Cannot Enable Malicious Website Blocking


Hello jaymac

I need you to download this script I have made for you --> fixlist.txt

It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow).

Run FRST again but this time press the Fix button just once and wait.

When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file to your reply.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Gringo

Gringo - Fixlog.txt follows:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 01-07-2013 01
Ran by User one at 2013-07-01 11:11:01 Run:1
Running from C:\Documents and Settings\User one\Desktop
Boot Mode: Normal

==============================================

HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} => Key not found.
HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} => Key not found.

==== End of Fixlog ====

Gringo - Re-run of FRST.txt follows:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 01-07-2013 01
Ran by User one (administrator) on 01-07-2013 13:12:22
Running from C:\Documents and Settings\User one\Desktop
Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(CA) C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
(CA) C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
(CA) C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
(CA) C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
(Acronis) C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
(Acronis) C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
(Acronis) C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
(Lexmark International, Inc.) C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
(Lexmark International, Inc.) C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Acronis) C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
( ) C:\WINDOWS\system32\lxczcoms.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
(Symantec Corporation) C:\Program Files\Norton Security Suite\Engine\20.3.1.22\ccSvcHst.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
() C:\WINDOWS\system32\PSIService.exe
(Symantec Corporation) C:\Program Files\Norton Security Suite\Engine\20.3.1.22\ccSvcHst.exe
(Protexis Inc.) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Secunia) C:\Program Files\Secunia\PSI\sua.exe
() C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jucheck.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [2595480 2007-09-07] (Acronis)
HKLM\...\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe [905056 2007-09-07] (Acronis)
HKLM\...\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [140568 2007-09-07] (Acronis)
HKLM\...\Run: [intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [1532760 2011-06-15] (Intuit Inc. All rights reserved.)
HKLM\...\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [74672 2007-02-08] (Lexmark International, Inc.)
HKLM\...\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s [295856 2007-02-08] ()
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [13895272 2011-05-21] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login [x]
HKLM\...\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet [1632360 2011-05-05] ()
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [253816 2013-03-12] (Oracle Corporation)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-01-28] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152392 2013-02-20] (Apple Inc.)
HKLM\...\RunOnce: [A0] cmd /c "C:\Documents and Settings\User one\Desktop\MBAM 06.2013\mbar-1.06.0.1004\mbar\mbar.exe" /r /s [769096 2013-06-01] (Malwarebytes Corporation)
Winlogon\Notify\PFW: UmxWnp.Dll (CA)
HKCR\...0c966feabec1\InprocServer32: [Default-shell32] %SystemRoot%\system32\shdocvw.dll ATTENTION! ====> ZeroAccess?
HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] %SystemRoot%\system32\SHELL32.dll ATTENTION! ====> ZeroAccess?

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\coIEPlg.dll (Symantec Corporation)
BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\coIEPlg.dll (Symantec Corporation)
Toolbar: HKCU -Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\20.3.1.22\coIEPlg.dll (Symantec Corporation)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler: ipp - No CLSID Value -
Handler: msdaipp - No CLSID Value -
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default

FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/JavaPlugin,version=10.21.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=14.0.8117.0416 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @RIM.com/WebSLLauncher,version=1.0 - C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: No Name - C:\Documents and Settings\User one\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
FF Extension: LogMeIn, Inc. Remote Access Plugin - C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\Extensions\LogMeInClient@logmein.com
FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF Extension: Default - C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\IPSFFPlgn\
FF Extension: Norton Vulnerability Protection - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\IPSFFPlgn\
FF HKLM\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\coFFPlgn\
FF Extension: Norton Toolbar - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\coFFPlgn\

========================== Services (Whitelisted) =================

R2 AcrSch2Svc; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [427288 2007-09-07] (Acronis)
R2 lxcz_device; C:\WINDOWS\system32\lxczcoms.exe [537520 2007-02-08] ( )
R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 N360; C:\Program Files\Norton Security Suite\Engine\20.3.1.22\diMaster.dll [554288 2013-03-29] (Symantec Corporation)
R2 nvUpdatusService; C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2214504 2011-05-21] (NVIDIA Corporation)
R2 ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [177704 2007-06-05] ()
S3 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [1328736 2012-09-24] (Secunia)
R2 Secunia Update Agent; C:\Program Files\Secunia\PSI\sua.exe [656480 2012-09-24] (Secunia)
R2 TryAndDecideService; C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [492600 2007-09-07] ()
R2 UmxAgent; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [887288 2009-08-04] (CA)
R2 UmxCfg; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [740160 2010-08-24] (CA)
R2 UmxFwHlp; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe [150008 2009-07-31] (CA)
R2 UmxPol; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe [301648 2010-09-17] (CA)
S3 AppMgmt; %SystemRoot%\System32\appmgmts.dll [x]
S3 CaCCProvSP; "C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe" [x]
S2 ccSchedulerSVC; C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe [x]
S4 HidServ; %SystemRoot%\System32\hidserv.dll [x]
R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf" [x]

==================== Drivers (Whitelisted) ====================

R1 BHDrvx86; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130620.001\BHDrvx86.sys [1002072 2013-05-31] (Symantec Corporation)
R1 ccSet_N360; C:\Windows\system32\drivers\N360\1403010.016\ccSetx86.sys [134304 2012-11-15] (Symantec Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2013-06-15] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2013-06-15] (Symantec Corporation)
R3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-13] (Windows ® Server 2003 DDK provider)
R3 IDSxpx86; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130628.001\IDSxpx86.sys [373728 2013-06-14] (Symantec Corporation)
R1 KmxAgent; C:\Windows\System32\DRIVERS\kmxagent.sys [79864 2010-03-22] (CA)
R2 KmxCF; C:\Windows\System32\DRIVERS\KmxCF.sys [146000 2010-09-24] (CA)
R3 KmxCfg; C:\Windows\System32\DRIVERS\kmxcfg.sys [244304 2010-06-09] (CA)
R1 KmxFile; C:\Windows\System32\DRIVERS\KmxFile.sys [61008 2010-09-24] (CA)
R1 KmxFw; C:\Windows\System32\DRIVERS\kmxfw.sys [115792 2010-09-24] (CA)
R2 KmxSbx; C:\Windows\System32\DRIVERS\KmxSbx.sys [61008 2010-09-24] (CA)
R0 KmxStart; C:\Windows\System32\DRIVERS\kmxstart.sys [108112 2010-05-03] (CA)
R3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [35144 2013-06-24] ()
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
R3 NAVENG; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130701.001\NAVENG.SYS [93272 2013-06-15] (Symantec Corporation)
R3 NAVEX15; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130701.001\NAVEX15.SYS [1611992 2013-06-15] (Symantec Corporation)
S3 PSI; C:\Windows\System32\DRIVERS\psi_mf.sys [15544 2011-12-16] (Secunia)
S3 sfng32; C:\Windows\System32\drivers\sfng32.sys [41728 2005-12-02] (Sonic Focus, Inc)
S3 SONYPVU1; C:\Windows\System32\DRIVERS\SONYPVU1.SYS [7552 2001-08-17] (Sony Corporation)
R3 SRTSP; C:\Windows\System32\Drivers\N360\1403010.016\SRTSP.SYS [602712 2013-01-28] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\N360\1403010.016\SRTSPX.SYS [32344 2013-01-28] (Symantec Corporation)
R3 STHDA; C:\Windows\System32\drivers\sthda.sys [1271032 2008-04-10] (IDT, Inc.)
R0 SymDS; C:\Windows\System32\drivers\N360\1403010.016\SYMDS.SYS [367704 2013-01-21] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\N360\1403010.016\SYMEFA.SYS [934488 2013-01-30] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [142496 2013-06-15] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\N360\1403010.016\Ironx86.SYS [175264 2012-07-27] (Symantec Corporation)
R1 SYMTDI; C:\Windows\System32\Drivers\N360\1403010.016\SYMTDI.SYS [394656 2012-07-22] (Symantec Corporation)
R0 tdrpman; C:\Windows\System32\DRIVERS\tdrpman.sys [368736 2008-11-06] (Acronis)
R2 tifsfilter; C:\Windows\System32\DRIVERS\tifsfilt.sys [44384 2008-11-06] (Acronis)
S3 catchme; \??\C:\DOCUME~1\USERON~1\LOCALS~1\Temp\catchme.sys [x]
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
S4 IntelIde; No ImagePath
S3 lmimirr; system32\DRIVERS\lmimirr.sys [x]
S2 MCSTRM; No ImagePath
U3 TlntSvr;
U3 aswMBR; \??\C:\DOCUME~1\USERON~1\LOCALS~1\Temp\aswMBR.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-07-01 11:10 - 2013-07-01 11:10 - 00000634 ____A C:\Documents and Settings\User one\Desktop\Dir 7.1.13 A.txt
2013-07-01 07:31 - 2013-07-01 07:31 - 00000000 ____D C:\FRST
2013-07-01 07:30 - 2013-07-01 07:30 - 01372463 ____A (Farbar) C:\Documents and Settings\User one\Desktop\FRST.exe
2013-06-24 18:38 - 2013-06-24 18:53 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-06-24 18:36 - 2013-06-24 18:36 - 00035144 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
2013-06-23 09:11 - 2013-06-23 09:11 - 00000000 ____D C:\Documents and Settings\User one\Application Data\Malwarebytes
2013-06-23 09:10 - 2013-06-23 09:10 - 00000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2013-06-23 09:10 - 2013-04-04 14:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-06-22 10:35 - 2013-06-22 10:35 - 00000000 ____D C:\_OTL
2013-06-21 18:57 - 2013-07-01 11:10 - 00000000 ____D C:\Documents and Settings\User one\Desktop\MBAM 06.2013
2013-06-16 19:15 - 2013-06-16 19:15 - 00001288 ____A C:\AdwCleaner[s2].txt
2013-06-16 19:14 - 2013-06-16 19:14 - 00001377 ____A C:\AdwCleaner[R1].txt
2013-06-16 18:59 - 2013-06-16 18:59 - 00000000 __HDC C:\Windows\$NtUninstallKB2808679$
2013-06-16 18:57 - 2013-06-16 18:59 - 00009348 ____A C:\Windows\KB2808679.log
2013-06-16 18:57 - 2013-06-16 18:58 - 00006684 ____A C:\Windows\KB2598845-IE8.log
2013-06-16 18:47 - 2013-06-16 18:48 - 00003485 ____A C:\Windows\ie8Uninst.log
2013-06-16 14:07 - 2013-06-16 14:18 - 00000000 ____D C:\Qoobox
2013-06-16 14:07 - 2013-06-16 14:17 - 00000000 ____D C:\Windows\erdnt
2013-06-16 14:07 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe
2013-06-16 14:07 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe
2013-06-16 14:07 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00212480 ____A (SteelWerX) C:\Windows\SWXCACLS.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe
2013-06-16 14:07 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe
2013-06-16 10:09 - 2013-06-16 10:58 - 00000000 ____D C:\JRT
2013-06-16 10:09 - 2013-06-16 10:09 - 00000000 ____D C:\Windows\ERUNT
2013-06-15 18:50 - 2013-06-15 19:26 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-06-15 18:50 - 2013-06-15 18:50 - 00142496 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS
2013-06-15 18:50 - 2013-06-15 18:50 - 00007446 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT
2013-06-15 18:50 - 2013-06-15 18:50 - 00000000 ____D C:\Program Files\Symantec
2013-06-15 18:49 - 2013-06-16 10:05 - 00000000 ____D C:\Windows\System32\Drivers\N360
2013-06-15 18:49 - 2013-06-15 18:49 - 00000000 ____D C:\Program Files\Norton Security Suite
2013-06-15 18:45 - 2013-06-15 18:45 - 00001736 ____A C:\Documents and Settings\User one\TmInstall.log
2013-06-15 18:41 - 2013-06-15 18:41 - 00004272 ____A C:\Windows\System32\TmInstall.log
2013-06-15 18:38 - 2013-06-15 18:38 - 00000000 ____D C:\Documents and Settings\User one\My Documents\Symantec
2013-06-15 18:37 - 2013-06-15 18:51 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2013-06-15 18:37 - 2013-06-15 18:37 - 00000000 ____D C:\Documents and Settings\All Users\Documents\Norton
2013-06-15 18:23 - 2013-06-15 18:23 - 00000176 ____A C:\Documents and Settings\User one\Desktop\Malwarebytes#2 Desktop.txt
2013-06-15 15:44 - 2013-06-15 15:44 - 00065536 ____A C:\Windows\Minidump\Mini061513-01.dmp
2013-06-14 10:16 - 2013-06-14 10:16 - 00000000 __HDC C:\Windows\$NtUninstallKB2839229$
2013-06-14 10:13 - 2013-06-14 10:13 - 00010954 ____A C:\Windows\KB2838727-IE8.log
2013-06-14 10:12 - 2013-06-14 10:16 - 00013933 ____A C:\Windows\KB2839229.log

==================== One Month Modified Files and Folders ========

2013-07-01 11:10 - 2013-07-01 11:10 - 00000634 ____A C:\Documents and Settings\User one\Desktop\Dir 7.1.13 A.txt
2013-07-01 11:10 - 2013-06-21 18:57 - 00000000 ____D C:\Documents and Settings\User one\Desktop\MBAM 06.2013
2013-07-01 10:11 - 2008-04-24 01:12 - 01924438 ____A C:\Windows\WindowsUpdate.log
2013-07-01 07:31 - 2013-07-01 07:31 - 00000000 ____D C:\FRST
2013-07-01 07:30 - 2013-07-01 07:30 - 01372463 ____A (Farbar) C:\Documents and Settings\User one\Desktop\FRST.exe
2013-06-29 08:47 - 2010-02-04 21:38 - 00000284 ____A C:\Windows\Tasks\AppleSoftwareUpdate.job
2013-06-24 18:59 - 2006-02-28 08:00 - 00002422 ____A C:\Windows\System32\wpa.dbl
2013-06-24 18:53 - 2013-06-24 18:38 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-06-24 18:36 - 2013-06-24 18:36 - 00035144 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
2013-06-23 20:48 - 2008-04-24 21:04 - 00000159 ____A C:\Windows\wiadebug.log
2013-06-23 20:48 - 2008-04-24 21:04 - 00000049 ____A C:\Windows\wiaservc.log
2013-06-23 20:47 - 2011-07-28 19:10 - 00000062 __ASH C:\Documents and Settings\UpdatusUser\Local Settings\desktop.ini
2013-06-23 20:47 - 2008-04-24 01:21 - 00000062 __ASH C:\Documents and Settings\User one\Local Settings\desktop.ini
2013-06-23 20:47 - 2008-04-24 01:16 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2013-06-23 20:47 - 2008-04-24 01:16 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-23 20:47 - 2008-04-24 01:15 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2013-06-23 20:46 - 2010-10-30 10:41 - 01284069 ____A C:\Windows\System32\Drivers\kmxcfg.u2k1
2013-06-23 20:46 - 2010-10-30 10:41 - 00000373 ____A C:\Windows\System32\Drivers\kmxzone.u2k1
2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k7
2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k6
2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k5
2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k4
2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k3
2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k2
2013-06-23 20:46 - 2010-10-30 10:41 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k0
2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k7
2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k6
2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k5
2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k4
2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k3
2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k2
2013-06-23 20:46 - 2010-10-30 10:41 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k0
2013-06-23 20:46 - 2010-06-24 17:05 - 00977836 ____A C:\Windows\System32\Drivers\KmxAgent.asc
2013-06-23 20:46 - 2008-04-24 01:21 - 00000178 ___SH C:\Documents and Settings\User one\ntuser.ini
2013-06-23 20:46 - 2008-04-24 01:16 - 00032498 ____A C:\Windows\SchedLgU.Txt
2013-06-23 09:11 - 2013-06-23 09:11 - 00000000 ____D C:\Documents and Settings\User one\Application Data\Malwarebytes
2013-06-23 09:10 - 2013-06-23 09:10 - 00000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-06-23 09:10 - 2013-06-23 09:10 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2013-06-22 10:35 - 2013-06-22 10:35 - 00000000 ____D C:\_OTL
2013-06-16 19:37 - 2008-10-06 21:20 - 00000000 ____D C:\Windows\Microsoft.NET
2013-06-16 19:15 - 2013-06-16 19:15 - 00001288 ____A C:\AdwCleaner[s2].txt
2013-06-16 19:14 - 2013-06-16 19:14 - 00001377 ____A C:\AdwCleaner[R1].txt
2013-06-16 19:05 - 2008-04-24 21:02 - 00582984 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-16 18:59 - 2013-06-16 18:59 - 00000000 __HDC C:\Windows\$NtUninstallKB2808679$
2013-06-16 18:59 - 2013-06-16 18:57 - 00009348 ____A C:\Windows\KB2808679.log
2013-06-16 18:59 - 2008-05-19 04:50 - 00246872 ____A C:\Windows\updspapi.log
2013-06-16 18:59 - 2008-04-24 21:02 - 02554192 ____A C:\Windows\FaxSetup.log
2013-06-16 18:59 - 2008-04-24 21:02 - 01228157 ____A C:\Windows\ocgen.log
2013-06-16 18:59 - 2008-04-24 21:02 - 00976928 ____A C:\Windows\tsoc.log
2013-06-16 18:59 - 2008-04-24 21:02 - 00847570 ____A C:\Windows\comsetup.log
2013-06-16 18:59 - 2008-04-24 21:02 - 00512700 ____A C:\Windows\ntdtcsetup.log
2013-06-16 18:59 - 2008-04-24 21:02 - 00402633 ____A C:\Windows\iis6.log
2013-06-16 18:59 - 2008-04-24 21:02 - 00139595 ____A C:\Windows\ocmsn.log
2013-06-16 18:59 - 2008-04-24 21:02 - 00127606 ____A C:\Windows\msgsocm.log
2013-06-16 18:59 - 2008-04-24 21:02 - 00001374 ____A C:\Windows\imsins.log
2013-06-16 18:59 - 2008-04-24 21:01 - 00346454 ____A C:\Windows\setupapi.log
2013-06-16 18:58 - 2013-06-16 18:57 - 00006684 ____A C:\Windows\KB2598845-IE8.log
2013-06-16 18:58 - 2011-06-30 21:02 - 00000000 ____D C:\Windows\ie8updates
2013-06-16 18:58 - 2008-04-24 21:02 - 00001374 ____A C:\Windows\imsins.BAK
2013-06-16 18:58 - 2008-04-24 01:31 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Microsoft Help
2013-06-16 18:57 - 2008-04-24 01:13 - 00000000 ____D C:\Windows\$hf_mig$
2013-06-16 18:48 - 2013-06-16 18:47 - 00003485 ____A C:\Windows\ie8Uninst.log
2013-06-16 14:18 - 2013-06-16 14:07 - 00000000 ____D C:\Qoobox
2013-06-16 14:17 - 2013-06-16 14:07 - 00000000 ____D C:\Windows\erdnt
2013-06-16 14:16 - 2006-02-28 08:00 - 00000227 ____A C:\Windows\system.ini
2013-06-16 10:58 - 2013-06-16 10:09 - 00000000 ____D C:\JRT
2013-06-16 10:09 - 2013-06-16 10:09 - 00000000 ____D C:\Windows\ERUNT
2013-06-16 10:05 - 2013-06-15 18:49 - 00000000 ____D C:\Windows\System32\Drivers\N360
2013-06-16 10:03 - 2013-05-05 13:45 - 00412106 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-725345543-1454471165-682003330-1004-0.dat
2013-06-16 10:03 - 2013-05-05 12:09 - 00207098 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2013-06-15 19:26 - 2013-06-15 18:50 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-06-15 19:05 - 2013-05-05 12:00 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Sonos,_Inc
2013-06-15 18:54 - 2013-05-05 12:00 - 00001700 ____A C:\Documents and Settings\All Users\Desktop\Sonos.lnk
2013-06-15 18:54 - 2013-05-05 12:00 - 00000000 ____D C:\Program Files\Sonos
2013-06-15 18:54 - 2013-05-05 11:59 - 00000000 ____D C:\Documents and Settings\User one\Local Settings\Application Data\Downloaded Installations
2013-06-15 18:51 - 2013-06-15 18:37 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2013-06-15 18:50 - 2013-06-15 18:50 - 00142496 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS
2013-06-15 18:50 - 2013-06-15 18:50 - 00007446 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT
2013-06-15 18:50 - 2013-06-15 18:50 - 00000000 ____D C:\Program Files\Symantec
2013-06-15 18:49 - 2013-06-15 18:49 - 00000000 ____D C:\Program Files\Norton Security Suite
2013-06-15 18:45 - 2013-06-15 18:45 - 00001736 ____A C:\Documents and Settings\User one\TmInstall.log
2013-06-15 18:44 - 2008-05-19 04:51 - 00000000 ___DC C:\Windows\$NtUninstallKB920213$
2013-06-15 18:41 - 2013-06-15 18:41 - 00004272 ____A C:\Windows\System32\TmInstall.log
2013-06-15 18:40 - 2011-07-04 09:55 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Trend Micro
2013-06-15 18:38 - 2013-06-15 18:38 - 00000000 ____D C:\Documents and Settings\User one\My Documents\Symantec
2013-06-15 18:37 - 2013-06-15 18:37 - 00000000 ____D C:\Documents and Settings\All Users\Documents\Norton
2013-06-15 18:23 - 2013-06-15 18:23 - 00000176 ____A C:\Documents and Settings\User one\Desktop\Malwarebytes#2 Desktop.txt
2013-06-15 15:52 - 2008-04-24 01:11 - 00000000 ____D C:\Windows\System32\Restore
2013-06-15 15:44 - 2013-06-15 15:44 - 00065536 ____A C:\Windows\Minidump\Mini061513-01.dmp
2013-06-15 15:44 - 2010-07-12 02:35 - 00000000 ____D C:\Windows\Minidump
2013-06-15 15:44 - 2008-04-24 20:54 - 380952576 ____A C:\Windows\MEMORY.DMP
2013-06-14 10:16 - 2013-06-14 10:16 - 00000000 __HDC C:\Windows\$NtUninstallKB2839229$
2013-06-14 10:16 - 2013-06-14 10:12 - 00013933 ____A C:\Windows\KB2839229.log
2013-06-14 10:14 - 2008-05-19 04:50 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-06-14 10:13 - 2013-06-14 10:13 - 00010954 ____A C:\Windows\KB2838727-IE8.log

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

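Added example, not part of this thread and not FRST or Malwarebytes code: the review Gringo is doing by eye on the Fixlog.txt and FRST.txt above can be scripted. The Python below parses both formats, surfaces FRST's own "ATTENTION! ====> ZeroAccess?" flags, entries whose file is missing ("[x]" or "No ImagePath"), binaries with no publisher, and drivers registered under a Temp folder, and then pairs the re-scan's flagged CLSIDs against the fixlog, which in this thread reports the targeted HKCU keys as "Key not found" while the re-scan still shows the same two CLSID tails under HKCR. The rule set, the severity names and the embedded sample lines (a few lines copied from the logs above, not a complete log) are this example's own assumptions.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) logs.

Added example for this thread, not part of FRST or of any Malwarebytes tool:
it scripts the by-eye review of FRST.txt / Fixlog.txt. The rules, severity
names and the embedded sample lines are this example's own assumptions.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

SEVERITIES = ("high", "medium", "low")  # assumed scale, highest first

@dataclass(frozen=True)
class Finding:
    severity: str
    reason: str
    line: str

_RULES = (
    # FRST itself marks an entry it considers suspicious; review these first.
    ("high", "flagged by FRST (ATTENTION)", re.compile(r"ATTENTION!")),
    # "[x]" means the file the entry points to is not on disk: an orphan from
    # an uninstall, or a removed payload that is still registered.
    ("medium", "target file missing ([x])", re.compile(r"\[x\]\s*$")),
    ("medium", "service/driver has no ImagePath", re.compile(r";\s*No ImagePath\s*$")),
    # Kernel drivers under a Temp folder deserve a look even when they are
    # remnants of scanning tools (catchme, aswMBR).
    ("medium", "driver path under Temp", re.compile(r"\\Temp\\[^\\]+\.sys", re.I)),
    # FRST prints the company name from version info in parentheses;
    # "()" or "( )" means the binary carries none.
    ("low", "no publisher in version info", re.compile(r"\(\s*\)\s*$")),
)
_FIXLOG_LINE = re.compile(r"^(?P<target>.+?)\s*=>\s*(?P<result>.+?)\.?\s*$")

def triage(frst_text: str) -> list[Finding]:
    """One Finding per matching rule per log line, highest severity first."""
    found = []
    for raw in frst_text.splitlines():
        line = raw.strip()
        # Skip section headers and the MD5 check lines, which report "legit".
        if not line or line.startswith("=") or line.endswith("MD5 is legit"):
            continue
        found += [Finding(sev, why, line) for sev, why, rx in _RULES if rx.search(line)]
    return sorted(found, key=lambda f: SEVERITIES.index(f.severity))

def parse_fixlog(fixlog_text: str) -> dict[str, str]:
    """Map each Fixlog.txt target (left of '=>') to the result FRST reported."""
    results = {}
    for raw in fixlog_text.splitlines():
        m = _FIXLOG_LINE.match(raw.strip())
        if m:
            results[m.group("target")] = m.group("result")
    return results

def unresolved_after_fix(frst_text: str, fixlog_text: str) -> list[Finding]:
    """High findings in a re-scan whose key the fix reported as 'Key not found'.

    FRST abbreviates CLSID keys to their last 12 hex digits ("...0c966feabec1"),
    so the match is on that tail against the full GUIDs in the fixlog targets.
    """
    not_found = [t.lower() for t, r in parse_fixlog(fixlog_text).items()
                 if r.lower() == "key not found"]
    out = []
    for f in triage(frst_text):
        m = re.search(r"\.\.\.([0-9a-f]{12})\\", f.line, re.I)
        if f.severity == "high" and m and any(
                t.endswith(m.group(1).lower() + "}") for t in not_found):
            out.append(f)
    return out

# Constructed sample: a few lines copied from the FRST.txt and Fixlog.txt
# posted in this thread, not a complete log.
SAMPLE_FRST = r"""
HKLM\...\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login [x]
HKCR\...0c966feabec1\InprocServer32: [Default-shell32] %SystemRoot%\system32\shdocvw.dll ATTENTION! ====> ZeroAccess?
HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] %SystemRoot%\system32\SHELL32.dll ATTENTION! ====> ZeroAccess?
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 ccSchedulerSVC; "C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe" [x]
S3 catchme; \??\C:\DOCUME~1\USERON~1\LOCALS~1\Temp\catchme.sys [x]
S2 MCSTRM; No ImagePath
R2 ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [177704 2007-06-05] ()
C:\Windows\System32\services.exe => MD5 is legit
"""
SAMPLE_FIXLOG = r"""
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 01-07-2013 01
==============================================
HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} => Key not found.
HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} => Key not found.
==== End of Fixlog ====
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_FRST):
        print(f"{f.severity:6} {f.reason:32} {f.line}")
    for f in unresolved_after_fix(SAMPLE_FRST, SAMPLE_FIXLOG):
        print("still flagged after fix:", f.line)
```

Run it as a script for a printed triage of the sample, or import it and call triage() and unresolved_after_fix() on the text of a real FRST.txt and Fixlog.txt. The "[x]" findings are often just orphaned uninstall entries (the CA firewall services here, for instance), so they still need a human decision before anything goes into a fixlist; the point of the last function is only to make sure a "Key not found" result is not mistaken for a successful removal when the re-scan still flags the same CLSID.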
HitmanPro

  • Please download HitmanPro.
  • Launch the program by double clicking on the HitmanPro icon. (Windows Vista/7 users: right click on the HitmanPro icon and select Run as administrator.)
  • Click on the next button. You must agree with the terms of EULA.
  • Check the box beside "No, I only want to perform a one-time scan to check this computer".
  • Click on the next button.
  • The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.
  • When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!
  • Click on the next button.
  • Click on the "Export scan results to XML file".
  • Save that file to your desktop and zip and attach it in your next reply.
Gringo -

Hitman found no entries. Clicking on next button did NOT take me to screen with "Export scan results to XML file" option. Clicking next again allowed me to save a log, but that was it.  

Wife apparently went into the computer to delete the programs she thought she had downloaded around the time the computer became infected (Taqgeditor and Fair CD Ripper). She saw the CA firewall still in there and tried to uninstall that. As a result, the computer started getting error messages and she tried to restore everything she had uninstalled (what is there not to understand about "do not touch the computer until it is fixed"?!).

 

Now getting an error message (apparently for all update checks):

 

The Instruction at "0x5ff3cbc2" referred at memory "0x0029fe8". The memory could not be "read". Click ok to terminate program.

 

This message is showing for:

  • mbamgui.exe
  • nwiz.exe
  • OtTask.exe
  • AdobeARM.exe
  • ADSDaemon.exe
  • Reader_s1.exe

 

The Hitman pro was downloaded and run after all of this. The log is as follows:

 

 

HitmanPro 3.7.6.201
www.hitmanpro.com

   Computer name . . . . : NEW042408
   Windows . . . . . . . : 5.1.3.2600.X86/2
   User name . . . . . . : NEW042408\User one
   License . . . . . . . : Free

   Scan date . . . . . . : 2013-07-03 09:27:14
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 5m 40s
   Disk access mode . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot . . . . . . . : No

   Threats . . . . . . . : 0
   Traces . . . . . . . : 148

   Objects scanned . . . : 659,526
   Files scanned . . . . : 29,376
   Remnants scanned . . : 143,737 files / 486,413 keys

Cookies _____________________________________________________________________

   C:\Documents and Settings\User one\Cookies\02C8L52D.txt
   C:\Documents and Settings\User one\Cookies\07678UJD.txt
   C:\Documents and Settings\User one\Cookies\2J4R9QNH.txt
   C:\Documents and Settings\User one\Cookies\2UMJDQLG.txt
   C:\Documents and Settings\User one\Cookies\4KUQ5H7L.txt
   C:\Documents and Settings\User one\Cookies\4QMLHSIW.txt
   C:\Documents and Settings\User one\Cookies\80RSYR4X.txt
   C:\Documents and Settings\User one\Cookies\8SDM2LC2.txt
   C:\Documents and Settings\User one\Cookies\AFT1Z9X7.txt
   C:\Documents and Settings\User one\Cookies\BKT1FTTA.txt
   C:\Documents and Settings\User one\Cookies\BTBZQ0X7.txt
   C:\Documents and Settings\User one\Cookies\HK3EUQ4O.txt
   C:\Documents and Settings\User one\Cookies\I22MPZUF.txt
   C:\Documents and Settings\User one\Cookies\I2M2ZJ65.txt
   C:\Documents and Settings\User one\Cookies\R59OQ1WE.txt
   C:\Documents and Settings\User one\Cookies\R6013630.txt
   C:\Documents and Settings\User one\Cookies\SCBSMFIY.txt
   C:\Documents and Settings\User one\Cookies\TWRFW3MS.txt
   C:\Documents and Settings\User one\Cookies\user one@excite[1].txt
   C:\Documents and Settings\User one\Cookies\UULSZCLE.txt
   C:\Documents and Settings\User one\Cookies\XIMDN6T0.txt

  • Staff

Hello

Let's see if this will fix what is wrong with the computer

Complete Internet Repair

  • Please download Complete Internet Repair 1.3.2.1322 (32Bit) from http://datumza.com/downloads/ and save it to your desktop

  • Double click the icon and select Run
  • Click Extract
  • Double click the Complete Internet Repair folder on your desktop
  • Double click the CIntRep.exe icon
  • Place a checkmark next to the following entries:
    • Reset Internet Protocol (TCP/IP)
    • Repair Winsock (Reset Catalog)
    • Renew Internet Connections
    • Flush DNS Resolver Cache
    • Repair Internet Explorer 6.0.2900
    • Clear Windows Update History
    • Repair Windows / Automatic Updates
    • Repair SSL / HTTPS / Cryptography
    • Reset Windows Firewall Configuration
    • Restore the default hosts file
    • Repair Workgroup Computers view
  • Click Go!
  • Ignore any error messages for now
  • Click OK to reboot your computer
  • Check your internet access
Please let me know if this worked

Gringo


Gringo-  

 

Thanks!  Ran repair. Have always had internet access, just getting that error message for all programs at computer startup, and again for each program as I open or close.  

 

Error message still continues.  While running fix kept getting error message "cannot find 'netsh' ".  Still cannot "enable ..." and when this last round of errors popped up, the "System Restore" could not restore to an earlier point.

 

Did I just make your headache worse?

 

Thanks again - Jeff


  • Staff

Download Windows Repair (all in one) from here.

Install the program then run

Go to step 3 and allow it to run SFC

[screenshot: Windows Repair, Step 3]

On the start repairs tab click start

[screenshot: Windows Repair, Start Repairs tab]

Select the following items and tick "restart system when finished":

  • Reset Registry Permissions
  • Reset File Permissions
  • Register System Files
  • Repair WMI
  • Repair Windows Firewall
  • Repair Internet Explorer
  • Repair Hosts File
  • Remove Policies Set By Infections
  • Repair Missing Start menu Icons
  • Repair Icons
  • Repair Winsock & DNS Cache
  • Remove Temp Files
  • Repair Proxy Settings
  • Unhide Non System Files
  • Repair Windows Updates
  • Set windows Services To Default
  • Repair MSI (windows Installer)
  • Repair File Associations
  • Repair windows Safe mode

After that come back and tell me if that has made a difference.

Gringo


Gringo-

 

SFC would not work. Claimed the disk I had in was not the right disk.  Ran repair.  Aforementioned error message kept preventing fix script from running properly.

 

Now, in addition to previous problems, I no longer have internet access (no servers can be located for any bookmarked pages), the Malwarebytes control panel will not open (runtime error), Norton shuts down (claims an error report to Microsoft is sent when the option is chosen), and worst of all, System Restore will not run and it will not read my recovery disk.


  • Staff

Hello jaymac

I would like you to download an updated version of combofix.

update combofix

  • Delete the version of combofix you have now on your desktop and download a new one from here. Note: It is important that it is saved directly to your desktop.

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Double click on combofix.exe & follow the prompts.

    When finished, it will produce a report for you.

    Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.

    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

Gringo-

 

Downloaded latest combofix to laptop, used thumbnail to transfer to infected computer.  Turned off MBAM, and Norton shuts itself down every time I boot due to the aforementioned runtime error.  Ran combofix, it said Norton AntiVirus was still running - with no way for me to stop it as the control panel will not open.  So I uninstalled Norton and continued with Combofix.  

 

During the run I continuously got the error "The Instruction at "0x5ff3cbc2" referred at memory "0x0029fe8". The memory could not be "read". Click ok to terminate program." 

 

The computer is still the same, MBAM will no longer open, no internet access and the error message above.

 

Combofix log follows but is probably useless: 

 

 

ComboFix 13-07-09.01 - User one 07/10/2013 14:05:24.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2045.1422 [GMT -4:00]
Running from: c:\documents and settings\User one\Desktop\ComboFix.exe
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((( Files Created from 2013-06-10 to 2013-07-10 )))))))))))))))))))))))))))))))
.
.
2013-07-09 21:56 . 2013-07-09 23:00 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-07-09 19:04 . 2013-07-09 21:50 181064 ----a-w- c:\windows\PSEXESVC.EXE
2013-07-09 18:58 . 2013-07-09 18:58 -------- d-----w- C:\RegBackup
2013-07-09 18:54 . 2001-08-18 02:36 102400 -c--a-w- c:\windows\system32\dllcache\binlsvc.dll
2013-07-09 18:53 . 2004-08-04 02:32 10880 -c--a-w- c:\windows\system32\dllcache\admjoy.sys
2013-07-09 18:52 . 2001-08-17 18:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2013-07-05 10:41 . 2013-07-05 10:41 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-07-05 10:41 . 2013-07-05 10:41 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-07-03 13:12 . 2013-07-03 13:12 -------- d-----w- c:\documents and settings\User one\Application Data\Malwarebytes
2013-07-03 13:05 . 2013-07-03 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-07-03 13:05 . 2013-07-03 13:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-07-03 13:05 . 2013-04-04 18:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-07-03 12:32 . 2013-07-03 12:51 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-07-01 11:31 . 2013-07-01 11:31 -------- d-----w- C:\FRST
2013-06-24 22:38 . 2013-06-24 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-06-22 14:35 . 2013-06-22 14:35 -------- d-----w- C:\_OTL
2013-06-16 14:09 . 2013-06-16 14:09 -------- d-----w- c:\windows\ERUNT
2013-06-16 14:09 . 2013-06-16 14:58 -------- d-----w- C:\JRT
2013-06-15 22:50 . 2013-07-10 18:01 -------- d-----w- c:\program files\Common Files\Symantec Shared
2013-06-15 22:49 . 2013-07-10 18:01 -------- d-----w- c:\program files\Norton Security Suite
2013-06-15 22:37 . 2013-06-15 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-05 10:41 . 2012-06-23 17:27 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-07-05 10:41 . 2010-08-03 00:28 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-01 03:48 . 2008-11-07 21:54 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2013-05-18 18:57 . 2013-05-18 18:57 715038 ----a-w- c:\windows\unins000.exe
2013-05-18 18:43 . 2012-05-02 23:34 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-18 18:43 . 2011-05-27 12:46 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-07 22:30 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-05-07 22:30 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-05-07 21:53 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-05-03 01:30 . 2006-02-28 12:00 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2004-08-03 22:59 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-08 2595480]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-08 905056]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-09-08 140568]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-15 1532760]
"lxczbmgr.exe"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 74672]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 295856]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
"NvMediaCenter"="NvMCTray.dll" [2011-05-21 111208]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-05 1632360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2009-03-27 19:27 79368 ----a-w- c:\windows\system32\UmxWNP.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\UmxSbxExw.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MBCameraMonitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MBCameraMonitor.lnk
backup=c:\windows\pss\MBCameraMonitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^User one^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\User one\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor]
2008-07-10 00:42 37888 ----a-w- c:\program files\Corel\Corel MediaOne\CorelIOMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2008-08-18 21:53 532808 ----a-w- c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
2006-09-21 14:36 9138176 ----a-w- c:\program files\Intel Audio Studio\IntelAudioStudio.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 08:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIMBBLaunchAgent.exe]
2011-02-18 15:47 79192 ----a-w- c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\lxczcoms.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Sonos\\Sonos.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [5/3/2010 2:12 AM 108112]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [3/22/2010 1:58 PM 79864]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [9/24/2010 11:16 AM 61008]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [9/24/2010 11:16 AM 115792]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [9/24/2010 11:16 AM 146000]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [9/24/2010 11:16 AM 61008]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [9/24/2012 8:46 AM 656480]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [8/4/2009 10:42 AM 887288]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [8/24/2010 12:07 PM 740160]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [9/17/2010 12:21 PM 301648]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [6/9/2010 6:54 AM 244304]
R4 BHDrvx86;BHDrvx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130702.001\BHDrvx86.sys --> c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130702.001\BHDrvx86.sys [?]
R4 ccSet_N360;Norton Security Suite Settings Manager;c:\windows\system32\drivers\N360\1403010.016\ccSetx86.sys --> c:\windows\system32\drivers\N360\1403010.016\ccSetx86.sys [?]
R4 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130706.002\IDSxpx86.sys --> c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130706.002\IDSxpx86.sys [?]
R4 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\1403010.016\SYMDS.SYS --> c:\windows\system32\drivers\N360\1403010.016\SYMDS.SYS [?]
R4 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\1403010.016\SYMEFA.SYS --> c:\windows\system32\drivers\N360\1403010.016\SYMEFA.SYS [?]
S2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe --> c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [?]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [7/3/2013 9:05 AM 418376]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/3/2013 9:05 AM 701512]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/3/2013 9:05 AM 22856]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/9/2013 5:56 PM 40776]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [12/16/2011 10:19 AM 15544]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [9/24/2012 8:46 AM 1328736]
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\

FF - ExtSQL: 2013-06-15 19:57; {BBDA0591-3099-440a-AA10-41764D9DB4DB}; c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\IPSFFPlgn
FF - ExtSQL: 2013-06-16 14:23; {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}; c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\coFFPlgn
FF - ExtSQL: !HIDDEN! 2010-08-19 20:14; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-54485046.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-10 14:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\UmxWnp.Dll
.
- - - - - - - > 'explorer.exe'(3712)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll
c:\windows\system32\WindowsPowerShell\v1.0\pwrshsip.dll
c:\program files\Microsoft Silverlight\xapauthenticodesip.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
Completion time: 2013-07-10 14:12:29
ComboFix-quarantined-files.txt 2013-07-10 18:12
ComboFix2.txt 2011-06-26 22:42
.
Pre-Run: 120,488,923,136 bytes free
Post-Run: 120,472,100,864 bytes free
.
- - End Of File - - 2A3691B054F1F827D0EF9E12A5CCDD11
8F558EB6672622401DA993E1E865C861


Gringo-

 

User Accounts in control panel does not function either by double clicking or right clicking and selecting open.

 

In trying to add the user through the command prompt, it messages -"'net' is not recognized as an internal or external command, operable program or batch file."

 

Getting an ax ready to put the pc out of its misery soon....


This topic is now closed to further replies.