Some weeks ago, I started to clean my father's computer in the following topic, but I had to go back home and could not make progress until now:

https://forums.malwarebytes.org/index.php?showtopic=132373

During this time, it seemed like he used his computer a few times, so I ran all the steps again yesterday (with fresh downloads of all programs). MWB did not find any new infections. The new RogueKiller log is below. The latest step I completed was to run ComboFix. The first time around, it hung on creating the logfile (possibly because I let it run overnight), but I ran it again this morning, resulting in the following logfile (next message).

The computer has been working very well: fast and responsive. However, I am concerned because it was used during my absence, before the cleaning was complete.

RogueKiller logfile:

RogueKiller V8.7.4 [Oct 16 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : HC [Admin rights]
Mode : Scan -- Date : 10/20/2013 00:42:01
| ARK || FAK || MBR |

¤¤¤ Bad processes : 3 ¤¤¤
[sUSP PATH] MXOALDR.EXE -- C:\WINDOWS\MXOALDR.EXE [7] -> KILLED [TermProc]
[sUSP PATH] iexplore.exe -- I:\Documents and Settings\HC2\Desktop\iexplore.exe [7] -> KILLED [TermProc]
[sUSP PATH] iexplore.exe -- I:\Documents and Settings\HC2\Desktop\iexplore.exe [7] -> KILLED [TermThr]

¤¤¤ Registry Entries : 3 ¤¤¤
[RUN][sUSP PATH] HKLM\[...]\Run : MXOBG (C:\WINDOWS\MXOALDR.EXE [7]) -> FOUND
[PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyServer (sysmatrix.net:3) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V1][sUSP PATH] Disk Defragmenter.job : C:\WINDOWS\DEFRAG.EXE -  /SAGERUN:1 [-] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[12] : NtAlertResumeThread @ 0x80630120 -> HOOKED (Unknown @ 0x89A833A0)
[Address] SSDT[13] : NtAlertThread @ 0x80577310 -> HOOKED (Unknown @ 0x89A83438)
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x80569302 -> HOOKED (Unknown @ 0x89AB8F80)
[Address] SSDT[19] : NtAssignProcessToJobObject @ 0x805A1387 -> HOOKED (Unknown @ 0x89A908C0)
[Address] SSDT[31] : NtConnectPort @ 0x8058CB11 -> HOOKED (Unknown @ 0x89C244A8)
[Address] SSDT[43] : NtCreateMutant @ 0x805776E0 -> HOOKED (Unknown @ 0x89A8F898)
[Address] SSDT[52] : NtCreateSymbolicLinkObject @ 0x8059E796 -> HOOKED (Unknown @ 0x89A90770)
[Address] SSDT[53] : NtCreateThread @ 0x80578925 -> HOOKED (Unknown @ 0x89AECC20)
[Address] SSDT[57] : NtDebugActiveProcess @ 0x8065C271 -> HOOKED (Unknown @ 0x89A90958)
[Address] SSDT[68] : NtDuplicateObject @ 0x805749DA -> HOOKED (Unknown @ 0x89ADD8F8)
[Address] SSDT[83] : NtFreeVirtualMemory @ 0x80569C2D -> HOOKED (Unknown @ 0x89AB8E30)
[Address] SSDT[89] : NtImpersonateAnonymousToken @ 0x805DC22E -> HOOKED (Unknown @ 0x89A8F940)
[Address] SSDT[91] : NtImpersonateThread @ 0x805817C1 -> HOOKED (Unknown @ 0x89A8F9B8)
[Address] SSDT[97] : NtLoadDriver @ 0x805A29BD -> HOOKED (Unknown @ 0x89B11600)
[Address] SSDT[108] : unknown @ 0x8057CB31 -> HOOKED (Unknown @ 0x89AC97F0)
[Address] SSDT[114] : NtOpenEvent @ 0x80581B30 -> HOOKED (Unknown @ 0x89A8F800)
[Address] SSDT[122] : NtOpenProcess @ 0x80574BC1 -> HOOKED (Unknown @ 0x89AB94A0)
[Address] SSDT[123] : NtOpenProcessToken @ 0x80571121 -> HOOKED (Unknown @ 0x89ADD860)
[Address] SSDT[125] : NtOpenSection @ 0x8056E583 -> HOOKED (Unknown @ 0x89A858C0)
[Address] SSDT[128] : NtOpenThread @ 0x80590CFC -> HOOKED (Unknown @ 0x89ADD980)
[Address] SSDT[137] : NtProtectVirtualMemory @ 0x80574F70 -> HOOKED (Unknown @ 0x89A90818)
[Address] SSDT[206] : NtResumeThread @ 0x80578F98 -> HOOKED (Unknown @ 0x89A83E08)
[Address] SSDT[213] : NtSetContextThread @ 0x8062E94F -> HOOKED (Unknown @ 0x89A83F90)
[Address] SSDT[228] : NtSetInformationProcess @ 0x80570E2D -> HOOKED (Unknown @ 0x89AC96B0)
[Address] SSDT[240] : NtSetSystemInformation @ 0x805A6AA9 -> HOOKED (Unknown @ 0x89A85808)
[Address] SSDT[253] : NtSuspendProcess @ 0x80630065 -> HOOKED (Unknown @ 0x89A85958)
[Address] SSDT[254] : NtSuspendThread @ 0x805E05D6 -> HOOKED (Unknown @ 0x89A83E60)
[Address] SSDT[257] : NtTerminateProcess @ 0x80585851 -> HOOKED (Unknown @ 0x89AC4A60)
[Address] SSDT[258] : unknown @ 0x80578037 -> HOOKED (Unknown @ 0x89A83EF8)
[Address] SSDT[267] : NtUnmapViewOfSection @ 0x8057C6B6 -> HOOKED (Unknown @ 0x89AC9758)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805815AA -> HOOKED (Unknown @ 0x89AB8ED8)
[Address] Shadow SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x89C759F0)
[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x89C73B20)
[Address] Shadow SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x89C689F8)
[Address] Shadow SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x89C73008)
[Address] Shadow SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x89D67490)
[Address] Shadow SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x89CA7C18)
[Address] Shadow SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x89CE5DA8)
[Address] Shadow SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x89CD9068)
[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x89CAC038)
[Address] Shadow SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x89C5C3E8)

