Cannot remove ICE (ransomware) infection from XP system [Solved]
#1
lsantil
Member, 17 posts

I’ve been trying to eliminate a variant of the ICE Cyber Crime Center “ransom” virus from my Windows XP system for almost four days now, and I’ve made almost no headway.

At various times I’ve run (though not always with the latest virus definitions) MS Security Essentials, Symantec Endpoint Protection, Malwarebytes, Kaspersky Rescue Disk, HitmanPro and ComboFix (maybe not so wise?). In some cases I copied these solutions onto a USB drive or CD using another computer, and sometimes even booted from the other media. In other cases the software was already present on my hard drive. But none of these products has been able to remove the virus. (Unfortunately I’ve done a terrible job of documenting my exact steps, always expecting relief to be one keystroke away.)

Let me try to give a clear picture of my current situation:

If I boot Windows normally using any existing (i.e., pre-virus) account, the ICE Cyber Crime Center “ransom” screen appears several seconds after the “Loading your personal settings” message, rendering my system unusable. Clicking Ctrl+Alt+Del followed by the Task Manager button does nothing. The only real working option from that screen is “Shut Down”.

Booting into Safe Mode or Safe Mode with Networking is futile because the “Loading your personal settings” message is followed almost immediately by the message “Logging off”, followed by Windows shutdown.

Booting into Safe Mode with Command Prompt offers my one glimmer of hope --- the boot sequence actually opens a cmd.exe window, from which I have been able to run a variety of commands (except “explorer”, which causes the system to immediately shut down). I can cd over to windows\pchealth\helpctr\binaries and launch msconfig, from where I’ve been able to run System Restores (unfortunately, no relief) and experiment with Startup item settings (also no help).

From the cmd.exe window I am even able to run the “net user” command and create new Windows accounts. And I can boot Windows normally with these new accounts (though the system will run very slowly, like something in the background is chewing up CPU). Of course, a regular user account has limited authority… but, unfortunately, if I return to the command prompt window and add a newly-created account to the Administrators group, the account then acts like any other account in the grip of the virus when I boot Windows normally (ICE screen appears and cannot be defeated).

So… I’m caught in a no-man’s land where I can only log on as Administrator in Safe Mode with Command Prompt --- which means no access to networking or the Internet. Conversely, I can launch Windows normally from a newly-created user account and enjoy Internet access --- but just not as an Administrator! So this “worst of both worlds scenario” is effectively keeping me from running up-to-date versions of most malware removal tools.

Can anyone please suggest another approach I might take to beat this thing? Some registry manipulation perhaps? (thankfully I can run regedit)

Thanks for your help!

(P.S. The OTL executable seems to have created a second file called Extras.Txt. Should I attach that file as well?)



OTL logfile created on: 6/23/2013 7:08:10 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\loutemp4\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.35 Gb Available Physical Memory | 67.39% Memory free
5.78 Gb Paging File | 5.26 Gb Available in Paging File | 91.07% Paging File free
Paging file location(s): C:\pagefile.sys 4024 4024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.31 Gb Total Space | 97.30 Gb Free Space | 67.42% Space Free | Partition Type: NTFS
Drive F: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 7.47 Gb Total Space | 5.57 Gb Free Space | 74.52% Space Free | Partition Type: FAT32

Computer Name: D3XTMS81 | User Name: loutemp4 | NOT logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/06/23 19:07:27 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\loutemp4\Desktop\OTL.exe
PRC - [2013/01/27 12:11:06 | 000,947,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2013/01/09 03:02:32 | 002,103,128 | ---- | M] (Juniper Networks, Inc.) -- C:\Program Files\Common Files\Juniper Networks\JamUI\Pulse.exe
PRC - [2012/04/25 11:34:46 | 000,115,624 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2012/04/25 11:34:44 | 001,471,904 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2009/05/21 10:55:32 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/23 20:26:06 | 002,441,216 | ---- | M] (SEC) -- C:\Program Files\MagicTune Premium\MagicTune.exe
PRC - [2007/03/15 11:09:36 | 000,460,784 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\DSAgnt.exe
PRC - [2007/01/15 17:18:00 | 000,036,864 | ---- | M] () -- C:\Program Files\MagicTune Premium\GammaTray.exe
PRC - [2006/06/15 08:43:20 | 000,049,152 | ---- | M] (HP) -- C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
PRC - [2006/05/09 20:24:16 | 000,050,760 | ---- | M] (America Online, Inc.) -- C:\Program Files\Common Files\AOL\1133066293\ee\aolsoftware.exe
PRC - [2005/09/08 21:20:46 | 000,464,384 | ---- | M] (Musicmatch, Inc.) -- C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
PRC - [2005/09/08 21:20:46 | 000,102,400 | ---- | M] (Musicmatch, Inc.) -- C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
PRC - [2004/10/04 17:05:04 | 001,044,577 | ---- | M] () -- C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
PRC - [2003/09/17 12:43:36 | 000,057,344 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe


========== Modules (No Company Name) ==========

MOD - [2013/01/10 09:42:07 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\fe025743210c22bea2f009e1612c38bf\System.Xml.ni.dll
MOD - [2013/01/10 09:39:13 | 007,977,984 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\aeac298c43c77d8860db8e7634d9f2eb\System.ni.dll
MOD - [2013/01/10 09:38:46 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\eab2340ead8e1a84bdf1a87868659979\mscorlib.ni.dll
MOD - [2013/01/10 09:14:47 | 003,391,488 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_5f3fff1c\mscorlib.dll
MOD - [2013/01/10 09:14:41 | 000,843,776 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.drawing\1.0.5000.0__b03f5f7f11d50a3a_cff60f84\system.drawing.dll
MOD - [2013/01/10 09:14:29 | 002,088,960 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_52286159\system.xml.dll
MOD - [2013/01/10 09:14:19 | 003,035,136 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_bd611a5d\system.windows.forms.dll
MOD - [2013/01/10 09:14:05 | 001,966,080 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_f223d44f\system.dll
MOD - [2013/01/10 09:13:40 | 001,232,896 | ---- | M] () -- c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll
MOD - [2013/01/10 09:13:38 | 000,471,040 | ---- | M] () -- c:\windows\assembly\gac\system.drawing\1.0.5000.0__b03f5f7f11d50a3a\system.drawing.dll
MOD - [2013/01/10 09:13:34 | 002,064,384 | ---- | M] () -- c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll
MOD - [2008/03/25 00:50:40 | 000,355,112 | ---- | M] () -- C:\WINDOWS\system32\msjetoledb40.dll
MOD - [2007/11/23 20:27:42 | 000,045,056 | ---- | M] () -- C:\Program Files\MagicTune Premium\VESADll.dll
MOD - [2007/11/23 20:27:38 | 000,045,056 | ---- | M] () -- C:\Program Files\MagicTune Premium\IProfile.dll
MOD - [2007/11/23 20:25:02 | 000,065,536 | ---- | M] () -- C:\Program Files\MagicTune Premium\MTResEng.dll
MOD - [2007/11/23 20:24:56 | 000,032,768 | ---- | M] () -- C:\Program Files\MagicTune Premium\HzZone.dll
MOD - [2007/11/23 20:24:52 | 000,040,960 | ---- | M] () -- C:\Program Files\MagicTune Premium\DProfile.dll
MOD - [2007/11/23 20:24:50 | 000,040,960 | ---- | M] () -- C:\Program Files\MagicTune Premium\EProfile.dll
MOD - [2007/11/23 20:24:46 | 000,036,864 | ---- | M] () -- C:\Program Files\MagicTune Premium\DeviceInterface.dll
MOD - [2007/11/23 20:24:42 | 000,032,768 | ---- | M] () -- C:\Program Files\MagicTune Premium\Highlight.dll
MOD - [2007/01/15 17:18:00 | 000,036,864 | ---- | M] () -- C:\Program Files\MagicTune Premium\GammaTray.exe
MOD - [2006/06/15 08:42:34 | 000,053,248 | ---- | M] () -- C:\Program Files\HP\ToolBoxFX\bin\NativeUtils.dll
MOD - [2005/09/01 09:51:14 | 000,122,880 | ---- | M] () -- C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmgit.dll
MOD - [2005/08/16 23:02:54 | 001,339,392 | ---- | M] () -- c:\windows\assembly\gac\system.xml\1.0.5000.0__b77a5c561934e089\system.xml.dll
MOD - [2005/08/16 23:02:54 | 000,323,584 | ---- | M] () -- c:\windows\assembly\gac\system.runtime.remoting\1.0.5000.0__b77a5c561934e089\system.runtime.remoting.dll
MOD - [2005/08/16 23:02:52 | 000,131,072 | ---- | M] () -- c:\windows\assembly\gac\system.runtime.serialization.formatters.soap\1.0.5000.0__b03f5f7f11d50a3a\system.runtime.serialization.formatters.soap.dll
MOD - [2004/10/04 17:05:04 | 001,044,577 | ---- | M] () -- C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
MOD - [2004/06/10 18:51:00 | 000,060,928 | ---- | M] () -- C:\WINDOWS\system32\P17.dll
MOD - [2003/09/23 03:00:00 | 000,106,496 | ---- | M] () -- C:\Program Files\Dell\ShareDLL\djbsdk.dll


========== Services (SafeList) ==========

SRV - File not found [Auto | Unknown] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2013/06/17 13:42:22 | 000,106,280 | ---- | M] (SurfRight B.V.) [Auto | Unknown] -- C:\Program Files\HitmanPro\hmpsched.exe -- (HitmanProScheduler)
SRV - [2013/06/12 08:24:14 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Unknown] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/04/04 05:32:53 | 000,181,664 | ---- | M] (Oracle Corporation) [Auto | Unknown] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2013/01/27 12:11:46 | 000,020,456 | ---- | M] (Microsoft Corporation) [Auto | Unknown] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2013/01/09 00:48:30 | 000,162,136 | ---- | M] (Juniper Networks, Inc.) [Auto | Unknown] -- C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe -- (JuniperAccessService)
SRV - [2012/08/10 09:21:55 | 000,487,312 | ---- | M] () [On_Demand | Unknown] -- C:\WINDOWS\DOWNLO~1\DMService.exe -- (DMService)
SRV - [2012/04/25 11:34:46 | 000,108,456 | ---- | M] (Symantec Corporation) [Auto | Unknown] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2012/04/25 11:34:46 | 000,108,456 | ---- | M] (Symantec Corporation) [Auto | Unknown] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2012/04/25 11:34:44 | 001,897,960 | ---- | M] (Symantec Corporation) [Auto | Unknown] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2012/04/25 11:34:44 | 001,846,592 | ---- | M] (Symantec Corporation) [Auto | Unknown] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2012/04/25 11:34:44 | 000,357,808 | ---- | M] (Symantec Corporation) [Disabled | Unknown] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2011/10/23 22:12:42 | 001,029,408 | ---- | M] (NETGEAR) [Auto | Unknown] -- C:\Program Files\NETGEAR Genie\bin\NETGEARGenieDaemon.exe -- (NETGEARGenieDaemon)
SRV - [2011/02/07 18:40:08 | 003,093,944 | ---- | M] (Symantec Corporation) [On_Demand | Unknown] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2011/02/07 18:40:08 | 000,558,520 | ---- | M] (Symantec Corporation) [Auto | Unknown] -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
SRV - [2010/11/25 06:05:00 | 000,150,928 | ---- | M] (Microsoft Corporation) [Auto | Unknown] -- C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe -- (uagqecsvc)
SRV - [2009/09/29 09:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Unknown] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008/08/13 18:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Unknown] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter)
SRV - [2008/04/13 20:12:09 | 000,088,576 | ---- | M] (Microsoft Corporation) [Unknown (-1) | Unknown] -- C:\WINDOWS\system32\wbem\wmiaprpl.dll -- (WmiApRpl)
SRV - [2007/08/23 16:05:18 | 000,045,056 | ---- | M] () [Auto | Unknown] -- C:\Program Files\MagicTune Premium\MagicTuneEngine.exe -- (MagicTuneEngine)
SRV - [2007/07/02 00:21:24 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Unknown] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2007/03/07 15:47:46 | 000,076,848 | ---- | M] () [On_Demand | Unknown] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Unknown] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2004/11/02 16:59:50 | 000,316,544 | ---- | M] (Symantec Corporation) [Auto | Unknown] -- C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe -- (SymWSC)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Unknown] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Unknown] -- system32\DRIVERS\wanatw4.sys -- (wanatw)
DRV - File not found [Kernel | On_Demand | Unknown] -- system32\DRIVERS\wg111v2.sys -- (RTLWUSB)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Unknown] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\Drivers\MmedFilter.sys -- (MmedFilter)
DRV - File not found [Kernel | System | Unknown] -- -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\default\LOCALS~1\Temp\krdpdre.sys -- (krdpdre)
DRV - File not found [Kernel | Auto | Unknown] -- C:\WINDOWS\system32\Drivers\DP.sys -- (DP1112)
DRV - File not found [Kernel | System | Unknown] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (bvrp_pci)
DRV - File not found [Kernel | System | Unknown] -- -- (aswTdi)
DRV - File not found [Kernel | System | Unknown] -- -- (aswSP)
DRV - File not found [File_System | System | Unknown] -- -- (aswSnx)
DRV - File not found [Kernel | System | Unknown] -- -- (aswRdr)
DRV - File not found [File_System | Auto | Unknown] -- -- (aswMon2)
DRV - File not found [File_System | Auto | Unknown] -- -- (aswFsBlk)
DRV - File not found [Kernel | System | Unknown] -- -- (Aavmker4)
DRV - [2013/06/20 22:59:58 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2013/05/21 04:00:00 | 001,611,992 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Unknown] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20130623.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2013/05/21 04:00:00 | 000,093,272 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Unknown] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20130623.002\NAVENG.SYS -- (NAVENG)
DRV - [2012/12/07 05:15:38 | 000,091,248 | ---- | M] (Juniper Networks, Inc.) [Kernel | System | Unknown] -- C:\WINDOWS\system32\drivers\jnprTdi_730_29921.sys -- (jnprTdi_730_29921)
DRV - [2012/12/05 04:29:30 | 000,446,712 | ---- | M] (Juniper Networks, Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\jnprna5.sys -- (JNPRNA)
DRV - [2012/08/08 04:00:00 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Unknown] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/08/08 04:00:00 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Unknown] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/05/11 22:00:40 | 000,036,776 | ---- | M] (Juniper Networks, Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\jnprvamgr.sys -- (JnprVaMgr)
DRV - [2012/04/26 20:07:02 | 000,126,584 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2012/04/25 11:34:46 | 000,321,016 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2012/04/25 11:34:46 | 000,287,352 | ---- | M] (Symantec Corporation) [File_System | System | Unknown] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2012/04/25 11:34:46 | 000,043,768 | ---- | M] (Symantec Corporation) [Kernel | System | Unknown] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2012/04/25 11:34:40 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Unknown] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2012/04/25 11:34:40 | 000,188,080 | ---- | M] (Symantec Corporation) [Kernel | System | Unknown] -- C:\WINDOWS\system32\drivers\symtdi.sys -- (SYMTDI)
DRV - [2012/04/25 11:34:40 | 000,026,416 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\symredrv.sys -- (SYMREDRV)
DRV - [2012/04/25 11:34:40 | 000,023,888 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\COH_Mon.sys -- (COH_Mon)
DRV - [2010/12/16 15:43:22 | 000,084,336 | ---- | M] (Juniper Networks) [Kernel | System | Unknown] -- C:\WINDOWS\system32\drivers\NEOFLTR_700_17289.SYS -- (NEOFLTR_700_17289)
DRV - [2010/12/08 00:25:31 | 000,016,968 | ---- | M] () [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\hitmanpro35.sys -- (hitmanpro35)
DRV - [2008/04/13 20:12:09 | 000,088,576 | ---- | M] (Microsoft Corporation) [Unknown (-1) | Unknown (-1) | Unknown] -- C:\WINDOWS\system32\wbem\wmiaprpl.dll -- (WmiApRpl)
DRV - [2007/11/23 20:19:14 | 000,013,056 | ---- | M] (Samsung Electronics, Inc. ) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\MTiCtwl.sys -- (MagicTune)
DRV - [2007/02/25 12:10:48 | 000,005,376 | ---- | M] (Gteko Ltd.) [Kernel | Auto | Unknown] -- C:\WINDOWS\system32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006/10/05 16:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Unknown] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/06/12 06:36:30 | 000,009,344 | ---- | M] (Hewlett Packard) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\hpfxbulk.sys -- (HPFXBULK)
DRV - [2005/08/04 06:10:18 | 001,273,344 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/10/04 16:57:16 | 000,379,488 | ---- | M] (NETGEAR, Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\wg111nd5.sys -- (wg111nd5)
DRV - [2004/10/04 16:57:14 | 000,016,292 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\PCANDIS5.SYS -- (PCANDIS5)
DRV - [2004/10/04 16:57:12 | 000,015,781 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Unknown] -- C:\WINDOWS\system32\drivers\mdc8021x.sys -- (MDC8021X)
DRV - [2004/06/16 05:52:40 | 000,061,157 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)
DRV - [2004/06/09 19:16:00 | 000,840,960 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\P17.sys -- (P17)
DRV - [2004/03/06 06:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)
DRV - [2004/03/06 06:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)
DRV - [2004/03/06 06:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)
DRV - [2003/09/22 15:48:00 | 000,130,192 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2003/09/22 15:47:00 | 000,178,672 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2003/03/05 20:19:00 | 000,015,840 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Unknown] -- C:\WINDOWS\system32\drivers\Pfmodnt.sys -- (PfModNT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
IE - HKCU\..\URLSearchHook: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.21.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.46: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.46: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.46: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)


[2011/04/16 00:22:20 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/22 20:13:24 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/09/21 23:35:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/12/21 04:56:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2008/06/18 03:43:04 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/12/06 08:34:31 | 000,001,919 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing-zugo.xml
[2010/11/11 19:26:20 | 000,002,210 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\websearch.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR - Extension: Docs = C:\Documents and Settings\loutemp4\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.0.0.6_0\
CHR - Extension: Google Drive = C:\Documents and Settings\loutemp4\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\
CHR - Extension: YouTube = C:\Documents and Settings\loutemp4\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Documents and Settings\loutemp4\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Gmail = C:\Documents and Settings\loutemp4\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2013/06/20 13:38:57 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [combofix] C:\ComboFix\CF5139.3XE (Microsoft Corporation)
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133066293\ee\aolsoftware.exe (America Online, Inc.)
O4 - HKLM..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe ()
O4 - HKLM..\Run: [JunosPulse] C:\Program Files\Common Files\Juniper Networks\JamUI\Pulse.exe (Juniper Networks, Inc.)
O4 - HKLM..\Run: [MimBoot] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot.exe (Musicmatch, Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [P17Helper] C:\WINDOWS\System32\P17.dll ()
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [ToolBoxFX] C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe (HP)
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u File not found
O4 - HKCU..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
O4 - HKCU..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" File not found
O4 - HKLM..\RunOnce: [*Restore] C:\WINDOWS\System32\restore\rstrui.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [combofix] C:\ComboFix\CF5139.3XE (Microsoft Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\RunOnceEx: [flags] Reg Error: Invalid data type. File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk = C:\Program Files\MagicTune Premium\GammaTray.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell....iler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} http://www.classlink...FILES/wfica.cab (Citrix ICA Client)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1133059359261 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.21.2)
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} https://owa.markelco.../WhlCompMgr.cab (Forefront UAG client components)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} http://scan.networkm...-ship-WD.V1.cab (Pure Networks Security Scan)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_37)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.21.2)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://www.popcap.co...aploader_v6.cab (PopCapLoader Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.we...bex/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://my.markelcor...perSetupSP1.cab (JuniperSetupControlXP Class)
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} http://pccheckup.del...ll/gtdownde.cab (Dell PC Checkup Installer Control)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://my.markelcor...SetupClient.cab (JuniperSetupClientControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{97A2D01D-706C-42BC-86B5-8D2B8A6093EF}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BC2022F4-FD03-4BF5-A57C-C7872A4A6CEE}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\WRNotifier: DllName - (WRLogonNTF.dll) - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\loutemp4\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\loutemp4\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 06:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/05/06 08:26:23 | 000,000,309 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (SsiEfr.e)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/06/23 19:07:21 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\loutemp4\Desktop\OTL.exe
[2013/06/23 19:02:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\Application Data\Adobe
[2013/06/23 19:02:49 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\loutemp4\PrivacIE
[2013/06/23 15:06:53 | 000,728,448 | ---- | C] (Enigma Software Group USA, LLC.) -- C:\Documents and Settings\loutemp4\My Documents\SpyHunter-Installer.exe
[2013/06/22 11:27:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\Local Settings\Application Data\Google
[2013/06/22 11:21:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\Local Settings\Application Data\BVRP Software
[2013/06/22 11:17:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\Local Settings\Application Data\AOL
[2013/06/22 11:17:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\Application Data\GTek
[2013/06/22 11:17:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\Local Settings\Application Data\Apple Computer
[2013/06/22 11:17:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\Local Settings\Application Data\SupportSoft
[2013/06/22 11:17:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\Application Data\HP
[2013/06/22 11:17:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\Application Data\Juniper Networks
[2013/06/22 11:17:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\Application Data\Real
[2013/06/22 11:15:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\Local Settings\Application Data\Symantec
[2013/06/22 11:15:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\Application Data\Macromedia
[2013/06/22 11:15:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\Application Data\Identities
[2013/06/22 11:15:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\Application Data\Creative
[2013/06/22 11:15:20 | 000,000,000 | --SD | C] -- C:\Documents and Settings\loutemp4\Application Data\Microsoft
[2013/06/22 11:15:20 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\loutemp4\SendTo
[2013/06/22 11:15:20 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\loutemp4\Recent
[2013/06/22 11:15:20 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\loutemp4\Application Data
[2013/06/22 11:15:20 | 000,000,000 | R--D | C] -- C:\Documents and Settings\loutemp4\Start Menu\Programs\Startup
[2013/06/22 11:15:20 | 000,000,000 | R--D | C] -- C:\Documents and Settings\loutemp4\Start Menu
[2013/06/22 11:15:20 | 000,000,000 | R--D | C] -- C:\Documents and Settings\loutemp4\My Documents\My Pictures
[2013/06/22 11:15:20 | 000,000,000 | R--D | C] -- C:\Documents and Settings\loutemp4\My Documents\My Music
[2013/06/22 11:15:20 | 000,000,000 | R--D | C] -- C:\Documents and Settings\loutemp4\My Documents
[2013/06/22 11:15:20 | 000,000,000 | R--D | C] -- C:\Documents and Settings\loutemp4\Favorites
[2013/06/22 11:15:20 | 000,000,000 | R--D | C] -- C:\Documents and Settings\loutemp4\Start Menu\Programs\Accessories
[2013/06/22 11:15:20 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\loutemp4\IETldCache
[2013/06/22 11:15:20 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\loutemp4\Cookies
[2013/06/22 11:15:20 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\loutemp4\Templates
[2013/06/22 11:15:20 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\loutemp4\PrintHood
[2013/06/22 11:15:20 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\loutemp4\NetHood
[2013/06/22 11:15:20 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\loutemp4\Local Settings
[2013/06/22 11:15:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\Local Settings\Application Data\Wildtangent
[2013/06/22 11:15:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\Application Data\Sun
[2013/06/22 11:15:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\Local Settings\Application Data\Musicmatch
[2013/06/22 11:15:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\Local Settings\Application Data\Microsoft
[2013/06/22 11:15:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\Desktop
[2013/06/22 11:15:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\Start Menu\Programs\Dell Accessories
[2013/06/22 11:15:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\Start Menu\Programs\Dell
[2013/06/22 11:15:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\My Documents\CCWin
[2013/06/22 11:15:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\Local Settings\Application Data\ApplicationHistory
[2013/06/22 11:15:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\loutemp4\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142030}
[2013/06/20 22:47:15 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/06/20 22:35:43 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2013/06/20 18:08:05 | 010,285,040 | ---- | C] (Malwarebytes Corporation ) -- C:\mbam-setup-1.75.0.1300.exe
[2013/06/20 14:06:34 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0
[2013/06/20 13:38:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2013/06/20 13:21:33 | 000,000,000 | --SD | C] -- C:\ComboFix
[2013/06/17 01:01:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\HitmanPro
[2013/06/17 01:01:14 | 000,000,000 | ---D | C] -- C:\Program Files\HitmanPro
[2013/06/17 01:01:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[28 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/06/23 19:07:27 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\loutemp4\Desktop\OTL.exe
[2013/06/23 18:43:00 | 000,000,888 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/06/23 18:24:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/06/23 15:21:09 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/06/23 15:19:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/06/23 15:19:19 | 2145,538,048 | -HS- | M] () -- C:\hiberfil.sys
[2013/06/23 15:07:00 | 000,728,448 | ---- | M] (Enigma Software Group USA, LLC.) -- C:\Documents and Settings\loutemp4\My Documents\SpyHunter-Installer.exe
[2013/06/23 14:35:59 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/06/22 11:28:31 | 000,001,831 | ---- | M] () -- C:\Documents and Settings\loutemp4\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/06/22 11:28:31 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\loutemp4\Desktop\Google Chrome.lnk
[2013/06/22 11:18:49 | 000,002,528 | ---- | M] () -- C:\Documents and Settings\loutemp4\Application Data\$_hpcst$.hpc
[2013/06/22 11:16:34 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\loutemp4\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2013/06/22 11:16:22 | 000,000,782 | ---- | M] () -- C:\Documents and Settings\loutemp4\Desktop\Windows Media Player.lnk
[2013/06/22 11:16:12 | 000,001,478 | ---- | M] () -- C:\Documents and Settings\loutemp4\Application Data\Microsoft\Internet Explorer\Quick Launch\Media Center.lnk
[2013/06/20 22:59:58 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/06/20 22:21:55 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/06/20 21:54:43 | 000,000,353 | -HS- | M] () -- C:\boot.ini
[2013/06/20 18:08:44 | 000,000,071 | ---- | M] () -- C:\.directory
[2013/06/20 18:08:10 | 010,285,040 | ---- | M] (Malwarebytes Corporation ) -- C:\mbam-setup-1.75.0.1300.exe
[2013/06/20 14:13:37 | 000,001,076 | ---- | M] () -- C:\WINDOWS\System32\.crusader
[2013/06/20 14:11:34 | 001,097,634 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\2433f433
[2013/06/20 13:38:57 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2013/06/17 13:42:22 | 000,001,610 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk
[2013/06/13 08:48:07 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/06/05 11:02:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[28 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/06/23 15:19:19 | 2145,538,048 | -HS- | C] () -- C:\hiberfil.sys
[2013/06/22 11:18:49 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\loutemp4\Application Data\$_hpcst$.hpc
[2013/06/22 11:16:34 | 000,000,803 | ---- | C] () -- C:\Documents and Settings\loutemp4\Start Menu\Programs\Internet Explorer.lnk
[2013/06/22 11:16:33 | 000,001,831 | ---- | C] () -- C:\Documents and Settings\loutemp4\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/06/22 11:16:33 | 000,001,813 | ---- | C] () -- C:\Documents and Settings\loutemp4\Desktop\Google Chrome.lnk
[2013/06/22 11:16:22 | 000,000,788 | ---- | C] () -- C:\Documents and Settings\loutemp4\Start Menu\Programs\Windows Media Player.lnk
[2013/06/22 11:16:22 | 000,000,782 | ---- | C] () -- C:\Documents and Settings\loutemp4\Desktop\Windows Media Player.lnk
[2013/06/22 11:15:24 | 000,002,007 | ---- | C] () -- C:\Documents and Settings\loutemp4\Application Data\Microsoft\Internet Explorer\Quick Launch\Play Games.lnk
[2013/06/22 11:15:24 | 000,001,769 | ---- | C] () -- C:\Documents and Settings\loutemp4\Application Data\Microsoft\Internet Explorer\Quick Launch\Musicmatch Jukebox.lnk
[2013/06/22 11:15:24 | 000,001,478 | ---- | C] () -- C:\Documents and Settings\loutemp4\Application Data\Microsoft\Internet Explorer\Quick Launch\Media Center.lnk
[2013/06/22 11:15:24 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\loutemp4\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2013/06/22 11:15:24 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\loutemp4\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickTime Player.lnk
[2013/06/22 11:15:24 | 000,000,669 | ---- | C] () -- C:\Documents and Settings\loutemp4\Application Data\Microsoft\Internet Explorer\Quick Launch\America Online 9.0.lnk
[2013/06/22 11:15:24 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\loutemp4\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2013/06/22 11:15:23 | 000,001,298 | ---- | C] () -- C:\Documents and Settings\loutemp4\Desktop\Media Center.lnk
[2013/06/22 11:15:23 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\loutemp4\Local Settings\Application Data\fusioncache.dat
[2013/06/22 11:15:21 | 000,001,503 | ---- | C] () -- C:\Documents and Settings\loutemp4\Start Menu\Programs\Remote Assistance.lnk
[2013/06/22 11:15:21 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\loutemp4\Start Menu\Programs\Outlook Express.lnk
[2013/06/20 22:21:55 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/06/20 21:54:32 | 000,001,659 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Smart Wizard Wireless Settings.lnk
[2013/06/20 21:54:32 | 000,000,513 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
[2013/06/20 18:08:44 | 000,000,071 | ---- | C] () -- C:\.directory
[2013/06/20 14:11:34 | 001,097,634 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\2433f433
[2013/06/17 01:01:20 | 000,001,610 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk
[2013/05/18 22:27:55 | 002,250,054 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.bmp
[2013/05/18 22:27:33 | 000,350,795 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.jpg
[2012/02/16 11:00:58 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2005/12/28 23:34:41 | 000,001,347 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/12/20 22:35:05 | 000,000,360 | ---- | C] () -- C:\Program Files\desktop.ica

========== ZeroAccess Check ==========

[2005/08/16 06:39:16 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2009/04/29 00:46:52 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 08:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 20:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2010/08/26 20:11:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2007/06/19 21:48:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2005/08/16 22:54:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DIGStream
[2008/10/19 21:59:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2013/06/17 14:22:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2012/05/09 11:08:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Juniper Networks
[2013/04/07 13:55:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2006/07/23 20:44:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2008/03/01 21:14:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2013/03/16 10:10:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TaxCut
[2007/02/28 19:02:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2013/06/22 11:17:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\loutemp4\Application Data\Juniper Networks

========== Purity Check ==========



< End of report >


#2
gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello lsantil

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

I would like you to run this custom script for me now and when it is complete please let me have the report and a status update for the computer.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Posted Image text box.
    :OTL
    IE - HKCU\..\URLSearchHook: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - No CLSID value found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
    O4 - HKLM..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u File not found
    O4 - HKCU..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" File not found
    O4 - HKLM..\RunOnceEx: [flags] Reg Error: Invalid data type. File not found
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
    O20 - Winlogon\Notify\WRNotifier: DllName - (WRLogonNTF.dll) - File not found
    C:\Documents and Settings\All Users\Application Data\2433f433  
    [2013/05/18 22:27:55 | 002,250,054 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.bmp
    [2013/05/18 22:27:33 | 000,350,795 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.jpg
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    [reboot]
    
  • Then click the Run Fix button at the top.
  • Click Posted Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

    Note** if the report does not popup after the computer reboots you can find it here in this folder - C:\_OTL\MovedFiles

    It will be named - mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss - are numbers representing the date and time the fix was run.

Let me know How things are doing

Gringo
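The entries in the script above are the ones a reviewer picks out of an OTL log by hand: autorun and Winlogon notify entries whose target OTL reports as "File not found", and recently created files with no company name sitting in the shared Application Data folder. The Python helper below is an added example, not code from OTL or from anyone in this thread; it parses those two OTL line shapes and applies that selection to lines copied from the log posted above. The heuristics and the cutoff date are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# One OTL file entry: [date time | size | attrs | C-or-M] (company) -- path
# Folder entries carry no "(company)" part, so that group is optional.
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[RHSD-]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
# One OTL autorun (O4) or Winlogon notify (O20) entry: "O4 - <key>: <rest>"
AUTORUN_RE = re.compile(r"^O(?:4|20) - (?P<key>.+?): (?P<rest>.+)$")

# Shared profile folder on Windows XP where the files flagged in this thread live.
SHARED_APPDATA = r"c:\documents and settings\all users\application data" + "\\"

# Constructed sample: lines copied from the OTL log posted in this thread.
SAMPLE_LOG = [
    r"O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)",
    r"O4 - HKLM..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u File not found",
    r'O4 - HKCU..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" File not found',
    r"O20 - Winlogon\Notify\WRNotifier: DllName - (WRLogonNTF.dll) - File not found",
    r"[2013/06/20 22:47:15 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys",
    r"[2013/06/17 01:01:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HitmanPro",
    r"[2013/06/20 14:11:34 | 001,097,634 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\2433f433",
    r"[2013/05/18 22:27:55 | 002,250,054 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.bmp",
    r"[2013/05/18 22:27:33 | 000,350,795 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.jpg",
    r"[2005/12/28 23:34:41 | 000,001,347 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache",
    r"[2013/06/23 15:19:19 | 2145,538,048 | -HS- | C] () -- C:\hiberfil.sys",
]


@dataclass
class Finding:
    reason: str   # "missing-target" or "unknown-file"
    target: str   # autorun value name / notify key, or the file path
    line: str     # the raw OTL line the finding came from


def parse_file_entry(line: str) -> Optional[dict]:
    """Split one OTL file/folder line into fields; None if the line is another shape."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    return {
        "created": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        "size": int(m["size"].replace(",", "")),
        "attrs": m["attrs"],
        "is_dir": m["attrs"][3] == "D",          # fourth attribute flag marks a folder
        "company": (m["company"] or "").strip(),
        "path": m["path"].strip(),
    }


def triage(lines: List[str], since: datetime) -> List[Finding]:
    """Pick out the entries a reviewer would put into an OTL fix script.

    Heuristics (assumed for illustration, not OTL's own logic):
      * an O4/O20 entry whose target OTL reports as "File not found" is an
        orphaned autorun;
      * a file (not a folder) created on or after `since`, with no company
        name, directly under the shared Application Data folder.
    """
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = AUTORUN_RE.match(line)
        if m and line.endswith("File not found"):
            name = re.search(r"\[([^\]]+)\]", m["rest"])   # "[UserFaultCheck]" -> value name
            findings.append(Finding("missing-target", name.group(1) if name else m["key"], line))
            continue
        entry = parse_file_entry(line)
        if entry is None or entry["is_dir"]:
            continue
        in_shared = entry["path"].lower().startswith(SHARED_APPDATA)
        if in_shared and entry["company"] == "" and entry["created"] >= since:
            findings.append(Finding("unknown-file", entry["path"], line))
    return findings


def triage_sample() -> List[Finding]:
    """Run the triage over the constructed sample with a cutoff inside the thread's time frame."""
    return triage(SAMPLE_LOG, since=datetime(2013, 5, 1))


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.reason:15} {f.target}")
```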

#3
lsantil

    Member

  • Topic Starter
  • Member
  • 17 posts
Thanks for your help, Gringo!

I did as you instructed and ran the special OTL script (log output below). My system still goes directly to the ICE "ransom" screen if I boot Windows normally using any pre-existing (pre-infection) Windows account. And though I can boot into Safe Mode with Command Prompt, I still cannot boot into Safe Mode with Networking (system shuts down).

========== OTL ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}\ not found.
Registry delete failed. HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ scheduled to be deleted on reboot.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Registry delete failed. HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=\ scheduled to be deleted on reboot.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Registry delete failed. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\UserFaultCheck scheduled to be deleted on reboot.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\OE_OEM deleted successfully.
Registry delete failed. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\\flags scheduled to be deleted on reboot.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf not found.
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ scheduled to be deleted on reboot.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\DownloadInformation\\INF .
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\ scheduled to be deleted on reboot.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ scheduled to be deleted on reboot.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier\ scheduled to be deleted on reboot.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
File move failed. C:\Documents and Settings\All Users\Application Data\1.bmp scheduled to be moved on reboot.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
File move failed. C:\Documents and Settings\All Users\Application Data\1.jpg scheduled to be moved on reboot.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\loutemp4\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\loutemp4\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: Administrator

User: All Users

User: default

User: Default User

User: Guest

User: LocalService

User: loutemp

User: loutemp2

User: loutemp3

User: loutemp4

User: NetworkService

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: default

User: Default User
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
->Flash cache emptied: 56502 bytes

User: Guest

User: LocalService

User: loutemp

User: loutemp2

User: loutemp3

User: loutemp4
->Flash cache emptied: 57104 bytes

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 06242013_122851

#4
gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello lsantil

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
  • 0

#5
lsantil

lsantil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Gringo... I have not run ComboFix yet as you instructed because I am unable to "turn off" Symantec Endpoint Protection. I'm guessing that this is because I am not running with an Administrator account (which the infection prevents me from doing).

I can, however, boot to Safe Mode with Command Prompt as Administrator. Is there any way to disable Symantec Endpoint Protection from a cmd.exe window?

Or should I just bypass that step and try running ComboFix with the AV software still enabled?
  • 0

#6
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
go ahead and run combofix


gringo
  • 0

#7
lsantil

lsantil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Gringo... when I try to run ComboFix I get the error "You need to be an Administrator ro run ComboFix!" And unfortunately I cannot boot to Windows normally with an administrator account (the infection recognizes the administrator account and immediately shuts down Windows).

However, I can boot to Safe Mode with Command Prompt as Administrator. Should I try to boot to Safe Mode that way and then run ComboFix from a cmd.exe window?
  • 0

#8
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello lsantil

I do not know if that will work

Let's try this



Please download Farbar Recovery Scan Tool and save it to your desktop.


Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


Gringo
  • 0
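Reading FRST.txt by eye is what the helper does next. As an added illustration that is not part of this thread or of the FRST tool, the Python script below applies three of the checks a reviewer makes to the autostart, Winlogon\Notify and service/driver lines FRST emits: whether the target file is missing (FRST prints [x]), whether no publisher is recorded (empty parentheses), and whether the target loads from a Temp or user-profile directory. The sample lines are copied from the FRST log posted later in this thread; the flag names and the heuristics are the example's own, and a flagged line is a prompt to look closer rather than a verdict.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: lines copied from the FRST.txt posted in this thread, in the
# format FRST uses for autostart entries, Winlogon\Notify entries and services/drivers.
SAMPLE_LOG = r"""
HKLM\...\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE [90112 2000-05-11] (Creative Technology Ltd.)
HKLM\...\Run: [P17Helper] Rundll32 P17.dll,P17Helper [x]
HKLM\...\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1 [618496 2007-12-23] ()
HKLM\...\Run: [combofix] C:\ComboFix\CF5139.3XE /c C:\ComboFix\Combobatch.bat [x]
HKCU\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [460784 2007-03-15] (Gteko Ltd.)
Winlogon\Notify\WRNotifier: WRLogonNTF.dll [X]
S3 catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys [x]
R2 MagicTuneEngine; C:\Program Files\MagicTune Premium\MagicTuneEngine.exe [45056 2007-08-23] ()
"""

# Line shapes FRST uses (as seen in the log above); everything else is ignored.
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\\.\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<rest>.*)$",
    re.IGNORECASE,
)
NOTIFY_RE = re.compile(r"^Winlogon\\Notify\\(?P<name>[^:]+): (?P<rest>.*)$")
SVC_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+); (?P<rest>.*)$")
# FRST appends the publisher/company in parentheses; "()" means it found none.
PUB_RE = re.compile(r"\((?P<pub>[^()]*)\)\s*$")
# Heuristic (example's own): autostarts living under Temp or a user profile deserve a look.
WRITABLE_RE = re.compile(r"\\(Temp|Application Data|Documents and Settings|LOCALS~1)\\", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one FRST line into an entry dict, or None if it is not an autostart/service line."""
    line = line.rstrip()
    for kind, rx in (("autorun", RUN_RE), ("winlogon-notify", NOTIFY_RE), ("service/driver", SVC_RE)):
        m = rx.match(line)
        if m:
            break
    else:
        return None
    rest = m.group("rest")
    # "[x]" (any case) and "No ImagePath" both mean FRST could not find the referenced file.
    missing = rest.lower().endswith("[x]") or rest == "No ImagePath"
    pub_match = None if missing else PUB_RE.search(rest)
    publisher = pub_match.group("pub").strip() if pub_match else None
    flags: List[str] = []
    if missing:
        flags.append("target file missing")
    if pub_match is not None and publisher == "":
        flags.append("no publisher recorded")
    if WRITABLE_RE.search(rest):
        flags.append("loads from a user-writable location")
    return {"kind": kind, "name": m.group("name").strip(), "target": rest,
            "publisher": publisher, "flags": flags}


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return only the entries that raised at least one flag, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["flags"]:
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:<16} {f['name']:<16} {', '.join(f['flags'])}")
```

Run against a full FRST.txt (`triage(open("FRST.txt").read())`) the script lists the orphaned entries, the unsigned ones and the ones started from profile directories, which is the same short list a helper builds before deciding what to remove; an orphaned entry such as `[x]` is harmless by itself and is usually cleaned up only for tidiness.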

#9
lsantil

lsantil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Thanks so much, Gringo.

Here are the two Farbar reports:


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 25-06-2013 01
Ran by loutemp4 (ATTENTION: The logged in user is not administrator) on 25-06-2013 07:01:32
Running from C:\Documents and Settings\loutemp4\Desktop
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(HP) C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
(SEC) C:\Program Files\MagicTune Premium\MagicTune.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Musicmatch, Inc.) C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Musicmatch, Inc.) C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
(InstallShield Software Corporation) C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
(Intel Corporation) C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
(America Online, Inc.) C:\Program Files\Common Files\AOL\1133066293\ee\AOLSoftware.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehtray.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
(Microsoft Corporation) C:\WINDOWS\eHome\ehmsas.exe
(Sonic Solutions) C:\WINDOWS\system32\dla\tfswctrl.exe
(SupportSoft, Inc.) C:\Program Files\Dell Support Center\bin\sprtcmd.exe
(Creative Technology Ltd) C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
(Microsoft Corporation) C:\PROGRA~1\MI3AA1~1\rapimgr.exe
(Gteko Ltd.) C:\Program Files\DellSupport\DSAgnt.exe
(Microsoft Corporation) C:\Program Files\Microsoft ActiveSync\wcescomm.exe
() C:\Program Files\MagicTune Premium\GammaTray.exe
() C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u [x]
HKLM\...\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE [90112 2000-05-11] (Creative Technology Ltd.)
HKLM\...\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on [49152 2006-06-15] (HP)
HKLM\...\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [185896 2008-04-30] (RealNetworks, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [253816 2013-03-12] (Oracle Corporation)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [413696 2008-05-27] (Apple Inc.)
HKLM\...\Run: [P17Helper] Rundll32 P17.dll,P17Helper [x]
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947152 2013-01-27] (Microsoft Corporation)
HKLM\...\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe [8192 2005-09-08] (Musicmatch, Inc.)
HKLM\...\Run: [JunosPulse] C:\Program Files\Common Files\Juniper Networks\JamUI\Pulse.exe -tray [2103128 2013-01-09] (Juniper Networks, Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [289064 2008-07-30] (Apple Inc.)
HKLM\...\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start [81920 2005-06-10] (InstallShield Software Corporation)
HKLM\...\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup [249856 2005-06-10] (InstallShield Software Corporation)
HKLM\...\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe [221184 2003-09-03] (Intel Corporation)
HKLM\...\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1 [618496 2007-12-23] ()
HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2005-02-16] (Hewlett-Packard Co.)
HKLM\...\Run: [HostManager] C:\Program Files\Common Files\AOL\1133066293\ee\AOLSoftware.exe [50760 2006-05-09] (America Online, Inc.)
HKLM\...\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe [64512 2005-08-05] (Microsoft Corporation)
HKLM\...\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [49152 2006-04-06] (CyberLink Corp.)
HKLM\...\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [16384 2007-11-15] ( )
HKLM\...\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe [127035 2004-12-06] (Sonic Solutions)
HKLM\...\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [206064 2009-05-21] (SupportSoft, Inc.)
HKLM\...\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r [57344 2003-09-17] (Creative Technology Ltd)
HKLM\...\Run: [combofix] C:\ComboFix\CF5139.3XE /c C:\ComboFix\Combobatch.bat [x]
HKLM\...\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [115624 2012-04-25] (Symantec Corporation)
HKLM\...\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [344064 2005-08-05] (ATI Technologies, Inc.)
HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [116040 2008-07-22] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -i [380416 2008-04-13] (Microsoft Corporation)
HKLM\...\Runonce: [combofix] C:\ComboFix\CF5139.3XE /c C:\ComboFixCombobatch.bat [x]
HKLM\...\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
HKLM\...\runonceex: [flags] 8 [x]
Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
Winlogon\Notify\WRNotifier: WRLogonNTF.dll [X]
HKCU\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [460784 2007-03-15] (Gteko Ltd.)
HKCU\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [413696 2008-05-27] (Apple Inc.)
HKCU\...\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [1289000 2006-11-13] (Microsoft Corporation)
MountPoints2: {361ac05d-0e0d-11da-9aa9-806d6172696f} - E:\setup.exe
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
ShortcutTarget: GammaTray.lnk -> C:\Program Files\MagicTune Premium\GammaTray.exe ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Smart Wizard Wireless Settings.lnk
ShortcutTarget: Smart Wizard Wireless Settings.lnk -> C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe ()
BootExecute: autocheck autochk * SsiEfr.e

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
HKLM SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.c...ferrer:source?}
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.c...ferrer:source?}
HKCU SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.c...Box&Form=IE8SRC
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.c...Box&Form=IE8SRC
BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)
BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell....iler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} http://www.classlink...FILES/wfica.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1133059359261
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab
DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} https://owa.markelco.../WhlCompMgr.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab
DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} http://scan.networkm...-ship-WD.V1.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://www.popcap.co...aploader_v6.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.we...bex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://my.markelcor...perSetupSP1.cab
DPF: {E856B973-45FD-4559-8F82-EAB539144667} http://pccheckup.del...ll/gtdownde.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://my.markelcor...SetupClient.cab
Handler: ipp - No CLSID Value -
Handler: msdaipp - No CLSID Value -
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [147456] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

Chrome:
=======
CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR Extension: (Docs) - C:\Documents and Settings\loutemp4\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.0.0.6_0
CHR Extension: (Google Drive) - C:\Documents and Settings\loutemp4\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0
CHR Extension: (YouTube) - C:\Documents and Settings\loutemp4\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0
CHR Extension: (Google Search) - C:\Documents and Settings\loutemp4\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0
CHR Extension: (Gmail) - C:\Documents and Settings\loutemp4\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0

========================== Services (Whitelisted) =================

R2 Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [116040 2008-07-22] (Apple Inc.)
R2 Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [558520 2011-02-07] (Symantec Corporation)
R2 ccEvtMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2012-04-25] (Symantec Corporation)
R2 ccSetMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2012-04-25] (Symantec Corporation)
R2 Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.EXE [44032 1999-12-13] (Creative Technology Ltd)
S3 DMService; C:\WINDOWS\DOWNLO~1\DMService.exe [487312 2012-08-10] (Microsoft Corporation)
S3 DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [76848 2007-03-07] ()
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [106280 2013-06-17] (SurfRight B.V.)
R2 JuniperAccessService; C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [162136 2013-01-09] (Juniper Networks, Inc.)
S3 LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [3093944 2011-02-07] (Symantec Corporation)
R2 MagicTuneEngine; C:\Program Files\MagicTune Premium\MagicTuneEngine.exe [45056 2007-08-23] ()
R2 McrdSvc; C:\WINDOWS\ehome\mcrdsvc.exe [99328 2005-08-05] (Microsoft Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] (Microsoft Corporation)
S2 NETGEARGenieDaemon; C:\Program Files\NETGEAR Genie\bin\NETGEARGenieDaemon.exe [1029408 2011-10-23] (NETGEAR)
S3 NetSvc; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [147456 2004-11-19] (Intel® Corporation)
R2 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [1897960 2012-04-25] (Symantec Corporation)
S4 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [357808 2012-04-25] (Symantec Corporation)
R2 sprtsvc_dellsupportcenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe [201968 2008-08-13] (SupportSoft, Inc.)
R2 Symantec AntiVirus; C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [1846592 2012-04-25] (Symantec Corporation)
S2 SymWSC; C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe [316544 2004-11-02] (Symantec Corporation)
R2 uagqecsvc; C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe [150928 2010-11-25] (Microsoft Corporation)
R2 Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [24652 2007-01-04] (Viewpoint Corporation)
R2 WMDM PMSP Service; C:\WINDOWS\system32\MsPMSPSv.exe [53520 2000-06-26] (Microsoft Corporation)
S2 avast! Antivirus; "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" [x]
R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf" [x]

==================== Drivers (Whitelisted) ====================

R2 AegisP; C:\Windows\System32\DRIVERS\AegisP.sys [21035 2007-05-22] (Meetinghouse Data Communications)
R3 ati2mtag; C:\Windows\System32\DRIVERS\ati2mtag.sys [1273344 2005-08-04] (ATI Technologies Inc.)
S3 COH_Mon; C:\WINDOWS\system32\Drivers\COH_Mon.sys [23888 2012-04-25] (Symantec Corporation)
R2 drvnddm; C:\Windows\System32\drivers\drvnddm.sys [40480 2004-11-23] (Sonic Solutions)
S3 DSproct; C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys [4736 2006-10-05] (Gteko Ltd.)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-08-08] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-08-08] (Symantec Corporation)
S3 hitmanpro35; C:\WINDOWS\system32\drivers\hitmanpro35.sys [16968 2010-12-08] ()
S3 hitmanpro37; C:\WINDOWS\system32\drivers\hitmanpro37.sys [30464 2013-06-24] ()
S3 HPFXBULK; C:\Windows\System32\drivers\hpfxbulk.sys [9344 2006-06-12] (Hewlett Packard)
R3 IntelC51; C:\Windows\System32\DRIVERS\IntelC51.sys [1233525 2004-03-06] (Intel Corporation)
R3 IntelC52; C:\Windows\System32\DRIVERS\IntelC52.sys [647929 2004-03-06] (Intel Corporation)
R3 IntelC53; C:\Windows\System32\DRIVERS\IntelC53.sys [61157 2004-06-16] (Intel Corporation)
R3 JNPRNA; C:\Windows\System32\DRIVERS\jnprna5.sys [446712 2012-12-05] (Juniper Networks, Inc.)
R1 jnprTdi_730_29921; C:\WINDOWS\system32\Drivers\jnprTdi_730_29921.sys [91248 2012-12-07] (Juniper Networks, Inc.)
R3 JnprVaMgr; C:\Windows\System32\DRIVERS\jnprvamgr.sys [36776 2012-05-11] (Juniper Networks, Inc.)
R3 MagicTune; C:\Windows\System32\drivers\MTiCtwl.sys [13056 2007-11-23] (Samsung Electronics, Inc. )
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\mbamswissarmy.sys [40776 2013-06-20] (Malwarebytes Corporation)
R2 MDC8021X; C:\Windows\System32\DRIVERS\mdc8021x.sys [15781 2004-10-04] (Meetinghouse Data Communications)
R3 mohfilt; C:\Windows\System32\DRIVERS\mohfilt.sys [37048 2004-03-06] (Intel Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
R3 NAVENG; C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20130623.002\NAVENG.SYS [93272 2013-05-21] (Symantec Corporation)
R3 NAVEX15; C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20130623.002\NAVEX15.SYS [1611992 2013-05-21] (Symantec Corporation)
R1 NEOFLTR_700_17289; C:\WINDOWS\system32\Drivers\NEOFLTR_700_17289.SYS [84336 2010-12-16] (Juniper Networks)
R3 P17; C:\Windows\System32\drivers\P17.sys [840960 2004-06-09] (Creative Technology Ltd.)
S3 PCANDIS5; C:\WINDOWS\system32\PCANDIS5.SYS [16292 2004-10-04] (Printing Communications Assoc., Inc. (PCAUSA))
R2 PfModNT; C:\WINDOWS\system32\drivers\PfModNT.sys [15840 2003-03-05] (Creative Technology Ltd.)
R1 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2012-04-25] (Symantec Corporation)
R1 SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [287352 2012-04-25] (Symantec Corporation)
S3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [321016 2012-04-25] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [43768 2012-04-25] (Symantec Corporation)
R1 sscdbhk5; C:\Windows\System32\drivers\sscdbhk5.sys [5627 2004-07-14] (Sonic Solutions)
R1 ssrtln; C:\Windows\System32\drivers\ssrtln.sys [23545 2004-07-14] (Sonic Solutions)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [126584 2012-04-26] (Symantec Corporation)
R3 SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [26416 2012-04-25] (Symantec Corporation)
R1 SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [188080 2012-04-25] (Symantec Corporation)
R2 tfsnboio; C:\Windows\System32\dla\tfsnboio.sys [25883 2004-12-06] (Sonic Solutions)
R2 tfsncofs; C:\Windows\System32\dla\tfsncofs.sys [34843 2004-12-06] (Sonic Solutions)
R2 tfsndrct; C:\Windows\System32\dla\tfsndrct.sys [4123 2004-12-06] (Sonic Solutions)
R2 tfsndres; C:\Windows\System32\dla\tfsndres.sys [2239 2004-12-06] (Sonic Solutions)
R2 tfsnifs; C:\Windows\System32\dla\tfsnifs.sys [86586 2004-12-06] (Sonic Solutions)
R2 tfsnopio; C:\Windows\System32\dla\tfsnopio.sys [15227 2004-12-06] (Sonic Solutions)
R2 tfsnpool; C:\Windows\System32\dla\tfsnpool.sys [6363 2004-12-06] (Sonic Solutions)
R2 tfsnudf; C:\Windows\System32\dla\tfsnudf.sys [98714 2004-12-06] (Sonic Solutions)
R2 tfsnudfa; C:\Windows\System32\dla\tfsnudfa.sys [100603 2004-12-06] (Sonic Solutions)
S3 wceusbsh; C:\Windows\System32\DRIVERS\wceusbsh.sys [28672 2006-11-06] (Microsoft Corporation)
S3 wg111nd5; C:\Windows\System32\DRIVERS\wg111nd5.sys [379488 2004-10-04] (NETGEAR, Inc.)
S1 Aavmker4; No ImagePath
S4 Abiosdsk; No ImagePath
S2 aswFsBlk; No ImagePath
S2 aswMon2; No ImagePath
S1 aswRdr; No ImagePath
S1 aswSnx; No ImagePath
S1 aswSP; No ImagePath
S1 aswTdi; No ImagePath
S4 Atdisk; No ImagePath
S3 bvrp_pci; No ImagePath
S3 catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys [x]
S1 Changer; No ImagePath
S2 DP1112; \??\C:\WINDOWS\system32\Drivers\DP.sys [x]
S3 krdpdre; \??\C:\DOCUME~1\default\LOCALS~1\Temp\krdpdre.sys [x]
S1 lbrtfdc; No ImagePath
S3 MmedFilter; \??\C:\WINDOWS\system32\Drivers\MmedFilter.sys [x]
S1 PCIDump; No ImagePath
S3 PDCOMP; No ImagePath
S3 PDFRAME; No ImagePath
S3 PDRELI; No ImagePath
S3 PDRFRAME; No ImagePath
S3 RTLWUSB; system32\DRIVERS\wg111v2.sys [x]
S4 Simbad; No ImagePath
S3 wanatw; system32\DRIVERS\wanatw4.sys [x]
S3 WDICA; No ImagePath

==================== NetSvcs (Whitelisted) ===================

NETSVC: MHN -> C:\Windows\System32\mhn.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

2013-06-25 07:01 - 2013-06-25 07:01 - 00000000 ____D C:\FRST
2013-06-25 06:59 - 2013-06-25 06:59 - 01370263 ____A (Farbar) C:\Documents and Settings\loutemp4\Desktop\FRST.exe
2013-06-24 21:07 - 2013-06-24 21:07 - 05082330 ____A (Swearware) C:\Documents and Settings\loutemp4\Desktop\ComboFix.exe
2013-06-24 14:00 - 2013-06-24 14:00 - 00030464 ____A C:\Windows\System32\Drivers\hitmanpro37.sys
2013-06-24 12:28 - 2013-06-24 12:28 - 00000000 ____D C:\_OTL
2013-06-23 19:30 - 2013-06-23 19:30 - 00050168 ____A C:\Documents and Settings\loutemp4\My Documents\Extras.Txt
2013-06-23 19:28 - 2013-06-23 19:28 - 00100730 ____A C:\Documents and Settings\loutemp4\My Documents\OTL.Txt
2013-06-23 19:12 - 2013-06-23 19:12 - 00100730 ____A C:\Documents and Settings\loutemp4\Desktop\OTL.Txt
2013-06-23 19:12 - 2013-06-23 19:12 - 00050168 ____A C:\Documents and Settings\loutemp4\Desktop\Extras.Txt
2013-06-23 19:07 - 2013-06-23 19:07 - 00602112 ____A (OldTimer Tools) C:\Documents and Settings\loutemp4\Desktop\OTL.exe
2013-06-23 19:02 - 2013-06-23 19:02 - 00000000 __SHD C:\Documents and Settings\loutemp4\PrivacIE
2013-06-23 19:02 - 2013-06-23 19:02 - 00000000 ____D C:\Documents and Settings\loutemp4\Application Data\Adobe
2013-06-23 15:06 - 2013-06-23 15:07 - 00728448 ____A (Enigma Software Group USA, LLC.) C:\Documents and Settings\loutemp4\My Documents\SpyHunter-Installer.exe
2013-06-22 11:27 - 2013-06-22 11:27 - 00000000 ____D C:\Documents and Settings\loutemp4\Local Settings\Application Data\Google
2013-06-22 11:21 - 2013-06-22 11:21 - 00000000 ____D C:\Documents and Settings\loutemp4\Local Settings\Application Data\BVRP Software
2013-06-22 11:18 - 2013-06-22 11:18 - 00002528 ____A C:\Documents and Settings\loutemp4\Application Data\$_hpcst$.hpc
2013-06-22 11:17 - 2013-06-22 11:17 - 00000000 ____D C:\Documents and Settings\loutemp4\Local Settings\Application Data\SupportSoft
2013-06-22 11:17 - 2013-06-22 11:17 - 00000000 ____D C:\Documents and Settings\loutemp4\Local Settings\Application Data\Apple Computer
2013-06-22 11:17 - 2013-06-22 11:17 - 00000000 ____D C:\Documents and Settings\loutemp4\Local Settings\Application Data\AOL
2013-06-22 11:17 - 2013-06-22 11:17 - 00000000 ____D C:\Documents and Settings\loutemp4\Application Data\Real
2013-06-22 11:17 - 2013-06-22 11:17 - 00000000 ____D C:\Documents and Settings\loutemp4\Application Data\Juniper Networks
2013-06-22 11:17 - 2013-06-22 11:17 - 00000000 ____D C:\Documents and Settings\loutemp4\Application Data\HP
2013-06-22 11:17 - 2013-06-22 11:17 - 00000000 ____D C:\Documents and Settings\loutemp4\Application Data\GTek
2013-06-22 11:16 - 2013-06-22 11:28 - 00001813 ____A C:\Documents and Settings\loutemp4\Desktop\Google Chrome.lnk
2013-06-22 11:16 - 2013-06-22 11:16 - 00000782 ____A C:\Documents and Settings\loutemp4\Desktop\Windows Media Player.lnk
2013-06-22 11:15 - 2013-06-24 14:03 - 00000062 __ASH C:\Documents and Settings\loutemp4\Local Settings\desktop.ini
2013-06-22 11:15 - 2013-06-24 13:55 - 00000178 ___SH C:\Documents and Settings\loutemp4\ntuser.ini
2013-06-22 11:15 - 2013-06-22 11:15 - 00000000 ____D C:\Documents and Settings\loutemp4\Local Settings\Application Data\Symantec
2013-06-22 11:15 - 2012-05-10 08:56 - 00000000 __SHD C:\Documents and Settings\loutemp4\IETldCache
2013-06-22 11:15 - 2011-03-16 09:48 - 00000000 ____D C:\Documents and Settings\loutemp4\Application Data\Macromedia
2013-06-22 11:15 - 2005-11-08 23:20 - 00000000 ____D C:\Documents and Settings\loutemp4\Application Data\Creative
2013-06-22 11:15 - 2005-11-08 23:15 - 00000000 ____D C:\Documents and Settings\loutemp4\Local Settings\Application Data\Wildtangent
2013-06-22 11:15 - 2005-11-08 23:15 - 00000000 ____D C:\Documents and Settings\loutemp4\Local Settings\Application Data\Musicmatch
2013-06-22 11:15 - 2005-11-08 23:14 - 00000000 ____D C:\Documents and Settings\loutemp4\My Documents\CCWin
2013-06-22 11:15 - 2005-11-08 23:03 - 00000000 ____D C:\Documents and Settings\loutemp4\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142030}
2013-06-22 11:15 - 2005-11-08 23:03 - 00000000 ____D C:\Documents and Settings\loutemp4\Application Data\Sun
2013-06-22 11:15 - 2005-08-16 22:52 - 00000136 ____A C:\Documents and Settings\loutemp4\Local Settings\Application Data\fusioncache.dat
2013-06-22 11:15 - 2005-08-16 06:52 - 00001298 ____A C:\Documents and Settings\loutemp4\Desktop\Media Center.lnk
2013-06-22 11:15 - 2005-08-16 06:33 - 00000062 __ASH C:\Documents and Settings\loutemp4\Application Data\desktop.ini
2013-06-20 22:47 - 2013-06-20 22:59 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2013-06-20 22:21 - 2013-06-20 22:21 - 00000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-06-20 18:08 - 2013-06-20 18:08 - 10285040 ____A (Malwarebytes Corporation ) C:\mbam-setup-1.75.0.1300.exe
2013-06-20 18:08 - 2013-06-20 18:08 - 00000071 ____A C:\.directory
2013-06-20 14:11 - 2013-06-20 14:11 - 01097634 ____A C:\Documents and Settings\All Users\Application Data\2433f433
2013-06-20 14:06 - 2013-06-20 18:57 - 00000000 ___AD C:\Kaspersky Rescue Disk 10.0
2013-06-20 13:21 - 2013-06-20 22:45 - 00000000 ___SD C:\ComboFix
2013-06-18 21:09 - 2013-06-18 21:09 - 00070400 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT
2013-06-17 01:01 - 2013-06-17 14:22 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro
2013-06-17 01:01 - 2013-06-17 13:42 - 00001610 ____A C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk
2013-06-17 01:01 - 2013-06-17 13:42 - 00000000 ____D C:\Program Files\HitmanPro
2013-06-13 09:01 - 2013-06-13 09:01 - 00000000 __HDC C:\Windows\$NtUninstallKB2839229$
2013-06-13 08:45 - 2013-06-13 08:48 - 00015298 ____A C:\Windows\KB2838727-IE8.log
2013-06-12 07:51 - 2013-06-13 09:01 - 00020250 ____A C:\Windows\KB2839229.log

==================== One Month Modified Files and Folders ========

2013-06-25 07:01 - 2013-06-25 07:01 - 00000000 ____D C:\FRST
2013-06-25 06:59 - 2013-06-25 06:59 - 01370263 ____A (Farbar) C:\Documents and Settings\loutemp4\Desktop\FRST.exe
2013-06-25 00:24 - 2012-04-27 23:46 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-24 23:43 - 2013-05-05 00:38 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-24 22:46 - 2005-08-16 06:40 - 01291747 ____A C:\Windows\WindowsUpdate.log
2013-06-24 21:07 - 2013-06-24 21:07 - 05082330 ____A (Swearware) C:\Documents and Settings\loutemp4\Desktop\ComboFix.exe
2013-06-24 14:04 - 2013-05-05 00:38 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-24 14:03 - 2013-06-22 11:15 - 00000062 __ASH C:\Documents and Settings\loutemp4\Local Settings\desktop.ini
2013-06-24 14:03 - 2005-08-16 06:49 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-24 14:03 - 2005-08-16 06:38 - 00000000 ____D C:\Windows\Registration
2013-06-24 14:03 - 2005-08-16 06:35 - 00000159 ____A C:\Windows\wiadebug.log
2013-06-24 14:03 - 2005-08-16 06:35 - 00000049 ____A C:\Windows\wiaservc.log
2013-06-24 14:00 - 2013-06-24 14:00 - 00030464 ____A C:\Windows\System32\Drivers\hitmanpro37.sys
2013-06-24 14:00 - 2005-08-16 06:49 - 00032510 ____A C:\Windows\SchedLgU.Txt
2013-06-24 14:00 - 2005-08-16 06:18 - 00002206 ____A C:\Windows\System32\wpa.dbl
2013-06-24 13:55 - 2013-06-22 11:15 - 00000178 ___SH C:\Documents and Settings\loutemp4\ntuser.ini
2013-06-24 12:28 - 2013-06-24 12:28 - 00000000 ____D C:\_OTL
2013-06-23 20:18 - 2005-08-16 06:38 - 00000000 ____D C:\Windows\System32\FxsTmp
2013-06-23 19:30 - 2013-06-23 19:30 - 00050168 ____A C:\Documents and Settings\loutemp4\My Documents\Extras.Txt
2013-06-23 19:28 - 2013-06-23 19:28 - 00100730 ____A C:\Documents and Settings\loutemp4\My Documents\OTL.Txt
2013-06-23 19:12 - 2013-06-23 19:12 - 00100730 ____A C:\Documents and Settings\loutemp4\Desktop\OTL.Txt
2013-06-23 19:12 - 2013-06-23 19:12 - 00050168 ____A C:\Documents and Settings\loutemp4\Desktop\Extras.Txt
2013-06-23 19:07 - 2013-06-23 19:07 - 00602112 ____A (OldTimer Tools) C:\Documents and Settings\loutemp4\Desktop\OTL.exe
2013-06-23 19:02 - 2013-06-23 19:02 - 00000000 __SHD C:\Documents and Settings\loutemp4\PrivacIE
2013-06-23 19:02 - 2013-06-23 19:02 - 00000000 ____D C:\Documents and Settings\loutemp4\Application Data\Adobe
2013-06-23 15:19 - 2009-02-23 10:13 - 00000000 __SHD C:\Windows\CSC
2013-06-23 15:07 - 2013-06-23 15:06 - 00728448 ____A (Enigma Software Group USA, LLC.) C:\Documents and Settings\loutemp4\My Documents\SpyHunter-Installer.exe
2013-06-22 11:28 - 2013-06-22 11:16 - 00001813 ____A C:\Documents and Settings\loutemp4\Desktop\Google Chrome.lnk
2013-06-22 11:27 - 2013-06-22 11:27 - 00000000 ____D C:\Documents and Settings\loutemp4\Local Settings\Application Data\Google
2013-06-22 11:21 - 2013-06-22 11:21 - 00000000 ____D C:\Documents and Settings\loutemp4\Local Settings\Application Data\BVRP Software
2013-06-22 11:18 - 2013-06-22 11:18 - 00002528 ____A C:\Documents and Settings\loutemp4\Application Data\$_hpcst$.hpc
2013-06-22 11:17 - 2013-06-22 11:17 - 00000000 ____D C:\Documents and Settings\loutemp4\Local Settings\Application Data\SupportSoft
2013-06-22 11:17 - 2013-06-22 11:17 - 00000000 ____D C:\Documents and Settings\loutemp4\Local Settings\Application Data\Apple Computer
2013-06-22 11:17 - 2013-06-22 11:17 - 00000000 ____D C:\Documents and Settings\loutemp4\Local Settings\Application Data\AOL
2013-06-22 11:17 - 2013-06-22 11:17 - 00000000 ____D C:\Documents and Settings\loutemp4\Application Data\Real
2013-06-22 11:17 - 2013-06-22 11:17 - 00000000 ____D C:\Documents and Settings\loutemp4\Application Data\Juniper Networks
2013-06-22 11:17 - 2013-06-22 11:17 - 00000000 ____D C:\Documents and Settings\loutemp4\Application Data\HP
2013-06-22 11:17 - 2013-06-22 11:17 - 00000000 ____D C:\Documents and Settings\loutemp4\Application Data\GTek
2013-06-22 11:16 - 2013-06-22 11:16 - 00000782 ____A C:\Documents and Settings\loutemp4\Desktop\Windows Media Player.lnk
2013-06-22 11:15 - 2013-06-22 11:15 - 00000000 ____D C:\Documents and Settings\loutemp4\Local Settings\Application Data\Symantec
2013-06-20 22:59 - 2013-06-20 22:47 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2013-06-20 22:45 - 2013-06-20 13:21 - 00000000 ___SD C:\ComboFix
2013-06-20 22:21 - 2013-06-20 22:21 - 00000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-06-20 21:54 - 2005-12-28 23:43 - 00000000 ____D C:\Windows\pss
2013-06-20 21:54 - 2005-11-08 22:49 - 00000353 __ASH C:\boot.ini
2013-06-20 21:54 - 2005-08-16 06:18 - 00000650 ____A C:\Windows\win.ini
2013-06-20 21:54 - 2005-08-16 06:18 - 00000227 ____A C:\Windows\system.ini
2013-06-20 18:57 - 2013-06-20 14:06 - 00000000 ___AD C:\Kaspersky Rescue Disk 10.0
2013-06-20 18:52 - 2010-11-21 18:58 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-06-20 18:08 - 2013-06-20 18:08 - 10285040 ____A (Malwarebytes Corporation ) C:\mbam-setup-1.75.0.1300.exe
2013-06-20 18:08 - 2013-06-20 18:08 - 00000071 ____A C:\.directory
2013-06-20 14:13 - 2010-12-08 00:20 - 00001076 ____A C:\Windows\System32\.crusader
2013-06-20 14:11 - 2013-06-20 14:11 - 01097634 ____A C:\Documents and Settings\All Users\Application Data\2433f433
2013-06-20 13:41 - 2010-11-26 15:44 - 00000000 ____D C:\Qoobox
2013-06-20 13:40 - 2005-11-09 04:49 - 43483136 ____A C:\Windows\System32\config\SOFTWARE.bak
2013-06-20 13:40 - 2005-11-09 04:44 - 12582912 ____A C:\Windows\System32\config\SYSTEM.bak
2013-06-20 13:40 - 2005-08-16 00:27 - 00774144 ____A C:\Windows\System32\config\DEFAULT.bak
2013-06-20 13:40 - 2005-08-16 00:27 - 00262144 ____A C:\Windows\System32\config\SAM.bak
2013-06-20 13:40 - 2005-08-16 00:27 - 00065536 ____A C:\Windows\System32\config\SECURITY.bak
2013-06-20 13:39 - 2010-11-26 16:42 - 00008192 ___AH C:\Windows\System32\config\SECURITY.tmp.LOG
2013-06-20 13:39 - 2010-11-26 15:45 - 00000000 ____D C:\Windows\ERDNT
2013-06-19 22:34 - 2005-12-29 22:19 - 00000000 ____D C:\Program Files\Microsoft ActiveSync
2013-06-18 21:09 - 2013-06-18 21:09 - 00070400 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT
2013-06-17 14:22 - 2013-06-17 01:01 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro
2013-06-17 13:42 - 2013-06-17 01:01 - 00001610 ____A C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk
2013-06-17 13:42 - 2013-06-17 01:01 - 00000000 ____D C:\Program Files\HitmanPro
2013-06-13 09:01 - 2013-06-13 09:01 - 00000000 __HDC C:\Windows\$NtUninstallKB2839229$
2013-06-13 09:01 - 2013-06-12 07:51 - 00020250 ____A C:\Windows\KB2839229.log
2013-06-13 09:01 - 2005-08-16 06:33 - 03090117 ____A C:\Windows\FaxSetup.log
2013-06-13 09:01 - 2005-08-16 06:33 - 01488203 ____A C:\Windows\ocgen.log
2013-06-13 09:01 - 2005-08-16 06:33 - 01416314 ____A C:\Windows\tsoc.log
2013-06-13 09:01 - 2005-08-16 06:33 - 01353747 ____A C:\Windows\iis6.log
2013-06-13 09:01 - 2005-08-16 06:33 - 01001631 ____A C:\Windows\comsetup.log
2013-06-13 09:01 - 2005-08-16 06:33 - 00941982 ____A C:\Windows\msmqinst.log
2013-06-13 09:01 - 2005-08-16 06:33 - 00607311 ____A C:\Windows\ntdtcsetup.log
2013-06-13 09:01 - 2005-08-16 06:33 - 00554893 ____A C:\Windows\netfxocm.log
2013-06-13 09:01 - 2005-08-16 06:33 - 00350112 ____A C:\Windows\plusoc.log
2013-06-13 09:01 - 2005-08-16 06:33 - 00324469 ____A C:\Windows\MedCtrOC.log
2013-06-13 09:01 - 2005-08-16 06:33 - 00170397 ____A C:\Windows\ehOCGen.log
2013-06-13 09:01 - 2005-08-16 06:33 - 00166345 ____A C:\Windows\ocmsn.log
2013-06-13 09:01 - 2005-08-16 06:33 - 00155395 ____A C:\Windows\tabletoc.log
2013-06-13 09:01 - 2005-08-16 06:33 - 00154578 ____A C:\Windows\msgsocm.log
2013-06-13 09:01 - 2005-08-16 06:33 - 00001374 ____A C:\Windows\imsins.log
2013-06-13 08:48 - 2013-06-13 08:45 - 00015298 ____A C:\Windows\KB2838727-IE8.log
2013-06-13 08:48 - 2005-11-28 10:13 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-06-13 08:48 - 2005-08-16 06:33 - 00001374 ____A C:\Windows\imsins.BAK
2013-06-13 08:47 - 2005-08-16 23:04 - 00473478 ____A C:\Windows\updspapi.log
2013-06-12 08:24 - 2012-04-27 23:46 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-06-12 08:24 - 2011-05-29 23:20 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-06-05 11:02 - 2006-12-12 00:09 - 00000284 ____A C:\Windows\Tasks\AppleSoftwareUpdate.job
2013-06-01 11:19 - 2005-08-16 06:22 - 00000000 ____D C:\Windows\Help

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe
[2005-08-16 06:18] - [2008-04-13 20:12] - 1033728 ____A (Microsoft Corporation)

C:\Windows\System32\winlogon.exe
[2005-08-16 06:18] - [2008-04-13 20:12] - 0507904 ____A (Microsoft Corporation)

C:\Windows\System32\svchost.exe
[2005-08-16 06:18] - [2008-04-13 20:12] - 0014336 ____A (Microsoft Corporation)

C:\Windows\System32\services.exe
[2005-08-16 06:18] - [2009-02-06 07:11] - 0110592 ____A (Microsoft Corporation)

C:\Windows\System32\User32.dll
[2005-08-16 06:18] - [2008-04-13 20:12] - 0578560 ____A (Microsoft Corporation)

C:\Windows\System32\userinit.exe
[2005-08-16 06:18] - [2008-04-13 20:12] - 0026112 ____A (Microsoft Corporation)

C:\Windows\System32\Drivers\volsnap.sys
[2005-08-16 06:18] - [2008-04-13 14:41] - 0052352 ____A (Microsoft Corporation)


==================== End Of Log ============================



Additional scan result of Farbar Recovery Scan Tool (x86) Version: 25-06-2013 01
Ran by loutemp4 at 2013-06-25 07:02:07
Running from C:\Documents and Settings\loutemp4\Desktop
Boot Mode: Normal
==========================================================


==================== Installed Programs =======================

Ad-Aware SE Personal (Version: 1.06)
Adobe AIR (Version: 2.5.1.17730)
Adobe Anchor Service CS3 (Version: 1.0)
Adobe Asset Services CS3 (Version: 3)
Adobe Bridge CS3 (Version: 2)
Adobe Bridge Start Meeting (Version: 1.0)
Adobe Camera Raw 4.0 (Version: 4.0)
Adobe CMaps (Version: 1.0)
Adobe Color - Photoshop Specific (Version: 1.0)
Adobe Color Common Settings (Version: 1.0)
Adobe Color EU Extra Settings (Version: 1.0)
Adobe Color JA Extra Settings (Version: 1.0)
Adobe Color NA Recommended Settings (Version: 1.0)
Adobe Default Language CS3 (Version: 1.0)
Adobe Device Central CS3 (Version: 1.0)
Adobe ExtendScript Toolkit 2 (Version: 2.0)
Adobe Flash Player 10 Plugin (Version: 10.0.32.18)
Adobe Flash Player 11 ActiveX (Version: 11.7.700.224)
Adobe Fonts All (Version: 1.0)
Adobe Help Viewer CS3 (Version: 1)
Adobe Linguistics CS3 (Version: 3.0.0)
Adobe PDF Library Files (Version: 8.0)
Adobe Photoshop CS3 (Version: 10)
Adobe Photoshop CS3 (Version: 10.0)
Adobe Reader X (10.1.7) (Version: 10.1.7)
Adobe Setup (Version: 1.0)
Adobe Shockwave Player 11 (Version: 11)
Adobe Stock Photos CS3 (Version: 1.5)
Adobe Type Support (Version: 1.0)
Adobe Update Manager CS3 (Version: 5.1.0)
Adobe Version Cue CS3 Client (Version: 3)
Adobe WinSoft Linguistics Plugin (Version: 1.0)
Adobe XMP Panels CS3 (Version: 1.0)
AIM 6
Amazon MP3 Downloader 1.0.12 (Version: 1.0.12)
AnswerWorks 5.0 English Runtime (Version: 008.000.0003)
AOLIcon (Version: 1.00.0000)
Apple Mobile Device Support (Version: 2.0.1.5)
Apple Software Update (Version: 2.1.1.116)
ATI Control Panel (Version: 6.14.10.5160)
ATI Display Driver (Version: 8.162-050803a2-025672C-Dell)
AutoUpdate (Version: 1.1)
avast! Free Antivirus (Version: 6.0.1091.0)
Bonjour (Version: 1.0.104)
Cisco WebEx Meetings
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
CorePLS_Full_QFolder (Version: 1.00.0000)
CorePLS_Min_QFolder (Version: 1.00.0000)
Coupon Printer for Windows (Version: 4.0)
Coupon Printer for Windows (Version: 5.0.0.1)
Creative MediaSource
Dell Digital Jukebox Driver
Dell Driver Reset Tool (Version: 1.02.0000)
Dell Resource CD (Version: 1.00.0000)
Dell Support Center (Support Software) (Version: 2.2.09085)
Dell System Restore (Version: 2.00.0000)
DellConnect (Version: 1.00.522)
DellSupport (Version: 6.0.3062)
Digital Content Portal (Version: 1.00.0000)
DivX (Version: 6.2.2)
DivX Converter (Version: 6.1.1)
DivX Player (Version: 6.2.0)
DivX Web Player (Version: 1.0.0)
EducateU (Version: 1.00.0000)
EPSON CX7400 User's Guide
EPSON Printer Software
EPSON Scan
EPSON Stylus CX7400 Series Scanner Driver Update
ESPNMotion (Version: 2.1.6.0011)
Exact Audio Copy 0.99pb3 (Version: 0.99pb3)
GemMaster Mystic
Google Chrome (Version: 27.0.1453.116)
Google Update Helper (Version: 1.3.21.145)
H&R Block Deluxe + Efile + State 2010 (Version: 10.04.6402)
H&R Block Deluxe + Efile + State 2011 (Version: 11.05.6901)
H&R Block Deluxe + Efile + State 2012 (Version: 12.05.7803)
H&R Block New Jersey 2010 (Version: 1.10.3001)
H&R Block New Jersey 2011 (Version: 1.11.3401)
H&R Block New Jersey 2012 (Version: 1.12.6301)
High Definition Audio Driver Package - KB835221 (Version: 20040219.000000)
HitmanPro 3.7 (Version: 3.7.6.201)
HP Care Pack Core (Version: 1.0.0.0)
HP Care Pack Products (Version: 1.0.0.0)
HP LaserJet P2015 Series 1.0 (Version: 1.0)
HP Software Update (Version: 3.0.6.003)
hppFonts (Version: 000.106.00040)
hppIOFiles (Version: 001.001.00024)
hppLJP2015 (Version: 000.104.00224)
hppManualsP2015 (Version: 000.104.00210)
hppTLBXFXP2015 (Version: 001.000.00012)
hppWebRegMM (Version: 000.001.00001)
hpzTLBXFX (Version: 002.002.00170)
Intel® 537EP V9x DF PCI Modem
Intel® PRO Network Connections Drivers
Intel® PROSet for Wired Connections (Version: 9.20.0000)
Internet Explorer Default Page (Version: 1.00.03)
Internet Lottery 1.2.0
iPod for Windows 2005-09-23 (Version: 4.3.0)
IrfanView (remove only)
iTunes (Version: 7.7.1.11)
Java 7 Update 21 (Version: 7.0.210)
Java Auto Updater (Version: 2.1.9.5)
Java™ 6 Update 37 (Version: 6.0.370)
Juniper Networks Secure Application Manager (Version: 7.0.0.17289)
Junos Pulse 3.1 (Version: 3.1.31097)
Junos Pulse Core Components (Version: 3.1.31097)
Junos Pulse Drivers Add-On (Version: 3.1.31097)
Junos Pulse Host Checker Plugin Add-On (Version: 3.1.31097)
Junos Pulse Tunnel Manager Add-On (Version: 3.1.31097)
Junos Pulse UAC/NC Components (Version: 3.1.31097)
Learn2 Player (Uninstall Only)
LiveUpdate 3.3 (Symantec Corporation) (Version: 3.3.0.102)
MagicTune Premium (Version: 1.0 Beta)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Memories Viewer 6
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.0 Hotfix (KB2572066)
Microsoft .NET Framework 1.0 Hotfix (KB2604042)
Microsoft .NET Framework 1.0 Hotfix (KB2656378)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.0 Security Update (KB2698035)
Microsoft .NET Framework 1.0 Security Update (KB2742607)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2742597)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft ActiveSync (Version: 4.5.5096.0)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Forefront UAG endpoint components v4.0.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Plus! Digital Media Edition Installer (Version: 1.1.0.3514)
Microsoft Plus! Photo Story 2 LE (Version: 1.1.0.3463)
Microsoft Security Client (Version: 4.2.0223.1)
Microsoft Security Essentials (Version: 4.2.223.1)
Microsoft Silverlight (Version: 5.1.20125.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Modem Event Monitor
Modem Helper (Version: 2.40)
Modem On Hold (Version: 1.12)
Musicmatch for Windows Media Player (Version: 0.00.000)
Musicmatch® Jukebox (Version: 10.10.0097)
NETGEAR Genie
NETGEAR WG111 Software
Norton WMI Update (Version: 2005.1.2.20)
Otto
PDF Settings (Version: 1.0)
Pdf995 (installed by H&R Block)
PdfEdit995 (installed by H&R Block)
PowerDVD 5.9
Product_SF_Full_QFolder (Version: 1.00.0000)
Product_SF_Min_QFolder (Version: 1.00.0000)
QuickTime (Version: 7.50.61.0)
RealPlayer
Replay Media Catcher 3.01 (Version: 3.01)
Snood for Windows version 3.52-W
Sonic DLA (Version: 4.95)
Sonic Encoders (Version: 1.00)
Sonic MyDVD LE (Version: 6.1.1)
Sonic RecordNow Audio (Version: 2.0.0)
Sonic RecordNow Copy (Version: 2.0.0)
Sonic RecordNow Data (Version: 2.0.0.1)
Sonic Update Manager (Version: 3.0.0)
Sound Blaster Live! 24-bit
Spybot - Search & Destroy (Version: 1.6.2)
Symantec Endpoint Protection (Version: 11.0.7000.975)
TurboTax 2008
TurboTax 2008 WinPerFedFormset (Version: 008.000.0338)
TurboTax 2008 WinPerProgramHelp (Version: 008.000.0218)
TurboTax 2008 WinPerReleaseEngine (Version: 008.000.0190)
TurboTax 2008 WinPerTaxSupport (Version: 008.000.1000)
TurboTax 2008 WinPerUserEducation (Version: 008.000.0428)
TurboTax 2008 wnjiper (Version: 008.000.0112)
TurboTax 2008 wrapper (Version: 008.000.0065)
TurboTax 2009
TurboTax 2009 WinPerFedFormset (Version: 009.000.2163)
TurboTax 2009 WinPerReleaseEngine (Version: 009.000.0328)
TurboTax 2009 WinPerTaxSupport (Version: 009.000.0238)
TurboTax 2009 wnjiper (Version: 009.000.0775)
TurboTax 2009 wrapper (Version: 009.000.0145)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Windows Internet Explorer 7 (KB976749) (Version: 1)
Update for Windows Internet Explorer 7 (KB980182) (Version: 1)
Update for Windows Internet Explorer 8 (KB2598845) (Version: 1)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB951072-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
Update Rollup 2 for Windows XP Media Center Edition 2005
VC8 CRT (Version: 8.0.50727.762)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Visualizer Photo Resize (Version: 3.00.0000)
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.5.0540.0)
Windows Genuine Advantage v1.3.0254.0 (Version: 1.3.0254.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Installer Clean Up (Version: 3.00.00.0000)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows Media Player 10 (Version: 9.00.3636)
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Media Player Firefox Plugin (Version: 1.0.0.8)
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB2619340
Windows XP Media Center Edition 2005 KB2628259
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3 (Version: 20080414.031525)
WinRAR archiver
WinZip (Version: 10.0 (6685))
XviD 1.2.-127 +SMP Alpha uninstall (Version: 1.1)

==================== Restore Points =========================

Could not list Restore Points.


==================== Scheduled Tasks (whitelisted) =============

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\AppleSoftwareUpdate.job => C:\Program Files\Apple Software Update\SoftwareUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Faulty Device Manager Devices =============

Name:
Description:
Class Guid:
Manufacturer:
Service: NPF
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (06/25/2013 06:56:59 AM) (Source: SescLU) (User: )
Description: LiveUpdate returned a non-critical error. Available content updates may have failed to install.

Error: (06/24/2013 02:03:41 PM) (Source: MSSHA) (User: )
Description: The Windows Security Health Agent could not be initialized.
Failure Code: 80070424.

Error: (06/24/2013 01:58:32 PM) (Source: MSSHA) (User: )
Description: The Windows Security Health Agent could not be initialized.
Failure Code: 80070424.

Error: (06/24/2013 00:30:48 PM) (Source: MSSHA) (User: )
Description: The Windows Security Health Agent could not be initialized.
Failure Code: 80070424.

Error: (06/21/2013 07:24:49 PM) (Source: MSSHA) (User: )
Description: The Windows Security Health Agent could not be initialized.
Failure Code: 80070424.

Error: (06/20/2013 08:45:33 PM) (Source: MSSHA) (User: )
Description: The Windows Security Health Agent could not be initialized.
Failure Code: 80070424.

Error: (06/20/2013 05:57:40 PM) (Source: MSSHA) (User: )
Description: The Windows Security Health Agent could not be initialized.
Failure Code: 80070424.

Error: (06/19/2013 09:30:49 PM) (Source: MSSHA) (User: )
Description: The Windows Security Health Agent could not be initialized.
Failure Code: 80070424.

Error: (06/19/2013 07:37:00 PM) (Source: Automatic LiveUpdate Scheduler) (User: NT AUTHORITY)
Description: Information Level: error

Initialization of the COM subsystem failed. Error code: 0x8007041D

Error: (06/19/2013 07:32:05 PM) (Source: MSSHA) (User: )
Description: The Windows Security Health Agent could not be initialized.
Failure Code: 80070424.


System errors:
=============
Error: (06/24/2013 10:46:16 PM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 1.153.258.0

Update Source: %NT AUTHORITY59

Update Stage: 4.2.0223.00

Source Path: 4.2.0223.01

Signature Type: %NT AUTHORITY602

Update Type: %NT AUTHORITY604

User: NT AUTHORITY\SYSTEM

Current Engine Version: %NT AUTHORITY605

Previous Engine Version: %NT AUTHORITY606

Error code: %NT AUTHORITY607

Error description: %NT AUTHORITY608

Error: (06/24/2013 08:42:58 PM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 1.153.258.0

Update Source: %NT AUTHORITY59

Update Stage: 4.2.0223.00

Source Path: 4.2.0223.01

Signature Type: %NT AUTHORITY602

Update Type: %NT AUTHORITY604

User: NT AUTHORITY\SYSTEM

Current Engine Version: %NT AUTHORITY605

Previous Engine Version: %NT AUTHORITY606

Error code: %NT AUTHORITY607

Error description: %NT AUTHORITY608

Error: (06/24/2013 02:13:39 PM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 1.153.258.0

Update Source: %NT AUTHORITY59

Update Stage: 4.2.0223.00

Source Path: 4.2.0223.01

Signature Type: %NT AUTHORITY602

Update Type: %NT AUTHORITY604

User: NT AUTHORITY\SYSTEM

Current Engine Version: %NT AUTHORITY605

Previous Engine Version: %NT AUTHORITY606

Error code: %NT AUTHORITY607

Error description: %NT AUTHORITY608

Error: (06/24/2013 02:03:47 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Aavmker4
aswRdr
aswSnx
aswSP
aswTdi

Error: (06/24/2013 02:03:44 PM) (Source: Service Control Manager) (User: )
Description: The NETGEARGenieDaemon service failed to start due to the following error:
%%1053

Error: (06/24/2013 02:03:44 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the NETGEARGenieDaemon service to connect.

Error: (06/24/2013 02:03:44 PM) (Source: Service Control Manager) (User: )
Description: The DP1112 service failed to start due to the following error:
%%2

Error: (06/24/2013 02:03:44 PM) (Source: Service Control Manager) (User: )
Description: The avast! Antivirus service depends on the avast! Standard Shield Support service which failed to start because of the following error:
%%2

Error: (06/24/2013 02:03:44 PM) (Source: Service Control Manager) (User: )
Description: The avast! Standard Shield Support service failed to start due to the following error:
%%2

Error: (06/24/2013 02:03:44 PM) (Source: Service Control Manager) (User: )
Description: The aswFsBlk service failed to start due to the following error:
%%2


Microsoft Office Sessions:
=========================
Error: (06/25/2013 06:56:59 AM) (Source: SescLU)(User: )
Description: LiveUpdate returned a non-critical error. Available content updates may have failed to install.

Error: (06/24/2013 02:03:41 PM) (Source: MSSHA)(User: )
Description: 80070424

Error: (06/24/2013 01:58:32 PM) (Source: MSSHA)(User: )
Description: 80070424

Error: (06/24/2013 00:30:48 PM) (Source: MSSHA)(User: )
Description: 80070424

Error: (06/21/2013 07:24:49 PM) (Source: MSSHA)(User: )
Description: 80070424

Error: (06/20/2013 08:45:33 PM) (Source: MSSHA)(User: )
Description: 80070424

Error: (06/20/2013 05:57:40 PM) (Source: MSSHA)(User: )
Description: 80070424

Error: (06/19/2013 09:30:49 PM) (Source: MSSHA)(User: )
Description: 80070424

Error: (06/19/2013 07:37:00 PM) (Source: Automatic LiveUpdate Scheduler)(User: NT AUTHORITY)
Description: errorInitialization of the COM subsystem failed. Error code: 0x8007041D

Error: (06/19/2013 07:32:05 PM) (Source: MSSHA)(User: )
Description: 80070424


==================== Memory info ===========================

Percentage of memory in use: 38%
Total physical RAM: 2046.07 MB
Available physical RAM: 1256.2 MB
Total Pagefile: 5916.84 MB
Available Pagefile: 5288.82 MB
Total Virtual: 2047.88 MB
Available Virtual: 1952.24 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:144.31 GB) (Free:97.31 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive f: (HITMANPRO) (Removable) (Total:3.76 GB) (Free:3.74 GB) FAT32

==================== MBR & Partition Table ==================

==================== End Of Log ============================

#10 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
Hello lsantil



I need you to download this script I have made for you --> Attached File: fixlist.txt (201 bytes, 154 downloads)

It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow it).

Run FRST again but this time press the Fix button just once and wait.


When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file to your reply.


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Gringo

#11 lsantil (Topic Starter, Member, 17 posts)
Eureka! I think my infection is gone! (although I haven't yet checked everything that I would like to check)

I have to admit that I was not encouraged when I looked at the fix log (below). But of course I have no idea what I am looking at!

Gringo, thank you so very much!!

Is there any follow-up cleanup that I should do?

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 25-06-2013 01
Ran by loutemp4 at 2013-06-25 20:50:00 Run:1
Running from C:\Documents and Settings\loutemp4\Desktop
Boot Mode: Normal

==============================================

krdpdre => Service not found.
Could not move C:\Documents and Settings\All Users\Application Data\2433f433. => Scheduled to move on reboot.

=========== Result of Scheduled Files to move ===========
C:\Documents and Settings\All Users\Application Data\2433f433 => File could not move.

==== End of Fixlog ====

#12 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
Hello lsantil

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#13 lsantil (Topic Starter, Member, 17 posts)
Gringo... ComboFix log is below. I had no problems running it.

Computer seems to be working fine.

Thanks again so much for your help! Going to make a contribution to show my appreciation.

Lou


ComboFix 13-06-26.01 - default 06/26/2013 20:21:10.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1310 [GMT -4:00]
Running from: c:\documents and settings\default\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\2433f433
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\2433f433
c:\documents and settings\default\firefox.exe
c:\documents and settings\default\g2mdlhlpx.exe
c:\documents and settings\default\iexplore.exe
c:\documents and settings\default\java.exe
c:\documents and settings\default\msconfig.exe
c:\documents and settings\default\spoolsv.exe
c:\documents and settings\loutemp3\Desktop\Internet Explorer.lnk
c:\windows\system32\Packet.dll
c:\windows\system32\SETA17.tmp
c:\windows\system32\SETA18.tmp
c:\windows\system32\SETA4F.tmp
c:\windows\system32\SETA5B.tmp
c:\windows\system32\wpcap.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2013-05-27 to 2013-06-27 )))))))))))))))))))))))))))))))
.
.
2013-06-26 13:28 . 2013-06-12 04:18 7068072 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4FE6B144-15A3-4869-8B05-F462BC18FDBB}\mpengine.dll
2013-06-25 11:01 . 2013-06-26 00:54 -------- d-----w- C:\FRST
2013-06-24 16:28 . 2013-06-24 16:28 -------- d-----w- C:\_OTL
2013-06-21 02:47 . 2013-06-21 02:59 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-06-20 22:08 . 2013-06-20 22:08 10285040 ----a-w- C:\mbam-setup-1.75.0.1300.exe
2013-06-20 18:06 . 2013-06-20 22:57 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2013-06-20 17:54 . 2013-06-12 04:18 7068072 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-06-20 02:34 . 2013-06-20 02:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2013-06-18 00:55 . 2013-06-18 02:44 -------- d-----w- c:\documents and settings\loutemp
2013-06-17 05:01 . 2013-06-17 17:42 -------- d-----w- c:\program files\HitmanPro
2013-06-17 05:01 . 2013-06-17 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-06-17 02:35 . 2013-06-17 02:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-12 12:24 . 2012-04-28 03:46 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-12 12:24 . 2011-05-30 03:20 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-07 22:30 . 2005-08-16 10:18 920064 ----a-w- c:\windows\system32\wininet.dll
2013-05-07 22:30 . 2005-08-16 10:18 43520 ------w- c:\windows\system32\licmgr10.dll
2013-05-07 22:30 . 2005-08-16 10:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-05-07 21:53 . 2005-08-16 10:18 385024 ------w- c:\windows\system32\html.iec
2013-05-03 01:30 . 2005-08-16 10:18 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2004-08-04 04:59 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-05-02 06:06 . 2011-04-15 20:14 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-10 01:31 . 2005-08-16 10:18 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 18:50 . 2010-11-22 01:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-04 09:35 . 2013-05-23 01:05 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"NETGEARGenie"="c:\program files\NETGEAR Genie\bin\NETGEARGenie.exe" [2011-10-24 1087264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-06-15 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-01 185896]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"P17Helper"="P17.dll" [2004-06-10 60928]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"JunosPulse"="c:\program files\Common Files\Juniper Networks\JamUI\Pulse.exe" [2013-01-09 2103128]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-12-24 618496]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"HostManager"="c:\program files\Common Files\AOL\1133066293\ee\AOLSoftware.exe" [2006-05-10 50760]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2012-04-25 115624]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2008-11-16 36864]
Smart Wizard Wireless Settings.lnk - c:\program files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe [2007-6-8 1044577]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1133066293\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1133066293\\ee\\aim6.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\default\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\NETGEAR Genie\\bin\\NETGEARGenie.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"4821:UDP"= 4821:UDP:Windows Media Format SDK (iexplore.exe)
"4820:UDP"= 4820:UDP:Windows Media Format SDK (iexplore.exe)
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R1 jnprTdi_730_29921;Juniper Networks TDI Filter Driver (jnprTdi_730_29921);c:\windows\system32\drivers\jnprTdi_730_29921.sys [2/17/2013 3:50 PM 91248]
R1 NEOFLTR_700_17289;Juniper Networks TDI Filter Driver (NEOFLTR_700_17289);c:\windows\system32\drivers\NEOFLTR_700_17289.SYS [5/9/2012 11:08 AM 84336]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [6/17/2013 1:42 PM 106280]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [1/9/2013 12:48 AM 162136]
R2 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\program files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe [8/10/2012 9:22 AM 150928]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/28/2007 7:02 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/23/2013 2:54 PM 106656]
R3 JNPRNA;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna5.sys [2/17/2013 3:49 PM 446712]
R3 JnprVaMgr;Juniper Networks Virtual Adapter Manager Service;c:\windows\system32\drivers\jnprvamgr.sys [8/15/2012 8:11 PM 36776]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 DP1112;DP1112;\??\c:\windows\system32\Drivers\DP.sys --> c:\windows\system32\Drivers\DP.sys [?]
S2 NETGEARGenieDaemon;NETGEARGenieDaemon;c:\program files\NETGEAR Genie\bin\NETGEARGenieDaemon.exe [10/23/2011 10:12 PM 1029408]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [4/25/2012 11:34 AM 23888]
S3 DMService;Microsoft Forefront UAG Endpoint Component Manager;c:\windows\DOWNLO~1\DMService.exe [8/10/2012 9:21 AM 487312]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [12/8/2010 12:01 AM 16968]
S3 krdpdre;krdpdre;\??\c:\docume~1\default\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\default\LOCALS~1\Temp\krdpdre.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/20/2013 10:47 PM 40776]
S3 MmedFilter;MmedFilter;\??\c:\windows\system32\Drivers\MmedFilter.sys --> c:\windows\system32\Drivers\MmedFilter.sys [?]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-21 03:46 1165776 ----a-w- c:\program files\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-28 12:24]
.
2013-06-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2013-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-05-05 04:38]
.
2013-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-05-05 04:38]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
Trusted Zone: markelcorp.com\email
Trusted Zone: musicmatch.com\online
TCP: DhcpNameServer = 192.168.1.1
DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} - hxxp://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - c:\docume~1\default\LOCALS~1\Temp\xyybbcpjanfnrcihp.dll
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-26 20:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-796141095-1812469103-3440069415-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-06-26 20:39:13
ComboFix-quarantined-files.txt 2013-06-27 00:38
ComboFix2.txt 2011-04-23 00:06
ComboFix3.txt 2010-12-08 02:51
ComboFix4.txt 2010-12-07 03:41
ComboFix5.txt 2013-06-20 17:21
.
Pre-Run: 104,579,112,960 bytes free
Post-Run: 105,409,232,896 bytes free
.
- - End Of File - - B4B9DEF9DEB87DC31A08E0726B95ACA3
8F558EB6672622401DA993E1E865C861

#14
gringo_pr
    Trusted Helper
  • Malware Removal
  • 7,268 posts
Hello lsantil

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:

  • report from ComboFix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

#15
lsantil
    Member
  • Topic Starter
  • Member
  • 17 posts
Okay, Gringo, I had no problems running ComboFix as you instructed (log is below).

Computer seems to be running just fine... no issues!


ComboFix 13-06-27.02 - default 06/27/2013 21:43:32.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1280 [GMT -4:00]
Running from: c:\documents and settings\default\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\default\Desktop\CFScript.txt
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((( Files Created from 2013-05-28 to 2013-06-28 )))))))))))))))))))))))))))))))
.
.
2013-06-28 00:58 . 2013-06-12 04:18 7068072 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{37D6D02E-EE78-490D-9559-486B4606FBB1}\mpengine.dll
2013-06-27 02:54 . 2013-06-27 02:54 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-06-26 13:28 . 2013-06-12 04:18 7068072 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-06-25 11:01 . 2013-06-26 00:54 -------- d-----w- C:\FRST
2013-06-24 16:28 . 2013-06-24 16:28 -------- d-----w- C:\_OTL
2013-06-21 02:47 . 2013-06-21 02:59 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-06-20 22:08 . 2013-06-20 22:08 10285040 ----a-w- C:\mbam-setup-1.75.0.1300.exe
2013-06-20 18:06 . 2013-06-20 22:57 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2013-06-20 02:34 . 2013-06-20 02:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2013-06-18 00:55 . 2013-06-18 02:44 -------- d-----w- c:\documents and settings\loutemp
2013-06-17 05:01 . 2013-06-17 17:42 -------- d-----w- c:\program files\HitmanPro
2013-06-17 05:01 . 2013-06-17 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-06-17 02:35 . 2013-06-17 02:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-27 02:54 . 2012-08-08 03:17 867240 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-06-27 02:54 . 2012-08-08 03:17 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-06-27 02:54 . 2010-05-23 00:13 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-12 12:24 . 2012-04-28 03:46 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-12 12:24 . 2011-05-30 03:20 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-07 22:30 . 2005-08-16 10:18 920064 ----a-w- c:\windows\system32\wininet.dll
2013-05-07 22:30 . 2005-08-16 10:18 43520 ------w- c:\windows\system32\licmgr10.dll
2013-05-07 22:30 . 2005-08-16 10:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-05-07 21:53 . 2005-08-16 10:18 385024 ------w- c:\windows\system32\html.iec
2013-05-03 01:30 . 2005-08-16 10:18 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2004-08-04 04:59 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-05-02 06:06 . 2011-04-15 20:14 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-10 01:31 . 2005-08-16 10:18 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 18:50 . 2010-11-22 01:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"NETGEARGenie"="c:\program files\NETGEAR Genie\bin\NETGEARGenie.exe" [2011-10-24 1087264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-06-15 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-01 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"P17Helper"="P17.dll" [2004-06-10 60928]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"JunosPulse"="c:\program files\Common Files\Juniper Networks\JamUI\Pulse.exe" [2013-01-09 2103128]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-12-24 618496]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"HostManager"="c:\program files\Common Files\AOL\1133066293\ee\AOLSoftware.exe" [2006-05-10 50760]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2012-04-25 115624]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2008-11-16 36864]
Smart Wizard Wireless Settings.lnk - c:\program files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe [2007-6-8 1044577]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1133066293\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1133066293\\ee\\aim6.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\default\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\NETGEAR Genie\\bin\\NETGEARGenie.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"4821:UDP"= 4821:UDP:Windows Media Format SDK (iexplore.exe)
"4820:UDP"= 4820:UDP:Windows Media Format SDK (iexplore.exe)
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R1 jnprTdi_730_29921;Juniper Networks TDI Filter Driver (jnprTdi_730_29921);c:\windows\system32\drivers\jnprTdi_730_29921.sys [2/17/2013 3:50 PM 91248]
R1 NEOFLTR_700_17289;Juniper Networks TDI Filter Driver (NEOFLTR_700_17289);c:\windows\system32\drivers\NEOFLTR_700_17289.SYS [5/9/2012 11:08 AM 84336]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [6/17/2013 1:42 PM 106280]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [1/9/2013 12:48 AM 162136]
R2 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\program files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe [8/10/2012 9:22 AM 150928]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/28/2007 7:02 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/23/2013 2:54 PM 106656]
R3 JNPRNA;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna5.sys [2/17/2013 3:49 PM 446712]
R3 JnprVaMgr;Juniper Networks Virtual Adapter Manager Service;c:\windows\system32\drivers\jnprvamgr.sys [8/15/2012 8:11 PM 36776]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 DP1112;DP1112;\??\c:\windows\system32\Drivers\DP.sys --> c:\windows\system32\Drivers\DP.sys [?]
S2 NETGEARGenieDaemon;NETGEARGenieDaemon;c:\program files\NETGEAR Genie\bin\NETGEARGenieDaemon.exe [10/23/2011 10:12 PM 1029408]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [4/25/2012 11:34 AM 23888]
S3 DMService;Microsoft Forefront UAG Endpoint Component Manager;c:\windows\DOWNLO~1\DMService.exe [8/10/2012 9:21 AM 487312]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [12/8/2010 12:01 AM 16968]
S3 krdpdre;krdpdre;\??\c:\docume~1\default\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\default\LOCALS~1\Temp\krdpdre.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/20/2013 10:47 PM 40776]
S3 MmedFilter;MmedFilter;\??\c:\windows\system32\Drivers\MmedFilter.sys --> c:\windows\system32\Drivers\MmedFilter.sys [?]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
*NewlyCreated* - PCANDIS5
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-21 03:46 1165776 ----a-w- c:\program files\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-28 12:24]
.
2013-06-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2013-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-05-05 04:38]
.
2013-06-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-05-05 04:38]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
Trusted Zone: markelcorp.com\email
Trusted Zone: musicmatch.com\online
TCP: DhcpNameServer = 192.168.1.1
DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} - hxxp://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-27 22:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-796141095-1812469103-3440069415-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2856)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-06-27 22:03:04
ComboFix-quarantined-files.txt 2013-06-28 02:03
ComboFix2.txt 2013-06-27 00:39
ComboFix3.txt 2011-04-23 00:06
ComboFix4.txt 2010-12-08 02:51
ComboFix5.txt 2013-06-28 01:40
.
Pre-Run: 105,048,236,032 bytes free
Post-Run: 105,306,243,072 bytes free
.
- - End Of File - - 3CFE4BD762D04E92616735D9564B1747
8F558EB6672622401DA993E1E865C861