Cannot Enable Malicious Website Blocking


  • Staff

Hello jaymac

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!


  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes; just copy and paste the text.
    • Due to the high volume of logs we receive, it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same"; this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

These are the programs I would like you to run next; if you have any problems with one of these, just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.

-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

When they are complete let me have the two reports and let me know how things are running.

Gringo


Gringo- Good to 'meet you' and thanks!

Followed all instructions.

AdwCleaner ran fine.

In shutting down 'protection' to run Junkware Removal Tool, I shut down MB; the system has Norton, which doesn't shut down, but I disabled virus protection and the firewall.

Junkware begins to run fine; just after it finishes checking folders, it starts to check the registry. Then Windows Explorer pops open, a Windows protection disabled warning message appears (click balloon to fix), and Junkware Removal Tool stops running (I've given it an hour and still the same screen).

System is Windows XP SP3. Do I need to uninstall Norton? On my laptop Norton gave me a message that it is incompatible with MBAM for the first time yesterday and both have been in use for several months. Is there a preferred firewall / virus protection program to run with MBAM?

Thanks again - here is the AdwCleaner text.

# AdwCleaner v2.303 - Logfile created 06/16/2013 at 10:01:40

# Updated 08/06/2013 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : User one - NEW042408

# Boot Mode : Normal

# Running from : C:\Documents and Settings\User one\Desktop\AdwCleaner.exe

# Option [Delete]

***** [services] *****

Stopped & Deleted : CltMngSvc

***** [Files / Folders] *****

File Deleted : C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\searchplugins\Babylon.xml

File Deleted : C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\searchplugins\Conduit.xml

File Deleted : C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\searchplugins\delta.xml

File Deleted : C:\END

File Deleted : C:\WINDOWS\Tasks\EPUpdater.job

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon

Folder Deleted : C:\Documents and Settings\User one\Application Data\Babylon

Folder Deleted : C:\Documents and Settings\User one\Application Data\DSite

Folder Deleted : C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\CT3303000

Folder Deleted : C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\extensions\{37a7edb7-afda-4373-9865-02bf8160e677}

Folder Deleted : C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\Smartbar

Folder Deleted : C:\Documents and Settings\User one\Application Data\PriceGong

Folder Deleted : C:\Documents and Settings\User one\Application Data\SearchProtect

Folder Deleted : C:\Documents and Settings\User one\Local Settings\Application Data\Conduit

Folder Deleted : C:\Program Files\Conduit

Folder Deleted : C:\Program Files\SearchProtect

***** [Registry] *****

Key Deleted : HKCU\Software\BabSolution

Key Deleted : HKCU\Software\Conduit

Key Deleted : HKCU\Software\ConduitSearchScopes

Key Deleted : HKCU\Software\InstallCore

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}

Key Deleted : HKCU\Software\PriceGong

Key Deleted : HKCU\Software\SearchProtect

Key Deleted : HKCU\Software\SmartBar

Key Deleted : HKCU\Software\YahooPartnerToolbar

Key Deleted : HKLM\Software\Babylon

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}

Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap

Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3303000

Key Deleted : HKLM\Software\Conduit

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Delta

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SearchProtect

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect

Key Deleted : HKLM\Software\SearchProtect

Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [searchprotect]

Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [searchProtectAll]

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com/?ctid=CT3303000&octid=CT3303000&SearchSource=61&CUI=UN38385761147885239&UM=2&UP=SPC6F11C3F-4B1C-4D52-BFF4-685F22AFC1FD --> hxxp://www.google.com

-\\ Mozilla Firefox v21.0 (en-US)

File : C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\prefs.js

C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\user.js ... Deleted !

Deleted : user_pref("CT3303000.1000082.isPlayDisplay", "true");

Deleted : user_pref("CT3303000.1000082.state", "{\"state\":\"stopped\",\"text\":\"Californi...\",\"description[...]

Deleted : user_pref("CT3303000.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"true\"}");

Deleted : user_pref("CT3303000.ENABLE_RETURN_WEB_SEARCH_ON_THE_PAGE", "{\"dataType\":\"string\",\"data\":\"tru[...]

Deleted : user_pref("CT3303000.FF19Solved", "true");

Deleted : user_pref("CT3303000.FirstTime", "true");

Deleted : user_pref("CT3303000.FirstTimeFF3", "true");

Deleted : user_pref("CT3303000.PG_ENABLE", "dHJ1ZQ==");

Deleted : user_pref("CT3303000.PG_ENABLE.enc", "dHJ1ZQ==");

Deleted : user_pref("CT3303000.SF_JUST_INSTALLED.enc", "RkFMU0U=");

Deleted : user_pref("CT3303000.SF_STATUS.enc", "RU5BQkxFRA==");

Deleted : user_pref("CT3303000.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT330[...]

Deleted : user_pref("CT3303000.UserID", "UN31659096621887623");

Deleted : user_pref("CT3303000.YTbyClickFavorites.enc", "W10=");

Deleted : user_pref("CT3303000.YTbyClickRecent.enc", "W10=");

Deleted : user_pref("CT3303000.addressBarTakeOverEnabledInHidden", "true");

Deleted : user_pref("CT3303000.autoDisableScopes", -1);

Deleted : user_pref("CT3303000.browser.search.defaultthis.engineName", "true");

Deleted : user_pref("CT3303000.defaultSearch", "true");

Deleted : user_pref("CT3303000.embeddedsData", "[{\"appId\":\"130136188917021865\",\"apiPermissions\":{\"cross[...]

Deleted : user_pref("CT3303000.enableAlerts", "true");

Deleted : user_pref("CT3303000.enableFix404ByUser", "TRUE");

Deleted : user_pref("CT3303000.enableSearchFromAddressBar", "true");

Deleted : user_pref("CT3303000.firstTimeDialogOpened", "true");

Deleted : user_pref("CT3303000.fixPageNotFoundError", "true");

Deleted : user_pref("CT3303000.fixPageNotFoundErrorByUser", "true");

Deleted : user_pref("CT3303000.fixPageNotFoundErrorInHidden", "true");

Deleted : user_pref("CT3303000.fixUrls", true);

Deleted : user_pref("CT3303000.homepageuserchanged", true);

Deleted : user_pref("CT3303000.installDate", "31/5/2013 23:37:33");

Deleted : user_pref("CT3303000.installId", "stub.exe");

Deleted : user_pref("CT3303000.installSessionId", "{42624FAA-E5CF-4125-9E71-0CF28082EA60}");

Deleted : user_pref("CT3303000.installSp", "TRUE");

Deleted : user_pref("CT3303000.installType", "conduitnsisintegration");

Deleted : user_pref("CT3303000.installUsage", "2013-06-14T17:12:07.5222273+03:00");

Deleted : user_pref("CT3303000.installUsageEarly", "2013-06-14T17:12:05.9778174+03:00");

Deleted : user_pref("CT3303000.installerVersion", "1.4.2.3");

Deleted : user_pref("CT3303000.isCheckedStartAsHidden", true);

Deleted : user_pref("CT3303000.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");

Deleted : user_pref("CT3303000.isFirstTimeToolbarLoading", "false");

Deleted : user_pref("CT3303000.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}");

Deleted : user_pref("CT3303000.keyword", "true");

Deleted : user_pref("CT3303000.lastNewTabSettings", "{\"isEnabled\":true,\"newTabUrl\":\"hxxp://search.conduit[...]

Deleted : user_pref("CT3303000.lastVersion", "10.16.2.9");

Deleted : user_pref("CT3303000.mam_gk_appStateReportTime.enc", "MTM3MTMyNTQ3MjUyOQ==");

Deleted : user_pref("CT3303000.mam_gk_appState_ACplus.enc", "b2Zm");

Deleted : user_pref("CT3303000.mam_gk_appState_CouponBuddy.enc", "b2Zm");

Deleted : user_pref("CT3303000.mam_gk_appState_Discover.enc", "b2Zm");

Deleted : user_pref("CT3303000.mam_gk_appState_Easytobook.enc", "b2Zm");

Deleted : user_pref("CT3303000.mam_gk_appState_Easytobook_targeted.enc", "b2Zm");

Deleted : user_pref("CT3303000.mam_gk_appState_PriceGong.enc", "b2Zm");

Deleted : user_pref("CT3303000.mam_gk_appState_WindowShopper.enc", "b2Zm");

Deleted : user_pref("CT3303000.mam_gk_appsData.enc", "eyJhcHBzIjpbeyJpZCI6IlByaWNlR29uZyIsInVybCI6Imh0dHA6Ly9w[...]

Deleted : user_pref("CT3303000.mam_gk_appsDefaultEnabled.enc", "bnVsbA==");

Deleted : user_pref("CT3303000.mam_gk_configuration.enc", "eyJjb25maWd1cmF0aW9uIjpbeyJpZCI6IkRpc2NvdmVyIiwiY3J[...]

Deleted : user_pref("CT3303000.mam_gk_currentVersion.enc", "MS44LjAuNA==");

Deleted : user_pref("CT3303000.mam_gk_eventsCache.enc", "eyIyODBmNTAyYi00MmEyLTRiOTgtOTM2NC0zNmUyZTlmNzMwMWIiO[...]

Deleted : user_pref("CT3303000.mam_gk_first_time.enc", "MQ==");

Deleted : user_pref("CT3303000.mam_gk_gadgetOpen.enc", "MA==");

Deleted : user_pref("CT3303000.mam_gk_installer_preapproved.enc", "ZmFsc2U=");

Deleted : user_pref("CT3303000.mam_gk_lastLoginTime.enc", "MTM3MTMyNTQ3MjY4Nw==");

Deleted : user_pref("CT3303000.mam_gk_localization.enc", "eyJnYWRnZXRDb250ZW50UG9saWN5Ijp7IlRleHQiOiJDb250ZW50[...]

Deleted : user_pref("CT3303000.mam_gk_pgUnloadedOnce.enc", "dHJ1ZQ==");

Deleted : user_pref("CT3303000.mam_gk_settings1.8.0.4.enc", "eyJTdGF0dXMiOiJzdWNjZWVkZWQiLCJEYXRhIjp7ImludGVyd[...]

Deleted : user_pref("CT3303000.mam_gk_showCloseButton.enc", "dHJ1ZQ==");

Deleted : user_pref("CT3303000.mam_gk_showWelcomeGadget.enc", "ZmFsc2U=");

Deleted : user_pref("CT3303000.mam_gk_userId.enc", "N2JmZmFlNDItM2QwZC00M2UzLTk5YzUtNDliYmNmNjEzNDFj");

Deleted : user_pref("CT3303000.mam_gk_user_approval_interacted.enc", "MQ==");

Deleted : user_pref("CT3303000.migrateAppsAndComponents", true);

Deleted : user_pref("CT3303000.navigationAliasesJson", "{\"EB_MAIN_FRAME_URL\":\"hxxp%3A%2F%2Fwww.google.com%2[...]

Deleted : user_pref("CT3303000.openThankYouPage", "false");

Deleted : user_pref("CT3303000.openUninstallPage", "true");

Deleted : user_pref("CT3303000.originalHomepage", "about:home");

Deleted : user_pref("CT3303000.originalSearchAddressUrl", "");

Deleted : user_pref("CT3303000.originalSearchEngine", "");

Deleted : user_pref("CT3303000.revertSettingsEnabled", "false");

Deleted : user_pref("CT3303000.search.searchAppId", "130136188917021865");

Deleted : user_pref("CT3303000.search.searchCount", "0");

Deleted : user_pref("CT3303000.searchFromAddressBarEnabledByUser", "true");

Deleted : user_pref("CT3303000.searchInNewTabEnabledByUser", "true");

Deleted : user_pref("CT3303000.searchInNewTabEnabledInHidden", "true");

Deleted : user_pref("CT3303000.searchRevert", "false");

Deleted : user_pref("CT3303000.searchUserMode", "2");

Deleted : user_pref("CT3303000.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"true\"}");

Deleted : user_pref("CT3303000.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"d[...]

Deleted : user_pref("CT3303000.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"4\[...]

Deleted : user_pref("CT3303000.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"d[...]

Deleted : user_pref("CT3303000.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"strin[...]

Deleted : user_pref("CT3303000.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"strin[...]

Deleted : user_pref("CT3303000.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data[...]

Deleted : user_pref("CT3303000.serviceLayer_services_appTrackingFirstTime_lastUpdate", "1371219135188");

Deleted : user_pref("CT3303000.serviceLayer_services_appsMetadata_lastUpdate", "1371325466087");

Deleted : user_pref("CT3303000.serviceLayer_services_gottenAppsContextMenu_lastUpdate", "1371219135075");

Deleted : user_pref("CT3303000.serviceLayer_services_installUsage_ToolbarInstallEarly_lastUpdate", "1371219133[...]

Deleted : user_pref("CT3303000.serviceLayer_services_installUsage_ToolbarInstall_lastUpdate", "1371219135533")[...]

Deleted : user_pref("CT3303000.serviceLayer_services_location_lastUpdate", "1371325581426");

Deleted : user_pref("CT3303000.serviceLayer_services_login_10.16.2.9_lastUpdate", "1371328743514");

Deleted : user_pref("CT3303000.serviceLayer_services_otherAppsContextMenu_lastUpdate", "1371219134918");

Deleted : user_pref("CT3303000.serviceLayer_services_searchAPI_lastUpdate", "1371325578876");

Deleted : user_pref("CT3303000.serviceLayer_services_serviceMap_lastUpdate", "1371325578271");

Deleted : user_pref("CT3303000.serviceLayer_services_toolbarContextMenu_lastUpdate", "1371219134839");

Deleted : user_pref("CT3303000.serviceLayer_services_toolbarSettings_lastUpdate", "1371325465689");

Deleted : user_pref("CT3303000.serviceLayer_services_translation_lastUpdate", "1371325578400");

Deleted : user_pref("CT3303000.settingsINI", true);

Deleted : user_pref("CT3303000.shouldFirstTimeDialog", "false");

Deleted : user_pref("CT3303000.showToolbarPermission", "false");

Deleted : user_pref("CT3303000.smartbar.CTID", "CT3303000");

Deleted : user_pref("CT3303000.smartbar.Uninstall", "0");

Deleted : user_pref("CT3303000.smartbar.homepage", "true");

Deleted : user_pref("CT3303000.smartbar.isHidden", true);

Deleted : user_pref("CT3303000.smartbar.toolbarName", "Vafmusic7 ");

Deleted : user_pref("CT3303000.startPage", "true");

Deleted : user_pref("CT3303000.toolbarBornServerTime", "14-6-2013");

Deleted : user_pref("CT3303000.toolbarCurrentServerTime", "15-6-2013");

Deleted : user_pref("CT3303000.toolbarLoginClientTime", "Fri Jun 14 2013 10:12:15 GMT-0400 (Eastern Standard T[...]

Deleted : user_pref("CT3303000.versionFromInstaller", "10.16.2.9");

Deleted : user_pref("CT3303000_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\"[...]

Deleted : user_pref("Smartbar.ConduitHomepagesList", "");

Deleted : user_pref("Smartbar.ConduitSearchEngineList", "");

Deleted : user_pref("Smartbar.ConduitSearchUrlList", "");

Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");

Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3303000");

Deleted : user_pref("browser.newtab.url", "hxxp://www1.delta-search.com/?affID=119351&tt=gc_&babsrc=NT_ss&mntr[...]

Deleted : user_pref("browser.search.defaultthis.engineName", "Vafmusic7 Customized Web Search");

Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3303000&CUI[...]

Deleted : user_pref("extensions.delta.admin", false);

Deleted : user_pref("extensions.delta.aflt", "babsst");

Deleted : user_pref("extensions.delta.appId", "{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}");

Deleted : user_pref("extensions.delta.autoRvrt", "false");

Deleted : user_pref("extensions.delta.dfltLng", "en");

Deleted : user_pref("extensions.delta.excTlbr", false);

Deleted : user_pref("extensions.delta.ffxUnstlRst", true);

Deleted : user_pref("extensions.delta.id", "20ea12a0000000000000001cc02bf00c");

Deleted : user_pref("extensions.delta.instlDay", "15843");

Deleted : user_pref("extensions.delta.instlRef", "sst");

Deleted : user_pref("extensions.delta.newTab", false);

Deleted : user_pref("extensions.delta.prdct", "delta");

Deleted : user_pref("extensions.delta.prtnrId", "delta");

Deleted : user_pref("extensions.delta.rvrt", "false");

Deleted : user_pref("extensions.delta.smplGrp", "none");

Deleted : user_pref("extensions.delta.tlbrId", "base");

Deleted : user_pref("extensions.delta.tlbrSrchUrl", "");

Deleted : user_pref("extensions.delta.vrsn", "1.8.21.0");

Deleted : user_pref("extensions.delta.vrsnTs", "1.8.21.014:57:00");

Deleted : user_pref("extensions.delta.vrsni", "1.8.21.0");

Deleted : user_pref("extensions.delta_i.babExt", "");

Deleted : user_pref("extensions.delta_i.babTrack", "affID=119351&tt=gc_");

Deleted : user_pref("extensions.delta_i.srcExt", "ss");

Deleted : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3303000&SearchSource=2&CU[...]

Deleted : user_pref("smartbar.addressBarOwnerCTID", "CT3303000");

Deleted : user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3303000&CUI=UN316590966[...]

Deleted : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT[...]

Deleted : user_pref("smartbar.defaultSearchOwnerCTID", "CT3303000");

Deleted : user_pref("smartbar.homePageOwnerCTID", "CT3303000");

Deleted : user_pref("smartbar.machineId", "DOAGUENMXS4ICGMRXYO/5DXKAWVYSIEV8RKOKOMMHVC8P7W5X++N/ZYFBCTVDRN0PF4[...]

Deleted : user_pref("smartbar.originalHomepage", "hxxp://search.conduit.com/?ctid=CT3303000&CUI=UN316590966218[...]

File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zidfj6b8.default\prefs.js

[OK] File is clean.

-\\ Opera v12.15.1748.0

File : C:\Documents and Settings\User one\Application Data\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[s1].txt - [16602 octets] - [16/06/2013 10:01:40]

########## EOF - C:\AdwCleaner[s1].txt - [16663 octets] ##########

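The AdwCleaner log above is readable by eye, but a helper triaging several of them wants the per-section counts and the hijacked browser settings pulled out automatically. The parser below is an added example, not part of this thread or of AdwCleaner itself; the log it reads is constructed in the same v2 layout as the one posted (section banners, "Key Deleted :" lines, "Replaced :" entries, user_pref lines, defanged hxxp URLs) with placeholder names, and the watch-list of Firefox search prefs is an assumption of this example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample in the AdwCleaner v2 layout seen in the thread (blank
# spacer lines dropped); every name, path, CTID and host is a placeholder.
SAMPLE_LOG = r"""
# AdwCleaner v2.303 - Logfile created 01/01/2013 at 00:00:00
# Option [Delete]
***** [services] *****
Stopped & Deleted : ExampleSvc
***** [Files / Folders] *****
File Deleted : C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\abcd1234.default\searchplugins\Example.xml
Folder Deleted : C:\Program Files\ExampleToolbar
***** [Registry] *****
Key Deleted : HKCU\Software\ExampleToolbar
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [exampletoolbar]
***** [internet Browsers] *****
-\\ Internet Explorer v8.0.6001.18702
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.example-toolbar.test/?ctid=CT0000000 --> hxxp://www.example.com
-\\ Mozilla Firefox v21.0 (en-US)
File : C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\abcd1234.default\prefs.js
Deleted : user_pref("CT0000000.smartbar.toolbarName", "Example Toolbar ");
Deleted : user_pref("browser.search.defaulturl", "hxxp://search.example-toolbar.test/ResultsExt.aspx?ctid=CT0000000");
Deleted : user_pref("keyword.URL", "hxxp://search.example-toolbar.test/ResultsExt.aspx?ctid=CT0000000");
Deleted : user_pref("browser.newtab.url", "hxxp://www1.example-search.test/?affID=000000");
Deleted : user_pref("extensions.example.vrsn", "1.0.0.0");
*************************
"""

SECTION_RE = re.compile(r"^\*{5} \[(?P<name>[^\]]+)\] \*{5}$")
BROWSER_RE = re.compile(r"^-\\\\ (?P<browser>.+)$")
REPLACED_RE = re.compile(r"^Replaced : \[(?P<key>[^\]]+)\] = (?P<old>\S+) --> (?P<new>\S+)$")
PREF_RE = re.compile(r'^Deleted : user_pref\("(?P<name>[^"]+)", (?P<value>.*)$')
ACTION_RE = re.compile(r"^(?P<action>[A-Za-z& ]+?) : (?P<target>.+)$")

# Firefox prefs that decide where the address bar, search box, new tab and
# home page send the user (assumed watch-list for this example).
SEARCH_PREFS = {"keyword.URL", "browser.search.defaulturl", "browser.newtab.url",
                "browser.startup.homepage", "browser.search.defaultenginename"}


def host_of(value):
    """Hostname of a defanged (hxxp) or plain URL, or None if value is not a URL."""
    refanged = re.sub(r"^hxxp(s?)://", r"http\1://", value.strip())
    return urlparse(refanged).hostname if refanged.startswith("http") else None


def parse_adwcleaner_log(text):
    """One pass over the log: actions counted per section, browser findings kept."""
    section = browser = None
    counts = defaultdict(Counter)          # section -> action -> number of lines
    replaced, prefs = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section, browser = m.group("name"), None
        elif not line or line.startswith("#") or set(line) == {"*"}:
            continue                        # header, spacer or closing star bar
        elif m := BROWSER_RE.match(line):
            browser = m.group("browser")
        elif m := REPLACED_RE.match(line):  # IE start page / search scope put back
            replaced.append({"browser": browser, "key": m.group("key"),
                             "old": m.group("old"), "new": m.group("new")})
            counts[section]["Replaced"] += 1
        elif m := PREF_RE.match(line):      # user_pref("name", value);
            value = m.group("value").rstrip(";").rstrip(")").strip('"')
            prefs.append({"browser": browser, "name": m.group("name"), "value": value})
            counts[section]["Deleted pref"] += 1
        elif m := ACTION_RE.match(line):    # "Key Deleted : ...", "File : ..." etc.
            counts[section][m.group("action")] += 1
    return {"counts": counts, "replaced": replaced, "prefs": prefs}


def find_search_hijacks(parsed):
    """Every browser setting the log shows pointing at a third-party search host."""
    hits = [{"browser": r["browser"], "setting": r["key"], "value": r["old"],
             "host": host_of(r["old"])} for r in parsed["replaced"]]
    for p in parsed["prefs"]:
        if p["name"] in SEARCH_PREFS or p["name"].endswith(".toolbarName"):
            hits.append({"browser": p["browser"], "setting": p["name"],
                         "value": p["value"], "host": host_of(p["value"])})
    return hits


def hijack_hosts(parsed):
    """Sorted set of search hosts the hijacked settings pointed at."""
    return sorted({h["host"] for h in find_search_hijacks(parsed) if h["host"]})


if __name__ == "__main__":
    parsed = parse_adwcleaner_log(SAMPLE_LOG)
    for section, actions in parsed["counts"].items():
        print(section, dict(actions))
    for h in find_search_hijacks(parsed):
        print(f"{h['browser']}: {h['setting']} -> {h['host'] or h['value']}")
    print("search hosts:", ", ".join(hijack_hosts(parsed)))
```

The host list is what a helper compares against the user's later report ("IE search box wants to dump me through ...") to see whether every redirect target was actually cleaned.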

  • Staff

Hello jaymac

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:

  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo


Hey Gringo-

Combofix ran with no problem. The only discernible problems with the computer are:

1 - Still cannot enable malicious website blocking in MBAM

2 - IE search box wants to dump me through a "Vafmusic7 Customized Web Search"

Please note I am not trying to run any other programs or access the internet other than posting to the forum until all is clear.

Following is the Combofix log, and then I am pasting today's MBAM log if that will provide any clues.

Thanks yet again!

ComboFix 13-06-15.01 - User one 06/16/2013 14:10:12.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2045.1304 [GMT -4:00]

Running from: c:\documents and settings\User one\Desktop\ComboFix.exe

AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Security Suite *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\409D4DB5B0.sys

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\User one\Application Data\307D0C

c:\windows\system32\B0B54D9D40.dll

c:\windows\system32\SET137.tmp

c:\windows\system32\SETB52.tmp

c:\windows\system32\SETB5E.tmp

.

.

((((((((((((((((((((((((( Files Created from 2013-05-16 to 2013-06-16 )))))))))))))))))))))))))))))))

.

.

2013-06-16 14:09 . 2013-06-16 14:09 -------- d-----w- c:\windows\ERUNT

2013-06-16 14:09 . 2013-06-16 14:58 -------- d-----w- C:\JRT

2013-06-15 22:50 . 2013-06-15 23:26 -------- d-----w- c:\program files\Common Files\Symantec Shared

2013-06-15 22:50 . 2013-06-15 22:50 -------- d-----w- c:\program files\Symantec

2013-06-15 22:50 . 2013-06-15 22:50 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2013-06-15 22:49 . 2013-06-16 14:05 -------- d-----w- c:\windows\system32\drivers\N360

2013-06-15 22:49 . 2013-06-15 22:49 -------- d-----w- c:\program files\Norton Security Suite

2013-06-15 22:49 . 2013-06-15 22:49 -------- d-----w- c:\program files\NortonInstaller

2013-06-15 22:37 . 2013-06-15 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2013-06-15 22:24 . 2013-04-04 18:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-06-01 04:03 . 2013-06-01 04:03 -------- d-----w- c:\program files\Uninstaller

2013-06-01 03:43 . 2012-08-21 17:01 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2013-06-01 03:42 . 2013-06-01 03:42 -------- d-----w- c:\program files\iPod

2013-06-01 03:42 . 2013-06-01 03:43 -------- d-----w- c:\program files\iTunes

2013-06-01 03:42 . 2013-06-01 03:43 -------- d-----w- c:\documents and settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1

2013-06-01 03:42 . 2013-06-01 03:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer

2013-06-01 03:42 . 2013-06-01 03:43 -------- dc----w- c:\windows\system32\DRVSTORE

2013-06-01 03:42 . 2012-12-13 17:50 6112864 ----a-w- c:\windows\system32\usbaaplrc.dll

2013-06-01 03:42 . 2012-12-13 17:50 45056 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2013-06-01 03:42 . 2013-06-01 03:42 -------- d-----w- c:\program files\Bonjour

2013-06-01 03:38 . 2013-06-01 03:38 -------- d-----w- c:\documents and settings\User one\Local Settings\Application Data\Temp

2013-05-25 14:21 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2013-05-18 19:14 . 2013-05-18 19:14 -------- d-----w- c:\documents and settings\User one\Application Data\TagScanner

2013-05-18 19:14 . 2013-05-18 19:14 -------- d-----w- c:\program files\TagScanner

2013-05-18 18:59 . 2013-05-18 18:59 -------- d-----w- c:\documents and settings\User one\Application Data\DivX

2013-05-18 18:57 . 2013-05-18 18:57 -------- d-----w- c:\documents and settings\User one\Application Data\Codec Pack Packages

2013-05-18 18:57 . 2013-05-18 19:05 -------- d-----w- c:\program files\DivX

2013-05-18 18:57 . 2013-05-18 18:57 -------- d-----w- c:\program files\Lame For Audacity

2013-05-18 18:57 . 2013-05-18 18:57 -------- d-----w- c:\documents and settings\User one\Application Data\LavFilters

2013-05-18 18:57 . 2013-05-18 18:57 -------- d-----w- c:\documents and settings\User one\Application Data\CDXReader

2013-05-18 18:57 . 2011-12-07 23:32 216064 ----a-w- c:\windows\system32\lagarith.dll

2013-05-18 18:57 . 2013-05-18 18:57 -------- d-----w- c:\program files\DSP-worx

2013-05-18 18:57 . 2013-05-18 18:57 715038 ----a-w- c:\windows\unins000.exe

2013-05-18 18:57 . 2013-05-18 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2013-05-18 18:48 . 2013-05-18 18:48 -------- d-----w- c:\documents and settings\User one\Application Data\FairStars CD Ripper

2013-05-18 18:48 . 2013-05-18 18:48 -------- d-----w- c:\program files\FairStars CD Ripper

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-06-01 03:48 . 2008-11-07 21:54 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys

2013-05-18 18:43 . 2012-05-02 23:34 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-05-18 18:43 . 2011-05-27 12:46 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-05-07 22:30 . 2006-02-28 12:00 920064 ----a-w- c:\windows\system32\wininet.dll

2013-05-07 22:30 . 2006-02-28 12:00 43520 ------w- c:\windows\system32\licmgr10.dll

2013-05-07 22:30 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2013-05-07 21:53 . 2006-02-28 12:00 385024 ------w- c:\windows\system32\html.iec

2013-05-03 01:30 . 2006-02-28 12:00 2149888 ------w- c:\windows\system32\ntoskrnl.exe

2013-05-03 00:38 . 2004-08-03 22:59 2028544 ------w- c:\windows\system32\ntkrnlpa.exe

2013-04-10 01:31 . 2006-02-28 12:00 1876352 ------w- c:\windows\system32\win32k.sys

2013-04-04 09:35 . 2013-04-19 11:31 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-08 2595480]

"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-08 905056]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-09-08 140568]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-15 1532760]

"lxczbmgr.exe"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 74672]

"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 295856]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272]

"NvMediaCenter"="NvMCTray.dll" [2011-05-21 111208]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-05 1632360]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]

2009-03-27 19:27 79368 ----a-w- c:\windows\system32\UmxWNP.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MBCameraMonitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MBCameraMonitor.lnk

backup=c:\windows\pss\MBCameraMonitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^User one^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\User one\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor]

2008-07-10 00:42 37888 ----a-w- c:\program files\Corel\Corel MediaOne\CorelIOMonitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

2008-08-18 21:53 532808 ----a-w- c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]

2006-09-21 14:36 9138176 ----a-w- c:\program files\Intel Audio Studio\IntelAudioStudio.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2012-10-25 08:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIMBBLaunchAgent.exe]

2011-02-18 15:47 79192 ----a-w- c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=

"c:\\WINDOWS\\system32\\lxczcoms.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

"c:\\Program Files\\Winamp\\winamp.exe"=

"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=

"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=

"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=

"c:\\Program Files\\Sonos\\Sonos.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [5/3/2010 2:12 AM 108112]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\1403010.016\symds.sys [6/16/2013 12:25 AM 367704]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\1403010.016\symefa.sys [6/16/2013 12:25 AM 934488]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130531.001\BHDrvx86.sys [5/31/2013 5:15 PM 1002072]

R1 ccSet_N360;Norton Security Suite Settings Manager;c:\windows\system32\drivers\N360\1403010.016\ccsetx86.sys [6/16/2013 12:25 AM 134304]

R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [3/22/2010 1:58 PM 79864]

R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [9/24/2010 11:16 AM 61008]

R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [9/24/2010 11:16 AM 115792]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\1403010.016\ironx86.sys [6/16/2013 12:25 AM 175264]

R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [9/24/2010 11:16 AM 146000]

R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [9/24/2010 11:16 AM 61008]

R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\20.3.1.22\ccsvchst.exe [6/16/2013 12:25 AM 144520]

R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [9/24/2012 8:46 AM 656480]

R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [8/4/2009 10:42 AM 887288]

R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [8/24/2010 12:07 PM 740160]

R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [9/17/2010 12:21 PM 301648]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/15/2013 7:25 PM 106656]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130614.001\IDSXpx86.sys [6/14/2013 2:19 PM 373728]

R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [6/9/2010 6:54 AM 244304]

S2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe --> c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [?]

S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [6/15/2013 6:25 PM 418376]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/15/2013 6:25 PM 701512]

S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/15/2013 6:24 PM 22856]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [12/16/2011 10:19 AM 15544]

S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [9/24/2012 8:46 AM 1328736]

.

Contents of the 'Scheduled Tasks' folder

.

2013-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: turbotax.com

TCP: DhcpNameServer = 192.168.0.1

FF - ProfilePath - c:\documents and settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - ExtSQL: 2013-05-31 23:37; {37a7edb7-afda-4373-9865-02bf8160e677}; c:\documents and settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\extensions\{37a7edb7-afda-4373-9865-02bf8160e677}

FF - ExtSQL: !HIDDEN! 2010-08-19 20:14; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-SysTrayApp - c:\program files\IDT\WDM\sttray.exe

HKLM-Run-DivXMediaServer - c:\program files\DivX\DivX Media Server\DivXMediaServer.exe

AddRemove-com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 - c:\program files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe

AddRemove-DSite - c:\documents and settings\User one\Application Data\DSite\UpdateProc\UpdateTask.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-06-16 14:16

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\docume~1\USERON~1\LOCALS~1\Temp\catchme.dll 53248 bytes executable

.

scan completed successfully

hidden files: 1

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]

"ImagePath"="\"c:\program files\Norton Security Suite\Engine\20.3.1.22\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\20.3.1.22\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]

@="?????????????????? v1"

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]

@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]

@="?????????????????? v2"

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]

@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(804)

c:\windows\system32\UmxWnp.Dll

.

Completion time: 2013-06-16 14:18:18

ComboFix-quarantined-files.txt 2013-06-16 18:18

ComboFix2.txt 2011-06-26 22:42

.

Pre-Run: 121,580,863,488 bytes free

Post-Run: 121,569,873,920 bytes free

.

- - End Of File - - 497DCA613D86027E552829E26D2FE79E

8F558EB6672622401DA993E1E865C861

______________________________________________________________

2013/06/16 10:04:59 -0400 NEW042408 MESSAGE Starting protection

2013/06/16 10:04:59 -0400 NEW042408 MESSAGE Protection started successfully

2013/06/16 10:04:59 -0400 NEW042408 MESSAGE Starting IP protection

2013/06/16 10:04:59 -0400 NEW042408 ERROR IP protection failed: PfMakeLog failed with error code 21

2013/06/16 10:07:22 -0400 NEW042408 User one MESSAGE Starting database refresh

2013/06/16 10:07:30 -0400 NEW042408 User one MESSAGE Database refreshed successfully

2013/06/16 10:08:36 -0400 NEW042408 User one MESSAGE Stopping protection

2013/06/16 10:08:36 -0400 NEW042408 User one MESSAGE Protection stopped successfully

2013/06/16 10:08:37 -0400 NEW042408 User one MESSAGE Protection stopped

2013/06/16 10:51:42 -0400 NEW042408 MESSAGE Starting protection

2013/06/16 10:51:42 -0400 NEW042408 MESSAGE Protection started successfully

2013/06/16 10:51:42 -0400 NEW042408 MESSAGE Starting IP protection

2013/06/16 10:51:42 -0400 NEW042408 ERROR IP protection failed: PfMakeLog failed with error code 21

2013/06/16 10:57:30 -0400 NEW042408 User one MESSAGE Stopping protection

2013/06/16 10:57:30 -0400 NEW042408 User one MESSAGE Protection stopped successfully

2013/06/16 10:57:31 -0400 NEW042408 User one MESSAGE Protection stopped

2013/06/16 11:00:49 -0400 NEW042408 User one MESSAGE Starting protection

2013/06/16 11:00:49 -0400 NEW042408 User one MESSAGE Protection started successfully

2013/06/16 11:00:49 -0400 NEW042408 User one MESSAGE Starting IP protection

2013/06/16 11:00:49 -0400 NEW042408 User one ERROR IP protection failed: PfMakeLog failed with error code 21

2013/06/16 11:00:52 -0400 NEW042408 User one MESSAGE Starting IP protection

2013/06/16 11:00:52 -0400 NEW042408 User one ERROR IP protection failed: PfMakeLog failed with error code 21

2013/06/16 11:00:56 -0400 NEW042408 User one MESSAGE Starting IP protection

2013/06/16 11:00:56 -0400 NEW042408 User one ERROR IP protection failed: PfMakeLog failed with error code 21

2013/06/16 11:01:03 -0400 NEW042408 User one MESSAGE Starting IP protection

2013/06/16 11:01:03 -0400 NEW042408 User one ERROR IP protection failed: PfMakeLog failed with error code 21

2013/06/16 14:06:18 -0400 NEW042408 User one MESSAGE Stopping protection

2013/06/16 14:06:18 -0400 NEW042408 User one MESSAGE Protection stopped successfully

2013/06/16 14:06:19 -0400 NEW042408 User one MESSAGE Protection stopped

2013/06/16 14:22:51 -0400 NEW042408 MESSAGE Starting protection

2013/06/16 14:22:52 -0400 NEW042408 MESSAGE Protection started successfully

2013/06/16 14:22:52 -0400 NEW042408 MESSAGE Starting IP protection

2013/06/16 14:22:52 -0400 NEW042408 User one ERROR IP protection failed: PfMakeLog failed with error code 21

2013/06/16 14:24:49 -0400 NEW042408 User one MESSAGE Starting IP protection

2013/06/16 14:24:49 -0400 NEW042408 User one ERROR IP protection failed: PfMakeLog failed with error code 21

2013/06/16 14:25:01 -0400 NEW042408 User one MESSAGE Starting IP protection

2013/06/16 14:25:01 -0400 NEW042408 User one ERROR IP protection failed: PfMakeLog failed with error code 21

2013/06/16 14:25:10 -0400 NEW042408 User one MESSAGE Starting IP protection

2013/06/16 14:25:10 -0400 NEW042408 User one ERROR IP protection failed: PfMakeLog failed with error code 21

2013/06/16 14:25:21 -0400 NEW042408 User one MESSAGE Stopping protection

2013/06/16 14:25:21 -0400 NEW042408 User one MESSAGE Protection stopped successfully

2013/06/16 14:25:23 -0400 NEW042408 User one MESSAGE Starting IP protection

2013/06/16 14:25:23 -0400 NEW042408 User one ERROR IP protection failed: PfMakeLog failed with error code 21

2013/06/16 14:25:26 -0400 NEW042408 User one MESSAGE Starting protection

2013/06/16 14:25:26 -0400 NEW042408 User one MESSAGE Protection started successfully

2013/06/16 14:26:53 -0400 NEW042408 User one MESSAGE Starting IP protection

2013/06/16 14:26:53 -0400 NEW042408 User one ERROR IP protection failed: PfMakeLog failed with error code 21
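Added example, not part of the thread and not Malwarebytes' own tooling: a small Python parser for the protection-log format pasted above, which checks mechanically what the log shows by eye, that every "Starting IP protection" attempt is followed by the same ERROR. The sample lines are constructed from the format shown in the post; the WARNING level, the success message text and the rule that the event right after an attempt is its outcome are assumptions.

```python
"""Triage helper for a Malwarebytes 1.x protection log (added example).

Parses lines of the form

    YYYY/MM/DD HH:MM:SS -0400 HOSTNAME [user name] LEVEL message

where the user-name field is optional and may contain spaces ("User one"),
then reports whether IP protection (malicious website blocking) ever came up.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# MESSAGE and ERROR appear in the thread; WARNING is an assumption so that a
# warning line is not swallowed into the optional user-name field.
_LEVELS = ("MESSAGE", "ERROR", "WARNING")

_LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<tz>[+-]\d{4}) (?P<host>\S+) "
    r"(?:(?P<user>.+?) )?"                       # optional, may contain spaces
    r"(?P<level>" + "|".join(_LEVELS) + r") "
    r"(?P<msg>.*)$"
)


@dataclass(frozen=True)
class LogEvent:
    when: datetime
    host: str
    user: Optional[str]
    level: str
    msg: str


def _parse_tz(tz: str) -> timezone:
    """Turn '-0400' into a fixed-offset timezone."""
    sign = 1 if tz[0] == "+" else -1
    return timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])))


def parse_line(line: str) -> Optional[LogEvent]:
    """Return a LogEvent, or None for separators and other non-log lines.
    Known limit: a user-less line whose message contains a bare level word
    followed by a space could be split at that word instead."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m["date"] + " " + m["time"], "%Y/%m/%d %H:%M:%S")
    return LogEvent(when.replace(tzinfo=_parse_tz(m["tz"])),
                    m["host"], m["user"], m["level"], m["msg"])


def parse_log(text: str) -> list:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def ip_protection_outcomes(events) -> list:
    """One (time, 'failed'|'ok', detail) tuple per 'Starting IP protection'.
    Assumption: the very next event is the outcome of the attempt (an ERROR
    means it failed; anything else is treated as success)."""
    outcomes = []
    for i, ev in enumerate(events):
        if ev.msg == "Starting IP protection":
            nxt = events[i + 1] if i + 1 < len(events) else None
            if nxt is not None and nxt.level == "ERROR":
                outcomes.append((ev.when, "failed", nxt.msg))
            else:
                outcomes.append((ev.when, "ok", nxt.msg if nxt else ""))
    return outcomes


def summarize(events) -> dict:
    errors = Counter(ev.msg for ev in events if ev.level == "ERROR")
    outcomes = ip_protection_outcomes(events)
    failed = [o for o in outcomes if o[1] == "failed"]
    return {
        "events": len(events),
        "errors": sum(errors.values()),
        "top_error": errors.most_common(1)[0] if errors else None,
        "ip_attempts": len(outcomes),
        "ip_failures": len(failed),
        "ip_never_succeeded": bool(outcomes) and len(failed) == len(outcomes),
    }


# Constructed sample in the thread's format (subset of the lines above plus
# the separator the poster used, which parse_line must ignore).
SAMPLE_LOG = """\
2013/06/16 10:04:59 -0400 NEW042408 MESSAGE Starting protection
2013/06/16 10:04:59 -0400 NEW042408 MESSAGE Protection started successfully
2013/06/16 10:04:59 -0400 NEW042408 MESSAGE Starting IP protection
2013/06/16 10:04:59 -0400 NEW042408 ERROR IP protection failed: PfMakeLog failed with error code 21
2013/06/16 10:07:22 -0400 NEW042408 User one MESSAGE Starting database refresh
2013/06/16 10:07:30 -0400 NEW042408 User one MESSAGE Database refreshed successfully
2013/06/16 11:00:49 -0400 NEW042408 User one MESSAGE Starting IP protection
2013/06/16 11:00:49 -0400 NEW042408 User one ERROR IP protection failed: PfMakeLog failed with error code 21
2013/06/16 11:00:52 -0400 NEW042408 User one MESSAGE Starting IP protection
2013/06/16 11:00:52 -0400 NEW042408 User one ERROR IP protection failed: PfMakeLog failed with error code 21
______________________________________________________________
"""

if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```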


  • Staff

Hello jaymac

I would like you to try and run these next.

TDSSKiller

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • More than one report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". The one that I need is the larger one. Please copy and paste the contents of that file here.
    Note** this report can be very long - so if the website gives you an error saying it is too long you may attach it.
    If the forum still complains about it being too long, send me everything that is at the end of the report after where it says
    ==================
    Scan finished
    ==================

and I will see if I want to see the whole report

--RogueKiller--

Download & SAVE to your Desktop RogueKiller for 32bit or RogueKiller for 64bit

  • Quit all programs that you may have started.
  • Please disconnect any external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The scan will make two reports; the one I would like to see is called RKreport[2].txt on your Desktop.
  • Exit/Close RogueKiller.

Send me the reports made from TDSSKiller and RogueKiller and also let me know how the computer is doing at this time.

Gringo


Gringo-

Programs ran no problem, except no RKreport[2].txt - only RKreport[0].txt and RKreport[1].txt.

Continuing problems with computer:

1 - Still cannot enable malicious website blocking in MBAM

2 - IE search box wants to dump me through a "Vafmusic7 Customized Web Search"

TDSSKiller report attached and both RogueKiller reports follow. Thank you again...

__________________________________________________

Rogue [0]

RogueKiller V8.6.0 [Jun 15 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo...13-roguekiller/

Website : http://tigzy.geeksto...roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP

Started in : Normal mode

User : User one [Admin rights]

Mode : Scan -- Date : 06/16/2013 16:53:48

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤

[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[WALLPAPER] HKCU\[...]\Desktop : Wallpaper () -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

[Address] SSDT[12] : NtAlertResumeThread @ 0x805D4C0C -> HOOKED (Unknown @ 0x89121138)

[Address] SSDT[13] : NtAlertThread @ 0x805D4BBC -> HOOKED (Unknown @ 0x89121008)

[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AEE -> HOOKED (Unknown @ 0x89B8F078)

[Address] SSDT[19] : NtAssignProcessToJobObject @ 0x805D66D0 -> HOOKED (Unknown @ 0x8911C0C8)

[Address] SSDT[31] : NtConnectPort @ 0x805A4604 -> HOOKED (Unknown @ 0x8A60CA60)

[Address] SSDT[41] : NtCreateKey @ 0x8062426A -> HOOKED (C:\WINDOWS\System32\DRIVERS\KmxSbx.sys @ 0xB28F5FFE)

[Address] SSDT[43] : NtCreateMutant @ 0x80617822 -> HOOKED (Unknown @ 0x89120090)

[Address] SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A2E -> HOOKED (C:\WINDOWS\System32\DRIVERS\KmxSbx.sys @ 0xB28F6ECB)

[Address] SSDT[53] : NtCreateThread @ 0x805D1068 -> HOOKED (Unknown @ 0x891312B8)

[Address] SSDT[57] : NtDebugActiveProcess @ 0x80643CB2 -> HOOKED (Unknown @ 0x8911C1A8)

[Address] SSDT[68] : NtDuplicateObject @ 0x805BE03C -> HOOKED (Unknown @ 0x898D30D8)

[Address] SSDT[83] : NtFreeVirtualMemory @ 0x805B2FE6 -> HOOKED (Unknown @ 0x8913A228)

[Address] SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9362 -> HOOKED (Unknown @ 0x89120180)

[Address] SSDT[91] : NtImpersonateThread @ 0x805D7890 -> HOOKED (Unknown @ 0x89121058)

[Address] SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x89922368)

[Address] SSDT[105] : NtMakeTemporaryObject @ 0x805BC608 -> HOOKED (C:\WINDOWS\System32\DRIVERS\KmxSbx.sys @ 0xB28F721C)

[Address] SSDT[108] : unknown @ 0x805B206E -> HOOKED (Unknown @ 0x8913A128)

[Address] SSDT[114] : NtOpenEvent @ 0x8060F1E0 -> HOOKED (Unknown @ 0x8916A3C0)

[Address] SSDT[119] : NtOpenKey @ 0x80625648 -> HOOKED (C:\WINDOWS\System32\DRIVERS\KmxSbx.sys @ 0xB28F5F62)

[Address] SSDT[122] : NtOpenProcess @ 0x805CB486 -> HOOKED (Unknown @ 0x89B90008)

[Address] SSDT[123] : NtOpenProcessToken @ 0x805EE030 -> HOOKED (Unknown @ 0x898D3058)

[Address] SSDT[125] : NtOpenSection @ 0x805AA420 -> HOOKED (C:\WINDOWS\System32\DRIVERS\KmxSbx.sys @ 0xB28F6BF0)

[Address] SSDT[128] : NtOpenThread @ 0x805CB712 -> HOOKED (Unknown @ 0x89B90090)

[Address] SSDT[137] : NtProtectVirtualMemory @ 0x805B8452 -> HOOKED (Unknown @ 0x89B60A18)

[Address] SSDT[206] : NtResumeThread @ 0x805D4A48 -> HOOKED (Unknown @ 0x89137100)

[Address] SSDT[213] : NtSetContextThread @ 0x805D2C4A -> HOOKED (Unknown @ 0x891381A0)

[Address] SSDT[228] : NtSetInformationProcess @ 0x805CDED0 -> HOOKED (Unknown @ 0x8912D308)

[Address] SSDT[240] : NtSetSystemInformation @ 0x8060FE98 -> HOOKED (C:\WINDOWS\System32\DRIVERS\KmxSbx.sys @ 0xB28F6FF8)

[Address] SSDT[253] : NtSuspendProcess @ 0x805D4B10 -> HOOKED (Unknown @ 0x8916A2E0)

[Address] SSDT[254] : NtSuspendThread @ 0x805D4982 -> HOOKED (Unknown @ 0x891371E0)

[Address] SSDT[257] : NtTerminateProcess @ 0x805D2308 -> HOOKED (Unknown @ 0x89B750E8)

[Address] SSDT[258] : unknown @ 0x805D2502 -> HOOKED (Unknown @ 0x891380C0)

[Address] SSDT[267] : NtUnmapViewOfSection @ 0x805B2E7C -> HOOKED (Unknown @ 0x8912D3F8)

[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805B4400 -> HOOKED (Unknown @ 0x89B7A078)

[Address] Shadow SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x891363B8)

[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x898F1FD0)

[Address] Shadow SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x898F1F10)

[Address] Shadow SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x89B5AEE0)

[Address] Shadow SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x89B5AFC0)

[Address] Shadow SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x89B88968)

[Address] Shadow SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x898F1E20)

[Address] Shadow SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x89B88A58)

[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x89056198)

[Address] Shadow SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8A68B3A8)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDS721616PLA380 +++++

--- User ---

[MBR] 10e7876afd05b27fb0f2fdc8d46500dc

[bSP] 510dfe14d0a8e962db18c9cee0f42396 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152617 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: Hitachi HDS721616PLA380 +++++

--- User ---

[MBR] 5912793c752af5741bd6b1a17a909187

[bSP] 9267eb2cb8f4bcdb02bb2707e7f15685 : Empty MBR Code

Partition table:

0 - [ACTIVE] EXTEN (0x05) [VISIBLE] Offset (sectors): 16065 | Size: 238464 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[0]_S_06162013_165348.txt >>

____________________________________________________

Rogue [1]

________________________________________________

RogueKiller V8.6.0 [Jun 15 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo...13-roguekiller/

Website : http://tigzy.geeksto...roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP

Started in : Normal mode

User : User one [Admin rights]

Mode : Remove -- Date : 06/16/2013 16:54:20

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤

[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

[WALLPAPER] HKCU\[...]\Desktop : Wallpaper () -> REPLACED (C:\WINDOWS\web\wallpaper\Bliss.bmp)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

[Address] SSDT[12] : NtAlertResumeThread @ 0x805D4C0C -> HOOKED (Unknown @ 0x89121138)

[Address] SSDT[13] : NtAlertThread @ 0x805D4BBC -> HOOKED (Unknown @ 0x89121008)

[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AEE -> HOOKED (Unknown @ 0x89B8F078)

[Address] SSDT[19] : NtAssignProcessToJobObject @ 0x805D66D0 -> HOOKED (Unknown @ 0x8911C0C8)

[Address] SSDT[31] : NtConnectPort @ 0x805A4604 -> HOOKED (Unknown @ 0x8A60CA60)

[Address] SSDT[41] : NtCreateKey @ 0x8062426A -> HOOKED (C:\WINDOWS\System32\DRIVERS\KmxSbx.sys @ 0xB28F5FFE)

[Address] SSDT[43] : NtCreateMutant @ 0x80617822 -> HOOKED (Unknown @ 0x89120090)

[Address] SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A2E -> HOOKED (C:\WINDOWS\System32\DRIVERS\KmxSbx.sys @ 0xB28F6ECB)

[Address] SSDT[53] : NtCreateThread @ 0x805D1068 -> HOOKED (Unknown @ 0x891312B8)

[Address] SSDT[57] : NtDebugActiveProcess @ 0x80643CB2 -> HOOKED (Unknown @ 0x8911C1A8)

[Address] SSDT[68] : NtDuplicateObject @ 0x805BE03C -> HOOKED (Unknown @ 0x898D30D8)

[Address] SSDT[83] : NtFreeVirtualMemory @ 0x805B2FE6 -> HOOKED (Unknown @ 0x8913A228)

[Address] SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9362 -> HOOKED (Unknown @ 0x89120180)

[Address] SSDT[91] : NtImpersonateThread @ 0x805D7890 -> HOOKED (Unknown @ 0x89121058)

[Address] SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x89922368)

[Address] SSDT[105] : NtMakeTemporaryObject @ 0x805BC608 -> HOOKED (C:\WINDOWS\System32\DRIVERS\KmxSbx.sys @ 0xB28F721C)

[Address] SSDT[108] : unknown @ 0x805B206E -> HOOKED (Unknown @ 0x8913A128)

[Address] SSDT[114] : NtOpenEvent @ 0x8060F1E0 -> HOOKED (Unknown @ 0x8916A3C0)

[Address] SSDT[119] : NtOpenKey @ 0x80625648 -> HOOKED (C:\WINDOWS\System32\DRIVERS\KmxSbx.sys @ 0xB28F5F62)

[Address] SSDT[122] : NtOpenProcess @ 0x805CB486 -> HOOKED (Unknown @ 0x89B90008)

[Address] SSDT[123] : NtOpenProcessToken @ 0x805EE030 -> HOOKED (Unknown @ 0x898D3058)

[Address] SSDT[125] : NtOpenSection @ 0x805AA420 -> HOOKED (C:\WINDOWS\System32\DRIVERS\KmxSbx.sys @ 0xB28F6BF0)

[Address] SSDT[128] : NtOpenThread @ 0x805CB712 -> HOOKED (Unknown @ 0x89B90090)

[Address] SSDT[137] : NtProtectVirtualMemory @ 0x805B8452 -> HOOKED (Unknown @ 0x89B60A18)

[Address] SSDT[206] : NtResumeThread @ 0x805D4A48 -> HOOKED (Unknown @ 0x89137100)

[Address] SSDT[213] : NtSetContextThread @ 0x805D2C4A -> HOOKED (Unknown @ 0x891381A0)

[Address] SSDT[228] : NtSetInformationProcess @ 0x805CDED0 -> HOOKED (Unknown @ 0x8912D308)

[Address] SSDT[240] : NtSetSystemInformation @ 0x8060FE98 -> HOOKED (C:\WINDOWS\System32\DRIVERS\KmxSbx.sys @ 0xB28F6FF8)

[Address] SSDT[253] : NtSuspendProcess @ 0x805D4B10 -> HOOKED (Unknown @ 0x8916A2E0)

[Address] SSDT[254] : NtSuspendThread @ 0x805D4982 -> HOOKED (Unknown @ 0x891371E0)

[Address] SSDT[257] : NtTerminateProcess @ 0x805D2308 -> HOOKED (Unknown @ 0x89B750E8)

[Address] SSDT[258] : unknown @ 0x805D2502 -> HOOKED (Unknown @ 0x891380C0)

[Address] SSDT[267] : NtUnmapViewOfSection @ 0x805B2E7C -> HOOKED (Unknown @ 0x8912D3F8)

[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805B4400 -> HOOKED (Unknown @ 0x89B7A078)

[Address] Shadow SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x891363B8)

[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x898F1FD0)

[Address] Shadow SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x898F1F10)

[Address] Shadow SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x89B5AEE0)

[Address] Shadow SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x89B5AFC0)

[Address] Shadow SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x89B88968)

[Address] Shadow SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x898F1E20)

[Address] Shadow SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x89B88A58)

[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x89056198)

[Address] Shadow SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8A68B3A8)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDS721616PLA380 +++++

--- User ---

[MBR] 10e7876afd05b27fb0f2fdc8d46500dc

[bSP] 510dfe14d0a8e962db18c9cee0f42396 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152617 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: Hitachi HDS721616PLA380 +++++

--- User ---

[MBR] 5912793c752af5741bd6b1a17a909187

[bSP] 9267eb2cb8f4bcdb02bb2707e7f15685 : Empty MBR Code

Partition table:

0 - [ACTIVE] EXTEN (0x05) [VISIBLE] Offset (sectors): 16065 | Size: 238464 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_D_06162013_165420.txt >>

RKreport[0]_S_06162013_165348.txt

TDSSKiller.2.8.16.0_16.06.2013_16.43.25_log.txt


  • Staff

You will need to perform a clean uninstall using our tool. If using the PRO version, locate the confirmation email that was sent by Cleverbridge at the time of purchase so that you have your ID and Key handy for the reinstall.

• Download and run "mbam-clean.exe" from here: http://downloads.malwarebytes.org/file/mbam_clean

• It will ask to restart your computer, please allow it to do so (this is very important)

Next, download the latest version of Malwarebytes Anti-Malware via the link below:

http://downloads.malwarebytes.org/file/mbam

NOTE - All downloads and set up files are the Free version, registration with your ID & key will activate the Pro features.

Save the file to your desktop then double-click it to begin installation. If you're using the PRO version you will need to re-register.

Launch Malwarebytes Anti-Malware by double clicking the desktop icon. When the program opens, click on the Activate button at the bottom of the window.

In the next window that pops open, copy/paste the ID and license key directly from the confirmation email into the proper fields.

** Please make sure you are only including the letters and numbers and not the words ID or Key.

Finally, make sure you are not including additional spaces before or after the ID and Key.

Click the Activate button once again. If done correctly you should see the word (PRO) in the Malwarebytes Anti-Malware header.

To help us provide better service please reply to this email. It lets us know that you have received the email.

Also let me know whether, with the instructions given, you were able to resolve your issue so I may close the ticket.


Morning Gringo, and thanks. Check results follow:

mbam-check result log version: 2.0.0.1000

Malwarebytes Version: REG_SZ 1.75.0.1300

Date Log Created: 06/17/13

Time Log Created: 08:33:50

User Account type: Administrator

32 bit Operating System

Product Name: REG_SZ Microsoft Windows XP

Current Build Number: 2600

Current Version Number: 5.1

Current CSDVersion: Service Pack 3

OS Product Info: Home Edition

Proxy Status: No proxy is Set

Proxy Override:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\

ProxyOverride REG_SZ *.local

LAN Settings:

=============

No Settings are Set <--NOT DETECTING SETTING AUTOMATICALLY

SystemPartition:

================

HKEY_LOCAL_MACHINE\SYSTEM\Setup\

SystemPartition REG_SZ \Device\HarddiskVolume1

Balloon Tips Status:

====================

Enabled

Time Format Settings:

=====================

Should be:

h:mm:ss tt

AM

PM

:

Currently:

REG_SZ h:mm:ss tt

REG_SZ AM

REG_SZ PM

REG_SZ :

Language and Regional Settings:

===============================

ACP: Language is English (United States)

MACCP: Language is English (United States)

OEMCP: Language is English (United States)

Startup Folders for Error_Expanding_Variables Check:

====================================================

All Users Startup Folder Exists.

Current User's startup Folder Exists.

Terminal Services Status for (null) entries in PM logs and GetUserToken errors:

===============================================================================

TERMService:

==============

Type : 32

State : 4 (The service is running.) (State is stopped)

WIN32_EXIT_CODE : 0

SERVICE_EXIT_CODE : 0

CHECKPOINT : 0

WAIT_HINT : 0

TermService Start is set to: 3 (Manual Startup)

Compatibility Flag Settings (Any MBAM file listings should be removed):

=======================================================================

Malwarebytes Anti-Malware Shell Extension Block Check:

======================================================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked

MBAM Startup Entries:

=====================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Service and Driver Status:

==========================

MBAMProtector:

==============

Type : 2

State : 4 (The service is running.) (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0

SERVICE_EXIT_CODE : 0

CHECKPOINT : 0

WAIT_HINT : 0

MBAMService:

==============

Type : 16

State : 4 (The service is running.)

WIN32_EXIT_CODE : 0

SERVICE_EXIT_CODE : 0

CHECKPOINT : 0

WAIT_HINT : 0

MBAMScheduler:

==============

Type : 16

State : 4 (The service is running.)

WIN32_EXIT_CODE : 0

SERVICE_EXIT_CODE : 0

CHECKPOINT : 0

WAIT_HINT : 0

<--CAN NOT OPEN SC_HANDLE, SERVICE IS NOT RUNNING FOR: MBAMChameleon

MBAMProtector Registry Values:

==============================

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector

Type REG_DWORD 2

Start REG_DWORD 3

ErrorControl REG_DWORD 1

ImagePath REG_EXPAND_SZ \??\C:\WINDOWS\system32\drivers\mbam.sys

Group REG_SZ FSFilter Anti-Virus

DependOnService REG_MULTI_SZ FltMgr

DependOnGroup REG_DWORD 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector\Instances

DefaultInstance REG_SZ MBAMProtector Instance

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector\Instances\MBAMProtector Instance

Altitude REG_SZ 328800

Flags REG_DWORD 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector\Security

Security REG_BINARY Binary Data

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector\Enum

0 REG_SZ Root\LEGACY_MBAMPROTECTOR\0000

Count REG_DWORD 1

NextInstance REG_DWORD 1

MBAMService Registry Values:

============================

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService

Type REG_DWORD 16

Start REG_DWORD 2

ErrorControl REG_DWORD 1

ImagePath REG_EXPAND_SZ "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe"

DependOnService REG_MULTI_SZ MBAMProtector

DependOnGroup REG_DWORD 0

ObjectName REG_SZ LocalSystem

Description REG_SZ Malwarebytes Anti-Malware service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService\Security

Security REG_BINARY Binary Data

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService\Enum

0 REG_SZ Root\LEGACY_MBAMSERVICE\0000

Count REG_DWORD 1

NextInstance REG_DWORD 1

MBAMScheduler Registry Values:

==============================

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMScheduler

Type REG_DWORD 16

Start REG_DWORD 2

ErrorControl REG_DWORD 1

ImagePath REG_EXPAND_SZ "C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe"

ObjectName REG_SZ LocalSystem

Description REG_SZ Malwarebytes Anti-Malware scheduler

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMScheduler\Security

Security REG_BINARY Binary Data

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMScheduler\Enum

0 REG_SZ Root\LEGACY_MBAMSCHEDULER\0000

Count REG_DWORD 1

NextInstance REG_DWORD 1

MBAM DLL's and Runtime Files:

=============================

HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.vbalGrid

(Default): REG_SZ vbAccelerator Grid Control

HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.vbalGrid\Clsid

(Default): REG_SZ {C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}

HKEY_CLASSES_ROOT\SSubTimer6.GSubclass

(Default): REG_SZ SSubTimer6.GSubclass

HKEY_CLASSES_ROOT\SSubTimer6.GSubclass\Clsid

(Default): REG_SZ {71A27032-C7D8-11D2-BEF8-525400DFB47A}

HKEY_CLASSES_ROOT\SSubTimer6.CTimer

(Default): REG_SZ SSubTimer6.CTimer

HKEY_CLASSES_ROOT\SSubTimer6.CTimer\Clsid

(Default): REG_SZ {71A27034-C7D8-11D2-BEF8-525400DFB47A}

HKEY_CLASSES_ROOT\SSubTimer6.ISubclass

(Default): REG_SZ SSubTimer6.ISubclass

HKEY_CLASSES_ROOT\SSubTimer6.ISubclass\Clsid

(Default): REG_SZ {71A2702F-C7D8-11D2-BEF8-525400DFB47A}

HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}

(Default): REG_SZ SSubTimer6.ISubclass

HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories

HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}

HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\ProgID

(Default): REG_SZ SSubTimer6.ISubclass

HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\Programmable

HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\TypeLib

(Default): REG_SZ {71A2702D-C7D8-11D2-BEF8-525400DFB47A}

HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\VERSION

(Default): REG_SZ 1.0

HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}

(Default): REG_SZ SSubTimer6.GSubclass

HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories

HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}

HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32

(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\ssubtmr6.dll

ThreadingModel REG_SZ Apartment

HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\ProgID

(Default): REG_SZ SSubTimer6.GSubclass

HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\Programmable

HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\TypeLib

(Default): REG_SZ {71A2702D-C7D8-11D2-BEF8-525400DFB47A}

HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\VERSION

(Default): REG_SZ 1.0

HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}

(Default): REG_SZ SSubTimer6.CTimer

HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories

HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}

HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32

(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\ssubtmr6.dll

ThreadingModel REG_SZ Apartment

HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\ProgID

(Default): REG_SZ SSubTimer6.CTimer

HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\Programmable

HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\TypeLib

(Default): REG_SZ {71A2702D-C7D8-11D2-BEF8-525400DFB47A}

HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\VERSION

(Default): REG_SZ 1.0

HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}

HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1

(Default): REG_SZ vbAccelerator VB6 SGrid Control 2.0

HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\0

HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\0\win32

(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\vbalsgrid6.ocx

HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\FLAGS

(Default): REG_SZ 2

HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\HELPDIR

(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware

HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}

HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0

(Default): REG_SZ vbAccelerator VB6 Subclassing and Timer Assistant (with configurable message response, multi-control support + timer bug fix)

HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\0

HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\0\win32

(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\ssubtmr6.dll

HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\FLAGS

(Default): REG_SZ 0

HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\HELPDIR

(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware

HKEY_CLASSES_ROOT\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}

(Default): REG_SZ ISubclass

HKEY_CLASSES_ROOT\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid

(Default): REG_SZ {00020424-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32

(Default): REG_SZ {00020424-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\TypeLib

(Default): REG_SZ {71A2702D-C7D8-11D2-BEF8-525400DFB47A}

Version REG_SZ 1.0

HKEY_CLASSES_ROOT\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}

(Default): REG_SZ CTimer

HKEY_CLASSES_ROOT\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid

(Default): REG_SZ {00020420-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32

(Default): REG_SZ {00020420-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\TypeLib

(Default): REG_SZ {71A2702D-C7D8-11D2-BEF8-525400DFB47A}

Version REG_SZ 1.0

HKEY_CLASSES_ROOT\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}

(Default): REG_SZ vbalGrid

HKEY_CLASSES_ROOT\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\ProxyStubClsid

(Default): REG_SZ {00020420-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\ProxyStubClsid32

(Default): REG_SZ {00020420-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\TypeLib

(Default): REG_SZ {DE8CE233-DD83-481D-844C-C07B96589D3A}

Version REG_SZ 1.1

MBAM Registry Settings and License Info:

========================================

HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes' Anti-Malware

advancedheuristics REG_DWORD 1

downloadprogram REG_DWORD 1

hidereg REG_DWORD 0

detectp2p REG_DWORD 0

detectpum REG_DWORD 1

detectpup REG_DWORD 2

updatewarn REG_DWORD 1

updatewarndays REG_DWORD 7

useproxy REG_DWORD 0

useauthentication REG_DWORD 0

contextmenu REG_DWORD 1

reportthreats REG_DWORD 1

startwithwindows REG_DWORD 1

startfsdisabled REG_DWORD 0

startipdisabled REG_DWORD 0

silentipmode REG_DWORD 0

autoquarantine REG_DWORD 1

notifyinstallprogram REG_DWORD 1

trialpromptshown REG_DWORD 1

autoquarantinenotify REG_DWORD 1

alwaysscanarchives REG_DWORD 1

InstallPath REG_SZ C:\Program Files\Malwarebytes' Anti-Malware

dbdate REG_SZ Sun, 16 Jun 2013 20:29:17 GMT

dbversion REG_SZ v2013.06.16.04

programversion REG_SZ 1.75.0.1300

programbuild REG_SZ consumer

trialended REG_DWORD 0

SchedulerQueue REG_MULTI_SZ 6148, 30304928, 3375955312, 1, 23 | 30304996, 11501902

ID XXXXX-XXXXX This is hidden data.

Key XXXX-XXXX-XXXX-XXXX This is hidden data.

HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes' Anti-Malware (Trial)

TrialId There is data here but it is hidden.

StartDate REG_SZ Sun, 16 Jun 2013 22:41:21 UTC

EndDate REG_SZ Sun, 30 Jun 2013 22:41:21 UTC

HKEY_CURRENT_USER\SOFTWARE\Malwarebytes' Anti-Malware

alwaysscanfiles REG_DWORD 1

alwaysscanheuristics REG_DWORD 1

alwaysscanmemory REG_DWORD 1

alwaysscanregistry REG_DWORD 1

alwaysscanstartups REG_DWORD 1

autosavelog REG_DWORD 1

openlog REG_DWORD 1

defaultscan REG_DWORD 0

terminateie REG_DWORD 0

Language REG_SZ English.lng

selectedrives REG_SZ C:\|F:\|

HKEY_USERS\S-1-5-18\SOFTWARE\Malwarebytes' Anti-Malware

alwaysscanfiles REG_DWORD 1

alwaysscanheuristics REG_DWORD 1

alwaysscanmemory REG_DWORD 1

alwaysscanregistry REG_DWORD 1

alwaysscanstartups REG_DWORD 1

autosavelog REG_DWORD 1

openlog REG_DWORD 1

defaultscan REG_DWORD 0

terminateie REG_DWORD 0

HKEY_USERS\.DEFAULT\SOFTWARE\Malwarebytes' Anti-Malware

alwaysscanfiles REG_DWORD 1

alwaysscanheuristics REG_DWORD 1

alwaysscanmemory REG_DWORD 1

alwaysscanregistry REG_DWORD 1

alwaysscanstartups REG_DWORD 1

autosavelog REG_DWORD 1

openlog REG_DWORD 1

defaultscan REG_DWORD 0

terminateie REG_DWORD 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malwarebytes' Anti-Malware_is1

Inno Setup: Setup Version REG_SZ 5.5.3-dev (a)

Inno Setup: App Path REG_SZ C:\Program Files\Malwarebytes' Anti-Malware

InstallLocation REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\

Inno Setup: Icon Group REG_SZ Malwarebytes' Anti-Malware

Inno Setup: User REG_SZ User one

Inno Setup: Selected Tasks REG_SZ desktopicon

Inno Setup: Deselected Tasks REG_SZ quicklaunchicon

Inno Setup: Language REG_SZ English

DisplayName REG_SZ Malwarebytes Anti-Malware version 1.75.0.1300

DisplayIcon REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

UninstallString REG_SZ "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"

QuietUninstallString REG_SZ "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe" /SILENT

DisplayVersion REG_SZ 1.75.0.1300

Publisher REG_SZ Malwarebytes Corporation

URLInfoAbout REG_SZ http://www.malwarebytes.org

NoModify REG_DWORD 1

NoRepair REG_DWORD 1

InstallDate REG_SZ 20130616

MajorVersion REG_DWORD 1

MinorVersion REG_DWORD 75

Pending File Rename Operations:

================================

If any Malwarebytes Anti-Malware items are listed below, the user must reboot to complete a Malwarebytes Anti-Malware upgrade installation.

Scheduler Queue:

================

Scheduled Item: Update Schedule Options: | Daily | Random

Start Time: 2013-06-16 14:50 Repeating Every: 1 Recover if missed by: 23

Context Menu Entries:

=====================

HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShlExt

(Default): REG_SZ {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\MBAMShlExt

(Default): REG_SZ {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt

(Default): REG_SZ MBAMShlExt Class

HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt\CLSID

(Default): REG_SZ {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt\CurVer

(Default): REG_SZ MBAMExt.MBAMShlExt.1

HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1

(Default): REG_SZ MBAMShlExt Class

HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1\CLSID

(Default): REG_SZ {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}

(Default): REG_SZ IMBAMShlExt

HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\ProxyStubClsid

(Default): REG_SZ {00020424-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\ProxyStubClsid32

(Default): REG_SZ {00020424-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\TypeLib

(Default): REG_SZ {AFF1A83B-6C83-4342-8E68-1648DE06CB65}

Version REG_SZ 1.0

HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}

(Default): REG_SZ MBAMShlExt Class

HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32

(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll

ThreadingModel REG_SZ Apartment

HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\ProgID

(Default): REG_SZ MBAMExt.MBAMShlExt.1

HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\TypeLib

(Default): REG_SZ {AFF1A83B-6C83-4342-8E68-1648DE06CB65}

HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\VersionIndependentProgID

(Default): REG_SZ MBAMExt.MBAMShlExt

HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}

HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0

(Default): REG_SZ MBAMExt 1.0 Type Library

HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0

HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0\win32

(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll

HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\FLAGS

(Default): REG_SZ 0

HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\HELPDIR

(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\

MBAM Drivers:

=============

C:\WINDOWS\system32\drivers\mbam.sys File Size: 22856 BYTES FileVersion: 1.60.2.0

Required Dependencies:

======================

fltmgr:

==============

Type : 2

State : 4 (The service is running.) (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0

SERVICE_EXIT_CODE : 0

CHECKPOINT : 0

WAIT_HINT : 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FltMgr

Type REG_DWORD 2

Start REG_DWORD 0

ErrorControl REG_DWORD 1

Tag REG_DWORD 1

ImagePath REG_EXPAND_SZ system32\drivers\fltmgr.sys

DisplayName REG_SZ FltMgr

Group REG_SZ FSFilter Infrastructure

Description REG_SZ File System Filter Manager Driver

AttachWhenLoaded REG_DWORD 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FltMgr\Security

Security REG_BINARY Binary Data

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FltMgr\Enum

0 REG_SZ Root\LEGACY_FLTMGR\0000

Count REG_DWORD 1

NextInstance REG_DWORD 1

C:\WINDOWS\system32\drivers\fltmgr.sys File Size: 129792 BYTES FileVersion: 5.1.2600.5512

C:\WINDOWS\system32\comctl32.ocx File Size: 608448 BYTES FileVersion: 6.0.81.5

C:\WINDOWS\system32\mscomctl.ocx File Size: 1070152 BYTES FileVersion: 6.1.98.34

C:\WINDOWS\system32\olepro32.dll File Size: 84992 BYTES FileVersion: 5.1.2600.5512

List of MBAM Related Directories:

=================================

C:\Program Files\Malwarebytes' Anti-Malware

7z.dll File Size: 914432 BYTES FileVersion: 9.20.0.0

changes.txt File Size: 200 BYTES

license.rtf File Size: 17916 BYTES

mbam.chm File Size: 474148 BYTES

mbam.dll File Size: 527944 BYTES FileVersion: 1.70.0.0

mbam.exe File Size: 887432 BYTES FileVersion: 1.75.0.1

mbamcore.dll File Size: 1127496 BYTES FileVersion: 1.70.0.0

mbamext.dll File Size: 80968 BYTES FileVersion: 1.70.0.0

mbamgui.exe File Size: 532040 BYTES FileVersion: 1.70.0.0

mbamnet.dll File Size: 2191944 BYTES FileVersion: 1.70.0.0

mbampt.exe File Size: 40008 BYTES FileVersion: 1.70.0.0

mbamscheduler.exe File Size: 418376 BYTES FileVersion: 1.70.0.0

mbamservice.exe File Size: 701512 BYTES FileVersion: 1.70.0.0

ssubtmr6.dll File Size: 46416 BYTES FileVersion: 1.1.0.3

unins000.dat File Size: 15697 BYTES

unins000.exe File Size: 712264 BYTES FileVersion: 51.52.0.0

unins000.msg File Size: 11277 BYTES

vbalsgrid6.ocx File Size: 496976 BYTES FileVersion: 2.0.0.40

C:\Program Files\Malwarebytes' Anti-Malware\Chameleon

chameleon.chm File Size: 186068 BYTES

firefox.com File Size: 218184 BYTES

firefox.exe File Size: 218184 BYTES

firefox.pif File Size: 218184 BYTES

firefox.scr File Size: 218184 BYTES

iexplore.exe File Size: 218184 BYTES

mbam-chameleon.com File Size: 218184 BYTES

mbam-chameleon.exe File Size: 218184 BYTES

mbam-chameleon.pif File Size: 218184 BYTES

mbam-chameleon.scr File Size: 218184 BYTES

mbam-killer.exe File Size: 896072 BYTES

rundll32.exe File Size: 218184 BYTES

svchost.exe File Size: 218184 BYTES

winlogon.exe File Size: 218184 BYTES

C:\Program Files\Malwarebytes' Anti-Malware\Languages

arabic.lng File Size: 21894 BYTES

belarusian.lng File Size: 26884 BYTES

bosnian.lng File Size: 27108 BYTES

bulgarian.lng File Size: 27574 BYTES

catalan.lng File Size: 28252 BYTES

chineseSI.lng File Size: 11024 BYTES

chineseTR.lng File Size: 11952 BYTES

croatian.lng File Size: 26670 BYTES

czech.lng File Size: 24874 BYTES

danish.lng File Size: 26582 BYTES

dutch.lng File Size: 28342 BYTES

english.lng File Size: 24542 BYTES

estonian.lng File Size: 25146 BYTES

finnish.lng File Size: 25950 BYTES

french.lng File Size: 29830 BYTES

german.lng File Size: 29894 BYTES

greek.lng File Size: 29300 BYTES

hebrew.lng File Size: 19362 BYTES

hungarian.lng File Size: 28666 BYTES

indonesian.lng File Size: 26854 BYTES

italian.lng File Size: 28194 BYTES

japanese.lng File Size: 16266 BYTES

korean.lng File Size: 14188 BYTES

latvian.lng File Size: 27100 BYTES

lithuanian.lng File Size: 27838 BYTES

norwegian.lng File Size: 25116 BYTES

polish.lng File Size: 26644 BYTES

portugueseBR.lng File Size: 28654 BYTES

portuguesePT.lng File Size: 29062 BYTES

romanian.lng File Size: 28290 BYTES

russian.lng File Size: 27302 BYTES

serbian.lng File Size: 26804 BYTES

slovak.lng File Size: 25644 BYTES

slovenian.lng File Size: 24852 BYTES

spanish.lng File Size: 30060 BYTES

swedish.lng File Size: 25992 BYTES

thai.lng File Size: 26092 BYTES

turkish.lng File Size: 25876 BYTES

vietnamese.lng File Size: 29528 BYTES

C:\Documents and Settings\User one\Application Data\Malwarebytes\Malwarebytes' Anti-Malware

C:\Documents and Settings\User one\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs

C:\Documents and Settings\User one\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine

===============================================================

END OF FILE


  • Staff

Hello jaymac

Let's get a deeper look into the system and let's see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.

  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.
Gringo

Hey Gringo-

OTL.txt output follows:

OTL logfile created on: 6/21/2013 7:02:32 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\User one\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.14 Gb Available Physical Memory | 57.20% Memory free
3.84 Gb Paging File | 3.19 Gb Available in Paging File | 82.95% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 112.99 Gb Free Space | 75.81% Space Free | Partition Type: NTFS
Drive F: | 232.88 Gb Total Space | 188.06 Gb Free Space | 80.75% Space Free | Partition Type: NTFS

Computer Name: NEW042408 | User Name: User one | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\User one\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
PRC - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\ccsvchst.exe (Symantec Corporation)
PRC - C:\Program Files\Secunia\PSI\sua.exe (Secunia)
PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)
PRC - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation)
PRC - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe (CA)
PRC - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe (CA)
PRC - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe (CA)
PRC - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe (CA)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe ()
PRC - C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
PRC - C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
PRC - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)
PRC - C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
PRC - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)
PRC - C:\WINDOWS\system32\PSIService.exe ()
PRC - C:\Program Files\Lexmark 1200 Series\LXCZbmgr.exe (Lexmark International, Inc.)
PRC - C:\Program Files\Lexmark 1200 Series\LXCZbmon.exe (Lexmark International, Inc.)
PRC - C:\WINDOWS\system32\lxczcoms.exe ( )


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\d7ee03714420b252415b952d40ef59e4\System.ServiceProcess.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\aeac298c43c77d8860db8e7634d9f2eb\System.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\eab2340ead8e1a84bdf1a87868659979\mscorlib.ni.dll ()
MOD - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\wincfi39.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files\NVIDIA Corporation\nView\nvShell.dll ()
MOD - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe ()
MOD - C:\Program Files\Acronis\TrueImageHome\fox.dll ()
MOD - C:\WINDOWS\system32\PSIService.exe ()
MOD - C:\WINDOWS\system32\lxczcnv4.dll ()


========== Services (SafeList) ==========

SRV - (HidServ) -- %SystemRoot%\System32\hidserv.dll File not found
SRV - (ccSchedulerSVC) -- C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe File not found
SRV - (CaCCProvSP) -- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe File not found
SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MBAMScheduler) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
SRV - (N360) -- C:\Program Files\Norton Security Suite\Engine\20.3.1.22\ccSvcHst.exe (Symantec Corporation)
SRV - (Secunia PSI Agent) -- C:\Program Files\Secunia\PSI\psia.exe (Secunia)
SRV - (Secunia Update Agent) -- C:\Program Files\Secunia\PSI\sua.exe (Secunia)
SRV - (QBCFMonitorService) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)
SRV - (nvUpdatusService) -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation)
SRV - (UmxPol) -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe (CA)
SRV - (UmxCfg) -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe (CA)
SRV - (UmxAgent) -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe (CA)
SRV - (UmxFwHlp) -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe (CA)
SRV - (QBFCService) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (Intuit Inc.)
SRV - (TryAndDecideService) -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe ()
SRV - (AcrSch2Svc) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)
SRV - (PSI_SVC_2) -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)
SRV - (ProtexisLicensing) -- C:\WINDOWS\system32\PSIService.exe ()
SRV - (lxcz_device) -- C:\WINDOWS\system32\lxczcoms.exe ( )


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (MCSTRM) -- File not found
DRV - (lmimirr) -- system32\DRIVERS\lmimirr.sys File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (esgiguard) -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\USERON~1\LOCALS~1\Temp\catchme.sys File not found
DRV - (NAVEX15) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130621.002\NAVEX15.SYS (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (NAVENG) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130621.002\NAVENG.SYS (Symantec Corporation)
DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (IDSxpx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130620.001\IDSXpx86.sys (Symantec Corporation)
DRV - (BHDrvx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130531.001\BHDrvx86.sys (Symantec Corporation)
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (SymEFA) -- C:\WINDOWS\system32\drivers\N360\1403010.016\symefa.sys (Symantec Corporation)
DRV - (SRTSP) -- C:\WINDOWS\system32\drivers\N360\1403010.016\srtsp.sys (Symantec Corporation)
DRV - (SRTSPX) -- C:\WINDOWS\system32\drivers\N360\1403010.016\srtspx.sys (Symantec Corporation)
DRV - (SymDS) -- C:\WINDOWS\system32\drivers\N360\1403010.016\symds.sys (Symantec Corporation)
DRV - (ccSet_N360) -- C:\WINDOWS\system32\drivers\N360\1403010.016\ccsetx86.sys (Symantec Corporation)
DRV - (SymIRON) -- C:\WINDOWS\system32\drivers\N360\1403010.016\ironx86.sys (Symantec Corporation)
DRV - (SYMTDI) -- C:\WINDOWS\system32\drivers\N360\1403010.016\symtdi.sys (Symantec Corporation)
DRV - (PSI) -- C:\WINDOWS\system32\drivers\psi_mf.sys (Secunia)
DRV - (KmxCF) -- C:\WINDOWS\system32\drivers\KmxCF.sys (CA)
DRV - (KmxFw) -- C:\WINDOWS\system32\drivers\KmxFw.sys (CA)
DRV - (KmxSbx) -- C:\WINDOWS\system32\drivers\KmxSbx.sys (CA)
DRV - (KmxFile) -- C:\WINDOWS\system32\drivers\KmxFile.sys (CA)
DRV - (KmxCfg) -- C:\WINDOWS\system32\drivers\KmxCfg.sys (CA)
DRV - (KmxStart) -- C:\WINDOWS\system32\drivers\KmxStart.sys (CA)
DRV - (KmxAgent) -- C:\WINDOWS\system32\drivers\KmxAgent.sys (CA)
DRV - (timounter) -- C:\WINDOWS\system32\drivers\timntr.sys (Acronis)
DRV - (tifsfilter) -- C:\WINDOWS\system32\drivers\tifsfilt.sys (Acronis)
DRV - (snapman) -- C:\WINDOWS\system32\drivers\snapman.sys (Acronis)
DRV - (tdrpman) -- C:\WINDOWS\system32\drivers\tdrpman.sys (Acronis)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (IDT, Inc.)
DRV - (sfng32) -- C:\WINDOWS\system32\drivers\sfng32.sys (Sonic Focus, Inc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-725345543-1454471165-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..\SearchScopes,DefaultScope = {20B42714-2AE1-4BCA-8F0C-27691DFCBF63}
IE - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..\SearchScopes\{20B42714-2AE1-4BCA-8F0C-27691DFCBF63}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3303000&CUI=UN38385761147885239&UM=2
IE - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-725345543-1454471165-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-725345543-1454471165-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-21-725345543-1454471165-682003330-1007\..\SearchScopes,DefaultScope =

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:21.0
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: LogMeInClient@logmein.com:1.0.0.608
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: caaphishtoolbar@ca.com:2.0.0.111
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.21.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.2: C:\Program Files\VideoLAN\VLC\npvlc.dll File not found
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.5: C:\Program Files\VideoLAN\VLC\npvlc.dll File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\IPSFFPlgn\ [2013/06/15 18:51:41 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\coFFPlgn\ [2013/06/16 19:19:25 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/05/18 14:26:43 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/05/18 14:26:27 | 000,000,000 | ---D | M]

[2008/12/05 11:47:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User one\Application Data\Mozilla\Extensions
[2013/06/16 10:02:39 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\extensions
[2011/03/12 11:25:35 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2013/05/25 10:10:31 | 000,000,000 | ---D | M] (LogMeIn, Inc. Remote Access Plugin) -- C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\extensions\LogMeInClient@logmein.com
[2013/05/18 14:26:43 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013/05/18 14:26:43 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2012/06/20 12:14:20 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\mozilla firefox\plugins\npwachk.dll

O1 HOSTS File: ([2013/06/16 14:16:21 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\coieplg.dll (Symantec Corporation)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\coieplg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..\Toolbar\WebBrowser: (no name) - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No CLSID value found.
O3 - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..\Toolbar\WebBrowser: (no name) - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No CLSID value found.
O3 - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\coieplg.dll (Symantec Corporation)
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [FaxCenterServer] C:\Program Files\Lexmark Fax Solutions\fm3032.exe ()
O4 - HKLM..\Run: [intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [lxczbmgr.exe] C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-725345543-1454471165-682003330-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-725345543-1454471165-682003330-1004\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-725345543-1454471165-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-725345543-1454471165-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-725345543-1454471165-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-725345543-1454471165-682003330-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-725345543-1454471165-682003330-1007\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-725345543-1454471165-682003330-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1211185305437 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1371423209421 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{38EF28CB-69F3-48BB-82B6-3BD71C9BFE72}: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\PFW: DllName - (UmxWnp.Dll) - C:\WINDOWS\System32\UmxWNP.dll (CA)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/24 01:13:05 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/06/21 18:59:39 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User one\Desktop\OTL.exe
[2013/06/21 18:57:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User one\Desktop\MBAM 06.13
[2013/06/16 18:41:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User one\Application Data\Malwarebytes
[2013/06/16 18:41:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/06/16 18:40:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2013/06/16 18:40:58 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2013/06/16 18:40:58 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013/06/16 14:39:05 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2013/06/16 14:07:51 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/06/16 14:07:51 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/06/16 14:07:51 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/06/16 14:07:51 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/06/16 14:07:27 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/06/16 14:07:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2013/06/16 10:09:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2013/06/16 10:09:32 | 000,000,000 | ---D | C] -- C:\JRT
[2013/06/16 00:25:44 | 000,934,488 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\1403010.016\symefa.sys
[2013/06/16 00:25:44 | 000,394,656 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\1403010.016\symtdi.sys
[2013/06/16 00:25:44 | 000,367,704 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\1403010.016\symds.sys
[2013/06/16 00:25:44 | 000,350,368 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\1403010.016\symtdiv.sys
[2013/06/16 00:25:44 | 000,338,592 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\1403010.016\symnets.sys
[2013/06/16 00:25:44 | 000,032,344 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\1403010.016\srtspx.sys
[2013/06/16 00:25:44 | 000,021,400 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\1403010.016\symelam.sys
[2013/06/16 00:25:43 | 000,602,712 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\1403010.016\srtsp.sys
[2013/06/16 00:25:43 | 000,175,264 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\1403010.016\ironx86.sys
[2013/06/16 00:25:43 | 000,134,304 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\1403010.016\ccsetx86.sys
[2013/06/16 00:25:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\N360\1403010.016
[2013/06/15 18:50:12 | 000,142,496 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2013/06/15 18:50:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2013/06/15 18:50:12 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2013/06/15 18:49:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\N360
[2013/06/15 18:49:28 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Security Suite
[2013/06/15 18:49:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Norton Security Suite
[2013/06/15 18:49:07 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2013/06/15 18:38:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2013/06/15 18:38:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User one\My Documents\Symantec
[2013/06/15 18:37:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User one\Start Menu\Programs\Norton
[2013/06/15 18:37:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Norton
[2013/06/15 18:37:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2013/06/01 00:03:51 | 000,000,000 | ---D | C] -- C:\Program Files\Uninstaller
[2013/05/31 23:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2013/05/31 23:42:57 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2013/05/31 23:42:53 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2013/05/31 23:42:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2013/05/31 23:42:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Apple Computer
[2013/05/31 23:42:30 | 006,112,864 | ---- | C] (Apple, Inc.) -- C:\WINDOWS\System32\usbaaplrc.dll
[2013/05/31 23:42:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2013/05/31 23:42:16 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2013/05/31 23:38:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User one\Local Settings\Application Data\Temp
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/06/21 18:59:39 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User one\Desktop\OTL.exe
[2013/06/16 19:17:36 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/06/16 19:16:28 | 001,284,069 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k1
[2013/06/16 19:16:28 | 000,977,212 | ---- | M] () -- C:\WINDOWS\System32\drivers\KmxAgent.asc
[2013/06/16 19:16:28 | 000,000,373 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k1
[2013/06/16 19:16:28 | 000,000,085 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k7
[2013/06/16 19:16:28 | 000,000,085 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k6
[2013/06/16 19:16:28 | 000,000,085 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k5
[2013/06/16 19:16:28 | 000,000,085 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k4
[2013/06/16 19:16:28 | 000,000,085 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k3
[2013/06/16 19:16:28 | 000,000,085 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k2
[2013/06/16 19:16:28 | 000,000,085 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k0
[2013/06/16 19:16:28 | 000,000,049 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k7
[2013/06/16 19:16:28 | 000,000,049 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k6
[2013/06/16 19:16:28 | 000,000,049 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k5
[2013/06/16 19:16:28 | 000,000,049 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k4
[2013/06/16 19:16:28 | 000,000,049 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k3
[2013/06/16 19:16:28 | 000,000,049 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k2
[2013/06/16 19:16:28 | 000,000,049 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k0
[2013/06/16 19:07:44 | 000,703,097 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\Cat.DB
[2013/06/16 19:05:56 | 000,503,648 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/06/16 19:05:56 | 000,087,670 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/06/16 18:58:31 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/06/16 18:55:20 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/06/16 18:41:01 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/06/16 14:16:21 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2013/06/16 14:01:55 | 000,001,519 | ---- | M] () -- C:\Documents and Settings\User one\Application Data\Microsoft\Internet Explorer\Quick Launch\Notepad.lnk
[2013/06/16 10:04:03 | 000,014,818 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\VT20130115.021
[2013/06/15 18:54:17 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Sonos.lnk
[2013/06/15 18:50:12 | 000,142,496 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2013/06/15 18:50:12 | 000,007,446 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2013/06/15 18:50:12 | 000,000,806 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2013/06/15 15:44:52 | 380,952,576 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2013/05/31 23:48:46 | 000,002,828 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2013/05/31 23:43:21 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/06/16 18:41:01 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/06/16 14:07:51 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/06/16 14:07:51 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/06/16 14:07:51 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/06/16 14:07:51 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/06/16 14:07:51 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013/06/16 14:01:55 | 000,001,519 | ---- | C] () -- C:\Documents and Settings\User one\Application Data\Microsoft\Internet Explorer\Quick Launch\Notepad.lnk
[2013/06/16 10:04:03 | 000,703,097 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\Cat.DB
[2013/06/16 10:04:03 | 000,014,818 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\VT20130115.021
[2013/06/16 00:25:44 | 000,009,670 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\symelam.cat
[2013/06/16 00:25:44 | 000,007,877 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\symnetv.cat
[2013/06/16 00:25:44 | 000,007,601 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\symnet.cat
[2013/06/16 00:25:44 | 000,007,583 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\symefa.cat
[2013/06/16 00:25:44 | 000,007,577 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\symds.cat
[2013/06/16 00:25:44 | 000,003,434 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\symefa.inf
[2013/06/16 00:25:44 | 000,002,852 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\symds.inf
[2013/06/16 00:25:44 | 000,001,468 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\symnetv.inf
[2013/06/16 00:25:44 | 000,001,440 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\symnet.inf
[2013/06/16 00:25:44 | 000,000,996 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\symelam.inf
[2013/06/16 00:25:43 | 000,007,611 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\ccsetx86.cat
[2013/06/16 00:25:43 | 000,007,593 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\iron.cat
[2013/06/16 00:25:43 | 000,007,581 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\srtspx.cat
[2013/06/16 00:25:43 | 000,007,577 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\srtsp.cat
[2013/06/16 00:25:43 | 000,001,389 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\srtspx.inf
[2013/06/16 00:25:43 | 000,001,389 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\srtsp.inf
[2013/06/16 00:25:43 | 000,000,827 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\ccsetx86.inf
[2013/06/16 00:25:43 | 000,000,737 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\iron.inf
[2013/06/16 00:25:20 | 000,014,818 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\symvtcer.dat
[2013/06/16 00:25:20 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\1403010.016\isolate.ini
[2013/06/15 18:50:13 | 000,007,446 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2013/06/15 18:50:13 | 000,000,806 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2013/05/31 23:43:21 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2013/05/18 14:57:22 | 000,216,064 | ---- | C] ( ) -- C:\WINDOWS\System32\lagarith.dll
[2013/05/18 14:57:21 | 000,715,038 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2013/05/18 14:57:21 | 000,001,791 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2013/05/05 13:45:33 | 000,412,106 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-725345543-1454471165-682003330-1004-0.dat
[2013/05/05 12:09:57 | 000,207,098 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2013/03/10 16:02:45 | 000,000,142 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.400.32.bc
[2012/02/18 09:01:43 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/07/28 19:09:20 | 000,273,344 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2011/07/28 19:09:20 | 000,273,344 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2011/07/28 19:09:20 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2011/06/17 09:56:38 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\User one\defogger_reenable
[2009/12/07 01:27:50 | 000,870,128 | ---- | C] () -- C:\Documents and Settings\User one\Application Data\mcs.rma
[2008/11/07 18:00:48 | 000,094,208 | ---- | C] () -- C:\Documents and Settings\User one\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/07 17:54:12 | 000,002,828 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys

========== ZeroAccess Check ==========

[2008/10/06 21:21:13 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2011/02/17 09:51:57 | 001,510,400 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 08:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 20:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\blastcln.exe:SummaryInformation

< End of report >


  • Staff

Hello jaymac

I would like you to run this custom script for me now and when it is complete please give me the report and a status update for the computer.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Custom Scans/Fixes text box.

    :OTL
    FF - user.js - File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.2: C:\Program Files\VideoLAN\VLC\npvlc.dll File not found
    FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.5: C:\Program Files\VideoLAN\VLC\npvlc.dll File not found
    FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll File not found
    O3 - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..\Toolbar\WebBrowser: (no name) - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No CLSID value found.
    O3 - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..\Toolbar\WebBrowser: (no name) - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No CLSID value found.
    IE - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..\SearchScopes\{20B42714-2AE1-4BCA-8F0C-27691DFCBF63}: "URL" = http://search.condui...ultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3303000&CUI=UN38385761147885239&UM=2
    :Files
    ipconfig /flushdns /c
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    [reboot]

  • Then click the Run Fix button at the top.
  • Click OK.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

    Note** if the report does not pop up after the computer reboots, you can find it here in this folder - C:\_OTL\MovedFiles

    It will be named - mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss - are numbers representing the date and time the fix was run.

Let me know how things are doing.

Gringo

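To show what the custom fix above is actually selecting from the OTL report earlier in the thread (FF/O3 registrations whose target file or CLSID is gone, plus an IE search scope whose URL points at a non-default engine), here is an added Python triage helper; it is not part of OTL or of this thread. The list of expected search-engine hosts is an assumption for the example, and the sample log lines are a constructed subset copied from the report above.

```python
import re
from urllib.parse import urlsplit

# Markers OTL prints when a registry entry points at something that no longer
# exists on disk or in HKCR.  Such orphans are what the fix above removes.
ORPHAN_MARKERS = ("File not found", "No CLSID value found.")

# Search engines this workstation is expected to use (assumption for the example;
# the report in the thread shows Bing and Live Search as the shipped defaults).
EXPECTED_SEARCH_HOSTS = {"www.bing.com", "search.live.com", "www.google.com"}

# Matches an OTL 'IE - ...\SearchScopes\{GUID}: "URL" = <url>' line.
SCOPE_RE = re.compile(r'^IE - .*\\SearchScopes\\\{[0-9A-Fa-f-]+\}: "URL" = (?P<url>\S+)$')

# Constructed sample: a handful of lines copied from the OTL report earlier in the thread.
SAMPLE_OTL_LOG = r"""
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..\SearchScopes\{20B42714-2AE1-4BCA-8F0C-27691DFCBF63}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3303000&CUI=UN38385761147885239&UM=2
FF - user.js - File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.21.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.2: C:\Program Files\VideoLAN\VLC\npvlc.dll File not found
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\coieplg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-725345543-1454471165-682003330-1004\..\Toolbar\WebBrowser: (no name) - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No CLSID value found.
""".strip().splitlines()


def is_orphan(line):
    """True for Firefox-plugin (FF) or toolbar (O3) lines whose target is gone."""
    return line.startswith(("FF - ", "O3 - ")) and any(m in line for m in ORPHAN_MARKERS)


def unexpected_search_scope(line):
    """True for an IE search-scope line whose URL host is not an expected engine."""
    m = SCOPE_RE.match(line)
    if not m:
        return False
    host = (urlsplit(m.group("url")).hostname or "").lower()
    return host not in EXPECTED_SEARCH_HOSTS


def select_fix_lines(log_lines):
    """Return the report lines that belong in the ':OTL' section of a fix."""
    picked = []
    for raw in log_lines:
        line = raw.strip()
        if is_orphan(line) or unexpected_search_scope(line):
            picked.append(line)
    return picked


def build_otl_fix(log_lines, commands=("[PURITY]", "[emptyjava]", "[EMPTYFLASH]", "[reboot]")):
    """Assemble a fix script in OTL's section syntax (:OTL / :Files / :Commands)."""
    body = [":OTL", *select_fix_lines(log_lines)]
    body += [":Files", "ipconfig /flushdns /c", ":Commands", *commands]
    return "\n".join(body)


if __name__ == "__main__":
    print(build_otl_fix(SAMPLE_OTL_LOG))
```

Entries that resolve to an existing file (the Java plugin, the Norton toolbar) are left alone, which is the same judgement the fix above applies by hand.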

Good Morning Gringo-

Script ran, no problem. Still cannot enable malicious website blocking in MBAM - however, the IE search box dump to "Vafmusic7 Customized Web Search" is gone. I appreciate all the hard work on your end. OTL report follows:

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.2\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.5\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\MozillaPlugins\@adobe.com/FlashPlayer\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-725345543-1454471165-682003330-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0123B506-0AD9-43AA-B0CF-916C122AD4C5} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0123B506-0AD9-43AA-B0CF-916C122AD4C5}\ not found.
Registry value HKEY_USERS\S-1-5-21-725345543-1454471165-682003330-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{10134636-E7AF-4AC5-A1DC-C7C44BB97D81} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10134636-E7AF-4AC5-A1DC-C7C44BB97D81}\ not found.
Registry key HKEY_USERS\S-1-5-21-725345543-1454471165-682003330-1004\Software\Microsoft\Internet Explorer\SearchScopes\{20B42714-2AE1-4BCA-8F0C-27691DFCBF63}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20B42714-2AE1-4BCA-8F0C-27691DFCBF63}\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\User one\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\User one\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: UpdatusUser

User: User one
->Java cache emptied: 54081345 bytes

Total Java Files Cleaned = 52.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: UpdatusUser

User: User one
->Flash cache emptied: 14028 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 06222013_103553


  • Staff

You will need to perform a clean uninstall using our tool. If using the PRO version, locate the confirmation email that was sent by Cleverbridge at the time of purchase so that you have your ID and Key handy for the reinstall.

• Download and run "mbam-clean.exe" from here: http://downloads.malwarebytes.org/file/mbam_clean

• It will ask to restart your computer, please allow it to do so (this is very important)

Next, download the latest version of Malwarebytes Anti-Malware via the link below:

http://downloads.malwarebytes.org/file/mbam

NOTE - All downloads and set up files are the Free version, registration with your ID & key will activate the Pro features.

Save the file to your desktop then double-click it to begin installation. If you're using the PRO version you will need to re-register.

Launch Malwarebytes Anti-Malware by double clicking the desktop icon. When the program opens, click on the Activate button at the bottom of the window.

In the next window that pops open, copy/paste the ID and license key directly from the confirmation email into the proper fields.

** Please make sure you are only including the letters and numbers and not the words ID or Key.

Finally, make sure you are not including additional spaces before or after the ID and Key.

Click the Activate button once again. If done correctly you should see the word (PRO) in the Malwarebytes' Anti-Malware header.


  • Staff

Hello

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
Gringo

Gringo-

FSS text follows:

Farbar Service Scanner Version: 16-06-2013
Ran by User one (administrator) on 23-06-2013 at 13:01:02
Running from "C:\Documents and Settings\User one\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============


Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) SYMTDI(8) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****


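The FSS log above is read by hand in this thread; the parser below is an added example, not part of the thread and not Farbar's own code, showing how a helper can pull the same three things out of a pasted log automatically: any key listed under a "Disabled Policy" section (here EnableFirewall=0 in the StandardProfile key), any service reported as not running or with a start type that differs from the default (here BITS: Demand instead of Auto), and any File Check entry whose status is not "MD5 is legit". The section layout and message wording are assumed from the log as posted; the embedded sample is an abridged copy of that log plus one constructed non-legit File Check line that the original log does not contain.

```python
import re
from typing import List, Tuple

# Abridged copy of the Farbar Service Scanner log posted above, embedded so the
# parser runs offline. The last "File Check" line is constructed to exercise
# the non-legit branch; it is not in the original log.
FSS_SAMPLE = r"""Farbar Service Scanner Version: 16-06-2013
Ran by User one (administrator) on 23-06-2013 at 13:01:02
Microsoft Windows XP Service Pack 3 (X86)
****************************************************************

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore Disabled Policy:
========================


Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\constructed-example.dll => CONSTRUCTED: hash mismatch

**** End of log ****
"""

# Message shapes as they appear in the log above (assumed stable across runs).
POLICY_KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
POLICY_VAL_RE = re.compile(r'^"([^"]+)"=(\w+):(\S+)$')
NOT_RUNNING_RE = re.compile(r'^(\w+) Service is not running\.')
START_TYPE_RE = re.compile(r'^The start type of (\w+) service is set to (\w+)\. '
                           r'The default start type is (\w+)\.$')
FILE_CHECK_RE = re.compile(r'^(.+?) => (.+)$')


def _is_rule(s: str) -> bool:
    """A run of '=' characters underlines every FSS section header."""
    return bool(s) and set(s) == {"="}


def parse_fss(text: str) -> dict:
    """Walk the log once, tracking the current section, and collect
    policy keys, per-service state and file-check results."""
    report = {"policies": [], "services": {}, "files": []}
    section, current_key = None, None
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line:
            continue
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if _is_rule(nxt):                      # this line is a section header
            section, current_key = line.rstrip(":"), None
            continue
        if _is_rule(line):                     # the underline itself
            continue
        m = POLICY_KEY_RE.match(line)
        if m and section and section.endswith("Disabled Policy"):
            current_key = m.group(1)           # a policy key FSS found present
            continue
        m = POLICY_VAL_RE.match(line)
        if m and current_key:
            report["policies"].append({"section": section, "key": current_key,
                                       "name": m.group(1), "value": m.group(3)})
            continue
        m = NOT_RUNNING_RE.match(line)
        if m:
            report["services"].setdefault(m.group(1), {})["running"] = False
            continue
        m = START_TYPE_RE.match(line)
        if m:
            svc = report["services"].setdefault(m.group(1), {})
            svc["start"], svc["default"] = m.group(2), m.group(3)
            continue
        if section == "File Check":
            m = FILE_CHECK_RE.match(line)
            if m:
                report["files"].append((m.group(1), m.group(2)))
    return report


def findings(report: dict) -> List[str]:
    """Reduce the parsed report to the lines a helper would act on."""
    out: List[str] = []
    for p in report["policies"]:
        out.append(f"policy: {p['section']}: {p['name']}={p['value']} under {p['key']}")
    for name, svc in sorted(report["services"].items()):
        if svc.get("running") is False:
            out.append(f"service: {name} is not running")
        if "start" in svc and svc["start"] != svc["default"]:
            out.append(f"service: {name} start type {svc['start']} (default {svc['default']})")
    for path, status in report["files"]:
        if status != "MD5 is legit":
            out.append(f"file: {path}: {status}")
    return out


if __name__ == "__main__":
    for line in findings(parse_fss(FSS_SAMPLE)):
        print(line)
```

Run against the log as posted, the output is the firewall policy key, the two BITS lines and nothing under File Check, which is exactly what the later posts in this thread act on; a policy section that is empty in the log (System Restore, Windows Autoupdate) produces no finding because FSS prints nothing under it.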
Gringo-

Still cannot enable malicious website blocking. FSS text follows:

Farbar Service Scanner Version: 16-06-2013
Ran by User one (administrator) on 23-06-2013 at 20:51:08
Running from "C:\Documents and Settings\User one\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============


Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) SYMTDI(8) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****


  • Staff

Hello jaymac

Malwarebytes Anti-Rootkit

1. Download Malwarebytes Anti-Rootkit

2. Unzip the contents to a folder in a convenient location.

3. Open the folder where the contents were unzipped and run mbar.exe

4. Follow the instructions in the wizard to update and allow the program to scan your computer for threats.

5. Click on the Cleanup button to remove any threats and reboot if prompted to do so.

6. Wait while the system shuts down and the cleanup process is performed.

7. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.

8. If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

  • Internet access
  • Windows Update
  • Windows Firewall

9. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.

10. Verify that your system is now functioning normally.

Please download aswMBR to your desktop.

  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
When you are complete please send me both reports

Gringo


Gringo-

Rootkit found and repaired nothing (first posting). Everything works, still unable to select "Enable Malicious...".

aswMBR.txt follows MBAM rootkit report. Thanks again!

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.06.24.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
User one :: NEW042408 [administrator]

6/24/2013 6:38:13 PM
mbar-log-2013-06-24 (18-38-13).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 257997
Time elapsed: 15 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

____________________________________________________________________________________________

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-06-24 19:01:35
-----------------------------
19:01:35.703 OS Version: Windows 5.1.2600 Service Pack 3
19:01:35.703 Number of processors: 2 586 0xF0D
19:01:35.703 ComputerName: NEW042408 UserName: User one
19:01:37.062 Initialize success
19:07:27.843 AVAST engine defs: 13062402
19:07:44.171 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
19:07:44.171 Disk 0 Vendor: Hitachi_HDS721616PLA380 P22OABEA Size: 152627MB BusType: 3
19:07:44.171 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-22
19:07:44.171 Disk 1 Vendor: Hitachi_HDT725025VLA380 V5DOA7EA Size: 238475MB BusType: 3
19:07:44.218 Disk 0 MBR read successfully
19:07:44.234 Disk 0 MBR scan
19:07:44.234 Disk 0 Windows XP default MBR code
19:07:44.234 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152617 MB offset 63
19:07:44.250 Disk 0 scanning sectors +312560640
19:07:44.265 Disk 0 scanning C:\WINDOWS\system32\drivers
19:07:55.109 Service scanning
19:08:10.250 Modules scanning
19:08:16.250 Disk 0 trace - called modules:
19:08:16.265 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
19:08:16.265 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a733ab8]
19:08:16.265 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000073[0x8a748268]
19:08:16.265 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x8a736b00]
19:08:16.875 AVAST engine scan C:\WINDOWS
19:08:31.906 AVAST engine scan C:\WINDOWS\system32
19:10:57.468 AVAST engine scan C:\WINDOWS\system32\drivers
19:11:13.312 AVAST engine scan C:\Documents and Settings\User one
19:17:41.156 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User one\Desktop\MBR.dat"
19:17:41.156 The log file has been saved successfully to "C:\Documents and Settings\User one\Desktop\aswMBR.txt"
19:20:36.234 AVAST engine scan C:\Documents and Settings\All Users
19:22:57.734 Scan finished successfully
19:23:12.671 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User one\Desktop\MBR.dat"
19:23:12.671 The log file has been saved successfully to "C:\Documents and Settings\User one\Desktop\aswMBR.txt"


  • Staff

Hello jaymac

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Gringo

Gringo - thanks again. FRST below and Addition attached:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 01-07-2013 01
Ran by User one (administrator) on 01-07-2013 07:31:40
Running from C:\Documents and Settings\User one\Desktop
Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(CA) C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
(CA) C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
(CA) C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
(CA) C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
(Acronis) C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
(Acronis) C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
(Acronis) C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
(Lexmark International, Inc.) C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
(Lexmark International, Inc.) C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Acronis) C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
( ) C:\WINDOWS\system32\lxczcoms.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
(Symantec Corporation) C:\Program Files\Norton Security Suite\Engine\20.3.1.22\ccSvcHst.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
() C:\WINDOWS\system32\PSIService.exe
(Symantec Corporation) C:\Program Files\Norton Security Suite\Engine\20.3.1.22\ccSvcHst.exe
(Protexis Inc.) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Secunia) C:\Program Files\Secunia\PSI\sua.exe
() C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jucheck.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [2595480 2007-09-07] (Acronis)
HKLM\...\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe [905056 2007-09-07] (Acronis)
HKLM\...\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [140568 2007-09-07] (Acronis)
HKLM\...\Run: [intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [1532760 2011-06-15] (Intuit Inc. All rights reserved.)
HKLM\...\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [74672 2007-02-08] (Lexmark International, Inc.)
HKLM\...\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s [295856 2007-02-08] ()
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [13895272 2011-05-21] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login [x]
HKLM\...\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet [1632360 2011-05-05] ()
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [253816 2013-03-12] (Oracle Corporation)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-01-28] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152392 2013-02-20] (Apple Inc.)
HKLM\...\RunOnce: [A0] cmd /c "C:\Documents and Settings\User one\Desktop\MBAM 06.2013\mbar-1.06.0.1004\mbar\mbar.exe" /r /s [769096 2013-06-01] (Malwarebytes Corporation)
Winlogon\Notify\PFW: UmxWnp.Dll (CA)
HKCR\...0c966feabec1\InprocServer32: [Default-shell32] %SystemRoot%\system32\shdocvw.dll ATTENTION! ====> ZeroAccess?
HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] %SystemRoot%\system32\SHELL32.dll ATTENTION! ====> ZeroAccess?

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\coIEPlg.dll (Symantec Corporation)
BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\coIEPlg.dll (Symantec Corporation)
Toolbar: HKCU -Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\coIEPlg.dll (Symantec Corporation)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler: ipp - No CLSID Value -
Handler: msdaipp - No CLSID Value -
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default

FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/JavaPlugin,version=10.21.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=14.0.8117.0416 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @RIM.com/WebSLLauncher,version=1.0 - C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: No Name - C:\Documents and Settings\User one\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
FF Extension: LogMeIn, Inc. Remote Access Plugin - C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\Extensions\LogMeInClient@logmein.com
FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF Extension: Default - C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\IPSFFPlgn\
FF Extension: Norton Vulnerability Protection - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\IPSFFPlgn\
FF HKLM\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\coFFPlgn\
FF Extension: Norton Toolbar - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\coFFPlgn\

========================== Services (Whitelisted) =================

R2 AcrSch2Svc; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [427288 2007-09-07] (Acronis)
R2 lxcz_device; C:\WINDOWS\system32\lxczcoms.exe [537520 2007-02-08] ( )
R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 N360; C:\Program Files\Norton Security Suite\Engine\20.3.1.22\diMaster.dll [554288 2013-03-29] (Symantec Corporation)
R2 nvUpdatusService; C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2214504 2011-05-21] (NVIDIA Corporation)
R2 ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [177704 2007-06-05] ()
S3 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [1328736 2012-09-24] (Secunia)
R2 Secunia Update Agent; C:\Program Files\Secunia\PSI\sua.exe [656480 2012-09-24] (Secunia)
R2 TryAndDecideService; C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [492600 2007-09-07] ()
R2 UmxAgent; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [887288 2009-08-04] (CA)
R2 UmxCfg; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [740160 2010-08-24] (CA)
R2 UmxFwHlp; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe [150008 2009-07-31] (CA)
R2 UmxPol; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe [301648 2010-09-17] (CA)
S3 AppMgmt; %SystemRoot%\System32\appmgmts.dll [x]
S3 CaCCProvSP; "C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe" [x]
S2 ccSchedulerSVC; C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe [x]
S4 HidServ; %SystemRoot%\System32\hidserv.dll [x]
R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf" [x]

==================== Drivers (Whitelisted) ====================

R1 BHDrvx86; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130620.001\BHDrvx86.sys [1002072 2013-05-31] (Symantec Corporation)
R1 ccSet_N360; C:\Windows\system32\drivers\N360\1403010.016\ccSetx86.sys [134304 2012-11-15] (Symantec Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2013-06-15] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2013-06-15] (Symantec Corporation)
R3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-13] (Windows ® Server 2003 DDK provider)
R3 IDSxpx86; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130628.001\IDSxpx86.sys [373728 2013-06-14] (Symantec Corporation)
R1 KmxAgent; C:\Windows\System32\DRIVERS\kmxagent.sys [79864 2010-03-22] (CA)
R2 KmxCF; C:\Windows\System32\DRIVERS\KmxCF.sys [146000 2010-09-24] (CA)
R3 KmxCfg; C:\Windows\System32\DRIVERS\kmxcfg.sys [244304 2010-06-09] (CA)
R1 KmxFile; C:\Windows\System32\DRIVERS\KmxFile.sys [61008 2010-09-24] (CA)
R1 KmxFw; C:\Windows\System32\DRIVERS\kmxfw.sys [115792 2010-09-24] (CA)
R2 KmxSbx; C:\Windows\System32\DRIVERS\KmxSbx.sys [61008 2010-09-24] (CA)
R0 KmxStart; C:\Windows\System32\DRIVERS\kmxstart.sys [108112 2010-05-03] (CA)
R3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [35144 2013-06-24] ()
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
R3 NAVENG; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130630.003\NAVENG.SYS [93272 2013-06-15] (Symantec Corporation)
R3 NAVEX15; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130630.003\NAVEX15.SYS [1611992 2013-06-15] (Symantec Corporation)
S3 PSI; C:\Windows\System32\DRIVERS\psi_mf.sys [15544 2011-12-16] (Secunia)
S3 sfng32; C:\Windows\System32\drivers\sfng32.sys [41728 2005-12-02] (Sonic Focus, Inc)
S3 SONYPVU1; C:\Windows\System32\DRIVERS\SONYPVU1.SYS [7552 2001-08-17] (Sony Corporation)
R3 SRTSP; C:\Windows\System32\Drivers\N360\1403010.016\SRTSP.SYS [602712 2013-01-28] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\N360\1403010.016\SRTSPX.SYS [32344 2013-01-28] (Symantec Corporation)
R3 STHDA; C:\Windows\System32\drivers\sthda.sys [1271032 2008-04-10] (IDT, Inc.)
R0 SymDS; C:\Windows\System32\drivers\N360\1403010.016\SYMDS.SYS [367704 2013-01-21] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\N360\1403010.016\SYMEFA.SYS [934488 2013-01-30] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [142496 2013-06-15] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\N360\1403010.016\Ironx86.SYS [175264 2012-07-27] (Symantec Corporation)
R1 SYMTDI; C:\Windows\System32\Drivers\N360\1403010.016\SYMTDI.SYS [394656 2012-07-22] (Symantec Corporation)
R0 tdrpman; C:\Windows\System32\DRIVERS\tdrpman.sys [368736 2008-11-06] (Acronis)
R2 tifsfilter; C:\Windows\System32\DRIVERS\tifsfilt.sys [44384 2008-11-06] (Acronis)
S3 catchme; \??\C:\DOCUME~1\USERON~1\LOCALS~1\Temp\catchme.sys [x]
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
S4 IntelIde; No ImagePath
S3 lmimirr; system32\DRIVERS\lmimirr.sys [x]
S2 MCSTRM; No ImagePath
U3 TlntSvr;
U3 aswMBR; \??\C:\DOCUME~1\USERON~1\LOCALS~1\Temp\aswMBR.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-07-01 07:31 - 2013-07-01 07:31 - 00000000 ____D C:\FRST
2013-07-01 07:30 - 2013-07-01 07:30 - 01372463 ____A (Farbar) C:\Documents and Settings\User one\Desktop\FRST.exe
2013-06-24 18:38 - 2013-06-24 18:53 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-06-24 18:36 - 2013-06-24 18:36 - 00035144 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
2013-06-23 09:11 - 2013-06-23 09:11 - 00000000 ____D C:\Documents and Settings\User one\Application Data\Malwarebytes
2013-06-23 09:10 - 2013-06-23 09:10 - 00000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2013-06-23 09:10 - 2013-04-04 14:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-06-22 10:35 - 2013-06-22 10:35 - 00000000 ____D C:\_OTL
2013-06-21 18:57 - 2013-07-01 07:31 - 00000000 ____D C:\Documents and Settings\User one\Desktop\MBAM 06.2013
2013-06-16 19:15 - 2013-06-16 19:15 - 00001288 ____A C:\AdwCleaner[s2].txt
2013-06-16 19:14 - 2013-06-16 19:14 - 00001377 ____A C:\AdwCleaner[R1].txt
2013-06-16 18:59 - 2013-06-16 18:59 - 00000000 __HDC C:\Windows\$NtUninstallKB2808679$
2013-06-16 18:57 - 2013-06-16 18:59 - 00009348 ____A C:\Windows\KB2808679.log
2013-06-16 18:57 - 2013-06-16 18:58 - 00006684 ____A C:\Windows\KB2598845-IE8.log
2013-06-16 18:47 - 2013-06-16 18:48 - 00003485 ____A C:\Windows\ie8Uninst.log
2013-06-16 14:07 - 2013-06-16 14:18 - 00000000 ____D C:\Qoobox
2013-06-16 14:07 - 2013-06-16 14:17 - 00000000 ____D C:\Windows\erdnt
2013-06-16 14:07 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe
2013-06-16 14:07 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe
2013-06-16 14:07 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00212480 ____A (SteelWerX) C:\Windows\SWXCACLS.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe
2013-06-16 10:09 - 2013-06-16 10:58 - 00000000 ____D C:\JRT
2013-06-16 10:09 - 2013-06-16 10:09 - 00000000 ____D C:\Windows\ERUNT
2013-06-15 18:50 - 2013-06-15 19:26 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-06-15 18:50 - 2013-06-15 18:50 - 00142496 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS
2013-06-15 18:50 - 2013-06-15 18:50 - 00007446 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT
2013-06-15 18:50 - 2013-06-15 18:50 - 00000000 ____D C:\Program Files\Symantec
2013-06-15 18:49 - 2013-06-16 10:05 - 00000000 ____D C:\Windows\System32\Drivers\N360
2013-06-15 18:49 - 2013-06-15 18:49 - 00000000 ____D C:\Program Files\Norton Security Suite
2013-06-15 18:45 - 2013-06-15 18:45 - 00001736 ____A C:\Documents and Settings\User one\TmInstall.log
2013-06-15 18:41 - 2013-06-15 18:41 - 00004272 ____A C:\Windows\System32\TmInstall.log
2013-06-15 18:38 - 2013-06-15 18:38 - 00000000 ____D C:\Documents and Settings\User one\My Documents\Symantec
2013-06-15 18:37 - 2013-06-15 18:51 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2013-06-15 18:37 - 2013-06-15 18:37 - 00000000 ____D C:\Documents and Settings\All Users\Documents\Norton
2013-06-15 18:23 - 2013-06-15 18:23 - 00000176 ____A C:\Documents and Settings\User one\Desktop\Malwarebytes#2 Desktop.txt
2013-06-15 15:44 - 2013-06-15 15:44 - 00065536 ____A C:\Windows\Minidump\Mini061513-01.dmp
2013-06-14 10:16 - 2013-06-14 10:16 - 00000000 __HDC C:\Windows\$NtUninstallKB2839229$
2013-06-14 10:13 - 2013-06-14 10:13 - 00010954 ____A C:\Windows\KB2838727-IE8.log
2013-06-14 10:12 - 2013-06-14 10:16 - 00013933 ____A C:\Windows\KB2839229.log

==================== One Month Modified Files and Folders ========

2013-07-01 07:31 - 2013-07-01 07:31 - 00000000 ____D C:\FRST
2013-07-01 07:31 - 2013-06-21 18:57 - 00000000 ____D C:\Documents and Settings\User one\Desktop\MBAM 06.2013
2013-07-01 07:30 - 2013-07-01 07:30 - 01372463 ____A (Farbar) C:\Documents and Settings\User one\Desktop\FRST.exe
2013-06-30 13:16 - 2008-04-24 01:12 - 01914330 ____A C:\Windows\WindowsUpdate.log
2013-06-29 08:47 - 2010-02-04 21:38 - 00000284 ____A C:\Windows\Tasks\AppleSoftwareUpdate.job
2013-06-24 18:59 - 2006-02-28 08:00 - 00002422 ____A C:\Windows\System32\wpa.dbl
2013-06-24 18:53 - 2013-06-24 18:38 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-06-24 18:36 - 2013-06-24 18:36 - 00035144 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
2013-06-23 20:48 - 2008-04-24 21:04 - 00000159 ____A C:\Windows\wiadebug.log
2013-06-23 20:48 - 2008-04-24 21:04 - 00000049 ____A C:\Windows\wiaservc.log
2013-06-23 20:47 - 2011-07-28 19:10 - 00000062 __ASH C:\Documents and Settings\UpdatusUser\Local Settings\desktop.ini
2013-06-23 20:47 - 2008-04-24 01:21 - 00000062 __ASH C:\Documents and Settings\User one\Local Settings\desktop.ini
2013-06-23 20:47 - 2008-04-24 01:16 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2013-06-23 20:47 - 2008-04-24 01:16 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-23 20:47 - 2008-04-24 01:15 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2013-06-23 20:46 - 2010-10-30 10:41 - 01284069 ____A C:\Windows\System32\Drivers\kmxcfg.u2k1
2013-06-23 20:46 - 2010-10-30 10:41 - 00000373 ____A C:\Windows\System32\Drivers\kmxzone.u2k1
2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k7
2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k6
2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k5
2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k4
2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k3
2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k2
2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k0
2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k7
2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k6
2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k5
2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k4
2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k3
2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k2
2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k0
2013-06-23 20:46 - 2010-06-24 17:05 - 00977836 ____A C:\Windows\System32\Drivers\KmxAgent.asc
2013-06-23 20:46 - 2008-04-24 01:21 - 00000178 ___SH C:\Documents and Settings\User one\ntuser.ini
2013-06-23 20:46 - 2008-04-24 01:16 - 00032498 ____A C:\Windows\SchedLgU.Txt
2013-06-23 09:11 - 2013-06-23 09:11 - 00000000 ____D C:\Documents and Settings\User one\Application Data\Malwarebytes
2013-06-23 09:10 - 2013-06-23 09:10 - 00000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2013-06-22 10:35 - 2013-06-22 10:35 - 00000000 ____D C:\_OTL
2013-06-16 19:37 - 2008-10-06 21:20 - 00000000 ____D C:\Windows\Microsoft.NET
2013-06-16 19:15 - 2013-06-16 19:15 - 00001288 ____A C:\AdwCleaner[s2].txt
2013-06-16 19:14 - 2013-06-16 19:14 - 00001377 ____A C:\AdwCleaner[R1].txt
2013-06-16 19:05 - 2008-04-24 21:02 - 00582984 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-16 18:59 - 2013-06-16 18:59 - 00000000 __HDC C:\Windows\$NtUninstallKB2808679$
2013-06-16 18:59 - 2013-06-16 18:57 - 00009348 ____A C:\Windows\KB2808679.log
2013-06-16 18:59 - 2008-05-19 04:50 - 00246872 ____A C:\Windows\updspapi.log
2013-06-16 18:59 - 2008-04-24 21:02 - 02554192 ____A C:\Windows\FaxSetup.log
2013-06-16 18:59 - 2008-04-24 21:02 - 01228157 ____A C:\Windows\ocgen.log
2013-06-16 18:59 - 2008-04-24 21:02 - 00976928 ____A C:\Windows\tsoc.log
2013-06-16 18:59 - 2008-04-24 21:02 - 00847570 ____A C:\Windows\comsetup.log
2013-06-16 18:59 - 2008-04-24 21:02 - 00512700 ____A C:\Windows\ntdtcsetup.log
2013-06-16 18:59 - 2008-04-24 21:02 - 00402633 ____A C:\Windows\iis6.log
2013-06-16 18:59 - 2008-04-24 21:02 - 00139595 ____A C:\Windows\ocmsn.log
2013-06-16 18:59 - 2008-04-24 21:02 - 00127606 ____A C:\Windows\msgsocm.log
2013-06-16 18:59 - 2008-04-24 21:02 - 00001374 ____A C:\Windows\imsins.log
2013-06-16 18:59 - 2008-04-24 21:01 - 00346454 ____A C:\Windows\setupapi.log
2013-06-16 18:58 - 2013-06-16 18:57 - 00006684 ____A C:\Windows\KB2598845-IE8.log
2013-06-16 18:58 - 2011-06-30 21:02 - 00000000 ____D C:\Windows\ie8updates
2013-06-16 18:58 - 2008-04-24 21:02 - 00001374 ____A C:\Windows\imsins.BAK
2013-06-16 18:58 - 2008-04-24 01:31 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Microsoft Help
2013-06-16 18:57 - 2008-04-24 01:13 - 00000000 ____D C:\Windows\$hf_mig$
2013-06-16 18:48 - 2013-06-16 18:47 - 00003485 ____A C:\Windows\ie8Uninst.log
2013-06-16 14:18 - 2013-06-16 14:07 - 00000000 ____D C:\Qoobox
2013-06-16 14:17 - 2013-06-16 14:07 - 00000000 ____D C:\Windows\erdnt
2013-06-16 14:16 - 2006-02-28 08:00 - 00000227 ____A C:\Windows\system.ini
2013-06-16 10:58 - 2013-06-16 10:09 - 00000000 ____D C:\JRT
2013-06-16 10:09 - 2013-06-16 10:09 - 00000000 ____D C:\Windows\ERUNT
2013-06-16 10:05 - 2013-06-15 18:49 - 00000000 ____D C:\Windows\System32\Drivers\N360
2013-06-16 10:03 - 2013-05-05 13:45 - 00412106 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-725345543-1454471165-682003330-1004-0.dat
2013-06-16 10:03 - 2013-05-05 12:09 - 00207098 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2013-06-15 19:26 - 2013-06-15 18:50 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-06-15 19:05 - 2013-05-05 12:00 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Sonos,_Inc
2013-06-15 18:54 - 2013-05-05 12:00 - 00001700 ____A C:\Documents and Settings\All Users\Desktop\Sonos.lnk
2013-06-15 18:54 - 2013-05-05 12:00 - 00000000 ____D C:\Program Files\Sonos
2013-06-15 18:54 - 2013-05-05 11:59 - 00000000 ____D C:\Documents and Settings\User one\Local Settings\Application Data\Downloaded Installations
2013-06-15 18:51 - 2013-06-15 18:37 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2013-06-15 18:50 - 2013-06-15 18:50 - 00142496 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS
2013-06-15 18:50 - 2013-06-15 18:50 - 00007446 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT
2013-06-15 18:50 - 2013-06-15 18:50 - 00000000 ____D C:\Program Files\Symantec
2013-06-15 18:49 - 2013-06-15 18:49 - 00000000 ____D C:\Program Files\Norton Security Suite
2013-06-15 18:45 - 2013-06-15 18:45 - 00001736 ____A C:\Documents and Settings\User one\TmInstall.log
2013-06-15 18:44 - 2008-05-19 04:51 - 00000000 ___DC C:\Windows\$NtUninstallKB920213$
2013-06-15 18:41 - 2013-06-15 18:41 - 00004272 ____A C:\Windows\System32\TmInstall.log
2013-06-15 18:40 - 2011-07-04 09:55 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Trend Micro
2013-06-15 18:38 - 2013-06-15 18:38 - 00000000 ____D C:\Documents and Settings\User one\My Documents\Symantec
2013-06-15 18:37 - 2013-06-15 18:37 - 00000000 ____D C:\Documents and Settings\All Users\Documents\Norton
2013-06-15 18:23 - 2013-06-15 18:23 - 00000176 ____A C:\Documents and Settings\User one\Desktop\Malwarebytes#2 Desktop.txt
2013-06-15 15:52 - 2008-04-24 01:11 - 00000000 ____D C:\Windows\System32\Restore
2013-06-15 15:44 - 2013-06-15 15:44 - 00065536 ____A C:\Windows\Minidump\Mini061513-01.dmp
2013-06-15 15:44 - 2010-07-12 02:35 - 00000000 ____D C:\Windows\Minidump
2013-06-15 15:44 - 2008-04-24 20:54 - 380952576 ____A C:\Windows\MEMORY.DMP
2013-06-14 10:16 - 2013-06-14 10:16 - 00000000 __HDC C:\Windows\$NtUninstallKB2839229$
2013-06-14 10:16 - 2013-06-14 10:12 - 00013933 ____A C:\Windows\KB2839229.log
2013-06-14 10:14 - 2008-05-19 04:50 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-06-14 10:13 - 2013-06-14 10:13 - 00010954 ____A C:\Windows\KB2838727-IE8.log

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

Addition.txt
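The "Bamital & volsnap Check" at the end of the FRST log above is a file-integrity check: FRST hashes a fixed set of core Windows binaries (explorer.exe, winlogon.exe, svchost.exe, services.exe, User32.dll, userinit.exe and the volsnap.sys driver) and compares each MD5 against a known-good value for the installed OS build, because file infectors of the Bamital family patch exactly these binaries in place and some driver rootkits replace volsnap.sys. The script below is an added example that reproduces the shape of that check; it is not FRST's code and FRST's actual whitelist source is not shown on this page. The baseline here is a constructed dict, the "system files" are written to a temporary directory, and the file list, function names and the injected-stub bytes are assumptions made for the demo. MD5 is kept only so the verdict wording matches the log; a new tool should record SHA-256. Two caveats a practitioner should keep in mind: a hash check only detects on-disk modification, not in-memory patching, and the baseline must match the exact service-pack and hotfix level or every Windows Update will produce a false mismatch.

```python
"""Baseline integrity check in the spirit of FRST's "Bamital & volsnap Check".

Added example, not FRST's own code. The known-good digests are a constructed
baseline and the files live in a temp directory so the check runs offline.
"""
import hashlib
import os
import tempfile

# Files FRST reports on in the log above. On a real host the known-good digests
# must come from a trusted catalog for the exact OS/service-pack/hotfix level.
CRITICAL_FILES = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\winlogon.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\services.exe",
    r"C:\Windows\System32\User32.dll",
    r"C:\Windows\System32\userinit.exe",
    r"C:\Windows\System32\Drivers\volsnap.sys",
]


def file_digest(path, algo="md5"):
    """Hex digest of a file, read in 64 KiB chunks so large binaries are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_files(baseline, algo="md5"):
    """baseline: {path: expected_hexdigest}. Returns {path: verdict}.

    Verdicts use FRST-style wording: '<ALGO> is legit' when the digest matches,
    otherwise an ATTENTION line carrying the observed digest or 'file missing'.
    """
    verdicts = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            verdicts[path] = "ATTENTION: file missing"
            continue
        actual = file_digest(path, algo)
        if actual.lower() == expected.lower():
            verdicts[path] = f"{algo.upper()} is legit"
        else:
            verdicts[path] = f"ATTENTION: {algo.upper()} mismatch ({actual})"
    return verdicts


def demo():
    """Constructed scenario: baseline two clean files, then patch one of them.

    Returns verdicts keyed by file name so the outcome is easy to inspect.
    """
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "winlogon.exe")
        patched = os.path.join(d, "explorer.exe")
        missing = os.path.join(d, "volsnap.sys")
        for p in (clean, patched):
            with open(p, "wb") as f:
                # Constructed stand-in for a PE image: MZ header plus a body.
                f.write(b"MZ" + b"\x00" * 62 + b"clean-binary-body")
        # Baseline recorded while both files were still clean.
        baseline = {p: file_digest(p) for p in (clean, patched)}
        baseline[missing] = "0" * 32  # constructed entry; the file never existed
        # Simulate a Bamital-style infector appending a code stub to explorer.exe.
        with open(patched, "ab") as f:
            f.write(b"\xe8\x00\x00\x00\x00 injected stub")
        return {os.path.basename(k): v for k, v in check_files(baseline).items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name} => {verdict}")
```

Run stand-alone, the demo prints one line per file in the same form as the log: winlogon.exe is reported legit, explorer.exe gets an ATTENTION line with the digest of the patched file, and volsnap.sys is reported missing. Pointing `check_files` at `CRITICAL_FILES` on a real Windows host only makes sense with a baseline captured from a known-clean install at the same patch level.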
