View Full Version : "Great Arcade Hit"
I pasted the DDS log and aswMBR Log below. I also attached the zipped attach in this thread. I would very much appreciate if you could help me to remove malwares infecting my PC. Many thanks!!
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.25.2
Run by Admin at 18:36:16 on 2013-10-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3579.2572 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Google Japanese Input\GoogleIMEJaCacheService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Logitech\Vid HD\Vid.exe
C:\Documents and Settings\Admin\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Program Files\Google\Google Japanese Input\GoogleIMEJaRenderer.exe
C:\Program Files\Google\Google Japanese Input\GoogleIMEJaConverter.exe
C:\PROGRA~1\MICROS~3\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ERUNT\ERUNT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.bing.com/sphome.aspx?mkt={SUB_RFC1766}
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Adobe Acrobat Synchronizer] "c:\program files\adobe\acrobat 10.0\acrobat\AdobeCollabSync.exe"
uRun: [Logitech Vid] "c:\program files\logitech\vid hd\Vid.exe" -bootmode
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Google Japanese Input Prelauncher] "c:\program files\google\google japanese input\GoogleIMEJaBroker32.exe" --mode=prelaunch_processes
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\admin\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\admin\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\admin\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: &Search - ?s=100000348&p=ZSYYYYYY68US&si=&a=LVo5k0lPb8Miq9i_rW6QEA&n=2011022213
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {53A8AEF8-5503-4B78-A091-634BB68DEECE} - hxxps://access.upmc.com/SecureAuth4/4420/SecureAuth.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1282325090687
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://agilenteseminar.webex.com/client/WBXclient-T27L10NSP25-10481/event/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://netscreen.upmc.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://netscreen.upmc.com/dana-cached/sc/JuniperSetupClient.cab
TCP: Interfaces\{40533F3E-962B-47A3-972C-1B8176E8887C} : NameServer = 136.142.57.10,128.147.22.101,136.142.188.73
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\30.0.1599.69\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
Hosts: 127.0.0.1 www.spywareinfo.com (http://www.spywareinfo.com)
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\790rqy0p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289847&CUI=UN41460950402503119&UM=2&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - WhiteSmoke New Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3289847&CUI=UN41460950402503119&UM=2&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289847&SearchSource=2&CUI=UN41460950402503119&UM=2&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\acrobat 10.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 211560]
R1 NEOFLTR_650_16339;Juniper Networks TDI Filter Driver (NEOFLTR_650_16339);c:\windows\system32\drivers\NEOFLTR_650_16339.SYS [2010-10-19 85360]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]
R2 GoogleIMEJaCacheService;Google Japanese Input Cache Service;c:\program files\google\google japanese input\GoogleIMEJaCacheService.exe [2013-10-3 752664]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2012-11-27 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2012-11-27 1369624]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-11-22 3290304]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2012-1-18 450848]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2010-8-11 2066968]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-8-11 160424]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-12-18 44800]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2012-11-27 168384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-6-3 162408]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [2012-1-18 22176]
S3 cpuz132;cpuz132;\??\c:\docume~1\admin\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\admin\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2009-6-12 1120752]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== Created Last 30 ================
.
2013-10-11 07:43:54 7328304 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ce8b48db-6a45-4c56-87a1-a754d4ebb032}\mpengine.dll
2013-10-11 04:09:04 7328304 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-10-09 16:01:49 -------- d-----w- c:\documents and settings\admin\local settings\application data\Deployment
2013-10-09 04:05:26 25088 ------w- c:\windows\system32\dllcache\hidparse.sys
2013-10-09 04:05:18 46848 ------w- c:\windows\system32\dllcache\irbus.sys
2013-10-09 04:05:05 5376 ------w- c:\windows\system32\dllcache\usbd.sys
2013-10-09 04:05:05 30336 ------w- c:\windows\system32\dllcache\usbehci.sys
2013-10-03 11:54:24 1731608 ----a-w- c:\windows\system32\GIMEJa.ime
2013-10-01 21:24:23 -------- d-----w- c:\windows\system32\wbem\repository\FS
2013-10-01 21:24:23 -------- d-----w- c:\windows\system32\wbem\Repository
2013-10-01 21:19:03 -------- d-----w- c:\program files\Browsersafeguard
2013-10-01 21:18:55 -------- d-----w- c:\documents and settings\admin\local settings\application data\GreatArcadeHits
2013-10-01 21:18:34 -------- d-----w- c:\documents and settings\admin\local settings\application data\CRE
2013-10-01 21:18:31 -------- d-----w- c:\documents and settings\all users\application data\Conduit
2013-10-01 21:18:29 -------- d-----w- c:\program files\WhiteSmoke_New
2013-10-01 21:18:29 -------- d-----w- c:\documents and settings\admin\local settings\application data\Conduit
2013-10-01 21:18:02 -------- d-----w- c:\documents and settings\admin\application data\SwvUpdater
.
==================== Find3M ====================
.
2013-10-09 11:16:08 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-09 11:16:08 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-23 18:33:58 920064 ----a-w- c:\windows\system32\wininet.dll
2013-09-23 18:33:57 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-09-23 18:33:57 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-09-23 18:33:56 18944 ----a-w- c:\windows\system32\corpol.dll
2013-09-23 18:06:48 385024 ----a-w- c:\windows\system32\html.iec
2013-08-29 01:31:44 1878656 ----a-w- c:\windows\system32\win32k.sys
2013-08-09 01:56:45 386560 ----a-w- c:\windows\system32\themeui.dll
2013-08-09 00:55:08 144128 ----a-w- c:\windows\system32\drivers\usbport.sys
2013-08-09 00:55:07 32384 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2013-08-09 00:55:06 5376 ----a-w- c:\windows\system32\drivers\usbd.sys
2013-08-05 13:30:32 1289728 ----a-w- c:\windows\system32\ole32.dll
2013-08-03 18:18:38 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-07-19 05:18:04 102608 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2013-07-17 00:58:17 123008 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2013-07-17 00:58:03 60160 ----a-w- c:\windows\system32\drivers\usbaudio.sys
.
============= FINISH: 18:37:16.01 ===============
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-10-11 18:40:03
-----------------------------
18:40:03.921 OS Version: Windows 5.1.2600 Service Pack 3
18:40:03.921 Number of processors: 4 586 0x170A
18:40:03.921 ComputerName: KT-OFFICE UserName: Admin
18:40:04.375 Initialize success
18:41:35.968 AVAST engine defs: 13101100
18:42:59.375 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:42:59.375 Disk 0 Vendor: ST316031 HP35 Size: 152627MB BusType: 3
18:42:59.375 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2
18:42:59.375 Disk 1 Vendor: ST1000DM CC4D Size: 953869MB BusType: 3
18:42:59.500 Disk 0 MBR read successfully
18:42:59.500 Disk 0 MBR scan
18:42:59.531 Disk 0 Windows 7 default MBR code
18:42:59.531 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152625 MB offset 2048
18:42:59.578 Disk 0 scanning sectors +312579760
18:42:59.703 Disk 0 scanning C:\WINDOWS\system32\drivers
18:43:14.343 Service scanning
18:43:29.140 Service MpKsla592803d C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CE8B48DB-6A45-4C56-87A1-A754D4EBB032}\MpKsla592803d.sys **LOCKED** 32
18:43:46.703 Modules scanning
18:43:53.656 Disk 0 trace - called modules:
18:43:53.703 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
18:43:53.718 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b06f8a0]
18:43:53.734 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000063[0x8b023840]
18:43:53.765 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8b039028]
18:43:57.468 AVAST engine scan C:\WINDOWS
18:44:15.328 AVAST engine scan C:\WINDOWS\system32
18:47:55.765 AVAST engine scan C:\WINDOWS\system32\drivers
18:48:12.171 AVAST engine scan C:\Documents and Settings\Admin
18:48:56.562 Disk 0 MBR has been saved successfully to "E:\My Documents\PC cleanup\101113\MBR.dat"
18:48:56.640 The log file has been saved successfully to "E:\My Documents\PC cleanup\101113\aswMBR.txt"
Hi ketssk,
My name is OCD. I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.
Copy and Paste logs directly into the reply window. DO NOT attach the logs unless specifically instructed to do so.
IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.
Please stay with this topic until I let you know that your system appears to be "All Clear"
Important: All tools MUST be run from the Desktop.
=========================
http://i1269.photobucket.com/albums/jj590/OCD-WTT/bullseye_zpse9eaf36e.gif (http://s1269.photobucket.com/user/OCD-WTT/media/bullseye_zpse9eaf36e.gif.html) Security Check
Download Security Check by screen317 from here (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or here (http://screen317.changelog.fr/SecurityCheck.exe).
Save it to your Desktop.
Windows XP : Double click on the icon to run it.
Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
=========================
http://i1269.photobucket.com/albums/jj590/OCD-WTT/bullseye_zpse9eaf36e.gif (http://s1269.photobucket.com/user/OCD-WTT/media/bullseye_zpse9eaf36e.gif.html) ComboFix
Refer to the ComboFix User's Guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Download ComboFix from the following location:
Link (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Place ComboFix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
You can get help on disabling your protection programs here (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html)
Double click on ComboFix.exe & follow the prompts.
Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When finished, it shall produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
---------------------------------------------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled.
---------------------------------------------------------------------------------------------
NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
=========================
In your next post please provide the following:
check-up.txt
Combofix.txt
How is the computer running at the moment?
Thank you so much, OCD!! Here it is!!
•check-up.txt
Results of screen317's Security Check version 0.99.74
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
MVPS Hosts File
Spybot - Search & Destroy
Java(TM) 6 Update 18
Java 7 Update 25
Java Card Security for HP ProtectTools
Java version out of Date!
Adobe Flash Player 11.9.900.117
Mozilla Firefox (3.6.8) Firefox out of Date!
Google Chrome 29.0.1547.76
Google Chrome 30.0.1599.69
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Spybot Teatimer.exe is disabled!
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 6%
````````````````````End of Log``````````````````````
•Combofix.txt
ComboFix 13-10-15.02 - Admin 10/15/2013 19:01:11.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3579.2675 [GMT -4:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Admin\Application Data\JuniperExtXP.exe
c:\documents and settings\Admin\Application Data\Lazyed
c:\documents and settings\Admin\Application Data\Lazyed\ygewu.say
c:\documents and settings\Admin\WINDOWS
c:\documents and settings\All Users\Application Data\670BAD4DF0.sys
C:\END
c:\windows\system32\OLD13.tmp
c:\windows\system32\OLDF.tmp
c:\windows\system32\SET2DE.tmp
c:\windows\system32\SET2DF.tmp
c:\windows\system32\SET2F2.tmp
c:\windows\system32\SET2FA.tmp
c:\windows\system32\SET302.tmp
c:\windows\system32\SET326.tmp
c:\windows\system32\SET34D.tmp
c:\windows\system32\SET34E.tmp
c:\windows\system32\SET350.tmp
c:\windows\system32\SET352.tmp
c:\windows\system32\SET360.tmp
c:\windows\system32\SET36F.tmp
c:\windows\system32\SET38C.tmp
c:\windows\system32\SET3AC.tmp
c:\windows\system32\SET3BF.tmp
c:\windows\system32\SET3C0.tmp
c:\windows\system32\SET3C3.tmp
c:\windows\system32\SET3D3.tmp
c:\windows\system32\SET3DD.tmp
c:\windows\system32\SET3DE.tmp
c:\windows\system32\SET3E4.tmp
c:\windows\system32\SET403.tmp
c:\windows\system32\SET404.tmp
c:\windows\system32\SET405.tmp
c:\windows\system32\SET410.tmp
c:\windows\system32\SET436.tmp
c:\windows\system32\SET567.tmp
c:\windows\system32\SET579.tmp
c:\windows\system32\SET969.tmp
c:\windows\system32\SETABD.tmp
c:\windows\vcredist_x86.exe
c:\windows\wininit.ini
F:\Autorun.inf
F:\Setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-09-15 to 2013-10-15 )))))))))))))))))))))))))))))))
.
.
2013-10-15 07:43 . 2013-09-05 05:02 7328304 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{15F95961-1F5D-4EA5-9008-61BDC3B6201B}\mpengine.dll
2013-10-15 04:08 . 2013-09-05 05:02 7328304 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-10-09 16:01 . 2013-10-09 16:03 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Deployment
2013-10-09 04:05 . 2013-07-03 02:12 25088 ------w- c:\windows\system32\dllcache\hidparse.sys
2013-10-09 04:05 . 2013-07-17 00:58 46848 ------w- c:\windows\system32\dllcache\irbus.sys
2013-10-09 04:05 . 2013-08-09 00:55 5376 ------w- c:\windows\system32\dllcache\usbd.sys
2013-10-09 04:05 . 2009-03-18 11:02 30336 ------w- c:\windows\system32\dllcache\usbehci.sys
2013-10-08 11:49 . 2013-10-08 11:50 -------- d-----w- c:\program files\ERUNT
2013-10-03 11:54 . 2013-10-03 11:54 1731608 ----a-w- c:\windows\system32\GIMEJa.ime
2013-10-01 21:24 . 2013-10-01 21:24 -------- d-----w- c:\windows\system32\wbem\Repository
2013-10-01 21:19 . 2013-10-01 21:24 -------- d-----w- c:\program files\Browsersafeguard
2013-10-01 21:18 . 2013-10-01 21:24 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\GreatArcadeHits
2013-10-01 21:18 . 2013-10-01 21:18 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\CRE
2013-10-01 21:18 . 2013-10-01 21:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Conduit
2013-10-01 21:18 . 2013-10-01 21:24 -------- d-----w- c:\program files\WhiteSmoke_New
2013-10-01 21:18 . 2013-10-01 21:24 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Conduit
2013-10-01 21:18 . 2013-10-01 21:24 -------- d-----w- c:\documents and settings\Admin\Application Data\SwvUpdater
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-09 11:16 . 2012-04-23 19:49 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-09 11:16 . 2011-05-17 19:04 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-23 18:33 . 2008-04-14 09:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-09-23 18:33 . 2008-04-14 09:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-09-23 18:33 . 2008-04-14 09:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-09-23 18:33 . 2008-04-14 09:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-09-23 18:06 . 2008-04-14 09:00 385024 ----a-w- c:\windows\system32\html.iec
2013-08-29 01:31 . 2008-04-14 09:00 1878656 ----a-w- c:\windows\system32\win32k.sys
2013-08-09 01:56 . 2008-04-14 09:00 386560 ----a-w- c:\windows\system32\themeui.dll
2013-08-09 00:55 . 2008-04-14 09:00 144128 ----a-w- c:\windows\system32\drivers\usbport.sys
2013-08-09 00:55 . 2010-08-19 00:24 32384 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2013-08-09 00:55 . 2008-04-14 09:00 5376 ----a-w- c:\windows\system32\drivers\usbd.sys
2013-08-05 13:30 . 2008-04-14 09:00 1289728 ----a-w- c:\windows\system32\ole32.dll
2013-08-03 18:18 . 2006-10-19 01:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-07-19 05:18 . 2013-07-19 05:18 102608 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" [2013-09-03 1272704]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2011-01-13 6129496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-24 796696]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-03 18665472]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-21 525824]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-02 98304]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2013-09-03 41336]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2013-09-03 840568]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"Google Japanese Input Prelauncher"="c:\program files\Google\Google Japanese Input\GoogleIMEJaBroker32.exe" [2013-10-03 1457688]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-06-20 995176]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-10-25 421888]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-11-29 151952]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
c:\documents and settings\Admin\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Admin\Application Data\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0210411]
Ime File REG_SZ GIMEJA.IME
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-10-06 05:52 59240 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-11-29 05:49 151952 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2011-11-11 18:08 205336 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-06-03 20:27 19603048 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\windows\\system32\\mshta.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Admin\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 NEOFLTR_650_16339;Juniper Networks TDI Filter Driver (NEOFLTR_650_16339);c:\windows\system32\drivers\NEOFLTR_650_16339.SYS [10/19/2010 5:36 PM 85360]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
R2 GoogleIMEJaCacheService;Google Japanese Input Cache Service;c:\program files\Google\Google Japanese Input\GoogleIMEJaCacheService.exe [10/3/2013 7:54 AM 752664]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 11:09 PM 11032]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [11/27/2012 8:48 AM 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [11/27/2012 8:48 AM 1369624]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [1/18/2012 2:44 AM 450848]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [8/11/2010 5:57 AM 2066968]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [8/11/2010 5:46 AM 160424]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/18/2007 1:46 PM 44800]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [11/27/2012 8:48 AM 168384]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [11/22/2012 11:29 AM 3290304]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [6/3/2013 4:21 PM 162408]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [1/18/2012 2:44 AM 22176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [6/12/2009 11:13 PM 1120752]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-04 19:29 1185744 ----a-w- c:\program files\Google\Chrome\Application\30.0.1599.69\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-23 11:16]
.
2013-10-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-10-09 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2012-11-27 19:08]
.
2013-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-20 16:12]
.
2013-10-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-20 16:12]
.
2013-10-15 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-06-20 22:05]
.
2013-10-09 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2012-11-27 19:07]
.
2013-10-01 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2012-11-27 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: upmc.com
TCP: Interfaces\{40533F3E-962B-47A3-972C-1B8176E8887C}: NameServer = 136.142.57.10,128.147.22.101,136.142.188.73
DPF: {53A8AEF8-5503-4B78-A091-634BB68DEECE} - hxxps://access.upmc.com/SecureAuth4/4420/SecureAuth.cab
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\790rqy0p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289847&CUI=UN41460950402503119&UM=2&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - WhiteSmoke New Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3289847&CUI=UN41460950402503119&UM=2&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289847&SearchSource=2&CUI=UN41460950402503119&UM=2&q=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
Notify-SDWinLogon - SDWinLogon.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-10-15 19:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'winlogon.exe'(316)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\l3codeca.acm
c:\windows\system32\sirenacm.dll
.
Completion time: 2013-10-15 19:09:00
ComboFix-quarantined-files.txt 2013-10-15 23:08
.
Pre-Run: 112,899,612,672 bytes free
Post-Run: 113,983,049,728 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - F383CE3399A12FDCD36BF0D5379BD0AE
A36C5E4F47E84449FF07ED3517B43A31
•How is the computer running at the moment?
