Jump to content

Charlie_Whisky

Members
 View Profile  See their activity

  • Posts

    19

  • Joined

  • Last visited

Reputation

0 Neutral
  1. Charlie_Whisky
    Hello Gringo I ran delfile.bat and ComboFix /Uninstall without incident, and, I don't think I every down loaded defogger. Things appear to be running smoothly. Its almost a shame to mess it all up by delving back to the internet again. MSE is an interesting choice; I'll consider this once my license to N360 expires. Maybe now I can keep this old dinosaur computer running for a bit longer... but when its time for a new one, I'll be getting another paid version of MBAM for sure. Many thanks for your help and I am happy to donate. Charlie
  2. Charlie_Whisky
    Hello Gringo, The ESET scan took +7 hrs to complete. ESET reported one threat: F:\H-drive_restore 8-11-09\H_\InspironXP-restore-7-29-06\TRUMPET\TRUMPING.EX_ Win16/Flooder.ICMP.ICMPBomb.A trojan Note that "drive F"" corresponds to a secondary USB connected hard drive that I have connected to this computer.
  3. Charlie_Whisky
    Hello Gringo Running fixit did help in that now my red Xs probelems all appear to be gone, thanks, (note: Fixit does do other things to my IE8 setting that I had to undo but I guess the trade-off is worth it.) Okay, back to trying to run Est. Before downloading it, I tried first disabling Norton 360's virus protection, and that seems to allow Est to download the updated virus file list and lauch into scanming the computer. The scan seems to be taking quite a long time.... I'll let it run overnight and report back.
  4. Charlie_Whisky
    Gringo, I'm back! I downloaded png_fix.zip, and unzipped it. When I right click on pngasso_xp.reg there is no merge option as suggested at the website you directed me to. So instead I selected "open" and clicked on okay for all the prompts. Then I restarted my computer. This did help resolve the red x and blank button problem for IE8 somewhat, but not completely. For example, the two menu rows above the space I am presently typing into now displays images corresponding to the various commands, but, my icon to the left of the box I am typing into still shows a red X, On the otherhand your icon image now is displayed. Moving on to Eset, now the page "http://www.eset.com/us/online-scanner/" mades more sense. I clicked on the button "Run EST Online" and let the program load, and then selected the setting you advised. But, at step 2 of the installation, EST got stuck, giving the error message "Can not update, Is proxy configured?" Any suggestions?
  5. Charlie_Whisky
    Thanks Gringo I'll try this and report back; I'll be off line for a few days
  6. Charlie_Whisky
    Hi Gringo I ran Hijack, but I can not see where to run Eset, on the page where your link sends me to (http://www.eset.com/us/online-scanner/). That is, I see no "Run ESET Online Scanner" button Maybe because this goes to a different page, OR, maybe because, buttons are showing up as red Xs on the Eset page or other pages when I am on IE. For instance, the menu bar above the space that I am typing into is blank. The icon to the left associated with my profile displays a red X. Do you know of a way to get the images of the buttom to display once again?
  7. Charlie_Whisky
    Hello Gringo I ran all of these without incident. the MBAM log and HJ logs are at the end of this post. A commenct about Revo Uninstaller: I found it very time consumming to use b/c I had to click on 7'al hundred boxes corresponding to all the bolded selections; it would be much better if there was a button to simply selects all bolded items. I have not yet install the updated Adbove and Java versions that you pointed to. Feedback 1) I have not seen any IP blocks popup since running Revo to uninstall those 4 programs and CC cleaner; thats a good sign! But I'll have to monitor longer. Here is today's protection log: 2013/06/18 19:22:06 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection 2013/06/18 19:22:06 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully 2013/06/18 19:22:06 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection 2013/06/18 19:23:26 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully 2013/06/18 19:24:29 -0500 GW-5B4ED3A077 Owner IP-BLOCK 79.135.139.182 (Type: outgoing) 2013/06/18 20:57:31 -0500 GW-5B4ED3A077 Owner IP-BLOCK 87.248.186.129 (Type: incoming) 2013/06/18 21:37:27 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection 2013/06/18 21:37:28 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully 2013/06/18 21:37:28 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection 2013/06/18 21:38:51 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully 2) IE still shows red Xs and blank boxes and pictures, so it is not very user friendly Any idea how to restore this?? MBAM Log Malwarebytes Anti-Malware (PRO) 1.75.0.1300 www.malwarebytes.org Database version: v2013.06.16.04 Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 Owner :: GW-5B4ED3A077 [administrator] Protection: Enabled 6/18/2013 9:40:50 PM mbam-log-2013-06-18 (21-40-50).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 237368 Time elapsed: 17 minute(s), 37 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end) Hacklack this log Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 10:00:52 PM, on 6/18/2013 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\CTsvcCDA.exe C:\WINDOWS\cwh.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\Program Files\VERIZONDM\bin\sprtcmd.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe C:\WINDOWS\ehome\ehtray.exe C:\Program Files\Brother\ControlCenter2\brctrcen.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Program Files\VERIZONDM\bin\sprtsvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\VERIZONDM\bin\tgsrvc.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe C:\WINDOWS\system32\SearchIndexer.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Program Files\Norton 360\Engine\20.4.0.40\ccSvcHst.exe C:\Program Files\Norton 360\Engine\20.4.0.40\ccSvcHst.exe C:\WINDOWS\system32\WLTRAY.exe C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe C:\WINDOWS\system32\SearchProtocolHost.exe C:\Documents and Settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\Hijack this\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6453 O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\20.4.0.40\coIEPlg.dll O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\20.4.0.40\IPS\IPSBHO.DLL O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\20.4.0.40\coIEPlg.dll O4 - HKLM\..\Run: [VERIZONDM] "C:\Program Files\VERIZONDM\bin\sprtcmd.exe" /P VERIZONDM O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - Global Startup: REALTEK RTL8187 Wireless LAN Utility.lnk = ? O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://biz.lgservice.com/DjvuViewer/DjVuControl-6.1.4.cab O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab O16 - DPF: {3A52566B-6018-485B-B713-8B9FF660D8E8} (ilhtrapp Object) - http://71.123.169.42:0/webdvr2.18.2.16_71.0.0.0.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1343697687988 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1343697663689 O16 - DPF: {9282A3AA-4954-46B4-B4AE-F086CE3F1110} (TrustSiteAddMgr Class) - http://71.123.169.42:0/regtrustsite.cab O16 - DPF: {9CA74596-B5BB-4634-971C-F0224115A15F} (tcast control) - http://nba.tom.com/video/tcastV1.cab O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://vexcast.com/download/vexcast.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe O23 - Service: cwh - Warranty Corporation of America - C:\WINDOWS\cwh.exe O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe O23 - Service: IHA_MessageCenter - Verizon - C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing) O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\20.4.0.40\ccSvcHst.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing) O23 - Service: SupportSoft Sprocket Service (verizondm) (sprtsvc_verizondm) - SupportSoft, Inc. - C:\Program Files\VERIZONDM\bin\sprtsvc.exe O23 - Service: SupportSoft Repair Service (verizondm) (tgsrvc_verizondm) - SupportSoft, Inc. - C:\Program Files\VERIZONDM\bin\tgsrvc.exe O23 - Service: vToolbarUpdater15.2.0 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe O23 - Service: Web Dictate (WebDictateService) - Unknown owner - C:\Program Files\NCH Software\WebDictate\webdictate.exe O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE -- End of file - 9854 bytes
  8. Charlie_Whisky
    Hello Gringo I dragged CFscript.txt over Combofix.exe, and it started to run. Combofix.exe asked if I wanted to update and I declined. Combix.exe warned me to suspend N360 antivirus, which I did. Combix.exe then proceeded to run and ended by popping up with the log report at the end of this post. FEEDBACK I don’t see too much change in the responsiveness of the computer. CPU about 1-3% in the present state. MBAM has been blocking, here’s the protection log for today: 2013/06/17 00:11:00 -0500 GW-5B4ED3A077 Owner IP-BLOCK 195.161.7.18 (Type: incoming) 2013/06/17 00:16:05 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.195.11.13 (Type: incoming) 2013/06/17 01:07:00 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.86.220 (Type: incoming) 2013/06/17 01:07:14 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.117.177.77 (Type: outgoing) 2013/06/17 01:23:36 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.88.119 (Type: incoming) 2013/06/17 01:52:14 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.188.44.53 (Type: outgoing) 2013/06/17 02:16:35 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.188.38.83 (Type: incoming) 2013/06/17 02:19:12 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.154 (Type: incoming) 2013/06/17 02:38:41 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.7.184.162 (Type: outgoing) 2013/06/17 02:39:30 -0500 GW-5B4ED3A077 Owner IP-BLOCK 98.142.247.209 (Type: incoming) 2013/06/17 03:36:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.17.215 (Type: outgoing) 2013/06/17 03:37:38 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.66.199 (Type: outgoing) 2013/06/17 03:39:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.61.171 (Type: incoming) 2013/06/17 03:47:17 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.253.81 (Type: incoming) 2013/06/17 03:51:50 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.186.244 (Type: outgoing) 2013/06/17 03:55:41 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.15.90 (Type: incoming) 2013/06/17 04:06:49 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.253.81 (Type: incoming) 2013/06/17 04:06:50 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.253.81 (Type: incoming) 2013/06/17 04:06:54 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.253.81 (Type: incoming) 2013/06/17 04:07:14 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.253.81 (Type: incoming) 2013/06/17 04:07:15 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.253.81 (Type: incoming) 2013/06/17 04:07:42 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.186.244 (Type: outgoing) 2013/06/17 04:12:08 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.253.81 (Type: incoming) 2013/06/17 04:18:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.86.140 (Type: incoming) 2013/06/17 04:34:32 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.65.200 (Type: incoming) 2013/06/17 04:38:17 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.158 (Type: outgoing) 2013/06/17 04:51:25 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.59.68 (Type: incoming) 2013/06/17 04:54:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.186.244 (Type: outgoing) 2013/06/17 05:03:46 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.86.140 (Type: incoming) 2013/06/17 05:09:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.188.53.16 (Type: incoming) 2013/06/17 05:11:08 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.186.244 (Type: outgoing) 2013/06/17 05:13:27 -0500 GW-5B4ED3A077 Owner IP-BLOCK 94.102.56.145 (Type: incoming) 2013/06/17 05:19:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 194.165.0.3 (Type: incoming) 2013/06/17 05:25:00 -0500 GW-5B4ED3A077 Owner IP-BLOCK 78.26.187.118 (Type: outgoing) 2013/06/17 05:26:26 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.188.50.159 (Type: outgoing) 2013/06/17 05:42:47 -0500 GW-5B4ED3A077 Owner IP-BLOCK 194.165.0.3 (Type: incoming) 2013/06/17 06:03:48 -0500 GW-5B4ED3A077 Owner IP-BLOCK 194.165.0.3 (Type: incoming) 2013/06/17 06:11:57 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.86.140 (Type: incoming) 2013/06/17 06:24:05 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.8.222.93 (Type: outgoing) 2013/06/17 06:24:37 -0500 GW-5B4ED3A077 Owner IP-BLOCK 194.165.0.3 (Type: incoming) 2013/06/17 06:32:18 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.64.63 (Type: incoming) 2013/06/17 06:37:46 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.186.244 (Type: outgoing) 2013/06/17 06:38:08 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.240.244 (Type: outgoing) 2013/06/17 06:45:59 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.64.63 (Type: incoming) 2013/06/17 06:46:29 -0500 GW-5B4ED3A077 Owner IP-BLOCK 194.165.0.3 (Type: incoming) 2013/06/17 06:53:32 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.195.11.90 (Type: outgoing) 2013/06/17 06:54:56 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.114.149 (Type: outgoing) 2013/06/17 07:05:17 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.86.140 (Type: incoming) 2013/06/17 07:08:51 -0500 GW-5B4ED3A077 Owner IP-BLOCK 219.153.111.3 (Type: outgoing) 2013/06/17 07:09:51 -0500 GW-5B4ED3A077 Owner IP-BLOCK 219.153.138.29 (Type: outgoing) 2013/06/17 07:10:06 -0500 GW-5B4ED3A077 Owner IP-BLOCK 194.165.0.3 (Type: incoming) 2013/06/17 07:18:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.55.82 (Type: incoming) 2013/06/17 07:24:54 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.188.41.191 (Type: outgoing) 2013/06/17 07:34:52 -0500 GW-5B4ED3A077 Owner IP-BLOCK 194.165.0.3 (Type: incoming) 2013/06/17 07:40:50 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection 2013/06/17 07:40:50 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully 2013/06/17 07:40:50 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection 2013/06/17 07:42:17 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully 2013/06/17 07:44:05 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.63.17 (Type: incoming) 2013/06/17 07:48:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.63.17 (Type: incoming) 2013/06/17 20:04:56 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection 2013/06/17 20:04:56 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully 2013/06/17 20:04:56 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection 2013/06/17 20:06:04 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully 2013/06/17 20:06:58 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming) 2013/06/17 20:08:05 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.16.95 (Type: incoming) 2013/06/17 20:10:00 -0500 GW-5B4ED3A077 Owner IP-BLOCK 98.142.247.246 (Type: incoming) 2013/06/17 20:21:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming) 2013/06/17 20:28:11 -0500 GW-5B4ED3A077 Owner IP-BLOCK 94.102.51.133 (Type: incoming) 2013/06/17 20:35:47 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming) 2013/06/17 20:50:11 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming) 2013/06/17 21:04:35 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming) 2013/06/17 21:19:00 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming) 2013/06/17 21:31:11 -0500 GW-5B4ED3A077 Owner IP-BLOCK 94.102.51.133 (Type: incoming) 2013/06/17 21:33:24 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming) 2013/06/17 21:47:48 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming) 2013/06/17 21:55:01 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.48.34 (Type: outgoing) 2013/06/17 22:00:21 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection 2013/06/17 22:00:21 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully 2013/06/17 22:00:21 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection 2013/06/17 22:01:22 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully 2013/06/17 22:01:57 -0500 GW-5B4ED3A077 Owner IP-BLOCK 98.142.247.246 (Type: outgoing) 2013/06/17 22:01:59 -0500 GW-5B4ED3A077 Owner IP-BLOCK 98.142.247.246 (Type: outgoing) 2013/06/17 22:02:14 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming) Note that Combo fix finished at 21:43, there are still outgoing IP blocks after this. Combo Fix report ComboFix 13-06-12.02 - Owner 06/17/2013 21:28:52.2.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1033 [GMT -5:00] Running from: c:\documents and settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\Combo fix\ComboFix.exe Command switches used :: c:\documents and settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\Batch Files\CFScript.txt AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8} FW: CA Personal Firewall *Disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160} FW: Norton 360 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220} . . ((((((((((((((((((((((((( Files Created from 2013-05-18 to 2013-06-18 ))))))))))))))))))))))))))))))) . . 2013-06-16 13:45 . 2013-02-12 00:32 12928 -c----w- c:\windows\system32\dllcache\usb8023x.sys 2013-06-16 13:45 . 2013-02-12 00:32 12928 -c----w- c:\windows\system32\dllcache\usb8023.sys 2013-06-16 02:02 . 2013-06-16 12:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable) 2013-06-16 02:01 . 2013-06-16 02:01 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys 2013-06-15 21:19 . 2013-06-15 21:19 -------- d-----w- C:\_OTL 2013-06-12 22:12 . 2013-06-12 22:12 -------- d-----w- c:\windows\ERUNT 2013-06-12 22:12 . 2013-06-12 22:12 -------- d-----w- C:\JRT 2013-06-12 21:52 . 2013-06-12 21:52 -------- d-----w- c:\documents and settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\AVG SafeGuard toolbar 2013-06-12 21:52 . 2013-06-12 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG SafeGuard toolbar 2013-06-12 21:51 . 2013-06-12 21:51 -------- d-----w- c:\documents and settings\Owner.YOUR-5B4ED3A077\Application Data\AVG SafeGuard toolbar 2013-06-12 21:51 . 2013-06-12 21:50 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys 2013-06-12 21:51 . 2013-06-12 22:06 -------- d-----w- c:\program files\Common Files\AVG Secure Search 2013-06-12 21:51 . 2013-06-12 21:51 -------- d-----w- c:\program files\AVG SafeGuard toolbar 2013-06-12 21:50 . 2013-06-12 21:50 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files 2013-06-10 09:54 . 2013-06-10 09:54 -------- d-----w- c:\documents and settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan 2013-05-21 01:23 . 2013-05-28 00:28 -------- d-----w- C:\hotlink 2013-05-21 01:20 . 2008-11-07 10:53 752496 ----a-w- C:\WindowsXP-KB959658-x86-ENU.exe . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2013-06-12 02:59 . 2012-04-18 18:39 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2013-06-12 02:59 . 2011-06-15 01:48 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2013-05-07 22:30 . 2006-06-17 09:23 920064 ----a-w- c:\windows\system32\wininet.dll 2013-05-07 22:30 . 2006-06-17 09:23 43520 ------w- c:\windows\system32\licmgr10.dll 2013-05-07 22:30 . 2006-06-17 09:23 1469440 ------w- c:\windows\system32\inetcpl.cpl 2013-05-07 21:53 . 2006-06-17 09:23 385024 ------w- c:\windows\system32\html.iec 2013-05-03 01:30 . 2006-06-17 09:23 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe 2013-05-03 00:38 . 2004-08-04 05:59 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe 2013-04-10 01:31 . 2006-06-17 09:23 1876352 ----a-w- c:\windows\system32\win32k.sys 2013-04-05 00:00 . 2011-06-20 01:25 695578 ----a-w- c:\windows\unins000.exe 2013-04-04 19:50 . 2008-08-09 19:09 22856 ----a-w- c:\windows\system32\drivers\mbam.sys 2003-12-05 16:41 368640 --sh--r- c:\windows\cwh.exe 2003-12-05 02:16 69632 --sh--r- c:\windows\lnchshll.exe 2003-12-05 02:16 49152 --sh--r- c:\windows\ScrnInt.exe . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-08 323392] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2011-12-01 206120] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218] "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648] "SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-24 573440] "SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 413696] "SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152] "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512] "ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-11-01 98304] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2008-04-14 53760] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ REALTEK RTL8187 Wireless LAN Utility.lnk - c:\program files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe /H [2006-11-1 749568] Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe /startup [2008-5-26 123904] . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "UmxFwHlp"=2 (0x2) "ITMRTSVC"=2 (0x2) "CaCCProvSP"=3 (0x3) "YahooAUService"=2 (0x2) . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\ses2_client_bin_2_8_13g\\seswiz.exe"= "c:\\Program Files\\REALTEK RTL8187 Wireless LAN Driver and Utility\\RtWLan.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\DNA\\btdna.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Plex\\Plex Media Server\\Plex Media Server.exe"= "c:\\Program Files\\Plex\\Plex Media Server\\PlexScriptHost.exe"= "c:\\Program Files\\Plex\\Plex Media Server\\PlexDlnaServer.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0 "1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1 "1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2 "1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3 "1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4 "1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5 "1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6 "1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7 "1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8 "1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9 "1641:TCP"= 1641:TCP:MioNet Remote Drive Verification "1647:TCP"= 1647:TCP:MioNet Storage Device Configuration "5432:UDP"= 5432:UDP:MioNet Storage Device Discovery "4100:UDP"= 4100:UDP:uPNP Router Control Port "50000:UDP"= 50000:UDP:IHA_MessageCenter "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management . R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\1403010.016\symds.sys [4/8/2013 7:03 PM 367704] R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\1403010.016\symefa.sys [4/8/2013 7:03 PM 934488] R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [6/12/2013 4:51 PM 37664] R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\BASHDefs\20130531.001\BHDrvx86.sys [5/31/2013 11:58 AM 1002072] R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360\1403010.016\ccsetx86.sys [4/8/2013 7:03 PM 134304] R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\1403010.016\ironx86.sys [4/8/2013 7:03 PM 175264] R2 cwh;cwh;c:\windows\cwh.exe [12/23/2006 3:19 PM 368640] R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [12/12/2011 11:03 AM 352248] R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/10/2012 8:40 PM 418376] R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/9/2008 2:09 PM 701512] R2 N360;Norton 360;c:\program files\Norton 360\Engine\20.3.1.22\ccsvchst.exe [4/8/2013 7:02 PM 144520] R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [12/1/2011 6:11 AM 206120] R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [12/1/2011 6:11 AM 185640] R2 vToolbarUpdater15.2.0;vToolbarUpdater15.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe [6/12/2013 4:51 PM 1015984] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2012 10:27 PM 106656] R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\IPSDefs\20130615.001\IDSXpx86.sys [6/17/2013 8:31 PM 373728] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/9/2008 2:09 PM 22856] S0 jwsog;jwsog;c:\windows\system32\drivers\xbjj.sys --> c:\windows\system32\drivers\xbjj.sys [?] S0 plmd;plmd;c:\windows\system32\drivers\xvqfl.sys --> c:\windows\system32\drivers\xvqfl.sys [?] S0 qnmthkg;qnmthkg;c:\windows\system32\drivers\dgwdfd.sys --> c:\windows\system32\drivers\dgwdfd.sys [?] S0 shho;shho;c:\windows\system32\drivers\rtbiatm.sys --> c:\windows\system32\drivers\rtbiatm.sys [?] S3 EraserUtilDrv11210;EraserUtilDrv11210;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11210.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11210.sys [?] S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\drivers\ICDSX.sys [10/1/2003 5:44 PM 31744] S3 WebDictateService;Web Dictate;c:\program files\NCH Software\WebDictate\webdictate.exe [2/7/2012 10:13 AM 814596] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] vvdsvc REG_MULTI_SZ vvdsvc . Contents of the 'Scheduled Tasks' folder . 2013-06-18 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 02:59] . 2012-02-10 c:\windows\Tasks\expressShakeIcon.job - c:\program files\NCH Software\Express\express.exe [2012-02-07 15:13] . 2013-06-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1542910684-3637753515-2293041949-1006.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09] . 2013-06-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1542910684-3637753515-2293041949-1006.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09] . 2013-03-06 c:\windows\Tasks\scribeShakeIcon.job - c:\program files\NCH Software\Scribe\scribe.exe [2012-02-07 15:12] . 2013-06-17 c:\windows\Tasks\User_Feed_Synchronization-{6F0D77EB-9DFC-4C8F-B264-D6025F8ED514}.job - c:\windows\system32\msfeedssync.exe [2006-10-17 09:31] . . ------- Supplementary Scan ------- . uStart Page = about:blank IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 TCP: DhcpNameServer = 192.168.1.1 . - - - - ORPHANS REMOVED - - - - . SafeBoot-23202751.sys SafeBoot-71571137.sys . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2013-06-17 21:40 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360] "ImagePath"="\"c:\program files\Norton 360\Engine\20.3.1.22\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\20.3.1.22\diMaster.dll\" /prefetch:1" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(956) c:\windows\system32\Ati2evxx.dll c:\windows\System32\BCMLogon.dll . - - - - - - - > 'explorer.exe'(5520) c:\windows\system32\WININET.dll c:\progra~1\WINDOW~3\wmpband.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2013-06-17 21:43:24 ComboFix-quarantined-files.txt 2013-06-18 02:43 ComboFix2.txt 2013-06-13 00:21 . Pre-Run: 76,455,112,704 bytes free Post-Run: 76,793,696,256 bytes free . - - End Of File - - 1F18EFED6EC99D5297C14AA5BA14F1D6 B20939CD98B7710036274839082AE757
  9. Charlie_Whisky
