
Thread: "Great Arcade Hit"

    #11 Junior Member (Join Date: Oct 2013, Posts: 9)

    Thank you again. As you see below, the ESET scan detects many files, but all in quarantine or within backup files. Regarding the PC, MS Security Essentials did not work well for some reason (unable to uninstall and re-install), so I put on Symantec Endpoint, which seems to work fine. My PC works okay, though IE7 is slow. Not sure whether it is baseline or not.

    Many thanks again.


    Malwarebytes Anti-Malware (Trial) 1.75.0.1300
    www.malwarebytes.org

    Database version: v2013.10.21.09

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Admin :: KT-OFFICE [administrator]

    Protection: Enabled

    10/21/2013 7:04:43 PM
    mbam-log-2013-10-21 (19-04-43).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 248035
    Time elapsed: 9 minute(s), 45 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 1
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (PUP.Optional.iBryte) -> Quarantined and deleted successfully.

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    E:\My Documents\Downloads\Setup.exe (PUP.Optional.iBryte) -> Quarantined and deleted successfully.

    (end)



    C:\AdwCleaner\Quarantine\C\Documents and Settings\Admin\Application Data\Searchprotect\bin\ChromeModule.dll.vir probably a variant of Win32/Conduit.SearchProtect.C application
    C:\AdwCleaner\Quarantine\C\Documents and Settings\Admin\Application Data\Searchprotect\bin\cltmng.exe.vir a variant of Win32/Conduit.SearchProtect.B application
    C:\AdwCleaner\Quarantine\C\Documents and Settings\Admin\Application Data\Searchprotect\bin\FirefoxModule.dll.vir probably a variant of Win32/Conduit.SearchProtect.C application
    C:\AdwCleaner\Quarantine\C\Documents and Settings\Admin\Application Data\Searchprotect\bin\InternetExplorerModule.dll.vir probably a variant of Win32/Conduit.SearchProtect.C application
    C:\AdwCleaner\Quarantine\C\Documents and Settings\Admin\Application Data\Searchprotect\bin\SPRunner.exe.vir a variant of Win32/Conduit.SearchProtect.D application
    C:\AdwCleaner\Quarantine\C\Documents and Settings\Admin\Application Data\Searchprotect\ffprotect\application.js.vir Win32/Conduit.SearchProtect.A application
    C:\AdwCleaner\Quarantine\C\Documents and Settings\Admin\Application Data\Searchprotect\ffprotect\nsprotector.js.vir Win32/Conduit.SearchProtect.A application
    C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\bin\ChromeModule.dll.vir probably a variant of Win32/Conduit.SearchProtect.C application
    C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\bin\cltmng.exe.vir a variant of Win32/Conduit.SearchProtect.B application
    C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\bin\FirefoxModule.dll.vir probably a variant of Win32/Conduit.SearchProtect.C application
    C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\bin\InternetExplorerModule.dll.vir probably a variant of Win32/Conduit.SearchProtect.C application
    C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\bin\SPRunner.exe.vir a variant of Win32/Conduit.SearchProtect.D application
    C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\ffprotect\application.js.vir Win32/Conduit.SearchProtect.A application
    C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\ffprotect\nsprotector.js.vir Win32/Conduit.SearchProtect.A application
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP1714\A0243699.exe a variant of Win32/Amonetize.R application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\FunWebProducts\Installr\1.bin\F3EZSETP.DLL a variant of Win32/FunWeb.AA application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\FunWebProducts\Installr\1.bin\F3PLUGIN.DLL Win32/Toolbar.MyWebSearch application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\FunWebProducts\Installr\1.bin\NPFUNWEB.DLL Win32/Toolbar.MyWebSearch application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL Win32/Toolbar.MyWebSearch application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL Win32/FunWeb application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL Win32/FunWeb application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3HKSTUB.DLL Win32/Toolbar.MyWebSearch.G application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL Win32/Toolbar.MyWebSearch.B application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL Win32/Toolbar.MyWebSearch application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL Win32/Toolbar.MyWebSearch application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL Win32/FunWeb application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR Win32/Toolbar.MyWebSearch application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3REGHK.DLL Win32/Toolbar.MyWebSearch.G application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL Win32/Toolbar.MyWebSearch.D application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL Win32/Toolbar.MyWebSearch application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE Win32/FunWeb application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL Win32/Toolbar.MyWebSearch.P application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL Win32/FunWeb application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3AUXSTB.DLL Win32/Toolbar.MyWebSearch.H application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3DLGHK.DLL a variant of Win32/Toolbar.MyWebSearch.I application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL Win32/Toolbar.MyWebSearch application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL Win32/Toolbar.MyWebSearch.P application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE Win32/Toolbar.MyWebSearch application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL Win32/Toolbar.MyWebSearch application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL Win32/Toolbar.MyWebSearch.J application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL Win32/Toolbar.MyWebSearch application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL Win32/Toolbar.MyWebSearch.P application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE Win32/Toolbar.MyWebSearch application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE Win32/Toolbar.MyWebSearch.J application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE Win32/Toolbar.MyWebSearch.I application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\M3TPINST.DLL a variant of Win32/Toolbar.MyWebSearch.I application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL a variant of Win32/Toolbar.MyWebSearch.K application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSMLBTN.DLL Win32/Toolbar.MyWebSearch application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE Win32/Toolbar.MyWebSearch application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL Win32/Toolbar.MyWebSearch.J application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL Win32/Toolbar.MyWebSearch application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL Win32/Toolbar.MyWebSearch application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE Win32/Toolbar.MyWebSearch application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\MWSUABTN.DLL Win32/Toolbar.MyWebSearch application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL Win32/Toolbar.MyWebSearch application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch\bar\setups\My Web Search Installer.exe a variant of Win32/Toolbar.MyWebSearch.K application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\Windows Live\Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\Windows Live\Messenger\riched20.dll Win32/Toolbar.MyWebSearch application
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\Uninstall Fun Web Products.dll a variant of Win32/Toolbar.MyWebSearch.K application

