Issue with Protection

[legaldeejay]

I have Windows XP.  Whenever I restart the computer, website blocking is disabled and I cannot re-enable it.   So then I exit MalwareBytes and restart the program.    Then all protection is disabled.   So then I check filesystem protection and everything is enabled again.   

 

I already posted this in the Malwarebytes Anti-Malware Help forum here: http://forums.malwarebytes.org/index.php?showtopic=128970&p=699986, but was told to come to this section.  I already attached several files in that post.

 

Thank you for your assistance.

[gringo_pr]

Hello legaldeejay

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

• Please do not run any tools unless instructed to do so.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
• Please do not attach logs or use code boxes, just copy and paste the text.
  • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
• Please read every post completely before doing anything.
  • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
• Please provide feedback about your experience as we go.
  • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

I need to get some reports to get a base to start from so I need you to run these programs first.

-Download DDS-

• Please download DDS from one of the links below and save it to your desktop:

  

  Download DDS and save it to your desktop

  Link1

  Link2

  Link3

  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Gringo

[legaldeejay]

Hi Gringo.   Here are the reports:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.15.2
Run by Andrew at 0:23:27 on 2013-07-08
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2036.1019 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ================
.
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\Common Files\Research In Motion\Tunnel Manager\PeerManager.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Documents and Settings\Andrew\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\Program Files\Common Files\Research In Motion\Tunnel Manager\mDNSResponder.exe
C:\Program Files\Common Files\Research In Motion\Tunnel Manager\tunmgr.exe
C:\Program Files\r2 Studios\HideOE\HideOE.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COPERN~1\DESKTO~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Downloaded Program Files\LMIGuardian.exe
C:\WINDOWS\System32\wudfhost.exe
C:\PROGRA~1\Creative\SHARED~1\QueManU.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IE to GetRight Helper: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - c:\program files\getright\xx2gr.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: WinZip Courier BHO: {A8FB70FA-0FDF-4601-9DC4-BFA1B357204F} - c:\program files\winzip courier\wzwmcie.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Copernic Desktop Search 2: {968631B6-4729-440D-9BF4-251F5593EC9A} - c:\program files\copernic desktop search 2\DesktopSearchBand203000018.dll
TB: Copernic Desktop Search 2: {968631B6-4729-440D-9BF4-251F5593EC9A} - c:\program files\copernic desktop search 2\DesktopSearchBand203000018.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: Copernic Desktop Search 2: {968631B6-4729-440D-9BF4-251F5593EC9A} - c:\program files\copernic desktop search 2\DesktopSearchBand203000018.dll
EB: Copernic Desktop Search 2: {9C3FCA1F-99E3-48F2-A7F4-DD3931B2F99A} - c:\program files\copernic desktop search 2\DesktopSearchBand203000018.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Copernic Desktop Search 2] "c:\program files\copernic desktop search 2\DesktopSearchService.exe" /tray
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [startupDelayer] "c:\program files\r2 studios\startup delayer\Startup Launcher.exe" /LaunchType=Auto /LaunchApps=Common
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [RIM PeerManager] "c:\program files\common files\research in motion\tunnel manager\PeerManager.exe"
mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\andrew\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\andrew\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\andrew\startm~1\programs\startup\outloo~1.lnk - c:\program files\outlook express\msimn.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.







TCP: Interfaces\{DD52E038-6A0E-43BC-8C88-3087CA9EA8D9} : DHCPNameServer = 192.168.0.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\27.0.1453.116\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\andrew\application data\mozilla\firefox\profiles\haz9lobr.default\

FF - prefs.js: network.proxy.ftp - 122.96.59.98
FF - prefs.js: network.proxy.ftp_port - 80
FF - prefs.js: network.proxy.gopher - 116.228.143.186
FF - prefs.js: network.proxy.gopher_port - 80
FF - prefs.js: network.proxy.http - 122.96.59.98
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.socks - 122.96.59.98
FF - prefs.js: network.proxy.socks_port - 80
FF - prefs.js: network.proxy.ssl - 122.96.59.98
FF - prefs.js: network.proxy.ssl_port - 80
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.149\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_169.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2013-06-16 08:55; jid0-zXo3XFGyiDalgkeEO4UYJTUwo2I@jetpack; c:\documents and settings\andrew\application data\mozilla\firefox\profiles\haz9lobr.default\extensions\jid0-zXo3XFGyiDalgkeEO4UYJTUwo2I@jetpack.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-3-6 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-3-6 175176]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-8-22 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-8-22 369584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-8-22 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-3-6 66336]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-8-22 46808]
R2 BlackBerry Device Manager;BlackBerry Device Manager;c:\program files\common files\research in motion\usb drivers\BbDevMgr.exe [2013-3-6 585728]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-5 701512]
R2 RIM MDNS;RIM MDNS;c:\program files\common files\research in motion\tunnel manager\mDNSResponder.exe [2013-6-4 389632]
R2 RIM Tunnel Service;BlackBerry Link Communication Manager;c:\program files\common files\research in motion\tunnel manager\tunmgr.exe [2013-6-4 1263616]
R3 acfva;acfva;c:\windows\system32\drivers\ACFVA32.sys [2012-8-16 86656]
R3 dgcfltr;DGC Filter Driver;c:\windows\system32\drivers\ACFDCP32.sys [2012-8-16 28928]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-22 22856]
R3 rimvndis;BlackBerry Virtual Private Network;c:\windows\system32\drivers\rimvndis.sys [2013-6-4 12800]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-9-10 418376]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2012-9-7 1691480]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2013-06-16 14:50:10 -------- d-----w- c:\documents and settings\andrew\application data\DefaultTab
2013-06-16 14:49:42 -------- d-----w- c:\documents and settings\all users\application data\Tarma Installer
2013-06-14 10:00:16 -------- d-----w- c:\documents and settings\andrew\application data\Research In Motion
2013-06-12 10:05:56 -------- d-----w- c:\documents and settings\andrew\application data\XCPCSync.OEM
2013-06-12 05:54:01 30592 -c--a-w- c:\windows\system32\dllcache\rndismpx.sys
2013-06-12 05:54:01 30592 ----a-w- c:\windows\system32\drivers\rndismpx.sys
2013-06-12 05:45:08 -------- d-----w- c:\documents and settings\andrew\local settings\application data\Research In Motion
2013-06-12 05:44:36 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2013-06-12 05:43:51 -------- d-----w- c:\documents and settings\all users\application data\Research In Motion
2013-06-12 05:42:45 -------- d-----w- c:\program files\common files\XCPCSync.OEM
.
==================== Find3M  ====================
.
2013-06-27 20:19:53 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-06-27 20:19:53 175176 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-06-04 21:12:30 12800 ----a-w- c:\windows\system32\drivers\rimvndis.sys
2013-05-23 13:56:48 507904 ----a-r- c:\windows\system32\btwapi.dll
2013-05-13 03:05:36 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-13 03:05:36 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-09 08:59:10 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-05-09 08:59:09 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-05-09 08:58:37 41664 ----a-w- c:\windows\avastSS.scr
2013-05-07 22:30:06 920064 ----a-w- c:\windows\system32\wininet.dll
2013-05-07 22:30:05 43520 ------w- c:\windows\system32\licmgr10.dll
2013-05-07 22:30:05 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-05-07 21:53:29 385024 ------w- c:\windows\system32\html.iec
2013-05-03 01:30:20 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38:17 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-04-10 01:31:19 1876352 ----a-w- c:\windows\system32\win32k.sys
2006-05-03 15:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 16:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 18:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
.
============= FINISH:  0:24:02.06 ===============
 