¤¤¤ External Hives: ¤¤¤
-> I:\Documents and Settings\HC\NTUSER.DAT | DRVINFO [Drv - I:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]
-> I:\Documents and Settings\HC2\NTUSER.DAT | DRVINFO [Drv - I:] | SYSTEMINFO [sys - NO_SYS] [sys32 - NOT_FOUND] | USERINFO [startup - NOT_FOUND]

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - WDC WD2500JB-00REA0 +++++
--- User ---
[MBR] 211e2f97f442344d1ee0a8a4744f8100
[bSP] 80b0def8c0bc8e3626a25b59d942ca51 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 57474 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 117708255 | Size: 180997 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE2 @ USB) (Standard disk drives) - SanDisk Cruzer Glide USB Device +++++
--- User ---
[MBR] a124dc1f32b91ceacb765c7a5ad6ec2e
[bSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 32 | Size: 15266 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_10202013_004201.txt >>

ComboFix logfile (I believe that SpeedUpMyPC was installed during my absence by my husband, who visited my dad and tried to fix his computer too):

ComboFix 13-10-19.02 - HC 10/20/2013   9:45.2.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1279.746 [GMT -4:00]
Running from: i:\documents and settings\HC2\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system\IEPEERS.DLL
c:\windows\system\IERNONCE.DLL
c:\windows\system\IMGUTIL.DLL
c:\windows\system\IMPLODE.DLL
c:\windows\system\INETCPL.CPL
c:\windows\system\INETCPLC.DLL
c:\windows\system\INSENG.DLL
c:\windows\system\itircl.dll
c:\windows\system\itss.dll
c:\windows\system\JCB.DLL
c:\windows\system\LMOUSE32.DLL
c:\windows\system\MLANG.DLL
c:\windows\system\MSENCODE.DLL
c:\windows\system\MSHTML.DLL
c:\windows\system\MSHTMLED.DLL
c:\windows\system\MSHTMLER.DLL
c:\windows\system\MSRATING.DLL
c:\windows\system\MSXML.DLL
c:\windows\system\NV3API.DLL
c:\windows\system\NV3DD32.DLL
c:\windows\system\OCCACHE.DLL
c:\windows\system\p2sodbc.dll
c:\windows\system\PLUGIN.OCX
c:\windows\system\QuickTime.cpl
c:\windows\system\QuickTime.qts
.
---- Previous Run -------
.
c:\program files\DictionaryBossEI\Installr\1.bin\NPv4EISb.dll
c:\program files\DictionaryBossEI\Installr\1.bin\v4EIPlug.dll
c:\program files\DictionaryBossEI\Installr\1.bin\v4EZSETP.dll
c:\program files\FunWebProducts\PopSwatr\History\allowed
c:\program files\FunWebProducts\PopSwatr\History\notallow
c:\program files\Internet Explorer\iexplore.exe.tmp
c:\program files\MyWebSearch\bar\History\search
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\Uniblue\SpeedUpMyPC\cwebpage.dll
c:\program files\Uniblue\SpeedUpMyPC\InstallerExtensions.dll
c:\program files\Uniblue\SpeedUpMyPC\intermediate_views.dat
c:\program files\Uniblue\SpeedUpMyPC\latest_scan_results.xsl
c:\program files\Uniblue\SpeedUpMyPC\launcher.exe
c:\program files\Uniblue\SpeedUpMyPC\library.dat
c:\program files\Uniblue\SpeedUpMyPC\locale\br\br.dll
c:\program files\Uniblue\SpeedUpMyPC\locale\br\LC_MESSAGES\messages.mo
c:\program files\Uniblue\SpeedUpMyPC\locale\de\de.dll
c:\program files\Uniblue\SpeedUpMyPC\locale\de\LC_MESSAGES\messages.mo
c:\program files\Uniblue\SpeedUpMyPC\locale\dk\dk.dll