    #12 Malware Team-Emeritus (Join Date: Sep 2012, Location: Florida, USA, Posts: 1,161)

    Hi ketssk,

    Open System Information by clicking the Start button > All Programs > Accessories > System Tools > System Information.
    Copy and paste this information in your next reply.

    =========================

    The other entries will be removed during our clean-up steps.

    =========================

    ComboFix Script

    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the code-box below into it:


    Code:
    File::
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\Uninstall Fun Web Products.dll

    Folder::
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\FunWebProducts
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\MyWebSearch
    F:\Seagate Backup\KT-OFFICE\History\Level2\C\Program Files\Windows Live\Messenger

    Save this as CFScript.txt, in the same location as ComboFix.exe




    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, please post the C:\ComboFix.txt for further review.

    =========================

    In your next post please provide the following:
    • System Information
    • Combofix.txt
    • How is the computer running?
    OCD
    ----------
    Graduate of WTT Classroom
    Member of UNITE

    Threads will be closed if no response after 5 days

    #13 Junior Member (Join Date: Oct 2013, Posts: 9)

    OCD,

    Thanks again. Even though I took out MS Security Essentials, ComboFix said it is still running for some reason. Otherwise it appears okay. I pasted the requested info below.

    Thank you so much again. ketssk


    System information

    OS Name Microsoft Windows XP Professional
    Version 5.1.2600 Service Pack 3 Build 2600
    OS Manufacturer Microsoft Corporation
    System Name KT-OFFICE
    System Manufacturer Hewlett-Packard
    System Model HP Compaq 8000 Elite CMT PC
    System Type X86-based PC
    Processor x86 Family 6 Model 23 Stepping 10 GenuineIntel ~2826 Mhz
    BIOS Version/Date Hewlett-Packard 786G7 v01.03, 12/14/2009
    SMBIOS Version 2.6
    Windows Directory C:\WINDOWS
    System Directory C:\WINDOWS\system32
    Boot Device \Device\HarddiskVolume1
    Locale United States
    Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)"
    User Name KT-OFFICE\Admin
    Time Zone Eastern Daylight Time
    Total Physical Memory 4,100.00 MB
    Available Physical Memory 711.54 MB
    Total Virtual Memory 2.00 GB
    Available Virtual Memory 1.95 GB
    Page File Space 5.33 GB
    Page File C:\pagefile.sys