    Gringo, here it is: Windows IP Configuration Host Name . . . . . . . . . . . . : GW-5B4ED3A077 Primary Dns Suffix . . . . . . . : Node Type . . . . . . . . . . . . : Unknown IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : home Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : home Description . . . . . . . . . . . : Marvell Yukon 88E8038 PCI-E Fast Ethernet Controller Physical Address. . . . . . . . . : 00-E0-B8-B9-C5-78 Dhcp Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IP Address. . . . . . . . . . . . : 192.168.1.2 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.1.1 DHCP Server . . . . . . . . . . . : 192.168.1.1 DNS Servers . . . . . . . . . . . : 192.168.1.1 Lease Obtained. . . . . . . . . . : Monday, June 17, 2013 8:04:39 PM Lease Expires . . . . . . . . . . : Tuesday, June 18, 2013 8:04:39 PM Server: myrouter.home Address: 192.168.1.1 Name: google.com Addresses: 74.125.227.103, 74.125.227.97, 74.125.227.100, 74.125.227.98 74.125.227.104, 74.125.227.101, 74.125.227.99, 74.125.227.96, 74.125.227.105 74.125.227.102, 74.125.227.110 Server: myrouter.home Address: 192.168.1.1 Name: yahoo.com Addresses: 98.139.183.24, 206.190.36.45, 98.138.253.109 Pinging google.com [74.125.227.132] with 32 bytes of data: Reply from 74.125.227.132: bytes=32 time=9ms TTL=57 Reply from 74.125.227.132: bytes=32 time=7ms TTL=57 Ping statistics for 74.125.227.132: Packets: Sent = 2, Received = 2, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 7ms, Maximum = 9ms, Average = 8ms Pinging yahoo.com [206.190.36.45] with 32 bytes of data: Reply from 206.190.36.45: bytes=32 time=63ms TTL=51 Reply from 206.190.36.45: bytes=32 time=61ms TTL=51 Ping statistics for 206.190.36.45: Packets: Sent = 2, Received = 2, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 61ms, Maximum = 63ms, Average = 62ms =========================================================================== Interface List 0x1 ........................... MS TCP Loopback interface 0x2 ...00 e0 b8 b9 c5 78 ...... Marvell Yukon 88E8038 PCI-E Fast Ethernet Controller - Packet Scheduler Miniport =========================================================================== =========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.2 20 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1 169.254.0.0 255.255.0.0 192.168.1.2 192.168.1.2 20 192.168.1.0 255.255.255.0 192.168.1.2 192.168.1.2 20 192.168.1.2 255.255.255.255 127.0.0.1 127.0.0.1 20 192.168.1.255 255.255.255.255 192.168.1.2 192.168.1.2 20 224.0.0.0 240.0.0.0 192.168.1.2 192.168.1.2 20 255.255.255.255 255.255.255.255 192.168.1.2 192.168.1.2 1 Default Gateway: 192.168.1.1 =========================================================================== Persistent Routes: None
  10. Charlie_Whisky
    Hello Gringo 1) I ran the Malwarebytes Anti-Rootkit (MAR) as instructed. When trying to do the update, there was an error message: “Failed MBAM IO::writefile” MAR found two pieces of malware and I checked clean and report. But on reboot that was no log file “MABR-log ___) There was a system-log file which is at the end of this post. I reran MAR and again when doing the update, there was athe same error message: “Failed MBAM IO::writefile” This second time MAR found nothing: “Scan finished, no malware found” I have internet access but with IE images/and pictures associated with buttons etc.. are still all blank or red Xs. I ran the fixdamage.exe but this didn’t change the above issue with IE. 2) I ran aswMBR.exe after allowing updates; it didn’t appear to find anything; the report is at the end of this post. FEEDBACK: No significant change from the past few days; I still have multiple ingoing out going blocks. Here’s the entire MBAM protection log for today: 2013/06/16 06:44:59 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection 2013/06/16 06:44:59 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully 2013/06/16 06:44:59 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection 2013/06/16 06:45:41 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully 2013/06/16 07:26:43 -0500 GW-5B4ED3A077 Owner IP-BLOCK 94.242.205.235 (Type: incoming) 2013/06/16 07:29:45 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.108.96 (Type: incoming) 2013/06/16 08:05:44 -0500 GW-5B4ED3A077 Owner IP-BLOCK 124.125.251.183 (Type: outgoing) 2013/06/16 08:15:35 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.224.57 (Type: incoming) 2013/06/16 08:19:58 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.78.229 (Type: outgoing) 2013/06/16 08:34:40 -0500 GW-5B4ED3A077 Owner IP-BLOCK 178.152.5.238 (Type: outgoing) 2013/06/16 08:51:33 -0500 GW-5B4ED3A077 Owner IP-BLOCK 178.90.91.170 (Type: outgoing) 2013/06/16 09:04:44 -0500 GW-5B4ED3A077 Owner IP-BLOCK 219.153.94.46 (Type: outgoing) 2013/06/16 09:05:28 -0500 GW-5B4ED3A077 Owner IP-BLOCK 124.125.251.183 (Type: outgoing) 2013/06/16 09:09:13 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: incoming) 2013/06/16 09:20:19 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.127.39 (Type: outgoing) 2013/06/16 09:35:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.95.88 (Type: outgoing) 2013/06/16 09:35:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.58.32 (Type: outgoing) 2013/06/16 09:35:55 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.78.229 (Type: outgoing) 2013/06/16 09:35:57 -0500 GW-5B4ED3A077 Owner IP-BLOCK 124.125.251.183 (Type: outgoing) 2013/06/16 09:51:53 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.237.238 (Type: outgoing) 2013/06/16 10:07:28 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.42.59 (Type: outgoing) 2013/06/16 10:13:13 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.234.227 (Type: incoming) 2013/06/16 10:23:15 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.7.204.11 (Type: outgoing) 2013/06/16 10:23:59 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.237.238 (Type: outgoing) 2013/06/16 10:31:40 -0500 GW-5B4ED3A077 Owner IP-BLOCK 213.55.114.175 (Type: incoming) 2013/06/16 10:36:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 41.203.81.234 (Type: incoming) 2013/06/16 10:40:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.38.190 (Type: outgoing) 2013/06/16 10:54:02 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.60.45 (Type: outgoing) 2013/06/16 10:55:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.17.130 (Type: outgoing) 2013/06/16 11:07:43 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.103.213 (Type: outgoing) 2013/06/16 11:21:42 -0500 GW-5B4ED3A077 Owner IP-BLOCK 222.186.79.125 (Type: incoming) 2013/06/16 11:45:41 -0500 GW-5B4ED3A077 Owner IP-BLOCK 188.95.51.205 (Type: incoming) 2013/06/16 12:07:45 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: incoming) 2013/06/16 12:07:52 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: incoming) 2013/06/16 12:20:21 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.237.238 (Type: outgoing) 2013/06/16 12:27:41 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.49.139 (Type: incoming) 2013/06/16 12:36:01 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.58.50 (Type: outgoing) 2013/06/16 12:36:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.50.27 (Type: outgoing) 2013/06/16 12:36:15 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.3.122 (Type: outgoing) 2013/06/16 13:08:26 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.75.73 (Type: outgoing) 2013/06/16 13:39:13 -0500 GW-5B4ED3A077 Owner IP-BLOCK 213.186.115.249 (Type: outgoing) 2013/06/16 14:07:51 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.24.162 (Type: incoming) 2013/06/16 14:52:48 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.159.32 (Type: outgoing) 2013/06/16 14:53:11 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.248.172.103 (Type: incoming) 2013/06/16 14:53:29 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.237.238 (Type: outgoing) 2013/06/16 15:16:56 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.59.77 (Type: incoming) 2013/06/16 15:28:03 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: incoming) 2013/06/16 15:28:15 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: incoming) 2013/06/16 15:37:15 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.188.37.145 (Type: outgoing) 2013/06/16 15:54:56 -0500 GW-5B4ED3A077 Owner IP-BLOCK 188.130.177.20 (Type: incoming) 2013/06/16 16:08:58 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: incoming) 2013/06/16 16:13:52 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection 2013/06/16 16:13:52 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully 2013/06/16 16:13:52 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection 2013/06/16 16:14:55 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully 2013/06/16 16:16:00 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.34.13 (Type: outgoing) 2013/06/16 16:30:48 -0500 GW-5B4ED3A077 Owner IP-BLOCK 188.95.51.205 (Type: incoming) 2013/06/16 16:51:43 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection 2013/06/16 16:51:44 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully 2013/06/16 16:51:44 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection 2013/06/16 16:53:10 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully 2013/06/16 16:57:35 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.209.9 (Type: incoming) 2013/06/16 17:23:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.51.192 (Type: outgoing) 2013/06/16 17:23:16 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.117.164.173 (Type: outgoing) 2013/06/16 17:38:40 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.237.238 (Type: outgoing) 2013/06/16 18:09:34 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.88.83 (Type: incoming) 2013/06/16 18:23:20 -0500 GW-5B4ED3A077 Owner IP-BLOCK 178.152.3.227 (Type: outgoing) 2013/06/16 18:36:09 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.174.95.180 (Type: incoming) 2013/06/16 18:38:30 -0500 GW-5B4ED3A077 Owner IP-BLOCK 195.161.127.130 (Type: outgoing) 2013/06/16 18:51:08 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.37.163 (Type: outgoing) 2013/06/16 19:21:56 -0500 GW-5B4ED3A077 Owner IP-BLOCK 124.125.251.183 (Type: outgoing) 2013/06/16 19:24:45 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.192.35 (Type: incoming) 2013/06/16 19:32:46 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.65.200 (Type: incoming) 2013/06/16 19:36:17 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.14.165 (Type: outgoing) 2013/06/16 19:46:37 -0500 GW-5B4ED3A077 Owner MESSAGE Starting database refresh 2013/06/16 19:46:37 -0500 GW-5B4ED3A077 Owner MESSAGE Stopping IP protection 2013/06/16 19:46:37 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection stopped successfully 2013/06/16 19:46:50 -0500 GW-5B4ED3A077 Owner MESSAGE Database refreshed successfully 2013/06/16 19:46:50 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection 2013/06/16 19:47:26 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully 2013/06/16 21:05:03 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.14.165 (Type: outgoing) 2013/06/16 21:28:37 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.88.83 (Type: incoming) 2013/06/16 21:35:50 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.241.140.50 (Type: outgoing) MAR system-log Report --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.06.0.1003 © Malwarebytes Corporation 2011-2012 OS version: 5.1.2600 Windows XP Service Pack 3 x86 Account is Administrative Internet Explorer version: 8.0.6001.18702 Java version: 1.6.0_24 File system is: NTFS Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, H:\ DRIVE_FIXED CPU speed: 1.596000 GHz Memory total: 2011205632, free: 1187840000 ------------ Kernel report ------------ 06/15/2013 21:02:54 ------------ Loaded modules ----------- \WINDOWS\system32\ntkrnlpa.exe \WINDOWS\system32\hal.dll \WINDOWS\system32\KDCOM.DLL \WINDOWS\system32\BOOTVID.dll ACPI.sys \WINDOWS\system32\DRIVERS\WMILIB.SYS pci.sys isapnp.sys ohci1394.sys \WINDOWS\system32\DRIVERS\1394BUS.SYS compbatt.sys \WINDOWS\system32\DRIVERS\BATTC.SYS pciide.sys \WINDOWS\system32\DRIVERS\PCIIDEX.SYS aliide.sys intelide.sys toside.sys viaide.sys cmdide.sys pcmcia.sys MountMgr.sys ftdisk.sys dmload.sys dmio.sys ACPIEC.sys \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS PartMgr.sys VolSnap.sys cpqarray.sys \WINDOWS\system32\DRIVERS\SCSIPORT.SYS atapi.sys aha154x.sys sparrow.sys symc810.sys aic78xx.sys dac960nt.sys ql10wnt.sys amsint.sys asc.sys asc3550.sys mraid35x.sys i2omp.sys ini910u.sys ql1240.sys aic78u2.sys symc8xx.sys sym_hi.sys sym_u3.sys ABP480N5.SYS asc3350p.sys cd20xrnt.sys ultra.sys adpu160m.sys dpti2o.sys ql1080.sys ql1280.sys ql12160.sys perc2.sys perc2hib.sys hpn.sys cbidf2k.sys dac2w2k.sys disk.sys \WINDOWS\system32\DRIVERS\CLASSPNP.SYS fltmgr.sys SYMDS.SYS sr.sys SYMEFA.SYS KSecDD.sys WudfPf.sys Ntfs.sys NDIS.sys sisagp.sys viaagp.sys Mup.sys alim1541.sys amdagp.sys agp440.sys agpCPQ.sys \SystemRoot\system32\DRIVERS\nic1394.sys \SystemRoot\system32\DRIVERS\AmdK8.sys \SystemRoot\system32\DRIVERS\ati2mtag.sys \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS \SystemRoot\system32\DRIVERS\yk51x86.sys \SystemRoot\system32\DRIVERS\usbohci.sys \SystemRoot\system32\DRIVERS\USBPORT.SYS \SystemRoot\system32\DRIVERS\usbehci.sys \SystemRoot\system32\DRIVERS\cdrom.sys \SystemRoot\system32\DRIVERS\HDAudBus.sys \SystemRoot\system32\DRIVERS\i8042prt.sys \SystemRoot\system32\DRIVERS\kbdclass.sys \SystemRoot\system32\DRIVERS\SynTP.sys \SystemRoot\system32\DRIVERS\USBD.SYS \SystemRoot\system32\DRIVERS\mouclass.sys \SystemRoot\system32\drivers\tifm21.sys \SystemRoot\system32\DRIVERS\CmBatt.sys \SystemRoot\system32\drivers\nchssvad.sys \SystemRoot\system32\drivers\portcls.sys \SystemRoot\system32\drivers\drmk.sys \SystemRoot\system32\drivers\ks.sys \SystemRoot\system32\DRIVERS\audstub.sys \SystemRoot\system32\DRIVERS\rasl2tp.sys \SystemRoot\system32\DRIVERS\ndistapi.sys \SystemRoot\system32\DRIVERS\ndiswan.sys \SystemRoot\system32\DRIVERS\raspppoe.sys \SystemRoot\system32\DRIVERS\raspptp.sys \SystemRoot\system32\DRIVERS\TDI.SYS \SystemRoot\system32\DRIVERS\psched.sys \SystemRoot\system32\DRIVERS\msgpc.sys \SystemRoot\system32\DRIVERS\ptilink.sys \SystemRoot\system32\DRIVERS\raspti.sys \SystemRoot\system32\DRIVERS\rdpdr.sys \SystemRoot\system32\DRIVERS\termdd.sys \SystemRoot\system32\DRIVERS\SymIM.sys \SystemRoot\system32\DRIVERS\swenum.sys \SystemRoot\system32\DRIVERS\update.sys \SystemRoot\system32\DRIVERS\mssmbios.sys \SystemRoot\System32\Drivers\NDProxy.SYS \SystemRoot\system32\DRIVERS\usbhub.sys \SystemRoot\system32\DRIVERS\smserial.sys \SystemRoot\System32\Drivers\Modem.SYS \SystemRoot\System32\Drivers\i2omgmt.SYS \SystemRoot\system32\DRIVERS\hidusb.sys \SystemRoot\system32\DRIVERS\HIDCLASS.SYS \SystemRoot\system32\DRIVERS\HIDPARSE.SYS \SystemRoot\system32\drivers\N360\1403010.016\ccSetx86.sys \SystemRoot\system32\drivers\N360\1403010.016\Ironx86.SYS \SystemRoot\System32\Drivers\Fs_Rec.SYS \SystemRoot\System32\Drivers\Null.SYS \SystemRoot\System32\Drivers\Beep.SYS \??