c:\program files\Uniblue\SpeedUpMyPC\locale\dk\LC_MESSAGES\messages.mo
c:\program files\Uniblue\SpeedUpMyPC\locale\en\en.dll
c:\program files\Uniblue\SpeedUpMyPC\locale\en\LC_MESSAGES\messages.mo
c:\program files\Uniblue\SpeedUpMyPC\locale\es\es.dll
c:\program files\Uniblue\SpeedUpMyPC\locale\es\LC_MESSAGES\messages.mo
c:\program files\Uniblue\SpeedUpMyPC\locale\fi\fi.dll
c:\program files\Uniblue\SpeedUpMyPC\locale\fi\LC_MESSAGES\messages.mo
c:\program files\Uniblue\SpeedUpMyPC\locale\fr\fr.dll
c:\program files\Uniblue\SpeedUpMyPC\locale\fr\LC_MESSAGES\messages.mo
c:\program files\Uniblue\SpeedUpMyPC\locale\it\it.dll
c:\program files\Uniblue\SpeedUpMyPC\locale\it\LC_MESSAGES\messages.mo
c:\program files\Uniblue\SpeedUpMyPC\locale\jp\jp.dll
c:\program files\Uniblue\SpeedUpMyPC\locale\jp\LC_MESSAGES\messages.mo
c:\program files\Uniblue\SpeedUpMyPC\locale\nl\LC_MESSAGES\messages.mo
c:\program files\Uniblue\SpeedUpMyPC\locale\nl\nl.dll
c:\program files\Uniblue\SpeedUpMyPC\locale\no\LC_MESSAGES\messages.mo
c:\program files\Uniblue\SpeedUpMyPC\locale\no\no.dll
c:\program files\Uniblue\SpeedUpMyPC\locale\ru\LC_MESSAGES\messages.mo
c:\program files\Uniblue\SpeedUpMyPC\locale\ru\ru.dll
c:\program files\Uniblue\SpeedUpMyPC\locale\se\LC_MESSAGES\messages.mo
c:\program files\Uniblue\SpeedUpMyPC\locale\se\se.dll
c:\program files\Uniblue\SpeedUpMyPC\Microsoft.VC90.CRT.manifest
c:\program files\Uniblue\SpeedUpMyPC\msvcp90.dll
c:\program files\Uniblue\SpeedUpMyPC\msvcr90.dll
c:\program files\Uniblue\SpeedUpMyPC\repair_transform.xsl
c:\program files\Uniblue\SpeedUpMyPC\sp_move_serial.exe
c:\program files\Uniblue\SpeedUpMyPC\spmonitor.exe
c:\program files\Uniblue\SpeedUpMyPC\spnotifier.exe
c:\program files\Uniblue\SpeedUpMyPC\sump.exe
c:\program files\Uniblue\SpeedUpMyPC\Third party Terms\comtypes.txt
c:\program files\Uniblue\SpeedUpMyPC\Third party Terms\cwebpage.dll.html
c:\program files\Uniblue\SpeedUpMyPC\Third party Terms\decorator.py.txt
c:\program files\Uniblue\SpeedUpMyPC\Third party Terms\ordereddict.py.txt
c:\program files\Uniblue\SpeedUpMyPC\Third party Terms\py2exe.txt
c:\program files\Uniblue\SpeedUpMyPC\Third party Terms\python-changes.txt
c:\program files\Uniblue\SpeedUpMyPC\Third party Terms\python.txt
c:\program files\Uniblue\SpeedUpMyPC\Third party Terms\simplejson.txt
c:\program files\Uniblue\SpeedUpMyPC\Third party Terms\wmi.txt
c:\program files\Uniblue\SpeedUpMyPC\unins000.dat
c:\program files\Uniblue\SpeedUpMyPC\unins000.exe
c:\program files\Uniblue\SpeedUpMyPC\unins000.msg
c:\program files\Uniblue\SpeedUpMyPC\views.dat
c:\program files\Uniblue\SpeedUpMyPC\x86\Trackerbird.py.clr2.dll
c:\program files\Uniblue\SpeedUpMyPC\x86\Trackerbird.py.clr4.dll
c:\windows\calc.exe
c:\windows\cleanmgr.exe
c:\windows\command.com
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.8-2.inf
c:\windows\EventSystem.log
c:\windows\hosts.sam
c:\windows\HPSJ1695.DLL
c:\windows\Mplayer.exe
c:\windows\patch.exe
c:\windows\ping.exe
c:\windows\Reg32.dll
c:\windows\Rundll.exe
c:\windows\sndrec32.exe
c:\windows\system\ACTXPRXY.DLL
c:\windows\system\ASCTRLS.OCX
c:\windows\system\BINDFILE.DLL
c:\windows\system\BROWSELC.DLL
c:\windows\system\BROWSEUI.DLL