    ComboFix 13-10-21.01 - Admin 10/22/2013 22:21:43.3.4 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3579.2411 [GMT -4:00]
    Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
    Command switches used :: e:\my documents\PC cleanup\102213\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Symantec Endpoint Protection *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
    .
    FILE ::
    "f:\seagate backup\KT-OFFICE\History\Level2\C\Program Files\Uninstall Fun Web Products.dll"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-09-23 to 2013-10-23 )))))))))))))))))))))))))))))))
    .
    .
    2013-10-09 04:05 . 2013-07-17 00:58 46848 ------w- c:\windows\system32\dllcache\irbus.sys
    2013-10-09 04:05 . 2013-08-09 00:55 5376 ------w- c:\windows\system32\dllcache\usbd.sys
    2013-10-09 04:05 . 2009-03-18 11:02 30336 ------w- c:\windows\system32\dllcache\usbehci.sys
    2013-10-08 11:49 . 2013-10-08 11:50 -------- d-----w- c:\program files\ERUNT
    2013-10-03 11:54 . 2013-10-03 11:54 1731608 ----a-w- c:\windows\system32\GIMEJa.ime
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-10-22 20:38 . 2010-08-20 14:56 145408 ----a-w- c:\windows\system32\javacpl.cpl
    2013-10-09 11:16 . 2012-04-23 19:49 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-10-09 11:16 . 2011-05-17 19:04 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-09-23 18:33 . 2008-04-14 09:00 920064 ----a-w- c:\windows\system32\wininet.dll
    2013-09-23 18:33 . 2008-04-14 09:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2013-09-23 18:33 . 2008-04-14 09:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2013-09-23 18:33 . 2008-04-14 09:00 18944 ----a-w- c:\windows\system32\corpol.dll
    2013-09-23 18:06 . 2008-04-14 09:00 385024 ----a-w- c:\windows\system32\html.iec
    2013-08-29 01:31 . 2008-04-14 09:00 1878656 ----a-w- c:\windows\system32\win32k.sys
    2013-08-09 01:56 . 2008-04-14 09:00 386560 ----a-w- c:\windows\system32\themeui.dll
    2013-08-09 00:55 . 2008-04-14 09:00 144128 ----a-w- c:\windows\system32\drivers\usbport.sys
    2013-08-09 00:55 . 2010-08-19 00:24 32384 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2013-08-09 00:55 . 2008-04-14 09:00 5376 ----a-w- c:\windows\system32\drivers\usbd.sys
    2013-08-05 13:30 . 2008-04-14 09:00 1289728 ----a-w- c:\windows\system32\ole32.dll
    2013-08-03 18:18 . 2006-10-19 01:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2013-05-25 00:36 130736 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.19.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2013-05-25 00:36 130736 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.19.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2013-05-25 00:36 130736 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.19.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2013-05-25 00:36 130736 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.19.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" [2013-09-03 1272704]
    "Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2011-01-13 6129496]
    "Akamai NetSession Interface"="c:\documents and settings\Admin\Local Settings\Application Data\Akamai\netsession_win.exe" [2013-06-05 4489472]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-24 796696]
    "RTHDCPL"="RTHDCPL.EXE" [2009-07-03 18665472]
    "SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-21 525824]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-02 98304]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
    "DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
    "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2013-09-03 41336]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2013-09-03 840568]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
    "Google Japanese Input Prelauncher"="c:\program files\Google\Google Japanese Input\GoogleIMEJaBroker32.exe" [2013-10-03 1457688]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-10-25 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-11-29 151952]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
    .
    c:\documents and settings\Admin\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\documents and settings\Admin\Application Data\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow [2005-10-20 38912]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0210411]
    Ime File REG_SZ GIMEJA.IME
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2011-10-06 05:52 59240 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2012-11-29 05:49 151952 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
    2011-11-11 18:08 205336 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2013-06-03 20:27 19603048 ----a-r- c:\program files\Skype\Phone\Skype.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
    "c:\\windows\\system32\\mshta.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Documents and Settings\\Admin\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\12.1.3001.165.105\\Bin\\Smc.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\12.1.3001.165.105\\Bin\\snac.exe"=
    "c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\SEP\0C010BB9\00A5.105\x86\SymDS.sys [5/25/2013 10:21 AM 367704]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\SEP\0C010BB9\00A5.105\x86\SymEFA.sys [5/25/2013 10:21 AM 934488]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\BASHDefs\20130924.011\BHDrvx86.sys [9/24/2013 12:38 AM 1002072]
    R1 ccSettings_{0807952E-B22C-403B-A5F9-93CF778D514E};Symantec Endpoint Protection 12.1.3001.165.105 Settings Manager;c:\windows\system32\drivers\SEP\0C010BB9\00A5.105\x86\ccSetx86.sys [5/25/2013 10:21 AM 134744]
    R1 NEOFLTR_650_16339;Juniper Networks TDI Filter Driver (NEOFLTR_650_16339);c:\windows\system32\drivers\NEOFLTR_650_16339.SYS [10/19/2010 5:36 PM 85360]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\SEP\0C010BB9\00A5.105\x86\Ironx86.sys [5/25/2013 10:21 AM 175264]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
    R2 GoogleIMEJaCacheService;Google Japanese Input Cache Service;c:\program files\Google\Google Japanese Input\GoogleIMEJaCacheService.exe [10/3/2013 7:54 AM 752664]
    R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [10/21/2013 7:03 PM 418376]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/21/2013 7:03 PM 701512]
    R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 11:09 PM 11032]
    R2 SepMasterService;Symantec Endpoint Protection;c:\program files\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe [5/25/2013 10:21 AM 144368]
    R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [1/18/2012 2:44 AM 450848]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [8/11/2010 5:57 AM 2066968]
    R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [8/11/2010 5:46 AM 160424]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/21/2013 1:23 PM 108120]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\IPSDefs\20131018.011\IDSXpx86.sys [10/20/2013 12:12 PM 380824]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/18/2007 1:46 PM 44800]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/21/2013 7:03 PM 22856]
    S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [10/9/2013 10:58 AM 3275136]
    S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [6/3/2013 4:21 PM 162408]
    S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [1/18/2012 2:44 AM 22176]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [6/12/2009 11:13 PM 1120752]
    S3 SyDvCtrl;SyDvCtrl;c:\program files\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\SyDvCtrl32.sys [5/25/2013 10:21 AM 28576]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - ERASERUTILREBOOTDRV
    *NewlyCreated* - JAVAQUICKSTARTERSERVICE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2013-10-17 08:35 1185744 ----a-w- c:\program files\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-10-23 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-23 11:16]
    .
    2013-10-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2013-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-20 16:12]
    .
    2013-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-20 16:12]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local;<local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    Trusted Zone: upmc.com
    TCP: Interfaces\{40533F3E-962B-47A3-972C-1B8176E8887C}: NameServer = 136.142.57.10,128.147.22.101,136.142.188.73
    DPF: {53A8AEF8-5503-4B78-A091-634BB68DEECE} - hxxps://access.upmc.com/SecureAuth4/4420/SecureAuth.cab
    FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\790rqy0p.default\
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-10-22 22:29
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SepMasterService]
    "ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\" /m \"c:\program files\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\sms.dll\" /prefetch:1"
    --
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SmcService]
    "ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\Smc.exe\" /prefetch:1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1268)
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'winlogon.exe'(3024)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2013-10-22 22:31:10
    ComboFix-quarantined-files.txt 2013-10-23 02:31
    ComboFix2.txt 2013-10-18 23:11
    ComboFix3.txt 2013-10-16 16:57
    ComboFix4.txt 2013-10-15 23:09
    .
    Pre-Run: 111,495,540,736 bytes free
    Post-Run: 111,869,161,472 bytes free
    .
    - - End Of File - - 80DC4B345029D0B41585B1BF5BC500D9
    A36C5E4F47E84449FF07ED3517B43A31