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 8/22/2011 8:56:16 PM
System Uptime: 7/7/2013 9:51:44 AM (15 hours ago)
.
Motherboard: Intel Corporation |  | DG31PR
Processor: Intel Pentium III Xeon processor | J3E1 | 3166/1333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 233 GiB total, 189.833 GiB free.
D: is CDROM ()
E: is CDROM (UDF1.02)
F: is FIXED (NTFS) - 233 GiB total, 123.608 GiB free.
Z: is NetworkDisk (NTFS) - 13 GiB total, 10.753 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP710: 4/9/2013 5:06:43 AM - System Checkpoint
RP711: 4/10/2013 5:55:00 AM - Software Distribution Service 3.0
RP712: 4/11/2013 7:15:58 AM - System Checkpoint
RP713: 4/12/2013 7:18:59 AM - System Checkpoint
RP714: 4/13/2013 7:22:20 AM - System Checkpoint
RP715: 4/13/2013 2:33:31 PM - Installed iTunes
RP716: 4/14/2013 3:53:57 PM - System Checkpoint
RP717: 4/15/2013 4:24:37 PM - System Checkpoint
RP718: 4/16/2013 5:24:36 PM - System Checkpoint
RP719: 4/17/2013 6:03:14 PM - System Checkpoint
RP720: 4/18/2013 6:14:54 PM - System Checkpoint
RP721: 4/19/2013 6:56:41 PM - System Checkpoint
RP722: 4/20/2013 11:33:47 AM - Revo Uninstaller's restore point - HP FWUpdateEDO2
RP723: 4/20/2013 11:34:47 AM - Revo Uninstaller's restore point - HP Deskjet 3520 series Basic Device Software
RP724: 4/20/2013 11:36:05 AM - Revo Uninstaller's restore point - HP Deskjet 3520 series Setup Guide
RP725: 4/20/2013 11:37:02 AM - Revo Uninstaller's restore point - HP Update
RP726: 4/20/2013 11:37:10 AM - Removed HP Update.
RP727: 4/20/2013 11:38:10 AM - Revo Uninstaller's restore point - HP Deskjet 3520 series Help
RP728: 4/20/2013 11:39:02 AM - Revo Uninstaller's restore point - HP Photo Creations
RP729: 4/20/2013 1:05:13 PM - Software Distribution Service 3.0
RP730: 4/21/2013 1:17:36 PM - System Checkpoint
RP731: 4/22/2013 2:09:52 PM - System Checkpoint
RP732: 4/23/2013 6:23:06 PM - System Checkpoint
RP733: 4/24/2013 8:03:54 PM - System Checkpoint
RP734: 4/25/2013 8:13:09 PM - System Checkpoint
RP735: 4/26/2013 8:43:10 PM - System Checkpoint
RP736: 4/27/2013 8:56:20 PM - System Checkpoint
RP737: 4/28/2013 9:05:44 PM - System Checkpoint
RP738: 4/30/2013 1:36:12 AM - System Checkpoint
RP739: 5/1/2013 1:57:21 AM - System Checkpoint
RP740: 5/2/2013 5:41:11 AM - System Checkpoint
RP741: 5/3/2013 6:49:28 AM - System Checkpoint
RP742: 5/4/2013 7:21:14 AM - System Checkpoint
RP743: 5/5/2013 8:06:59 AM - System Checkpoint
RP744: 5/6/2013 9:22:47 AM - System Checkpoint
RP745: 5/7/2013 9:58:11 AM - System Checkpoint
RP746: 5/8/2013 8:39:56 PM - System Checkpoint
RP747: 5/10/2013 2:32:51 AM - System Checkpoint
RP748: 5/11/2013 7:01:52 AM - System Checkpoint
RP749: 5/12/2013 2:58:41 PM - System Checkpoint
RP750: 5/13/2013 3:22:05 PM - System Checkpoint
RP751: 5/14/2013 3:27:50 PM - System Checkpoint
RP752: 5/15/2013 4:22:27 PM - System Checkpoint
RP753: 5/15/2013 8:59:39 PM - Software Distribution Service 3.0
RP754: 5/16/2013 9:56:45 PM - System Checkpoint
RP755: 5/18/2013 1:35:29 AM - System Checkpoint
RP756: 5/19/2013 2:06:47 AM - System Checkpoint
RP757: 5/19/2013 7:26:24 AM - Software Distribution Service 3.0
RP758: 5/20/2013 8:52:20 AM - System Checkpoint
RP759: 5/21/2013 9:17:37 AM - System Checkpoint
RP760: 5/22/2013 11:05:52 AM - System Checkpoint
RP761: 5/23/2013 11:10:13 AM - System Checkpoint
RP762: 5/24/2013 12:08:09 PM - System Checkpoint
RP763: 5/25/2013 1:03:15 PM - System Checkpoint
RP764: 5/25/2013 7:20:51 PM - Revo Uninstaller's restore point - Torque
RP765: 5/26/2013 11:37:36 PM - System Checkpoint
RP766: 5/28/2013 1:44:19 AM - System Checkpoint
RP767: 5/29/2013 1:56:07 AM - System Checkpoint
RP768: 5/30/2013 2:51:48 AM - System Checkpoint
RP769: 5/31/2013 3:23:38 AM - System Checkpoint
RP770: 6/1/2013 10:53:14 AM - System Checkpoint
RP771: 6/2/2013 11:39:06 AM - System Checkpoint
RP772: 6/3/2013 12:01:40 PM - System Checkpoint
RP773: 6/4/2013 12:09:30 PM - System Checkpoint
RP774: 6/5/2013 10:39:09 PM - System Checkpoint
RP775: 6/6/2013 10:56:12 PM - System Checkpoint
RP776: 6/7/2013 11:35:41 PM - System Checkpoint
RP777: 6/9/2013 12:36:27 AM - System Checkpoint
RP778: 6/10/2013 1:00:42 AM - System Checkpoint
RP779: 6/11/2013 1:14:33 AM - System Checkpoint
RP780: 6/11/2013 9:31:05 PM - Software Distribution Service 3.0
RP781: 6/12/2013 1:42:10 AM - Installed BlackBerry Link.
RP782: 6/13/2013 2:57:12 AM - Software Distribution Service 3.0
RP783: 6/13/2013 11:03:07 PM - Revo Uninstaller's restore point - BlackBerry Desktop Software 5.0
RP784: 6/13/2013 11:03:46 PM - Removed BlackBerry Desktop Software 5.0.
RP785: 6/13/2013 11:06:01 PM - Revo Uninstaller's restore point - BlackBerry Link
RP786: 6/13/2013 11:07:22 PM - Removed BlackBerry Link.
RP787: 6/14/2013 5:57:49 AM - Installed BlackBerry Link.
RP788: 6/15/2013 6:49:58 AM - System Checkpoint
RP789: 6/15/2013 9:49:25 AM - Revo Uninstaller's restore point - Torque
RP790: 6/16/2013 11:08:26 AM - Revo Uninstaller's restore point - DefaultTab
RP791: 6/16/2013 11:08:43 AM - Revo Uninstaller's restore point - DefaultTab