c:\windows\system\BWCC32.DLL
c:\windows\system\cmstp.exe
c:\windows\system\COMCTL32.DLL
c:\windows\system\ddraw.dll
c:\windows\system\Drivers\msscript.ocx
c:\windows\system\DSCVR.DLL
c:\windows\system\dsound.dll
c:\windows\System\Folder.htt
c:\windows\system\FRAMEBUF.DLL
c:\windows\system\HLINK.DLL
c:\windows\System\jgaw400.dll
c:\windows\system\msconfig.exe
c:\windows\system\mstask.exe
c:\windows\System\mstinit.exe
c:\windows\system\msvbvm60.dll
c:\windows\system\oeminfo.ini
c:\windows\system\olepro32.dll
c:\windows\system\Quartz.dll
c:\windows\system\rsvp.exe
c:\windows\system\Smartvsd.vxd
c:\windows\system\Stdole2.tlb
c:\windows\system\systray.exe
c:\windows\system32\Cache\075884af680ff6dc.fb
c:\windows\system32\Cache\227113dfa1ca894d.fb
c:\windows\system32\Cache\468d40988a85c907.fb
c:\windows\system32\Cache\49fbbc5a8678d502.fb
c:\windows\system32\Cache\5c54eb1a1655b076.fb
c:\windows\system32\Cache\613e8ce7ab7106af.fb
c:\windows\system32\Cache\633a76311867bd11.fb
c:\windows\system32\Cache\691f14230153a9e1.fb
c:\windows\system32\Cache\6cb409d7ac73d9f1.fb
c:\windows\system32\Cache\7614bd6cfa99e546.fb
c:\windows\system32\Cache\77664b6ccc36be9f.fb
c:\windows\system32\Cache\881b3593316772f0.fb
c:\windows\system32\Cache\98657d0579ae1930.fb
c:\windows\system32\Cache\d5c0f4e7bbe35bf3.fb
c:\windows\system32\Cache\d9ca663388d21ec0.fb
c:\windows\system32\Cache\f2cda51fd108941f.fb
c:\windows\system32\Cache\f34d8db84131d925.fb
c:\windows\system32\CKAgent.dat
c:\windows\system32\CKSetup32.dat
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\SET107.tmp
c:\windows\system32\SET109.tmp
c:\windows\system32\SETF9.tmp
c:\windows\system32\SETFB.tmp
c:\windows\system32\SETFF.tmp
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\Web\default.htt
c:\windows\winfile.exe
c:\windows\wininit.exe
c:\windows\WINSOCK.DLL
.
.
(((((((((((((((((((((((((   Files Created from 2013-09-20 to 2013-10-20  )))))))))))))))))))))))))))))))
.
.
2013-10-20 01:26 . 2013-10-20 01:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-10-20 01:26 . 2013-04-04 18:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-10-16 01:13 . 2013-10-16 01:13 -------- d-sh--w- i:\documents and settings\HC2\UserData
2013-10-14 17:37 . 2013-07-03 02:12 25088 ------w- c:\windows\system32\dllcache\hidparse.sys
2013-10-14 17:37 . 2013-07-03 01:59 14976 ------w- c:\windows\system32\dllcache\usbscan.sys
2013-10-14 17:36 . 2013-07-17 00:58 123008 ------w- c:\windows\system32\dllcache\usbvideo.sys
2013-10-14 17:29 . 2009-03-18 11:02 30336 ------w- c:\windows\system32\dllcache\usbehci.sys
2013-10-14 17:29 . 2013-08-09 00:55 144128 ------w- c:\windows\system32\dllcache\usbport.sys
2013-10-14 17:29 . 2013-08-09 00:55 32384 ------w- c:\windows\system32\dllcache\usbccgp.sys
2013-10-14 17:29 . 2013-08-09 00:55 5376 ------w- c:\windows\system32\dllcache\usbd.sys
2013-10-04 21:18 . 2013-10-04 21:18 -------- d-----w- i:\documents and settings\HC2\Application Data\HNC
2013-09-29 20:58 . 2013-10-20 05:23 -------- d-----w- c:\program files\Uniblue
2013-09-29 20:58 . 2013-09-29 20:58 -------- d-----w- i:\documents and settings\HC2\Application Data\Uniblue