My Google Chrome starts with the following page, even I set www.google.com/ as my home page to begin with....
http://search.conduit.com/?ctid=CT3289847&SearchSource=48&CUI=UN50227725930787618&UM=2
Hi ketssk,
http://i1269.photobucket.com/albums/jj590/OCD-WTT/bullseye_zpse9eaf36e.gif (http://s1269.photobucket.com/user/OCD-WTT/media/bullseye_zpse9eaf36e.gif.html) ComboFix Script
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the code-box below into it:
ClearJavaCache::
Folder::
c:\documents and settings\Admin\Local Settings\Application Data\GreatArcadeHits
c:\documents and settings\All Users\Application Data\Conduit
c:\program files\WhiteSmoke_New
c:\documents and settings\Admin\Local Settings\Application Data\Conduit
c:\documents and settings\Admin\Application Data\SwvUpdater
c:\program files\Browsersafeguard
Firefox::
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289847&CUI=UN41460950402503119&UM=2&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - WhiteSmoke New Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3289847&CUI=UN41460950402503119&UM=2&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289847&SearchSource=2&CUI=UN41460950402503119&UM=2&q=
Save this as CFScript.txt, in the same location as ComboFix.exe
http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, please post the C:\ComboFix.txt for further review.
=========================
http://i1269.photobucket.com/albums/jj590/OCD-WTT/bullseye_zpse9eaf36e.gif (http://s1269.photobucket.com/user/OCD-WTT/media/bullseye_zpse9eaf36e.gif.html) Reboot
=========================
http://i1269.photobucket.com/albums/jj590/OCD-WTT/bullseye_zpse9eaf36e.gif (http://s1269.photobucket.com/user/OCD-WTT/media/bullseye_zpse9eaf36e.gif.html) AdwCleaner v3: Scan & Clean (http://www.bleepingcomputer.com/download/adwcleaner/)
Windows XP : Double click on the icon to run it.
Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
Click on the Scan button.
AdwCleaner will begin to scan your computer like it did before.
After the scan has finished...
Click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
After rebooting, a log file report (AdwCleaner[S0].txt) will open automatically.
Copy and paste the contents of that log file in your next reply.
A copy of that log file will also be saved in the C:\AdwCleaner folder.
=========================
http://i1269.photobucket.com/albums/jj590/OCD-WTT/bullseye_zpse9eaf36e.gif (http://s1269.photobucket.com/user/OCD-WTT/media/bullseye_zpse9eaf36e.gif.html) Junkware Removal Tool
Download Junkware Removal Tool (http://thisisudax.org/downloads/JRT.exe) to your desktop.
Windows XP : Double click on the icon to run it.
Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
Shut down your protection software now to avoid potential conflicts.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.
=========================
http://i1269.photobucket.com/albums/jj590/OCD-WTT/bullseye_zpse9eaf36e.gif (http://s1269.photobucket.com/user/OCD-WTT/media/bullseye_zpse9eaf36e.gif.html) Re-run OTL (it should be located on your desktop).
Windows XP : Double click on the icon to run it.
Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Uncheck the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open one notepad window. OTL.Txt. (No Extras.txt will be produced)
Note:The log can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of the file, and post it with your next reply.
=========================
We will address the Chrome start page after I review these logs
In your next post please provide the following:
Combofix.txt
AdwCleaner[S0].txt
JRT.txt
OTL.txt
Thanks again, OCT. I did ComboFix Script and AdwCleaner v3: Scan & Clean, and it was fine; however, I completely lost the Internet connection after I did Junkware Removal Tool.. Now I restored the system before ComboFix and my Internet connect was restored... For some reasons, my Googlechrome appears to be back to normal...
I pasted Combofix.txt, AdwCleaner[S0].txt, and JRT.txt for your review. Thank you again!!!
ComboFix 13-10-15.02 - Admin 10/16/2013 12:51:36.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3579.2718 [GMT -4:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: e:\my documents\PC cleanup\101613\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Admin\Application Data\SwvUpdater
c:\documents and settings\Admin\Application Data\SwvUpdater\Updater.xml
c:\documents and settings\Admin\Local Settings\Application Data\Conduit
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847.1000082.currentList.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847.1000082.localStations.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847.1000082.nowPlaying.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847.1000082.publisherStations.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847.130068661007799818.search.selectedEngineId.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847.130068661007799818.search.settings.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847.130068661007799818.search.user-enlargeBoxSettings.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847.appOptions.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847.installUsage.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847.installUsageEarly.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847.NOTIFICATION_ID.notifications-service_1774897.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847.NOTIFICATION_ID.notifications-servicemap.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847.NotificationSettings.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847.searchProtectorData.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847_10.20.1.8.serviceLayer_services_appsMetadata.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847_10.20.1.8.serviceLayer_services_appTrackingFirstTime.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847_10.20.1.8.serviceLayer_services_Configuration.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847_10.20.1.8.serviceLayer_services_gottenAppsContextMenu.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847_10.20.1.8.serviceLayer_services_login.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847_10.20.1.8.serviceLayer_services_otherAppsContextMenu.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847_10.20.1.8.serviceLayer_services_searchAPI.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847_10.20.1.8.serviceLayer_services_serviceMap.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847_10.20.1.8.serviceLayer_services_toolbarContextMenu.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847_10.20.1.8.serviceLayer_services_toolbarSettings.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847_10.20.1.8.serviceLayer_services_translation.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847_RAW.serviceLayer_services_appsMetadata.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847_RAW.serviceLayer_services_appTrackingFirstTime.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847_RAW.serviceLayer_services_Configuration.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847_RAW.serviceLayer_services_gottenAppsContextMenu.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847_RAW.serviceLayer_services_login.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847_RAW.serviceLayer_services_otherAppsContextMenu.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847_RAW.serviceLayer_services_searchAPI.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847_RAW.serviceLayer_services_serviceMap.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847_RAW.serviceLayer_services_toolbarContextMenu.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847_RAW.serviceLayer_services_toolbarSettings.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\CT3289847_RAW.serviceLayer_services_translation.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\toolbar_initializing_logger.txt.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\ToolbarFullUserID.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\ToolbarUserId.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\uninstallData.txt
c:\documents and settings\Admin\Local Settings\Application Data\Conduit\ChromeExtData\klibnahbojhkanfgaglnlalfkgpcppfi(2)\Repository(2)\uninstallUrl.txt
c:\documents and settings\Admin\Local Settings\Application Data\GreatArcadeHits
c:\documents and settings\Admin\Local Settings\Application Data\GreatArcadeHits\{B21F5E31-B8E8-41CD-B74C-168A71A10E49}\chrome\content\application.js
c:\documents and settings\Admin\Local Settings\Application Data\GreatArcadeHits\{B21F5E31-B8E8-41CD-B74C-168A71A10E49}\chrome\content\overlay.xul
c:\documents and settings\Admin\Local Settings\Application Data\GreatArcadeHits\{B21F5E31-B8E8-41CD-B74C-168A71A10E49}\chrome\content\page.js
c:\documents and settings\Admin\Local Settings\Application Data\GreatArcadeHits\{B21F5E31-B8E8-41CD-B74C-168A71A10E49}\chrome\content\static.js
c:\documents and settings\Admin\Local Settings\Application Data\GreatArcadeHits\{B21F5E31-B8E8-41CD-B74C-168A71A10E49}\icon.png
c:\documents and settings\Admin\Local Settings\Application Data\GreatArcadeHits\{B21F5E31-B8E8-41CD-B74C-168A71A10E49}\install.rdf
c:\documents and settings\Admin\Local Settings\Application Data\GreatArcadeHits\cookies.js
c:\documents and settings\Admin\Local Settings\Application Data\GreatArcadeHits\gahff.xpi
c:\documents and settings\Admin\Local Settings\Application Data\GreatArcadeHits\Play Games online on GreatArcadeHits.com.url
c:\documents and settings\Admin\Local Settings\Application Data\GreatArcadeHits\premium.pem
c:\documents and settings\Admin\Local Settings\Application Data\GreatArcadeHits\static.js
c:\documents and settings\All Users\Application Data\Conduit
c:\documents and settings\All Users\Application Data\Conduit\IE\CT3289847\configutaion.json
c:\program files\Browsersafeguard
c:\program files\Browsersafeguard\install.log
c:\program files\Browsersafeguard\TrustedRoot.cer
c:\program files\WhiteSmoke_New
c:\program files\WhiteSmoke_New\GottenAppsContextMenu.xml
c:\program files\WhiteSmoke_New\OtherAppsContextMenu.xml
c:\program files\WhiteSmoke_New\SharedAppsContextMenu.xml
c:\program files\WhiteSmoke_New\ToolbarContextMenu.xml
F:\autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2013-09-16 to 2013-10-16 )))))))))))))))))))))))))))))))
.
.