RP792: 6/16/2013 11:18:09 AM - Revo Uninstaller's restore point - Torque
RP793: 6/16/2013 11:18:54 AM - Revo Uninstaller's restore point - WebCake 3.00
RP794: 6/17/2013 12:05:55 PM - System Checkpoint
RP795: 6/18/2013 12:59:43 PM - System Checkpoint
RP796: 6/19/2013 8:47:48 PM - System Checkpoint
RP797: 6/21/2013 1:50:28 AM - System Checkpoint
RP798: 6/22/2013 2:22:50 AM - System Checkpoint
RP799: 6/23/2013 6:16:48 AM - System Checkpoint
RP800: 6/24/2013 6:53:36 AM - System Checkpoint
RP801: 6/25/2013 6:58:45 AM - System Checkpoint
RP802: 6/26/2013 6:27:22 AM - Revo Uninstaller's restore point - Torque
RP803: 6/26/2013 6:29:34 AM - Revo Uninstaller's restore point - Torque
RP804: 6/27/2013 7:06:35 AM - System Checkpoint
RP805: 6/28/2013 7:43:25 AM - System Checkpoint
RP806: 7/7/2013 1:38:35 AM - System Checkpoint
.
==== Installed Programs ======================
.
µTorrent
AC-3 ACM Codec
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.6)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
avast! Free Antivirus
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.4
BlackBerry Link
Bonjour
CCleaner
Compatibility Pack for the 2007 Office system
Copernic Desktop Search 2
Creative System Information
DivX Setup
DJ3525FWUpdateAlert
Dropbox
DVD Decrypter (Remove Only)
DVDStyler v1.7.4
eCopy Desktop 9.2
Effectrix 1.4
Exact Audio Copy 1.0beta2
File Writer output plugin for WinAMP 2 v1.21b (remove only)
Free Music Zilla
GEAR 32bit Driver Installer
GetRight
Google Chrome
Google Update Helper
HideOE v1.1 (build 12)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HP Deskjet 3520 series Basic Device Software
HP Deskjet 3520 series Help
HP Deskjet 3520 series Setup Guide
HP Photo Creations
HPDiagnosticAlert
ID3-TagIT 3
ImgBurn
Intel® Graphics Media Accelerator Driver
iTunes
Java 7 Update 15
Java Auto Updater
K-Lite Codec Pack 7.7.0 (Standard)
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Compact Framework 2.0 SP2
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2742597)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office File Validation Add-In
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
MixMeister Fusion 7.4.4
Mozilla Firefox 22.0 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
News Rover -- Usenet newsreader
OneTouch 4.0
Pantech USB Driver for Android phones ver1
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Recuva
Revo Uninstaller 1.94
Roxio Creator 9.1 XE
Roxio Drag-to-Disc
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB2817183)
Security Update for Windows Internet Explorer 8 (KB2829530)
Security Update for Windows Internet Explorer 8 (KB2838727)
Security Update for Windows Internet Explorer 8 (KB2847204)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2753842)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2808735)
Security Update for Windows XP (KB2813170)
Security Update for Windows XP (KB2813345)
Security Update for Windows XP (KB2820197)
Security Update for Windows XP (KB2820917)
Security Update for Windows XP (KB2829361)
Security Update for Windows XP (KB2839229)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Sonic Foundry Sound Forge 6.0e
Sonic Update Manager
Spybot - Search & Destroy
SpywareBlaster 5.0
Startup Delayer v3.0 (build 326)
Streamripper (Remove only)
SUPER © v2011.build.48 (April 23, 2011) version v2011.build.48
SureThing CD Labeler
SyncBack
Tag&Rename 3.1.5
Tweak UI
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB Modem
VC80CRTRedist - 8.0.50727.6195
Virtual DJ Pro Full - Atomix Productions
VirtualDJ PRO Full
VLC media player 2.0.7
WBFS Manager 3.0
WebFldrs XP
Winamp
Winamp Detector Plug-in
Winamp Essentials Pack
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer Clean Up
Windows Internet Explorer 8
Windows Media Format 11 runtime
WinRAR 4.01 (32-bit)
WinZip 15.5
WinZip Courier
WordPerfect Office 12
WordPerfect Office 12 - Small Business Edition Software Bundle
WordPerfect Office 12 - Small Business Edition, Task Manager
WordPerfect OfficeReady
XP Home Permissions Manager
ZEN Media Explorer
.
==== Event Viewer Messages From Past Week ========
.
7/7/2013 9:56:19 AM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
7/7/2013 9:56:19 AM, error: Service Control Manager [7000]  - The Application Layer Gateway Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
7/7/2013 9:55:23 AM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the BlackBerry Link Communication Manager service to connect.
7/7/2013 9:55:23 AM, error: Service Control Manager [7000]  - The BlackBerry Link Communication Manager service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
7/7/2013 9:49:56 AM, error: Service Control Manager [7034]  - The MBAMService service terminated unexpectedly.  It has done this 1 time(s).
7/7/2013 5:36:17 PM, error: MRxSmb [8003]  - The master browser has received a server announcement from the computer LAPTOP-DELL that believes that it is the master browser for the domain on transport NetBT_Tcpip_{DD52E038-6A0E-43. The master browser is stopping or an election is being forced.
.
==== End Of File ===========================
 