2013-09-26 18:00 . 2013-09-26 18:00 208760 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-14 17:53 . 2013-04-03 14:45 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-14 17:53 . 2013-04-03 14:45 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-23 18:33 . 2004-08-24 00:32 920064 ----a-w- c:\windows\system32\wininet.dll
2013-09-23 18:33 . 2003-11-22 04:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-09-23 18:33 . 2003-11-22 04:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-09-23 18:33 . 2001-08-18 12:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-09-23 18:06 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2013-08-29 01:31 . 2001-08-18 12:00 1878656 ----a-w- c:\windows\system32\win32k.sys
2013-08-20 19:26 . 2010-04-20 20:39 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2013-08-09 01:56 . 2003-11-22 04:10 386560 ----a-w- c:\windows\system32\themeui.dll
2013-08-09 00:55 . 2001-08-18 12:00 144128 ----a-w- c:\windows\system32\drivers\usbport.sys
2013-08-09 00:55 . 2007-04-09 15:33 32384 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2013-08-09 00:55 . 2001-08-18 12:00 5376 ----a-w- c:\windows\system32\drivers\usbd.sys
2013-08-05 13:30 . 2004-04-24 09:43 1289728 ----a-w- c:\windows\system32\ole32.dll
2013-08-03 18:18 . 2006-10-19 02:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-02-20 00:07 . 2013-02-20 00:07 0 -c--a-w- c:\program files\GUM6F.tmp
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-08-17 39408]
"Adobe Reader Synchronizer"="c:\program files\Adobe\Reader 11.0\Reader\AdobeCollabSync.exe" [2013-09-05 694152]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA" [X]
"3c1807pd"="c:\windows\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd" [X]
"MXOBG"="c:\windows\MXOALDR.EXE" [2005-12-25 94208]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-12-24 618496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360]
"MFNetworkScanUtility"="c:\program files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE" [2012-09-27 472728]
"FromDocToPDF Search Scope Monitor"="c:\progra~1\FROMDO~2\bar\1.bin\65srchmn.exe" [2013-05-30 44784]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2011-11-14 82026]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FromDocToPDF Search Scope Monitor]
2013-05-30 03:02 44784 ----a-w- c:\progra~1\FROMDO~2\bar\1.bin\65SrchMn.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-10-19 20:30 136176 ----atw- c:\documents and settings\HC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-08-17 15:31 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Symantec NetDriver Monitor"=c:\progra~1\SYMNET~1\SNDMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"vptray"=c:\progra~1\NavNT\vptray.exe
"SSC_UserPrompt"=c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour
.
R0 SymDS;Symantec Data Store;c:\windows\SYSTEM32\DRIVERS\NIS\1404000.028\SymDS.sys [8/20/2013 3:24 PM 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\NIS\1404000.028\SymEFA.sys [8/20/2013 3:24 PM 934488]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\BASHDefs\20131002.001\BHDrvx86.sys [10/1/2013 11:20 PM 1097304]