2013-10-16 11:30 . 2013-09-05 05:02 7328304 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{93044524-E8E6-4F75-88D0-A2548F7685F8}\mpengine.dll
2013-10-16 07:00 . 2013-10-16 07:00 -------- d-----w- c:\windows\LastGood
2013-10-15 07:43 . 2013-09-05 05:02 7328304 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-10-09 16:01 . 2013-10-09 16:03 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Deployment
2013-10-09 04:05 . 2013-07-03 02:12 25088 ------w- c:\windows\system32\dllcache\hidparse.sys
2013-10-09 04:05 . 2013-07-17 00:58 46848 ------w- c:\windows\system32\dllcache\irbus.sys
2013-10-09 04:05 . 2013-08-09 00:55 5376 ------w- c:\windows\system32\dllcache\usbd.sys
2013-10-09 04:05 . 2009-03-18 11:02 30336 ------w- c:\windows\system32\dllcache\usbehci.sys
2013-10-08 11:49 . 2013-10-08 11:50 -------- d-----w- c:\program files\ERUNT
2013-10-03 11:54 . 2013-10-03 11:54 1731608 ----a-w- c:\windows\system32\GIMEJa.ime
2013-10-01 21:24 . 2013-10-01 21:24 -------- d-----w- c:\windows\system32\wbem\Repository
2013-10-01 21:18 . 2013-10-01 21:18 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\CRE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-09 11:16 . 2012-04-23 19:49 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-09 11:16 . 2011-05-17 19:04 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-23 18:33 . 2008-04-14 09:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-09-23 18:33 . 2008-04-14 09:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-09-23 18:33 . 2008-04-14 09:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-09-23 18:33 . 2008-04-14 09:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-09-23 18:06 . 2008-04-14 09:00 385024 ----a-w- c:\windows\system32\html.iec
2013-08-29 01:31 . 2008-04-14 09:00 1878656 ----a-w- c:\windows\system32\win32k.sys
2013-08-09 01:56 . 2008-04-14 09:00 386560 ----a-w- c:\windows\system32\themeui.dll
2013-08-09 00:55 . 2008-04-14 09:00 144128 ----a-w- c:\windows\system32\drivers\usbport.sys
2013-08-09 00:55 . 2010-08-19 00:24 32384 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2013-08-09 00:55 . 2008-04-14 09:00 5376 ----a-w- c:\windows\system32\drivers\usbd.sys
2013-08-05 13:30 . 2008-04-14 09:00 1289728 ----a-w- c:\windows\system32\ole32.dll
2013-08-03 18:18 . 2006-10-19 01:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-07-19 05:18 . 2013-07-19 05:18 102608 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" [2013-09-03 1272704]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2011-01-13 6129496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-24 796696]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-03 18665472]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-21 525824]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-02 98304]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2013-09-03 41336]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2013-09-03 840568]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"Google Japanese Input Prelauncher"="c:\program files\Google\Google Japanese Input\GoogleIMEJaBroker32.exe" [2013-10-03 1457688]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-08-12 995176]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-10-25 421888]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-11-29 151952]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
c:\documents and settings\Admin\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Admin\Application Data\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0210411]
Ime File REG_SZ GIMEJA.IME
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-10-06 05:52 59240 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-11-29 05:49 151952 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2011-11-11 18:08 205336 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-06-03 20:27 19603048 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\windows\\system32\\mshta.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Admin\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 NEOFLTR_650_16339;Juniper Networks TDI Filter Driver (NEOFLTR_650_16339);c:\windows\system32\drivers\NEOFLTR_650_16339.SYS [10/19/2010 5:36 PM 85360]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
R2 GoogleIMEJaCacheService;Google Japanese Input Cache Service;c:\program files\Google\Google Japanese Input\GoogleIMEJaCacheService.exe [10/3/2013 7:54 AM 752664]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 11:09 PM 11032]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [11/27/2012 8:48 AM 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [11/27/2012 8:48 AM 1369624]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [1/18/2012 2:44 AM 450848]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [8/11/2010 5:57 AM 2066968]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [8/11/2010 5:46 AM 160424]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/18/2007 1:46 PM 44800]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [11/27/2012 8:48 AM 168384]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [11/22/2012 11:29 AM 3290304]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [6/3/2013 4:21 PM 162408]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [1/18/2012 2:44 AM 22176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [6/12/2009 11:13 PM 1120752]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPFILTER
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-04 19:29 1185744 ----a-w- c:\program files\Google\Chrome\Application\30.0.1599.69\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-23 11:16]
.
2013-10-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-10-09 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2012-11-27 19:08]
.
2013-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-20 16:12]
.
2013-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-20 16:12]
.
2013-10-16 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-08-12 14:12]
.
2013-10-16 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2012-11-27 19:07]
.
2013-10-01 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2012-11-27 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: upmc.com
TCP: Interfaces\{40533F3E-962B-47A3-972C-1B8176E8887C}: NameServer = 136.142.57.10,128.147.22.101,136.142.188.73
DPF: {53A8AEF8-5503-4B78-A091-634BB68DEECE} - hxxps://access.upmc.com/SecureAuth4/4420/SecureAuth.cab
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\790rqy0p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289847&CUI=UN41460950402503119&UM=2&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - WhiteSmoke New Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3289847&CUI=UN41460950402503119&UM=2&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289847&SearchSource=2&CUI=UN41460950402503119&UM=2&q=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-10-16 12:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'winlogon.exe'(316)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\l3codeca.acm
c:\windows\system32\sirenacm.dll
.
Completion time: 2013-10-16 12:57:40
ComboFix-quarantined-files.txt 2013-10-16 16:57
ComboFix2.txt 2013-10-15 23:09
.
Pre-Run: 113,800,630,272 bytes free
Post-Run: 114,029,473,792 bytes free
.
- - End Of File - - AD63B4D4625B4846AD31B74A41E21D7A
A36C5E4F47E84449FF07ED3517B43A31
# AdwCleaner v3.008 - Report created 16/10/2013 at 19:30:05
# Updated 17/10/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Admin - KT-OFFICE
# Running from : C:\Documents and Settings\Admin\Desktop\AdwCleaner.exe
# Option : Clean
***** [ Services ] *****
Service Deleted : CltMngSvc
***** [ Files / Folders ] *****
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Conduit
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\Searchprotect
Folder Deleted : C:\Program Files\SweetPacks_A5
Folder Deleted : C:\WINDOWS\system32\WNLT
Folder Deleted : C:\Documents and Settings\Admin\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\Admin\Local Settings\Application Data\SweetPacks_A5
Folder Deleted : C:\DOCUME~1\Admin\LOCALS~1\Temp\CT3314312
Folder Deleted : C:\Documents and Settings\Admin\Application Data\PriceGong
Folder Deleted : C:\Documents and Settings\Admin\Application Data\Searchprotect
Folder Deleted : C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\790rqy0p.default\CT3289847
Folder Deleted : C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\790rqy0p.default\CT3314312
Folder Deleted : C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\790rqy0p.default\Extensions\{739df940-c5ee-4bab-9d7e-270894ae687a}
Folder Deleted : C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\790rqy0p.default\Extensions\{93ec97bf-fe43-4bca-a735-5c5d6a0a40c4}
[!] Folder Deleted : C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\eibleipkbineaadpnemmalkahodjhdbd
File Deleted : C:\END
File Deleted : C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\790rqy0p.default\searchplugins\Conduit.xml
File Deleted : C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\790rqy0p.default\searchplugins\mywebsearch.xml
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Deleted : HKCU\Software\Google\Chrome\Extensions\eibleipkbineaadpnemmalkahodjhdbd
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\eibleipkbineaadpnemmalkahodjhdbd
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [SearchProtect]
Key Deleted : HKCU\Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [SearchProtectAll]
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3314312
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [ConduitFloatingPlugin_eibleipkbineaadpnemmalkahodjhdbd]
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{93EC97BF-FE43-4BCA-A735-5C5D6A0A40C4}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4634A024-1754-4A6D-B4C0-4968168E3B7B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{93EC97BF-FE43-4BCA-A735-5C5D6A0A40C4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{93EC97BF-FE43-4BCA-A735-5C5D6A0A40C4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{93EC97BF-FE43-4BCA-A735-5C5D6A0A40C4}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{08858AF6-42AD-4914-95D2-AC3AB0DC8E28}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{4634A024-1754-4A6D-B4C0-4968168E3B7B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6B994EF6-8100-4B0F-9A17-2B10014C89A8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6C86D484-F3EC-4AD0-9104-4D2E17082426}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{93EC97BF-FE43-4BCA-A735-5C5D6A0A40C4}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{93EC97BF-FE43-4BCA-A735-5C5D6A0A40C4}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{93EC97BF-FE43-4BCA-A735-5C5D6A0A40C4}]
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\PriceGong
Key Deleted : HKCU\Software\SearchProtect
Key Deleted : HKCU\Software\smartbar
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\SweetPacks_A5
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\Software\SweetPacks_A5
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SearchProtect
***** [ Browsers ] *****
-\\ Internet Explorer v8.0.6001.18702
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]
-\\ Mozilla Firefox v3.6.8 (en-US)
[ File : C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\790rqy0p.default\prefs.js ]
Line Deleted : user_pref("CT3289847.FF19Solved", "true");
Line Deleted : user_pref("CT3289847.UserID", "UN41460950402503119");
Line Deleted : user_pref("CT3289847.browser.search.defaultthis.engineName", "true");
Line Deleted : user_pref("CT3289847.fullUserID", "UN41460950402503119.IN.20131001171822");
Line Deleted : user_pref("CT3289847.installDate", "01/10/2013 17:18:25");
Line Deleted : user_pref("CT3289847.installSessionId", "{92F9615F-38D1-4117-8C40-07832B6F80B5}");
Line Deleted : user_pref("CT3289847.installSp", "false");
Line Deleted : user_pref("CT3289847.installerVersion", "1.7.1.4");
Line Deleted : user_pref("CT3289847.keyword", "true");
Line Deleted : user_pref("CT3289847.originalHomepage", "hxxp://www.google.com/");
Line Deleted : user_pref("CT3289847.originalSearchAddressUrl", "hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZSYYYYYY68US&ptb=LVo5k0lPb8Miq9i_rW6QEA&ind=2011022213&ptnrS=ZSYYYYYY68US&si=&n=77ddc385&psa=[...]
