MBAMExt.MBAMShlExt

HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}

HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0

(Default): REG_SZ MBAMExt 1.0 Type Library

HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0

HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0\win32

(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll

HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\FLAGS

(Default): REG_SZ 0

HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\HELPDIR

(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\

MBAM Drivers:

=============

C:\WINDOWS\system32\drivers\mbam.sys File Size: 22856 BYTES FileVersion: 1.60.2.0

Required Dependencies:

======================

fltmgr:

==============

Type : 2

State : 4 (The service is running.) (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0

SERVICE_EXIT_CODE : 0

CHECKPOINT : 0

WAIT_HINT : 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FltMgr

Type REG_DWORD 2

Start REG_DWORD 0

ErrorControl REG_DWORD 1

Tag REG_DWORD 1

ImagePath REG_EXPAND_SZ system32\drivers\fltmgr.sys

DisplayName REG_SZ FltMgr

Group REG_SZ FSFilter Infrastructure

Description REG_SZ File System Filter Manager Driver

AttachWhenLoaded REG_DWORD 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FltMgr\Security

Security REG_BINARY Binary Data

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FltMgr\Enum

0 REG_SZ Root\LEGACY_FLTMGR\0000

Count REG_DWORD 1

NextInstance REG_DWORD 1

C:\WINDOWS\system32\drivers\fltmgr.sys File Size: 129792 BYTES FileVersion: 5.1.2600.5512

C:\WINDOWS\system32\comctl32.ocx File Size: 608448 BYTES FileVersion: 6.0.81.5

C:\WINDOWS\system32\mscomctl.ocx File Size: 1070152 BYTES FileVersion: 6.1.98.34

C:\WINDOWS\system32\olepro32.dll File Size: 84992 BYTES FileVersion: 5.1.2600.5512

List of MBAM Related Directories:

=================================

C:\Program Files\Malwarebytes' Anti-Malware

7z.dll File Size: 914432 BYTES FileVersion: 9.20.0.0

changes.rtf File Size: 785 BYTES

changes.txt File Size: 200 BYTES

license.rtf File Size: 17916 BYTES

license.txt File Size: 11141 BYTES

mbam.chm File Size: 474148 BYTES

mbam.dll File Size: 527944 BYTES FileVersion: 1.70.0.0

mbam.exe File Size: 887432 BYTES FileVersion: 1.75.0.1

mbamcore.dll File Size: 1127496 BYTES FileVersion: 1.70.0.0

mbamext.dll File Size: 79208 BYTES FileVersion: 1.70.0.0

mbamgui.exe File Size: 532040 BYTES FileVersion: 1.70.0.0

mbamnet.dll File Size: 2191944 BYTES FileVersion: 1.70.0.0

mbampt.exe File Size: 40008 BYTES FileVersion: 1.70.0.0

mbamscheduler.exe File Size: 418376 BYTES FileVersion: 1.70.0.0

mbamservice.exe File Size: 701512 BYTES FileVersion: 1.70.0.0

ssubtmr6.dll File Size: 44664 BYTES FileVersion: 1.1.0.3

unins000.dat File Size: 339405 BYTES

unins000.exe File Size: 712264 BYTES FileVersion: 51.52.0.0

unins000.msg File Size: 11277 BYTES

vbalsgrid6.ocx File Size: 495224 BYTES FileVersion: 2.0.0.40

C:\Program Files\Malwarebytes' Anti-Malware\Chameleon

chameleon.chm File Size: 186068 BYTES

firefox.com File Size: 218184 BYTES

firefox.exe File Size: 218184 BYTES

firefox.pif File Size: 218184 BYTES

firefox.scr File Size: 218184 BYTES

iexplore.exe File Size: 218184 BYTES

mbam-chameleon.com File Size: 218184 BYTES

mbam-chameleon.exe File Size: 218184 BYTES

mbam-chameleon.pif File Size: 218184 BYTES

mbam-chameleon.scr File Size: 218184 BYTES

mbam-killer.exe File Size: 984648 BYTES FileVersion: 1.60.0.47

rundll32.exe File Size: 218184 BYTES

svchost.exe File Size: 218184 BYTES

winlogon.exe File Size: 218184 BYTES

C:\Program Files\Malwarebytes' Anti-Malware\Languages

albanian.lng File Size: 13924 BYTES

arabic.lng File Size: 21894 BYTES

belarusian.lng File Size: 26884 BYTES

bosnian.lng File Size: 27108 BYTES

bulgarian.lng File Size: 27574 BYTES

catalan.lng File Size: 28252 BYTES

chineseSI.lng File Size: 11024 BYTES

chineseTR.lng File Size: 11952 BYTES

croatian.lng File Size: 26670 BYTES

czech.lng File Size: 24874 BYTES

danish.lng File Size: 26582 BYTES

dutch.lng File Size: 28342 BYTES

english.lng File Size: 24542 BYTES

estonian.lng File Size: 25146 BYTES

finnish.lng File Size: 25950 BYTES

french.lng File Size: 29830 BYTES

german.lng File Size: 29894 BYTES

greek.lng File Size: 29300 BYTES

hebrew.lng File Size: 19362 BYTES

hungarian.lng File Size: 28666 BYTES

indonesian.lng File Size: 26854 BYTES

italian.lng File Size: 28194 BYTES

japanese.lng File Size: 16266 BYTES

korean.lng File Size: 14188 BYTES

latvian.lng File Size: 27100 BYTES

lithuanian.lng File Size: 27838 BYTES

macedonian.lng File Size: 28864 BYTES

norwegian.lng File Size: 25116 BYTES

polish.lng File Size: 26644 BYTES

portugueseBR.lng File Size: 28654 BYTES

portuguesePT.lng File Size: 29062 BYTES

romanian.lng File Size: 28290 BYTES

russian.lng File Size: 27302 BYTES

serbian.lng File Size: 26804 BYTES

slovak.lng File Size: 25644 BYTES

slovenian.lng File Size: 24852 BYTES

spanish.lng File Size: 30060 BYTES

swedish.lng File Size: 25992 BYTES

thai.lng File Size: 26092 BYTES

turkish.lng File Size: 25876 BYTES

ukrainian.lng File Size: 13097 BYTES

vietnamese.lng File Size: 29528 BYTES

C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\Malwarebytes\Malwarebytes' Anti-Malware

C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs

mbam-log-08-24-2008 (18-59-20).txt File Size: 892 BYTES

mbam-log-2008-09-08 (20-34-11).txt File Size: 1221 BYTES

mbam-log-2008-12-10 (20-48-07).txt File Size: 835 BYTES

mbam-log-2008-12-10 (22-47-31).txt File Size: 1212 BYTES

mbam-log-2008-12-13 (13-04-47).txt File Size: 846 BYTES

mbam-log-2009-01-04 (11-30-09).txt File Size: 2309 BYTES

mbam-log-2009-01-04 (15-21-01).txt File Size: 2762 BYTES

mbam-log-2009-01-04 (16-30-26).txt File Size: 1147 BYTES

mbam-log-2009-01-04 (16-52-09).txt File Size: 832 BYTES

mbam-log-2009-01-04 (17-12-45).txt File Size: 839 BYTES

mbam-log-2009-01-04 (19-11-51).txt File Size: 831 BYTES

mbam-log-2009-01-10 (10-01-23).txt File Size: 842 BYTES

mbam-log-2009-01-10 (17-54-08).txt File Size: 1647 BYTES

mbam-log-2009-01-10 (18-51-28).txt File Size: 845 BYTES

mbam-log-2009-01-10 (21-12-45).txt File Size: 834 BYTES

mbam-log-2009-01-13 (21-04-24).txt File Size: 833 BYTES

mbam-log-2009-01-15 (21-05-01).txt File Size: 894 BYTES

mbam-log-2009-01-16 (21-04-34).txt File Size: 833 BYTES

mbam-log-2009-01-17 (21-04-20).txt File Size: 833 BYTES

mbam-log-2009-01-19 (21-05-01).txt File Size: 833 BYTES

mbam-log-2009-01-21 (21-05-05).txt File Size: 832 BYTES

mbam-log-2009-01-26 (21-06-22).txt File Size: 833 BYTES

mbam-log-2009-01-28 (21-06-42).txt File Size: 833 BYTES

mbam-log-2009-02-01 (21-07-00).txt File Size: 832 BYTES

mbam-log-2009-02-02 (21-08-32).txt File Size: 832 BYTES

mbam-log-2009-02-04 (21-08-13).txt File Size: 832 BYTES

mbam-log-2009-02-05 (21-08-30).txt File Size: 832 BYTES

mbam-log-2009-02-06 (21-02-20).txt File Size: 831 BYTES

mbam-log-2009-02-07 (21-09-11).txt File Size: 831 BYTES

mbam-log-2009-02-09 (21-13-20).txt File Size: 833 BYTES

mbam-log-2009-02-10 (21-06-57).txt File Size: 833 BYTES

mbam-log-2009-02-11 (21-07-10).txt File Size: 832 BYTES

mbam-log-2009-02-13 (21-09-22).txt File Size: 833 BYTES

mbam-log-2009-02-14 (21-06-19).txt File Size: 833 BYTES

mbam-log-2009-02-16 (21-10-58).txt File Size: 834 BYTES

mbam-log-2009-02-17 (22-56-58).txt File Size: 834 BYTES

mbam-log-2009-02-18 (21-02-19).txt File Size: 833 BYTES

mbam-log-2009-02-19 (21-09-04).txt File Size: 832 BYTES

mbam-log-2009-02-20 (21-09-15).txt File Size: 832 BYTES

mbam-log-2009-02-21 (21-29-32).txt File Size: 833 BYTES

mbam-log-2009-02-22 (21-06-40).txt File Size: 833 BYTES

mbam-log-2009-02-23 (21-08-03).txt File Size: 833 BYTES

mbam-log-2009-02-25 (22-50-59).txt File Size: 846 BYTES

mbam-log-2009-02-26 (21-05-52).txt File Size: 905 BYTES

mbam-log-2009-02-27 (21-06-19).txt File Size: 833 BYTES

mbam-log-2009-02-28 (21-06-57).txt File Size: 833 BYTES

mbam-log-2009-03-01 (21-06-46).txt File Size: 832 BYTES

mbam-log-2009-03-02 (21-08-09).txt File Size: 831 BYTES

mbam-log-2009-03-03 (21-09-01).txt File Size: 832 BYTES

mbam-log-2009-03-04 (21-09-02).txt File Size: 832 BYTES

mbam-log-2009-03-05 (22-38-16).txt File Size: 834 BYTES

mbam-log-2009-03-06 (21-19-53).txt File Size: 833 BYTES

mbam-log-2009-03-07 (22-05-32).txt File Size: 833 BYTES

mbam-log-2009-03-08 (21-21-17).txt File Size: 833 BYTES

mbam-log-2009-03-09 (21-12-40).txt File Size: 833 BYTES

mbam-log-2009-03-10 (22-07-30).txt File Size: 921 BYTES

mbam-log-2009-03-11 (21-05-37).txt File Size: 833 BYTES

mbam-log-2009-03-12 (21-05-41).txt File Size: 833 BYTES

mbam-log-2009-03-13 (21-06-17).txt File Size: 833 BYTES

mbam-log-2009-03-14 (21-11-31).txt File Size: 964 BYTES

mbam-log-2009-03-15 (21-07-23).txt File Size: 833 BYTES

mbam-log-2009-03-16 (21-31-00).txt File Size: 833 BYTES

mbam-log-2009-03-17 (22-13-08).txt File Size: 834 BYTES

mbam-log-2009-03-18 (21-10-46).txt File Size: 834 BYTES

mbam-log-2009-03-20 (22-23-23).txt File Size: 1015 BYTES

mbam-log-2009-03-21 (21-11-44).txt File Size: 834 BYTES

mbam-log-2009-03-22 (21-04-48).txt File Size: 833 BYTES

mbam-log-2009-03-23 (21-05-37).txt File Size: 833 BYTES

mbam-log-2009-03-24 (21-33-53).txt File Size: 833 BYTES

mbam-log-2009-03-26 (21-07-15).txt File Size: 832 BYTES

mbam-log-2009-03-27 (21-05-00).txt File Size: 833 BYTES

mbam-log-2009-03-31 (21-26-29).txt File Size: 833 BYTES

mbam-log-2009-04-03 (21-41-23).txt File Size: 832 BYTES

mbam-log-2009-04-05 (21-05-56).txt File Size: 832 BYTES

mbam-log-2009-04-08 (21-08-01).txt File Size: 832 BYTES

mbam-log-2009-04-11 (21-04-23).txt File Size: 833 BYTES

mbam-log-2009-04-12 (21-07-10).txt File Size: 832 BYTES

mbam-log-2009-04-13 (22-07-20).txt File Size: 833 BYTES

mbam-log-2009-04-14 (22-18-07).txt File Size: 833 BYTES

mbam-log-2009-04-16 (21-05-06).txt File Size: 833 BYTES

mbam-log-2009-04-18 (08-19-34).txt File Size: 832 BYTES

mbam-log-2009-04-18 (21-04-58).txt File Size: 833 BYTES

mbam-log-2009-04-19 (21-06-05).txt File Size: 832 BYTES

mbam-log-2009-04-20 (21-04-39).txt File Size: 833 BYTES

mbam-log-2009-04-25 (22-33-37).txt File Size: 833 BYTES

mbam-log-2009-04-26 (21-06-39).txt File Size: 833 BYTES

mbam-log-2009-04-27 (21-49-57).txt File Size: 833 BYTES

mbam-log-2009-04-30 (21-04-47).txt File Size: 833 BYTES

mbam-log-2009-05-02 (21-33-41).txt File Size: 832 BYTES

mbam-log-2009-05-03 (21-12-23).txt File Size: 833 BYTES

mbam-log-2009-05-04 (21-47-45).txt File Size: 832 BYTES

mbam-log-2009-05-13 (21-07-26).txt File Size: 833 BYTES

mbam-log-2009-05-16 (21-05-20).txt File Size: 833 BYTES

mbam-log-2009-05-17 (21-06-04).txt File Size: 832 BYTES

mbam-log-2009-05-21 (21-04-23).txt File Size: 833 BYTES

mbam-log-2009-05-22 (21-03-33).txt File Size: 833 BYTES

mbam-log-2009-05-23 (22-31-37).txt File Size: 834 BYTES

mbam-log-2009-05-24 (21-25-10).txt File Size: 833 BYTES

mbam-log-2009-05-25 (21-09-40).txt File Size: 833 BYTES

mbam-log-2009-05-26 (21-07-59).txt File Size: 833 BYTES

mbam-log-2009-05-28 (21-28-42).txt File Size: 832 BYTES

mbam-log-2009-05-29 (21-07-28).txt File Size: 833 BYTES

mbam-log-2009-05-30 (21-05-22).txt File Size: 833 BYTES

mbam-log-2009-05-31 (21-06-48).txt File Size: 833 BYTES

mbam-log-2009-06-01 (21-06-30).txt File Size: 832 BYTES

mbam-log-2009-06-02 (21-03-31).txt File Size: 832 BYTES

mbam-log-2009-06-04 (21-05-26).txt File Size: 832 BYTES

mbam-log-2009-06-06 (21-19-04).txt File Size: 935 BYTES

mbam-log-2009-06-06 (22-16-46).txt File Size: 1014 BYTES

mbam-log-2009-06-07 (21-06-15).txt File Size: 832 BYTES

mbam-log-2009-06-08 (21-04-20).txt File Size: 832 BYTES

mbam-log-2009-06-13 (21-06-21).txt File Size: 833 BYTES

mbam-log-2009-06-14 (21-04-52).txt File Size: 833 BYTES

mbam-log-2009-06-18 (21-04-48).txt File Size: 833 BYTES

mbam-log-2009-06-19 (21-49-25).txt File Size: 833 BYTES

mbam-log-2009-06-22 (21-07-47).txt File Size: 834 BYTES

mbam-log-2009-06-23 (21-08-12).txt File Size: 833 BYTES

mbam-log-2009-06-25 (21-09-23).txt File Size: 834 BYTES

C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine

===============================================================

END OF FILE

DDS results

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702

Run by Owner at 11:19:56 on 2013-06-12

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.597 [GMT -5:00]

.

FW: CA Personal Firewall *Disabled*

.

============== Running Processes ================

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\cwh.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Norton 360\Engine\20.3.1.22\ccSvcHst.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\Norton 360\Engine\20.3.1.22\ccSvcHst.exe

C:\Program Files\VERIZONDM\bin\sprtsvc.exe

C:\Program Files\VERIZONDM\bin\tgsrvc.exe

C:\Program Files\VERIZONDM\bin\sprtcmd.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

C:\Program Files\DNA\btdna.exe

C:\WINDOWS\system32\regsvr32.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\svchost.exe -k netsvcs

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6453

uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6453

uURLSearchHooks: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - <orphaned>

uURLSearchHooks: Verizon Toolbar: {f8d96645-337c-419b-8792-b6c126145811} - c:\program files\verizontb\verizonDx.dll

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>

BHO: vShare Toolbar: {043C5167-00BB-4324-AF7E-62013FAEDACF} - c:\program files\vshare\vshare_toolbar.dll

BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton 360\engine\20.3.1.22\coieplg.dll

BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton 360\engine\20.3.1.22\ips\ipsbho.dll

BHO: Updater For Verizon Toolbar: {96673559-e653-4cdc-8923-f89347a952c0} - c:\program files\verizontb\auxi\verizonAu.dll

BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -

BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\bae.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: Verizon Toolbar: {f8d96645-337c-419b-8792-b6c126145811} - c:\program files\verizontb\verizonDx.dll

TB: vShare Toolbar: {043C5167-00BB-4324-AF7E-62013FAEDACF} - c:\program files\vshare\vshare_toolbar.dll

TB: vShare Toolbar: {043C5167-00BB-4324-AF7E-62013FAEDACF} - c:\program files\vshare\vshare_toolbar.dll

TB: Verizon Toolbar: {f8d96645-337c-419b-8792-b6c126145811} - c:\program files\verizontb\verizonDx.dll

TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\20.3.1.22\coieplg.dll

uRun: [Power2GoExpress] NA

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [bitTorrent DNA] "c:\program files\dna\btdna.exe"

uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet

uRun: [RtWLan] regsvr32.exe "c:\documents and settings\owner.your-5b4ed3a077\local settings\application data\rtwlan\gjmqsipv.dll"

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

mRun: [VERIZONDM] "c:\program files\verizondm\bin\sprtcmd.exe" /P VERIZONDM

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [sunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [sMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [setDefPrt] c:\program files\brother\brmfl04g\BrStDvPt.exe

mRun: [Reminder] c:\windows\creator\Remind_XP.exe

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun

mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"

mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe

mRun: [capfasem] c:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exe

mRun: [cafwc] c:\program files\ca\ca internet security suite\ca personal firewall\cafw.exe -cl

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay

mRun: [MioNet] c:\program files\mionet\MioNetLauncher.exe /p

mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek rtl8187 wireless lan driver and utility\RtWLan.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} -

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab

DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15030/CTSUEng.cab

DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://biz.lgservice.com/DjvuViewer/DjVuControl-6.1.4.cab

DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install/00/alttiff.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {3A52566B-6018-485B-B713-8B9FF660D8E8} - hxxp://71.123.169.42:0/webdvr2.18.2.16_71.0.0.0.cab

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1343697687988

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1343697663689

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {9282A3AA-4954-46B4-B4AE-F086CE3F1110} - hxxp://71.123.169.42:0/regtrustsite.cab

DPF: {9CA74596-B5BB-4634-971C-F0224115A15F} - hxxp://nba.tom.com/video/tcastV1.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://vexcast.com/download/vexcast.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15030/CTPID.cab

TCP: NameServer = 192.168.1.1

TCP: Interfaces\{481AE3E8-CD00-4ED3-9F1D-6AB6C25A01D6} : DHCPNameServer = 192.168.1.1

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -

Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

.

============= SERVICES / DRIVERS ===============

.

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\1403010.016\symds.sys [2013-4-8 367704]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\1403010.016\symefa.sys [2013-4-8 934488]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.3.0.36\definitions\bashdefs\20130531.001\BHDrvx86.sys [2013-5-31 1002072]

R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\n360\1403010.016\ccsetx86.sys [2013-4-8 134304]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\1403010.016\ironx86.sys [2013-4-8 175264]

R2 cwh;cwh;c:\windows\cwh.exe [2006-12-23 368640]

R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\verizon\iha_messagecenter\bin\Verizon_IHAMessageCenter.exe [2011-12-12 352248]

R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-9-10 418376]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2008-8-9 701512]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 N360;Norton 360;c:\program files\norton 360\engine\20.3.1.22\ccsvchst.exe [2013-4-8 144520]

R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\verizondm\bin\sprtsvc.exe [2011-12-1 206120]

R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\verizondm\bin\tgsrvc.exe [2011-12-1 185640]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-8-28 106656]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.3.0.36\definitions\ipsdefs\20130611.001\IDSXpx86.sys [2013-6-11 373728]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-8-9 22856]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-6-12 40776]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.3.0.36\definitions\virusdefs\20130612.002\NAVENG.SYS [2013-6-12 93272]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.3.0.36\definitions\virusdefs\20130612.002\NAVEX15.SYS [2013-6-12 1611992]

S0 jwsog;jwsog;c:\windows\system32\drivers\xbjj.sys --> c:\windows\system32\drivers\xbjj.sys [?]

S0 plmd;plmd;c:\windows\system32\drivers\xvqfl.sys --> c:\windows\system32\drivers\xvqfl.sys [?]

S0 qnmthkg;qnmthkg;c:\windows\system32\drivers\dgwdfd.sys --> c:\windows\system32\drivers\dgwdfd.sys [?]

S0 shho;shho;c:\windows\system32\drivers\rtbiatm.sys --> c:\windows\system32\drivers\rtbiatm.sys [?]

S3 EraserUtilDrv11210;EraserUtilDrv11210;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv11210.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv11210.sys [?]

S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\drivers\ICDSX.sys [2003-10-1 31744]

S3 WebDictateService;Web Dictate;c:\program files\nch software\webdictate\webdictate.exe [2012-2-7 814596]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-6-17 14336]

.

=============== File Associations ===============

.

FileExt: .reg: regfile=regedit.exe "%1" %*

ShellExec: pi11.exe: Open="c:\program files\microsoft digital image 2006\pi.exe" "%1"

ShellExec: switch.exe: Convert with Switch Sound File Converter="c:\program files\nch swift sound\switch\switch" "%L"

.

=============== Created Last 30 ================

.

2013-06-12 15:29:27 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2013-06-10 09:54:40 -------- d-----w- c:\documents and settings\owner.your-5b4ed3a077\local settings\application data\RtWLan

2013-05-21 01:23:01 -------- d-----w- C:\hotlink

2013-05-21 01:20:18 752496 ----a-w- C:\WindowsXP-KB959658-x86-ENU.exe

.

==================== Find3M ====================

.

2013-06-12 02:59:20 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-06-12 02:59:20 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-04-05 00:00:20 695578 ----a-w- c:\windows\unins000.exe

2013-04-04 19:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-03-17 23:47:46 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2003-12-05 16:41:00 368640 --sh--r- c:\windows\cwh.exe

2003-12-05 02:16:44 69632 --sh--r- c:\windows\lnchshll.exe

2003-12-05 02:16:46 49152 --sh--r- c:\windows\ScrnInt.exe

.

============= FINISH: 11:29:41.75 ===============

Attach Results

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 11/26/2006 7:38:38 PM

System Uptime: 6/12/2013 10:40:28 AM (1 hours ago)

.

Motherboard: Gateway | |

Processor: AMD Turion 64 X2 Mobile Technology TL-52 | Socket M2/S1G1 | 1595/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 142 GiB total, 71.821 GiB free.

D: is FIXED (FAT32) - 7 GiB total, 4.625 GiB free.

E: is CDROM ()

F: is FIXED (FAT32) - 931 GiB total, 588.271 GiB free.

H: is FIXED (FAT32) - 931 GiB total, 873.102 GiB free.

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Broadcom 802.11g Network Adapter

Device ID: PCI\VEN_14E4&DEV_4311&SUBSYS_046514E4&REV_01\4&25829AB5&0&0028

Manufacturer: Broadcom

Name: Broadcom 802.11g Network Adapter

PNP Device ID: PCI\VEN_14E4&DEV_4311&SUBSYS_046514E4&REV_01\4&25829AB5&0&0028

Service: BCM43XX

.

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}

Description: SigmaTel High Definition Audio CODEC

Device ID: HDAUDIO\FUNC_01&VEN_8384&DEV_7634&SUBSYS_107B0367&REV_1001\4&C38BD79&0&0001

Manufacturer: SigmaTel

Name: SigmaTel High Definition Audio CODEC

PNP Device ID: HDAUDIO\FUNC_01&VEN_8384&DEV_7634&SUBSYS_107B0367&REV_1001\4&C38BD79&0&0001

Service: STHDA

.

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}

Description: MTP Device

Device ID: ROOT\WPD\0000

Manufacturer: (Standard MTP-compliant devices)

Name: MTP Device

PNP Device ID: ROOT\WPD\0000

Service: WUDFRd

.

==== System Restore Points ===================

.

RP1: 4/21/2013 1:18:00 PM - System Checkpoint

RP2: 4/21/2013 1:40:02 PM - Removed Skype™ 5.10

RP3: 4/21/2013 1:40:57 PM - Removed Click to Call with Skype

RP4: 4/21/2013 1:41:16 PM - Removed Click to Call with Skype

RP5: 4/21/2013 1:41:42 PM - Removed Click to Call with Skype

RP6: 4/21/2013 1:42:54 PM - Removed Adobe Reader Japanese Fonts

RP7: 4/21/2013 1:47:56 PM - Posr April 21 2013 clean up

RP8: 4/21/2013 2:02:57 PM - Removed Click to Call with Skype

RP9: 4/21/2013 2:05:01 PM - Removed NetDisk 2.42

RP10: 4/23/2013 7:57:25 PM - System Checkpoint

RP11: 4/24/2013 8:44:34 PM - System Checkpoint

RP12: 4/26/2013 7:01:13 PM - System Checkpoint

RP13: 4/28/2013 10:02:16 AM - System Checkpoint

RP14: 5/1/2013 6:33:36 PM - System Checkpoint

RP15: 5/2/2013 7:08:29 PM - System Checkpoint

RP16: 5/3/2013 7:10:04 PM - System Checkpoint

RP17: 5/4/2013 8:40:23 PM - System Checkpoint

RP18: 5/5/2013 8:46:37 PM - System Checkpoint

RP19: 5/7/2013 7:17:29 PM - System Checkpoint

RP20: 5/11/2013 7:32:05 AM - System Checkpoint

RP21: 5/12/2013 9:29:29 AM - System Checkpoint

RP22: 5/15/2013 7:00:05 PM - System Checkpoint

RP23: 5/17/2013 7:04:47 PM - System Checkpoint

RP24: 5/18/2013 7:48:24 PM - System Checkpoint

RP25: 5/19/2013 8:22:51 PM - System Checkpoint

RP26: 5/20/2013 8:27:52 PM - Installed Windows XP KB959658.

RP27: 5/20/2013 8:30:20 PM - Installed Windows XP KB2661254-v2.

RP28: 5/24/2013 7:02:28 PM - System Checkpoint

RP29: 5/26/2013 10:25:33 AM - System Checkpoint

RP30: 5/27/2013 11:47:44 AM - System Checkpoint

RP31: 5/28/2013 7:53:30 PM - System Checkpoint

RP32: 5/29/2013 8:31:10 PM - System Checkpoint

RP33: 5/31/2013 7:28:35 PM - System Checkpoint

RP34: 6/2/2013 9:32:04 AM - System Checkpoint

RP35: 6/5/2013 8:01:43 AM - System Checkpoint

.

==== Installed Programs ======================

.

7-Zip 9.20

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader 7.0

Adobe Shockwave Player 11

Amazon Kindle For PC

ATI Display Driver

Bonjour

Broadcom 802.11 Network Adapter

Brother BRAdmin Professional 2.49

Brother Driver Deployment Wizard

Brother MFL-Pro Suite

Browser Address Error Redirector

BurnPlugin for Audible

Click to Call with Skype

Compatibility Pack for the 2007 Office system

Creative MediaSource 5

Creative MuVo V100

Creative System Information

Critical Update for Windows Media Player 11 (KB959772)

DNA

DVD Solution

Express Dictate

Express Scribe

GearDrvs

GenoPro Beta 2.b19f

Google Video Player

gtw_logo

High Definition Audio Driver Package - KB888111

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 10 (KB903157)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB2633952)

Hotfix for Windows XP (KB2756822)

Hotfix for Windows XP (KB2779562)

Hotfix for Windows XP (KB915800-v4)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB959658)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

IHA_MessageCenter

IMM4 VCM Codec 3.0.0.2

InfraRecorder

IrfanView (remove only)

Java Auto Updater

Java 6 Update 24

LizardTech DjVu Control (autoinstall)

Lotus NotesSQL 3.01 driver

Lotus SmartSuite - English

Malwarebytes' RogueRemover

Malwarebytes Anti-Malware version 1.75.0.1300

MediaJoin

Microsoft .NET Framework 1.0 Hotfix (KB2572066)

Microsoft .NET Framework 1.0 Hotfix (KB2604042)

Microsoft .NET Framework 1.0 Hotfix (KB2656378)

Microsoft .NET Framework 1.0 Hotfix (KB953295)

Microsoft .NET Framework 1.0 Hotfix (KB979904)

Microsoft .NET Framework 1.0 Security Update (KB2742607)

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2742597)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Digital Image Library 9 - Blocker

Microsoft Digital Image Starter Edition 2006

Microsoft Digital Image Starter Edition 2006 Editor

Microsoft Digital Image Starter Edition 2006 Library

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office File Validation Add-In

Microsoft Office Standard Edition 2003

Microsoft Silverlight

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2005 Redistributable - KB2467175

Microsoft Works

Motorola SM56 Data Fax Modem

Move Media Player

Mp3tag v2.46a

Mplayer 0.6.9

MSN

MSXML 4.0 SP2 (KB925672)

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Napster Burn Engine

NCH Speech Recognition Tools

NCH Toolbox

Norton 360

PaperPort

Plex Media Server

Power2Go 4.0

PowerDVD

PowerPaint 2.50

QuickFile5

QuickTime

REALTEK RTL8187 Wireless LAN Driver and Utility

RealUpgrade 1.0

Recovery Software Suite Gateway

Remove Hidden Data Tool

Rhapsody Player Engine

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)

Security Update for Microsoft Windows (KB2564958)

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Windows Internet Explorer 7 (KB2183461)

Security Update for Windows Internet Explorer 7 (KB2360131)

Security Update for Windows Internet Explorer 7 (KB2416400)

Security Update for Windows Internet Explorer 7 (KB2482017)

Security Update for Windows Internet Explorer 7 (KB928090)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB931768)

Security Update for Windows Internet Explorer 7 (KB933566)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Internet Explorer 7 (KB974455)

Security Update for Windows Internet Explorer 7 (KB976325)

Security Update for Windows Internet Explorer 7 (KB978207)

Security Update for Windows Internet Explorer 7 (KB982381)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2530548)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2559049)

Security Update for Windows Internet Explorer 8 (KB2586448)

Security Update for Windows Internet Explorer 8 (KB2618444)

Security Update for Windows Internet Explorer 8 (KB2675157)

Security Update for Windows Internet Explorer 8 (KB2699988)

Security Update for Windows Internet Explorer 8 (KB2744842)

Security Update for Windows Internet Explorer 8 (KB2761465)

Security Update for Windows Internet Explorer 8 (KB2792100)

Security Update for Windows Internet Explorer 8 (KB2797052)

Security Update for Windows Internet Explorer 8 (KB2799329)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Search 4 - KB963093

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2491683)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2584146)

Security Update for Windows XP (KB2585542)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB2598479)

Security Update for Windows XP (KB2603381)

Security Update for Windows XP (KB2618451)

Security Update for Windows XP (KB2620712)

Security Update for Windows XP (KB2621440)

Security Update for Windows XP (KB2624667)

Security Update for Windows XP (KB2631813)

Security Update for Windows XP (KB2633171)

Security Update for Windows XP (KB2639417)

Security Update for Windows XP (KB2646524)

Security Update for Windows XP (KB2653956)

Security Update for Windows XP (KB2655992)

Security Update for Windows XP (KB2659262)

Security Update for Windows XP (KB2661637)

Security Update for Windows XP (KB2676562)

Security Update for Windows XP (KB2685939)

Security Update for Windows XP (KB2686509)

Security Update for Windows XP (KB2691442)

Security Update for Windows XP (KB2695962)

Security Update for Windows XP (KB2698365)

Security Update for Windows XP (KB2705219-v2)

Security Update for Windows XP (KB2707511)

Security Update for Windows XP (KB2712808)

Security Update for Windows XP (KB2718523)

Security Update for Windows XP (KB2719985)

Security Update for Windows XP (KB2723135-v2)

Security Update for Windows XP (KB2724197)

Security Update for Windows XP (KB2727528)

Security Update for Windows XP (KB2731847-v2)

Security Update for Windows XP (KB2753842-v2)

Security Update for Windows XP (KB2757638)

Security Update for Windows XP (KB2758857)

Security Update for Windows XP (KB2770660)

Security Update for Windows XP (KB2778344)

Security Update for Windows XP (KB2779030)

Security Update for Windows XP (KB2780091)

Security Update for Windows XP (KB2799494)

Security Update for Windows XP (KB2802968)

Security Update for Windows XP (KB913433)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981349)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

SigmaTel Audio

Sonic Encoders

Sony Digital Voice Editor 2

Sony Player Plug-in for Windows Media Player

SoundTap Streaming Audio Recorder

STP Viewer 2.3

Switch Sound File Converter

Synaptics Pointing Device Driver

Texas Instruments PCIxx21/x515/xx12 drivers.

TIPCI

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 7 (KB976749)

Update for Windows Internet Explorer 7 (KB980182)

Update for Windows Internet Explorer 8 (KB2447568)

Update for Windows Internet Explorer 8 (KB2598845)

Update for Windows Internet Explorer 8 (KB2632503)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Media Player 10 (KB910393)

Update for Windows Media Player 10 (KB913800)

Update for Windows Media Player 10 (KB926251)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2492386)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2607712)

Update for Windows XP (KB2616676-v2)

Update for Windows XP (KB2641690)

Update for Windows XP (KB2661254-v2)

Update for Windows XP (KB2718704)

Update for Windows XP (KB2736233)

Update for Windows XP (KB2749655)

Update for Windows XP (KB951978)

Update for Windows XP (KB953356)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Update Rollup 2 for Windows XP Media Center Edition 2005

VC80CRTRedist - 8.0.50727.6195

Verizon Download Manager

Verizon Toolbar

Viewpoint Media Player

VLC media player 2.0.1

vShare Toolbar

Vz In Home Agent

WD Anywhere Backup

Web Dictate

WebFldrs XP

Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Management Framework Core

Windows Media Format 11 runtime

Windows Media Player 11

Windows Search 4.0

Windows XP Media Center Edition 2005 KB2502898

Windows XP Media Center Edition 2005 KB2619340

Windows XP Media Center Edition 2005 KB2628259

Windows XP Media Center Edition 2005 KB925766

Windows XP Media Center Edition 2005 KB973768

Windows XP Service Pack 3

WordPerfect Office 12

.

==== Event Viewer Messages From Past Week ========

.

6/12/2013 10:43:17 AM, error: ati2mtag [45062] - CRT invalid display type

6/12/2013 10:42:56 AM, error: WPDMTPDriver [15300] - MTP WPD Driver has failed to start. Error 0x80070005.

.

==== End Of File ===========================

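The repeated outgoing IP-BLOCK entries are the central evidence in this thread. As an added example (not from this thread, Malwarebytes, or any tool used here), the following Python parses that 1.x protection-log line format, groups blocks by destination and direction, and measures how often they recur, so a reader can tell a steady, browser-independent retry pattern from a one-off block; the sample lines are constructed in the same format, reusing the hostname, destination and timestamps quoted in the thread plus a made-up incoming entry and a made-up non-block line for contrast, and the thresholds in persistent_outgoing are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# One Malwarebytes Anti-Malware 1.x protection-log block entry, as quoted in this thread:
#   2013/06/12 17:53:03 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
# Fields: date, time, UTC offset, hostname, user, event, address, direction.
IP_BLOCK_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) IP-BLOCK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<direction>incoming|outgoing)\)$"
)


def parse_ip_block(line):
    """Return the fields of one IP-BLOCK line, or None for any other line."""
    m = IP_BLOCK_RE.match(line.strip())
    if m is None:
        return None
    # All lines of one log share the UTC offset, so local time is enough for gaps.
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y/%m/%d %H:%M:%S")
    return {"ts": ts, "tz": m["tz"], "host": m["host"], "user": m["user"],
            "ip": m["ip"], "direction": m["direction"]}


def summarize_blocks(lines):
    """Group IP-BLOCK entries by (address, direction) and measure how they recur:
    count, first/last timestamp, span covered, mean and largest gap between blocks."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_ip_block(line)
        if rec is not None:
            buckets[(rec["ip"], rec["direction"])].append(rec["ts"])
    summary = {}
    for key, stamps in buckets.items():
        stamps.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        summary[key] = {
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            "span_seconds": (stamps[-1] - stamps[0]).total_seconds(),
            "mean_gap_seconds": sum(gaps) / len(gaps) if gaps else None,
            "max_gap_seconds": max(gaps) if gaps else None,
        }
    return summary


def persistent_outgoing(summary, min_count=10, max_mean_gap=60.0):
    """Addresses blocked repeatedly in the outgoing direction at short intervals.

    Many outgoing blocks to one address seconds apart, continuing while no browser
    window is open, point to a process on the host that keeps retrying that server;
    the process behind the connections is what then needs identifying.  The
    thresholds are assumptions for this example, not settings of any tool here.
    """
    return sorted(
        ip for (ip, direction), s in summary.items()
        if direction == "outgoing"
        and s["count"] >= min_count
        and s["mean_gap_seconds"] is not None
        and s["mean_gap_seconds"] <= max_mean_gap
    )


# Constructed sample: the twelve outgoing entries reuse values quoted in the thread;
# the first line and the incoming entry (documentation address 198.51.100.7) are made up.
SAMPLE_LOG = """\
2013/06/12 17:52:00 -0500 GW-5B4ED3A077 Owner MESSAGE constructed non-block line
2013/06/12 17:53:03 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:06 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:12 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:13 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:14 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:17 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:18 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:18 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:19 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:20 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:55:10 -0500 GW-5B4ED3A077 Owner IP-BLOCK 198.51.100.7 (Type: incoming)
"""


if __name__ == "__main__":
    report = summarize_blocks(SAMPLE_LOG.splitlines())
    for (ip, direction), s in sorted(report.items()):
        print(f"{ip:15} {direction:8} count={s['count']:3} span={s['span_seconds']:.0f}s "
              f"mean_gap={s['mean_gap_seconds']} max_gap={s['max_gap_seconds']}")
    print("persistent outgoing:", persistent_outgoing(report))
```

Run it against a saved copy of the protection log (one entry per line) to see whether blocks to an address cluster at short, regular intervals; that pattern is what justifies looking at which process owns the connections next.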

  • Staff

Hello Charlie_Whisky

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!


  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

These are the programs I would like you to run next; if you have any problems with one of these, just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

When they are complete let me have the two reports and let me know how things are running.

Gringo


Hi Gringo, thanks for helping:

The reports for AdwCleaner and JRT are copied below at the end of this post.

AdwCleaner pretty well ran as you described, rebooted the computer and produced its report.

JRT, when running at the stage “Check Registry,” gave 5 lines of "access is denied" in the open terminal window, but it still finished its checks and generated the report shown below.

Note that I had both my Norton 360 antivirus and firewall disabled and MBAM off while JRT was running (bit nervous about doing that), so I don’t think that these would cause the “access is denied” messages.

FEEDBACK: So how is the computer running now?

I am using two main criteria to suggest that my problem is still present:

1) MBAM is still opening a window saying: “successfully blocked access to a potentially malicious website 95.211.194.79” (Type: outgoing).

This window still keeps periodically opening every minute or so.

Here is a sample of the most recent portion of today’s protection log, since running AdwCleaner and JRT:

2013/06/12 17:53:03 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:06 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:12 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:13 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:14 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:17 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:18 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:18 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:19 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:20 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:21 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:21 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:22 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:24 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:26 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:27 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:28 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:28 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:28 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:29 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:30 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:31 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:31 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:31 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 17:53:32 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2) Multiple versions of iexplore.exe keep opening up, even though I have not started IE

Gringo, I'm not sure if this is caused by the same problem as (1), but if I have Task Manager open, watching the running processes, I will see two or three “image names” corresponding to iexplore.exe. But IE was not started by me and there is no open IE window. If I end these specific processes, then a minute or so later, iexplore.exe reappears as a process in Task Manager.

Do you have any other suggestions?

AdwCleaner REPORT

# AdwCleaner v2.303 - Logfile created 06/12/2013 at 16:58:37

# Updated 08/06/2013 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : Owner - GW-5B4ED3A077

# Boot Mode : Normal

# Running from : C:\Documents and Settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\adwCleaner\AdwCleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

Deleted on reboot : C:\Program Files\Common Files\AVG Secure Search

File Deleted : C:\WINDOWS\system32\conduitEngine.tmp

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon

Folder Deleted : C:\Documents and Settings\All Users\Application Data\boost_interprocess

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint

Folder Deleted : C:\Program Files\Ilivid

Folder Deleted : C:\Program Files\Red Sky

Folder Deleted : C:\Program Files\verizontb

Folder Deleted : C:\Program Files\Viewpoint

Folder Deleted : C:\Program Files\vShare

***** [Registry] *****

Key Deleted : HKCU\Software\Conduit

Key Deleted : HKCU\Software\InstallCore

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{96673559-E653-4CDC-8923-F89347A952C0}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F8D96645-337C-419B-8792-B6C126145811}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{043C5167-00BB-4324-AF7E-62013FAEDACF}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3B7599DF-3D5D-4EF5-BF51-9C2EDA788E83}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{96673559-E653-4CDC-8923-F89347A952C0}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F8D96645-337C-419B-8792-B6C126145811}

Key Deleted : HKCU\Software\Softonic

Key Deleted : HKCU\Software\vShare

Key Deleted : HKCU\Software\YahooPartnerToolbar

Key Deleted : HKCU\Software\Zugo

Key Deleted : HKLM\Software\AVG Security Toolbar

Key Deleted : HKLM\Software\Babylon

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE

Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{043C5167-00BB-4324-AF7E-62013FAEDACF}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3B7599DF-3D5D-4EF5-BF51-9C2EDA788E83}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{96673559-E653-4CDC-8923-F89347A952C0}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F8D96645-337C-419B-8792-B6C126145811}

Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{20ED5AF7-D9C4-409E-9EB3-D2A44A77FB6D}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}

Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap

Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol

Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\vsharechrome

Key Deleted : HKLM\SOFTWARE\Classes\S

Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi

Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1

Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2801948

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3E315C81-442B-431C-AEC8-ED189699EC24}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}

Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE

Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1

Key Deleted : HKLM\SOFTWARE\Classes\vShare.IMedixProtocol

Key Deleted : HKLM\SOFTWARE\Classes\vShare.IMedixProtocol.1

Key Deleted : HKLM\SOFTWARE\Classes\vShare.PugiObj

Key Deleted : HKLM\SOFTWARE\Classes\vShare.PugiObj.1

Key Deleted : HKLM\SOFTWARE\Classes\vShare.ScriptHelpers

Key Deleted : HKLM\SOFTWARE\Classes\vShare.ScriptHelpers.1

Key Deleted : HKLM\Software\Conduit

Key Deleted : HKLM\Software\Freeze.com

Key Deleted : HKLM\Software\MetaStream

Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}

Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\vShare

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{043C5167-00BB-4324-AF7E-62013FAEDACF}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96673559-E653-4CDC-8923-F89347A952C0}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F8D96645-337C-419B-8792-B6C126145811}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3B7599DF-3D5D-4EF5-BF51-9C2EDA788E83}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\vShare

Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin

Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP

Key Deleted : HKLM\Software\Viewpoint

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{043C5167-00BB-4324-AF7E-62013FAEDACF}]

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{F8D96645-337C-419B-8792-B6C126145811}]

Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{043C5167-00BB-4324-AF7E-62013FAEDACF}]

Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]

Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{F8D96645-337C-419B-8792-B6C126145811}]

Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [10282 octets] - [12/06/2013 16:56:38]

AdwCleaner[s1].txt - [10139 octets] - [12/06/2013 16:58:37]

########## EOF - C:\AdwCleaner[s1].txt - [10200 octets] ##########

JRT REPORT

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 4.9.4 (05.06.2013:1)

OS: Microsoft Windows XP x86

Ran by Owner on Wed 06/12/2013 at 17:12:29.48

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{16823B47-26A9-45C0-8429-314E0AE07086}

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5B7ABA07-7D53-407C-BA8B-F2F3A3E01E37}

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6A35CB2B-7435-417F-A5CB-698DE6E4B3B7}

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C0A3DE49-3EF2-482C-BCE7-700D1F6B53BB}

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CB6AAD89-B6A3-440A-BA7F-39375C3B3D1D}

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{F847030E-B096-432E-816F-D313BB4CA9AB}

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{FBA0C2D5-8560-4555-838B-09738CFC3935}

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\babylon"

Successfully deleted: [Folder] "C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\verizontb"

Successfully deleted: [Folder] "C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\vshare"

Successfully deleted: [Folder] "C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\babylon"

Successfully deleted: [Folder] "C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\ilivid player"

Successfully deleted: [Folder] "C:\Program Files\bigfix"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Wed 06/12/2013 at 17:22:27.07

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


  • Staff

Hello Charlie_Whisky

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


Hello Gringo

The Combo Fix (CF) report is at the end of this post.

As you suspected, CF asked to install the system recovery console before proceeding, so I let it do so.

After CF restarted the computer, Norton 360 popped up with a message Error 8501 421 but I just canceled it. Windows Security Alert popped up messages that there was no firewall and that auto updates was off, but I just ignored it and let CF finish until it popped up its report.

After the report popped up, I re-enabled Norton 360 and did another restart.

FEEDBACK: how is the computer running now??

1) MBAM is no longer continuously popping up the message “successfully blocked access to a potentially malicious website 85.211194.79 Type outgoing. “

There were one or two similar popups, but not a continued series.

Once again today’s most recent portion of the protection log:

2013/06/12 18:41:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 18:41:41 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 18:41:42 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2013/06/12 18:41:43 -0500 GW-5B4ED3A077 Owner MESSAGE Stopping protection

2013/06/12 18:41:43 -0500 GW-5B4ED3A077 Owner MESSAGE Protection stopped successfully

2013/06/12 18:41:43 -0500 GW-5B4ED3A077 Owner MESSAGE Stopping IP protection

2013/06/12 18:41:43 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection stopped successfully

2013/06/12 18:41:46 -0500 GW-5B4ED3A077 Owner MESSAGE Protection stopped

2013/06/12 19:09:09 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection

2013/06/12 19:09:10 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully

2013/06/12 19:09:10 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection

2013/06/12 19:11:05 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully

2013/06/12 19:28:31 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection

2013/06/12 19:28:32 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully

2013/06/12 19:28:32 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection

2013/06/12 19:30:11 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully

2013/06/12 19:47:29 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: outgoing)

2013/06/12 20:16:20 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.99.83 (Type: outgoing)

Notice the two different IP addresses that were blocked once each, but not continuously.

2) Task Manager shows two instances of iexplore.exe running, even though I didn’t start IE. When I ended those processes, another two started soon afterwards. I’m not sure if this is normal or not.

So some improvement, maybe fixed??

Obviously I need to keep monitoring this, but is there anything else?

Turn on windows updates and let it update? Rerun anything?

p.s. As I was preparing this reply, MBAM blocked another, different outgoing IP connection:

2013/06/12 20:45:45 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.8.154.220 (Type: outgoing)

Combo Fix REPORT

ComboFix 13-06-12.02 - Owner 06/12/2013 18:53:19.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1126 [GMT -5:00]

Running from: c:\documents and settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\Combo fix\ComboFix.exe

FW: CA Personal Firewall *Disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\WINDOWS

c:\documents and settings\Default User\WINDOWS

c:\documents and settings\Owner.YOUR-5B4ED3A077\Application Data\Adobe\mushimu.exe

c:\documents and settings\Owner.YOUR-5B4ED3A077\Application Data\Google\T-Scan

c:\documents and settings\Owner.YOUR-5B4ED3A077\Application Data\Google\T-Scan\n.gif

c:\documents and settings\Owner.YOUR-5B4ED3A077\Application Data\Google\T-Scan\t.gif

c:\documents and settings\Owner.YOUR-5B4ED3A077\Application Data\Google\T-Scan\y.gif

c:\documents and settings\Owner.YOUR-5B4ED3A077\WINDOWS

c:\windows\system32\config\systemprofile\Application Data\cdf02b3822bf514b

c:\windows\system32\config\systemprofile\Application Data\eaf248b3d7cb021

c:\windows\system32\config\systemprofile\WINDOWS

c:\windows\system32\Nagasoft

c:\windows\system32\Nagasoft\Codecs\asyncflt.ax

c:\windows\system32\Nagasoft\Codecs\atrc.dll

c:\windows\system32\Nagasoft\Codecs\cook.dll

c:\windows\system32\Nagasoft\Codecs\drvc.dll

c:\windows\system32\Nagasoft\Codecs\raac.dll

c:\windows\system32\Nagasoft\Codecs\RealMediaSplitter.ax

c:\windows\system32\Nagasoft\Codecs\WMFDemux.dll

c:\windows\system32\Nagasoft\GifShower.dll

c:\windows\system32\Nagasoft\vjocx.dll

c:\windows\system32\ndisapi.dll

c:\windows\system32\sdjeavd.tmp

c:\windows\system32\SET4C6.tmp

D:\Autorun.inf

F:\AUTORUN.INF

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_vvdsvc

-------\Legacy_vvdsvc

-------\Service_vvdsvc

-------\Service_vvdsvc

.

.

((((((((((((((((((((((((( Files Created from 2013-05-13 to 2013-06-13 )))))))))))))))))))))))))))))))

.

.

2013-06-12 22:12 . 2013-06-12 22:12 -------- d-----w- c:\windows\ERUNT

2013-06-12 22:12 . 2013-06-12 22:12 -------- d-----w- C:\JRT

2013-06-12 21:52 . 2013-06-12 21:52 -------- d-----w- c:\documents and settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\AVG SafeGuard toolbar

2013-06-12 21:52 . 2013-06-12 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG SafeGuard toolbar

2013-06-12 21:51 . 2013-06-12 21:51 -------- d-----w- c:\documents and settings\Owner.YOUR-5B4ED3A077\Application Data\AVG SafeGuard toolbar

2013-06-12 21:51 . 2013-06-12 21:50 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys

2013-06-12 21:51 . 2013-06-12 22:06 -------- d-----w- c:\program files\Common Files\AVG Secure Search

2013-06-12 21:51 . 2013-06-12 21:51 -------- d-----w- c:\program files\AVG SafeGuard toolbar

2013-06-12 21:50 . 2013-06-12 21:50 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files

2013-06-10 09:54 . 2013-06-10 09:54 -------- d-----w- c:\documents and settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan

2013-05-21 01:23 . 2013-05-28 00:28 -------- d-----w- C:\hotlink

2013-05-21 01:20 . 2008-11-07 10:53 752496 ----a-w- C:\WindowsXP-KB959658-x86-ENU.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-06-12 02:59 . 2012-04-18 18:39 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-06-12 02:59 . 2011-06-15 01:48 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-04-05 00:00 . 2011-06-20 01:25 695578 ----a-w- c:\windows\unins000.exe

2013-04-04 19:50 . 2008-08-09 19:09 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-03-17 23:47 . 2012-03-19 01:58 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2003-12-05 16:41 368640 --sh--r- c:\windows\cwh.exe

2003-12-05 02:16 69632 --sh--r- c:\windows\lnchshll.exe

2003-12-05 02:16 49152 --sh--r- c:\windows\ScrnInt.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Power2GoExpress"="NA" [X]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-08 323392]

"RtWLan"="c:\documents and settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan\gjmqsipv.dll" [2012-10-24 731136]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2011-12-01 206120]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]

"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-24 573440]

"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 413696]

"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-11-01 98304]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

REALTEK RTL8187 Wireless LAN Utility.lnk - c:\program files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe /H [2006-11-1 749568]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe /startup [2008-5-26 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows\system32

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"UmxFwHlp"=2 (0x2)

"ITMRTSVC"=2 (0x2)

"CaCCProvSP"=3 (0x3)

"YahooAUService"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\ses2_client_bin_2_8_13g\\seswiz.exe"=

"c:\\Program Files\\REALTEK RTL8187 Wireless LAN Driver and Utility\\RtWLan.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Plex\\Plex Media Server\\Plex Media Server.exe"=

"c:\\Program Files\\Plex\\Plex Media Server\\PlexScriptHost.exe"=

"c:\\Program Files\\Plex\\Plex Media Server\\PlexDlnaServer.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0

"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1

"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2

"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3

"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4

"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5

"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6

"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7

"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8

"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9

"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification

"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration

"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

"4100:UDP"= 4100:UDP:uPNP Router Control Port

"50000:UDP"= 50000:UDP:IHA_MessageCenter

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\1403010.016\symds.sys [4/8/2013 7:03 PM 367704]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\1403010.016\symefa.sys [4/8/2013 7:03 PM 934488]

R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [6/12/2013 4:51 PM 37664]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\BASHDefs\20130531.001\BHDrvx86.sys [5/31/2013 11:58 AM 1002072]

R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360\1403010.016\ccsetx86.sys [4/8/2013 7:03 PM 134304]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\1403010.016\ironx86.sys [4/8/2013 7:03 PM 175264]

R2 cwh;cwh;c:\windows\cwh.exe [12/23/2006 3:19 PM 368640]

R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [12/12/2011 11:03 AM 352248]

R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/10/2012 8:40 PM 418376]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/9/2008 2:09 PM 701512]

R2 N360;Norton 360;c:\program files\Norton 360\Engine\20.3.1.22\ccsvchst.exe [4/8/2013 7:02 PM 144520]

R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [12/1/2011 6:11 AM 206120]

R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [12/1/2011 6:11 AM 185640]

R2 vToolbarUpdater15.2.0;vToolbarUpdater15.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe [6/12/2013 4:51 PM 1015984]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2012 10:27 PM 106656]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\IPSDefs\20130612.001\IDSXpx86.sys [6/12/2013 4:50 PM 373728]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/9/2008 2:09 PM 22856]

S0 jwsog;jwsog;c:\windows\system32\drivers\xbjj.sys --> c:\windows\system32\drivers\xbjj.sys [?]

S0 plmd;plmd;c:\windows\system32\drivers\xvqfl.sys --> c:\windows\system32\drivers\xvqfl.sys [?]

S0 qnmthkg;qnmthkg;c:\windows\system32\drivers\dgwdfd.sys --> c:\windows\system32\drivers\dgwdfd.sys [?]

S0 shho;shho;c:\windows\system32\drivers\rtbiatm.sys --> c:\windows\system32\drivers\rtbiatm.sys [?]

S3 EraserUtilDrv11210;EraserUtilDrv11210;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11210.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11210.sys [?]

S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\drivers\ICDSX.sys [10/1/2003 5:44 PM 31744]

S3 WebDictateService;Web Dictate;c:\program files\NCH Software\WebDictate\webdictate.exe [2/7/2012 10:13 AM 814596]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

vvdsvc REG_MULTI_SZ vvdsvc

.

Contents of the 'Scheduled Tasks' folder

.

2013-06-12 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 02:59]

.

2012-02-10 c:\windows\Tasks\expressShakeIcon.job

- c:\program files\NCH Software\Express\express.exe [2012-02-07 15:13]

.

2013-06-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1542910684-3637753515-2293041949-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

.

2013-06-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1542910684-3637753515-2293041949-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

.

2013-03-06 c:\windows\Tasks\scribeShakeIcon.job

- c:\program files\NCH Software\Scribe\scribe.exe [2012-02-07 15:12]

.

2013-06-12 c:\windows\Tasks\User_Feed_Synchronization-{6F0D77EB-9DFC-4C8F-B264-D6025F8ED514}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6453

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB

DPF: {3A52566B-6018-485B-B713-8B9FF660D8E8} - hxxp://71.123.169.42:0/webdvr2.18.2.16_71.0.0.0.cab

DPF: {9282A3AA-4954-46B4-B4AE-F086CE3F1110} - hxxp://71.123.169.42:0/regtrustsite.cab

DPF: {9CA74596-B5BB-4634-971C-F0224115A15F} - hxxp://nba.tom.com/video/tcastV1.cab

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)

HKCU-Run-Messenger (Yahoo!) - c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

HKLM-Run-cctray - c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe

HKLM-Run-capfupgrade - c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe

HKLM-Run-capfasem - c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

HKLM-Run-cafwc - c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe

HKLM-Run-ATICCC - c:\program files\ATI Technologies\ATI.ACE\cli.exe

HKLM-Run-MioNet - c:\program files\MioNet\MioNetLauncher.exe

HKLM-Run-googletalk - c:\program files\Google\Google Talk\googletalk.exe

c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk - c:\program files\BigFix\bigfix.exe /atstartup

MSConfigStartUp-kdfvb - c:\windows\system32\kdfvb.exe

AddRemove-GenoPro Beta - c:\program files\GenoPro Beta\Uninstall.exe

AddRemove-MSNINST - c:\program files\MSN\MsnInstaller\msninst.exe

AddRemove-verizontb - c:\program files\verizontb\uninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-06-12 19:10

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\20.3.1.22\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\20.3.1.22\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(964)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\BCMLogon.dll

.

- - - - - - - > 'explorer.exe'(1756)

c:\windows\system32\WININET.dll

c:\documents and settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan\gjmqsipv.dll

c:\progra~1\WINDOW~3\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\CTsvcCDA.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\windows\system32\SearchIndexer.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\SearchProtocolHost.exe

c:\windows\eHome\ehmsas.exe

c:\windows\system32\regsvr32.exe

c:\program files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe

c:\program files\Windows Desktop Search\WindowsSearch.exe

c:\program files\Internet Explorer\IEXPLORE.EXE

c:\program files\Internet Explorer\IEXPLORE.EXE

c:\windows\system32\SearchFilterHost.exe

.

**************************************************************************

.

Completion time: 2013-06-12 19:21:06 - machine was rebooted

ComboFix-quarantined-files.txt 2013-06-13 00:21

.

Pre-Run: 77,472,980,992 bytes free

Post-Run: 77,502,533,632 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

.

- - End Of File - - 79B4A49AC43D33545164058E0F336789

B20939CD98B7710036274839082AE757
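The protection-log excerpts quoted in the post above are easier to reason about once the IP-BLOCK lines are aggregated per remote address: a burst of blocks to one address within seconds (as with 95.211.194.79 earlier in the thread) points to a process that keeps retrying, whereas a single block per address is a different pattern. The following triage script is an added example, not code from Malwarebytes or from anyone in this thread; it parses lines in the log layout shown above, counts blocks per address and direction, and flags addresses blocked repeatedly inside a short window. The sample lines are constructed for the example (they mirror the format and addresses quoted in the thread), and the 60-second window and three-block threshold are illustrative choices, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input in the Malwarebytes protection-log layout quoted in the thread.
# MESSAGE lines are included to show that only IP-BLOCK events are counted.
SAMPLE_LOG = """\
2013/06/12 18:41:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 18:41:41 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 18:41:42 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 18:41:43 -0500 GW-5B4ED3A077 Owner MESSAGE Stopping protection
2013/06/12 19:47:29 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: outgoing)
2013/06/12 20:16:20 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.99.83 (Type: outgoing)
2013/06/13 21:19:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.60.91 (Type: incoming)
"""

# One IP-BLOCK line: timestamp, UTC offset, host, user, address, direction.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) IP-BLOCK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<direction>incoming|outgoing)\)$"
)


def parse_blocks(text):
    """Return a list of IP-BLOCK events; MESSAGE and ERROR lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        events.append({"ts": ts, "ip": m["ip"], "direction": m["direction"], "host": m["host"]})
    return events


def summarize(events, burst_window=timedelta(seconds=60), burst_min=3):
    """Aggregate events per (ip, direction).

    'burst' is True when at least burst_min blocks to the same address fall
    inside any burst_window-long interval (a retrying process), as opposed to
    a single block per address. Both thresholds are illustrative assumptions.
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["ip"], e["direction"])].append(e["ts"])

    summary = {}
    for key, stamps in by_key.items():
        stamps.sort()
        # Sliding window over sorted timestamps: most blocks inside one window.
        max_in_window, j = 0, 0
        for i in range(len(stamps)):
            while stamps[i] - stamps[j] > burst_window:
                j += 1
            max_in_window = max(max_in_window, i - j + 1)
        summary[key] = {
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            "burst": max_in_window >= burst_min,
        }
    return summary


if __name__ == "__main__":
    for (ip, direction), info in sorted(summarize(parse_blocks(SAMPLE_LOG)).items()):
        flag = "BURST" if info["burst"] else "single/sparse"
        print(f"{ip:16} {direction:9} blocks={info['count']} first={info['first']} "
              f"last={info['last']} {flag}")
```

Run it over a saved copy of the protection log (read the file into `parse_blocks` instead of `SAMPLE_LOG`) to get one line per remote address with the block count and whether the blocks arrived as a burst; the addresses and times themselves are what you would then cross-reference against the tools' reports, rather than treating each popup in isolation.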


  • Staff

Hello Charlie_Whisky

I would like you to try and run these next.

TDSSKiller

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • More than one report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". The one that I need is the larger one. Please copy and paste the contents of that file here.
    Note: this report can be very long, so if the website gives you an error saying it is too long you may attach it.
    If the forum still complains about it being too long, send me everything that is at the end of the report after where it says
    ==================
    Scan finished
    ==================

and I will see if I want to see the whole report

--RogueKiller--

Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit

  • Quit all programs that you may have started.
  • Please disconnect any external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The scan will make two reports; the one I would like to see is called RKreport[2].txt on your Desktop
  • Exit/Close RogueKiller

Send me the reports made from TDSSKiller and RogueKiller and also let me know how the computer is doing at this time.

Gringo


Hello Gringo

The reports for TDSSKiller (TDSK) and RogueKiller (RK) are at the end of this post.

Update: I can't paste all of TDSK report so I'll just show the end part below.

My first attempt to run TDSK was a bit of a bust.

After I clicked on “loaded modules” TDSK rebooted.

A terminal window popped up asking approval to run the program, which I accepted. But then the TDSK box didn’t pop up again, so there was no opportunity to click on “loaded modules” or check all the boxes, okay, etc...

I could tell that TDSK was running because it showed up as a process (and using about 50% of my CPU).

I just let it run.

About an hour later I came back and the process was done. Still nothing popped up though. In the root (C:) I found two files created: TDSSKiller.2.8.16.0_12.06.2013_22.18.36_log (about 4 KB) and a very large file “pagefile” which was a system file (about 2 MB).

This didn’t look much like the process you described. It was late, and so I just shut the computer down and called it a day.

Today, I tried running TDSK again, and this time I had better success, in that the process ran pretty well as you described.

This time after TDSK rebooted and I accepted to run the program, the TDSK box popped up and I was able to click on “loaded modules” and check all the boxes okay.

The program ran for a few minutes and gave its report: all the detected items were suspicious objects only; no malicious objects found.

So all of the default actions were “skip”. After clicking on continue there were two reports: TDSSKiller.2.8.16.0_13.06.2013_18.56.27_log (4KB) and TDSSKiller.2.8.16.0_13.06.2013_19.00.01_log (679 KB). It is the second file that is at the end of this post. That big system file “pagefile” is still in the root directory.

For good measure I restarted the computer before moving on to RogueKiller.

RK pretty well ran smoothly. RK detected 6 objects and I selected delete.

The report RKreport[2]_D_06132013_02d2118 (6KB) is at the end of this post.

FEEDBACK how is the computer working??

1) While writing this summary without IE open, I saw the MBAM window pop up a few times (again, no longer continuously popping up).

Here is the whole protection log for today so far:

2013/06/13 18:50:39 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection

2013/06/13 18:50:39 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully

2013/06/13 18:50:39 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection

2013/06/13 18:52:06 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully

2013/06/13 18:59:15 -0500 GW-5B4ED3A077 ERROR StartServiceCtrlDispatcher failed with error code 1063

2013/06/13 21:07:27 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection

2013/06/13 21:07:27 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully

2013/06/13 21:07:27 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection

2013/06/13 21:08:05 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully

2013/06/13 21:09:56 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.241.217.206 (Type: outgoing)

2013/06/13 21:19:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.60.91 (Type: incoming)

2013/06/13 21:22:34 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection

2013/06/13 21:22:34 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully

2013/06/13 21:22:34 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection

2013/06/13 21:23:53 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully

2013/06/13 21:24:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 220.248.167.194 (Type: outgoing)

2013/06/13 21:42:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.60.91 (Type: incoming)

2) Again without IE open I don’t see any versions of iexplore.exe running.

I let the computer run for several minutes to see if iexplore.exe would pop up but nothing so far.

I notice that in this state CPU use is around 1-3%, whereas yesterday it was around 3-5%, with more spikes.

3) Since yesterday pages on IE don’t show any pictures, just blank boxes with red Xs, like on this page. I had to go to another computer to post this. So is there a way to restore IE to a normal state, please?

So what is next Gringo??

P.S. Just as I’m about ready to post this, more blocks by MBAM in the protection log (maybe opening notepad??):

2013/06/13 21:53:29 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.117.183.15 (Type: outgoing)

2013/06/13 22:05:18 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.60.91 (Type: incoming)

2013/06/13 22:07:40 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.33.188 (Type: outgoing)

TDSSKiller REPORT

============================================================

19:04:59.0078 0228 Scan finished

19:04:59.0078 0228 ============================================================

19:04:59.0093 3468 Detected object count: 10

19:04:59.0093 3468 Actual detected object count: 10

19:05:36.0468 3468 AegisP ( UnsignedFile.Multi.Generic ) - skipped by user

19:05:36.0468 3468 AegisP ( UnsignedFile.Multi.Generic ) - User select action: Skip

19:05:36.0468 3468 Creative Service for CDROM Access ( UnsignedFile.Multi.Generic ) - skipped by user

19:05:36.0468 3468 Creative Service for CDROM Access ( UnsignedFile.Multi.Generic ) - User select action: Skip

19:05:36.0468 3468 cwh ( UnsignedFile.Multi.Generic ) - skipped by user

19:05:36.0468 3468 cwh ( UnsignedFile.Multi.Generic ) - User select action: Skip

19:05:36.0468 3468 ICDSPTSV ( UnsignedFile.Multi.Generic ) - skipped by user

19:05:36.0468 3468 ICDSPTSV ( UnsignedFile.Multi.Generic ) - User select action: Skip

19:05:36.0484 3468 MHN ( UnsignedFile.Multi.Generic ) - skipped by user

19:05:36.0484 3468 MHN ( UnsignedFile.Multi.Generic ) - User select action: Skip

19:05:36.0484 3468 MHNDRV ( UnsignedFile.Multi.Generic ) - skipped by user

19:05:36.0484 3468 MHNDRV ( UnsignedFile.Multi.Generic ) - User select action: Skip

19:05:36.0484 3468 NCHSSVAD ( UnsignedFile.Multi.Generic ) - skipped by user

19:05:36.0484 3468 NCHSSVAD ( UnsignedFile.Multi.Generic ) - User select action: Skip

19:05:36.0484 3468 PMEM ( UnsignedFile.Multi.Generic ) - skipped by user

19:05:36.0484 3468 PMEM ( UnsignedFile.Multi.Generic ) - User select action: Skip

19:05:36.0484 3468 PrismXL ( UnsignedFile.Multi.Generic ) - skipped by user

19:05:36.0484 3468 PrismXL ( UnsignedFile.Multi.Generic ) - User select action: Skip

19:05:36.0500 3468 WebDictateService ( UnsignedFile.Multi.Generic ) - skipped by user

19:05:36.0500 3468 WebDictateService ( UnsignedFile.Multi.Generic ) - User select action: Skip

19:08:21.0281 3700 Deinitialize success

RogueKiller REPORT

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Owner [Admin rights]

Mode : Remove -- Date : 06/13/2013 21:18:05

| ARK || FAK || MBR |

¤¤¤ Bad processes : 4 ¤¤¤

[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan\gjmqsipv.dll [x] -> UNLOADED

[sUSP PATH] cwh.exe -- C:\WINDOWS\cwh.exe [-] -> KILLED [TermProc]

[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan\gjmqsipv.dll [x] -> UNLOADED

[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan\gjmqsipv.dll [x] -> UNLOADED

¤¤¤ Registry Entries : 5 ¤¤¤

[RUN][sUSP PATH] HKCU\[...]\Run : RtWLan (regsvr32.exe "C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan\gjmqsipv.dll") [-] -> DELETED

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)

[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[12] : NtAlertResumeThread @ 0x805D4BDC -> HOOKED (Unknown @ 0x8A36F418)

SSDT[13] : NtAlertThread @ 0x805D4B8C -> HOOKED (Unknown @ 0x8A322CA0)

SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AC2 -> HOOKED (Unknown @ 0x8A34CBE8)

SSDT[19] : NtAssignProcessToJobObject @ 0x805D66A0 -> HOOKED (Unknown @ 0x8A3C5D20)

SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x8A2120E8)

SSDT[43] : NtCreateMutant @ 0x80617718 -> HOOKED (Unknown @ 0x8A500D30)

SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A02 -> HOOKED (Unknown @ 0x8A367630)

SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0x8A54A108)

SSDT[57] : NtDebugActiveProcess @ 0x80643BA8 -> HOOKED (Unknown @ 0x8A359CE8)

SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0x8A4E35E0)

SSDT[83] : NtFreeVirtualMemory @ 0x805B2FBA -> HOOKED (Unknown @ 0x8A503D78)

SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9258 -> HOOKED (Unknown @ 0x8A343D08)

SSDT[91] : NtImpersonateThread @ 0x805D7860 -> HOOKED (Unknown @ 0x8A343DC8)

SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x8A33F330)

SSDT[108] : unknown @ 0x805B2042 -> HOOKED (Unknown @ 0x8A4E0ED8)

SSDT[114] : NtOpenEvent @ 0x8060F0D6 -> HOOKED (Unknown @ 0x8A544D68)

SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0x8A39B5D0)

SSDT[123] : NtOpenProcessToken @ 0x805EDF26 -> HOOKED (Unknown @ 0x8A2D6760)

SSDT[125] : NtOpenSection @ 0x805AA3F4 -> HOOKED (Unknown @ 0x8A34C660)

SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0x8A364D68)

SSDT[137] : NtProtectVirtualMemory @ 0x805B8426 -> HOOKED (Unknown @ 0x8A5045B8)

SSDT[206] : NtResumeThread @ 0x805D4A18 -> HOOKED (Unknown @ 0x8A564E20)

SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0x8A4E17F8)

SSDT[228] : NtSetInformationProcess @ 0x805CDEA0 -> HOOKED (Unknown @ 0x8A319D18)

SSDT[240] : NtSetSystemInformation @ 0x8060FD8E -> HOOKED (Unknown @ 0x8A359DC8)

SSDT[253] : NtSuspendProcess @ 0x805D4AE0 -> HOOKED (Unknown @ 0x8A5496F0)

SSDT[254] : NtSuspendThread @ 0x805D4952 -> HOOKED (Unknown @ 0x8A413A18)

SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0x8A51C268)

SSDT[258] : unknown @ 0x805D24D2 -> HOOKED (Unknown @ 0x8A4D2378)

SSDT[267] : NtUnmapViewOfSection @ 0x805B2E50 -> HOOKED (Unknown @ 0x8A4EBFD0)

SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (Unknown @ 0x8A3A0758)

S_SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8A2D2D90)

S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A61A3B8)

S_SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A603348)

S_SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8A61A3F0)

S_SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8A2D6D98)

S_SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8A301230)

S_SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8A603300)

S_SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8A60CEB8)

S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A2CB160)

S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8A5F4818)

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9160821A +++++

--- User ---

[MBR] 066baec7920b5163c84ce8ef8c6e6d39

[bSP] db63615aa66f3fdfa2e467ad7beb91fe : Legit.B MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 14346045 | Size: 145612 Mo

1 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 7004 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2]_D_06132013_02d2118.txt >>

RKreport[1]_S_06132013_02d2115.txt ; RKreport[2]_D_06132013_02d2118.txt

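As an added example (not code from Malwarebytes or from anyone in this thread), the following Python script parses protection-log lines of the shape quoted in this post and in the later post further down, and tallies the IP-BLOCK entries per direction and per remote address so that an outgoing address that keeps recurring stands out. The sample lines are copied from the two protection logs quoted in this thread.

```python
"""Tally Malwarebytes 1.x protection-log lines of the kind pasted in this thread."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Shape of one line as it appears in the poster's protection log:
#   2013/06/13 21:09:56 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.241.217.206 (Type: outgoing)
# ERROR lines carry no user name, so that field is optional.
LINE_RE = re.compile(
    r"^(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<host>\S+) (?:(?P<user>\S+) )?"
    r"(?P<kind>MESSAGE|IP-BLOCK|ERROR) (?P<rest>.*)$"
)
BLOCK_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<direction>incoming|outgoing)\)$"
)

# Sample input: lines copied from the protection logs quoted in this thread
# (13 and 15 June), not a complete log.
SAMPLE_LOG = [
    "2013/06/13 18:50:39 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection",
    "2013/06/13 18:59:15 -0500 GW-5B4ED3A077 ERROR StartServiceCtrlDispatcher failed with error code 1063",
    "2013/06/13 21:07:27 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection",
    "2013/06/13 21:08:05 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully",
    "2013/06/13 21:09:56 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.241.217.206 (Type: outgoing)",
    "2013/06/13 21:19:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.60.91 (Type: incoming)",
    "2013/06/13 21:22:34 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection",
    "2013/06/13 21:24:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 220.248.167.194 (Type: outgoing)",
    "2013/06/13 21:42:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.60.91 (Type: incoming)",
    "2013/06/13 21:53:29 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.117.183.15 (Type: outgoing)",
    "2013/06/13 22:05:18 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.60.91 (Type: incoming)",
    "2013/06/13 22:07:40 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.33.188 (Type: outgoing)",
    "2013/06/15 06:21:45 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection",
    "2013/06/15 06:39:54 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing)",
    "2013/06/15 06:55:10 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing)",
]


@dataclass
class Event:
    when: datetime
    host: str
    kind: str                        # MESSAGE, IP-BLOCK or ERROR
    text: str                        # remainder of the line after the kind
    ip: Optional[str] = None         # set for IP-BLOCK lines only
    direction: Optional[str] = None  # "incoming" or "outgoing" for IP-BLOCK lines


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for blank or unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = Event(
        when=datetime.strptime(m["stamp"], "%Y/%m/%d %H:%M:%S"),
        host=m["host"], kind=m["kind"], text=m["rest"],
    )
    if ev.kind == "IP-BLOCK":
        b = BLOCK_RE.match(ev.text)
        if b is None:                # malformed block line: drop it rather than guess
            return None
        ev.ip, ev.direction = b["ip"], b["direction"]
    return ev


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count blocks per direction and per remote address, plus restarts and errors.

    An outgoing block means a process on this host initiated the connection, so
    an outgoing address that recurs is the best lead that the cause is still
    resident; inbound blocks can be unsolicited traffic and say less about the host.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    per_ip = Counter((e.ip, e.direction) for e in events if e.kind == "IP-BLOCK")
    return {
        "events": len(events),
        "restarts": sum(e.text == "Starting protection" for e in events),
        "errors": sum(e.kind == "ERROR" for e in events),
        "blocks_by_direction": Counter(d for (_, d) in per_ip.elements()),
        "blocks_by_ip": per_ip,
        "repeat_outgoing": sorted(
            ip for (ip, d), n in per_ip.items() if d == "outgoing" and n > 1
        ),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```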

  • Staff

Hello Charlie_Whisky

Let's get a deeper look into the system and let's see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.

  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo


Hello Gringo

The OTL.txt report is at the end of this post.

I ran OTL.exe without any apparent issues.

FEEDBACK – how is the computer working?

Today is about the same as yesterday

1) The MBAM window still popped up with a few outgoing blocks, but it's not a continuous stream as before; here’s the protection log from today:

2013/06/15 06:21:45 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection

2013/06/15 06:21:45 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully

2013/06/15 06:21:45 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection

2013/06/15 06:23:13 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully

2013/06/15 06:39:54 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing)

2013/06/15 06:55:10 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing)

2) without opening IE, in task manager, I don’t see any running processes of iexplore.exe.

3) IE, when open, no longer displays images/pictures associated with web pages (just red Xs or blank boxes), so it is difficult to navigate web pages, like this page.

OTL REPORT

OTL logfile created on: 6/15/2013 6:30:40 AM - Run 1

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\OTL

Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 1.15 Gb Available Physical Memory | 61.65% Memory free

3.72 Gb Paging File | 3.08 Gb Available in Paging File | 82.78% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 142.20 Gb Total Space | 72.21 Gb Free Space | 50.78% Space Free | Partition Type: NTFS

Drive D: | 6.83 Gb Total Space | 4.63 Gb Free Space | 67.74% Space Free | Partition Type: FAT32

Computer Name: GW-5B4ED3A077 | User Name: Owner | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\OTL\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe (AVG Secure Search)

PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)

PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)

PRC - C:\Program Files\Norton 360\Engine\20.3.1.22\ccsvchst.exe (Symantec Corporation)

PRC - C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe (Verizon)

PRC - C:\Program Files\VERIZONDM\bin\tgsrvc.exe (SupportSoft, Inc.)

PRC - C:\Program Files\VERIZONDM\bin\sprtsvc.exe (SupportSoft, Inc.)

PRC - C:\Program Files\VERIZONDM\bin\sprtcmd.exe (SupportSoft, Inc.)

PRC - C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)

PRC - C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe (Realtek Semiconductor Corp.)

PRC - C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)

PRC - C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.)

PRC - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)

PRC - C:\WINDOWS\cwh.exe (Warranty Corporation of America)

========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\d7ee03714420b252415b952d40ef59e4\System.ServiceProcess.ni.dll ()

MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management\1a6f9e23985e3159e6dd9827fd81c2fd\System.Management.ni.dll ()

MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\96b7a0136e9e72e8f4eb0230c20766d2\System.Configuration.ni.dll ()

MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\fe025743210c22bea2f009e1612c38bf\System.Xml.ni.dll ()

MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\aeac298c43c77d8860db8e7634d9f2eb\System.ni.dll ()

MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\eab2340ead8e1a84bdf1a87868659979\mscorlib.ni.dll ()

MOD - C:\WINDOWS\system32\quartz.dll ()

MOD - C:\Program Files\Norton 360\Engine\20.3.1.22\wincfi39.dll ()

MOD - C:\WINDOWS\system32\sbe.dll ()

MOD - C:\WINDOWS\system32\msdmo.dll ()

MOD - C:\WINDOWS\system32\devenum.dll ()

MOD - C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\EnumDevLib.dll ()

MOD - C:\WINDOWS\system32\bcm1xsup.dll ()

MOD - C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\acAuth.dll ()

========== Services (SafeList) ==========

SRV - (SNMPTRAP) -- C:\WINDOWS\system32\snmptrap.exe File not found

SRV - (vToolbarUpdater15.2.0) -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe (AVG Secure Search)

SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)

SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)

SRV - (MBAMScheduler) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)

SRV - (N360) -- C:\Program Files\Norton 360\Engine\20.3.1.22\ccSvcHst.exe (Symantec Corporation)

SRV - (IHA_MessageCenter) -- C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe (Verizon)

SRV - (WebDictateService) -- C:\Program Files\NCH Software\WebDictate\webdictate.exe (NCH Software)

SRV - (tgsrvc_verizondm) -- C:\Program Files\VERIZONDM\bin\tgsrvc.exe (SupportSoft, Inc.)

SRV - (sprtsvc_verizondm) -- C:\Program Files\VERIZONDM\bin\sprtsvc.exe (SupportSoft, Inc.)

SRV - (PrismXL) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)

SRV - (cwh) -- C:\WINDOWS\cwh.exe (Warranty Corporation of America)

SRV - (ICDSPTSV) -- C:\WINDOWS\system32\IcdSptSv.exe (Sony Corporation)

========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found

DRV - (shho) -- system32\drivers\rtbiatm.sys File not found

DRV - (qnmthkg) -- system32\drivers\dgwdfd.sys File not found

DRV - (plmd) -- system32\drivers\xvqfl.sys File not found

DRV - (PDRFRAME) -- File not found

DRV - (PDRELI) -- File not found

DRV - (PDFRAME) -- File not found

DRV - (PDCOMP) -- File not found

DRV - (PCIDump) -- File not found

DRV - (lbrtfdc) -- File not found

DRV - (jwsog) -- system32\drivers\xbjj.sys File not found

DRV - (EraserUtilDrv11210) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11210.sys File not found

DRV - (Changer) -- File not found

DRV - (catchme) -- C:\ComboFix\catchme.sys File not found

DRV - (avgtp) -- C:\WINDOWS\system32\drivers\avgtpx86.sys (AVG Technologies)

DRV - (BHDrvx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\BASHDefs\20130531.001\BHDrvx86.sys (Symantec Corporation)

DRV - (NAVEX15) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\VirusDefs\20130613.001\NAVEX15.SYS (Symantec Corporation)

DRV - (NAVENG) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\VirusDefs\20130613.001\NAVENG.SYS (Symantec Corporation)

DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)

DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)

DRV - (IDSxpx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\IPSDefs\20130613.002\IDSXpx86.sys (Symantec Corporation)

DRV - (SYMTDI) -- C:\WINDOWS\system32\drivers\N360\1403010.016\symtdi.sys (Symantec Corporation)

DRV - (SymEFA) -- C:\WINDOWS\system32\drivers\N360\1403010.016\symefa.sys (Symantec Corporation)

DRV - (SRTSP) -- C:\WINDOWS\system32\drivers\N360\1403010.016\srtsp.sys (Symantec Corporation)

DRV - (SRTSPX) -- C:\WINDOWS\system32\drivers\N360\1403010.016\srtspx.sys (Symantec Corporation)

DRV - (SymDS) -- C:\WINDOWS\system32\drivers\N360\1403010.016\symds.sys (Symantec Corporation)

DRV - (SymIMMP) -- C:\WINDOWS\system32\drivers\SymIM.sys (Symantec Corporation)

DRV - (SymIM) -- C:\WINDOWS\system32\drivers\SymIM.sys (Symantec Corporation)

DRV - (SymIRON) -- C:\WINDOWS\system32\drivers\N360\1403010.016\ironx86.sys (Symantec Corporation)

DRV - (ccSet_N360) -- C:\WINDOWS\system32\drivers\N360\1403010.016\ccsetx86.sys (Symantec Corporation)

DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)

DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)

DRV - (NCHSSVAD) -- C:\WINDOWS\system32\drivers\nchssvad.sys (NCH Swift Sound)

DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)

DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)

DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)

DRV - (smserial) -- C:\WINDOWS\system32\drivers\smserial.sys (Motorola Inc.)

DRV - (yukonwxp) -- C:\WINDOWS\system32\drivers\yk51x86.sys (Marvell)

DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)

DRV - (tifm21) -- C:\WINDOWS\system32\drivers\tifm21.sys (Texas Instruments)

DRV - (ICDSX) -- C:\WINDOWS\system32\drivers\ICDSX.sys (Sony Corporation)

DRV - (wanatw) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =

IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6453

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6453

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes,DefaultScope = {7EC915E5-CE4E-47C0-8506-E0CE5B5C8879}

IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{01B1BEBE-793E-4A64-BFAE-9E61703C794B}: "URL" = http://duckduckgo.com/?q={searchTerms}

IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{3DA52092-75EC-4513-B3C3-DA9628B5D34D}: "URL" = http://www.shopzilla.com/buy/superfind.xpml?search_box=1&sfsk=0&cat_id=1&keyword={searchTerms}

IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{5C1B48D4-1670-4617-ADC8-0DDA51F7E33A}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b2ie7

IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{61602A01-D10C-4324-BA0A-1E12C24D7F2A}: "URL" = http://www.scroogle.org/cgi-bin/nbbw.cgi?Gw={searchTerms}

IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{7EC915E5-CE4E-47C0-8506-E0CE5B5C8879}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}

IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{9329EF74-770B-47D8-AD0F-0E7B2AE9CA04}: "URL" = http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&camp=1789&creative=9325&keywords={searchTerms}

IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{E2297ECC-2E67-4A3C-9426-2413485D513B}: "URL" = http://www.blinkx.com/ie/search-provider/Search-Execute?query={searchTerms}

IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll ()

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)

FF - HKLM\Software\MozillaPlugins\@bittorrent.com/BitTorrentDNA: C:\Program Files\DNA\plugins\npbtdna.dll (BitTorrent, Inc.)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\Move Networks\plugins\npqmp071701000002.dll (Move Networks)

FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17: C:\Program Files\Veetle\VLCBroadcast\npvbp.dll File not found

FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll File not found

FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\Move Networks\plugins\npqmp071701000002.dll (Move Networks)

FF - HKCU\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine: C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\nprhapengine.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{96AB4162-6E8C-495D-B3DD-0583314D0AB5}: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{96AB4162-6E8C-495D-B3DD-0583314D0AB5}\ [2009/01/10 10:14:15 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\coFFPlgn\ [2013/06/15 06:24:38 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\IPSFFPlgn\ [2013/03/17 19:01:11 | 000,000,000 | ---D | M]

FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\moveplayer@movenetworks.com: C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\Move Networks [2010/03/11 10:04:19 | 000,000,000 | ---D | M]

[2010/03/28 13:05:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\Mozilla\Extensions

O1 HOSTS File: ([2013/06/12 19:09:27 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\20.3.1.22\coieplg.dll (Symantec Corporation)

O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\20.3.1.22\ips\ipsbho.dll (Symantec Corporation)

O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found

O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\WINDOWS\system32\bae.dll (Gateway Inc.)

O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\20.3.1.22\coieplg.dll (Symantec Corporation)

O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.)

O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()

O4 - HKLM..\Run: [Reminder] C:\WINDOWS\creator\Remind_XP.exe (SoftThinks)

O4 - HKLM..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe (Brother Industories, Ltd.)

O4 - HKLM..\Run: [sigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)

O4 - HKLM..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)

O4 - HKLM..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)

O4 - HKLM..\Run: [VERIZONDM] C:\Program Files\VERIZONDM\bin\sprtcmd.exe (SupportSoft, Inc.)

O4 - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006..\Run: [bitTorrent DNA] C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)

O4 - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006..\Run: [Power2GoExpress] NA File not found

O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)

O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\REALTEK RTL8187 Wireless LAN Utility.lnk = C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe (Realtek Semiconductor Corp.)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_24.dll (Sun Microsystems, Inc.)

O9 - Extra Button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found

O9 - Extra 'Tools' menuitem : Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab (Microsoft Office Template and Media Control)

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} http://www.creative.com/su/ocx/15030/CTSUEng.cab (Creative Software AutoUpdate)

O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} http://biz.lgservice.com/DjvuViewer/DjVuControl-6.1.4.cab (DjVuCtl Class)

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} http://www.alternatiff.com/install/00/alttiff.cab (AlternaTIFF ActiveX)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {3A52566B-6018-485B-B713-8B9FF660D8E8} http://71.123.169.42:0/webdvr2.18.2.16_71.0.0.0.cab (ilhtrapp Object)

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photos.walmart.com/WalmartActivia.cab (Snapfish Activia)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1343697687988 (WUWebControl Class)

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (Reg Error: Key error.)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1343697663689 (MUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {9282A3AA-4954-46B4-B4AE-F086CE3F1110} http://71.123.169.42:0/regtrustsite.cab (TrustSiteAddMgr Class)

O16 - DPF: {9CA74596-B5BB-4634-971C-F0224115A15F} http://nba.tom.com/video/tcastV1.cab (tcast control)

O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} http://vexcast.com/download/vexcast.cab (VodClient Control Class)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://www.creative.com/su/ocx/15030/CTPID.cab (Creative Software AutoUpdate Support Package)

O16 - DPF: vzTCPConfig http://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{481AE3E8-CD00-4ED3-9F1D-6AB6C25A01D6}: DhcpNameServer = 192.168.1.1

O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/06/13 21:14:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Desktop\RK_Quarantine

[2013/06/13 18:54:33 | 000,000,000 | -HSD | C] -- C:\RECYCLER

[2013/06/12 18:50:23 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2013/06/12 18:45:39 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2013/06/12 18:45:39 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2013/06/12 18:45:39 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2013/06/12 18:45:39 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2013/06/12 18:44:22 | 000,000,000 | ---D | C] -- C:\Qoobox

[2013/06/12 18:42:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt

[2013/06/12 17:12:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT

[2013/06/12 17:12:09 | 000,000,000 | ---D | C] -- C:\JRT

[2013/06/12 16:52:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\AVG SafeGuard toolbar

[2013/06/12 16:52:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG SafeGuard toolbar

[2013/06/12 16:51:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\AVG SafeGuard toolbar

[2013/06/12 16:51:30 | 000,037,664 | ---- | C] (AVG Technologies) -- C:\WINDOWS\System32\drivers\avgtpx86.sys

[2013/06/12 16:51:18 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\AVG Secure Search

[2013/06/12 16:51:14 | 000,000,000 | ---D | C] -- C:\Program Files\AVG SafeGuard toolbar

[2013/06/12 16:50:17 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files

[2013/06/10 04:54:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan

[2013/05/20 20:23:01 | 000,000,000 | ---D | C] -- C:\hotlink

[2013/05/20 20:20:18 | 000,752,496 | ---- | C] (Microsoft Corporation) -- C:\WindowsXP-KB959658-x86-ENU.exe

[2006/12/17 13:27:51 | 000,800,272 | ---- | C] (CA) -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\ppctl.dll

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/06/15 06:23:06 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{6F0D77EB-9DFC-4C8F-B264-D6025F8ED514}.job

[2013/06/15 06:23:00 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2013/06/15 06:21:36 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1542910684-3637753515-2293041949-1006.job

[2013/06/15 06:21:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2013/06/13 22:59:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job

[2013/06/12 19:09:27 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2013/06/12 18:50:33 | 000,000,337 | RHS- | M] () -- C:\boot.ini

[2013/06/12 16:50:33 | 000,037,664 | ---- | M] (AVG Technologies) -- C:\WINDOWS\System32\drivers\avgtpx86.sys

[2013/06/12 16:49:14 | 000,000,990 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Desktop\Continue Zip Opener Installation.lnk

[2013/06/11 21:59:20 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe

[2013/06/11 21:59:20 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl

[2013/06/10 20:01:06 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1542910684-3637753515-2293041949-1006.job

[2013/05/21 21:46:06 | 000,000,426 | ---- | M] () -- C:\WINDOWS\brwmark.ini

[2013/05/19 15:11:24 | 000,002,419 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Vz In-Home Agent.lnk

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/06/12 18:50:33 | 000,000,221 | ---- | C] () -- C:\Boot.bak

[2013/06/12 18:50:27 | 000,260,272 | RHS- | C] () -- C:\cmldr

[2013/06/12 18:45:39 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2013/06/12 18:45:39 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2013/06/12 18:45:39 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2013/06/12 18:45:39 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2013/06/12 18:45:39 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2013/06/12 16:49:13 | 000,000,990 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Desktop\Continue Zip Opener Installation.lnk

[2012/09/10 21:03:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\DVEdit.INI

[2012/09/10 20:28:20 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\IcdSptSvps.dll

[2012/05/10 22:23:33 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll

[2012/02/29 08:49:41 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2011/06/30 14:32:00 | 000,000,016 | ---- | C] () -- C:\WINDOWS\System32\jgldog11.dll

[2011/06/19 20:25:14 | 001,970,176 | ---- | C] () -- C:\WINDOWS\System32\vcmimm4.dll

[2011/06/19 20:25:13 | 000,695,578 | ---- | C] () -- C:\WINDOWS\unins000.exe

[2011/06/19 20:25:13 | 000,002,282 | ---- | C] () -- C:\WINDOWS\unins000.dat

[2011/05/22 07:58:29 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini

[2011/05/22 07:53:21 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini

[2010/03/11 21:21:24 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\usb.dat.bin

[2008/08/23 12:13:24 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\wklnhst.dat

[2008/05/02 21:43:27 | 000,002,521 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\NMM-MetaData.db

[2007/11/29 19:47:29 | 000,016,896 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2007/06/27 21:00:15 | 000,000,023 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\presets.ini

[2006/12/03 12:57:58 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\PFP120JPR.{PB

[2006/12/03 12:57:58 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\PFP120JCM.{PB

[2006/11/26 20:38:56 | 000,000,144 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\fusioncache.dat

========== ZeroAccess Check ==========

[2006/06/17 04:37:41 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 19:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]

"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 19:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Both

< End of report >


Gringo

I’ve been doing some background digging into my older protection logs, maybe some of this will help.

Back around 5-21 to 5-23, I was getting about 6-7 blocks per day in the log.

Then from 5-23 on, the number of blocks increased to 26, 27, 49, 72, 26 per day, etc.

In the 6-6 log, I found the following item:

2013/06/06 17:06:53 -0500 GW-5B4ED3A077 Owner DETECTION C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Temp\notepad.exe Trojan.Backdoor QUARANTINE

In the 6-8 log, I found the following item:

2013/06/08 08:33:08 -0500 GW-5B4ED3A077 Owner DETECTION C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Temp\notepad.exe Trojan.Backdoor QUARANTINE

In the 6-9 log, I found the following item:

2013/06/09 14:23:21 -0500 GW-5B4ED3A077 Owner DETECTION C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Temp\notepad.exe Trojan.Backdoor QUARANTINE

On each of these days, the number of blocks was up to around 100 to 200 blocks per day.

I remember seeing and deleting these quarantined items, and running scans to make sure the computer was malware free.

It was on 6-10 that the number of blocks blew up to several hundred per day, most of them being outgoing blocks to IP: 95.211.194.79

By 6-11, I was getting several hundred outgoing blocks to IP: 95.211.194.79

On 6-12, I started this topic.


  • Staff

Hello Charlie_Whisky

I would like you to run this custom script for me now and when it is complete please give me the report and a status update for the computer.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Custom Scans/Fixes text box.

    :OTL
    FF - HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17: C:\Program Files\Veetle\VLCBroadcast\npvbp.dll File not found
    FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll File not found
    FF - HKCU\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine: C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\nprhapengine.dll File not found
    O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O4 - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006..\Run: [Power2GoExpress] NA File not found
    O9 - Extra Button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found
    O9 - Extra 'Tools' menuitem : Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx...owserPlugin.cab (Reg Error: Key error.)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: vzTCPConfig http://my.verizon.co...vzTCPConfig.CAB (Reg Error: Key error.)
    O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found
    IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{E2297ECC-2E67-4A3C-9426-2413485D513B}: "URL" = http://www.blinkx.co...y={searchTerms}
    :Files
    ipconfig /flushdns /c

    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    [reboot]


  • Then click the Run Fix button at the top.
  • Click OK.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.
    Note** if the report does not pop up after the computer reboots you can find it here in this folder - C:\_OTL\MovedFiles
    It will be named - mmddyyyy_hhmmss.log
    Where mmddyyyy_hhmmss - are numbers representing the date and time the fix was run.

Let me know how things are doing.

Gringo


Hello Gringo

The report log for the custom scan is at the end of this post.

I ran the custom scan via OTL.exe without incident.

The report didn’t pop up after the reboot, but I found it located where you said it would be.

FEEDBACK: how is the computer working now?

1) While preparing this post, I saw MBAM pop up with any block; here’s the whole log for today (repeating the start of the log from my previous post today):

2013/06/15 06:21:45 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection

2013/06/15 06:21:45 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully

2013/06/15 06:21:45 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection

2013/06/15 06:23:13 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully

2013/06/15 06:39:54 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing)

2013/06/15 06:55:10 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing)

2013/06/15 07:22:42 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.55.219 (Type: incoming)

2013/06/15 07:24:57 -0500 GW-5B4ED3A077 Owner IP-BLOCK 109.163.233.156 (Type: outgoing)

2013/06/15 07:37:22 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)

2013/06/15 07:37:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)

2013/06/15 07:37:52 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)

2013/06/15 07:37:53 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)

2013/06/15 07:38:03 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)

2013/06/15 07:38:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)

2013/06/15 07:40:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.247.182.246 (Type: incoming)

2013/06/15 08:01:44 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)

2013/06/15 08:01:45 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)

2013/06/15 08:13:37 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)

2013/06/15 08:13:37 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)

2013/06/15 08:41:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.241.202.53 (Type: incoming)

2013/06/15 08:41:40 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.241.202.53 (Type: incoming)

2013/06/15 08:42:58 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.87.55 (Type: outgoing)

2013/06/15 08:52:12 -0500 GW-5B4ED3A077 Owner IP-BLOCK 80.82.65.249 (Type: incoming)

2013/06/15 08:57:02 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.8.123.214 (Type: outgoing)

2013/06/15 08:59:35 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.220.250 (Type: incoming)

2013/06/15 09:03:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.96.53 (Type: incoming)

2013/06/15 09:06:49 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.117.178.203 (Type: incoming)

2013/06/15 09:10:25 -0500 GW-5B4ED3A077 Owner IP-BLOCK 78.26.179.231 (Type: outgoing)

2013/06/15 09:12:16 -0500 GW-5B4ED3A077 Owner IP-BLOCK 195.161.7.23 (Type: incoming)

2013/06/15 09:12:51 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.43.233 (Type: incoming)

2013/06/15 09:56:20 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.113.96 (Type: incoming)

2013/06/15 10:08:53 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.61.113 (Type: incoming)

2013/06/15 10:09:11 -0500 GW-5B4ED3A077 Owner IP-BLOCK 219.153.135.2 (Type: outgoing)

2013/06/15 10:20:20 -0500 GW-5B4ED3A077 Owner IP-BLOCK 194.165.0.6 (Type: incoming)

2013/06/15 10:25:32 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.220.250 (Type: outgoing)

2013/06/15 10:44:26 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.188.45.202 (Type: incoming)

2013/06/15 10:54:29 -0500 GW-5B4ED3A077 Owner IP-BLOCK 194.143.137.109 (Type: incoming)

2013/06/15 10:55:51 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.237.250 (Type: incoming)

2013/06/15 11:12:37 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.33.170 (Type: incoming)

2013/06/15 11:22:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.54.182 (Type: outgoing)

2013/06/15 11:37:21 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.215.119 (Type: incoming)

2013/06/15 11:39:05 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.85.239 (Type: incoming)

2013/06/15 12:45:15 -0500 GW-5B4ED3A077 Owner IP-BLOCK 94.102.56.145 (Type: incoming)

2013/06/15 12:46:44 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.220.250 (Type: incoming)

2013/06/15 12:52:08 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.111.169 (Type: incoming)

2013/06/15 12:52:51 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.117.183.228 (Type: outgoing)

2013/06/15 12:57:14 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.54.54 (Type: incoming)

2013/06/15 13:08:05 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.49.135 (Type: outgoing)

2013/06/15 13:21:51 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.220.250 (Type: outgoing)

2013/06/15 13:37:57 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.22.97 (Type: incoming)

2013/06/15 14:02:55 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.61.4 (Type: incoming)

2013/06/15 14:08:57 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.120.109.123 (Type: outgoing)

2013/06/15 14:09:16 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.99.216 (Type: outgoing)

2013/06/15 14:42:08 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.195.11.143 (Type: incoming)

2013/06/15 14:47:37 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.214.44.200 (Type: incoming)

2013/06/15 14:53:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 85.234.175.115 (Type: outgoing)

2013/06/15 15:07:28 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.220.250 (Type: outgoing)

2013/06/15 15:08:12 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.44.204 (Type: outgoing)

2013/06/15 15:08:17 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.40.176 (Type: outgoing)

2013/06/15 15:24:01 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing)

2013/06/15 15:25:58 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.38.220 (Type: incoming)

2013/06/15 15:39:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.188.33.97 (Type: incoming)

2013/06/15 15:53:52 -0500 GW-5B4ED3A077 Owner IP-BLOCK 46.108.226.217 (Type: outgoing)

2013/06/15 15:53:53 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.63.60 (Type: outgoing)

2013/06/15 15:54:49 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.16.139 (Type: incoming)

2013/06/15 16:00:31 -0500 GW-5B4ED3A077 Owner IP-BLOCK 37.229.128.3 (Type: incoming)

2013/06/15 16:07:38 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.224.50 (Type: outgoing)

2013/06/15 16:16:31 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.7.157 (Type: incoming)

2013/06/15 16:23:55 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection

2013/06/15 16:23:55 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully

2013/06/15 16:23:55 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection

2013/06/15 16:25:14 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully

2013/06/15 16:28:57 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.58.146 (Type: incoming)

2013/06/15 16:28:58 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.58.146 (Type: incoming)

At least post-reboot after 16:25 the only two blocks are incoming blocks. **

2) No iexplore.exe versions running as processes when IE is not open.

3) When IE is open, it still doesn’t show images/pictures.

p.s., ** looks like I spoke too soon! After opening up IE to make this post on the forum, a few more blocks popped up, including two outgoing blocks:

2013/06/15 16:42:42 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing)

2013/06/15 16:42:58 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.58.146 (Type: incoming)

2013/06/15 16:42:59 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.58.146 (Type: incoming)

2013/06/15 16:43:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.42.82 (Type: outgoing)

REPORT FOR Custom Scan (06152013_161917.log)

========== OTL ==========

Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1\ deleted successfully.

Registry key HKEY_CURRENT_USER\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}\ deleted successfully.

Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.

Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.

Registry value HKEY_USERS\S-1-5-21-1542910684-3637753515-2293041949-1006\Software\Microsoft\Windows\CurrentVersion\Run\\Power2GoExpress deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}\ not found.

Starting removal of ActiveX control {67DABFBF-D0AB-41FA-9C46-CC0F21721616}

C:\WINDOWS\Downloaded Program Files\DivXPlugin.inf moved successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ not found.

Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}

C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.

Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}

C:\WINDOWS\Downloaded Program Files\gp.inf not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.

Starting removal of ActiveX control vzTCPConfig

Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\vzTCPConfig\DownloadInformation\\INF .

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\vzTCPConfig\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\vzTCPConfig\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\skype-ie-addon-data\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91774881-D725-4E58-B298-07617B9B86A8}\ deleted successfully.

File {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found not found.

Registry key HKEY_USERS\S-1-5-21-1542910684-3637753515-2293041949-1006\Software\Microsoft\Internet Explorer\SearchScopes\{E2297ECC-2E67-4A3C-9426-2413485D513B}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2297ECC-2E67-4A3C-9426-2413485D513B}\ not found.

========== FILES ==========

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Documents and Settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\OTL\cmd.bat deleted successfully.

C:\Documents and Settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\OTL\cmd.txt deleted successfully.

========== COMMANDS ==========

[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: Owner

User: Owner.YOUR-5B4ED3A077

->Java cache emptied: 53525803 bytes

User: OWNER~1~YOU

Total Java Files Cleaned = 51.00 mb

[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: Owner

User: Owner.YOUR-5B4ED3A077

->Flash cache emptied: 2608374 bytes

User: OWNER~1~YOU

Total Flash Files Cleaned = 2.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 06152013_161917

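The log triage Charlie_Whisky does by hand in the two posts above (counting blocks per day, separating incoming from outgoing, noticing one destination dominating the outgoing count, and the same quarantined file reappearing on successive days) can be automated. The script below is an added example written for this page, not code from the thread or from Malwarebytes; it parses the protection-log record format quoted in the posts, and the sample records embedded in it are constructed, modelled on the thread's entries.

```python
"""Triage a Malwarebytes Anti-Malware 1.x protection log.

Added example for this thread (not code from the forum or from Malwarebytes).
It parses the record format quoted in the posts:

    YYYY/MM/DD HH:MM:SS -0500 HOST USER IP-BLOCK a.b.c.d (Type: outgoing|incoming)
    YYYY/MM/DD HH:MM:SS -0500 HOST USER DETECTION <path> <threat> <action>
    YYYY/MM/DD HH:MM:SS -0500 HOST USER MESSAGE <text>

and answers the questions raised in the thread: how many blocks per day,
how many are outgoing, which destination dominates, and whether the same
quarantined file keeps coming back.
"""
import re
from collections import Counter

# Sample records constructed for this example, modelled on the thread's logs.
# The last line is deliberately malformed to show that junk is skipped.
SAMPLE_LOG = r"""
2013/06/08 08:33:08 -0500 GW-5B4ED3A077 Owner DETECTION C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Temp\notepad.exe Trojan.Backdoor QUARANTINE
2013/06/09 14:23:21 -0500 GW-5B4ED3A077 Owner DETECTION C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Temp\notepad.exe Trojan.Backdoor QUARANTINE
2013/06/10 19:07:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/10 19:08:02 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/10 19:09:15 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/15 06:21:45 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/15 06:39:54 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing)
2013/06/15 07:22:42 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.55.219 (Type: incoming)
2013/06/15 07:37:22 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)
2013/06/15 07:37:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)
2013/06/15 15:24:01 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing)
this line is not a protection-log record and is skipped
"""

# One regex for the common prefix, then one per record kind for the remainder.
RECORD_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) (?P<kind>IP-BLOCK|DETECTION|MESSAGE) (?P<rest>.*)$"
)
BLOCK_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<direction>incoming|outgoing)\)$"
)
# The path may contain spaces, so it is matched non-greedily and the threat
# name and action are taken as the last two whitespace-free tokens.
DETECTION_RE = re.compile(r"^(?P<path>.+?) (?P<threat>\S+) (?P<action>\S+)$")


def parse_log(text):
    """Return one dict per well-formed record; anything else is ignored."""
    events = []
    for raw in text.splitlines():
        m = RECORD_RE.match(raw.strip())
        if not m:
            continue
        ev = {"date": m["date"], "time": m["time"], "kind": m["kind"]}
        if m["kind"] == "IP-BLOCK":
            b = BLOCK_RE.match(m["rest"])
            if not b:
                continue
            ev["ip"], ev["direction"] = b["ip"], b["direction"]
        elif m["kind"] == "DETECTION":
            d = DETECTION_RE.match(m["rest"])
            if not d:
                continue
            ev["path"], ev["threat"], ev["action"] = d["path"], d["threat"], d["action"]
        else:
            ev["text"] = m["rest"]
        events.append(ev)
    return events


def blocks_per_day(events):
    """Blocks per calendar day, oldest first; a sudden jump is the first warning sign."""
    counts = Counter(e["date"] for e in events if e["kind"] == "IP-BLOCK")
    return dict(sorted(counts.items()))


def blocks_by_direction(events):
    """Outgoing blocks mean something local is initiating the connection."""
    return dict(Counter(e["direction"] for e in events if e["kind"] == "IP-BLOCK"))


def top_destinations(events, direction="outgoing", limit=5):
    """Most frequently blocked addresses for one direction, as (ip, count) pairs."""
    counts = Counter(
        e["ip"] for e in events if e["kind"] == "IP-BLOCK" and e["direction"] == direction
    )
    return counts.most_common(limit)


def repeated_detections(events):
    """Paths quarantined more than once: a file that returns after removal
    points to something still on the host that recreates it."""
    counts = Counter(e["path"] for e in events if e["kind"] == "DETECTION")
    return {path: n for path, n in counts.items() if n > 1}


def summarize(text):
    """Full triage summary for one log as a plain dict."""
    events = parse_log(text)
    return {
        "records": len(events),
        "blocks_per_day": blocks_per_day(events),
        "by_direction": blocks_by_direction(events),
        "top_outgoing": top_destinations(events, "outgoing"),
        "repeated_detections": repeated_detections(events),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed `summarize()` the text of a real protection log instead of `SAMPLE_LOG`. On the thread's own data, the 6-10 log would show 95.211.194.79 dominating the outgoing count, and the notepad.exe quarantine on 6-6, 6-8 and 6-9 would surface in `repeated_detections`, which is exactly the pattern of a file being re-dropped after each cleanup.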

  • Staff

Hello Charlie_Whisky

Malwarebytes Anti-Rootkit

1. Download Malwarebytes Anti-Rootkit

2. Unzip the contents to a folder in a convenient location.

3. Open the folder where the contents were unzipped and run mbar.exe

4. Follow the instructions in the wizard to update and allow the program to scan your computer for threats.

5. Click on the Cleanup button to remove any threats and reboot if prompted to do so.

6. Wait while the system shuts down and the cleanup process is performed.

7. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.

8. If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

  • Internet access
  • Windows Update
  • Windows Firewall

9. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.

10. Verify that your system is now functioning normally.

Please download aswMBR to your desktop.

  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

When you are complete please send me both reports

Gringo


Hello Gringo

1) I ran the Malwarebytes Anti-Rootkit (MAR) as instructed.

When trying to do the update, there was an error message: “Failed MBAM IO::writefile”

MAR found two pieces of malware and I checked clean and report.

But on reboot there was no log file (“MBAR-log ___”). There was a system-log file, which is at the end of this post.

I reran MAR and again, when doing the update, there was the same error message: “Failed MBAM IO::writefile”

This second time MAR found nothing: “Scan finished, no malware found”

I have internet access, but in IE the images and pictures associated with buttons etc. are still all blank or red Xs.

I ran the fixdamage.exe but this didn’t change the above issue with IE.

2) I ran aswMBR.exe after allowing updates; it didn’t appear to find anything; the report is at the end of this post.

FEEDBACK: No significant change from the past few days; I still have multiple incoming and outgoing blocks.

Here’s the entire MBAM protection log for today:

2013/06/16 06:44:59 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection

2013/06/16 06:44:59 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully

2013/06/16 06:44:59 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection

2013/06/16 06:45:41 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully

2013/06/16 07:26:43 -0500 GW-5B4ED3A077 Owner IP-BLOCK 94.242.205.235 (Type: incoming)

2013/06/16 07:29:45 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.108.96 (Type: incoming)

2013/06/16 08:05:44 -0500 GW-5B4ED3A077 Owner IP-BLOCK 124.125.251.183 (Type: outgoing)

2013/06/16 08:15:35 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.224.57 (Type: incoming)

2013/06/16 08:19:58 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.78.229 (Type: outgoing)

2013/06/16 08:34:40 -0500 GW-5B4ED3A077 Owner IP-BLOCK 178.152.5.238 (Type: outgoing)

2013/06/16 08:51:33 -0500 GW-5B4ED3A077 Owner IP-BLOCK 178.90.91.170 (Type: outgoing)

2013/06/16 09:04:44 -0500 GW-5B4ED3A077 Owner IP-BLOCK 219.153.94.46 (Type: outgoing)

2013/06/16 09:05:28 -0500 GW-5B4ED3A077 Owner IP-BLOCK 124.125.251.183 (Type: outgoing)

2013/06/16 09:09:13 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: incoming)

2013/06/16 09:20:19 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.127.39 (Type: outgoing)

2013/06/16 09:35:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.95.88 (Type: outgoing)

2013/06/16 09:35:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.58.32 (Type: outgoing)

2013/06/16 09:35:55 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.78.229 (Type: outgoing)

2013/06/16 09:35:57 -0500 GW-5B4ED3A077 Owner IP-BLOCK 124.125.251.183 (Type: outgoing)

2013/06/16 09:51:53 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.237.238 (Type: outgoing)

2013/06/16 10:07:28 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.42.59 (Type: outgoing)

2013/06/16 10:13:13 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.234.227 (Type: incoming)

2013/06/16 10:23:15 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.7.204.11 (Type: outgoing)

2013/06/16 10:23:59 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.237.238 (Type: outgoing)

2013/06/16 10:31:40 -0500 GW-5B4ED3A077 Owner IP-BLOCK 213.55.114.175 (Type: incoming)

2013/06/16 10:36:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 41.203.81.234 (Type: incoming)

2013/06/16 10:40:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.38.190 (Type: outgoing)

2013/06/16 10:54:02 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.60.45 (Type: outgoing)

2013/06/16 10:55:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.17.130 (Type: outgoing)

2013/06/16 11:07:43 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.103.213 (Type: outgoing)

2013/06/16 11:21:42 -0500 GW-5B4ED3A077 Owner IP-BLOCK 222.186.79.125 (Type: incoming)

2013/06/16 11:45:41 -0500 GW-5B4ED3A077 Owner IP-BLOCK 188.95.51.205 (Type: incoming)

2013/06/16 12:07:45 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: incoming)

2013/06/16 12:07:52 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: incoming)

2013/06/16 12:20:21 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.237.238 (Type: outgoing)

2013/06/16 12:27:41 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.49.139 (Type: incoming)

2013/06/16 12:36:01 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.58.50 (Type: outgoing)

2013/06/16 12:36:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.50.27 (Type: outgoing)

2013/06/16 12:36:15 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.3.122 (Type: outgoing)

2013/06/16 13:08:26 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.75.73 (Type: outgoing)

2013/06/16 13:39:13 -0500 GW-5B4ED3A077 Owner IP-BLOCK 213.186.115.249 (Type: outgoing)

2013/06/16 14:07:51 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.24.162 (Type: incoming)

2013/06/16 14:52:48 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.159.32 (Type: outgoing)

2013/06/16 14:53:11 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.248.172.103 (Type: incoming)

2013/06/16 14:53:29 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.237.238 (Type: outgoing)

2013/06/16 15:16:56 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.59.77 (Type: incoming)

2013/06/16 15:28:03 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: incoming)

2013/06/16 15:28:15 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: incoming)

2013/06/16 15:37:15 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.188.37.145 (Type: outgoing)

2013/06/16 15:54:56 -0500 GW-5B4ED3A077 Owner IP-BLOCK 188.130.177.20 (Type: incoming)

2013/06/16 16:08:58 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: incoming)

2013/06/16 16:13:52 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection

2013/06/16 16:13:52 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully

2013/06/16 16:13:52 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection

2013/06/16 16:14:55 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully

2013/06/16 16:16:00 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.34.13 (Type: outgoing)

2013/06/16 16:30:48 -0500 GW-5B4ED3A077 Owner IP-BLOCK 188.95.51.205 (Type: incoming)

2013/06/16 16:51:43 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection

2013/06/16 16:51:44 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully

2013/06/16 16:51:44 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection

2013/06/16 16:53:10 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully

2013/06/16 16:57:35 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.209.9 (Type: incoming)

2013/06/16 17:23:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.51.192 (Type: outgoing)

2013/06/16 17:23:16 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.117.164.173 (Type: outgoing)

2013/06/16 17:38:40 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.237.238 (Type: outgoing)

2013/06/16 18:09:34 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.88.83 (Type: incoming)

2013/06/16 18:23:20 -0500 GW-5B4ED3A077 Owner IP-BLOCK 178.152.3.227 (Type: outgoing)

2013/06/16 18:36:09 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.174.95.180 (Type: incoming)

2013/06/16 18:38:30 -0500 GW-5B4ED3A077 Owner IP-BLOCK 195.161.127.130 (Type: outgoing)

2013/06/16 18:51:08 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.37.163 (Type: outgoing)

2013/06/16 19:21:56 -0500 GW-5B4ED3A077 Owner IP-BLOCK 124.125.251.183 (Type: outgoing)

2013/06/16 19:24:45 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.192.35 (Type: incoming)

2013/06/16 19:32:46 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.65.200 (Type: incoming)

2013/06/16 19:36:17 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.14.165 (Type: outgoing)

2013/06/16 19:46:37 -0500 GW-5B4ED3A077 Owner MESSAGE Starting database refresh

2013/06/16 19:46:37 -0500 GW-5B4ED3A077 Owner MESSAGE Stopping IP protection

2013/06/16 19:46:37 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection stopped successfully

2013/06/16 19:46:50 -0500 GW-5B4ED3A077 Owner MESSAGE Database refreshed successfully

2013/06/16 19:46:50 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection

2013/06/16 19:47:26 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully

2013/06/16 21:05:03 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.14.165 (Type: outgoing)

2013/06/16 21:28:37 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.88.83 (Type: incoming)

2013/06/16 21:35:50 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.241.140.50 (Type: outgoing)

MAR system-log Report

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.06.0.1003

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_24

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, H:\ DRIVE_FIXED

CPU speed: 1.596000 GHz

Memory total: 2011205632, free: 1187840000

------------ Kernel report ------------

06/15/2013 21:02:54

------------ Loaded modules -----------

\WINDOWS\system32\ntkrnlpa.exe

\WINDOWS\system32\hal.dll

\WINDOWS\system32\KDCOM.DLL

\WINDOWS\system32\BOOTVID.dll

ACPI.sys

\WINDOWS\system32\DRIVERS\WMILIB.SYS

pci.sys

isapnp.sys

ohci1394.sys

\WINDOWS\system32\DRIVERS\1394BUS.SYS

compbatt.sys

\WINDOWS\system32\DRIVERS\BATTC.SYS

pciide.sys

\WINDOWS\system32\DRIVERS\PCIIDEX.SYS

aliide.sys

intelide.sys

toside.sys

viaide.sys

cmdide.sys

pcmcia.sys

MountMgr.sys

ftdisk.sys

dmload.sys

dmio.sys

ACPIEC.sys

\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS

PartMgr.sys

VolSnap.sys

cpqarray.sys

\WINDOWS\system32\DRIVERS\SCSIPORT.SYS

atapi.sys

aha154x.sys

sparrow.sys

symc810.sys

aic78xx.sys

dac960nt.sys

ql10wnt.sys

amsint.sys

asc.sys

asc3550.sys

mraid35x.sys

i2omp.sys

ini910u.sys

ql1240.sys

aic78u2.sys

symc8xx.sys

sym_hi.sys

sym_u3.sys

ABP480N5.SYS

asc3350p.sys

cd20xrnt.sys

ultra.sys

adpu160m.sys

dpti2o.sys

ql1080.sys

ql1280.sys

ql12160.sys

perc2.sys

perc2hib.sys

hpn.sys

cbidf2k.sys

dac2w2k.sys

disk.sys

\WINDOWS\system32\DRIVERS\CLASSPNP.SYS

fltmgr.sys

SYMDS.SYS

sr.sys

SYMEFA.SYS

KSecDD.sys

WudfPf.sys

Ntfs.sys

NDIS.sys

sisagp.sys

viaagp.sys

Mup.sys

alim1541.sys

amdagp.sys

agp440.sys

agpCPQ.sys

\SystemRoot\system32\DRIVERS\nic1394.sys

\SystemRoot\system32\DRIVERS\AmdK8.sys

\SystemRoot\system32\DRIVERS\ati2mtag.sys

\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

\SystemRoot\system32\DRIVERS\yk51x86.sys

\SystemRoot\system32\DRIVERS\usbohci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\i8042prt.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\SynTP.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\drivers\tifm21.sys

\SystemRoot\system32\DRIVERS\CmBatt.sys

\SystemRoot\system32\drivers\nchssvad.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\ks.sys

\SystemRoot\system32\DRIVERS\audstub.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\DRIVERS\psched.sys

\SystemRoot\system32\DRIVERS\msgpc.sys

\SystemRoot\system32\DRIVERS\ptilink.sys

\SystemRoot\system32\DRIVERS\raspti.sys

\SystemRoot\system32\DRIVERS\rdpdr.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\SymIM.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\update.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\system32\DRIVERS\smserial.sys

\SystemRoot\System32\Drivers\Modem.SYS

\SystemRoot\System32\Drivers\i2omgmt.SYS

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\drivers\N360\1403010.016\ccSetx86.sys

\SystemRoot\system32\drivers\N360\1403010.016\Ironx86.SYS

\SystemRoot\System32\Drivers\Fs_Rec.SYS

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\??\C:\WINDOWS\system32\drivers\avgtpx86.sys

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\DRIVERS\USBSTOR.SYS

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\drivers\usbaudio.sys

\SystemRoot\system32\DRIVERS\usbprint.sys

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\Drivers\BrScnUsb.sys

\SystemRoot\System32\Drivers\mnmdd.SYS

\SystemRoot\System32\Drivers\BrUsbSer.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\System32\Drivers\BrSerIf.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\rasacd.sys

\SystemRoot\system32\DRIVERS\ipsec.sys

\SystemRoot\system32\DRIVERS\tcpip.sys

\SystemRoot\System32\Drivers\N360\1403010.016\SYMTDI.SYS

\SystemRoot\system32\DRIVERS\ipnat.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

\SystemRoot\system32\DRIVERS\arp1394.sys

\??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\IPSDefs\20130614.001\IDSxpx86.sys

\SystemRoot\system32\DRIVERS\netbt.sys

\SystemRoot\System32\drivers\ws2ifsl.sys

\SystemRoot\System32\drivers\afd.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\drivers\N360\1403010.016\SRTSPX.SYS

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\System32\Drivers\Fips.SYS

\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

\SystemRoot\system32\DRIVERS\kbdhid.sys

\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

\??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\BASHDefs\20130531.001\BHDrvx86.sys

\SystemRoot\System32\Drivers\Fastfat.SYS

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\System32\Drivers\dump_WMILIB.SYS

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\System32\watchdog.sys

\SystemRoot\System32\drivers\dxg.sys

\SystemRoot\System32\drivers\dxgthk.sys

\SystemRoot\System32\ati2dvag.dll

\SystemRoot\System32\ati2cqag.dll

\SystemRoot\System32\atikvmag.dll

\SystemRoot\System32\atiok3x2.dll

\SystemRoot\System32\ati3duag.dll

\SystemRoot\System32\ativvaxx.dll

\SystemRoot\System32\ATMFD.DLL

\??\C:\WINDOWS\system32\drivers\mbam.sys

\SystemRoot\system32\DRIVERS\AegisP.sys

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\DRIVERS\mrxdav.sys

\SystemRoot\system32\drivers\wdmaud.sys

\SystemRoot\system32\drivers\sysaudio.sys

\SystemRoot\System32\Drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\srv.sys

\??\C:\WINDOWS\system32\drivers\pmemnt.sys

\SystemRoot\System32\DRIVERS\ipfltdrv.sys

\SystemRoot\System32\Drivers\N360\1403010.016\SRTSP.SYS

\SystemRoot\System32\Drivers\Cdfs.SYS

\SystemRoot\system32\DRIVERS\asyncmac.sys

\??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\VirusDefs\20130615.008\NAVEX15.SYS

\??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\VirusDefs\20130615.008\NAVENG.SYS

\SystemRoot\system32\drivers\kmixer.sys

\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys

\??\C:\WINDOWS\system32\drivers\48230029.sys

\WINDOWS\system32\ntdll.dll

----------- End -----------

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.06.0.1003

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_24

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, H:\ DRIVE_FIXED

CPU speed: 1.595000 GHz

Memory total: 2011205632, free: 1567211520

aswMBR REPORT

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software

Run date: 2013-06-16 17:01:56

-----------------------------

17:01:56.718 OS Version: Windows 5.1.2600 Service Pack 3

17:01:56.718 Number of processors: 2 586 0x4802

17:01:56.718 ComputerName: GW-5B4ED3A077 UserName: Owner

17:02:24.015 Initialize success

17:02:24.593 write error "aswCmnB.dll". The process cannot access the file because it is being used by another process.

17:33:19.265 AVAST engine defs: 13061300

19:21:24.343 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4

19:21:24.359 Disk 0 Vendor: ST9160821A 3.ALC Size: 152627MB BusType: 3

19:21:24.562 Disk 0 MBR read successfully

19:21:24.562 Disk 0 MBR scan

19:21:24.593 Disk 0 unknown MBR code

19:21:24.609 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 145612 MB offset 14346045

19:21:24.609 Disk 0 Partition 2 00 0B FAT32 RECOVERY 7004 MB offset 63

19:21:24.625 Disk 0 scanning sectors +312560640

19:21:24.843 Disk 0 scanning C:\WINDOWS\system32\drivers

19:21:40.109 Service scanning

19:22:08.000 Modules scanning

19:22:22.203 Disk 0 trace - called modules:

19:22:22.265 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS

19:22:22.281 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a658ab8]

19:22:22.296 3 CLASSPNP.SYS[ba188fd7] -> nt!IofCallDriver -> \Device\000000b2[0x8a682350]

19:22:22.312 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8a680940]

19:22:22.781 AVAST engine scan C:\WINDOWS

19:22:51.546 AVAST engine scan C:\WINDOWS\system32

19:26:40.171 AVAST engine scan C:\WINDOWS\system32\drivers

19:27:05.546 AVAST engine scan C:\Documents and Settings\Owner.YOUR-5B4ED3A077

19:38:46.156 AVAST engine scan C:\Documents and Settings\All Users

19:41:59.828 Scan finished successfully

19:43:32.687 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\aswMBR\MBR.dat"

19:43:32.703 The log file has been saved successfully to "C:\Documents and Settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\aswMBR\aswMBR6-16-2013.txt"

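A protection log of this length is hard to read by eye, and the distinction that matters for the original question is direction: an incoming block is a remote host probing the machine and being stopped at the edge, while an outgoing block means a process on this machine initiated the connection. The following Python script is an added example for this thread (not Malwarebytes code and not something the helper posted). It parses the MBAM 1.x protection-log lines in the format shown in these posts, handling both the space-padded and the tab-padded variants, and reports counts by direction, the outgoing destinations, how they cluster by /16 network, and which destinations were contacted more than once. SAMPLE_LOG is constructed in that format; the /16 grouping and the repeat threshold are analyst heuristics of my own, not part of the product.

```python
"""Summarise Malwarebytes 1.x protection-log IP-BLOCK entries by direction.

Added example for this thread; not Malwarebytes code. SAMPLE_LOG is constructed
in the format the thread's logs use (both the space- and tab-padded variants).
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# One IP-BLOCK line; the column gap may be spaces or tabs. MESSAGE lines
# (protection start/stop, database refresh) deliberately do not match.
BLOCK_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<tz>[+-]\d{4})\s+"
    r"(?P<host>\S+)\s+(?P<user>\S+)\s+IP-BLOCK\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"\(Type:\s*(?P<direction>incoming|outgoing)\)\s*$"
)

# Constructed sample in the page's log format (last data line is tab-padded).
SAMPLE_LOG = """\
2013/06/16 06:44:59 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/16 07:26:43 -0500 GW-5B4ED3A077 Owner IP-BLOCK 94.242.205.235 (Type: incoming)
2013/06/16 08:05:44 -0500 GW-5B4ED3A077 Owner IP-BLOCK 124.125.251.183 (Type: outgoing)
2013/06/16 09:05:28 -0500 GW-5B4ED3A077 Owner IP-BLOCK 124.125.251.183 (Type: outgoing)
2013/06/16 09:35:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.95.88 (Type: outgoing)
2013/06/16 09:35:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.58.32 (Type: outgoing)
2013/06/16 12:07:45 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: incoming)
2013/06/16 12:07:52 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: incoming)
2013/06/17 01:07:14 -0500\tGW-5B4ED3A077\tOwner\tIP-BLOCK\t212.117.177.77 (Type: outgoing)
not a log line: must be skipped, not crash the parser
"""


def parse_blocks(text):
    """Return one dict per IP-BLOCK line; every other line is skipped."""
    events = []
    for line in text.splitlines():
        m = BLOCK_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "when": f"{m['date']} {m['time']} {m['tz']}",
            "ip": m["ip"],
            "direction": m["direction"],
            # a blocked private address would point at a LAN host, not the internet
            "private": ip_address(m["ip"]).is_private,
        })
    return events


def summarise(events, repeat_threshold=2):
    """Counts by direction, outgoing destinations, /16 clusters and repeat targets."""
    by_direction = Counter(e["direction"] for e in events)
    outgoing = Counter(e["ip"] for e in events if e["direction"] == "outgoing")
    # /16 grouping is an analyst heuristic: the same hosting range recurring is a
    # stronger signal than one isolated address
    by_prefix = Counter(
        str(ip_network(f"{ip}/16", strict=False)) for ip in outgoing.elements()
    )
    repeats = sorted(ip for ip, n in outgoing.items() if n >= repeat_threshold)
    return {
        "by_direction": dict(by_direction),
        "outgoing_by_ip": dict(outgoing),
        "outgoing_by_prefix": dict(by_prefix),
        "repeat_outgoing": repeats,
    }


if __name__ == "__main__":
    report = summarise(parse_blocks(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real protection log by reading the file into `parse_blocks` instead of `SAMPLE_LOG`. The outgoing counts and repeat list are the part worth attaching to a help request: repeated outgoing attempts to the same address or range, continuing after a clean-up, are exactly the pattern the original poster describes.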

  • Staff

Create and Run Batch File

  • Open Notepad and copy/paste the entire contents of the codebox below, into Notepad:

@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
start Log1.txt
del %0

  • Save this as router.bat. Choose "Save as type" - All Files, and "where to save" - Desktop, then close the Notepad file.
  • Double-click on router.bat to run it. It will open Notepad when done; please post back the results.

gringo


Gringo, here it is:

 

Windows IP Configuration

 

        Host Name . . . . . . . . . . . . : GW-5B4ED3A077

        Primary Dns Suffix  . . . . . . . :

        Node Type . . . . . . . . . . . . : Unknown

        IP Routing Enabled. . . . . . . . : No

        WINS Proxy Enabled. . . . . . . . : No

        DNS Suffix Search List. . . . . . : home

 

Ethernet adapter Local Area Connection:

 

        Connection-specific DNS Suffix  . : home

        Description . . . . . . . . . . . : Marvell Yukon 88E8038 PCI-E Fast Ethernet Controller

        Physical Address. . . . . . . . . : 00-E0-B8-B9-C5-78

        Dhcp Enabled. . . . . . . . . . . : Yes

        Autoconfiguration Enabled . . . . : Yes

        IP Address. . . . . . . . . . . . : 192.168.1.2

        Subnet Mask . . . . . . . . . . . : 255.255.255.0

        Default Gateway . . . . . . . . . : 192.168.1.1

        DHCP Server . . . . . . . . . . . : 192.168.1.1

        DNS Servers . . . . . . . . . . . : 192.168.1.1

        Lease Obtained. . . . . . . . . . : Monday, June 17, 2013 8:04:39 PM

        Lease Expires . . . . . . . . . . : Tuesday, June 18, 2013 8:04:39 PM

Server:  myrouter.home
Address:  192.168.1.1

Name:    google.com
Addresses:  74.125.227.103, 74.125.227.97, 74.125.227.100, 74.125.227.98
   74.125.227.104, 74.125.227.101, 74.125.227.99, 74.125.227.96, 74.125.227.105
   74.125.227.102, 74.125.227.110

Server:  myrouter.home
Address:  192.168.1.1

Name:    yahoo.com
Addresses:  98.139.183.24, 206.190.36.45, 98.138.253.109

 

Pinging google.com [74.125.227.132] with 32 bytes of data:

 

Reply from 74.125.227.132: bytes=32 time=9ms TTL=57

Reply from 74.125.227.132: bytes=32 time=7ms TTL=57

 

Ping statistics for 74.125.227.132:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 7ms, Maximum = 9ms, Average = 8ms

 

Pinging yahoo.com [206.190.36.45] with 32 bytes of data:

 

Reply from 206.190.36.45: bytes=32 time=63ms TTL=51

Reply from 206.190.36.45: bytes=32 time=61ms TTL=51

 

Ping statistics for 206.190.36.45:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 61ms, Maximum = 63ms, Average = 62ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 e0 b8 b9 c5 78 ...... Marvell Yukon 88E8038 PCI-E Fast Ethernet Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.2   20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1   1
      169.254.0.0      255.255.0.0      192.168.1.2     192.168.1.2   20
      192.168.1.0    255.255.255.0      192.168.1.2     192.168.1.2   20
      192.168.1.2  255.255.255.255        127.0.0.1       127.0.0.1   20
    192.168.1.255  255.255.255.255      192.168.1.2     192.168.1.2   20
        224.0.0.0        240.0.0.0      192.168.1.2     192.168.1.2   20
  255.255.255.255  255.255.255.255      192.168.1.2     192.168.1.2   1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

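The point of router.bat is to capture the machine's DNS and routing view so the helper can spot a hijacked resolver or an injected route. As an added example for this thread (not from the helper and not a Malwarebytes tool), here is a Python checker for that output. It parses the ipconfig /all block and the route print tables in the layout shown in the post above, and flags three things: a DNS server outside the machine's own subnet (here the home router, 192.168.1.1, is the expected resolver), an ipconfig default gateway that disagrees with the routing table's 0.0.0.0 route, and any persistent routes. SAMPLE_CLEAN is constructed to mirror this post's output; SAMPLE_SUSPECT plants two anomalies so the checks can be seen firing.

```python
"""Check router.bat output (ipconfig /all + route print) for DNS or route tampering.

Added example, not from the thread. SAMPLE_CLEAN mirrors the layout of the
post's output; SAMPLE_SUSPECT is derived from it with two planted anomalies.
"""
import re
from ipaddress import ip_address, ip_interface

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "        Key . . . . : value" lines of ipconfig /all (the key may contain spaces)
KV_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z0-9 -]*?)[ .]*:\s*(?P<val>.*)$")
# continuation line of a multi-valued field such as DNS Servers: an IP on its own
CONT_RE = re.compile(rf"^\s+(?P<ip>{IPV4})\s*$")
ROUTE_RE = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+({IPV4})\s+({IPV4})\s+(\d+)\s*$")
PROUTE_RE = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+({IPV4})\s+(\d+)\s*$")

SAMPLE_CLEAN = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : GW-5B4ED3A077
        Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.2   20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1   1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None
"""

# Planted anomalies: a second, off-subnet resolver and a persistent route.
SAMPLE_SUSPECT = (
    SAMPLE_CLEAN
    .replace("DNS Servers . . . . . . . . . . . : 192.168.1.1",
             "DNS Servers . . . . . . . . . . . : 192.168.1.1\n" + " " * 44 + "203.0.113.53")
    .replace("  None", "  198.51.100.0  255.255.255.0  192.168.1.99  1")
)


def parse_ipconfig(text):
    """Map each ipconfig key to its list of values, stopping at the route table."""
    cfg, last = {}, None
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            break
        if not line.strip():
            last = None          # a blank line ends any multi-valued field
            continue
        m = KV_RE.match(line)
        if m:
            last = m["key"].strip()
            cfg.setdefault(last, [])
            if m["val"].strip():
                cfg[last].append(m["val"].strip())
            continue
        m = CONT_RE.match(line)
        if m and last:
            cfg[last].append(m["ip"])
    return cfg


def parse_routes(text):
    """Return (active, persistent) route lists from the route print section."""
    active, persistent, section = [], [], None
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            section = "active"
        elif line.startswith("Persistent Routes:"):
            section = "persistent"
        elif section == "active" and (m := ROUTE_RE.match(line)):
            active.append({"dest": m[1], "mask": m[2], "gateway": m[3], "iface": m[4], "metric": int(m[5])})
        elif section == "persistent" and (m := PROUTE_RE.match(line)):
            persistent.append({"dest": m[1], "mask": m[2], "gateway": m[3], "metric": int(m[4])})
    return active, persistent


def check(text):
    """Return human-readable findings; an empty list means nothing looked off."""
    cfg = parse_ipconfig(text)
    active, persistent = parse_routes(text)
    findings = []
    ip = cfg.get("IP Address", [None])[0]
    mask = cfg.get("Subnet Mask", [None])[0]
    gateway = cfg.get("Default Gateway", [None])[0]
    lan = ip_interface(f"{ip}/{mask}").network if ip and mask else None
    for dns in cfg.get("DNS Servers", []):
        if lan is None or ip_address(dns) not in lan:
            findings.append(f"DNS server {dns} is outside the local subnet {lan}")
    route_gw = [r["gateway"] for r in active if r["dest"] == "0.0.0.0"]
    if gateway and route_gw and gateway not in route_gw:
        findings.append(f"ipconfig gateway {gateway} differs from route-table default {route_gw}")
    for r in persistent:
        findings.append(f"persistent route {r['dest']}/{r['mask']} via {r['gateway']}")
    return findings


if __name__ == "__main__":
    print("clean  :", check(SAMPLE_CLEAN))
    print("suspect:", check(SAMPLE_SUSPECT))
```

The output posted above passes all three checks: the only DNS server is the gateway, both gateway fields agree on 192.168.1.1, and there are no persistent routes. A public resolver the user configured on purpose would be flagged by the first check too, so treat a finding as a prompt to confirm who set that value, not as proof of tampering.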

  • Staff

Hello Charlie_Whisky

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache:: 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe


This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following:
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?

Gringo

Hello Gringo

 

I dragged CFscript.txt over Combofix.exe, and it started to run.

 

Combofix.exe asked if I wanted to update and I declined.

 

ComboFix.exe warned me to suspend N360 antivirus, which I did.

 

ComboFix.exe then proceeded to run and ended by popping up with the log report at the end of this post.

 

FEEDBACK

 

I don’t see too much change in the responsiveness of the computer.  CPU about 1-3% in the present state. 

 

 

MBAM has been blocking, here’s the protection log for today:

 

2013/06/17 00:11:00 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         195.161.7.18 (Type: incoming)

2013/06/17 00:16:05 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         91.195.11.13 (Type: incoming)

2013/06/17 01:07:00 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         218.10.86.220 (Type: incoming)

2013/06/17 01:07:14 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         212.117.177.77 (Type: outgoing)

2013/06/17 01:23:36 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         89.28.88.119 (Type: incoming)

2013/06/17 01:52:14 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         91.188.44.53 (Type: outgoing)

2013/06/17 02:16:35 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         91.188.38.83 (Type: incoming)

2013/06/17 02:19:12 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         218.9.39.154 (Type: incoming)

2013/06/17 02:38:41 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         218.7.184.162 (Type: outgoing)

2013/06/17 02:39:30 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         98.142.247.209 (Type: incoming)

2013/06/17 03:36:07 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         89.28.17.215 (Type: outgoing)

2013/06/17 03:37:38 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         89.28.66.199 (Type: outgoing)

2013/06/17 03:39:04 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         31.133.61.171 (Type: incoming)

2013/06/17 03:47:17 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         58.240.253.81 (Type: incoming)

2013/06/17 03:51:50 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         58.240.186.244 (Type: outgoing)

2013/06/17 03:55:41 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         89.28.15.90 (Type: incoming)

2013/06/17 04:06:49 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         58.240.253.81 (Type: incoming)

2013/06/17 04:06:50 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         58.240.253.81 (Type: incoming)

2013/06/17 04:06:54 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         58.240.253.81 (Type: incoming)

2013/06/17 04:07:14 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         58.240.253.81 (Type: incoming)

2013/06/17 04:07:15 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         58.240.253.81 (Type: incoming)

2013/06/17 04:07:42 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         58.240.186.244 (Type: outgoing)

2013/06/17 04:12:08 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         58.240.253.81 (Type: incoming)

2013/06/17 04:18:07 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         218.10.86.140 (Type: incoming)

2013/06/17 04:34:32 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         218.10.65.200 (Type: incoming)

2013/06/17 04:38:17 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         89.28.116.158 (Type: outgoing)

2013/06/17 04:51:25 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         89.28.59.68 (Type: incoming)

2013/06/17 04:54:39 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         58.240.186.244 (Type: outgoing)

2013/06/17 05:03:46 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         218.10.86.140 (Type: incoming)

2013/06/17 05:09:39 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         91.188.53.16 (Type: incoming)

2013/06/17 05:11:08 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         58.240.186.244 (Type: outgoing)

2013/06/17 05:13:27 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         94.102.56.145 (Type: incoming)

2013/06/17 05:19:23 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         194.165.0.3 (Type: incoming)

2013/06/17 05:25:00 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         78.26.187.118 (Type: outgoing)

2013/06/17 05:26:26 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         91.188.50.159 (Type: outgoing)

2013/06/17 05:42:47 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         194.165.0.3 (Type: incoming)

2013/06/17 06:03:48 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         194.165.0.3 (Type: incoming)

2013/06/17 06:11:57 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         218.10.86.140 (Type: incoming)

2013/06/17 06:24:05 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         218.8.222.93 (Type: outgoing)

2013/06/17 06:24:37 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         194.165.0.3 (Type: incoming)

2013/06/17 06:32:18 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         89.28.64.63 (Type: incoming)

2013/06/17 06:37:46 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         58.240.186.244 (Type: outgoing)

2013/06/17 06:38:08 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         218.9.240.244 (Type: outgoing)

2013/06/17 06:45:59 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         89.28.64.63 (Type: incoming)

2013/06/17 06:46:29 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         194.165.0.3 (Type: incoming)

2013/06/17 06:53:32 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         91.195.11.90 (Type: outgoing)

2013/06/17 06:54:56 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         89.28.114.149 (Type: outgoing)

2013/06/17 07:05:17 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         218.10.86.140 (Type: incoming)

2013/06/17 07:08:51 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         219.153.111.3 (Type: outgoing)

2013/06/17 07:09:51 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         219.153.138.29 (Type: outgoing)

2013/06/17 07:10:06 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         194.165.0.3 (Type: incoming)

2013/06/17 07:18:04 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         31.133.55.82 (Type: incoming)

2013/06/17 07:24:54 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         91.188.41.191 (Type: outgoing)

2013/06/17 07:34:52 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         194.165.0.3 (Type: incoming)

2013/06/17 07:40:50 -0500          GW-5B4ED3A077          Owner   MESSAGE        Starting protection

2013/06/17 07:40:50 -0500          GW-5B4ED3A077          Owner   MESSAGE        Protection started successfully

2013/06/17 07:40:50 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/17 07:42:17 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully
2013/06/17 07:44:05 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.63.17 (Type: incoming)
2013/06/17 07:48:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.63.17 (Type: incoming)
2013/06/17 20:04:56 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/17 20:04:56 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully
2013/06/17 20:04:56 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/17 20:06:04 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully
2013/06/17 20:06:58 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming)
2013/06/17 20:08:05 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.16.95 (Type: incoming)
2013/06/17 20:10:00 -0500 GW-5B4ED3A077 Owner IP-BLOCK 98.142.247.246 (Type: incoming)
2013/06/17 20:21:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming)
2013/06/17 20:28:11 -0500 GW-5B4ED3A077 Owner IP-BLOCK 94.102.51.133 (Type: incoming)
2013/06/17 20:35:47 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming)
2013/06/17 20:50:11 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming)
2013/06/17 21:04:35 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming)
2013/06/17 21:19:00 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming)
2013/06/17 21:31:11 -0500 GW-5B4ED3A077 Owner IP-BLOCK 94.102.51.133 (Type: incoming)
2013/06/17 21:33:24 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming)
2013/06/17 21:47:48 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming)
2013/06/17 21:55:01 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.48.34 (Type: outgoing)
2013/06/17 22:00:21 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/17 22:00:21 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully
2013/06/17 22:00:21 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/17 22:01:22 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully
2013/06/17 22:01:57 -0500 GW-5B4ED3A077 Owner IP-BLOCK 98.142.247.246 (Type: outgoing)
2013/06/17 22:01:59 -0500 GW-5B4ED3A077 Owner IP-BLOCK 98.142.247.246 (Type: outgoing)
2013/06/17 22:02:14 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming)


Note that ComboFix finished at 21:43; there are still outgoing IP blocks after this.

ComboFix report


ComboFix 13-06-12.02 - Owner 06/17/2013  21:28:52.2.2 - x86

Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1918.1033 [GMT -5:00]

Running from: c:\documents and settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\Combo fix\ComboFix.exe

Command switches used :: c:\documents and settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\Batch Files\CFScript.txt

AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: CA Personal Firewall *Disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}

FW: Norton 360 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

.

(((((((((((((((((((((((((   Files Created from 2013-05-18 to 2013-06-18  )))))))))))))))))))))))))))))))

.

.

2013-06-16 13:45 . 2013-02-12 00:32      12928 -c----w-            c:\windows\system32\dllcache\usb8023x.sys

2013-06-16 13:45 . 2013-02-12 00:32      12928 -c----w-            c:\windows\system32\dllcache\usb8023.sys

2013-06-16 02:02 . 2013-06-16 12:38      --------  d-----w-           c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)

2013-06-16 02:01 . 2013-06-16 02:01      35144 ----a-w-            c:\windows\system32\drivers\mbamchameleon.sys

2013-06-15 21:19 . 2013-06-15 21:19      --------  d-----w-           C:\_OTL

2013-06-12 22:12 . 2013-06-12 22:12      --------  d-----w-           c:\windows\ERUNT

2013-06-12 22:12 . 2013-06-12 22:12      --------  d-----w-           C:\JRT

2013-06-12 21:52 . 2013-06-12 21:52      --------  d-----w-           c:\documents and settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\AVG SafeGuard toolbar

2013-06-12 21:52 . 2013-06-12 21:52      --------  d-----w-           c:\documents and settings\All Users\Application Data\AVG SafeGuard toolbar

2013-06-12 21:51 . 2013-06-12 21:51      --------  d-----w-           c:\documents and settings\Owner.YOUR-5B4ED3A077\Application Data\AVG SafeGuard toolbar

2013-06-12 21:51 . 2013-06-12 21:50      37664 ----a-w-           c:\windows\system32\drivers\avgtpx86.sys

2013-06-12 21:51 . 2013-06-12 22:06      --------  d-----w-           c:\program files\Common Files\AVG Secure Search

2013-06-12 21:51 . 2013-06-12 21:51      --------  d-----w-           c:\program files\AVG SafeGuard toolbar

2013-06-12 21:50 . 2013-06-12 21:50      --------  d--h--w-          c:\documents and settings\All Users\Application Data\Common Files

2013-06-10 09:54 . 2013-06-10 09:54      --------  d-----w-           c:\documents and settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan

2013-05-21 01:23 . 2013-05-28 00:28      --------  d-----w-           C:\hotlink

2013-05-21 01:20 . 2008-11-07 10:53      752496           ----a-w-           C:\WindowsXP-KB959658-x86-ENU.exe

.

.

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-06-12 02:59 . 2012-04-18 18:39      692104           ----a-w-            c:\windows\system32\FlashPlayerApp.exe

2013-06-12 02:59 . 2011-06-15 01:48      71048 ----a-w-            c:\windows\system32\FlashPlayerCPLApp.cpl

2013-05-07 22:30 . 2006-06-17 09:23      920064           ----a-w-           c:\windows\system32\wininet.dll

2013-05-07 22:30 . 2006-06-17 09:23      43520 ------w-            c:\windows\system32\licmgr10.dll

2013-05-07 22:30 . 2006-06-17 09:23      1469440        ------w-            c:\windows\system32\inetcpl.cpl

2013-05-07 21:53 . 2006-06-17 09:23      385024           ------w-            c:\windows\system32\html.iec

2013-05-03 01:30 . 2006-06-17 09:23      2149888        ----a-w-           c:\windows\system32\ntoskrnl.exe

2013-05-03 00:38 . 2004-08-04 05:59      2028544        ----a-w-           c:\windows\system32\ntkrnlpa.exe

2013-04-10 01:31 . 2006-06-17 09:23      1876352        ----a-w-           c:\windows\system32\win32k.sys

2013-04-05 00:00 . 2011-06-20 01:25      695578           ----a-w-           c:\windows\unins000.exe

2013-04-04 19:50 . 2008-08-09 19:09      22856 ----a-w-           c:\windows\system32\drivers\mbam.sys

2003-12-05 16:41     368640           --sh--r-            c:\windows\cwh.exe

2003-12-05 02:16     69632 --sh--r-            c:\windows\lnchshll.exe

2003-12-05 02:16     49152 --sh--r-            c:\windows\ScrnInt.exe

.

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-08 323392]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2011-12-01 206120]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]

"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-24 573440]

"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 413696]

"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-11-01 98304]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

REALTEK RTL8187 Wireless LAN Utility.lnk - c:\program files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe /H [2006-11-1 749568]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe  /startup [2008-5-26 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"UmxFwHlp"=2 (0x2)

"ITMRTSVC"=2 (0x2)

"CaCCProvSP"=3 (0x3)

"YahooAUService"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\ses2_client_bin_2_8_13g\\seswiz.exe"=

"c:\\Program Files\\REALTEK RTL8187 Wireless LAN Driver and Utility\\RtWLan.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Plex\\Plex Media Server\\Plex Media Server.exe"=

"c:\\Program Files\\Plex\\Plex Media Server\\PlexScriptHost.exe"=

"c:\\Program Files\\Plex\\Plex Media Server\\PlexDlnaServer.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0

"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1

"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2

"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3

"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4

"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5

"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6

"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7

"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8

"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9

"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification

"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration

"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

"4100:UDP"= 4100:UDP:uPNP Router Control Port

"50000:UDP"= 50000:UDP:IHA_MessageCenter

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\1403010.016\symds.sys [4/8/2013 7:03 PM 367704]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\1403010.016\symefa.sys [4/8/2013 7:03 PM 934488]

R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [6/12/2013 4:51 PM 37664]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\BASHDefs\20130531.001\BHDrvx86.sys [5/31/2013 11:58 AM 1002072]

R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360\1403010.016\ccsetx86.sys [4/8/2013 7:03 PM 134304]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\1403010.016\ironx86.sys [4/8/2013 7:03 PM 175264]

R2 cwh;cwh;c:\windows\cwh.exe [12/23/2006 3:19 PM 368640]

R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [12/12/2011 11:03 AM 352248]

R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/10/2012 8:40 PM 418376]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/9/2008 2:09 PM 701512]

R2 N360;Norton 360;c:\program files\Norton 360\Engine\20.3.1.22\ccsvchst.exe [4/8/2013 7:02 PM 144520]

R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [12/1/2011 6:11 AM 206120]

R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [12/1/2011 6:11 AM 185640]

R2 vToolbarUpdater15.2.0;vToolbarUpdater15.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe [6/12/2013 4:51 PM 1015984]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2012 10:27 PM 106656]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\IPSDefs\20130615.001\IDSXpx86.sys [6/17/2013 8:31 PM 373728]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/9/2008 2:09 PM 22856]

S0 jwsog;jwsog;c:\windows\system32\drivers\xbjj.sys --> c:\windows\system32\drivers\xbjj.sys [?]

S0 plmd;plmd;c:\windows\system32\drivers\xvqfl.sys --> c:\windows\system32\drivers\xvqfl.sys [?]

S0 qnmthkg;qnmthkg;c:\windows\system32\drivers\dgwdfd.sys --> c:\windows\system32\drivers\dgwdfd.sys [?]

S0 shho;shho;c:\windows\system32\drivers\rtbiatm.sys --> c:\windows\system32\drivers\rtbiatm.sys [?]

S3 EraserUtilDrv11210;EraserUtilDrv11210;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11210.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11210.sys [?]

S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\drivers\ICDSX.sys [10/1/2003 5:44 PM 31744]

S3 WebDictateService;Web Dictate;c:\program files\NCH Software\WebDictate\webdictate.exe [2/7/2012 10:13 AM 814596]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

vvdsvc            REG_MULTI_SZ      vvdsvc

.

Contents of the 'Scheduled Tasks' folder

.

2013-06-18 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 02:59]

.

2012-02-10 c:\windows\Tasks\expressShakeIcon.job

- c:\program files\NCH Software\Express\express.exe [2012-02-07 15:13]

.

2013-06-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1542910684-3637753515-2293041949-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

.

2013-06-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1542910684-3637753515-2293041949-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

.

2013-03-06 c:\windows\Tasks\scribeShakeIcon.job

- c:\program files\NCH Software\Scribe\scribe.exe [2012-02-07 15:12]

.

2013-06-17 c:\windows\Tasks\User_Feed_Synchronization-{6F0D77EB-9DFC-4C8F-B264-D6025F8ED514}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-23202751.sys

SafeBoot-71571137.sys

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-06-17 21:40

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ... 

.

scanning hidden autostart entries ...

.

scanning hidden files ... 

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\20.3.1.22\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\20.3.1.22\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(956)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\BCMLogon.dll

.

- - - - - - - > 'explorer.exe'(5520)

c:\windows\system32\WININET.dll

c:\progra~1\WINDOW~3\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2013-06-17  21:43:24

ComboFix-quarantined-files.txt  2013-06-18 02:43

ComboFix2.txt  2013-06-13 00:21

.

Pre-Run: 76,455,112,704 bytes free

Post-Run: 76,793,696,256 bytes free

.

- - End Of File - - 1F18EFED6EC99D5297C14AA5BA14F1D6

B20939CD98B7710036274839082AE757

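The poster's point above, that IP blocks kept appearing after ComboFix's 21:43:24 completion time, can be checked mechanically rather than by eye. The following Python is an added example, not code from this thread or from Malwarebytes: it parses the protection-log format pasted above, counts blocks after a chosen cutoff by direction and address, and flags blocks that follow a restart of IP protection within a short window (the 120-second window is an assumption, and the sample lines are a constructed subset of the log above).

```python
"""Triage helper for Malwarebytes 1.x protection-log lines.

Added example (not from the forum post and not Malwarebytes' own code). It
parses IP-BLOCK / MESSAGE lines and answers two defender questions: did blocks
(especially outgoing ones) continue after a cleanup tool finished, and do they
resume right after the protection module restarts, i.e. right after a reboot?
"""
from collections import Counter
from datetime import datetime, timedelta
import re

# One protection-log line: date, time, UTC offset, host, user, kind, payload.
# Whitespace between fields varies between pastes, so \s+ is used throughout.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<tz>[+-]\d{4})\s+(?P<host>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<kind>IP-BLOCK|MESSAGE)\s+(?P<rest>.*?)\s*$"
)
# Payload of an IP-BLOCK line: the blocked address and the direction.
BLOCK_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\(Type:\s*(?P<direction>incoming|outgoing)\)$"
)


def parse_log(text):
    """Return a list of event dicts in file order; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(
            f"{m['date']} {m['time']} {m['tz']}", "%Y/%m/%d %H:%M:%S %z"
        )
        event = {"ts": ts, "host": m["host"], "user": m["user"], "kind": m["kind"]}
        if m["kind"] == "IP-BLOCK":
            b = BLOCK_RE.match(m["rest"])
            if not b:
                continue  # malformed block line: skip rather than guess
            event.update(ip=b["ip"], direction=b["direction"])
        else:
            event["message"] = m["rest"]
        events.append(event)
    return events


def blocks_after(events, cutoff):
    """IP-BLOCK events strictly later than `cutoff` (a tz-aware datetime)."""
    return [e for e in events if e["kind"] == "IP-BLOCK" and e["ts"] > cutoff]


def count_by_direction(blocks):
    """Counter of direction -> number of blocks."""
    return Counter(b["direction"] for b in blocks)


def count_by_ip(blocks, direction="outgoing"):
    """Counter of IP -> number of blocks in the given direction."""
    return Counter(b["ip"] for b in blocks if b["direction"] == direction)


def blocks_after_restart(events, window=timedelta(seconds=120)):
    """Blocks within `window` of the latest 'IP Protection started successfully'.

    Connections that resume a minute after each restart of the protection layer
    point at something that starts with the machine, which is why a helper then
    looks at the autostart sections of the ComboFix and HijackThis logs.
    The 120-second window is an assumption chosen for this example.
    """
    hits, last_start = [], None
    for e in events:
        if e["kind"] == "MESSAGE" and e["message"] == "IP Protection started successfully":
            last_start = e["ts"]
        elif e["kind"] == "IP-BLOCK" and last_start and e["ts"] - last_start <= window:
            hits.append(e)
    return hits


# Constructed sample: a subset of the lines quoted in the post above.
SAMPLE_LOG = """\
2013/06/17 21:31:11 -0500 GW-5B4ED3A077 Owner IP-BLOCK 94.102.51.133 (Type: incoming)
2013/06/17 21:33:24 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming)
2013/06/17 21:47:48 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming)
2013/06/17 21:55:01 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.48.34 (Type: outgoing)
2013/06/17 22:00:21 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/17 22:00:21 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/17 22:01:22 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully
2013/06/17 22:01:57 -0500 GW-5B4ED3A077 Owner IP-BLOCK 98.142.247.246 (Type: outgoing)
2013/06/17 22:01:59 -0500 GW-5B4ED3A077 Owner IP-BLOCK 98.142.247.246 (Type: outgoing)
2013/06/17 22:02:14 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming)
"""

# ComboFix's own "Completion time" from the report above (local time, GMT -5).
COMBOFIX_DONE = datetime.strptime("2013/06/17 21:43:24 -0500", "%Y/%m/%d %H:%M:%S %z")


def triage(text=SAMPLE_LOG, cutoff=COMBOFIX_DONE):
    """Summarise post-cleanup activity as a dict so callers can assert on it."""
    events = parse_log(text)
    later = blocks_after(events, cutoff)
    return {
        "total_blocks": sum(1 for e in events if e["kind"] == "IP-BLOCK"),
        "after_cutoff": count_by_direction(later),
        "outgoing_ips": count_by_ip(later),
        "after_restart": len(blocks_after_restart(events)),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

On the sample this reports three outgoing and two incoming blocks after the ComboFix completion time, with all three blocks after the 22:01:22 restart landing inside the first minute.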

  • Staff

Hello

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a lot better of a job).

  • Programs to remove
    • Adobe Reader 7.0
    • Browser Address Error Redirector
    • DNA
    • Java™ 6 Update 24

  • Please download and install Revo Uninstaller Free
  • Double-click Revo Uninstaller to run it.
  • From the list of programs, double-click on the program to remove.
  • When prompted if you want to uninstall, click Yes.
  • Be sure the Moderate option is selected, then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes and then Next.
  • Once done, click Finish.

Update Adobe reader

  • Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html

    After installing the latest Adobe Reader, uninstall all previous versions.

    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    • If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • Click on the Free Java Download button
  • Click on Agree and Start Free Download
  • Click on Run
  • Click on Run again
  • Click on Install
  • When the install is complete, click on Close
Clean Out Temp Files
  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here CCleaner

    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.
: Malwarebytes' Anti-Malware :

I see you have MBAM installed on the computer - that is great!! It is a very good program! I would like you to run a quick scan for me now.

  • Double-click the MBAM icon
  • Go to the Update tab at the top
  • Click on Check for Updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

  • Go here to download the HijackThis program
  • Save HijackThis to your desktop.
  • Right-click on HijackThis and select "Run as Admin" (XP users just need to double-click to run)
  • Click on "Do a system scan and save a logfile" (if you do not see "Do a system scan and save a logfile", then click on Main Menu)
  • Copy and paste the HijackThis report into the topic
"Information and logs"
  • In your next post I need the following:
    • Log from MBAM
    • Report from HijackThis
    • Let me know of any problems you may have had
    • How is the computer doing now?
Gringo

Hello Gringo

I ran all of these without incident. The MBAM log and HJ logs are at the end of this post.

A comment about Revo Uninstaller: I found it very time consuming to use because I had to click on several hundred boxes corresponding to all the bolded selections; it would be much better if there were a button to simply select all bolded items.

I have not yet installed the updated Adobe and Java versions that you pointed to.

Feedback

1) I have not seen any IP block popups since running Revo to uninstall those 4 programs and CCleaner; that's a good sign! But I'll have to monitor longer.

Here is today's protection log:

2013/06/18 19:22:06 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/18 19:22:06 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully
2013/06/18 19:22:06 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/18 19:23:26 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully
2013/06/18 19:24:29 -0500 GW-5B4ED3A077 Owner IP-BLOCK 79.135.139.182 (Type: outgoing)
2013/06/18 20:57:31 -0500 GW-5B4ED3A077 Owner IP-BLOCK 87.248.186.129 (Type: incoming)
2013/06/18 21:37:27 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/18 21:37:28 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully
2013/06/18 21:37:28 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/18 21:38:51 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully

2) IE still shows red Xs and blank boxes and pictures, so it is not very user friendly. Any idea how to restore this?

 

MBAM Log

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.16.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: GW-5B4ED3A077 [administrator]

Protection: Enabled

6/18/2013 9:40:50 PM
mbam-log-2013-06-18 (21-40-50).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 237368
Time elapsed: 17 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

HijackThis log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:00:52 PM, on 6/18/2013
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\cwh.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\VERIZONDM\bin\sprtcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\VERIZONDM\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VERIZONDM\bin\tgsrvc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Norton 360\Engine\20.4.0.40\ccSvcHst.exe
C:\Program Files\Norton 360\Engine\20.4.0.40\ccSvcHst.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6453
O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\20.4.0.40\coIEPlg.dll
O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\20.4.0.40\IPS\IPSBHO.DLL
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\20.4.0.40\coIEPlg.dll
O4 - HKLM\..\Run: [VERIZONDM] "C:\Program Files\VERIZONDM\bin\sprtcmd.exe" /P VERIZONDM
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: REALTEK RTL8187 Wireless LAN Utility.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://biz.lgservice.com/DjvuViewer/DjVuControl-6.1.4.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {3A52566B-6018-485B-B713-8B9FF660D8E8} (ilhtrapp Object) - http://71.123.169.42:0/webdvr2.18.2.16_71.0.0.0.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1343697687988
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1343697663689
O16 - DPF: {9282A3AA-4954-46B4-B4AE-F086CE3F1110} (TrustSiteAddMgr Class) - http://71.123.169.42:0/regtrustsite.cab
O16 - DPF: {9CA74596-B5BB-4634-971C-F0224115A15F} (tcast control) - http://nba.tom.com/video/tcastV1.cab
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://vexcast.com/download/vexcast.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: cwh - Warranty Corporation of America - C:\WINDOWS\cwh.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: IHA_MessageCenter - Verizon - C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\20.4.0.40\ccSvcHst.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (verizondm) (sprtsvc_verizondm) - SupportSoft, Inc. - C:\Program Files\VERIZONDM\bin\sprtsvc.exe
O23 - Service: SupportSoft Repair Service (verizondm) (tgsrvc_verizondm) - SupportSoft, Inc. - C:\Program Files\VERIZONDM\bin\tgsrvc.exe
O23 - Service: vToolbarUpdater15.2.0 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe
O23 - Service: Web Dictate (WebDictateService) - Unknown owner - C:\Program Files\NCH Software\WebDictate\webdictate.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9854 bytes


  • Staff

Greetings

Revo is not always like that, but that will show you how bad some uninstallers are - that is what is left over after uninstalling.

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional

These are programs that start up when you turn on your computer but don't need to; any of these programs you can start by clicking on their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis (right-click and run as admin)
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):
    • O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    • O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
    • O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
    • O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    • O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    • O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    • O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
  • Close all open windows and browsers/email, etc.
  • Click on the "Fix Checked" button
  • When completed, close the application.

  • NOTE** You can research each of those lines >here< and see if you want to keep them or not: just copy the name between the brackets and paste it into the search space, for example from

      O4 - HKLM\..\Run: [IntelliPoint]

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - on Vista and Windows 7, right-click the IE shortcut and run as admin.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the add-on to be installed
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete:
  • If no threats were found
    • Put a checkmark in "Uninstall application on close"
    • Close the program
    • Report to me that nothing was found
  • If threats were found
    • Click on "List of threats found"
    • Click on "Export to text file" and save it as ESET SCAN to the desktop
    • Click on Back
    • Put a checkmark in "Uninstall application on close"
    • Click on Finish
    • Close the program
    • Copy and paste the report here
Gringo
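The staff reply above tells the user to research each HijackThis line by the name between the brackets. As an added example (not part of the thread, and not HijackThis or Malwarebytes code), the script below parses the O4, O16 and O23 line formats that appear in the posted log and applies a few defender-side triage heuristics: an O16 ActiveX control fetched from a literal IP address or from port 0, an O23 service with "Unknown owner" or a "(file missing)" path, and an O4 run entry that names a bare executable with no directory (so which file actually runs depends on the PATH search). The sample lines are copied from the log above; the flag names and the heuristics themselves are this example's own choices, not anything the helper or the forum prescribes, and a flag means "look at this entry first", not "this is malicious".

```python
"""Triage helper for HijackThis O4 / O16 / O23 lines.

Added example; the heuristics and flag names are this script's own
(assumed) conventions, not part of HijackThis.
"""
import re
import ipaddress
from urllib.parse import urlparse

# Line formats as they appear in a HijackThis log.
O4_RE = re.compile(r'^O4 - (?P<where>.+?): (?P<rest>.*)$')
O16_RE = re.compile(r'^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$')


def _is_ip_literal(host):
    """True if the URL host is a bare IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _first_executable(cmd):
    """Pull the executable out of a Run command (quoted or unquoted)."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(' ')[0]


def triage_line(line):
    """Parse one log line into {'kind', 'name', 'target', 'flags'}; None if not O4/O16/O23."""
    line = line.strip()

    m = O4_RE.match(line)
    if m:
        rest = m.group('rest')
        bracket = re.match(r'^\[(?P<name>[^\]]+)\] (?P<cmd>.*)$', rest)
        if bracket:
            name, cmd = bracket.group('name'), bracket.group('cmd')
        else:  # "Global Startup: foo.lnk = C:\path" form
            name, _, cmd = rest.partition(' = ')
        flags = []
        exe = _first_executable(cmd)
        if '\\' not in exe and '/' not in exe:
            flags.append('bare-filename')  # resolved through the PATH search at logon
        return {'kind': 'O4', 'name': name, 'target': cmd, 'flags': flags}

    m = O16_RE.match(line)
    if m:
        url = m.group('url')
        parsed = urlparse(url)
        flags = []
        if parsed.hostname and _is_ip_literal(parsed.hostname):
            flags.append('literal-ip-source')
        try:
            port = parsed.port
        except ValueError:
            port = None
        if port == 0:
            flags.append('port-zero')
        return {'kind': 'O16', 'name': m.group('desc'), 'target': url, 'flags': flags}

    m = O23_RE.match(line)
    if m:
        vendor, path = m.group('vendor'), m.group('path')
        flags = []
        if vendor == 'Unknown owner':
            flags.append('unknown-owner')
        if '(file missing)' in path:
            flags.append('file-missing')  # orphaned service registration
        return {'kind': 'O23', 'name': m.group('name'), 'target': path, 'flags': flags}

    return None


def triage(log_text):
    """All parsed O4/O16/O23 records from a log, in file order."""
    return [r for r in (triage_line(l) for l in log_text.splitlines()) if r]


def flagged(log_text):
    """Only the records that tripped at least one heuristic."""
    return [r for r in triage(log_text) if r['flags']]


# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O16 - DPF: {3A52566B-6018-485B-B713-8B9FF660D8E8} (ilhtrapp Object) - http://71.123.169.42:0/webdvr2.18.2.16_71.0.0.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1343697687988
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

if __name__ == '__main__':
    for rec in flagged(SAMPLE_LOG):
        print(f"{rec['kind']:<4} {rec['name']:<45} {', '.join(rec['flags'])}")
```

Run it against a full log (`triage(open('hijackthis.log').read())`) to get every O4/O16/O23 entry with its name ready to paste into a lookup, and `flagged()` for the short list worth checking first. An "Unknown owner" service that also points at a missing file, as the Java Quick Starter entry does, is usually a leftover registration rather than a live threat, which is exactly the kind of thing the staff note about sloppy uninstallers refers to.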

Hi Gringo

I ran HijackThis, but I cannot see where to run ESET on the page your link sends me to (http://www.eset.com/us/online-scanner/). That is, I see no "Run ESET Online Scanner" button.

Maybe because this goes to a different page, OR maybe because buttons are showing up as red Xs on the ESET page and other pages when I am on IE. For instance, the menu bar above the space that I am typing into is blank. The icon to the left associated with my profile displays a red X. Do you know of a way to get the images of the buttons to display once again?

This topic is now closed to further replies.