 

 

[gringo_pr]

Hello legaldeejay

These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click on Delete.
• Confirm each time with Ok.
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[s1].txt as well.

-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.

When they are complete let me have the two reports and let me know how things are running.

Gringo

[legaldeejay]

Ok, here are the results.  By the way, something I should have mentioned is that when the computer restarts, the MalwareBytes icon in the system tray is blue initially, and then it becomes gray.  

 

# AdwCleaner v2.304 - Logfile created 07/10/2013 at 22:12:37
# Updated 03/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Andrew - JNCSDESKTOP
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Andrew\Desktop\AdwCleaner.exe
# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

File Deleted : C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\j1ymxi4b.default\extensions\addon@defaulttab.com.xpi
Folder Deleted : C:\Documents and Settings\All Users\Application Data\InstallMate
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Premium
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Deleted : C:\Documents and Settings\Andrew\Application Data\DefaultTab

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\DefaultTab
Key Deleted : HKCU\Software\Default Tab
Key Deleted : HKCU\Software\Headlight
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AF6B0594-6008-4327-93E5-608AD710A6FA}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKLM\SOFTWARE\Classes\AppID\DefaultTabBHO.DLL
Key Deleted : HKLM\Software\Default Tab
Key Deleted : HKLM\Software\Headlight
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\Software\Tarma Installer

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v22.0 (en-US)

File : C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\haz9lobr.default\prefs.js

C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\haz9lobr.default\user.js ... Deleted !

Deleted : user_pref("extensions.proxytool.referers", "www.google.com,google.com,yahoo.com,bing.com,ask.com,cur[...]

File : C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\j1ymxi4b.default\prefs.js

C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\j1ymxi4b.default\user.js ... Deleted !

[OK] File is clean.

-\\ Google Chrome v27.0.1453.116

File : C:\Documents and Settings\Andrew\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[s1].txt - [3022 octets] - [10/07/2013 22:12:37]

########## EOF - C:\AdwCleaner[s1].txt - [3082 octets] ##########

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.0.6 (07.10.2013:3)
OS: Microsoft Windows XP x86
Ran by Andrew on Wed 07/10/2013 at 22:21:20.93
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6BC8E2B2-FC95-4C8A-9A7E-132CC385BF0A}