\C:\WINDOWS\system32\drivers\avgtpx86.sys \SystemRoot\system32\DRIVERS\mouhid.sys \SystemRoot\system32\DRIVERS\USBSTOR.SYS \SystemRoot\system32\DRIVERS\usbccgp.sys \SystemRoot\system32\drivers\usbaudio.sys \SystemRoot\system32\DRIVERS\usbprint.sys \SystemRoot\System32\drivers\vga.sys \SystemRoot\System32\Drivers\BrScnUsb.sys \SystemRoot\System32\Drivers\mnmdd.SYS \SystemRoot\System32\Drivers\BrUsbSer.sys \SystemRoot\System32\DRIVERS\RDPCDD.sys \SystemRoot\System32\Drivers\BrSerIf.sys \SystemRoot\System32\Drivers\Msfs.SYS \SystemRoot\System32\Drivers\Npfs.SYS \SystemRoot\system32\DRIVERS\rasacd.sys \SystemRoot\system32\DRIVERS\ipsec.sys \SystemRoot\system32\DRIVERS\tcpip.sys \SystemRoot\System32\Drivers\N360\1403010.016\SYMTDI.SYS \SystemRoot\system32\DRIVERS\ipnat.sys \SystemRoot\system32\DRIVERS\wanarp.sys \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS \SystemRoot\system32\DRIVERS\arp1394.sys \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\IPSDefs\20130614.001\IDSxpx86.sys \SystemRoot\system32\DRIVERS\netbt.sys \SystemRoot\System32\drivers\ws2ifsl.sys \SystemRoot\System32\drivers\afd.sys \SystemRoot\system32\DRIVERS\netbios.sys \SystemRoot\system32\drivers\N360\1403010.016\SRTSPX.SYS \SystemRoot\system32\DRIVERS\rdbss.sys \SystemRoot\system32\DRIVERS\mrxsmb.sys \SystemRoot\System32\Drivers\Fips.SYS \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys \SystemRoot\system32\DRIVERS\kbdhid.sys \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\BASHDefs\20130531.001\BHDrvx86.sys \SystemRoot\System32\Drivers\Fastfat.SYS \SystemRoot\System32\Drivers\dump_atapi.sys \SystemRoot\System32\Drivers\dump_WMILIB.SYS \SystemRoot\System32\win32k.sys \SystemRoot\System32\drivers\Dxapi.sys \SystemRoot\System32\watchdog.sys \SystemRoot\System32\drivers\dxg.sys \SystemRoot\System32\drivers\dxgthk.sys \SystemRoot\System32\ati2dvag.dll \SystemRoot\System32\ati2cqag.dll \SystemRoot\System32\atikvmag.dll \SystemRoot\System32\atiok3x2.dll \SystemRoot\System32\ati3duag.dll \SystemRoot\System32\ativvaxx.dll \SystemRoot\System32\ATMFD.DLL \??\C:\WINDOWS\system32\drivers\mbam.sys \SystemRoot\system32\DRIVERS\AegisP.sys \SystemRoot\system32\DRIVERS\ndisuio.sys \SystemRoot\system32\DRIVERS\mrxdav.sys \SystemRoot\system32\drivers\wdmaud.sys \SystemRoot\system32\drivers\sysaudio.sys \SystemRoot\System32\Drivers\HTTP.sys \SystemRoot\system32\DRIVERS\srv.sys \??\C:\WINDOWS\system32\drivers\pmemnt.sys \SystemRoot\System32\DRIVERS\ipfltdrv.sys \SystemRoot\System32\Drivers\N360\1403010.016\SRTSP.SYS \SystemRoot\System32\Drivers\Cdfs.SYS \SystemRoot\system32\DRIVERS\asyncmac.sys \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\VirusDefs\20130615.008\NAVEX15.SYS \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\VirusDefs\20130615.008\NAVENG.SYS \SystemRoot\system32\drivers\kmixer.sys \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys \??\C:\WINDOWS\system32\drivers\48230029.sys \WINDOWS\system32\ntdll.dll ----------- End ----------- --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.06.0.1003 © Malwarebytes Corporation 2011-2012 OS version: 5.1.2600 Windows XP Service Pack 3 x86 Account is Administrative Internet Explorer version: 8.0.6001.18702 Java version: 1.6.0_24 File system is: NTFS Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, H:\ DRIVE_FIXED CPU speed: 1.595000 GHz Memory total: 2011205632, free: 1567211520 aswMBR REPORT aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software Run date: 2013-06-16 17:01:56 ----------------------------- 17:01:56.718 OS Version: Windows 5.1.2600 Service Pack 3 17:01:56.718 Number of processors: 2 586 0x4802 17:01:56.718 ComputerName: GW-5B4ED3A077 UserName: Owner 17:02:24.015 Initialize success 17:02:24.593 write error "aswCmnB.dll". The process cannot access the file because it is being used by another process. 17:33:19.265 AVAST engine defs: 13061300 19:21:24.343 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 19:21:24.359 Disk 0 Vendor: ST9160821A 3.ALC Size: 152627MB BusType: 3 19:21:24.562 Disk 0 MBR read successfully 19:21:24.562 Disk 0 MBR scan 19:21:24.593 Disk 0 unknown MBR code 19:21:24.609 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 145612 MB offset 14346045 19:21:24.609 Disk 0 Partition 2 00 0B FAT32 RECOVERY 7004 MB offset 63 19:21:24.625 Disk 0 scanning sectors +312560640 19:21:24.843 Disk 0 scanning C:\WINDOWS\system32\drivers 19:21:40.109 Service scanning 19:22:08.000 Modules scanning 19:22:22.203 Disk 0 trace - called modules: 19:22:22.265 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS 19:22:22.281 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a658ab8] 19:22:22.296 3 CLASSPNP.SYS[ba188fd7] -> nt!IofCallDriver -> \Device\000000b2[0x8a682350] 19:22:22.312 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8a680940] 19:22:22.781 AVAST engine scan C:\WINDOWS 19:22:51.546 AVAST engine scan C:\WINDOWS\system32 19:26:40.171 AVAST engine scan C:\WINDOWS\system32\drivers 19:27:05.546 AVAST engine scan C:\Documents and Settings\Owner.YOUR-5B4ED3A077 19:38:46.156 AVAST engine scan C:\Documents and Settings\All Users 19:41:59.828 Scan finished successfully 19:43:32.687 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\aswMBR\MBR.dat" 19:43:32.703 The log file has been saved successfully to "C:\Documents and Settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\aswMBR\aswMBR6-16-2013.txt"
  11. Charlie_Whisky
    Hello Gringo The report log for the custom scan is at the end of this post. I ran the custom scan via OTL.exe without incident. The report didn’t popup after the reboot ,but I found it located where you said it would be. FEEDBACK how is the computer working now?? 1) While preparing this post, I saw MBAM pop up with any block; here’s the whole log for today (repeating the start of the log from my previous post today: 2013/06/15 06:21:45 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection 2013/06/15 06:21:45 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully 2013/06/15 06:21:45 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection 2013/06/15 06:23:13 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully 2013/06/15 06:39:54 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing) 2013/06/15 06:55:10 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing) 2013/06/15 07:22:42 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.55.219 (Type: incoming) 2013/06/15 07:24:57 -0500 GW-5B4ED3A077 Owner IP-BLOCK 109.163.233.156 (Type: outgoing) 2013/06/15 07:37:22 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming) 2013/06/15 07:37:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming) 2013/06/15 07:37:52 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming) 2013/06/15 07:37:53 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming) 2013/06/15 07:38:03 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming) 2013/06/15 07:38:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming) 2013/06/15 07:40:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.247.182.246 (Type: incoming) 2013/06/15 08:01:44 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming) 2013/06/15 08:01:45 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming) 2013/06/15 08:13:37 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming) 2013/06/15 08:13:37 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming) 2013/06/15 08:41:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.241.202.53 (Type: incoming) 2013/06/15 08:41:40 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.241.202.53 (Type: incoming) 2013/06/15 08:42:58 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.87.55 (Type: outgoing) 2013/06/15 08:52:12 -0500 GW-5B4ED3A077 Owner IP-BLOCK 80.82.65.249 (Type: incoming) 2013/06/15 08:57:02 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.8.123.214 (Type: outgoing) 2013/06/15 08:59:35 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.220.250 (Type: incoming) 2013/06/15 09:03:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.96.53 (Type: incoming) 2013/06/15 09:06:49 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.117.178.203 (Type: incoming) 2013/06/15 09:10:25 -0500 GW-5B4ED3A077 Owner IP-BLOCK 78.26.179.231 (Type: outgoing) 2013/06/15 09:12:16 -0500 GW-5B4ED3A077 Owner IP-BLOCK 195.161.7.23 (Type: incoming) 2013/06/15 09:12:51 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.43.233 (Type: incoming) 2013/06/15 09:56:20 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.113.96 (Type: incoming) 2013/06/15 10:08:53 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.61.113 (Type: incoming) 2013/06/15 10:09:11 -0500 GW-5B4ED3A077 Owner IP-BLOCK 219.153.135.2 (Type: outgoing) 2013/06/15 10:20:20 -0500 GW-5B4ED3A077 Owner IP-BLOCK 194.165.0.6 (Type: incoming) 2013/06/15 10:25:32 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.220.250 (Type: outgoing) 2013/06/15 10:44:26 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.188.45.202 (Type: incoming) 2013/06/15 10:54:29 -0500 GW-5B4ED3A077 Owner IP-BLOCK 194.143.137.109 (Type: incoming) 2013/06/15 10:55:51 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.237.250 (Type: incoming) 2013/06/15 11:12:37 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.33.170 (Type: incoming) 2013/06/15 11:22:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.54.182 (Type: outgoing) 2013/06/15 11:37:21 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.215.119 (Type: incoming) 2013/06/15 11:39:05 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.85.239 (Type: incoming) 2013/06/15 12:45:15 -0500 GW-5B4ED3A077 Owner IP-BLOCK 94.102.56.145 (Type: incoming) 2013/06/15 12:46:44 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.220.250 (Type: incoming) 2013/06/15 12:52:08 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.111.169 (Type: incoming) 2013/06/15 12:52:51 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.117.183.228 (Type: outgoing) 2013/06/15 12:57:14 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.54.54 (Type: incoming) 2013/06/15 13:08:05 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.49.135 (Type: outgoing) 2013/06/15 13:21:51 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.220.250 (Type: outgoing) 2013/06/15 13:37:57 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.22.97 (Type: incoming) 2013/06/15 14:02:55 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.61.4 (Type: incoming) 2013/06/15 14:08:57 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.120.109.123 (Type: outgoing) 2013/06/15 14:09:16 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.99.216 (Type: outgoing) 2013/06/15 14:42:08 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.195.11.143 (Type: incoming) 2013/06/15 14:47:37 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.214.44.200 (Type: incoming) 2013/06/15 14:53:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 85.234.175.115 (Type: outgoing) 2013/06/15 15:07:28 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.220.250 (Type: outgoing) 2013/06/15 15:08:12 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.44.204 (Type: outgoing) 2013/06/15 15:08:17 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.40.176 (Type: outgoing) 2013/06/15 15:24:01 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing) 2013/06/15 15:25:58 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.38.220 (Type: incoming) 2013/06/15 15:39:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.188.33.97 (Type: incoming) 2013/06/15 15:53:52 -0500 GW-5B4ED3A077 Owner IP-BLOCK 46.108.226.217 (Type: outgoing) 2013/06/15 15:53:53 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.63.60 (Type: outgoing) 2013/06/15 15:54:49 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.16.139 (Type: incoming) 2013/06/15 16:00:31 -0500 GW-5B4ED3A077 Owner IP-BLOCK 37.229.128.3 (Type: incoming) 2013/06/15 16:07:38 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.224.50 (Type: outgoing) 2013/06/15 16:16:31 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.7.157 (Type: incoming) 2013/06/15 16:23:55 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection 2013/06/15 16:23:55 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully 2013/06/15 16:23:55 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection 2013/06/15 16:25:14 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully 2013/06/15 16:28:57 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.58.146 (Type: incoming) 2013/06/15 16:28:58 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.58.146 (Type: incoming) At least post-reboot after 16:25 the only two blocks are incoming blocks. ** 2) No iexplore.exe versions running as processes when IE is not open. 3) IE when open it still doesn’t show images/pictures p.s., ** looks like I spoke too soon! After I opening up IE to make this post on the forum, a few more blocks popped up including two outgoing blocks: 2013/06/15 16:42:42 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing) 2013/06/15 16:42:58 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.58.146 (Type: incoming) 2013/06/15 16:42:59 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.58.146 (Type: incoming) 2013/06/15 16:43:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.42.82 (Type: outgoing) REPORT FOR Custom Scan (06152013_161917.log) ========== OTL ========== Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1\ deleted successfully. Registry key HKEY_CURRENT_USER\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}\ deleted successfully. Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found. Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found. Registry value HKEY_USERS\S-1-5-21-1542910684-3637753515-2293041949-1006\Software\Microsoft\Windows\CurrentVersion\Run\\Power2GoExpress deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}\ not found. Starting removal of ActiveX control {67DABFBF-D0AB-41FA-9C46-CC0F21721616} C:\WINDOWS\Downloaded Program Files\DivXPlugin.inf moved successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ not found. Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found. Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7} C:\WINDOWS\Downloaded Program Files\gp.inf not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found. Starting removal of ActiveX control vzTCPConfig Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\vzTCPConfig\DownloadInformation\\INF . Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\vzTCPConfig\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\vzTCPConfig\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\skype-ie-addon-data\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91774881-D725-4E58-B298-07617B9B86A8}\ deleted successfully. File {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found not found. Registry key HKEY_USERS\S-1-5-21-1542910684-3637753515-2293041949-1006\Software\Microsoft\Internet Explorer\SearchScopes\{E2297ECC-2E67-4A3C-9426-2413485D513B}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2297ECC-2E67-4A3C-9426-2413485D513B}\ not found. ========== FILES ========== < ipconfig /flushdns /c > Windows IP Configuration Successfully flushed the DNS Resolver Cache. C:\Documents and Settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\OTL\cmd.bat deleted successfully. C:\Documents and Settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\OTL\cmd.txt deleted successfully. ========== COMMANDS ========== [EMPTYJAVA] User: Administrator User: All Users User: Default User User: LocalService User: NetworkService User: Owner User: Owner.YOUR-5B4ED3A077 ->Java cache emptied: 53525803 bytes User: OWNER~1~YOU Total Java Files Cleaned = 51.00 mb [EMPTYFLASH] User: Administrator User: All Users User: Default User User: LocalService User: NetworkService User: Owner User: Owner.YOUR-5B4ED3A077 ->Flash cache emptied: 2608374 bytes User: OWNER~1~YOU Total Flash Files Cleaned = 2.00 mb OTL by OldTimer - Version 3.2.69.0 log created on 06152013_161917
  12. Charlie_Whisky
    Grinco I’ve been doing some background digging into my older protection logs, maybe some of this will help. Back around 5-21 to 5-23, I was getting about 6-7 blocks per day in the log. Then from 5-23 on the number of block increased to 26, 27, 49, 72, 26 per day etc... In the 6-6 log, I found the following item: 2013/06/06 17:06:53 -0500 GW-5B4ED3A077 Owner DETECTION C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Temp\notepad.exe Trojan.Backdoor QUARANTINE In the 6-8 log, I found the following item: 2013/06/08 08:33:08 -0500 GW-5B4ED3A077 Owner DETECTION C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Temp\notepad.exe Trojan.Backdoor QUARANTINE In the 6-9 log, I found the following item: 2013/06/09 14:23:21 -0500 GW-5B4ED3A077 Owner DETECTION C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Temp\notepad.exe Trojan.Backdoor QUARANTINE On each of these days, the number of block was up to around 100 to 200 blocks per day. I remember seeing and deleting these quarantined items, and running scans to make sure the computer was malware free. It was on 6-10 that the number of blocks blew up to several hundred per day, most of them being outgoing blocks to IP: 95.211.194.79 By 6-11, I was getting several hundred outgoing blocks to IP: 95.211.194.79 On 6-12, I started this topic.
  13. Charlie_Whisky
    Hello Gringo The OTL.txt report is at the end of this post. I ran OTL.exe without any apparent issues. FEEDBACK – how is the computer working? Today is about the same as yesterday 1) The MBAM window still popped up with a few outgoing blocks, but its not a continuous stream as before; here’s the protection log from today: 2013/06/15 06:21:45 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection 2013/06/15 06:21:45 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully 2013/06/15 06:21:45 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection 2013/06/15 06:23:13 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully 2013/06/15 06:39:54 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing) 2013/06/15 06:55:10 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing) 2) without opening IE, in task manager, I don’t see any running processes of iexplore.exe. 3) IE, when ope,n no longer displays images/pictures associated with web pages (just red Xs or blank boxes) so it is difficult to navigate web pages, like this page.. OTL REPORT OTL logfile created on: 6/15/2013 6:30:40 AM - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\OTL Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 1.87 Gb Total Physical Memory | 1.15 Gb Available Physical Memory | 61.65% Memory free 3.72 Gb Paging File | 3.08 Gb Available in Paging File | 82.78% Paging File free Paging file location(s): C:\pagefile.sys 2046 4092 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 142.20 Gb Total Space | 72.21 Gb Free Space | 50.78% Space Free | Partition Type: NTFS Drive D: | 6.83 Gb Total Space | 4.63 Gb Free Space | 67.74% Space Free | Partition Type: FAT32 Computer Name: GW-5B4ED3A077 | User Name: Owner | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - C:\Documents and Settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\OTL\OTL.exe (OldTimer Tools) PRC - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe (AVG Secure Search) PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation) PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation) PRC - C:\Program Files\Norton 360\Engine\20.3.1.22\ccsvchst.exe (Symantec Corporation) PRC - C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe (Verizon) PRC - C:\Program Files\VERIZONDM\bin\tgsrvc.exe (SupportSoft, Inc.) PRC - C:\Program Files\VERIZONDM\bin\sprtsvc.exe (SupportSoft, Inc.) PRC - C:\Program Files\VERIZONDM\bin\sprtcmd.exe (SupportSoft, Inc.) PRC - C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.) PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation) PRC - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.) PRC - C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe (Realtek Semiconductor Corp.) PRC - C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.) PRC - C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.) PRC - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.) PRC - C:\WINDOWS\cwh.exe (Warranty Corporation of America) ========== Modules (No Company Name) ========== MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\d7ee03714420b252415b952d40ef59e4\System.ServiceProcess.ni.dll () MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management\1a6f9e23985e3159e6dd9827fd81c2fd\System.Management.ni.dll () MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\96b7a0136e9e72e8f4eb0230c20766d2\System.Configuration.ni.dll () MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\fe025743210c22bea2f009e1612c38bf\System.Xml.ni.dll () MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\aeac298c43c77d8860db8e7634d9f2eb\System.ni.dll () MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\eab2340ead8e1a84bdf1a87868659979\mscorlib.ni.dll () MOD - C:\WINDOWS\system32\quartz.dll () MOD - C:\Program Files\Norton 360\Engine\20.3.1.22\wincfi39.dll () MOD - C:\WINDOWS\system32\sbe.dll () MOD - C:\WINDOWS\system32\msdmo.dll () MOD - C:\WINDOWS\system32\devenum.dll () MOD - C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\EnumDevLib.dll () MOD - C:\WINDOWS\system32\bcm1xsup.dll () MOD - C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\acAuth.dll () ========== Services (SafeList) ========== SRV - (SNMPTRAP) -- C:\WINDOWS\system32\snmptrap.exe File not found SRV - (vToolbarUpdater15.2.0) -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe (AVG Secure Search) SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated) SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation) SRV - (MBAMScheduler) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation) SRV - (N360) -- C:\Program Files\Norton 360\Engine\20.3.1.22\ccSvcHst.exe (Symantec Corporation) SRV - (IHA_MessageCenter) -- C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe (Verizon) SRV - (WebDictateService) -- C:\Program Files\NCH Software\WebDictate\webdictate.exe (NCH Software) SRV - (tgsrvc_verizondm) -- C:\Program Files\VERIZONDM\bin\tgsrvc.exe (SupportSoft, Inc.) SRV - (sprtsvc_verizondm) -- C:\Program Files\VERIZONDM\bin\sprtsvc.exe (SupportSoft, Inc.) SRV - (PrismXL) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.) SRV - (cwh) -- C:\WINDOWS\cwh.exe (Warranty Corporation of America) SRV - (ICDSPTSV) -- C:\WINDOWS\system32\IcdSptSv.exe (Sony Corporation) ========== Driver Services (SafeList) ========== DRV - (WDICA) -- File not found DRV - (shho) -- system32\drivers\rtbiatm.sys File not found DRV - (qnmthkg) -- system32\drivers\dgwdfd.sys File not found DRV - (plmd) -- system32\drivers\xvqfl.sys File not found DRV - (PDRFRAME) -- File not found DRV - (PDRELI) -- File not found DRV - (PDFRAME) -- File not found DRV - (PDCOMP) -- File not found DRV - (PCIDump) -- File not found DRV - (lbrtfdc) -- File not found DRV - (jwsog) -- system32\drivers\xbjj.sys File not found DRV - (EraserUtilDrv11210) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11210.sys File not found DRV - (Changer) -- File not found DRV - (catchme) -- C:\ComboFix\catchme.sys File not found DRV - (avgtp) -- C:\WINDOWS\system32\drivers\avgtpx86.sys (AVG Technologies) DRV - (BHDrvx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\BASHDefs\20130531.001\BHDrvx86.sys (Symantec Corporation) DRV - (NAVEX15) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\VirusDefs\20130613.001\NAVEX15.SYS (Symantec Corporation) DRV - (NAVENG) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\VirusDefs\20130613.001\NAVENG.SYS (Symantec Corporation) DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation) DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation) DRV - (IDSxpx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\IPSDefs\20130613.002\IDSXpx86.sys (Symantec Corporation) DRV - (SYMTDI) -- C:\WINDOWS\system32\drivers\N360\1403010.016\symtdi.sys (Symantec Corporation) DRV - (SymEFA) -- C:\WINDOWS\system32\drivers\N360\1403010.016\symefa.sys (Symantec Corporation) DRV - (SRTSP) -- C:\WINDOWS\system32\drivers\N360\1403010.016\srtsp.sys (Symantec Corporation) DRV - (SRTSPX) -- C:\WINDOWS\system32\drivers\N360\1403010.016\srtspx.sys (Symantec Corporation) DRV - (SymDS) -- C:\WINDOWS\system32\drivers\N360\1403010.016\symds.sys (Symantec Corporation) DRV - (SymIMMP) -- C:\WINDOWS\system32\drivers\SymIM.sys (Symantec Corporation) DRV - (SymIM) -- C:\WINDOWS\system32\drivers\SymIM.sys (Symantec Corporation) DRV - (SymIRON) -- C:\WINDOWS\system32\drivers\N360\1403010.016\ironx86.sys (Symantec Corporation) DRV - (ccSet_N360) -- C:\WINDOWS\system32\drivers\N360\1403010.016\ccsetx86.sys (Symantec Corporation) DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation) DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation) DRV - (NCHSSVAD) -- C:\WINDOWS\system32\drivers\nchssvad.sys (NCH Swift Sound) DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.) DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices) DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.) DRV - (smserial) -- C:\WINDOWS\system32\drivers\smserial.sys (Motorola Inc.) DRV - (yukonwxp) -- C:\WINDOWS\system32\drivers\yk51x86.sys (Marvell) DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation) DRV - (tifm21) -- C:\WINDOWS\system32\drivers\tifm21.sys (Texas Instruments) DRV - (ICDSX) -- C:\WINDOWS\system32\drivers\ICDSX.sys (Sony Corporation) DRV - (wanatw) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\..