Line Deleted : user_pref("CT3289847.originalSearchEngine", "");
Line Deleted : user_pref("CT3289847.originalSearchEngineName", "Bing");
Line Deleted : user_pref("CT3289847.searchRevert", "true");
Line Deleted : user_pref("CT3289847.searchUserMode", "2");
Line Deleted : user_pref("CT3289847.smartbar.homepage", "true");
Line Deleted : user_pref("CT3289847.versionFromInstaller", "10.20.1.8");
Line Deleted : user_pref("CT3289847.xpeMode", "0");
Line Deleted : user_pref("CT3314312.FF19Solved", "true");
Line Deleted : user_pref("CT3314312.UserID", "UN14543847841697112");
Line Deleted : user_pref("CT3314312.browser.search.defaultthis.engineName", "true");
Line Deleted : user_pref("CT3314312.fullUserID", "UN14543847841697112.IN.20131016192112");
Line Deleted : user_pref("CT3314312.installDate", "16/10/2013 19:21:13");
Line Deleted : user_pref("CT3314312.installSessionId", "{A6902B0D-DC68-4FEB-9B63-17DA9489AAA0}");
Line Deleted : user_pref("CT3314312.installSp", "TRUE");
Line Deleted : user_pref("CT3314312.installerVersion", "1.7.1.7");
Line Deleted : user_pref("CT3314312.keyword", "true");
Line Deleted : user_pref("CT3314312.originalHomepage", "hxxp://search.conduit.com/?ctid=CT3289847&CUI=UN41460950402503119&UM=2&SearchSource=13");
Line Deleted : user_pref("CT3314312.originalSearchAddressUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289847&SearchSource=2&CUI=UN41460950402503119&UM=2&q=");
Line Deleted : user_pref("CT3314312.originalSearchEngine", "WhiteSmoke New Customized Web Search");
Line Deleted : user_pref("CT3314312.originalSearchEngineName", "WhiteSmoke New Customized Web Search");
Line Deleted : user_pref("CT3314312.searchRevert", "false");
Line Deleted : user_pref("CT3314312.searchUserMode", "2");
Line Deleted : user_pref("CT3314312.smartbar.homepage", "true");
Line Deleted : user_pref("CT3314312.versionFromInstaller", "10.20.3.20");
Line Deleted : user_pref("CT3314312.xpeMode", "0");
Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289847&SearchSource=2&CUI=UN41460950402503119&UM=2&q=");
Line Deleted : user_pref("browser.search.defaultenginename", "SweetPacks A5 Customized Web Search");
Line Deleted : user_pref("browser.search.defaultthis.engineName", "SweetPacks A5 Customized Web Search");
Line Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3314312&CUI=UN14543847841697112&UM=2&SearchSource=3&q={searchTerms}");
Line Deleted : user_pref("browser.search.selectedEngine", "SweetPacks A5 Customized Web Search");
Line Deleted : user_pref("browser.startup.homepage", "hxxp://search.conduit.com/?ctid=CT3314312&CUI=UN14543847841697112&UM=2&SearchSource=13");
Line Deleted : user_pref("dom.ipc.plugins.enabled.npmywebs.dll", false);
Line Deleted : user_pref("extensions.mywebsearch.prevKwdEnabled", true);
Line Deleted : user_pref("extensions.mywebsearch.prevKwdURL", "hxxp://www.bing.com/search?FORM=BABTDF&PC=BBLN&q=");
Line Deleted : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3314312&SearchSource=2&CUI=UN14543847841697112&UM=2&q=");
Line Deleted : user_pref("smartbar.addressBarOwnerCTID", "CT3314312");
Line Deleted : user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3289847&CUI=UN41460950402503119&UM=2&SearchSource=13,hxxp://search.conduit.com/?ctid=CT3314312&CUI=UN14543847841697112&UM=2[...]
Line Deleted : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289847&SearchSource=2&CUI=UN41460950402503119&UM=2&q=,hxxp://search.conduit.com/ResultsExt.aspx?cti[...]
Line Deleted : user_pref("smartbar.defaultSearchOwnerCTID", "CT3314312");
Line Deleted : user_pref("smartbar.homePageOwnerCTID", "CT3314312");
Line Deleted : user_pref("smartbar.machineId", "CX4Z1OR7WUBBKGQAGFFCLCTKB6EVNYZ72L7+VBLZ3K0FABGTEGCKZD6BEEDBFRN3CJP030RMK5O1QX3/FQ3CTW");
-\\ Google Chrome v30.0.1599.69
[ File : C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]
Deleted : homepage
Deleted : icon_url
Deleted : search_url
Deleted : suggest_url
Deleted : keyword
Deleted : urls_to_restore_on_startup
*************************
AdwCleaner[R0].txt - [11621 octets] - [16/10/2013 19:29:25]
AdwCleaner[S0].txt - [11524 octets] - [16/10/2013 19:30:05]
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [11585 octets] ##########
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.7 (10.15.2013:2)
OS: Microsoft Windows XP x86
Ran by Admin on Wed 10/16/2013 at 22:05:50.93
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
~~~ Registry Values
~~~ Registry Keys
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{1FFF3315-4EAB-4878-9BBB-273C189D2542}
~~~ Files
~~~ Folders
Successfully deleted: [Folder] "C:\Documents and Settings\Admin\Local Settings\Application Data\cre"
Successfully deleted: [Folder] "C:\Program Files\browsersafeguard"
~~~ Chrome
Successfully deleted: [Folder] C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 10/16/2013 at 22:08:42.79
Computer was rebooted
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hi ketssk,
Now I restored the system before ComboFix and my Internet connect was restored
You did a System Restore back to before all the tools were run?
Did you reboot after the scans?
Thanks again for your quick response.
1: I restored BEFORE Combo Fix Script; but after the initial Combo Fix.
2: Yes, I rebooted every time after those procedures... In this time, I rebooted twice, but I cannot connect to the Internet through IE or Google Chrome, but the system restoration restored my Internet connection...
Hi ketssk,
OK, thanks for the clarification. Please re-run ComboFix and post a new log.
Thanks again. Here it is.
ComboFix 13-10-16.02 - Admin 10/18/2013 19:03:40.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3579.2707 [GMT -4:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
F:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2013-09-18 to 2013-10-18 )))))))))))))))))))))))))))))))
.
.
2013-10-18 04:13 . 2013-10-14 06:39 7796464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{358213B5-120B-4767-BDE9-01266AAEE7F7}\mpengine.dll
2013-10-17 13:06 . 2013-10-14 06:39 7796464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-10-17 02:43 . 2013-10-17 02:43 -------- d-----w- c:\windows\system32\wbem\Repository
2013-10-17 02:00 . 2013-10-17 02:00 -------- d-----w- c:\windows\ERUNT
2013-10-16 23:29 . 2013-10-16 23:30 -------- d-----w- C:\AdwCleaner
2013-10-09 16:01 . 2013-10-09 16:03 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Deployment
2013-10-09 04:05 . 2013-07-03 02:12 25088 ------w- c:\windows\system32\dllcache\hidparse.sys
2013-10-09 04:05 . 2013-07-17 00:58 46848 ------w- c:\windows\system32\dllcache\irbus.sys
2013-10-09 04:05 . 2013-08-09 00:55 5376 ------w- c:\windows\system32\dllcache\usbd.sys
2013-10-09 04:05 . 2009-03-18 11:02 30336 ------w- c:\windows\system32\dllcache\usbehci.sys
2013-10-08 11:49 . 2013-10-08 11:50 -------- d-----w- c:\program files\ERUNT
2013-10-03 11:54 . 2013-10-03 11:54 1731608 ----a-w- c:\windows\system32\GIMEJa.ime
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-09 11:16 . 2012-04-23 19:49 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-09 11:16 . 2011-05-17 19:04 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-23 18:33 . 2008-04-14 09:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-09-23 18:33 . 2008-04-14 09:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-09-23 18:33 . 2008-04-14 09:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-09-23 18:33 . 2008-04-14 09:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-09-23 18:06 . 2008-04-14 09:00 385024 ----a-w- c:\windows\system32\html.iec
2013-08-29 01:31 . 2008-04-14 09:00 1878656 ----a-w- c:\windows\system32\win32k.sys
2013-08-09 01:56 . 2008-04-14 09:00 386560 ----a-w- c:\windows\system32\themeui.dll
2013-08-09 00:55 . 2008-04-14 09:00 144128 ----a-w- c:\windows\system32\drivers\usbport.sys
2013-08-09 00:55 . 2010-08-19 00:24 32384 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2013-08-09 00:55 . 2008-04-14 09:00 5376 ----a-w- c:\windows\system32\drivers\usbd.sys
2013-08-05 13:30 . 2008-04-14 09:00 1289728 ----a-w- c:\windows\system32\ole32.dll
2013-08-03 18:18 . 2006-10-19 01:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" [2013-09-03 1272704]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2011-01-13 6129496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-24 796696]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-03 18665472]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-21 525824]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-02 98304]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2013-09-03 41336]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2013-09-03 840568]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"Google Japanese Input Prelauncher"="c:\program files\Google\Google Japanese Input\GoogleIMEJaBroker32.exe" [2013-10-03 1457688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-10-25 421888]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-11-29 151952]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-08-12 995176]
.