 

~~~ Files

 

~~~ Folders

 

~~~ FireFox

Successfully deleted: [File] "C:\Documents and Settings\Andrew\Application Data\mozilla\firefox\profiles\haz9lobr.default\extensions\jid0-BN7BWJJe8J1FsJ00Q6loA43AvyQ@jetpack.xpi"
Successfully deleted: [Folder] C:\Documents and Settings\Andrew\Application Data\mozilla\firefox\profiles\haz9lobr.default\extensions\LogMeInClient@logmein.com

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 07/10/2013 at 22:23:33.37
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[legaldeejay]

Something else too.   If I exit out of MalwareBytes completely by exiting from the system tray, when I restart the program, it opens but there is no icon in the system tray.  And all protection is disabled.   But when I check filesystem protection, both that and website blocking are enabled and the blue icon appears again in the system tray

[gringo_pr]

Hello legaldeejay

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

• Link 1

  Link 2

  Link 3

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

• In your next post I need the following
• Log from Combofix
• let me know of any problems you may have had
• How is the computer doing now?

Gringo

[legaldeejay]

OK, here is the logfile, but it's not fixed.   Still get the gray icon in system tray, have to exit, then restart program and check filesystem protection which enables all protection.   Do you see an infection?

 

ComboFix 13-07-09.01 - Andrew 07/10/2013  22:38:13.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2036.1374 [GMT -4:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\RAIDTest
c:\windows\system32\out.txt
c:\windows\system32\regobj.dll
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-11 to 2013-07-11  )))))))))))))))))))))))))))))))
.
.
2013-07-11 02:21 . 2013-07-11 02:21 -------- d-----w- c:\windows\ERUNT
2013-07-10 04:26 . 2013-07-10 04:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2013-06-14 10:00 . 2013-06-15 04:29 -------- d-----w- c:\documents and settings\Andrew\Application Data\Research In Motion
2013-06-12 10:05 . 2013-06-14 10:00 -------- d-----w- c:\documents and settings\Andrew\Application Data\XCPCSync.OEM
2013-06-12 05:54 . 2008-04-14 04:26 30592 -c--a-w- c:\windows\system32\dllcache\rndismpx.sys
2013-06-12 05:54 . 2008-04-14 04:26 30592 ----a-w- c:\windows\system32\drivers\rndismpx.sys
2013-06-12 05:45 . 2013-06-12 05:45 -------- d-----w- c:\documents and settings\Andrew\Local Settings\Application Data\Research In Motion
2013-06-12 05:44 . 2008-03-21 17:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2013-06-12 05:43 . 2013-06-12 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2013-06-12 05:42 . 2013-06-14 09:58 -------- d-----w- c:\program files\Common Files\XCPCSync.OEM
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-27 20:19 . 2013-03-06 04:51 175176 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-06-27 20:19 . 2011-08-23 01:43 369584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-06-27 20:19 . 2011-08-23 01:43 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-06-08 03:55 . 2008-04-14 04:07 385024 ------w- c:\windows\system32\html.iec
2013-06-07 21:56 . 2008-04-14 09:42 920064 ----a-w- c:\windows\system32\wininet.dll
2013-06-07 21:56 . 2008-04-14 09:41 43520 ------w- c:\windows\system32\licmgr10.dll
2013-06-07 21:56 . 2008-04-14 09:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-06-04 21:12 . 2013-06-04 21:12 12800 ----a-w- c:\windows\system32\drivers\rimvndis.sys
2013-06-04 07:23 . 2008-04-14 09:42 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40 . 2008-04-14 05:00 1876736 ----a-w- c:\windows\system32\win32k.sys
2013-05-23 13:56 . 2013-05-23 13:56 507904 ----a-r- c:\windows\system32\btwapi.dll
2013-05-13 03:05 . 2012-07-25 01:58 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-13 03:05 . 2011-08-23 03:59 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-09 08:59 . 2013-03-06 04:50 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-05-09 08:59 . 2011-08-23 01:43 56080 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-05-09 08:59 . 2013-03-06 04:50 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-05-09 08:59 . 2011-08-23 01:43 49760 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-05-09 08:59 . 2011-08-23 01:43 29816 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-05-09 08:58 . 2011-08-23 01:43 41664 ----a-w- c:\windows\avastSS.scr
2013-05-09 08:58 . 2011-08-23 01:43 229648 ----a-w- c:\windows\system32\aswBoot.exe
2013-05-09 04:28 . 2006-10-19 01:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-05-03 01:30 . 2008-04-14 04:54 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2008-04-14 00:01 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2006-05-03 15:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 16:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 18:30 216064 --sha-r- c:\windows\system32\nbDX.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-05-09 08:58 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-10 05:37 130736 ----a-w- c:\documents and settings\Andrew\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-10 05:37 130736 ----a-w- c:\documents and settings\Andrew\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-10 05:37 130736 ----a-w- c:\documents and settings\Andrew\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-10 05:37 130736 ----a-w- c:\documents and settings\Andrew\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Copernic Desktop Search 2"="c:\program files\Copernic Desktop Search 2\DesktopSearchService.exe" [2008-03-03 1583624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-05-09 4858968]
"StartupDelayer"="c:\program files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2013-03-07 1081856]
"RTHDCPL"="RTHDCPL.EXE" [2010-09-14 19576424]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2013-03-06 442896]
"RIM PeerManager"="c:\program files\Common Files\Research In Motion\Tunnel Manager\PeerManager.exe" [2013-06-04 4273664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
.
c:\documents and settings\Andrew\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Andrew\Application Data\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
Outlook Express.lnk - c:\program files\Outlook Express\msimn.exe [2011-8-22 60416]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PictureMover.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Snapfish PictureMover.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Snapfish PictureMover.lnk
backup=c:\windows\pss\Snapfish PictureMover.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^Dropbox.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^Free Music Zilla.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^Monitor Ink Alerts - HP Deskjet 3520 series.lnk]
path=c:\documents and settings\Andrew\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 3520 series.lnk
backup=c:\windows\pss\Monitor Ink Alerts - HP Deskjet 3520 series.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-03 07:35 946352 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-01-28 17:08 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTCheck]
2007-11-06 15:08 397312 ------w- c:\program files\Creative\ZEN Media Explorer\CTCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
2007-07-17 15:03 868352 ------w- c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2007-08-30 09:23 113136 ----a-w- c:\program files\Roxio\CinePlayer\DMXLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eCopy Scan Inbox Monitor]
2008-01-29 22:40 79112 ----a-w- c:\program files\eCopy\Desktop 9.2\Bin\InboxMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDP2eD]
2008-01-29 22:28 144648 ----a-w- c:\program files\eCopy\Desktop 9.2\Bin\eDP2eD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-07-12 04:00 162584 ----a-r- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2001-12-14 16:17 196608 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-07-12 04:00 142104 ----a-r- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2008-10-24 13:14 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2008-10-24 13:14 206112 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2008-10-24 13:14 79136 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-02-20 16:35 152392 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-07-12 04:00 138008 ----a-r- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2007-07-27 13:10 1133040 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-08-09 16:07 227824 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"c:\\Program Files\\Common Files\\Roxio Shared\\9.0\\SharedCOM\\RoxLiveShare9.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Andrew\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [3/6/2013 12:50 AM 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [3/6/2013 12:51 AM 175176]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/22/2011 9:43 PM 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/22/2011 9:43 PM 369584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/22/2011 9:43 PM 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [3/6/2013 12:50 AM 66336]