\SearchScopes,DefaultScope = IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6453 IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6453 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes,DefaultScope = {7EC915E5-CE4E-47C0-8506-E0CE5B5C8879} IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{01B1BEBE-793E-4A64-BFAE-9E61703C794B}: "URL" = http://duckduckgo.com/?q={searchTerms} IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{3DA52092-75EC-4513-B3C3-DA9628B5D34D}: "URL" = http://www.shopzilla.com/buy/superfind.xpml?search_box=1&sfsk=0&cat_id=1&keyword={searchTerms} IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{5C1B48D4-1670-4617-ADC8-0DDA51F7E33A}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b2ie7 IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{61602A01-D10C-4324-BA0A-1E12C24D7F2A}: "URL" = http://www.scroogle.org/cgi-bin/nbbw.cgi?Gw={searchTerms} IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{7EC915E5-CE4E-47C0-8506-E0CE5B5C8879}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage} IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{9329EF74-770B-47D8-AD0F-0E7B2AE9CA04}: "URL" = http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&camp=1789&creative=9325&keywords={searchTerms} IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{E2297ECC-2E67-4A3C-9426-2413485D513B}: "URL" = http://www.blinkx.com/ie/search-provider/Search-Execute?query={searchTerms} IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll () FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.) FF - HKLM\Software\MozillaPlugins\@bittorrent.com/BitTorrentDNA: C:\Program Files\DNA\plugins\npbtdna.dll (BitTorrent, Inc.) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\Move Networks\plugins\npqmp071701000002.dll (Move Networks) FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17: C:\Program Files\Veetle\VLCBroadcast\npvbp.dll File not found FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll File not found FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\Move Networks\plugins\npqmp071701000002.dll (Move Networks) FF - HKCU\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine: C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\nprhapengine.dll File not found FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{96AB4162-6E8C-495D-B3DD-0583314D0AB5}: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{96AB4162-6E8C-495D-B3DD-0583314D0AB5}\ [2009/01/10 10:14:15 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\coFFPlgn\ [2013/06/15 06:24:38 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\IPSFFPlgn\ [2013/03/17 19:01:11 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\moveplayer@movenetworks.com: C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\Move Networks [2010/03/11 10:04:19 | 000,000,000 | ---D | M] [2010/03/28 13:05:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\Mozilla\Extensions O1 HOSTS File: ([2013/06/12 19:09:27 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\20.3.1.22\coieplg.dll (Symantec Corporation) O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\20.3.1.22\ips\ipsbho.dll (Symantec Corporation) O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\WINDOWS\system32\bae.dll (Gateway Inc.) O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\20.3.1.22\coieplg.dll (Symantec Corporation) O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found. O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found. O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.) O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe () O4 - HKLM..\Run: [Reminder] C:\WINDOWS\creator\Remind_XP.exe (SoftThinks) O4 - HKLM..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe (Brother Industories, Ltd.) O4 - HKLM..\Run: [sigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.) O4 - HKLM..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.) O4 - HKLM..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.) O4 - HKLM..\Run: [VERIZONDM] C:\Program Files\VERIZONDM\bin\sprtcmd.exe (SupportSoft, Inc.) O4 - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006..\Run: [bitTorrent DNA] C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.) O4 - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006..\Run: [Power2GoExpress] NA File not found O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation) O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\REALTEK RTL8187 Wireless LAN Utility.lnk = C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe (Realtek Semiconductor Corp.) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme () O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0 O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_24.dll (Sun Microsystems, Inc.) O9 - Extra Button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found O9 - Extra 'Tools' menuitem : Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab (Microsoft Office Template and Media Control) O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} http://www.creative.com/su/ocx/15030/CTSUEng.cab (Creative Software AutoUpdate) O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} http://biz.lgservice.com/DjvuViewer/DjVuControl-6.1.4.cab (DjVuCtl Class) O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} http://www.alternatiff.com/install/00/alttiff.cab (AlternaTIFF ActiveX) O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control) O16 - DPF: {3A52566B-6018-485B-B713-8B9FF660D8E8} http://71.123.169.42:0/webdvr2.18.2.16_71.0.0.0.cab (ilhtrapp Object) O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photos.walmart.com/WalmartActivia.cab (Snapfish Activia) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1343697687988 (WUWebControl Class) O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (Reg Error: Key error.) O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1343697663689 (MUWebControl Class) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24) O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.) O16 - DPF: {9282A3AA-4954-46B4-B4AE-F086CE3F1110} http://71.123.169.42:0/regtrustsite.cab (TrustSiteAddMgr Class) O16 - DPF: {9CA74596-B5BB-4634-971C-F0224115A15F} http://nba.tom.com/video/tcastV1.cab (tcast control) O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} http://vexcast.com/download/vexcast.cab (VodClient Control Class) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.) O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://www.creative.com/su/ocx/15030/CTPID.cab (Creative Software AutoUpdate Support Package) O16 - DPF: vzTCPConfig http://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{481AE3E8-CD00-4ED3-9F1D-6AB6C25A01D6}: DhcpNameServer = 192.168.1.1 O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation) O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.) O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 30 Days ========== [2013/06/13 21:14:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Desktop\RK_Quarantine [2013/06/13 18:54:33 | 000,000,000 | -HSD | C] -- C:\RECYCLER [2013/06/12 18:50:23 | 000,000,000 | RHSD | C] -- C:\cmdcons [2013/06/12 18:45:39 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe [2013/06/12 18:45:39 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe [2013/06/12 18:45:39 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe [2013/06/12 18:45:39 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe [2013/06/12 18:44:22 | 000,000,000 | ---D | C] -- C:\Qoobox [2013/06/12 18:42:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt [2013/06/12 17:12:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT [2013/06/12 17:12:09 | 000,000,000 | ---D | C] -- C:\JRT [2013/06/12 16:52:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\AVG SafeGuard toolbar [2013/06/12 16:52:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG SafeGuard toolbar [2013/06/12 16:51:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\AVG SafeGuard toolbar [2013/06/12 16:51:30 | 000,037,664 | ---- | C] (AVG Technologies) -- C:\WINDOWS\System32\drivers\avgtpx86.sys [2013/06/12 16:51:18 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\AVG Secure Search [2013/06/12 16:51:14 | 000,000,000 | ---D | C] -- C:\Program Files\AVG SafeGuard toolbar [2013/06/12 16:50:17 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files [2013/06/10 04:54:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan [2013/05/20 20:23:01 | 000,000,000 | ---D | C] -- C:\hotlink [2013/05/20 20:20:18 | 000,752,496 | ---- | C] (Microsoft Corporation) -- C:\WindowsXP-KB959658-x86-ENU.exe [2006/12/17 13:27:51 | 000,800,272 | ---- | C] (CA) -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\ppctl.dll [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2013/06/15 06:23:06 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{6F0D77EB-9DFC-4C8F-B264-D6025F8ED514}.job [2013/06/15 06:23:00 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2013/06/15 06:21:36 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1542910684-3637753515-2293041949-1006.job [2013/06/15 06:21:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2013/06/13 22:59:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job [2013/06/12 19:09:27 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts [2013/06/12 18:50:33 | 000,000,337 | RHS- | M] () -- C:\boot.ini [2013/06/12 16:50:33 | 000,037,664 | ---- | M] (AVG Technologies) -- C:\WINDOWS\System32\drivers\avgtpx86.sys [2013/06/12 16:49:14 | 000,000,990 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Desktop\Continue Zip Opener Installation.lnk [2013/06/11 21:59:20 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe [2013/06/11 21:59:20 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl [2013/06/10 20:01:06 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1542910684-3637753515-2293041949-1006.job [2013/05/21 21:46:06 | 000,000,426 | ---- | M] () -- C:\WINDOWS\brwmark.ini [2013/05/19 15:11:24 | 000,002,419 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Vz In-Home Agent.lnk [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files Created - No Company Name ========== [2013/06/12 18:50:33 | 000,000,221 | ---- | C] () -- C:\Boot.bak [2013/06/12 18:50:27 | 000,260,272 | RHS- | C] () -- C:\cmldr [2013/06/12 18:45:39 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe [2013/06/12 18:45:39 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe [2013/06/12 18:45:39 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe [2013/06/12 18:45:39 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe [2013/06/12 18:45:39 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe [2013/06/12 16:49:13 | 000,000,990 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Desktop\Continue Zip Opener Installation.lnk [2012/09/10 21:03:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\DVEdit.INI [2012/09/10 20:28:20 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\IcdSptSvps.dll [2012/05/10 22:23:33 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll [2012/02/29 08:49:41 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat [2011/06/30 14:32:00 | 000,000,016 | ---- | C] () -- C:\WINDOWS\System32\jgldog11.dll [2011/06/19 20:25:14 | 001,970,176 | ---- | C] () -- C:\WINDOWS\System32\vcmimm4.dll [2011/06/19 20:25:13 | 000,695,578 | ---- | C] () -- C:\WINDOWS\unins000.exe [2011/06/19 20:25:13 | 000,002,282 | ---- | C] () -- C:\WINDOWS\unins000.dat [2011/05/22 07:58:29 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini [2011/05/22 07:53:21 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini [2010/03/11 21:21:24 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\usb.dat.bin [2008/08/23 12:13:24 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\wklnhst.dat [2008/05/02 21:43:27 | 000,002,521 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\NMM-MetaData.db [2007/11/29 19:47:29 | 000,016,896 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2007/06/27 21:00:15 | 000,000,023 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\presets.ini [2006/12/03 12:57:58 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\PFP120JPR.{PB [2006/12/03 12:57:58 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\PFP120JCM.{PB [2006/11/26 20:38:56 | 000,000,144 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\fusioncache.dat ========== ZeroAccess Check ========== [2006/06/17 04:37:41 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 19:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 19:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both < End of report >
  14. Charlie_Whisky