  4. #14
    Malware Team-Emeritus
    Join Date
    Sep 2012
    Location
    Florida, USA
    Posts
    1,161

    Default

    Hi ketssk,

    ATF Cleaner by Atribune

Note: Close all browsers before running ATF Cleaner: IE, Firefox, etc.

    Download - ATF Cleaner

• Windows XP: Double-click on the icon to run it.
• Windows Vista, Windows 7 & 8: Right-click and select "Run as Administrator"

    Under Main choose: Select All
    Click the Empty Selected button.

    • If you use Firefox browser

      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    • If you use Opera browser

      Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.

It's normal after running ATF Cleaner that the PC will be slower to boot the first time or two.

    =========================

    Disk Defragmenter for XP
    • Open My Computer.
    • Right-click the local disk volume that you want to defragment, and then click Properties.
    • On the Tools tab, click Defragment Now.
    • Click Defragment.

    =========================

    In your next post please provide the following:
    • Defrag results
• How is the computer running? Any remaining issues?
    OCD
    ----------
    Graduate of WTT Classroom
    Member of UNITE

    Threads will be closed if no response after 5 days

  5. #15
    Malware Team-Emeritus
    Join Date
    Sep 2012
    Location
    Florida, USA
    Posts
    1,161

    Default

    Hi ketssk,

    Just checking in to see if you still need help?
    OCD

  6. #16
    Junior Member
    Join Date
    Oct 2013
    Posts
    9

    Default Many thanks!!

    OCD- I think you resolved the issue. Thank you so much!!!! Ketssk

    Edit- Admin
    Towards the end of a cleanup please make sure you follow through with any final log requested, even if it appears to you that your computer is back to normal operation, and when asked to post back one more time please do so. As much as we like our members we would rather not see you back in a few weeks because the disinfecting wasn't finished and final instructions given.
    http://forums.spybot.info/showthread...ull=1#post1092

  7. #17
    Malware Team-Emeritus
    Join Date
    Sep 2012
    Location
    Florida, USA
    Posts
    1,161

    Default

    Hi ketssk,

It's important that you follow through with the remainder of the steps I will outline. Absence of symptoms doesn't necessarily translate into being malware-free. We are making progress, so please stay with me until I give you the "all clean" sign.
    OCD

  8. #18
    Malware Team-Emeritus
    Join Date
    Sep 2012
    Location
    Florida, USA
    Posts
    1,161

    Default

    Hi ketssk,

    Do you still need assistance?
    OCD

  9. #19
    Malware Team-Emeritus
    Join Date
    Sep 2012
    Location
    Florida, USA
    Posts
    1,161

    Default

    Due to inactivity this topic will be closed.
    OCD