R2 BlackBerry Device Manager;BlackBerry Device Manager;c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [3/6/2013 3:24 PM 585728]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/10/2012 11:16 PM 418376]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/5/2012 8:05 AM 701512]
R2 RIM MDNS;RIM MDNS;c:\program files\Common Files\Research In Motion\Tunnel Manager\mDNSResponder.exe [6/4/2013 5:13 PM 389632]
R2 RIM Tunnel Service;BlackBerry Link Communication Manager;c:\program files\Common Files\Research In Motion\Tunnel Manager\tunmgr.exe [6/4/2013 5:13 PM 1263616]
R3 acfva;acfva;c:\windows\system32\drivers\ACFVA32.sys [8/16/2012 6:01 AM 86656]
R3 dgcfltr;DGC Filter Driver;c:\windows\system32\drivers\ACFDCP32.sys [8/16/2012 6:01 AM 28928]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/22/2011 9:48 PM 22856]
R3 rimvndis;BlackBerry Virtual Private Network;c:\windows\system32\drivers\rimvndis.sys [6/4/2013 5:12 PM 12800]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/7/2012 12:38 AM 1691480]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-20 19:03 1165776 ----a-w- c:\program files\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-10 c:\windows\Tasks\0day CD Pool Search.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-06-27 c:\windows\Tasks\Anti-Malware.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2011-08-23 18:50]
.
2013-07-07 c:\windows\Tasks\Avast Report.job
- c:\documents and settings\All Users\Application Data\AVAST Software\Avast\report\Full System Scan.txt [2012-03-26 02:13]
.
2013-07-11 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-07-01 08:58]
.
2013-06-18 c:\windows\Tasks\Beatport.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
2013-06-28 c:\windows\Tasks\CCleaner Update.job
- c:\program files\CCleaner\CCleaner.exe [2013-06-19 14:13]
.
2013-07-10 c:\windows\Tasks\CCleaner.job
- c:\program files\CCleaner\CCleaner.exe [2013-06-19 14:13]
.
2013-07-10 c:\windows\Tasks\CD Pool Usenet.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-07-09 c:\windows\Tasks\Crooklyn Clan DJZ.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-07-09 c:\windows\Tasks\Crooklyn Clan Soundarea.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
2013-07-10 c:\windows\Tasks\Crooklyn Clan TJ's.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
2013-07-08 c:\windows\Tasks\DJ Robson Michel.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-07-08 c:\windows\Tasks\DMC FilesTube.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-06-28 c:\windows\Tasks\Funkymix DJZ.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-06-27 c:\windows\Tasks\Funkymix Soundarea.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
2013-06-28 c:\windows\Tasks\Funkymix TJ's.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
2013-07-07 c:\windows\Tasks\GetRight.job
- c:\program files\GetRight\GetRight.exe [2012-04-25 20:16]
.
2013-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-23 01:43]
.
2013-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-23 01:43]
.
2013-06-28 c:\windows\Tasks\Mastermix FilesTube.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-06-28 c:\windows\Tasks\Pulse87.job
- c:\program files\Streamripper\streamripper.exe [2009-03-31 04:10]
.
2013-07-07 c:\windows\Tasks\shutdown.job
- c:\windows\system32\shutdown.exe [2008-04-14 09:42]
.
2013-07-10 c:\windows\Tasks\Soundz for the People DJZ.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-07-11 c:\windows\Tasks\Soundz for the People Soundarea.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
2013-07-10 c:\windows\Tasks\Soundz for the People TJ's.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
2013-07-08 c:\windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2011-08-24 19:31]
.
2013-06-28 c:\windows\Tasks\Spywareblaster.job
- c:\program files\SpywareBlaster\spywareblaster.exe [2011-08-23 19:29]
.
2013-07-10 c:\windows\Tasks\SyncBack Backup Mp3 Files.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2011-09-01 19:42]
.
2013-07-10 c:\windows\Tasks\SyncBack Backup.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2011-09-01 19:42]
.
2013-06-27 c:\windows\Tasks\Tiesto Club Life.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-07-07 c:\windows\Tasks\Ultimix DJZ.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-07-08 c:\windows\Tasks\Ultimix Soundarea.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
2013-07-07 c:\windows\Tasks\Ultimix TJ's.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
2012-04-29 c:\windows\Tasks\Winamp.job
- c:\program files\Winamp\winamp.exe [2011-10-26 18:49]
.
2013-07-07 c:\windows\Tasks\X-Mix Dance DJZ.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-07-08 c:\windows\Tasks\X-Mix Dance Soundarea.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
2013-07-08 c:\windows\Tasks\X-Mix TJ's.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
2013-07-07 c:\windows\Tasks\X-Mix Urban DJZ.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-07-08 c:\windows\Tasks\X-Mix Urban Soundarea.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\j1ymxi4b.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-BlackBerryAutoUpdate - c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
MSConfigStartUp-HP Software Update - c:\program files\Hp\HP Software Update\HPWuSchd2.exe
AddRemove-Virtual DJ Pro Full - Atomix Productions - c:\progra~1\VIRTUA~1.0\UNWISE.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-10 22:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1816)
c:\windows\system32\WININET.dll
c:\documents and settings\Andrew\Application Data\Dropbox\bin\DropboxExt.19.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\RTHDCPL.EXE
c:\documents and settings\Andrew\Application Data\Dropbox\bin\Dropbox.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\program files\Visioneer\OneTouch 4.0\OtService.exe
c:\windows\system32\wscntfy.exe
c:\program files\r2 Studios\HideOE\HideOE.exe
.
**************************************************************************
.
Completion time: 2013-07-10  22:50:12 - machine was rebooted
ComboFix-quarantined-files.txt  2013-07-11 02:50
.
Pre-Run: 204,625,686,528 bytes free
Post-Run: 204,656,979,968 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
.
- - End Of File - - AA503BE9C05710C65AABAC193F249D58
8F558EB6672622401DA993E1E865C861
 

[legaldeejay]

OK another update.   After rebooting several times, the problem seems to have gone away, BUT, if I exit MalwareBytes, and then restart the program, all protection is disabled.   The program should be starting with protection enabled, no?   If there is no infection you can find, then perhaps I just need to uninstall and reinstall the program?

[gringo_pr]

Hello legaldeejay

I would like you to try and run these next.

TDSSKiller

Please download the latest version of TDSSKiller from here and save it to your Desktop.

• Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
• Put a checkmark beside loaded modules.
• A reboot will be needed to apply the changes. Do it.
• TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
• Then click on Change parameters in TDSSKiller.
• Check all boxes then click OK.
• Click the Start Scan button.
• The scan should take no longer than 2 minutes.
• If a suspicious object is detected, the default action will be Skip, click on Continue.
• If malicious objects are found, they will show in the Scan results
• Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

  Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

• more than one report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". The one that I need is the larger one. Please copy and paste the contents of that file here.

  Note** this report can be very long - so if the website gives you an error saying it is to long you may attache it

  If the forum still complains about it being to long send me everything that is at the end of the report after where it says

  ==================

  Scan finished

  ==================

and I will see if I want to see the whole report

--RogueKiller--

Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit

• Quit all programs that you may have started.
• Please disconnect any external drives from the computer before you run this scan!
• For Vista or Windows 7, right-click and select "Run as Administrator to start"