    Hello Gringo The reports for TDSSKiller (TDSK) and RogueKiller (RK) are at the end of this post. Update: I can't paste all of TDSK report so I'll just show the end part below. My first attempt to run TDSK was bit of a bust. After I clicked on “loaded modules” TDSK rebooted. A terminal window popped up asking approval to run the program which I accepted. But then the TDSK box didn’t pop up again, so there was no opportunity to click on “loaded modules” or check all the boxes okay etc... I could tell that TDSK was running because it showed up as a process (and using about 50% of my CPU). I just let it run. About an hour later I came back and the process was done. Still nothing popped up though. In the root (C:) I found two files created: TDSSKiller.2.8.16.0_12.06.2013_22.18.36_log (about 4 KB) and a very large file “pagefile” which was a system file (about 2 MB). This didn’t look much like the process you described. It was late, and so I just shut the computer down and called it a day. Today, I tried running TDSK again, and this time I had better success, in that the process ran pretty well as you described. This time after TDSK rebooted and I accepted to run the program, the TDSK box popped up and I was able to click on “loaded modules” and check all the boxes okay. The program ran for a few minutes and gave its report: all the detected items were suspicious objects only; no malicious objects found. So all of the default actions were “skip” after clicking on continue there were two reports: TDSSKiller.2.8.16.0_13.06.2013_18.56.27_log (4KB) and TDSSKiller.2.8.16.0_13.06.2013_19.00.01_log (679 KB). it is the second file that is at the end of this post. That big system file “pagefile” is still in the root directory. For good measure I restarted the computer before moving on to RogueKiller. RK pretty well ran smoothly. RK detected 6 objects and I selected delete. The report RKreport[2]_D_06132013_02d2118 (6KB) is at the end of this post. FEEDBACK how is the computer working?? 1) While writing this summary without IE open, I saw the MBAM window pop up a few time (again no longer continuously popping up. Here is the whole protection log for today so far 2013/06/13 18:50:39 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection 2013/06/13 18:50:39 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully 2013/06/13 18:50:39 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection 2013/06/13 18:52:06 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully 2013/06/13 18:59:15 -0500 GW-5B4ED3A077 ERROR StartServiceCtrlDispatcher failed with error code 1063 2013/06/13 21:07:27 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection 2013/06/13 21:07:27 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully 2013/06/13 21:07:27 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection 2013/06/13 21:08:05 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully 2013/06/13 21:09:56 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.241.217.206 (Type: outgoing) 2013/06/13 21:19:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.60.91 (Type: incoming) 2013/06/13 21:22:34 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection 2013/06/13 21:22:34 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully 2013/06/13 21:22:34 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection 2013/06/13 21:23:53 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully 2013/06/13 21:24:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 220.248.167.194 (Type: outgoing) 2013/06/13 21:42:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.60.91 (Type: incoming) 2) Again without IE open I don’t see any versions of iexplore.exe running. I let the computer run for several minutes to see if iexplore.exe would pop up but nothing so far. I notice that in this state CPU use is around 1-3% where as yesterday it was around 3-5%, with more spikes. 3) Since yesterday pages on IE don’t show any pictures just blank boxes with red xs; like on this page. I had to go to another computer to post this. So is there a way to restore IE to a normal state, please? So what is next Gringo?? p.s., just as I’m about ready to post this, more blocks by MBAM in the protection log (maybe opening notepad??): 2013/06/13 21:53:29 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.117.183.15 (Type: outgoing) 2013/06/13 22:05:18 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.60.91 (Type: incoming) 2013/06/13 22:07:40 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.33.188 (Type: outgoing) TDSSKiller REPORT ============================================================ 19:04:59.0078 0228 Scan finished 19:04:59.0078 0228 ============================================================ 19:04:59.0093 3468 Detected object count: 10 19:04:59.0093 3468 Actual detected object count: 10 19:05:36.0468 3468 AegisP ( UnsignedFile.Multi.Generic ) - skipped by user 19:05:36.0468 3468 AegisP ( UnsignedFile.Multi.Generic ) - User select action: Skip 19:05:36.0468 3468 Creative Service for CDROM Access ( UnsignedFile.Multi.Generic ) - skipped by user 19:05:36.0468 3468 Creative Service for CDROM Access ( UnsignedFile.Multi.Generic ) - User select action: Skip 19:05:36.0468 3468 cwh ( UnsignedFile.Multi.Generic ) - skipped by user 19:05:36.0468 3468 cwh ( UnsignedFile.Multi.Generic ) - User select action: Skip 19:05:36.0468 3468 ICDSPTSV ( UnsignedFile.Multi.Generic ) - skipped by user 19:05:36.0468 3468 ICDSPTSV ( UnsignedFile.Multi.Generic ) - User select action: Skip 19:05:36.0484 3468 MHN ( UnsignedFile.Multi.Generic ) - skipped by user 19:05:36.0484 3468 MHN ( UnsignedFile.Multi.Generic ) - User select action: Skip 19:05:36.0484 3468 MHNDRV ( UnsignedFile.Multi.Generic ) - skipped by user 19:05:36.0484 3468 MHNDRV ( UnsignedFile.Multi.Generic ) - User select action: Skip 19:05:36.0484 3468 NCHSSVAD ( UnsignedFile.Multi.Generic ) - skipped by user 19:05:36.0484 3468 NCHSSVAD ( UnsignedFile.Multi.Generic ) - User select action: Skip 19:05:36.0484 3468 PMEM ( UnsignedFile.Multi.Generic ) - skipped by user 19:05:36.0484 3468 PMEM ( UnsignedFile.Multi.Generic ) - User select action: Skip 19:05:36.0484 3468 PrismXL ( UnsignedFile.Multi.Generic ) - skipped by user 19:05:36.0484 3468 PrismXL ( UnsignedFile.Multi.Generic ) - User select action: Skip 19:05:36.0500 3468 WebDictateService ( UnsignedFile.Multi.Generic ) - skipped by user 19:05:36.0500 3468 WebDictateService ( UnsignedFile.Multi.Generic ) - User select action: Skip 19:08:21.0281 3700 Deinitialize success RogueKiller REPORT RogueKiller V8.5.4 [Mar 18 2013] by Tigzy mail : tigzyRK<at>gmail<dot>com Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/ Website : http://tigzy.geekstogo.com/roguekiller.php Blog : http://tigzyrk.blogspot.com/ Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version Started in : Normal mode User : Owner [Admin rights] Mode : Remove -- Date : 06/13/2013 21:18:05 | ARK || FAK || MBR | ¤¤¤ Bad processes : 4 ¤¤¤ [DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan\gjmqsipv.dll [x] -> UNLOADED [sUSP PATH] cwh.exe -- C:\WINDOWS\cwh.exe [-] -> KILLED [TermProc] [DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan\gjmqsipv.dll [x] -> UNLOADED [DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan\gjmqsipv.dll [x] -> UNLOADED ¤¤¤ Registry Entries : 5 ¤¤¤ [RUN][sUSP PATH] HKCU\[...]\Run : RtWLan (regsvr32.exe "C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan\gjmqsipv.dll") [-] -> DELETED [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED [HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1) [HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0) [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0) ¤¤¤ Particular Files / Folders: ¤¤¤ ¤¤¤ Driver : [LOADED] ¤¤¤ SSDT[12] : NtAlertResumeThread @ 0x805D4BDC -> HOOKED (Unknown @ 0x8A36F418) SSDT[13] : NtAlertThread @ 0x805D4B8C -> HOOKED (Unknown @ 0x8A322CA0) SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AC2 -> HOOKED (Unknown @ 0x8A34CBE8) SSDT[19] : NtAssignProcessToJobObject @ 0x805D66A0 -> HOOKED (Unknown @ 0x8A3C5D20) SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x8A2120E8) SSDT[43] : NtCreateMutant @ 0x80617718 -> HOOKED (Unknown @ 0x8A500D30) SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A02 -> HOOKED (Unknown @ 0x8A367630) SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0x8A54A108) SSDT[57] : NtDebugActiveProcess @ 0x80643BA8 -> HOOKED (Unknown @ 0x8A359CE8) SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0x8A4E35E0) SSDT[83] : NtFreeVirtualMemory @ 0x805B2FBA -> HOOKED (Unknown @ 0x8A503D78) SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9258 -> HOOKED (Unknown @ 0x8A343D08) SSDT[91] : NtImpersonateThread @ 0x805D7860 -> HOOKED (Unknown @ 0x8A343DC8) SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x8A33F330) SSDT[108] : unknown @ 0x805B2042 -> HOOKED (Unknown @ 0x8A4E0ED8) SSDT[114] : NtOpenEvent @ 0x8060F0D6 -> HOOKED (Unknown @ 0x8A544D68) SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0x8A39B5D0) SSDT[123] : NtOpenProcessToken @ 0x805EDF26 -> HOOKED (Unknown @ 0x8A2D6760) SSDT[125] : NtOpenSection @ 0x805AA3F4 -> HOOKED (Unknown @ 0x8A34C660) SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0x8A364D68) SSDT[137] : NtProtectVirtualMemory @ 0x805B8426 -> HOOKED (Unknown @ 0x8A5045B8) SSDT[206] : NtResumeThread @ 0x805D4A18 -> HOOKED (Unknown @ 0x8A564E20) SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0x8A4E17F8) SSDT[228] : NtSetInformationProcess @ 0x805CDEA0 -> HOOKED (Unknown @ 0x8A319D18) SSDT[240] : NtSetSystemInformation @ 0x8060FD8E -> HOOKED (Unknown @ 0x8A359DC8) SSDT[253] : NtSuspendProcess @ 0x805D4AE0 -> HOOKED (Unknown @ 0x8A5496F0) SSDT[254] : NtSuspendThread @ 0x805D4952 -> HOOKED (Unknown @ 0x8A413A18) SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0x8A51C268) SSDT[258] : unknown @ 0x805D24D2 -> HOOKED (Unknown @ 0x8A4D2378) SSDT[267] : NtUnmapViewOfSection @ 0x805B2E50 -> HOOKED (Unknown @ 0x8A4EBFD0) SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (Unknown @ 0x8A3A0758) S_SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8A2D2D90) S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A61A3B8) S_SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A603348) S_SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8A61A3F0) S_SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8A2D6D98) S_SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8A301230) S_SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8A603300) S_SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8A60CEB8) S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A2CB160) S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8A5F4818) ¤¤¤ HOSTS File: ¤¤¤ --> C:\WINDOWS\system32\drivers\etc\hosts 127.0.0.1 localhost ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: ST9160821A +++++ --- User --- [MBR] 066baec7920b5163c84ce8ef8c6e6d39 [bSP] db63615aa66f3fdfa2e467ad7beb91fe : Legit.B MBR Code Partition table: 0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 14346045 | Size: 145612 Mo 1 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 7004 Mo User = LL1 ... OK! User = LL2 ... OK! Finished : << RKreport[2]_D_06132013_02d2118.txt >> RKreport[1]_S_06132013_02d2115.txt ; RKreport[2]_D_06132013_02d2118.txt
  15. Charlie_Whisky
    Hello Gringo The Combo Fix (CF) report is at the end of this post. As you suspected, CF asked to install the system recovery console before proceeding, so I let it do so. After CF restarted the computer, Norton 360 popped up with a message Error 8501 421 but I just canceled it. Windows Security Alert popped up messages that there was no firewall and that auto updates was off, but I just ignored it and let CF finish until it popped up its report. After the report popped up, I re-enabled Norton 360 and did another restart. FEEDBACK: how is the computer running now?? 1) MBAM is no longer continuously popping up the message “successfully blocked access to a potentially malicious website 85.211194.79 Type outgoing. “ There was one or two similar popups but not a continued series Once again today’s most recent portion of the protection log: 2013/06/12 18:41:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing) 2013/06/12 18:41:41 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing) 2013/06/12 18:41:42 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing) 2013/06/12 18:41:43 -0500 GW-5B4ED3A077 Owner MESSAGE Stopping protection 2013/06/12 18:41:43 -0500 GW-5B4ED3A077 Owner MESSAGE Protection stopped successfully 2013/06/12 18:41:43 -0500 GW-5B4ED3A077 Owner MESSAGE Stopping IP protection 2013/06/12 18:41:43 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection stopped successfully 2013/06/12 18:41:46 -0500 GW-5B4ED3A077 Owner MESSAGE Protection stopped 2013/06/12 19:09:09 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection 2013/06/12 19:09:10 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully 2013/06/12 19:09:10 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection 2013/06/12 19:11:05 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully 2013/06/12 19:28:31 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection 2013/06/12 19:28:32 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully 2013/06/12 19:28:32 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection 2013/06/12 19:30:11 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully 2013/06/12 19:47:29 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: outgoing) 2013/06/12 20:16:20 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.99.83 (Type: outgoing) Notice the two different IP addresses that were block once each, but not continuously. 2) Tack Manager shows two versions of iexplore.exe running, even though I didn’t start IE. When I ended those processes, another two started soon afterwards. I’m not sure if this is normal or not. So some improvement, maybe fixed?? Obviously I need to keep monitoring this, but is there any anything else? Turn on windows updates and let it update? Rerun anything? p.s. as I was preparing this reply, MBAM blocked another different out going IP connection: 2013/06/12 20:45:45 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.8.154.220 (Type: outgoing) Combo Fix REPORT ComboFix 13-06-12.02 - Owner 06/12/2013 18:53:19.