c:\documents and settings\Admin\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Admin\Application Data\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0210411]
Ime File REG_SZ GIMEJA.IME
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-10-06 05:52 59240 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-11-29 05:49 151952 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2011-11-11 18:08 205336 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-06-03 20:27 19603048 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\windows\\system32\\mshta.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Admin\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 NEOFLTR_650_16339;Juniper Networks TDI Filter Driver (NEOFLTR_650_16339);c:\windows\system32\drivers\NEOFLTR_650_16339.SYS [10/19/2010 5:36 PM 85360]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
R2 GoogleIMEJaCacheService;Google Japanese Input Cache Service;c:\program files\Google\Google Japanese Input\GoogleIMEJaCacheService.exe [10/3/2013 7:54 AM 752664]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 11:09 PM 11032]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [11/27/2012 8:48 AM 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [11/27/2012 8:48 AM 1369624]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [1/18/2012 2:44 AM 450848]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [8/11/2010 5:57 AM 2066968]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [8/11/2010 5:46 AM 160424]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/18/2007 1:46 PM 44800]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [11/27/2012 8:48 AM 168384]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [11/22/2012 11:29 AM 3290304]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [6/3/2013 4:21 PM 162408]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [1/18/2012 2:44 AM 22176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [6/12/2009 11:13 PM 1120752]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-17 08:35 1185744 ----a-w- c:\program files\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-23 11:16]
.
2013-10-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-10-18 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2012-11-27 19:08]
.
2013-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-20 16:12]
.
2013-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-20 16:12]
.
2013-10-18 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-08-12 14:12]
.
2013-10-16 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2012-11-27 19:07]
.
2013-10-01 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2012-11-27 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: upmc.com
TCP: Interfaces\{40533F3E-962B-47A3-972C-1B8176E8887C}: NameServer = 136.142.57.10,128.147.22.101,136.142.188.73
DPF: {53A8AEF8-5503-4B78-A091-634BB68DEECE} - hxxps://access.upmc.com/SecureAuth4/4420/SecureAuth.cab
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\790rqy0p.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-10-18 19:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(872)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2013-10-18 19:11:45
ComboFix-quarantined-files.txt 2013-10-18 23:11
ComboFix2.txt 2013-10-16 16:57
ComboFix3.txt 2013-10-15 23:09
.
Pre-Run: 114,492,661,760 bytes free
Post-Run: 114,638,381,056 bytes free
.
- - End Of File - - FF35C6202992ADD37F0A2C4DE8B3408C
A36C5E4F47E84449FF07ED3517B43A31
Hi ketssk,
http://i1269.photobucket.com/albums/jj590/OCD-WTT/bullseye_zpse9eaf36e.gif (http://s1269.photobucket.com/user/OCD-WTT/media/bullseye_zpse9eaf36e.gif.html) Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php) to your desktop.
Right click mbam-setup.exe and select "Run as Administrator" and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan as shown below.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
=========================
http://i1269.photobucket.com/albums/jj590/OCD-WTT/bullseye_zpse9eaf36e.gif (http://s1269.photobucket.com/user/OCD-WTT/media/bullseye_zpse9eaf36e.gif.html) ESET Online Scanner
*Note:
It is recommended to disable on-board antivirus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your anti-spyware programs.
** You need to run your browser with Administrator Rights, to do so right click your browsers short cut and select "Run as Administrator".
= = = = = = = = = = = = = = = = = = = =
Go here to run ESET Online Scanner (http://www.eset.eu/online-scanner)
(Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock
Click Start
Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is Checked.
Click Scan.
Wait for the scan to finish.
When the scan completes, click List of found threats
click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
Include the contents of this report in your next reply
Note - when ESET doesn't find any threats, no report will be created.
Push the back button.
Push Finish
Re-enable your Antivirus software.
=========================
In your next post please provide the following:
MBAM log
ESET's log.txt
How's the computer running, any symptoms?
Thank you again. As you see below, ESET scan detects many files, but all in quarantine or within backup files... Regarding the PC, MS Security Essential did not work well for some reasons (unable to uninstall and re-install...), so I put Symantec Endpoint, which seems to work fine. My PC works okay, though IE7 is slow.... Not sure whether it is baseline or not...
Many thanks again.
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org
Database version: v2013.10.21.09
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Admin :: KT-OFFICE [administrator]
Protection: Enabled
10/21/2013 7:04:43 PM
mbam-log-2013-10-21 (19-04-43).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 248035
Time elapsed: 9 minute(s), 45 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (PUP.Optional.iBryte) -> Quarantined and deleted successfully.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
E:\My Documents\Downloads\Setup.exe (PUP.Optional.iBryte) -> Quarantined and deleted successfully.
(end)
C:\AdwCleaner\Quarantine\C\Documents and Settings\Admin\Application Data\Searchprotect\bin\ChromeModule.dll.vir probably a variant of Win32/Conduit.SearchProtect.C application
C:\AdwCleaner\Quarantine\C\Documents and Settings\Admin\Application Data\Searchprotect\bin\cltmng.exe.vir a variant of Win32/Conduit.SearchProtect.B application
C:\AdwCleaner\Quarantine\C\Documents and Settings\Admin\Application Data\Searchprotect\bin\FirefoxModule.dll.vir probably a variant of Win32/Conduit.SearchProtect.C application
C:\AdwCleaner\Quarantine\C\Documents and Settings\Admin\Application Data\Searchprotect\bin\InternetExplorerModule.dll.vir probably a variant of Win32/Conduit.SearchProtect.C application
C:\AdwCleaner\Quarantine\C\Documents and Settings\Admin\Application Data\Searchprotect\bin\SPRunner.exe.vir a variant of Win32/Conduit.SearchProtect.D application
C:\AdwCleaner\Quarantine\C\Documents and Settings\Admin\Application Data\Searchprotect\ffprotect\application.js.vir Win32/Conduit.SearchProtect.A application
C:\AdwCleaner\Quarantine\C\Documents and Settings\Admin\Application Data\Searchprotect\ffprotect\nsprotector.js.vir Win32/Conduit.SearchProtect.A application
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\bin\ChromeModule.dll.vir probably a variant of Win32/Conduit.SearchProtect.C application
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\bin\cltmng.exe.vir a variant of Win32/Conduit.SearchProtect.B application
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\bin\FirefoxModule.dll.vir probably a variant of Win32/Conduit.SearchProtect.C application
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\bin\InternetExplorerModule.dll.vir probably a variant of Win32/Conduit.SearchProtect.C application
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\bin\SPRunner.exe.vir a variant of Win32/Conduit.SearchProtect.D application
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\ffprotect\application.js.vir Win32/Conduit.SearchProtect.A application
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\ffprotect\nsprotector.js.vir Win32/Conduit.SearchProtect.A application
C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP1714\A0243699.exe a variant of Win32/Amonetize.R application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\FunWebProducts\Installr\1.bin\F3EZSETP.DLL a variant of Win32/FunWeb.AA application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\FunWebProducts\Installr\1.bin\F3PLUGIN.DLL Win32/Toolbar.MyWebSearch application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\FunWebProducts\Installr\1.bin\NPFUNWEB.DLL Win32/Toolbar.MyWebSearch application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL Win32/Toolbar.MyWebSearch application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL Win32/FunWeb application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL Win32/FunWeb application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3HKSTUB.DLL Win32/Toolbar.MyWebSearch.G application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL Win32/Toolbar.MyWebSearch.B application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL Win32/Toolbar.MyWebSearch application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL Win32/Toolbar.MyWebSearch application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL Win32/FunWeb application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR Win32/Toolbar.MyWebSearch application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3REGHK.DLL Win32/Toolbar.MyWebSearch.G application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL Win32/Toolbar.MyWebSearch.D application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL Win32/Toolbar.MyWebSearch application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE Win32/FunWeb application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL Win32/Toolbar.MyWebSearch.P application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL Win32/FunWeb application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3AUXSTB.DLL Win32/Toolbar.MyWebSearch.H application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3DLGHK.DLL a variant of Win32/Toolbar.MyWebSearch.I application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL Win32/Toolbar.MyWebSearch application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL Win32/Toolbar.MyWebSearch.P application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE Win32/Toolbar.MyWebSearch application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL Win32/Toolbar.MyWebSearch application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL Win32/Toolbar.MyWebSearch.J application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL Win32/Toolbar.MyWebSearch application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL Win32/Toolbar.MyWebSearch.P application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE Win32/Toolbar.MyWebSearch application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE Win32/Toolbar.MyWebSearch.J application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE Win32/Toolbar.MyWebSearch.I application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3TPINST.DLL a variant of Win32/Toolbar.MyWebSearch.I application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL a variant of Win32/Toolbar.MyWebSearch.K application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSMLBTN.DLL Win32/Toolbar.MyWebSearch application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE Win32/Toolbar.MyWebSearch application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL Win32/Toolbar.MyWebSearch.J application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL Win32/Toolbar.MyWebSearch application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL Win32/Toolbar.MyWebSearch application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE Win32/Toolbar.MyWebSearch application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSUABTN.DLL Win32/Toolbar.MyWebSearch application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL Win32/Toolbar.MyWebSearch application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\setups\My Web Search Installer.exe a variant of Win32/Toolbar.MyWebSearch.K application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\Windows Live\Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\Windows Live\Messenger\riched20.dll Win32/Toolbar.MyWebSearch application
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\Uninstall Fun Web Products.dll a variant of Win32/Toolbar.MyWebSearch.K application
Hi ketssk,
Open System Information by clicking the Start button http://i1269.photobucket.com/albums/jj590/OCD-WTT/start.jpg (http://s1269.photobucket.com/user/OCD-WTT/media/start.jpg.html) > All Programs, > Accessories, > System Tools, and then > System Information.