• For Windows XP, double-click to start.
• Wait until Prescan has finished ...
• Then Click on "Scan" button
• Wait until the Status box shows "Scan Finished"
• click on "delete"
• Wait until the Status box shows "Deleting Finished"
• Click on "Report" and copy/paste the content of the Notepad into your next reply.
• the scan will make two reports the one I would like to see is called RKreport[2].txt on your Desktop
• Exit/Close RogueKiller+

send me the reports made from TDSSKiller and Roguekiller and also let me know how the computer is doing at this time.

Gringo

[legaldeejay]

Before I do this, I'm now having an issue with Internet Explorer 8.   It is closing automatically when I open it.

[gringo_pr]

Hello legaldeejay

first I would like you to go here and click on the fixit button - http://support.microsoft.com/kb/923737

Then I want you to do the following

• Start Internet Explorer.
• click on "safety"
• click on "Delete Browsing History"
• make sure all boxes are checked
• click on "Delete"
• click on "Tools",
• click "Internet Options".
• On the "Advanced" tab, click "Reset"
• put a check mark next to "Delete Personal Settings"
• click "Reset" to confirm
• when complete click the "Close" button
• restart IE

Gringo

[legaldeejay]

I tried the Fix it button and resetting within IE8 but an error message about running a DLL as an app appeared and I could not do it.  At this point, I am tempted to uninstall and reinstall IE8, or do a System Restore.   What do you think?

[gringo_pr]

Hello

go with the reinstall of IE first then if it is still a no go then do the system restore

gringo

[legaldeejay]

The reinstall did not work.   What is strange is that I can access this site in IE8 through the link in the e-mail, but when starting IE8 normally, it will close after a few seconds.   

 

I ran TDSSkiller and it found Rookit.Boot.sinowal.b.   See attached log file which is too large to post here.   If I do a System Restore, will that bring the rootkit back?

 

TDSSKiller.2.8.16.0_11.07.2013_00.48.25_log.txt

[gringo_pr]

Hello legaldeejay

Hold off on the system restore - run this bellow and if after it is done ie still closes I want you to reset it like we did before

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

 

ClearJavaCache:: 

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

• In your next post I need the following
  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

[legaldeejay]

Still no changes.    Here is the log.   OK for me to do System Restore? 

 

ComboFix 13-07-09.01 - Andrew 07/11/2013   6:58.2.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2036.1517 [GMT -4:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\out.txt
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-11 to 2013-07-11  )))))))))))))))))))))))))))))))
.
.
2013-07-11 06:20 . 2013-07-11 06:21 -------- dc-h--w- c:\windows\ie8
2013-07-11 06:14 . 2013-07-11 06:14 -------- d-----w- c:\program files\Microsoft Download Manager
2013-07-11 02:21 . 2013-07-11 02:21 -------- d-----w- c:\windows\ERUNT
2013-07-10 04:26 . 2013-07-10 04:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2013-06-14 10:00 . 2013-06-15 04:29 -------- d-----w- c:\documents and settings\Andrew\Application Data\Research In Motion
2013-06-12 10:05 . 2013-06-14 10:00 -------- d-----w- c:\documents and settings\Andrew\Application Data\XCPCSync.OEM
2013-06-12 05:54 . 2008-04-14 04:26 30592 -c--a-w- c:\windows\system32\dllcache\rndismpx.sys
2013-06-12 05:54 . 2008-04-14 04:26 30592 ----a-w- c:\windows\system32\drivers\rndismpx.sys
2013-06-12 05:45 . 2013-06-12 05:45 -------- d-----w- c:\documents and settings\Andrew\Local Settings\Application Data\Research In Motion
2013-06-12 05:44 . 2008-03-21 17:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2013-06-12 05:43 . 2013-06-12 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2013-06-12 05:42 . 2013-06-14 09:58 -------- d-----w- c:\program files\Common Files\XCPCSync.OEM
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-27 20:19 . 2013-03-06 04:51 175176 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-06-27 20:19 . 2011-08-23 01:43 369584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-06-27 20:19 . 2011-08-23 01:43 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-06-08 03:55 . 2008-04-14 04:07 385024 ------w- c:\windows\system32\html.iec
2013-06-07 21:56 . 2008-04-14 09:42 920064 ----a-w- c:\windows\system32\wininet.dll
2013-06-07 21:56 . 2008-04-14 09:41 43520 ------w- c:\windows\system32\licmgr10.dll
2013-06-07 21:56 . 2008-04-14 09:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-06-04 21:12 . 2013-06-04 21:12 12800 ----a-w- c:\windows\system32\drivers\rimvndis.sys
2013-06-04 07:23 . 2008-04-14 09:42 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40 . 2008-04-14 05:00 1876736 ----a-w- c:\windows\system32\win32k.sys
2013-05-23 13:56 . 2013-05-23 13:56 507904 ----a-r- c:\windows\system32\btwapi.dll
2013-05-13 03:05 . 2012-07-25 01:58 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-13 03:05 . 2011-08-23 03:59 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-09 08:59 . 2013-03-06 04:50 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-05-09 08:59 . 2011-08-23 01:43 56080 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-05-09 08:59 . 2013-03-06 04:50 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-05-09 08:59 . 2011-08-23 01:43 49760 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-05-09 08:59 . 2011-08-23 01:43 29816 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-05-09 08:58 . 2011-08-23 01:43 41664 ----a-w- c:\windows\avastSS.scr
2013-05-09 08:58 . 2011-08-23 01:43 229648 ----a-w- c:\windows\system32\aswBoot.exe
2013-05-09 04:28 . 2006-10-19 01:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-05-03 01:30 . 2008-04-14 04:54 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2008-04-14 00:01 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2006-05-03 15:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 16:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 18:30 216064 --sha-r- c:\windows\system32\nbDX.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-05-09 08:58 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-10 05:37 130736 ----a-w- c:\documents and settings\Andrew\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-10 05:37 130736 ----a-w- c:\documents and settings\Andrew\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-10 05:37 130736 ----a-w- c:\documents and settings\Andrew\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-10 05:37 130736 ----a-w- c:\documents and settings\Andrew\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Copernic Desktop Search 2"="c:\program files\Copernic Desktop Search 2\DesktopSearchService.exe" [2008-03-03 1583624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-05-09 4858968]
"StartupDelayer"="c:\program files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2013-03-07 1081856]
"RTHDCPL"="RTHDCPL.EXE" [2010-09-14 19576424]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2013-03-06 442896]
"RIM PeerManager"="c:\program files\Common Files\Research In Motion\Tunnel Manager\PeerManager.exe" [2013-06-04 4273664]
.
c:\documents and settings\Andrew\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Andrew\Application Data\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
Outlook Express.lnk - c:\program files\Outlook Express\msimn.exe [2011-8-22 60416]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PictureMover.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Snapfish PictureMover.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Snapfish PictureMover.lnk
backup=c:\windows\pss\Snapfish PictureMover.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^Dropbox.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^Free Music Zilla.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^Monitor Ink Alerts - HP Deskjet 3520 series.lnk]
path=c:\documents and settings\Andrew\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 3520 series.lnk
backup=c:\windows\pss\Monitor Ink Alerts - HP Deskjet 3520 series.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-03 07:35 946352 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-01-28 17:08 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTCheck]
2007-11-06 15:08 397312 ------w- c:\program files\Creative\ZEN Media Explorer\CTCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
2007-07-17 15:03 868352 ------w- c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2007-08-30 09:23 113136 ----a-w- c:\program files\Roxio\CinePlayer\DMXLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eCopy Scan Inbox Monitor]