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1126 [GMT -5:00] Running from: c:\documents and settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\Combo fix\ComboFix.exe FW: CA Personal Firewall *Disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\Administrator\WINDOWS c:\documents and settings\Default User\WINDOWS c:\documents and settings\Owner.YOUR-5B4ED3A077\Application Data\Adobe\mushimu.exe c:\documents and settings\Owner.YOUR-5B4ED3A077\Application Data\Google\T-Scan c:\documents and settings\Owner.YOUR-5B4ED3A077\Application Data\Google\T-Scan\n.gif c:\documents and settings\Owner.YOUR-5B4ED3A077\Application Data\Google\T-Scan\t.gif c:\documents and settings\Owner.YOUR-5B4ED3A077\Application Data\Google\T-Scan\y.gif c:\documents and settings\Owner.YOUR-5B4ED3A077\WINDOWS c:\windows\system32\config\systemprofile\Application Data\cdf02b3822bf514b c:\windows\system32\config\systemprofile\Application Data\eaf248b3d7cb021 c:\windows\system32\config\systemprofile\WINDOWS c:\windows\system32\Nagasoft c:\windows\system32\Nagasoft\Codecs\asyncflt.ax c:\windows\system32\Nagasoft\Codecs\atrc.dll c:\windows\system32\Nagasoft\Codecs\cook.dll c:\windows\system32\Nagasoft\Codecs\drvc.dll c:\windows\system32\Nagasoft\Codecs\raac.dll c:\windows\system32\Nagasoft\Codecs\RealMediaSplitter.ax c:\windows\system32\Nagasoft\Codecs\WMFDemux.dll c:\windows\system32\Nagasoft\GifShower.dll c:\windows\system32\Nagasoft\vjocx.dll c:\windows\system32\ndisapi.dll c:\windows\system32\sdjeavd.tmp c:\windows\system32\SET4C6.tmp D:\Autorun.inf F:\AUTORUN.INF . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Legacy_vvdsvc -------\Legacy_vvdsvc -------\Service_vvdsvc -------\Service_vvdsvc . . ((((((((((((((((((((((((( Files Created from 2013-05-13 to 2013-06-13 ))))))))))))))))))))))))))))))) . . 2013-06-12 22:12 . 2013-06-12 22:12 -------- d-----w- c:\windows\ERUNT 2013-06-12 22:12 . 2013-06-12 22:12 -------- d-----w- C:\JRT 2013-06-12 21:52 . 2013-06-12 21:52 -------- d-----w- c:\documents and settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\AVG SafeGuard toolbar 2013-06-12 21:52 . 2013-06-12 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG SafeGuard toolbar 2013-06-12 21:51 . 2013-06-12 21:51 -------- d-----w- c:\documents and settings\Owner.YOUR-5B4ED3A077\Application Data\AVG SafeGuard toolbar 2013-06-12 21:51 . 2013-06-12 21:50 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys 2013-06-12 21:51 . 2013-06-12 22:06 -------- d-----w- c:\program files\Common Files\AVG Secure Search 2013-06-12 21:51 . 2013-06-12 21:51 -------- d-----w- c:\program files\AVG SafeGuard toolbar 2013-06-12 21:50 . 2013-06-12 21:50 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files 2013-06-10 09:54 . 2013-06-10 09:54 -------- d-----w- c:\documents and settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan 2013-05-21 01:23 . 2013-05-28 00:28 -------- d-----w- C:\hotlink 2013-05-21 01:20 . 2008-11-07 10:53 752496 ----a-w- C:\WindowsXP-KB959658-x86-ENU.exe . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2013-06-12 02:59 . 2012-04-18 18:39 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2013-06-12 02:59 . 2011-06-15 01:48 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2013-04-05 00:00 . 2011-06-20 01:25 695578 ----a-w- c:\windows\unins000.exe 2013-04-04 19:50 . 2008-08-09 19:09 22856 ----a-w- c:\windows\system32\drivers\mbam.sys 2013-03-17 23:47 . 2012-03-19 01:58 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS 2003-12-05 16:41 368640 --sh--r- c:\windows\cwh.exe 2003-12-05 02:16 69632 --sh--r- c:\windows\lnchshll.exe 2003-12-05 02:16 49152 --sh--r- c:\windows\ScrnInt.exe . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Power2GoExpress"="NA" [X] "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-08 323392] "RtWLan"="c:\documents and settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan\gjmqsipv.dll" [2012-10-24 731136] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2011-12-01 206120] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218] "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648] "SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-24 573440] "SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 413696] "SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152] "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512] "ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-11-01 98304] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2008-04-14 53760] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ REALTEK RTL8187 Wireless LAN Utility.lnk - c:\program files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe /H [2006-11-1 749568] Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe /startup [2008-5-26 123904] . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C: HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows\system32 . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "UmxFwHlp"=2 (0x2) "ITMRTSVC"=2 (0x2) "CaCCProvSP"=3 (0x3) "YahooAUService"=2 (0x2) . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\ses2_client_bin_2_8_13g\\seswiz.exe"= "c:\\Program Files\\REALTEK RTL8187 Wireless LAN Driver and Utility\\RtWLan.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\DNA\\btdna.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Plex\\Plex Media Server\\Plex Media Server.exe"= "c:\\Program Files\\Plex\\Plex Media Server\\PlexScriptHost.exe"= "c:\\Program Files\\Plex\\Plex Media Server\\PlexDlnaServer.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0 "1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1 "1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2 "1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3 "1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4 "1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5 "1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6 "1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7 "1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8 "1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9 "1641:TCP"= 1641:TCP:MioNet Remote Drive Verification "1647:TCP"= 1647:TCP:MioNet Storage Device Configuration "5432:UDP"= 5432:UDP:MioNet Storage Device Discovery "4100:UDP"= 4100:UDP:uPNP Router Control Port "50000:UDP"= 50000:UDP:IHA_MessageCenter "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management . R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\1403010.016\symds.sys [4/8/2013 7:03 PM 367704] R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\1403010.016\symefa.sys [4/8/2013 7:03 PM 934488] R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [6/12/2013 4:51 PM 37664] R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\BASHDefs\20130531.001\BHDrvx86.sys [5/31/2013 11:58 AM 1002072] R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360\1403010.016\ccsetx86.sys [4/8/2013 7:03 PM 134304] R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\1403010.016\ironx86.sys [4/8/2013 7:03 PM 175264] R2 cwh;cwh;c:\windows\cwh.exe [12/23/2006 3:19 PM 368640] R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [12/12/2011 11:03 AM 352248] R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/10/2012 8:40 PM 418376] R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/9/2008 2:09 PM 701512] R2 N360;Norton 360;c:\program files\Norton 360\Engine\20.3.1.22\ccsvchst.exe [4/8/2013 7:02 PM 144520] R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [12/1/2011 6:11 AM 206120] R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [12/1/2011 6:11 AM 185640] R2 vToolbarUpdater15.2.0;vToolbarUpdater15.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe [6/12/2013 4:51 PM 1015984] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2012 10:27 PM 106656] R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\IPSDefs\20130612.001\IDSXpx86.sys [6/12/2013 4:50 PM 373728] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/9/2008 2:09 PM 22856] S0 jwsog;jwsog;c:\windows\system32\drivers\xbjj.sys --> c:\windows\system32\drivers\xbjj.sys [?] S0 plmd;plmd;c:\windows\system32\drivers\xvqfl.sys --> c:\windows\system32\drivers\xvqfl.sys [?] S0 qnmthkg;qnmthkg;c:\windows\system32\drivers\dgwdfd.sys --> c:\windows\system32\drivers\dgwdfd.sys [?] S0 shho;shho;c:\windows\system32\drivers\rtbiatm.sys --> c:\windows\system32\drivers\rtbiatm.sys [?] S3 EraserUtilDrv11210;EraserUtilDrv11210;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11210.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11210.sys [?] S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\drivers\ICDSX.sys [10/1/2003 5:44 PM 31744] S3 WebDictateService;Web Dictate;c:\program files\NCH Software\WebDictate\webdictate.exe [2/7/2012 10:13 AM 814596] . --- Other Services/Drivers In Memory --- . *NewlyCreated* - WS2IFSL . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] vvdsvc REG_MULTI_SZ vvdsvc . Contents of the 'Scheduled Tasks' folder . 2013-06-12 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 02:59] . 2012-02-10 c:\windows\Tasks\expressShakeIcon.job - c:\program files\NCH Software\Express\express.exe [2012-02-07 15:13] . 2013-06-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1542910684-3637753515-2293041949-1006.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09] . 2013-06-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1542910684-3637753515-2293041949-1006.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09] . 2013-03-06 c:\windows\Tasks\scribeShakeIcon.job - c:\program files\NCH Software\Scribe\scribe.exe [2012-02-07 15:12] . 2013-06-12 c:\windows\Tasks\User_Feed_Synchronization-{6F0D77EB-9DFC-4C8F-B264-D6025F8ED514}.job - c:\windows\system32\msfeedssync.exe [2006-10-17 09:31] . . ------- Supplementary Scan ------- . uStart Page = about:blank uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6453 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 TCP: DhcpNameServer = 192.168.1.1 DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB DPF: {3A52566B-6018-485B-B713-8B9FF660D8E8} - hxxp://71.123.169.42:0/webdvr2.18.2.16_71.0.0.0.cab DPF: {9282A3AA-4954-46B4-B4AE-F086CE3F1110} - hxxp://71.123.169.42:0/regtrustsite.cab DPF: {9CA74596-B5BB-4634-971C-F0224115A15F} - hxxp://nba.tom.com/video/tcastV1.cab . - - - - ORPHANS REMOVED - - - - . URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file) HKCU-Run-Messenger (Yahoo!) - c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe HKLM-Run-cctray - c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe HKLM-Run-capfupgrade - c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe HKLM-Run-capfasem - c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe HKLM-Run-cafwc - c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe HKLM-Run-ATICCC - c:\program files\ATI Technologies\ATI.ACE\cli.exe HKLM-Run-MioNet - c:\program files\MioNet\MioNetLauncher.exe HKLM-Run-googletalk - c:\program files\Google\Google Talk\googletalk.exe c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk - c:\program files\BigFix\bigfix.exe /atstartup MSConfigStartUp-kdfvb - c:\windows\system32\kdfvb.exe AddRemove-GenoPro Beta - c:\program files\GenoPro Beta\Uninstall.exe AddRemove-MSNINST - c:\program files\MSN\MsnInstaller\msninst.exe AddRemove-verizontb - c:\program files\verizontb\uninstall.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2013-06-12 19:10 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360] "ImagePath"="\"c:\program files\Norton 360\Engine\20.3.1.22\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\20.3.1.22\diMaster.dll\" /prefetch:1" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(964) c:\windows\system32\Ati2evxx.dll c:\windows\System32\BCMLogon.dll . - - - - - - - > 'explorer.exe'(1756) c:\windows\system32\WININET.dll c:\documents and settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan\gjmqsipv.dll c:\progra~1\WINDOW~3\wmpband.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\windows\system32\Ati2evxx.exe c:\windows\System32\WLTRYSVC.EXE c:\windows\System32\bcmwltry.exe c:\program files\Bonjour\mDNSResponder.exe c:\windows\system32\CTsvcCDA.exe c:\windows\eHome\ehRecvr.exe c:\windows\eHome\ehSched.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS c:\windows\system32\SearchIndexer.exe c:\windows\ehome\mcrdsvc.exe c:\windows\system32\wscntfy.exe c:\windows\system32\dllhost.exe c:\windows\system32\SearchProtocolHost.exe c:\windows\eHome\ehmsas.exe c:\windows\system32\regsvr32.exe c:\program files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe c:\program files\Windows Desktop Search\WindowsSearch.exe c:\program files\Internet Explorer\IEXPLORE.EXE c:\program files\Internet Explorer\IEXPLORE.EXE c:\windows\system32\SearchFilterHost.exe . ************************************************************************** . Completion time: 2013-06-12 19:21:06 - machine was rebooted ComboFix-quarantined-files.txt 2013-06-13 00:21 . Pre-Run: 77,472,980,992 bytes free Post-Run: 77,502,533,632 bytes free . WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer . - - End Of File - - 79B4A49AC43D33545164058E0F336789 B20939CD98B7710036274839082AE757
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.