Copy and paste this information in your next reply.
=========================
The other entries will be removed during our clean-up steps.
=========================
http://i1269.photobucket.com/albums/jj590/OCD-WTT/bullseye_zpse9eaf36e.gif (http://s1269.photobucket.com/user/OCD-WTT/media/bullseye_zpse9eaf36e.gif.html) ComboFix Script
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the code-box below into it:
File::
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\Uninstall Fun Web Products.dll
Folder::
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\FunWebProducts
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch
F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\Windows Live\Messenger
Save this as CFScript.txt, in the same location as ComboFix.exe
http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, please post the C:\ComboFix.txt for further review.
=========================
In your next post please provide the following:
System Information
Combofix.txt
How is the computer running?
OCD,
Thanks again. Even I took out the MS Security Essential, ComboFix said it is still running for some reasons.... Otherwise it appears okay. And I pasted the requested info below..
Thank you so much again. ketssk
System information
OS Name Microsoft Windows XP Professional
Version 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer Microsoft Corporation
System Name KT-OFFICE
System Manufacturer Hewlett-Packard
System Model HP Compaq 8000 Elite CMT PC
System Type X86-based PC
Processor x86 Family 6 Model 23 Stepping 10 GenuineIntel ~2826 Mhz
BIOS Version/Date Hewlett-Packard 786G7 v01.03, 12/14/2009
SMBIOS Version 2.6
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume1
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)"
User Name KT-OFFICE\Admin
Time Zone Eastern Daylight Time
Total Physical Memory 4,100.00 MB
Available Physical Memory 711.54 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.95 GB
Page File Space 5.33 GB
Page File C:\pagefile.sys
ComboFix 13-10-21.01 - Admin 10/22/2013 22:21:43.3.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3579.2411 [GMT -4:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: e:\my documents\PC cleanup\102213\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
FILE ::
"f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\Uninstall Fun Web Products.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
F:\autorun.inf
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\FunWebProducts
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\FunWebProducts\Installr\1.bin\F3EZSETP.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\FunWebProducts\Installr\1.bin\F3PLUGIN.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\FunWebProducts\Installr\1.bin\NPFUNWEB.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\FunWebProducts\Installr\Cache\12FD6F19.exe
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\FunWebProducts\Installr\Cache\files.ini
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\FunWebProducts\PopSwatr\History\notallow
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\FunWebProducts\Shared\Cache\WebfettiBtn.html
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\CHROME.MANIFEST
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\chrome\M3FFXTBR.JAR
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3HKSTUB.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3REGHK.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\INSTALL.RDF
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3AUXSTB.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3DLGHK.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3FFTBPR.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3MEDINT.EXE
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3PATCH.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3TPINST.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSMLBTN.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSUABTN.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Cache\039E05F3.bin
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Cache\039E0680.bmp
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Cache\039E069F.bin
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Cache\039E06BE.bin
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Cache\12FE0771
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Cache\12FE0F22
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Cache\12FE0F70.bin
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Cache\12FE0FFD.bmp
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Cache\12FE127D.bin
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Cache\12FE129C.bin
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Cache\12FE12BC.exe
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Cache\files.ini
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Game\CHESS.F3S
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\History\search3
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\icons\CM.ICO
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\icons\MFC.ICO
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\icons\PSS.ICO
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\icons\SMILEY.ICO
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\icons\WB.ICO
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON.F3S
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\8_step1.gif
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\autoup.gif
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\autoup.htm
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\bkez.jpg
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\bkgr.jpg
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\bkgs.jpg
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\bklf.jpg
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\bkrg.jpg
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\bkwebfet.jpg
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\bkzc.jpg
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\bkzl.jpg
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\bkzn.jpg
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\bkzq.jpg
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\bkzr.jpg
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\bkzu.jpg
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\bkzv.jpg
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\bkzw.jpg
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\bkzwinky.jpg
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\blubtn2d.png
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\blubtn2r.png
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\blubtn3d.png
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\blubtn3r.png
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\center.htm
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\index.htm
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\mid_dots.gif
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\protect.htm
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\rebut4.htm
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\rebut4b.htm
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\rebut4c.htm
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\shield.png
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\shocked.gif
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\stop.gif
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\systray.htm
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\systrayp.htm
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\tp_grad.gif
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Message\COMMON\warn.gif
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Notifier\DOG.F3S
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Notifier\FISH.F3S
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Notifier\MAID.F3S
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Overlay\COMMON.F3S
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\Settings\s_pid.dat
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\setups\My Web Search Installer.exe
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\Uninstall Fun Web Products.dll
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\Windows Live\Messenger
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\Windows Live\Messenger\msimg32.dll
f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\Windows Live\Messenger\riched20.dll
.
.
((((((((((((((((((((((((( Files Created from 2013-09-23 to 2013-10-23 )))))))))))))))))))))))))))))))
.
.
2013-10-22 20:39 . 2013-10-22 20:39 -------- d-----w- c:\program files\Common Files\Java
2013-10-22 20:38 . 2013-10-22 20:38 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-10-22 00:33 . 2013-10-22 00:33 -------- d-----w- c:\program files\ESET
2013-10-22 00:29 . 2013-10-22 00:29 63115 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2013-10-22 00:29 . 2013-10-22 00:29 9310 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2013-10-22 00:29 . 2013-10-22 00:29 8646 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2013-10-22 00:29 . 2013-10-22 00:29 8613 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2013-10-22 00:29 . 2013-10-22 00:29 6429 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2013-10-22 00:29 . 2013-10-22 00:29 5927 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2013-10-22 00:29 . 2013-10-22 00:29 4599 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2013-10-22 00:29 . 2013-10-22 00:29 1651 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2013-10-22 00:29 . 2013-10-22 00:29 6910 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2013-10-22 00:29 . 2013-10-22 00:29 18541 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2013-10-22 00:29 . 2013-10-22 00:29 8288 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2013-10-22 00:29 . 2013-10-22 00:29 6208 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2013-10-22 00:28 . 2013-10-22 00:28 7271 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2013-10-22 00:28 . 2013-10-22 00:28 51852 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2013-10-22 00:28 . 2013-10-22 00:28 23327 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2013-10-22 00:28 . 2013-10-22 00:28 20719 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2013-10-22 00:28 . 2013-10-22 00:28 8782 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2013-10-21 23:03 . 2013-10-21 23:03 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2013-10-21 23:03 . 2013-10-21 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-10-21 23:03 . 2013-10-21 23:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-10-21 23:03 . 2013-04-04 18:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-10-20 16:10 . 2013-10-20 16:10 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2013-10-20 16:09 . 2013-10-20 16:09 420240 ----a-w- c:\windows\system32\SymVPN.dll
2013-10-20 16:09 . 2013-10-20 16:09 361360 ----a-w- c:\windows\system32\sysfer.dll
2013-10-20 16:09 . 2013-10-20 16:09 33264 ----a-w- c:\windows\system32\drivers\WGX.SYS
2013-10-20 16:09 . 2013-10-20 16:09 136592 ----a-w- c:\windows\system32\FwsVpn.dll