2008-01-29 22:40 79112 ----a-w- c:\program files\eCopy\Desktop 9.2\Bin\InboxMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDP2eD]
2008-01-29 22:28 144648 ----a-w- c:\program files\eCopy\Desktop 9.2\Bin\eDP2eD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-07-12 04:00 162584 ----a-r- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2001-12-14 16:17 196608 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-07-12 04:00 142104 ----a-r- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2008-10-24 13:14 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2008-10-24 13:14 206112 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2008-10-24 13:14 79136 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-02-20 16:35 152392 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-07-12 04:00 138008 ----a-r- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2007-07-27 13:10 1133040 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-08-09 16:07 227824 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"c:\\Program Files\\Common Files\\Roxio Shared\\9.0\\SharedCOM\\RoxLiveShare9.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Andrew\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [3/6/2013 12:50 AM 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [3/6/2013 12:51 AM 175176]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/22/2011 9:43 PM 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/22/2011 9:43 PM 369584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/22/2011 9:43 PM 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [3/6/2013 12:50 AM 66336]
R2 BlackBerry Device Manager;BlackBerry Device Manager;c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [3/6/2013 3:24 PM 585728]
R2 RIM MDNS;RIM MDNS;c:\program files\Common Files\Research In Motion\Tunnel Manager\mDNSResponder.exe [6/4/2013 5:13 PM 389632]
R3 acfva;acfva;c:\windows\system32\drivers\ACFVA32.sys [8/16/2012 6:01 AM 86656]
R3 dgcfltr;DGC Filter Driver;c:\windows\system32\drivers\ACFDCP32.sys [8/16/2012 6:01 AM 28928]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/10/2012 11:16 PM 418376]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/5/2012 8:05 AM 701512]
S2 RIM Tunnel Service;BlackBerry Link Communication Manager;c:\program files\Common Files\Research In Motion\Tunnel Manager\tunmgr.exe [6/4/2013 5:13 PM 1263616]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/7/2012 12:38 AM 1691480]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/22/2011 9:48 PM 22856]
S3 rimvndis;BlackBerry Virtual Private Network;c:\windows\system32\drivers\rimvndis.sys [6/4/2013 5:12 PM 12800]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-20 19:03 1165776 ----a-w- c:\program files\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-10 c:\windows\Tasks\0day CD Pool Search.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-07-07 c:\windows\Tasks\Avast Report.job
- c:\documents and settings\All Users\Application Data\AVAST Software\Avast\report\Full System Scan.txt [2012-03-26 02:13]
.
2013-07-11 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-07-01 08:58]
.
2013-06-18 c:\windows\Tasks\Beatport.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
2013-06-28 c:\windows\Tasks\CCleaner Update.job
- c:\program files\CCleaner\CCleaner.exe [2013-06-19 14:13]
.
2013-07-11 c:\windows\Tasks\CCleaner.job
- c:\program files\CCleaner\CCleaner.exe [2013-06-19 14:13]
.
2013-07-11 c:\windows\Tasks\CD Pool Usenet.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-07-11 c:\windows\Tasks\Crooklyn Clan DJZ.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-07-09 c:\windows\Tasks\Crooklyn Clan Soundarea.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
2013-07-10 c:\windows\Tasks\Crooklyn Clan TJ's.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
2013-07-08 c:\windows\Tasks\DJ Robson Michel.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-07-08 c:\windows\Tasks\DMC FilesTube.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-06-28 c:\windows\Tasks\Funkymix DJZ.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-06-27 c:\windows\Tasks\Funkymix Soundarea.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
2013-06-28 c:\windows\Tasks\Funkymix TJ's.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
2013-07-07 c:\windows\Tasks\GetRight.job
- c:\program files\GetRight\GetRight.exe [2012-04-25 20:16]
.
2013-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-23 01:43]
.
2013-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-23 01:43]
.
2013-06-28 c:\windows\Tasks\Mastermix FilesTube.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-06-28 c:\windows\Tasks\Pulse87.job
- c:\program files\Streamripper\streamripper.exe [2009-03-31 04:10]
.
2013-07-07 c:\windows\Tasks\shutdown.job
- c:\windows\system32\shutdown.exe [2008-04-14 09:42]
.
2013-07-10 c:\windows\Tasks\Soundz for the People DJZ.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-07-11 c:\windows\Tasks\Soundz for the People Soundarea.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
2013-07-10 c:\windows\Tasks\Soundz for the People TJ's.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
2013-07-08 c:\windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2011-08-24 19:31]
.
2013-06-28 c:\windows\Tasks\Spywareblaster.job
- c:\program files\SpywareBlaster\spywareblaster.exe [2011-08-23 19:29]
.
2013-07-11 c:\windows\Tasks\SyncBack Backup Mp3 Files.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2011-09-01 19:42]
.
2013-07-11 c:\windows\Tasks\SyncBack Backup.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2011-09-01 19:42]
.
2013-07-11 c:\windows\Tasks\Tiesto Club Life.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-07-07 c:\windows\Tasks\Ultimix DJZ.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-07-08 c:\windows\Tasks\Ultimix Soundarea.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
2013-07-07 c:\windows\Tasks\Ultimix TJ's.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
2012-04-29 c:\windows\Tasks\Winamp.job
- c:\program files\Winamp\winamp.exe [2011-10-26 18:49]
.
2013-07-07 c:\windows\Tasks\X-Mix Dance DJZ.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-07-08 c:\windows\Tasks\X-Mix Dance Soundarea.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
2013-07-08 c:\windows\Tasks\X-Mix TJ's.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
2013-07-07 c:\windows\Tasks\X-Mix Urban DJZ.job
- c:\program files\Internet Explorer\iexplore.exe [2011-08-23 18:09]
.
2013-07-08 c:\windows\Tasks\X-Mix Urban Soundarea.job
- c:\program files\Mozilla Firefox\firefox.exe [2013-06-26 02:52]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\haz9lobr.default\

FF - prefs.js: network.proxy.ftp - 116.236.216.116
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 116.228.143.186
FF - prefs.js: network.proxy.gopher_port - 80
FF - prefs.js: network.proxy.http - 116.236.216.116
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 116.236.216.116
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 116.236.216.116
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-68556778.sys
SafeBoot-79053961.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-11 07:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-07-11  07:05:31
ComboFix-quarantined-files.txt  2013-07-11 11:05
.
Pre-Run: 221,391,306,752 bytes free
Post-Run: 221,398,990,848 bytes free
.
- - End Of File - - DD0ACA124E6B4C03CF47D38DC5FAB027
8F558EB6672622401DA993E1E865C861
 

[legaldeejay]

Now the process is getting frustrating because there seems to be no reason for IE8 to now suddenly be behaving like this, unless it's due to the rootkit which was removed. If I do a System Restore, will I have to do all the tests again? Sorry about the rant.

[gringo_pr]

Hello legaldeejay

I would like you to go to this page - Troubleshooting and Internet Explorer’s (No Add-ons) Mode

Step 1 is going to show you how to run IE without any add/ons, If by running IE this way the problem goes away Then we can go to step 2

Step 2 will show you how to find the add/on that is causing the problem and then how to remove it

Gringo

[legaldeejay]

Hi, I decided to do a reformat.  I can't even do a System Restore now.  This tells me I should be starting over.   Thank you for your assistance.

[gringo_pr]

Thank you for letting me know

Gringo

[legaldeejay]

I have another question.   Assuming MalwareBytes was enabled and working the way it was supposed to, and I also have Avast anti-virus software, how does a rootkit like still still infect a system?

[gringo_pr]

They come up with some very sneaky ways to get on the system - allot of time it is thru user interaction

clicking a link in an email

allowing a fake update

Gringo

[AdvancedSetup]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.