R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\SYSTEM32\DRIVERS\NIS\1404000.028\ccSetx86.sys [8/20/2013 3:24 PM 134744]
R1 SymIRON;Symantec Iron Driver;c:\windows\SYSTEM32\DRIVERS\NIS\1404000.028\Ironx86.sys [8/20/2013 3:24 PM 175264]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe [8/20/2013 3:23 PM 144368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/1/2013 5:33 PM 108120]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\IPSDefs\20131018.001\IDSXpx86.sys [10/19/2013 11:30 AM 380824]
R3 JRSUKD25;JRSUKD25;c:\windows\SYSTEM32\JRSUKD25.SYS [5/26/2013 6:38 PM 22480]
S0 epstwnt;epstwnt;c:\windows\SYSTEM32\DRIVERS\epstwnt.mpd [10/17/2002 7:21 AM 82432]
S2 FromDocToPDF_65Service;FromDocToPDFService;c:\progra~1\FROMDO~2\bar\1.bin\65barsvc.exe [5/29/2013 11:02 PM 42504]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [10/19/2013 9:26 PM 418376]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/19/2013 9:26 PM 701512]
S2 SHARSHTL;Shuttle Sharer;c:\windows\SYSTEM32\DRIVERS\sharshtl.sys [10/17/2002 7:21 AM 18432]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:28 PM 160944]
S3 epstw2k;SCM Parallel Port SCSI Driver;c:\windows\SYSTEM32\DRIVERS\epstw2k.sys [8/17/2001 9:50 AM 114944]
S3 JRSKD24;JRSKD24; [x]
S3 kcrtx86;kcrtx86;c:\windows\SYSTEM32\kcrtx86.sys [5/26/2013 6:38 PM 126048]
S3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [10/19/2013 9:26 PM 22856]
S3 scsiscan;SCSI Scanner Driver; [x]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMPROTECTOR
*NewlyCreated* - MBAMSCHEDULER
*NewlyCreated* - MBAMSERVICE
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-16 17:40 1185744 ----a-w- c:\program files\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-03 17:54]
.
2013-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
2013-10-20 c:\windows\Tasks\Disk Defragmenter.job
- c:\windows\DEFRAG.EXE [2000-02-18 02:22]
.
2013-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd602ea290ec82.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-17 15:38]
.
2013-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-17 15:38]
.
.
------- Supplementary Scan -------
.

uStart Page = https://www.google.com/
mSearch Bar = hxxp://rd.yahoo.com/customize/sbcy/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyServer = sysmatrix.net:3
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 172.16.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {1B5EE264-CCAB-48A4-B8DA-04D4BB004CC3} - file:///C:/DOCUME~1/HC/LOCALS~1/Temp/pft49.tmp/MiUpdater310.cab




.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-{E55B3271-7CA8-4D0C-AE06-69A24856E996}_is1 - c:\program files\Uniblue\SpeedUpMyPC\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-10-20 09:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\20.4.0.40\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\epstwnt]
"ImagePath"="System32\Drivers\epstwnt.mpd"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-10-20  10:02:02
ComboFix-quarantined-files.txt  2013-10-20 14:01
.
Pre-Run: 5,501,440,000 bytes free
Post-Run: 5,452,611,584 bytes free
.
- - End Of File - - E424FBFAFEB817AF6BD9BA35444C857D
35C6B2FCDE68FACBEFE0A4A7200BAE58

  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