2013-10-20 16:09 . 2013-10-20 16:09 114080 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2013-10-20 16:09 . 2013-10-20 16:09 11152 ----a-w- c:\windows\system32\sysferThunk.dll
2013-10-20 16:09 . 2013-10-20 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1992-12.com.symantec
2013-10-20 16:09 . 2013-10-20 16:09 -------- d-----w- c:\windows\system32\drivers\SEP
2013-10-20 16:09 . 2013-10-20 16:10 -------- d-----w- c:\program files\Symantec
2013-10-20 16:07 . 2013-10-20 16:07 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Akamai
2013-10-20 15:46 . 2013-10-20 15:46 -------- d-----w- c:\program files\Microsoft Download Manager
2013-10-20 15:26 . 2013-10-20 15:26 -------- d-----w- c:\windows\system32\wbem\Repository
2013-10-19 23:59 . 2013-10-19 23:59 -------- d-----w- c:\documents and settings\Admin\Application Data\ElevatedDiagnostics
2013-10-19 23:58 . 2013-10-19 23:58 -------- d-----w- C:\MATS
2013-10-19 23:37 . 2013-10-14 06:39 7796464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2F9B0D1-3B9D-4BAB-9398-C36F8CF88576}\mpengine.dll
2013-10-18 04:13 . 2013-10-14 06:39 7796464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-10-17 02:00 . 2013-10-17 02:00 -------- d-----w- c:\windows\ERUNT
2013-10-16 23:29 . 2013-10-16 23:30 -------- d-----w- C:\AdwCleaner
2013-10-09 16:01 . 2013-10-09 16:03 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Deployment
2013-10-09 14:58 . 2013-10-09 14:58 4879744 ----a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2013-10-09 14:58 . 2013-10-09 14:58 4879744 ----a-w- c:\program files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2013-10-09 04:05 . 2013-07-03 02:12 25088 ------w- c:\windows\system32\dllcache\hidparse.sys
2013-10-09 04:05 . 2013-07-17 00:58 46848 ------w- c:\windows\system32\dllcache\irbus.sys
2013-10-09 04:05 . 2013-08-09 00:55 5376 ------w- c:\windows\system32\dllcache\usbd.sys
2013-10-09 04:05 . 2009-03-18 11:02 30336 ------w- c:\windows\system32\dllcache\usbehci.sys
2013-10-08 11:49 . 2013-10-08 11:50 -------- d-----w- c:\program files\ERUNT
2013-10-03 11:54 . 2013-10-03 11:54 1731608 ----a-w- c:\windows\system32\GIMEJa.ime
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-22 20:38 . 2010-08-20 14:56 145408 ----a-w- c:\windows\system32\javacpl.cpl
2013-10-09 11:16 . 2012-04-23 19:49 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-09 11:16 . 2011-05-17 19:04 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-23 18:33 . 2008-04-14 09:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-09-23 18:33 . 2008-04-14 09:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-09-23 18:33 . 2008-04-14 09:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-09-23 18:33 . 2008-04-14 09:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-09-23 18:06 . 2008-04-14 09:00 385024 ----a-w- c:\windows\system32\html.iec
2013-08-29 01:31 . 2008-04-14 09:00 1878656 ----a-w- c:\windows\system32\win32k.sys
2013-08-09 01:56 . 2008-04-14 09:00 386560 ----a-w- c:\windows\system32\themeui.dll
2013-08-09 00:55 . 2008-04-14 09:00 144128 ----a-w- c:\windows\system32\drivers\usbport.sys
2013-08-09 00:55 . 2010-08-19 00:24 32384 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2013-08-09 00:55 . 2008-04-14 09:00 5376 ----a-w- c:\windows\system32\drivers\usbd.sys
2013-08-05 13:30 . 2008-04-14 09:00 1289728 ----a-w- c:\windows\system32\ole32.dll
2013-08-03 18:18 . 2006-10-19 01:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" [2013-09-03 1272704]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2011-01-13 6129496]
"Akamai NetSession Interface"="c:\documents and settings\Admin\Local Settings\Application Data\Akamai\netsession_win.exe" [2013-06-05 4489472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-24 796696]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-03 18665472]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-21 525824]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-02 98304]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2013-09-03 41336]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2013-09-03 840568]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"Google Japanese Input Prelauncher"="c:\program files\Google\Google Japanese Input\GoogleIMEJaBroker32.exe" [2013-10-03 1457688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-11-29 151952]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
c:\documents and settings\Admin\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Admin\Application Data\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0210411]
Ime File REG_SZ GIMEJA.IME
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-10-06 05:52 59240 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-11-29 05:49 151952 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2011-11-11 18:08 205336 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-06-03 20:27 19603048 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\windows\\system32\\mshta.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Admin\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\12.1.3001.165.105\\Bin\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\12.1.3001.165.105\\Bin\\snac.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\SEP\0C010BB9\00A5.105\x86\SymDS.sys [5/25/2013 10:21 AM 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\SEP\0C010BB9\00A5.105\x86\SymEFA.sys [5/25/2013 10:21 AM 934488]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\BASHDefs\20130924.011\BHDrvx86.sys [9/24/2013 12:38 AM 1002072]
R1 ccSettings_{0807952E-B22C-403B-A5F9-93CF778D514E};Symantec Endpoint Protection 12.1.3001.165.105 Settings Manager;c:\windows\system32\drivers\SEP\0C010BB9\00A5.105\x86\ccSetx86.sys [5/25/2013 10:21 AM 134744]
R1 NEOFLTR_650_16339;Juniper Networks TDI Filter Driver (NEOFLTR_650_16339);c:\windows\system32\drivers\NEOFLTR_650_16339.SYS [10/19/2010 5:36 PM 85360]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\SEP\0C010BB9\00A5.105\x86\Ironx86.sys [5/25/2013 10:21 AM 175264]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
R2 GoogleIMEJaCacheService;Google Japanese Input Cache Service;c:\program files\Google\Google Japanese Input\GoogleIMEJaCacheService.exe [10/3/2013 7:54 AM 752664]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [10/21/2013 7:03 PM 418376]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/21/2013 7:03 PM 701512]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 11:09 PM 11032]
R2 SepMasterService;Symantec Endpoint Protection;c:\program files\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe [5/25/2013 10:21 AM 144368]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [1/18/2012 2:44 AM 450848]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [8/11/2010 5:57 AM 2066968]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [8/11/2010 5:46 AM 160424]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/21/2013 1:23 PM 108120]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\IPSDefs\20131018.011\IDSXpx86.sys [10/20/2013 12:12 PM 380824]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/18/2007 1:46 PM 44800]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/21/2013 7:03 PM 22856]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [10/9/2013 10:58 AM 3275136]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [6/3/2013 4:21 PM 162408]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [1/18/2012 2:44 AM 22176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [6/12/2009 11:13 PM 1120752]
S3 SyDvCtrl;SyDvCtrl;c:\program files\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\SyDvCtrl32.sys [5/25/2013 10:21 AM 28576]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ERASERUTILREBOOTDRV
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-17 08:35 1185744 ----a-w- c:\program files\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-23 11:16]
.
2013-10-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-20 16:12]
.
2013-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-20 16:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: upmc.com
TCP: Interfaces\{40533F3E-962B-47A3-972C-1B8176E8887C}: NameServer = 136.142.57.10,128.147.22.101,136.142.188.73
DPF: {53A8AEF8-5503-4B78-A091-634BB68DEECE} - hxxps://access.upmc.com/SecureAuth4/4420/SecureAuth.cab
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\790rqy0p.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-10-22 22:29
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SepMasterService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\" /m \"c:\program files\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\sms.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SmcService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\Smc.exe\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1268)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'winlogon.exe'(3024)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2013-10-22 22:31:10
ComboFix-quarantined-files.txt 2013-10-23 02:31
ComboFix2.txt 2013-10-18 23:11
ComboFix3.txt 2013-10-16 16:57
ComboFix4.txt 2013-10-15 23:09
.
Pre-Run: 111,495,540,736 bytes free
Post-Run: 111,869,161,472 bytes free
.
- - End Of File - - 80DC4B345029D0B41585B1BF5BC500D9
A36C5E4F47E84449FF07ED3517B43A31
Hi ketssk,
http://i1269.photobucket.com/albums/jj590/OCD-WTT/bullseye_zpse9eaf36e.gif (http://s1269.photobucket.com/user/OCD-WTT/media/bullseye_zpse9eaf36e.gif.html) ATF Cleaner by Atribune
Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.
Download - ATF Cleaner (http://forums.whatthetech.com/downloads.html&req=download&code=confirm_download&id=17)
Windows XP : Double click on the icon to run it.
Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.
=========================
http://i1269.photobucket.com/albums/jj590/OCD-WTT/bullseye_zpse9eaf36e.gif (http://s1269.photobucket.com/user/OCD-WTT/media/bullseye_zpse9eaf36e.gif.html) Disk Defragmenter for XP
Open My Computer.
Right-click the local disk volume that you want to defragment, and then click Properties.
On the Tools tab, click Defragment Now.
Click Defragment.
=========================
In your next post please provide the following:
Defrag results
How is the computer running, any remaining issues?
Hi ketssk,
Just checking in to see if you still need help?
OCD- I think you resolved the issue. Thank you so much!!!! Ketssk
Edit- Admin
Towards the end of a cleanup please make sure you follow through with any final log requested, even if it appears to you that your computer is back to normal operation, and when asked to post back one more time please do so. As much as we like our members http://forums.spybot.info/images/smilies/smile.png we would rather not see you back in a few weeks because the disinfecting wasn't finished and final instructions given.
http://forums.spybot.info/showthread.php?288-quot-BEFORE-You-POST-quot-(Please-read-this-Procedure-Before-Requesting-Assistance)&p=1092&viewfull=1#post1092
Hi ketssk,
It's important that you follow through with the remainder of the steps I will outline. Absence of symptoms doesn't necessarily translate into malware free. We are making progress so please stay with me until I give you the "all clean" sign. :bigthumb:
Hi ketssk,
Do you still need assistance?
Due to inactivity this topic will be closed.