
Multiple Outgoing Blocks Occurring


  • This topic is locked
35 replies to this topic

#1 Charlie_Whisky

    New Member

  • Members
  • 19 posts

Posted 12 June 2013 - 04:08 PM

(Reposting this here from other forums on the advice of DarkSnakeKobra and Firefox, thanks)


For the past few days, Malwarebytes Pro has been blocking hundreds of outgoing IP access attempts.

It doesn’t matter if I am browsing (IE8) or not. In fact, when I end all of the “iexplore.exe” processes using Task Manager, new ones start up in a few minutes.

Here’s one example line of hundreds of lines from today’s protection log:

2013/06/10 19:07:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)


And here’s the result of a quick scan from today:

Malwarebytes Anti-Malware (PRO) 1.75.0.1300

www.malwarebytes.org

Database version: v2013.06.12.03

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Owner :: GW-5B4ED3A077 [administrator]

Protection: Enabled

6/12/2013 11:06:52 AM

mbam-log-2013-06-12 (11-06-52).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 237780

Time elapsed: 30 minute(s), 44 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

As you can see, “no malicious items detected,” but I am concerned that I have some malware that is attempting to cause my computer to connect to another remote computer. Also, my computer is acting sluggishly.

I note that http://whatmyip.co/i...s/95.211.194.79 shows a location in Amsterdam, NL, owned by www.leaseweb.com.
Any suggestions on how to proceed to detect and remove the cause of this?

PS

I have downloaded “checker” and “dds,” ran them, and have pasted the generated text below (long files):

CheckResults
WIN32_EXIT_CODE : 0
SERVICE_EXIT_CODE : 0
CHECKPOINT : 0
WAIT_HINT : 0


MBAMService:
==============
Type : 16
State : 4 (The service is running.)
WIN32_EXIT_CODE : 0
SERVICE_EXIT_CODE : 0
CHECKPOINT : 0
WAIT_HINT : 0


MBAMScheduler:
==============
Type : 16
State : 4 (The service is running.)
WIN32_EXIT_CODE : 0
SERVICE_EXIT_CODE : 0
CHECKPOINT : 0
WAIT_HINT : 0


<--CAN NOT OPEN SC_HANDLE, SERVICE IS NOT RUNNING FOR: MBAMChameleon


MBAMProtector Registry Values:
==============================

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector
Type REG_DWORD 2
Start REG_DWORD 3
ErrorControl REG_DWORD 1
ImagePath REG_EXPAND_SZ \??\C:\WINDOWS\system32\drivers\mbam.sys
Group REG_SZ FSFilter Anti-Virus
DependOnService REG_MULTI_SZ FltMgr

DependOnGroup REG_DWORD 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector\Instances
DefaultInstance REG_SZ MBAMProtector Instance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector\Instances\MBAMProtector Instance
Altitude REG_SZ 328800
Flags REG_DWORD 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector\Security
Security REG_BINARY Binary Data

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector\Enum
0 REG_SZ Root\LEGACY_MBAMPROTECTOR\0000
Count REG_DWORD 1
NextInstance REG_DWORD 1
MBAMService Registry Values:
============================

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService
Type REG_DWORD 16
Start REG_DWORD 2
ErrorControl REG_DWORD 1
ImagePath REG_EXPAND_SZ "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe"
DependOnService REG_MULTI_SZ MBAMProtector

DependOnGroup REG_DWORD 0
ObjectName REG_SZ LocalSystem
Description REG_SZ Malwarebytes Anti-Malware service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService\Security
Security REG_BINARY Binary Data

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService\Enum
0 REG_SZ Root\LEGACY_MBAMSERVICE\0000
Count REG_DWORD 1
NextInstance REG_DWORD 1
MBAMScheduler Registry Values:
==============================

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMScheduler
Type REG_DWORD 16
Start REG_DWORD 2
ErrorControl REG_DWORD 1
ImagePath REG_EXPAND_SZ "C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe"
ObjectName REG_SZ LocalSystem
Description REG_SZ Malwarebytes Anti-Malware scheduler
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMScheduler\Security
Security REG_BINARY Binary Data

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMScheduler\Enum
0 REG_SZ Root\LEGACY_MBAMSCHEDULER\0000
Count REG_DWORD 1
NextInstance REG_DWORD 1

MBAM DLL's and Runtime Files:
=============================

HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.vbalGrid
(Default): REG_SZ vbAccelerator Grid Control
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.vbalGrid\Clsid
(Default): REG_SZ {C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}

HKEY_CLASSES_ROOT\SSubTimer6.GSubclass
(Default): REG_SZ SSubTimer6.GSubclass
HKEY_CLASSES_ROOT\SSubTimer6.GSubclass\Clsid
(Default): REG_SZ {71A27032-C7D8-11D2-BEF8-525400DFB47A}

HKEY_CLASSES_ROOT\SSubTimer6.CTimer
(Default): REG_SZ SSubTimer6.CTimer
HKEY_CLASSES_ROOT\SSubTimer6.CTimer\Clsid
(Default): REG_SZ {71A27034-C7D8-11D2-BEF8-525400DFB47A}

HKEY_CLASSES_ROOT\SSubTimer6.ISubclass
(Default): REG_SZ SSubTimer6.ISubclass
HKEY_CLASSES_ROOT\SSubTimer6.ISubclass\Clsid
(Default): REG_SZ {71A2702F-C7D8-11D2-BEF8-525400DFB47A}

HKEY_CLASSES_ROOT\mbam.script
(Default): REG_SZ Malwarebytes' Anti-Malware script
HKEY_CLASSES_ROOT\mbam.script\shell
HKEY_CLASSES_ROOT\mbam.script\shell\open
HKEY_CLASSES_ROOT\mbam.script\shell\open\command
(Default): REG_SZ "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" %1

HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}
(Default): REG_SZ SSubTimer6.ISubclass
HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories
HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\ProgID
(Default): REG_SZ SSubTimer6.ISubclass
HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\Programmable
HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\TypeLib
(Default): REG_SZ {71A2702D-C7D8-11D2-BEF8-525400DFB47A}
HKEY_CLASSES_ROOT\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\VERSION
(Default): REG_SZ 1.0

HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}
(Default): REG_SZ SSubTimer6.GSubclass
HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories
HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32
(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\ssubtmr6.dll
ThreadingModel REG_SZ Apartment
HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\ProgID
(Default): REG_SZ SSubTimer6.GSubclass
HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\Programmable
HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\TypeLib
(Default): REG_SZ {71A2702D-C7D8-11D2-BEF8-525400DFB47A}
HKEY_CLASSES_ROOT\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\VERSION
(Default): REG_SZ 1.0

HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}
(Default): REG_SZ SSubTimer6.CTimer
HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories
HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32
(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\ssubtmr6.dll
ThreadingModel REG_SZ Apartment
HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\ProgID
(Default): REG_SZ SSubTimer6.CTimer
HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\Programmable
HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\TypeLib
(Default): REG_SZ {71A2702D-C7D8-11D2-BEF8-525400DFB47A}
HKEY_CLASSES_ROOT\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\VERSION
(Default): REG_SZ 1.0



HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}
HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1
(Default): REG_SZ vbAccelerator VB6 SGrid Control 2.0
HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\0
HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\0\win32
(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\vbalsgrid6.ocx
HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\FLAGS
(Default): REG_SZ 2
HKEY_CLASSES_ROOT\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\HELPDIR
(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware

HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}
HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0
(Default): REG_SZ vbAccelerator VB6 Subclassing and Timer Assistant (with configurable message response, multi-control support + timer bug fix)
HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\0\win32
(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\ssubtmr6.dll
HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\FLAGS
(Default): REG_SZ 0
HKEY_CLASSES_ROOT\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\HELPDIR
(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware

HKEY_CLASSES_ROOT\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}
(Default): REG_SZ ISubclass
HKEY_CLASSES_ROOT\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid
(Default): REG_SZ {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32
(Default): REG_SZ {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\TypeLib
(Default): REG_SZ {71A2702D-C7D8-11D2-BEF8-525400DFB47A}
Version REG_SZ 1.0

HKEY_CLASSES_ROOT\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}
(Default): REG_SZ CTimer
HKEY_CLASSES_ROOT\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid
(Default): REG_SZ {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32
(Default): REG_SZ {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\TypeLib
(Default): REG_SZ {71A2702D-C7D8-11D2-BEF8-525400DFB47A}
Version REG_SZ 1.0

HKEY_CLASSES_ROOT\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}
(Default): REG_SZ vbalGrid
HKEY_CLASSES_ROOT\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\ProxyStubClsid
(Default): REG_SZ {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\ProxyStubClsid32
(Default): REG_SZ {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\TypeLib
(Default): REG_SZ {DE8CE233-DD83-481D-844C-C07B96589D3A}
Version REG_SZ 1.1

MBAM Registry Settings and License Info:
========================================

HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes' Anti-Malware
InstallPath REG_SZ C:\Program Files\Malwarebytes' Anti-Malware
Affiliate REG_SZ https://www.cleverbr...kout&cart=29945
ID XXXXX This is hidden data.
Key XXXX-XXXX-XXXX-XXXX This is hidden data.
updating REG_DWORD 1
silent REG_DWORD 1
dbversion REG_SZ v2013.06.12.03
programversion REG_SZ 1.75.0.1300
hidereg REG_DWORD 0
startipdisabled REG_DWORD 0
useproxy REG_DWORD 0
useauthentication REG_DWORD 0
downloadprogram REG_DWORD 1
advancedheuristics REG_DWORD 1
dbdate REG_SZ Wed, 12 Jun 2013 10:45:12 GMT
detectpup REG_DWORD 2
detectpum REG_DWORD 1
detectp2p REG_DWORD 0
updatewarn REG_DWORD 1
updatewarndays REG_DWORD 7
notifyinstallprogram REG_DWORD 1
SchedulerQueue REG_MULTI_SZ 36872, 30171011, 3467743744, 1, 1 | 30303420, 3211252841

contextmenu REG_DWORD 1
reportthreats REG_DWORD 1
silentipmode REG_DWORD 0
trialpromptshown REG_DWORD 0
startwithwindows REG_DWORD 1
startfsdisabled REG_DWORD 0
autoquarantine REG_DWORD 1
autoquarantinenotify REG_DWORD 1
programbuild REG_SZ consumer
alwaysscanarchives REG_DWORD 1
HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes' Anti-Malware\UUID
There is data here but it is hidden.

HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes' Anti-Malware\UUID



HKEY_CURRENT_USER\SOFTWARE\Malwarebytes' Anti-Malware
language REG_SZ english.lng
firstrun REG_DWORD 1
defaultscan REG_DWORD 0
selectedrives REG_SZ C:\|D:\|I:\|
terminateie REG_DWORD 1
autosavelog REG_DWORD 1
autoupdate REG_DWORD 1
autoscan REG_DWORD 1
updatetime REG_DWORD 21
scantime REG_DWORD 22
alwaysscanmemory REG_DWORD 1
alwaysscanregistry REG_DWORD 1
alwaysscanfiles REG_DWORD 1
alwaysscanheuristics REG_DWORD 1
startminimized REG_DWORD 0
updating REG_DWORD 1
openlog REG_DWORD 1
alwaysscanstartups REG_DWORD 1
HKEY_USERS\S-1-5-18\SOFTWARE\Malwarebytes' Anti-Malware
alwaysscanfiles REG_DWORD 1
alwaysscanheuristics REG_DWORD 1
alwaysscanmemory REG_DWORD 1
alwaysscanregistry REG_DWORD 1
alwaysscanstartups REG_DWORD 1
autosavelog REG_DWORD 1
openlog REG_DWORD 1
contextmenu REG_DWORD 1
defaultscan REG_DWORD 0
reportthreats REG_DWORD 1
terminateie REG_DWORD 0
startwithwindows REG_DWORD 1
startfsdisabled REG_DWORD 0
silentipmode REG_DWORD 0
trialpromptshown REG_DWORD 0
HKEY_USERS\.DEFAULT\SOFTWARE\Malwarebytes' Anti-Malware
alwaysscanfiles REG_DWORD 1
alwaysscanheuristics REG_DWORD 1
alwaysscanmemory REG_DWORD 1
alwaysscanregistry REG_DWORD 1
alwaysscanstartups REG_DWORD 1
autosavelog REG_DWORD 1
openlog REG_DWORD 1
contextmenu REG_DWORD 1
defaultscan REG_DWORD 0
reportthreats REG_DWORD 1
terminateie REG_DWORD 0
startwithwindows REG_DWORD 1
startfsdisabled REG_DWORD 0
silentipmode REG_DWORD 0
trialpromptshown REG_DWORD 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malwarebytes' Anti-Malware_is1
Inno Setup: Setup Version REG_SZ 5.5.3-dev (a)
Inno Setup: App Path REG_SZ C:\Program Files\Malwarebytes' Anti-Malware
InstallLocation REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\
Inno Setup: Icon Group REG_SZ Malwarebytes' Anti-Malware
Inno Setup: User REG_SZ Owner
Inno Setup: Selected Tasks REG_SZ desktopicon
Inno Setup: Deselected Tasks REG_SZ quicklaunchicon
Inno Setup: Language REG_SZ English
DisplayName REG_SZ Malwarebytes Anti-Malware version 1.75.0.1300
DisplayIcon REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
UninstallString REG_SZ "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
QuietUninstallString REG_SZ "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe" /SILENT
DisplayVersion REG_SZ 1.75.0.1300
Publisher REG_SZ Malwarebytes Corporation
URLInfoAbout REG_SZ http://www.malwarebytes.org
NoModify REG_DWORD 1
NoRepair REG_DWORD 1
InstallDate REG_SZ 20130415
MajorVersion REG_DWORD 1
MinorVersion REG_DWORD 75

Pending File Rename Operations:
================================
If any Malwarebytes Anti-Malware items are listed below, the user must reboot to complete a Malwarebytes Anti-Malware upgrade installation.

Scheduler Queue:
================

Scheduled Item: Update Schedule Options: Flash Scan | Weekly
Start Time: 2011-08-20 21:55 Repeating Every: 1 Recover if missed by: 1



Context Menu Entries:
=====================

HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShlExt
(Default): REG_SZ {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\MBAMShlExt
(Default): REG_SZ {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt
(Default): REG_SZ MBAMShlExt Class
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt\CLSID
(Default): REG_SZ {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt\CurVer
(Default): REG_SZ MBAMExt.MBAMShlExt.1
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1
(Default): REG_SZ MBAMShlExt Class
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1\CLSID
(Default): REG_SZ {57CE581A-0CB6-4266-9CA0-19364C90A0B3}


HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}
(Default): REG_SZ IMBAMShlExt
HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\ProxyStubClsid
(Default): REG_SZ {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\ProxyStubClsid32
(Default): REG_SZ {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\TypeLib
(Default): REG_SZ {AFF1A83B-6C83-4342-8E68-1648DE06CB65}
Version REG_SZ 1.0
HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}
(Default): REG_SZ MBAMShlExt Class
HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32
(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
ThreadingModel REG_SZ Apartment
HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\ProgID
(Default): REG_SZ MBAMExt.MBAMShlExt.1
HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\TypeLib
(Default): REG_SZ {AFF1A83B-6C83-4342-8E68-1648DE06CB65}
HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\VersionIndependentProgID
(Default): REG_SZ MBAMExt.MBAMShlExt

HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}
HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0
(Default): REG_SZ MBAMExt 1.0 Type Library
HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0\win32
(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\FLAGS
(Default): REG_SZ 0
HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\HELPDIR
(Default): REG_SZ C:\Program Files\Malwarebytes' Anti-Malware\



MBAM Drivers:
=============

C:\WINDOWS\system32\drivers\mbam.sys File Size: 22856 BYTES FileVersion: 1.60.2.0


Required Dependencies:
======================

fltmgr:
==============
Type : 2
State : 4 (The service is running.) (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0
SERVICE_EXIT_CODE : 0
CHECKPOINT : 0
WAIT_HINT : 0


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FltMgr
Type REG_DWORD 2
Start REG_DWORD 0
ErrorControl REG_DWORD 1
Tag REG_DWORD 1
ImagePath REG_EXPAND_SZ system32\drivers\fltmgr.sys
DisplayName REG_SZ FltMgr
Group REG_SZ FSFilter Infrastructure
Description REG_SZ File System Filter Manager Driver
AttachWhenLoaded REG_DWORD 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FltMgr\Security
Security REG_BINARY Binary Data

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FltMgr\Enum
0 REG_SZ Root\LEGACY_FLTMGR\0000
Count REG_DWORD 1
NextInstance REG_DWORD 1
C:\WINDOWS\system32\drivers\fltmgr.sys File Size: 129792 BYTES FileVersion: 5.1.2600.5512
C:\WINDOWS\system32\comctl32.ocx File Size: 608448 BYTES FileVersion: 6.0.81.5
C:\WINDOWS\system32\mscomctl.ocx File Size: 1070152 BYTES FileVersion: 6.1.98.34
C:\WINDOWS\system32\olepro32.dll File Size: 84992 BYTES FileVersion: 5.1.2600.5512


List of MBAM Related Directories:
=================================

C:\Program Files\Malwarebytes' Anti-Malware
7z.dll File Size: 914432 BYTES FileVersion: 9.20.0.0
changes.rtf File Size: 785 BYTES
changes.txt File Size: 200 BYTES
license.rtf File Size: 17916 BYTES
license.txt File Size: 11141 BYTES
mbam.chm File Size: 474148 BYTES
mbam.dll File Size: 527944 BYTES FileVersion: 1.70.0.0
mbam.exe File Size: 887432 BYTES FileVersion: 1.75.0.1
mbamcore.dll File Size: 1127496 BYTES FileVersion: 1.70.0.0
mbamext.dll File Size: 79208 BYTES FileVersion: 1.70.0.0
mbamgui.exe File Size: 532040 BYTES FileVersion: 1.70.0.0
mbamnet.dll File Size: 2191944 BYTES FileVersion: 1.70.0.0
mbampt.exe File Size: 40008 BYTES FileVersion: 1.70.0.0
mbamscheduler.exe File Size: 418376 BYTES FileVersion: 1.70.0.0
mbamservice.exe File Size: 701512 BYTES FileVersion: 1.70.0.0
ssubtmr6.dll File Size: 44664 BYTES FileVersion: 1.1.0.3
unins000.dat File Size: 339405 BYTES
unins000.exe File Size: 712264 BYTES FileVersion: 51.52.0.0
unins000.msg File Size: 11277 BYTES
vbalsgrid6.ocx File Size: 495224 BYTES FileVersion: 2.0.0.40

C:\Program Files\Malwarebytes' Anti-Malware\Chameleon
chameleon.chm File Size: 186068 BYTES
firefox.com File Size: 218184 BYTES
firefox.exe File Size: 218184 BYTES
firefox.pif File Size: 218184 BYTES
firefox.scr File Size: 218184 BYTES
iexplore.exe File Size: 218184 BYTES
mbam-chameleon.com File Size: 218184 BYTES
mbam-chameleon.exe File Size: 218184 BYTES
mbam-chameleon.pif File Size: 218184 BYTES
mbam-chameleon.scr File Size: 218184 BYTES
mbam-killer.exe File Size: 984648 BYTES FileVersion: 1.60.0.47
rundll32.exe File Size: 218184 BYTES
svchost.exe File Size: 218184 BYTES
winlogon.exe File Size: 218184 BYTES

C:\Program Files\Malwarebytes' Anti-Malware\Languages
albanian.lng File Size: 13924 BYTES
arabic.lng File Size: 21894 BYTES
belarusian.lng File Size: 26884 BYTES
bosnian.lng File Size: 27108 BYTES
bulgarian.lng File Size: 27574 BYTES
catalan.lng File Size: 28252 BYTES
chineseSI.lng File Size: 11024 BYTES
chineseTR.lng File Size: 11952 BYTES
croatian.lng File Size: 26670 BYTES
czech.lng File Size: 24874 BYTES
danish.lng File Size: 26582 BYTES
dutch.lng File Size: 28342 BYTES
english.lng File Size: 24542 BYTES
estonian.lng File Size: 25146 BYTES
finnish.lng File Size: 25950 BYTES
french.lng File Size: 29830 BYTES
german.lng File Size: 29894 BYTES
greek.lng File Size: 29300 BYTES
hebrew.lng File Size: 19362 BYTES
hungarian.lng File Size: 28666 BYTES
indonesian.lng File Size: 26854 BYTES
italian.lng File Size: 28194 BYTES
japanese.lng File Size: 16266 BYTES
korean.lng File Size: 14188 BYTES
latvian.lng File Size: 27100 BYTES
lithuanian.lng File Size: 27838 BYTES
macedonian.lng File Size: 28864 BYTES
norwegian.lng File Size: 25116 BYTES
polish.lng File Size: 26644 BYTES
portugueseBR.lng File Size: 28654 BYTES
portuguesePT.lng File Size: 29062 BYTES
romanian.lng File Size: 28290 BYTES
russian.lng File Size: 27302 BYTES
serbian.lng File Size: 26804 BYTES
slovak.lng File Size: 25644 BYTES
slovenian.lng File Size: 24852 BYTES
spanish.lng File Size: 30060 BYTES
swedish.lng File Size: 25992 BYTES
thai.lng File Size: 26092 BYTES
turkish.lng File Size: 25876 BYTES
ukrainian.lng File Size: 13097 BYTES
vietnamese.lng File Size: 29528 BYTES

C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\Malwarebytes\Malwarebytes' Anti-Malware

C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
mbam-log-08-24-2008 (18-59-20).txt File Size: 892 BYTES
mbam-log-2008-09-08 (20-34-11).txt File Size: 1221 BYTES
mbam-log-2008-12-10 (20-48-07).txt File Size: 835 BYTES
mbam-log-2008-12-10 (22-47-31).txt File Size: 1212 BYTES
mbam-log-2008-12-13 (13-04-47).txt File Size: 846 BYTES
mbam-log-2009-01-04 (11-30-09).txt File Size: 2309 BYTES
mbam-log-2009-01-04 (15-21-01).txt File Size: 2762 BYTES
mbam-log-2009-01-04 (16-30-26).txt File Size: 1147 BYTES
mbam-log-2009-01-04 (16-52-09).txt File Size: 832 BYTES
mbam-log-2009-01-04 (17-12-45).txt File Size: 839 BYTES
mbam-log-2009-01-04 (19-11-51).txt File Size: 831 BYTES
mbam-log-2009-01-10 (10-01-23).txt File Size: 842 BYTES
mbam-log-2009-01-10 (17-54-08).txt File Size: 1647 BYTES
mbam-log-2009-01-10 (18-51-28).txt File Size: 845 BYTES
mbam-log-2009-01-10 (21-12-45).txt File Size: 834 BYTES
mbam-log-2009-01-13 (21-04-24).txt File Size: 833 BYTES
mbam-log-2009-01-15 (21-05-01).txt File Size: 894 BYTES
mbam-log-2009-01-16 (21-04-34).txt File Size: 833 BYTES
mbam-log-2009-01-17 (21-04-20).txt File Size: 833 BYTES
mbam-log-2009-01-19 (21-05-01).txt File Size: 833 BYTES
mbam-log-2009-01-21 (21-05-05).txt File Size: 832 BYTES
mbam-log-2009-01-26 (21-06-22).txt File Size: 833 BYTES
mbam-log-2009-01-28 (21-06-42).txt File Size: 833 BYTES
mbam-log-2009-02-01 (21-07-00).txt File Size: 832 BYTES
mbam-log-2009-02-02 (21-08-32).txt File Size: 832 BYTES
mbam-log-2009-02-04 (21-08-13).txt File Size: 832 BYTES
mbam-log-2009-02-05 (21-08-30).txt File Size: 832 BYTES
mbam-log-2009-02-06 (21-02-20).txt File Size: 831 BYTES
mbam-log-2009-02-07 (21-09-11).txt File Size: 831 BYTES
mbam-log-2009-02-09 (21-13-20).txt File Size: 833 BYTES
mbam-log-2009-02-10 (21-06-57).txt File Size: 833 BYTES
mbam-log-2009-02-11 (21-07-10).txt File Size: 832 BYTES
mbam-log-2009-02-13 (21-09-22).txt File Size: 833 BYTES
mbam-log-2009-02-14 (21-06-19).txt File Size: 833 BYTES
mbam-log-2009-02-16 (21-10-58).txt File Size: 834 BYTES
mbam-log-2009-02-17 (22-56-58).txt File Size: 834 BYTES
mbam-log-2009-02-18 (21-02-19).txt File Size: 833 BYTES
mbam-log-2009-02-19 (21-09-04).txt File Size: 832 BYTES
mbam-log-2009-02-20 (21-09-15).txt File Size: 832 BYTES
mbam-log-2009-02-21 (21-29-32).txt File Size: 833 BYTES
mbam-log-2009-02-22 (21-06-40).txt File Size: 833 BYTES
mbam-log-2009-02-23 (21-08-03).txt File Size: 833 BYTES
mbam-log-2009-02-25 (22-50-59).txt File Size: 846 BYTES
mbam-log-2009-02-26 (21-05-52).txt File Size: 905 BYTES
mbam-log-2009-02-27 (21-06-19).txt File Size: 833 BYTES
mbam-log-2009-02-28 (21-06-57).txt File Size: 833 BYTES
mbam-log-2009-03-01 (21-06-46).txt File Size: 832 BYTES
mbam-log-2009-03-02 (21-08-09).txt File Size: 831 BYTES
mbam-log-2009-03-03 (21-09-01).txt File Size: 832 BYTES
mbam-log-2009-03-04 (21-09-02).txt File Size: 832 BYTES
mbam-log-2009-03-05 (22-38-16).txt File Size: 834 BYTES
mbam-log-2009-03-06 (21-19-53).txt File Size: 833 BYTES
mbam-log-2009-03-07 (22-05-32).txt File Size: 833 BYTES
mbam-log-2009-03-08 (21-21-17).txt File Size: 833 BYTES
mbam-log-2009-03-09 (21-12-40).txt File Size: 833 BYTES
mbam-log-2009-03-10 (22-07-30).txt File Size: 921 BYTES
mbam-log-2009-03-11 (21-05-37).txt File Size: 833 BYTES
mbam-log-2009-03-12 (21-05-41).txt File Size: 833 BYTES
mbam-log-2009-03-13 (21-06-17).txt File Size: 833 BYTES
mbam-log-2009-03-14 (21-11-31).txt File Size: 964 BYTES
mbam-log-2009-03-15 (21-07-23).txt File Size: 833 BYTES
mbam-log-2009-03-16 (21-31-00).txt File Size: 833 BYTES
mbam-log-2009-03-17 (22-13-08).txt File Size: 834 BYTES
mbam-log-2009-03-18 (21-10-46).txt File Size: 834 BYTES
mbam-log-2009-03-20 (22-23-23).txt File Size: 1015 BYTES
mbam-log-2009-03-21 (21-11-44).txt File Size: 834 BYTES
mbam-log-2009-03-22 (21-04-48).txt File Size: 833 BYTES
mbam-log-2009-03-23 (21-05-37).txt File Size: 833 BYTES
mbam-log-2009-03-24 (21-33-53).txt File Size: 833 BYTES
mbam-log-2009-03-26 (21-07-15).txt File Size: 832 BYTES
mbam-log-2009-03-27 (21-05-00).txt File Size: 833 BYTES
mbam-log-2009-03-31 (21-26-29).txt File Size: 833 BYTES
mbam-log-2009-04-03 (21-41-23).txt File Size: 832 BYTES
mbam-log-2009-04-05 (21-05-56).txt File Size: 832 BYTES
mbam-log-2009-04-08 (21-08-01).txt File Size: 832 BYTES
mbam-log-2009-04-11 (21-04-23).txt File Size: 833 BYTES
mbam-log-2009-04-12 (21-07-10).txt File Size: 832 BYTES
mbam-log-2009-04-13 (22-07-20).txt File Size: 833 BYTES
mbam-log-2009-04-14 (22-18-07).txt File Size: 833 BYTES
mbam-log-2009-04-16 (21-05-06).txt File Size: 833 BYTES
mbam-log-2009-04-18 (08-19-34).txt File Size: 832 BYTES
mbam-log-2009-04-18 (21-04-58).txt File Size: 833 BYTES
mbam-log-2009-04-19 (21-06-05).txt File Size: 832 BYTES
mbam-log-2009-04-20 (21-04-39).txt File Size: 833 BYTES
mbam-log-2009-04-25 (22-33-37).txt File Size: 833 BYTES
mbam-log-2009-04-26 (21-06-39).txt File Size: 833 BYTES
mbam-log-2009-04-27 (21-49-57).txt File Size: 833 BYTES
mbam-log-2009-04-30 (21-04-47).txt File Size: 833 BYTES
mbam-log-2009-05-02 (21-33-41).txt File Size: 832 BYTES
mbam-log-2009-05-03 (21-12-23).txt File Size: 833 BYTES
mbam-log-2009-05-04 (21-47-45).txt File Size: 832 BYTES
mbam-log-2009-05-13 (21-07-26).txt File Size: 833 BYTES
mbam-log-2009-05-16 (21-05-20).txt File Size: 833 BYTES
mbam-log-2009-05-17 (21-06-04).txt File Size: 832 BYTES
mbam-log-2009-05-21 (21-04-23).txt File Size: 833 BYTES
mbam-log-2009-05-22 (21-03-33).txt File Size: 833 BYTES
mbam-log-2009-05-23 (22-31-37).txt File Size: 834 BYTES
mbam-log-2009-05-24 (21-25-10).txt File Size: 833 BYTES
mbam-log-2009-05-25 (21-09-40).txt File Size: 833 BYTES
mbam-log-2009-05-26 (21-07-59).txt File Size: 833 BYTES
mbam-log-2009-05-28 (21-28-42).txt File Size: 832 BYTES
mbam-log-2009-05-29 (21-07-28).txt File Size: 833 BYTES
mbam-log-2009-05-30 (21-05-22).txt File Size: 833 BYTES
mbam-log-2009-05-31 (21-06-48).txt File Size: 833 BYTES
mbam-log-2009-06-01 (21-06-30).txt File Size: 832 BYTES
mbam-log-2009-06-02 (21-03-31).txt File Size: 832 BYTES
mbam-log-2009-06-04 (21-05-26).txt File Size: 832 BYTES
mbam-log-2009-06-06 (21-19-04).txt File Size: 935 BYTES
mbam-log-2009-06-06 (22-16-46).txt File Size: 1014 BYTES
mbam-log-2009-06-07 (21-06-15).txt File Size: 832 BYTES
mbam-log-2009-06-08 (21-04-20).txt File Size: 832 BYTES
mbam-log-2009-06-13 (21-06-21).txt File Size: 833 BYTES
mbam-log-2009-06-14 (21-04-52).txt File Size: 833 BYTES
mbam-log-2009-06-18 (21-04-48).txt File Size: 833 BYTES
mbam-log-2009-06-19 (21-49-25).txt File Size: 833 BYTES
mbam-log-2009-06-22 (21-07-47).txt File Size: 834 BYTES
mbam-log-2009-06-23 (21-08-12).txt File Size: 833 BYTES
mbam-log-2009-06-25 (21-09-23).txt File Size: 834 BYTES
mbam-log-2009-06-27 (21-08-29).txt File Size: 834 BYTES
mbam-log-2009-06-30 (21-10-53).txt File Size: 835 BYTES
mbam-log-2009-07-03 (21-07-04).txt File Size: 832 BYTES
mbam-log-2009-07-06 (21-08-36).txt File Size: 833 BYTES
mbam-log-2009-07-08 (21-09-09).txt File Size: 832 BYTES
mbam-log-2009-07-11 (21-09-39).txt File Size: 834 BYTES
mbam-log-2009-07-12 (21-06-54).txt File Size: 834 BYTES
mbam-log-2009-07-14 (21-07-27).txt File Size: 834 BYTES
mbam-log-2009-07-15 (21-58-47).txt File Size: 833 BYTES
mbam-log-2009-07-18 (21-07-27).txt File Size: 833 BYTES
mbam-log-2009-07-20 (21-35-45).txt File Size: 833 BYTES
mbam-log-2009-07-21 (21-09-00).txt File Size: 833 BYTES
mbam-log-2009-07-22 (21-11-36).txt File Size: 834 BYTES
mbam-log-2009-07-25 (21-30-33).txt File Size: 833 BYTES
mbam-log-2009-07-27 (21-11-06).txt File Size: 833 BYTES
mbam-log-2009-07-28 (21-19-05).txt File Size: 834 BYTES
mbam-log-2009-07-29 (21-11-32).txt File Size: 834 BYTES
mbam-log-2009-07-30 (21-13-04).txt File Size: 834 BYTES
mbam-log-2009-08-01 (21-09-13).txt File Size: 831 BYTES
mbam-log-2009-08-02 (21-11-00).txt File Size: 833 BYTES
mbam-log-2009-08-04 (21-11-09).txt File Size: 833 BYTES
mbam-log-2009-08-04 (21-21-32).txt File Size: 833 BYTES
mbam-log-2009-08-05 (21-11-36).txt File Size: 834 BYTES
mbam-log-2009-08-06 (21-11-27).txt File Size: 834 BYTES
mbam-log-2009-08-08 (21-06-51).txt File Size: 833 BYTES
mbam-log-2009-08-09 (14-57-18).txt File Size: 832 BYTES
mbam-log-2009-08-09 (16-18-54).txt File Size: 858 BYTES
mbam-log-2009-08-09 (21-10-45).txt File Size: 834 BYTES
mbam-log-2009-08-10 (21-08-23).txt File Size: 834 BYTES
mbam-log-2009-08-11 (21-10-37).txt File Size: 835 BYTES
mbam-log-2009-08-12 (21-20-13).txt File Size: 834 BYTES
mbam-log-2009-08-17 (21-39-55).txt File Size: 834 BYTES
mbam-log-2009-08-18 (21-07-41).txt File Size: 834 BYTES
mbam-log-2009-08-19 (20-18-47).txt File Size: 855 BYTES
mbam-log-2009-08-20 (19-36-18).txt File Size: 864 BYTES
mbam-log-2009-08-21 (21-14-08).txt File Size: 835 BYTES
mbam-log-2009-08-22 (21-09-23).txt File Size: 834 BYTES
mbam-log-2009-08-24 (21-10-14).txt File Size: 834 BYTES
mbam-log-2009-08-26 (21-13-26).txt File Size: 835 BYTES
mbam-log-2009-08-27 (21-07-23).txt File Size: 834 BYTES
mbam-log-2009-08-29 (21-09-57).txt File Size: 834 BYTES
mbam-log-2009-08-30 (21-11-08).txt File Size: 834 BYTES
mbam-log-2009-08-31 (21-12-41).txt File Size: 835 BYTES
mbam-log-2009-09-02 (22-30-07).txt File Size: 835 BYTES
mbam-log-2009-09-06 (21-11-42).txt File Size: 834 BYTES
mbam-log-2009-09-12 (21-08-28).txt File Size: 834 BYTES
mbam-log-2009-09-19 (21-07-51).txt File Size: 834 BYTES
mbam-log-2009-09-21 (21-20-20).txt File Size: 834 BYTES
mbam-log-2009-09-23 (21-22-55).txt File Size: 920 BYTES
mbam-log-2009-09-25 (21-36-31).txt File Size: 834 BYTES
mbam-log-2009-09-28 (21-02-26).txt File Size: 833 BYTES
mbam-log-2009-09-29 (21-10-05).txt File Size: 834 BYTES
mbam-log-2009-09-30 (21-18-19).txt File Size: 835 BYTES
mbam-log-2009-10-01 (21-10-46).txt File Size: 835 BYTES
mbam-log-2009-10-05 (21-12-28).txt File Size: 835 BYTES
mbam-log-2009-10-06 (21-12-11).txt File Size: 834 BYTES
mbam-log-2009-10-10 (21-08-10).txt File Size: 834 BYTES
mbam-log-2009-10-11 (22-47-05).txt File Size: 836 BYTES
mbam-log-2009-10-12 (21-16-08).txt File Size: 834 BYTES
mbam-log-2009-10-13 (21-15-15).txt File Size: 836 BYTES
mbam-log-2009-10-19 (21-33-47).txt File Size: 835 BYTES
mbam-log-2009-10-20 (21-08-03).txt File Size: 835 BYTES
mbam-log-2009-10-21 (21-09-13).txt File Size: 834 BYTES
mbam-log-2009-10-25 (21-09-12).txt File Size: 834 BYTES
mbam-log-2009-10-26 (21-09-08).txt File Size: 834 BYTES
mbam-log-2009-10-27 (22-22-51).txt File Size: 837 BYTES
mbam-log-2009-10-28 (21-09-42).txt File Size: 835 BYTES
mbam-log-2009-10-29 (21-11-00).txt File Size: 836 BYTES
mbam-log-2009-10-30 (21-29-00).txt File Size: 835 BYTES
mbam-log-2009-11-01 (21-10-01).txt File Size: 834 BYTES
mbam-log-2009-11-04 (21-16-58).txt File Size: 835 BYTES
mbam-log-2009-11-07 (21-08-26).txt File Size: 834 BYTES
mbam-log-2009-11-08 (21-17-17).txt File Size: 834 BYTES
mbam-log-2009-11-09 (21-12-20).txt File Size: 835 BYTES
mbam-log-2009-11-12 (21-15-12).txt File Size: 835 BYTES
mbam-log-2009-11-15 (21-08-16).txt File Size: 835 BYTES
mbam-log-2009-11-16 (21-11-12).txt File Size: 835 BYTES
mbam-log-2009-11-18 (21-09-59).txt File Size: 835 BYTES
mbam-log-2009-11-22 (21-12-22).txt File Size: 836 BYTES
mbam-log-2009-11-23 (21-49-03).txt File Size: 836 BYTES
mbam-log-2009-11-24 (21-15-19).txt File Size: 836 BYTES
mbam-log-2009-11-25 (21-14-04).txt File Size: 836 BYTES
mbam-log-2009-11-27 (21-39-24).txt File Size: 836 BYTES
mbam-log-2009-11-28 (21-14-23).txt File Size: 836 BYTES
mbam-log-2009-11-29 (21-18-43).txt File Size: 836 BYTES
mbam-log-2009-11-30 (21-28-23).txt File Size: 835 BYTES
mbam-log-2009-12-02 (21-08-30).txt File Size: 834 BYTES
mbam-log-2009-12-03 (21-23-02).txt File Size: 834 BYTES
mbam-log-2009-12-05 (22-11-12).txt File Size: 888 BYTES
mbam-log-2009-12-06 (21-11-41).txt File Size: 866 BYTES
mbam-log-2009-12-10 (21-10-02).txt File Size: 866 BYTES
mbam-log-2009-12-11 (21-11-18).txt File Size: 867 BYTES
mbam-log-2009-12-12 (21-13-44).txt File Size: 867 BYTES
mbam-log-2009-12-14 (21-15-10).txt File Size: 866 BYTES
mbam-log-2009-12-15 (21-08-39).txt File Size: 866 BYTES
mbam-log-2009-12-17 (21-09-41).txt File Size: 866 BYTES
mbam-log-2009-12-18 (21-10-05).txt File Size: 866 BYTES
mbam-log-2009-12-19 (21-10-32).txt File Size: 867 BYTES
mbam-log-2010-01-01 (18-10-45).txt File Size: 865 BYTES
mbam-log-2010-01-02 (18-11-21).txt File Size: 865 BYTES
mbam-log-2010-01-02 (20-19-15).txt File Size: 881 BYTES
mbam-log-2010-01-03 (21-36-30).txt File Size: 1417 BYTES
mbam-log-2010-01-09 (22-38-02).txt File Size: 1000 BYTES
mbam-log-2010-01-10 (18-13-51).txt File Size: 866 BYTES
mbam-log-2010-01-16 (20-00-46).txt File Size: 1018 BYTES
mbam-log-2010-01-17 (18-03-45).txt File Size: 864 BYTES
mbam-log-2010-01-24 (19-45-25).txt File Size: 866 BYTES
mbam-log-2010-01-26 (21-01-20).txt File Size: 2357 BYTES
mbam-log-2010-02-21 (08-09-50).txt File Size: 864 BYTES
mbam-log-2010-02-22 (22-10-39).txt File Size: 867 BYTES
mbam-log-2010-02-24 (22-11-09).txt File Size: 866 BYTES
mbam-log-2010-02-25 (22-12-09).txt File Size: 866 BYTES
mbam-log-2010-03-02 (22-25-41).txt File Size: 866 BYTES
mbam-log-2010-03-09 (22-16-21).txt File Size: 866 BYTES
mbam-log-2010-03-10 (21-27-22).txt File Size: 866 BYTES
mbam-log-2010-03-12 (22-19-40).txt File Size: 867 BYTES
mbam-log-2010-03-14 (22-17-34).txt File Size: 867 BYTES
mbam-log-2010-03-16 (22-56-16).txt File Size: 867 BYTES
mbam-log-2010-03-20 (22-16-25).txt File Size: 867 BYTES
mbam-log-2010-07-13 (19-11-09).txt File Size: 892 BYTES
mbam-log-2010-11-20 (15-08-20).txt File Size: 1316 BYTES
mbam-log-2011-02-09 (17-43-34).txt File Size: 897 BYTES
mbam-log-2011-02-09 (17-55-45).txt File Size: 898 BYTES
mbam-log-2011-09-03 (21-58-37).txt File Size: 900 BYTES
mbam-log-2011-10-08 (21-58-15).txt File Size: 901 BYTES
mbam-log-2011-10-22 (21-58-17).txt File Size: 902 BYTES
mbam-log-2011-11-19 (21-57-10).txt File Size: 902 BYTES
mbam-log-2011-12-17 (21-57-40).txt File Size: 901 BYTES
mbam-log-2012-01-01 (17-56-28).txt File Size: 1946 BYTES
mbam-log-2012-01-07 (22-02-14).txt File Size: 1926 BYTES
mbam-log-2012-01-13 (21-15-53).txt File Size: 2188 BYTES
mbam-log-2012-01-14 (22-01-15).txt File Size: 1928 BYTES
mbam-log-2012-02-04 (22-09-00).txt File Size: 1926 BYTES
mbam-log-2012-02-11 (21-56-52).txt File Size: 1926 BYTES
mbam-log-2012-02-25 (22-09-46).txt File Size: 1928 BYTES
mbam-log-2012-03-10 (21-57-25).txt File Size: 1926 BYTES
mbam-log-2012-03-17 (21-47-36).txt File Size: 1926 BYTES
mbam-log-2012-03-24 (22-09-13).txt File Size: 1928 BYTES
mbam-log-2012-04-28 (21-51-14).txt File Size: 1926 BYTES
mbam-log-2012-05-19 (21-56-33).txt File Size: 1926 BYTES
mbam-log-2012-05-26 (21-48-06).txt File Size: 1924 BYTES
mbam-log-2012-06-02 (22-01-05).txt File Size: 1926 BYTES
mbam-log-2012-06-16 (22-01-15).txt File Size: 1928 BYTES
mbam-log-2012-06-23 (22-07-34).txt File Size: 1928 BYTES
mbam-log-2012-06-27 (07-59-07).txt File Size: 2138 BYTES
mbam-log-2012-06-29 (17-46-53).txt File Size: 1928 BYTES
mbam-log-2012-07-07 (22-01-11).txt File Size: 1926 BYTES
mbam-log-2012-07-21 (21-57-22).txt File Size: 1926 BYTES
mbam-log-2012-07-28 (21-53-56).txt File Size: 1926 BYTES
mbam-log-2012-08-25 (21-43-33).txt File Size: 1926 BYTES
mbam-log-2012-08-27 (14-27-27).txt File Size: 2274 BYTES
mbam-log-2012-10-06 (21-56-42).txt File Size: 1926 BYTES
mbam-log-2012-10-13 (22-03-29).txt File Size: 1930 BYTES
mbam-log-2012-10-20 (22-05-26).txt File Size: 1930 BYTES
mbam-log-2012-10-27 (21-43-29).txt File Size: 1928 BYTES
mbam-log-2012-11-17 (21-57-20).txt File Size: 1928 BYTES
mbam-log-2012-11-24 (21-59-23).txt File Size: 1928 BYTES
mbam-log-2012-12-03 (21-30-45).txt File Size: 1928 BYTES
mbam-log-2012-12-08 (21-44-56).txt File Size: 1926 BYTES
mbam-log-2012-12-15 (22-03-03).txt File Size: 1930 BYTES
mbam-log-2012-12-30 (14-25-03).txt File Size: 1930 BYTES
mbam-log-2013-01-05 (22-03-45).txt File Size: 1926 BYTES
mbam-log-2013-02-09 (22-10-44).txt File Size: 1926 BYTES
mbam-log-2013-02-16 (21-44-05).txt File Size: 1924 BYTES
mbam-log-2013-02-18 (14-45-15).txt File Size: 1912 BYTES
mbam-log-2013-03-04 (19-26-30).txt File Size: 1924 BYTES
mbam-log-2013-03-09 (22-00-59).txt File Size: 1926 BYTES
mbam-log-2013-03-10 (16-18-28).txt File Size: 1926 BYTES
mbam-log-2013-03-16 (21-41-06).txt File Size: 1924 BYTES
mbam-log-2013-03-23 (22-02-00).txt File Size: 1928 BYTES
mbam-log-2013-04-06 (21-43-10).txt File Size: 1924 BYTES
mbam-log-2013-04-13 (22-11-30).txt File Size: 1928 BYTES
mbam-log-2013-04-15 (20-18-40).txt File Size: 1924 BYTES
mbam-log-2013-05-04 (22-09-35).txt File Size: 1926 BYTES
mbam-log-2013-05-11 (22-07-13).txt File Size: 1928 BYTES
mbam-log-2013-05-18 (22-03-44).txt File Size: 1926 BYTES
mbam-log-2013-06-01 (21-54-02).txt File Size: 1924 BYTES
mbam-log-2013-06-09 (15-03-24).txt File Size: 1924 BYTES
mbam-log-2013-06-09 (15-09-25).txt File Size: 1926 BYTES
mbam-log-2013-06-12 (09-19-28).txt File Size: 1902 BYTES
mbam-log-2013-06-12 (11-06-52).txt File Size: 1930 BYTES
mbam-log-8-9-2008 (13-11-51).txt File Size: 2378 BYTES
mbam-log-8-9-2008 (14-24-47).txt File Size: 2936 BYTES
mbam-log-8-9-2008 (18-41-13).txt File Size: 1119 BYTES

C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine

===============================================================
END OF FILE

DDS results

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Owner at 11:19:56 on 2013-06-12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.597 [GMT -5:00]
.
FW: CA Personal Firewall *Disabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\cwh.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norton 360\Engine\20.3.1.22\ccSvcHst.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Norton 360\Engine\20.3.1.22\ccSvcHst.exe
C:\Program Files\VERIZONDM\bin\sprtsvc.exe
C:\Program Files\VERIZONDM\bin\tgsrvc.exe
C:\Program Files\VERIZONDM\bin\sprtcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6453
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6453
uURLSearchHooks: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - <orphaned>
uURLSearchHooks: Verizon Toolbar: {f8d96645-337c-419b-8792-b6c126145811} - c:\program files\verizontb\verizonDx.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: vShare Toolbar: {043C5167-00BB-4324-AF7E-62013FAEDACF} - c:\program files\vshare\vshare_toolbar.dll
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton 360\engine\20.3.1.22\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton 360\engine\20.3.1.22\ips\ipsbho.dll
BHO: Updater For Verizon Toolbar: {96673559-e653-4cdc-8923-f89347a952c0} - c:\program files\verizontb\auxi\verizonAu.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\bae.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Verizon Toolbar: {f8d96645-337c-419b-8792-b6c126145811} - c:\program files\verizontb\verizonDx.dll
TB: vShare Toolbar: {043C5167-00BB-4324-AF7E-62013FAEDACF} - c:\program files\vshare\vshare_toolbar.dll
TB: vShare Toolbar: {043C5167-00BB-4324-AF7E-62013FAEDACF} - c:\program files\vshare\vshare_toolbar.dll
TB: Verizon Toolbar: {f8d96645-337c-419b-8792-b6c126145811} - c:\program files\verizontb\verizonDx.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\20.3.1.22\coieplg.dll
uRun: [Power2GoExpress] NA
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [RtWLan] regsvr32.exe "c:\documents and settings\owner.your-5b4ed3a077\local settings\application data\rtwlan\gjmqsipv.dll"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [VERIZONDM] "c:\program files\verizondm\bin\sprtcmd.exe" /P VERIZONDM
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl04g\BrStDvPt.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe
mRun: [capfasem] c:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exe
mRun: [cafwc] c:\program files\ca\ca internet security suite\ca personal firewall\cafw.exe -cl
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [MioNet] c:\program files\mionet\MioNetLauncher.exe /p
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek rtl8187 wireless lan driver and utility\RtWLan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} -
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15030/CTSUEng.cab
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://biz.lgservice.com/DjvuViewer/DjVuControl-6.1.4.cab
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install/00/alttiff.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3A52566B-6018-485B-B713-8B9FF660D8E8} - hxxp://71.123.169.42:0/webdvr2.18.2.16_71.0.0.0.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1343697687988
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1343697663689
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9282A3AA-4954-46B4-B4AE-F086CE3F1110} - hxxp://71.123.169.42:0/regtrustsite.cab
DPF: {9CA74596-B5BB-4634-971C-F0224115A15F} - hxxp://nba.tom.com/video/tcastV1.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://vexcast.com/download/vexcast.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15030/CTPID.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{481AE3E8-CD00-4ED3-9F1D-6AB6C25A01D6} : DHCPNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\1403010.016\symds.sys [2013-4-8 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\1403010.016\symefa.sys [2013-4-8 934488]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.3.0.36\definitions\bashdefs\20130531.001\BHDrvx86.sys [2013-5-31 1002072]
R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\n360\1403010.016\ccsetx86.sys [2013-4-8 134304]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\1403010.016\ironx86.sys [2013-4-8 175264]
R2 cwh;cwh;c:\windows\cwh.exe [2006-12-23 368640]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\verizon\iha_messagecenter\bin\Verizon_IHAMessageCenter.exe [2011-12-12 352248]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-9-10 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2008-8-9 701512]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 N360;Norton 360;c:\program files\norton 360\engine\20.3.1.22\ccsvchst.exe [2013-4-8 144520]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\verizondm\bin\sprtsvc.exe [2011-12-1 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\verizondm\bin\tgsrvc.exe [2011-12-1 185640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-8-28 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.3.0.36\definitions\ipsdefs\20130611.001\IDSXpx86.sys [2013-6-11 373728]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-8-9 22856]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-6-12 40776]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.3.0.36\definitions\virusdefs\20130612.002\NAVENG.SYS [2013-6-12 93272]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.3.0.36\definitions\virusdefs\20130612.002\NAVEX15.SYS [2013-6-12 1611992]
S0 jwsog;jwsog;c:\windows\system32\drivers\xbjj.sys --> c:\windows\system32\drivers\xbjj.sys [?]
S0 plmd;plmd;c:\windows\system32\drivers\xvqfl.sys --> c:\windows\system32\drivers\xvqfl.sys [?]
S0 qnmthkg;qnmthkg;c:\windows\system32\drivers\dgwdfd.sys --> c:\windows\system32\drivers\dgwdfd.sys [?]
S0 shho;shho;c:\windows\system32\drivers\rtbiatm.sys --> c:\windows\system32\drivers\rtbiatm.sys [?]
S3 EraserUtilDrv11210;EraserUtilDrv11210;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv11210.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv11210.sys [?]
S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\drivers\ICDSX.sys [2003-10-1 31744]
S3 WebDictateService;Web Dictate;c:\program files\nch software\webdictate\webdictate.exe [2012-2-7 814596]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-6-17 14336]
.
=============== File Associations ===============
.
FileExt: .reg: regfile=regedit.exe "%1" %*
ShellExec: pi11.exe: Open="c:\program files\microsoft digital image 2006\pi.exe" "%1"
ShellExec: switch.exe: Convert with Switch Sound File Converter="c:\program files\nch swift sound\switch\switch" "%L"
.
=============== Created Last 30 ================
.
2013-06-12 15:29:27 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-06-10 09:54:40 -------- d-----w- c:\documents and settings\owner.your-5b4ed3a077\local settings\application data\RtWLan
2013-05-21 01:23:01 -------- d-----w- C:\hotlink
2013-05-21 01:20:18 752496 ----a-w- C:\WindowsXP-KB959658-x86-ENU.exe
.
==================== Find3M ====================
.
2013-06-12 02:59:20 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-12 02:59:20 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-05 00:00:20 695578 ----a-w- c:\windows\unins000.exe
2013-04-04 19:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-17 23:47:46 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2003-12-05 16:41:00 368640 --sh--r- c:\windows\cwh.exe
2003-12-05 02:16:44 69632 --sh--r- c:\windows\lnchshll.exe
2003-12-05 02:16:46 49152 --sh--r- c:\windows\ScrnInt.exe
.
============= FINISH: 11:29:41.75 ===============

Attach Results

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/26/2006 7:38:38 PM
System Uptime: 6/12/2013 10:40:28 AM (1 hours ago)
.
Motherboard: Gateway | |
Processor: AMD Turion™ 64 X2 Mobile Technology TL-52 | Socket M2/S1G1 | 1595/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 142 GiB total, 71.821 GiB free.
D: is FIXED (FAT32) - 7 GiB total, 4.625 GiB free.
E: is CDROM ()
F: is FIXED (FAT32) - 931 GiB total, 588.271 GiB free.
H: is FIXED (FAT32) - 931 GiB total, 873.102 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 802.11g Network Adapter
Device ID: PCI\VEN_14E4&DEV_4311&SUBSYS_046514E4&REV_01\4&25829AB5&0&0028
Manufacturer: Broadcom
Name: Broadcom 802.11g Network Adapter
PNP Device ID: PCI\VEN_14E4&DEV_4311&SUBSYS_046514E4&REV_01\4&25829AB5&0&0028
Service: BCM43XX
.
Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: SigmaTel High Definition Audio CODEC
Device ID: HDAUDIO\FUNC_01&VEN_8384&DEV_7634&SUBSYS_107B0367&REV_1001\4&C38BD79&0&0001
Manufacturer: SigmaTel
Name: SigmaTel High Definition Audio CODEC
PNP Device ID: HDAUDIO\FUNC_01&VEN_8384&DEV_7634&SUBSYS_107B0367&REV_1001\4&C38BD79&0&0001
Service: STHDA
.
Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: MTP Device
Device ID: ROOT\WPD\0000
Manufacturer: (Standard MTP-compliant devices)
Name: MTP Device
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd
.
==== System Restore Points ===================
.
RP1: 4/21/2013 1:18:00 PM - System Checkpoint
RP2: 4/21/2013 1:40:02 PM - Removed Skype™ 5.10
RP3: 4/21/2013 1:40:57 PM - Removed Click to Call with Skype
RP4: 4/21/2013 1:41:16 PM - Removed Click to Call with Skype
RP5: 4/21/2013 1:41:42 PM - Removed Click to Call with Skype
RP6: 4/21/2013 1:42:54 PM - Removed Adobe Reader Japanese Fonts
RP7: 4/21/2013 1:47:56 PM - Posr April 21 2013 clean up
RP8: 4/21/2013 2:02:57 PM - Removed Click to Call with Skype
RP9: 4/21/2013 2:05:01 PM - Removed NetDisk 2.42
RP10: 4/23/2013 7:57:25 PM - System Checkpoint
RP11: 4/24/2013 8:44:34 PM - System Checkpoint
RP12: 4/26/2013 7:01:13 PM - System Checkpoint
RP13: 4/28/2013 10:02:16 AM - System Checkpoint
RP14: 5/1/2013 6:33:36 PM - System Checkpoint
RP15: 5/2/2013 7:08:29 PM - System Checkpoint
RP16: 5/3/2013 7:10:04 PM - System Checkpoint
RP17: 5/4/2013 8:40:23 PM - System Checkpoint
RP18: 5/5/2013 8:46:37 PM - System Checkpoint
RP19: 5/7/2013 7:17:29 PM - System Checkpoint
RP20: 5/11/2013 7:32:05 AM - System Checkpoint
RP21: 5/12/2013 9:29:29 AM - System Checkpoint
RP22: 5/15/2013 7:00:05 PM - System Checkpoint
RP23: 5/17/2013 7:04:47 PM - System Checkpoint
RP24: 5/18/2013 7:48:24 PM - System Checkpoint
RP25: 5/19/2013 8:22:51 PM - System Checkpoint
RP26: 5/20/2013 8:27:52 PM - Installed Windows XP KB959658.
RP27: 5/20/2013 8:30:20 PM - Installed Windows XP KB2661254-v2.
RP28: 5/24/2013 7:02:28 PM - System Checkpoint
RP29: 5/26/2013 10:25:33 AM - System Checkpoint
RP30: 5/27/2013 11:47:44 AM - System Checkpoint
RP31: 5/28/2013 7:53:30 PM - System Checkpoint
RP32: 5/29/2013 8:31:10 PM - System Checkpoint
RP33: 5/31/2013 7:28:35 PM - System Checkpoint
RP34: 6/2/2013 9:32:04 AM - System Checkpoint
RP35: 6/5/2013 8:01:43 AM - System Checkpoint
.
==== Installed Programs ======================
.
7-Zip 9.20
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 7.0
Adobe Shockwave Player 11
Amazon Kindle For PC
ATI Display Driver
Bonjour
Broadcom 802.11 Network Adapter
Brother BRAdmin Professional 2.49
Brother Driver Deployment Wizard
Brother MFL-Pro Suite
Browser Address Error Redirector
BurnPlugin for Audible
Click to Call with Skype
Compatibility Pack for the 2007 Office system
Creative MediaSource 5
Creative MuVo V100
Creative System Information
Critical Update for Windows Media Player 11 (KB959772)
DNA
DVD Solution
Express Dictate
Express Scribe
GearDrvs
GenoPro Beta 2.b19f
Google Video Player
gtw_logo
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB959658)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
IHA_MessageCenter
IMM4 VCM Codec 3.0.0.2
InfraRecorder
IrfanView (remove only)
Java Auto Updater
Java™ 6 Update 24
LizardTech DjVu Control (autoinstall)
Lotus NotesSQL 3.01 driver
Lotus SmartSuite - English
Malwarebytes' RogueRemover
Malwarebytes Anti-Malware version 1.75.0.1300
MediaJoin
Microsoft .NET Framework 1.0 Hotfix (KB2572066)
Microsoft .NET Framework 1.0 Hotfix (KB2604042)
Microsoft .NET Framework 1.0 Hotfix (KB2656378)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.0 Security Update (KB2742607)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2742597)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Starter Edition 2006
Microsoft Digital Image Starter Edition 2006 Editor
Microsoft Digital Image Starter Edition 2006 Library
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office File Validation Add-In
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Works
Motorola SM56 Data Fax Modem
Move Media Player
Mp3tag v2.46a
Mplayer 0.6.9
MSN
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Napster Burn Engine
NCH Speech Recognition Tools
NCH Toolbox
Norton 360
PaperPort
Plex Media Server
Power2Go 4.0
PowerDVD
PowerPaint 2.50
QuickFile5
QuickTime
REALTEK RTL8187 Wireless LAN Driver and Utility
RealUpgrade 1.0
Recovery Software Suite Gateway
Remove Hidden Data Tool
Rhapsody Player Engine
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219-v2)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135-v2)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847-v2)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SigmaTel Audio
Sonic Encoders
Sony Digital Voice Editor 2
Sony Player Plug-in for Windows Media Player
SoundTap Streaming Audio Recorder
STP Viewer 2.3
Switch Sound File Converter
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows Internet Explorer 8 (KB2632503)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
VC80CRTRedist - 8.0.50727.6195
Verizon Download Manager
Verizon Toolbar
Viewpoint Media Player
VLC media player 2.0.1
vShare Toolbar
Vz In Home Agent
WD Anywhere Backup
Web Dictate
WebFldrs XP
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB2619340
Windows XP Media Center Edition 2005 KB2628259
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WordPerfect Office 12
.
==== Event Viewer Messages From Past Week ========
.
6/12/2013 10:43:17 AM, error: ati2mtag [45062] - CRT invalid display type
6/12/2013 10:42:56 AM, error: WPDMTPDriver [15300] - MTP WPD Driver has failed to start. Error 0x80070005.
.
==== End Of File ===========================

#2 gringo_pr

gringo_pr

    Staff

  • Moderators
  • 9,601 posts
  • Gender:Male

Posted 12 June 2013 - 04:29 PM


Hello Charlie_Whisky

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!


  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


These are the programs I would like you to run next; if you have any problems with one of these, just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

When they are complete let me have the two reports and let me know how things are running.

Gringo




William Rowland
Product Support


#3 Charlie_Whisky

Charlie_Whisky

    New Member

  • Members
  • 19 posts

Posted 12 June 2013 - 06:23 PM

Hi Gringo, thanks for helping:

The reports for AdwCleaner and JRT are copied below at the end of this post.

AdwCleaner pretty well ran as you described, rebooted the computer and produced its report.

JRT, when running at the stage “Check Registry,” gave 5 lines of "access is denied" in the open terminal window, but, it still finished its checks and generated the report shown below.

Note that I had both my Norton 360 antivirus and firewall disabled and MBAM off while JRT was running (a bit nervous about doing that), so I don't think that these would cause the "access is denied" messages.

FEEDBACK: So how is the computer running now?

I am using two main criteria to suggest that my problem is still present:

1) MBAM is still opening a window saying: "successfully blocked access to a potentially malicious website 95.211.194.79" (Type: outgoing).

This window still keeps periodically opening every minute or so.

Here a sample of today’s most recent portion of the protection log, since running AdwCleaner and JRT:

2013/06/12 17:53:03 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:06 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:12 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:13 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:14 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:17 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:18 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:18 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:19 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:20 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:21 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:21 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:22 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:24 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:26 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:27 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:28 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:28 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:28 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:29 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:30 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:31 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:31 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:31 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 17:53:32 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)

2) Multiple instances of iexplore.exe keep opening up, even though I have not started IE

Gringo, I am not sure if this is caused by the same problem as (1), but if I have Task Manager open, watching the running processes, I will see two or three "image names" corresponding to iexplore.exe. But IE was not started by me and there is no open IE window. If I end these specific processes, then a minute or so later, iexplore.exe reappears as a process in Task Manager.

Do you have any other suggestions?

AdwCleaner REPORT
# AdwCleaner v2.303 - Logfile created 06/12/2013 at 16:58:37
# Updated 08/06/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Owner - GW-5B4ED3A077
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\adwCleaner\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\Program Files\Common Files\AVG Secure Search
File Deleted : C:\WINDOWS\system32\conduitEngine.tmp
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\All Users\Application Data\boost_interprocess
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Program Files\Ilivid
Folder Deleted : C:\Program Files\Red Sky
Folder Deleted : C:\Program Files\verizontb
Folder Deleted : C:\Program Files\Viewpoint
Folder Deleted : C:\Program Files\vShare

***** [Registry] *****

Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{96673559-E653-4CDC-8923-F89347A952C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F8D96645-337C-419B-8792-B6C126145811}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{043C5167-00BB-4324-AF7E-62013FAEDACF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3B7599DF-3D5D-4EF5-BF51-9C2EDA788E83}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{96673559-E653-4CDC-8923-F89347A952C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F8D96645-337C-419B-8792-B6C126145811}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\vShare
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{043C5167-00BB-4324-AF7E-62013FAEDACF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3B7599DF-3D5D-4EF5-BF51-9C2EDA788E83}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{96673559-E653-4CDC-8923-F89347A952C0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F8D96645-337C-419B-8792-B6C126145811}
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{20ED5AF7-D9C4-409E-9EB3-D2A44A77FB6D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\vsharechrome
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2801948
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3E315C81-442B-431C-AEC8-ED189699EC24}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\SOFTWARE\Classes\vShare.IMedixProtocol
Key Deleted : HKLM\SOFTWARE\Classes\vShare.IMedixProtocol.1
Key Deleted : HKLM\SOFTWARE\Classes\vShare.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\vShare.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\vShare.ScriptHelpers
Key Deleted : HKLM\SOFTWARE\Classes\vShare.ScriptHelpers.1
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\vShare
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{043C5167-00BB-4324-AF7E-62013FAEDACF}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96673559-E653-4CDC-8923-F89347A952C0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F8D96645-337C-419B-8792-B6C126145811}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3B7599DF-3D5D-4EF5-BF51-9C2EDA788E83}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\vShare
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\Software\Viewpoint
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{043C5167-00BB-4324-AF7E-62013FAEDACF}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{F8D96645-337C-419B-8792-B6C126145811}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{043C5167-00BB-4324-AF7E-62013FAEDACF}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{F8D96645-337C-419B-8792-B6C126145811}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [10282 octets] - [12/06/2013 16:56:38]
AdwCleaner[S1].txt - [10139 octets] - [12/06/2013 16:58:37]

########## EOF - C:\AdwCleaner[S1].txt - [10200 octets] ##########

JRT REPORT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Microsoft Windows XP x86
Ran by Owner on Wed 06/12/2013 at 17:12:29.48
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{16823B47-26A9-45C0-8429-314E0AE07086}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5B7ABA07-7D53-407C-BA8B-F2F3A3E01E37}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6A35CB2B-7435-417F-A5CB-698DE6E4B3B7}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C0A3DE49-3EF2-482C-BCE7-700D1F6B53BB}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CB6AAD89-B6A3-440A-BA7F-39375C3B3D1D}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{F847030E-B096-432E-816F-D313BB4CA9AB}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{FBA0C2D5-8560-4555-838B-09738CFC3935}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\babylon"
Successfully deleted: [Folder] "C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\verizontb"
Successfully deleted: [Folder] "C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\vshare"
Successfully deleted: [Folder] "C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\babylon"
Successfully deleted: [Folder] "C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\ilivid player"
Successfully deleted: [Folder] "C:\Program Files\bigfix"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 06/12/2013 at 17:22:27.07
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#4 gringo_pr

gringo_pr

    Staff

  • Moderators
  • 9,601 posts
  • Gender:Male

Posted 12 June 2013 - 06:24 PM


Hello Charlie_Whisky

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo



William Rowland
Product Support


#5 Charlie_Whisky

Charlie_Whisky

    New Member

  • Members
  • 19 posts

Posted 12 June 2013 - 08:55 PM

Hello Gringo

The Combo Fix (CF) report is at the end of this post.

As you suspected, CF asked to install the system recovery console before proceeding, so I let it do so.

After CF restarted the computer, Norton 360 popped up with a message Error 8501 421 but I just canceled it. Windows Security Alert popped up messages that there was no firewall and that auto updates were off, but I just ignored it and let CF finish until it popped up its report.

After the report popped up, I re-enabled Norton 360 and did another restart.

FEEDBACK: how is the computer running now??


1) MBAM is no longer continuously popping up the message “successfully blocked access to a potentially malicious website 85.211194.79 Type outgoing. “

There was one or two similar popups but not a continued series

Once again today’s most recent portion of the protection log:

2013/06/12 18:41:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 18:41:41 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 18:41:42 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 18:41:43 -0500 GW-5B4ED3A077 Owner MESSAGE Stopping protection
2013/06/12 18:41:43 -0500 GW-5B4ED3A077 Owner MESSAGE Protection stopped successfully
2013/06/12 18:41:43 -0500 GW-5B4ED3A077 Owner MESSAGE Stopping IP protection
2013/06/12 18:41:43 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection stopped successfully
2013/06/12 18:41:46 -0500 GW-5B4ED3A077 Owner MESSAGE Protection stopped
2013/06/12 19:09:09 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/12 19:09:10 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully
2013/06/12 19:09:10 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/12 19:11:05 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully
2013/06/12 19:28:31 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/12 19:28:32 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully
2013/06/12 19:28:32 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/12 19:30:11 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully
2013/06/12 19:47:29 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: outgoing)
2013/06/12 20:16:20 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.99.83 (Type: outgoing)


Notice the two different IP addresses that were blocked once each, but not continuously.

2) Task Manager shows two versions of iexplore.exe running, even though I didn’t start IE. When I ended those processes, another two started soon afterwards. I’m not sure if this is normal or not.

So some improvement, maybe fixed??

Obviously I need to keep monitoring this, but is there anything else?

Turn on windows updates and let it update? Rerun anything?

p.s. as I was preparing this reply, MBAM blocked another different outgoing IP connection:

2013/06/12 20:45:45 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.8.154.220 (Type: outgoing)


Combo Fix REPORT
ComboFix 13-06-12.02 - Owner 06/12/2013 18:53:19.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1126 [GMT -5:00]
Running from: c:\documents and settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\Combo fix\ComboFix.exe
FW: CA Personal Firewall *Disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Owner.YOUR-5B4ED3A077\Application Data\Adobe\mushimu.exe
c:\documents and settings\Owner.YOUR-5B4ED3A077\Application Data\Google\T-Scan
c:\documents and settings\Owner.YOUR-5B4ED3A077\Application Data\Google\T-Scan\n.gif
c:\documents and settings\Owner.YOUR-5B4ED3A077\Application Data\Google\T-Scan\t.gif
c:\documents and settings\Owner.YOUR-5B4ED3A077\Application Data\Google\T-Scan\y.gif
c:\documents and settings\Owner.YOUR-5B4ED3A077\WINDOWS
c:\windows\system32\config\systemprofile\Application Data\cdf02b3822bf514b
c:\windows\system32\config\systemprofile\Application Data\eaf248b3d7cb021
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\Nagasoft
c:\windows\system32\Nagasoft\Codecs\asyncflt.ax
c:\windows\system32\Nagasoft\Codecs\atrc.dll
c:\windows\system32\Nagasoft\Codecs\cook.dll
c:\windows\system32\Nagasoft\Codecs\drvc.dll
c:\windows\system32\Nagasoft\Codecs\raac.dll
c:\windows\system32\Nagasoft\Codecs\RealMediaSplitter.ax
c:\windows\system32\Nagasoft\Codecs\WMFDemux.dll
c:\windows\system32\Nagasoft\GifShower.dll
c:\windows\system32\Nagasoft\vjocx.dll
c:\windows\system32\ndisapi.dll
c:\windows\system32\sdjeavd.tmp
c:\windows\system32\SET4C6.tmp
D:\Autorun.inf
F:\AUTORUN.INF
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_vvdsvc
-------\Legacy_vvdsvc
-------\Service_vvdsvc
-------\Service_vvdsvc
.
.
((((((((((((((((((((((((( Files Created from 2013-05-13 to 2013-06-13 )))))))))))))))))))))))))))))))
.
.
2013-06-12 22:12 . 2013-06-12 22:12 -------- d-----w- c:\windows\ERUNT
2013-06-12 22:12 . 2013-06-12 22:12 -------- d-----w- C:\JRT
2013-06-12 21:52 . 2013-06-12 21:52 -------- d-----w- c:\documents and settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\AVG SafeGuard toolbar
2013-06-12 21:52 . 2013-06-12 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG SafeGuard toolbar
2013-06-12 21:51 . 2013-06-12 21:51 -------- d-----w- c:\documents and settings\Owner.YOUR-5B4ED3A077\Application Data\AVG SafeGuard toolbar
2013-06-12 21:51 . 2013-06-12 21:50 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-06-12 21:51 . 2013-06-12 22:06 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2013-06-12 21:51 . 2013-06-12 21:51 -------- d-----w- c:\program files\AVG SafeGuard toolbar
2013-06-12 21:50 . 2013-06-12 21:50 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2013-06-10 09:54 . 2013-06-10 09:54 -------- d-----w- c:\documents and settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan
2013-05-21 01:23 . 2013-05-28 00:28 -------- d-----w- C:\hotlink
2013-05-21 01:20 . 2008-11-07 10:53 752496 ----a-w- C:\WindowsXP-KB959658-x86-ENU.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-12 02:59 . 2012-04-18 18:39 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-12 02:59 . 2011-06-15 01:48 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-05 00:00 . 2011-06-20 01:25 695578 ----a-w- c:\windows\unins000.exe
2013-04-04 19:50 . 2008-08-09 19:09 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-17 23:47 . 2012-03-19 01:58 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2003-12-05 16:41 368640 --sh--r- c:\windows\cwh.exe
2003-12-05 02:16 69632 --sh--r- c:\windows\lnchshll.exe
2003-12-05 02:16 49152 --sh--r- c:\windows\ScrnInt.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-08 323392]
"RtWLan"="c:\documents and settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan\gjmqsipv.dll" [2012-10-24 731136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2011-12-01 206120]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-24 573440]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 413696]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-11-01 98304]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
REALTEK RTL8187 Wireless LAN Utility.lnk - c:\program files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe /H [2006-11-1 749568]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe /startup [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows\system32
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UmxFwHlp"=2 (0x2)
"ITMRTSVC"=2 (0x2)
"CaCCProvSP"=3 (0x3)
"YahooAUService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\ses2_client_bin_2_8_13g\\seswiz.exe"=
"c:\\Program Files\\REALTEK RTL8187 Wireless LAN Driver and Utility\\RtWLan.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Plex\\Plex Media Server\\Plex Media Server.exe"=
"c:\\Program Files\\Plex\\Plex Media Server\\PlexScriptHost.exe"=
"c:\\Program Files\\Plex\\Plex Media Server\\PlexDlnaServer.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0
"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1
"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2
"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3
"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4
"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5
"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6
"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7
"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8
"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery
"4100:UDP"= 4100:UDP:uPNP Router Control Port
"50000:UDP"= 50000:UDP:IHA_MessageCenter
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\1403010.016\symds.sys [4/8/2013 7:03 PM 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\1403010.016\symefa.sys [4/8/2013 7:03 PM 934488]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [6/12/2013 4:51 PM 37664]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\BASHDefs\20130531.001\BHDrvx86.sys [5/31/2013 11:58 AM 1002072]
R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360\1403010.016\ccsetx86.sys [4/8/2013 7:03 PM 134304]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\1403010.016\ironx86.sys [4/8/2013 7:03 PM 175264]
R2 cwh;cwh;c:\windows\cwh.exe [12/23/2006 3:19 PM 368640]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [12/12/2011 11:03 AM 352248]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/10/2012 8:40 PM 418376]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/9/2008 2:09 PM 701512]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\20.3.1.22\ccsvchst.exe [4/8/2013 7:02 PM 144520]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [12/1/2011 6:11 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [12/1/2011 6:11 AM 185640]
R2 vToolbarUpdater15.2.0;vToolbarUpdater15.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe [6/12/2013 4:51 PM 1015984]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2012 10:27 PM 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\IPSDefs\20130612.001\IDSXpx86.sys [6/12/2013 4:50 PM 373728]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/9/2008 2:09 PM 22856]
S0 jwsog;jwsog;c:\windows\system32\drivers\xbjj.sys --> c:\windows\system32\drivers\xbjj.sys [?]
S0 plmd;plmd;c:\windows\system32\drivers\xvqfl.sys --> c:\windows\system32\drivers\xvqfl.sys [?]
S0 qnmthkg;qnmthkg;c:\windows\system32\drivers\dgwdfd.sys --> c:\windows\system32\drivers\dgwdfd.sys [?]
S0 shho;shho;c:\windows\system32\drivers\rtbiatm.sys --> c:\windows\system32\drivers\rtbiatm.sys [?]
S3 EraserUtilDrv11210;EraserUtilDrv11210;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11210.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11210.sys [?]
S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\drivers\ICDSX.sys [10/1/2003 5:44 PM 31744]
S3 WebDictateService;Web Dictate;c:\program files\NCH Software\WebDictate\webdictate.exe [2/7/2012 10:13 AM 814596]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 02:59]
.
2012-02-10 c:\windows\Tasks\expressShakeIcon.job
- c:\program files\NCH Software\Express\express.exe [2012-02-07 15:13]
.
2013-06-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1542910684-3637753515-2293041949-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2013-06-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1542910684-3637753515-2293041949-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2013-03-06 c:\windows\Tasks\scribeShakeIcon.job
- c:\program files\NCH Software\Scribe\scribe.exe [2012-02-07 15:12]
.
2013-06-12 c:\windows\Tasks\User_Feed_Synchronization-{6F0D77EB-9DFC-4C8F-B264-D6025F8ED514}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6453
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
DPF: {3A52566B-6018-485B-B713-8B9FF660D8E8} - hxxp://71.123.169.42:0/webdvr2.18.2.16_71.0.0.0.cab
DPF: {9282A3AA-4954-46B4-B4AE-F086CE3F1110} - hxxp://71.123.169.42:0/regtrustsite.cab
DPF: {9CA74596-B5BB-4634-971C-F0224115A15F} - hxxp://nba.tom.com/video/tcastV1.cab
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
HKCU-Run-Messenger (Yahoo!) - c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
HKLM-Run-cctray - c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe
HKLM-Run-capfupgrade - c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
HKLM-Run-capfasem - c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
HKLM-Run-cafwc - c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe
HKLM-Run-ATICCC - c:\program files\ATI Technologies\ATI.ACE\cli.exe
HKLM-Run-MioNet - c:\program files\MioNet\MioNetLauncher.exe
HKLM-Run-googletalk - c:\program files\Google\Google Talk\googletalk.exe
c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk - c:\program files\BigFix\bigfix.exe /atstartup
MSConfigStartUp-kdfvb - c:\windows\system32\kdfvb.exe
AddRemove-GenoPro Beta - c:\program files\GenoPro Beta\Uninstall.exe
AddRemove-MSNINST - c:\program files\MSN\MsnInstaller\msninst.exe
AddRemove-verizontb - c:\program files\verizontb\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-12 19:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\20.3.1.22\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\20.3.1.22\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(964)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(1756)
c:\windows\system32\WININET.dll
c:\documents and settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan\gjmqsipv.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\SearchIndexer.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\regsvr32.exe
c:\program files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe
c:\program files\Windows Desktop Search\WindowsSearch.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2013-06-12 19:21:06 - machine was rebooted
ComboFix-quarantined-files.txt 2013-06-13 00:21
.
Pre-Run: 77,472,980,992 bytes free
Post-Run: 77,502,533,632 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - 79B4A49AC43D33545164058E0F336789
B20939CD98B7710036274839082AE757
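Added example (not part of the thread, and not a Malwarebytes or ComboFix tool): a small triage script for the two artefact types posted above, the Malwarebytes protection log and the ComboFix report. The first half parses IP-BLOCK lines and flags an address that is blocked several times within a few seconds, which is the pattern of a background process retrying a connection rather than a single page element. The second half scans ComboFix report lines for three things a responder would want pulled out: Run values whose image is a DLL or sits under a user profile, services whose image file ComboFix marks as missing (`[?]`), and Security Center or firewall keys set to suppress protection. The sample inputs are constructed from lines quoted in this thread; the burst window, the hit count and the "suspicious" heuristics are this example's own assumptions.

```python
"""Triage helpers for a Malwarebytes protection log and a ComboFix report.
Sample inputs are constructed from lines quoted in the forum thread; the
thresholds and heuristics are this example's assumptions, not the tools' own."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed from protection-log lines posted in the thread.
MBAM_SAMPLE = """\
2013/06/12 18:41:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 18:41:41 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 18:41:42 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)
2013/06/12 18:41:43 -0500 GW-5B4ED3A077 Owner MESSAGE Stopping protection
2013/06/12 19:47:29 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: outgoing)
2013/06/13 21:19:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.60.91 (Type: incoming)
"""

# Constructed from ComboFix report lines posted in the thread.
COMBOFIX_SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-08 323392]
"RtWLan"="c:\documents and settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan\gjmqsipv.dll" [2012-10-24 731136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/9/2008 2:09 PM 701512]
S0 jwsog;jwsog;c:\windows\system32\drivers\xbjj.sys --> c:\windows\system32\drivers\xbjj.sys [?]
"""

# <date> <time> <tz> <host> <user> IP-BLOCK <ip> (Type: <direction>)
MBAM_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [+-]\d{4} \S+ \S+ IP-BLOCK "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<dir>incoming|outgoing)\)$"
)
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"')
SERVICE_LINE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<rest>.+)$")
TAMPER_LINE = re.compile(
    r'^"(?P<key>AntiVirusOverride|DisableMonitoring)"=dword:00000001$'
    r'|^"(?P<fw>EnableFirewall)"= 0\b'
)


def parse_ip_blocks(log_text):
    """Return (timestamp, ip, direction) for each IP-BLOCK line; MESSAGE/ERROR lines are skipped."""
    blocks = []
    for line in log_text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            blocks.append((datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["ip"], m["dir"]))
    return blocks


def find_bursts(blocks, window_s=5, min_hits=3):
    """Map ip -> total outgoing blocks for addresses hit >= min_hits times inside window_s seconds.
    Thresholds are assumptions: a tight retry burst to one address is what a process
    reconnecting to a server looks like; a lone block is more often a page element."""
    by_ip = defaultdict(list)
    for ts, ip, direction in blocks:
        if direction == "outgoing":
            by_ip[ip].append(ts)
    bursts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - min_hits + 1):
            if (stamps[i + min_hits - 1] - stamps[i]).total_seconds() <= window_s:
                bursts[ip] = len(stamps)
                break
    return bursts


def triage_combofix(report):
    """Return (kind, name, detail) tuples, in report order, for Run values with a DLL image
    or an image under a user profile, services whose file is missing ([?]), and
    Security Center / firewall values that disable protection."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        m = RUN_VALUE.match(line)
        if m:
            image = m["image"].lower()
            reasons = []
            if image.endswith(".dll"):
                reasons.append("dll as Run image")
            if "\\documents and settings\\" in image or "\\application data\\" in image:
                reasons.append("image under user profile")
            if reasons:
                findings.append(("run_autostart", m["name"], "; ".join(reasons)))
            continue
        m = SERVICE_LINE.match(line)
        if m and m["rest"].endswith("[?]"):
            path = m["rest"].split(" --> ")[0].split(" [")[0]
            findings.append(("service_file_missing", m["name"], path))
            continue
        m = TAMPER_LINE.match(line)
        if m:
            findings.append(("security_control_disabled", m["key"] or m["fw"], line))
    return findings


if __name__ == "__main__":
    for ip, n in find_bursts(parse_ip_blocks(MBAM_SAMPLE)).items():
        print(f"burst: {n} outgoing blocks to {ip}")
    for kind, name, detail in triage_combofix(COMBOFIX_SAMPLE):
        print(f"{kind}: {name} ({detail})")
```

Run against a real protection log, the burst finder separates the repeated 95.211.194.79 blocks from the one-off hits; on the ComboFix text it surfaces the Run value named after the Realtek utility but pointing at a DLL in Local Settings, the boot-start driver whose file is absent, and the overridden Security Center and firewall settings, which are the entries a helper would want to look at first.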

#6 gringo_pr

gringo_pr

    Staff

  • Moderators
  • 9,601 posts
  • Gender:Male

Posted 12 June 2013 - 09:07 PM


Hello Charlie_Whisky

I would like you to try and run these next.

TDSSKiller

Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • more than one report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". The one that I need is the larger one. Please copy and paste the contents of that file here.

    Note** this report can be very long - so if the website gives you an error saying it is too long you may attach it

    If the forum still complains about it being too long, send me everything that is at the end of the report after where it says

    ==================
    Scan finished
    ==================

and I will see if I want to see the whole report

--RogueKiller--

Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • the scan will make two reports the one I would like to see is called RKreport[2].txt on your Desktop
  • Exit/Close RogueKiller

send me the reports made from TDSSKiller and Roguekiller and also let me know how the computer is doing at this time.

Gringo




William Rowland
Product Support


#7 Charlie_Whisky

Charlie_Whisky

    New Member

  • Members
  • 19 posts

Posted 13 June 2013 - 11:18 PM

Hello Gringo

The reports for TDSSKiller (TDSK) and RogueKiller (RK) are at the end of this post.

Update: I can't paste all of the TDSK report, so I'll just show the end part below.

My first attempt to run TDSK was a bit of a bust.

After I clicked on “loaded modules” TDSK rebooted.

A terminal window popped up asking approval to run the program which I accepted. But then the TDSK box didn’t pop up again, so there was no opportunity to click on “loaded modules” or check all the boxes okay etc...

I could tell that TDSK was running because it showed up as a process (and using about 50% of my CPU).

I just let it run.

About an hour later I came back and the process was done. Still nothing popped up though. In the root (C:) I found two files created: TDSSKiller.2.8.16.0_12.06.2013_22.18.36_log (about 4 KB) and a very large file “pagefile” which was a system file (about 2 MB).

This didn’t look much like the process you described. It was late, and so I just shut the computer down and called it a day.

Today, I tried running TDSK again, and this time I had better success, in that the process ran pretty well as you described.

This time after TDSK rebooted and I accepted to run the program, the TDSK box popped up and I was able to click on “loaded modules” and check all the boxes okay.

The program ran for a few minutes and gave its report: all the detected items were suspicious objects only; no malicious objects found.

So all of the default actions were “skip”. After clicking on continue there were two reports: TDSSKiller.2.8.16.0_13.06.2013_18.56.27_log (4KB) and TDSSKiller.2.8.16.0_13.06.2013_19.00.01_log (679 KB). It is the second file that is at the end of this post. That big system file “pagefile” is still in the root directory.

For good measure I restarted the computer before moving on to RogueKiller.

RK pretty well ran smoothly. RK detected 6 objects and I selected delete.

The report RKreport[2]_D_06132013_02d2118 (6KB) is at the end of this post.

FEEDBACK how is the computer working??

1) While writing this summary without IE open, I saw the MBAM window pop up a few times (again, no longer continuously popping up).

Here is the whole protection log for today so far

2013/06/13 18:50:39 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/13 18:50:39 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully
2013/06/13 18:50:39 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/13 18:52:06 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully
2013/06/13 18:59:15 -0500 GW-5B4ED3A077 ERROR StartServiceCtrlDispatcher failed with error code 1063
2013/06/13 21:07:27 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/13 21:07:27 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully
2013/06/13 21:07:27 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/13 21:08:05 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully
2013/06/13 21:09:56 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.241.217.206 (Type: outgoing)
2013/06/13 21:19:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.60.91 (Type: incoming)
2013/06/13 21:22:34 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/13 21:22:34 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully
2013/06/13 21:22:34 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/13 21:23:53 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully
2013/06/13 21:24:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 220.248.167.194 (Type: outgoing)
2013/06/13 21:42:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.60.91 (Type: incoming)


2) Again without IE open I don’t see any versions of iexplore.exe running.

I let the computer run for several minutes to see if iexplore.exe would pop up but nothing so far.

I notice that in this state CPU use is around 1-3%, whereas yesterday it was around 3-5%, with more spikes.

3) Since yesterday, pages in IE don’t show any pictures, just blank boxes with red Xs, like on this page. I had to go to another computer to post this. So is there a way to restore IE to a normal state, please?

So what is next, Gringo?

P.S. Just as I’m about ready to post this, there are more blocks by MBAM in the protection log (maybe from opening Notepad?):
2013/06/13 21:53:29 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.117.183.15 (Type: outgoing)
2013/06/13 22:05:18 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.60.91 (Type: incoming)
2013/06/13 22:07:40 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.33.188 (Type: outgoing)


TDSSKiller REPORT

============================================================
19:04:59.0078 0228 Scan finished
19:04:59.0078 0228 ============================================================
19:04:59.0093 3468 Detected object count: 10
19:04:59.0093 3468 Actual detected object count: 10
19:05:36.0468 3468 AegisP ( UnsignedFile.Multi.Generic ) - skipped by user
19:05:36.0468 3468 AegisP ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:05:36.0468 3468 Creative Service for CDROM Access ( UnsignedFile.Multi.Generic ) - skipped by user
19:05:36.0468 3468 Creative Service for CDROM Access ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:05:36.0468 3468 cwh ( UnsignedFile.Multi.Generic ) - skipped by user
19:05:36.0468 3468 cwh ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:05:36.0468 3468 ICDSPTSV ( UnsignedFile.Multi.Generic ) - skipped by user
19:05:36.0468 3468 ICDSPTSV ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:05:36.0484 3468 MHN ( UnsignedFile.Multi.Generic ) - skipped by user
19:05:36.0484 3468 MHN ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:05:36.0484 3468 MHNDRV ( UnsignedFile.Multi.Generic ) - skipped by user
19:05:36.0484 3468 MHNDRV ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:05:36.0484 3468 NCHSSVAD ( UnsignedFile.Multi.Generic ) - skipped by user
19:05:36.0484 3468 NCHSSVAD ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:05:36.0484 3468 PMEM ( UnsignedFile.Multi.Generic ) - skipped by user
19:05:36.0484 3468 PMEM ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:05:36.0484 3468 PrismXL ( UnsignedFile.Multi.Generic ) - skipped by user
19:05:36.0484 3468 PrismXL ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:05:36.0500 3468 WebDictateService ( UnsignedFile.Multi.Generic ) - skipped by user
19:05:36.0500 3468 WebDictateService ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:08:21.0281 3700 Deinitialize success

RogueKiller REPORT

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Remove -- Date : 06/13/2013 21:18:05
| ARK || FAK || MBR |

¤¤¤ Bad processes : 4 ¤¤¤
[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan\gjmqsipv.dll [x] -> UNLOADED
[SUSP PATH] cwh.exe -- C:\WINDOWS\cwh.exe [-] -> KILLED [TermProc]
[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan\gjmqsipv.dll [x] -> UNLOADED
[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan\gjmqsipv.dll [x] -> UNLOADED

¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : RtWLan (regsvr32.exe "C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan\gjmqsipv.dll") [-] -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[12] : NtAlertResumeThread @ 0x805D4BDC -> HOOKED (Unknown @ 0x8A36F418)
SSDT[13] : NtAlertThread @ 0x805D4B8C -> HOOKED (Unknown @ 0x8A322CA0)
SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AC2 -> HOOKED (Unknown @ 0x8A34CBE8)
SSDT[19] : NtAssignProcessToJobObject @ 0x805D66A0 -> HOOKED (Unknown @ 0x8A3C5D20)
SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x8A2120E8)
SSDT[43] : NtCreateMutant @ 0x80617718 -> HOOKED (Unknown @ 0x8A500D30)
SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A02 -> HOOKED (Unknown @ 0x8A367630)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0x8A54A108)
SSDT[57] : NtDebugActiveProcess @ 0x80643BA8 -> HOOKED (Unknown @ 0x8A359CE8)
SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0x8A4E35E0)
SSDT[83] : NtFreeVirtualMemory @ 0x805B2FBA -> HOOKED (Unknown @ 0x8A503D78)
SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9258 -> HOOKED (Unknown @ 0x8A343D08)
SSDT[91] : NtImpersonateThread @ 0x805D7860 -> HOOKED (Unknown @ 0x8A343DC8)
SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x8A33F330)
SSDT[108] : unknown @ 0x805B2042 -> HOOKED (Unknown @ 0x8A4E0ED8)
SSDT[114] : NtOpenEvent @ 0x8060F0D6 -> HOOKED (Unknown @ 0x8A544D68)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0x8A39B5D0)
SSDT[123] : NtOpenProcessToken @ 0x805EDF26 -> HOOKED (Unknown @ 0x8A2D6760)
SSDT[125] : NtOpenSection @ 0x805AA3F4 -> HOOKED (Unknown @ 0x8A34C660)
SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0x8A364D68)
SSDT[137] : NtProtectVirtualMemory @ 0x805B8426 -> HOOKED (Unknown @ 0x8A5045B8)
SSDT[206] : NtResumeThread @ 0x805D4A18 -> HOOKED (Unknown @ 0x8A564E20)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0x8A4E17F8)
SSDT[228] : NtSetInformationProcess @ 0x805CDEA0 -> HOOKED (Unknown @ 0x8A319D18)
SSDT[240] : NtSetSystemInformation @ 0x8060FD8E -> HOOKED (Unknown @ 0x8A359DC8)
SSDT[253] : NtSuspendProcess @ 0x805D4AE0 -> HOOKED (Unknown @ 0x8A5496F0)
SSDT[254] : NtSuspendThread @ 0x805D4952 -> HOOKED (Unknown @ 0x8A413A18)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0x8A51C268)
SSDT[258] : unknown @ 0x805D24D2 -> HOOKED (Unknown @ 0x8A4D2378)
SSDT[267] : NtUnmapViewOfSection @ 0x805B2E50 -> HOOKED (Unknown @ 0x8A4EBFD0)
SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (Unknown @ 0x8A3A0758)
S_SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8A2D2D90)
S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A61A3B8)
S_SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A603348)
S_SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8A61A3F0)
S_SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8A2D6D98)
S_SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8A301230)
S_SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8A603300)
S_SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8A60CEB8)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A2CB160)
S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8A5F4818)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9160821A +++++
--- User ---
[MBR] 066baec7920b5163c84ce8ef8c6e6d39
[BSP] db63615aa66f3fdfa2e467ad7beb91fe : Legit.B MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 14346045 | Size: 145612 Mo
1 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 7004 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_06132013_02d2118.txt >>
RKreport[1]_S_06132013_02d2115.txt ; RKreport[2]_D_06132013_02d2118.txt
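As an added example, not part of the thread or of Malwarebytes' own tooling: a small Python triage script for protection-log lines in the format quoted in the posts above. It groups IP-BLOCK events by remote address and direction and lists the addresses that recur, with the mean gap between hits, which is what a helper looks at to tell a periodic beacon from a stray block. The sample lines are constructed in the thread's format and the function names are my own.

```python
"""Triage helper for Malwarebytes protection-log lines (added example, not
part of the thread).  The log format is the one quoted in the posts above:

    2013/06/13 21:09:56 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.241.217.206 (Type: outgoing)

It groups IP-BLOCK events per remote address and direction and reports the
addresses that recur, together with the average gap between hits.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the thread's log format (not the user's full log).
SAMPLE_LOG = """\
2013/06/13 21:07:27 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/13 21:08:05 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully
2013/06/13 21:09:56 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.241.217.206 (Type: outgoing)
2013/06/13 21:19:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.60.91 (Type: incoming)
2013/06/13 21:24:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 220.248.167.194 (Type: outgoing)
2013/06/13 21:42:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.60.91 (Type: incoming)
2013/06/13 21:53:29 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.117.183.15 (Type: outgoing)
2013/06/13 22:05:18 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.60.91 (Type: incoming)
2013/06/13 22:07:40 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.33.188 (Type: outgoing)
2013/06/13 18:59:15 -0500 GW-5B4ED3A077 ERROR StartServiceCtrlDispatcher failed with error code 1063
"""

# Timestamp, UTC offset, host, optional user, record kind, free text.  The
# ERROR line in the thread carries no user field, hence the optional group;
# only the record kinds seen on the page are accepted.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<host>\S+) (?:(?P<user>\S+) )?(?P<kind>MESSAGE|IP-BLOCK|ERROR) (?P<rest>.*)$"
)
BLOCK_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<direction>incoming|outgoing)\)$"
)


def parse_line(line):
    """Parse one log line; returns an event dict, or None for lines that do
    not match the format (blank lines, report headers pasted into a post)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {
        "time": datetime.strptime(f"{m['date']} {m['time']}", "%Y/%m/%d %H:%M:%S"),
        "host": m["host"],
        "user": m["user"],  # None on ERROR lines
        "kind": m["kind"],
        "ip": None,
        "direction": None,
        "text": m["rest"],
    }
    if event["kind"] == "IP-BLOCK":
        b = BLOCK_RE.match(event["text"])
        if b:
            event["ip"], event["direction"] = b["ip"], b["direction"]
    return event


def parse_log(text):
    """All parseable events from a pasted log, in file order."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def direction_counts(events):
    """How many blocks were outgoing vs incoming: {'outgoing': n, 'incoming': m}."""
    return dict(Counter(e["direction"] for e in events if e["ip"]))


def block_summary(events):
    """(ip, direction) -> sorted timestamps of every block of that pair."""
    groups = defaultdict(list)
    for e in events:
        if e["kind"] == "IP-BLOCK" and e["ip"]:
            groups[(e["ip"], e["direction"])].append(e["time"])
    return {key: sorted(times) for key, times in groups.items()}


def recurring(events, min_count=2):
    """Addresses blocked at least min_count times, most frequent first.

    Each row is (ip, direction, count, mean_gap_minutes).  A roughly constant
    gap between hits is what a periodic beacon looks like; single hits are
    only listed when min_count is 1.
    """
    rows = []
    for (ip, direction), times in block_summary(events).items():
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else 0.0
        rows.append((ip, direction, len(times), mean_gap))
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("blocks by direction:", direction_counts(evs))
    for ip, direction, n, gap in recurring(evs):
        print(f"{ip:16} {direction:9} x{n}  mean gap {gap:.1f} min")
```

Paste a real protection log into SAMPLE_LOG (or read it from a file) and the recurring list shows at a glance which addresses keep coming back and how regularly.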

#8 gringo_pr

gringo_pr

    Staff

  • Moderators
  • 9,601 posts
  • Gender:Male

Posted 14 June 2013 - 08:35 AM



Hello Charlie_Whisky

Let's get a deeper look into the system and let's see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized; save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo


William Rowland
Product Support



#9 Charlie_Whisky

Charlie_Whisky

    New Member

  • Members
  • 19 posts

Posted 15 June 2013 - 07:11 AM

Hello Gringo

The OTL.txt report is at the end of this post.

I ran OTL.exe without any apparent issues.

FEEDBACK – how is the computer working?

Today is about the same as yesterday.

1) The MBAM window still popped up with a few outgoing blocks, but it's not a continuous stream as before; here's the protection log from today:

2013/06/15 06:21:45 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/15 06:21:45 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully
2013/06/15 06:21:45 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/15 06:23:13 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully
2013/06/15 06:39:54 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing)
2013/06/15 06:55:10 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing)

2) Without opening IE, in Task Manager I don't see any running processes of iexplore.exe.

3) IE, when open, no longer displays images/pictures associated with web pages (just red Xs or blank boxes), so it is difficult to navigate web pages, like this page.

OTL REPORT

OTL logfile created on: 6/15/2013 6:30:40 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\OTL
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 1.15 Gb Available Physical Memory | 61.65% Memory free
3.72 Gb Paging File | 3.08 Gb Available in Paging File | 82.78% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 142.20 Gb Total Space | 72.21 Gb Free Space | 50.78% Space Free | Partition Type: NTFS
Drive D: | 6.83 Gb Total Space | 4.63 Gb Free Space | 67.74% Space Free | Partition Type: FAT32

Computer Name: GW-5B4ED3A077 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\OTL\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe (AVG Secure Search)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Norton 360\Engine\20.3.1.22\ccsvchst.exe (Symantec Corporation)
PRC - C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe (Verizon)
PRC - C:\Program Files\VERIZONDM\bin\tgsrvc.exe (SupportSoft, Inc.)
PRC - C:\Program Files\VERIZONDM\bin\sprtsvc.exe (SupportSoft, Inc.)
PRC - C:\Program Files\VERIZONDM\bin\sprtcmd.exe (SupportSoft, Inc.)
PRC - C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)
PRC - C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe (Realtek Semiconductor Corp.)
PRC - C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
PRC - C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.)
PRC - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
PRC - C:\WINDOWS\cwh.exe (Warranty Corporation of America)


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\d7ee03714420b252415b952d40ef59e4\System.ServiceProcess.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management\1a6f9e23985e3159e6dd9827fd81c2fd\System.Management.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\96b7a0136e9e72e8f4eb0230c20766d2\System.Configuration.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\fe025743210c22bea2f009e1612c38bf\System.Xml.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\aeac298c43c77d8860db8e7634d9f2eb\System.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\eab2340ead8e1a84bdf1a87868659979\mscorlib.ni.dll ()
MOD - C:\WINDOWS\system32\quartz.dll ()
MOD - C:\Program Files\Norton 360\Engine\20.3.1.22\wincfi39.dll ()
MOD - C:\WINDOWS\system32\sbe.dll ()
MOD - C:\WINDOWS\system32\msdmo.dll ()
MOD - C:\WINDOWS\system32\devenum.dll ()
MOD - C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\EnumDevLib.dll ()
MOD - C:\WINDOWS\system32\bcm1xsup.dll ()
MOD - C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\acAuth.dll ()


========== Services (SafeList) ==========

SRV - (SNMPTRAP) -- C:\WINDOWS\system32\snmptrap.exe File not found
SRV - (vToolbarUpdater15.2.0) -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe (AVG Secure Search)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MBAMScheduler) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
SRV - (N360) -- C:\Program Files\Norton 360\Engine\20.3.1.22\ccSvcHst.exe (Symantec Corporation)
SRV - (IHA_MessageCenter) -- C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe (Verizon)
SRV - (WebDictateService) -- C:\Program Files\NCH Software\WebDictate\webdictate.exe (NCH Software)
SRV - (tgsrvc_verizondm) -- C:\Program Files\VERIZONDM\bin\tgsrvc.exe (SupportSoft, Inc.)
SRV - (sprtsvc_verizondm) -- C:\Program Files\VERIZONDM\bin\sprtsvc.exe (SupportSoft, Inc.)
SRV - (PrismXL) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)
SRV - (cwh) -- C:\WINDOWS\cwh.exe (Warranty Corporation of America)
SRV - (ICDSPTSV) -- C:\WINDOWS\system32\IcdSptSv.exe (Sony Corporation)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (shho) -- system32\drivers\rtbiatm.sys File not found
DRV - (qnmthkg) -- system32\drivers\dgwdfd.sys File not found
DRV - (plmd) -- system32\drivers\xvqfl.sys File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (jwsog) -- system32\drivers\xbjj.sys File not found
DRV - (EraserUtilDrv11210) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11210.sys File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\ComboFix\catchme.sys File not found
DRV - (avgtp) -- C:\WINDOWS\system32\drivers\avgtpx86.sys (AVG Technologies)
DRV - (BHDrvx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\BASHDefs\20130531.001\BHDrvx86.sys (Symantec Corporation)
DRV - (NAVEX15) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\VirusDefs\20130613.001\NAVEX15.SYS (Symantec Corporation)
DRV - (NAVENG) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\VirusDefs\20130613.001\NAVENG.SYS (Symantec Corporation)
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (IDSxpx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\IPSDefs\20130613.002\IDSXpx86.sys (Symantec Corporation)
DRV - (SYMTDI) -- C:\WINDOWS\system32\drivers\N360\1403010.016\symtdi.sys (Symantec Corporation)
DRV - (SymEFA) -- C:\WINDOWS\system32\drivers\N360\1403010.016\symefa.sys (Symantec Corporation)
DRV - (SRTSP) -- C:\WINDOWS\system32\drivers\N360\1403010.016\srtsp.sys (Symantec Corporation)
DRV - (SRTSPX) -- C:\WINDOWS\system32\drivers\N360\1403010.016\srtspx.sys (Symantec Corporation)
DRV - (SymDS) -- C:\WINDOWS\system32\drivers\N360\1403010.016\symds.sys (Symantec Corporation)
DRV - (SymIMMP) -- C:\WINDOWS\system32\drivers\SymIM.sys (Symantec Corporation)
DRV - (SymIM) -- C:\WINDOWS\system32\drivers\SymIM.sys (Symantec Corporation)
DRV - (SymIRON) -- C:\WINDOWS\system32\drivers\N360\1403010.016\ironx86.sys (Symantec Corporation)
DRV - (ccSet_N360) -- C:\WINDOWS\system32\drivers\N360\1403010.016\ccsetx86.sys (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (NCHSSVAD) -- C:\WINDOWS\system32\drivers\nchssvad.sys (NCH Swift Sound)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (smserial) -- C:\WINDOWS\system32\drivers\smserial.sys (Motorola Inc.)
DRV - (yukonwxp) -- C:\WINDOWS\system32\drivers\yk51x86.sys (Marvell)
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (tifm21) -- C:\WINDOWS\system32\drivers\tifm21.sys (Texas Instruments)
DRV - (ICDSX) -- C:\WINDOWS\system32\drivers\ICDSX.sys (Sony Corporation)
DRV - (wanatw) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.c...ys=PTB&M=MX6453
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.c...ys=PTB&M=MX6453
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes,DefaultScope = {7EC915E5-CE4E-47C0-8506-E0CE5B5C8879}
IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{01B1BEBE-793E-4A64-BFAE-9E61703C794B}: "URL" = http://duckduckgo.com/?q={searchTerms}
IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{3DA52092-75EC-4513-B3C3-DA9628B5D34D}: "URL" = http://www.shopzilla...d={searchTerms}
IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{5C1B48D4-1670-4617-ADC8-0DDA51F7E33A}: "URL" = http://search.yahoo....=utf-8&fr=b2ie7
IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{61602A01-D10C-4324-BA0A-1E12C24D7F2A}: "URL" = http://www.scroogle....w={searchTerms}
IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{7EC915E5-CE4E-47C0-8506-E0CE5B5C8879}: "URL" = http://www.google.co...age={startPage}
IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{9329EF74-770B-47D8-AD0F-0E7B2AE9CA04}: "URL" = http://www.amazon.co...s={searchTerms}
IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{E2297ECC-2E67-4A3C-9426-2413485D513B}: "URL" = http://www.blinkx.co...y={searchTerms}
IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@bittorrent.com/BitTorrentDNA: C:\Program Files\DNA\plugins\npbtdna.dll (BitTorrent, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\Move Networks\plugins\npqmp071701000002.dll (Move Networks)
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17: C:\Program Files\Veetle\VLCBroadcast\npvbp.dll File not found
FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll File not found
FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\Move Networks\plugins\npqmp071701000002.dll (Move Networks)
FF - HKCU\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine: C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\nprhapengine.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{96AB4162-6E8C-495D-B3DD-0583314D0AB5}: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{96AB4162-6E8C-495D-B3DD-0583314D0AB5}\ [2009/01/10 10:14:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\coFFPlgn\ [2013/06/15 06:24:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\IPSFFPlgn\ [2013/03/17 19:01:11 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\moveplayer@movenetworks.com: C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\Move Networks [2010/03/11 10:04:19 | 000,000,000 | ---D | M]

[2010/03/28 13:05:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\Mozilla\Extensions

O1 HOSTS File: ([2013/06/12 19:09:27 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\20.3.1.22\coieplg.dll (Symantec Corporation)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\20.3.1.22\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\WINDOWS\system32\bae.dll (Gateway Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\20.3.1.22\coieplg.dll (Symantec Corporation)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\WINDOWS\creator\Remind_XP.exe (SoftThinks)
O4 - HKLM..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe (Brother Industories, Ltd.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [VERIZONDM] C:\Program Files\VERIZONDM\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006..\Run: [BitTorrent DNA] C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
O4 - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006..\Run: [Power2GoExpress] NA File not found
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\REALTEK RTL8187 Wireless LAN Utility.lnk = C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe (Realtek Semiconductor Corp.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_24.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found
O9 - Extra 'Tools' menuitem : Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...n/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} http://www.creative....030/CTSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} http://biz.lgservice...ntrol-6.1.4.cab (DjVuCtl Class)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} http://www.alternati.../00/alttiff.cab (AlternaTIFF ActiveX)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {3A52566B-6018-485B-B713-8B9FF660D8E8} http://71.123.169.42...16_71.0.0.0.cab (ilhtrapp Object)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photos.walmar...martActivia.cab (Snapfish Activia)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1343697687988 (WUWebControl Class)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx...owserPlugin.cab (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1343697663689 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9282A3AA-4954-46B4-B4AE-F086CE3F1110} http://71.123.169.42...egtrustsite.cab (TrustSiteAddMgr Class)
O16 - DPF: {9CA74596-B5BB-4634-971C-F0224115A15F} http://nba.tom.com/video/tcastV1.cab (tcast control)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} http://vexcast.com/d...oad/vexcast.cab (VodClient Control Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://www.creative....15030/CTPID.cab (Creative Software AutoUpdate Support Package)
O16 - DPF: vzTCPConfig http://my.verizon.co...vzTCPConfig.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{481AE3E8-CD00-4ED3-9F1D-6AB6C25A01D6}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/06/13 21:14:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Desktop\RK_Quarantine
[2013/06/13 18:54:33 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2013/06/12 18:50:23 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2013/06/12 18:45:39 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/06/12 18:45:39 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/06/12 18:45:39 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/06/12 18:45:39 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/06/12 18:44:22 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/06/12 18:42:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2013/06/12 17:12:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2013/06/12 17:12:09 | 000,000,000 | ---D | C] -- C:\JRT
[2013/06/12 16:52:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\AVG SafeGuard toolbar
[2013/06/12 16:52:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG SafeGuard toolbar
[2013/06/12 16:51:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\AVG SafeGuard toolbar
[2013/06/12 16:51:30 | 000,037,664 | ---- | C] (AVG Technologies) -- C:\WINDOWS\System32\drivers\avgtpx86.sys
[2013/06/12 16:51:18 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\AVG Secure Search
[2013/06/12 16:51:14 | 000,000,000 | ---D | C] -- C:\Program Files\AVG SafeGuard toolbar
[2013/06/12 16:50:17 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2013/06/10 04:54:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan
[2013/05/20 20:23:01 | 000,000,000 | ---D | C] -- C:\hotlink
[2013/05/20 20:20:18 | 000,752,496 | ---- | C] (Microsoft Corporation) -- C:\WindowsXP-KB959658-x86-ENU.exe
[2006/12/17 13:27:51 | 000,800,272 | ---- | C] (CA) -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\ppctl.dll
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/06/15 06:23:06 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{6F0D77EB-9DFC-4C8F-B264-D6025F8ED514}.job
[2013/06/15 06:23:00 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/06/15 06:21:36 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1542910684-3637753515-2293041949-1006.job
[2013/06/15 06:21:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/06/13 22:59:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/06/12 19:09:27 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2013/06/12 18:50:33 | 000,000,337 | RHS- | M] () -- C:\boot.ini
[2013/06/12 16:50:33 | 000,037,664 | ---- | M] (AVG Technologies) -- C:\WINDOWS\System32\drivers\avgtpx86.sys
[2013/06/12 16:49:14 | 000,000,990 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Desktop\Continue Zip Opener Installation.lnk
[2013/06/11 21:59:20 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/06/11 21:59:20 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/06/10 20:01:06 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1542910684-3637753515-2293041949-1006.job
[2013/05/21 21:46:06 | 000,000,426 | ---- | M] () -- C:\WINDOWS\brwmark.ini
[2013/05/19 15:11:24 | 000,002,419 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Vz In-Home Agent.lnk
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/06/12 18:50:33 | 000,000,221 | ---- | C] () -- C:\Boot.bak
[2013/06/12 18:50:27 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2013/06/12 18:45:39 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/06/12 18:45:39 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/06/12 18:45:39 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/06/12 18:45:39 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/06/12 18:45:39 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013/06/12 16:49:13 | 000,000,990 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Desktop\Continue Zip Opener Installation.lnk
[2012/09/10 21:03:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\DVEdit.INI
[2012/09/10 20:28:20 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\IcdSptSvps.dll
[2012/05/10 22:23:33 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/29 08:49:41 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/06/30 14:32:00 | 000,000,016 | ---- | C] () -- C:\WINDOWS\System32\jgldog11.dll
[2011/06/19 20:25:14 | 001,970,176 | ---- | C] () -- C:\WINDOWS\System32\vcmimm4.dll
[2011/06/19 20:25:13 | 000,695,578 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2011/06/19 20:25:13 | 000,002,282 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2011/05/22 07:58:29 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2011/05/22 07:53:21 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2010/03/11 21:21:24 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\usb.dat.bin
[2008/08/23 12:13:24 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\wklnhst.dat
[2008/05/02 21:43:27 | 000,002,521 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\NMM-MetaData.db
[2007/11/29 19:47:29 | 000,016,896 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/06/27 21:00:15 | 000,000,023 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\presets.ini
[2006/12/03 12:57:58 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\PFP120JPR.{PB
[2006/12/03 12:57:58 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\PFP120JCM.{PB
[2006/11/26 20:38:56 | 000,000,144 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\fusioncache.dat

========== ZeroAccess Check ==========

[2006/06/17 04:37:41 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 19:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 19:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >

#10 Charlie_Whisky

Posted 15 June 2013 - 08:46 AM

Gringo

I’ve been doing some background digging into my older protection logs, maybe some of this will help.

Back around 5-21 to 5-23, I was getting about 6-7 blocks per day in the log.

Then from 5-23 on, the number of blocks increased to 26, 27, 49, 72, 26 per day, etc.

In the 6-6 log, I found the following item:
2013/06/06 17:06:53 -0500 GW-5B4ED3A077 Owner DETECTION C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Temp\notepad.exe Trojan.Backdoor QUARANTINE

In the 6-8 log, I found the following item:

2013/06/08 08:33:08 -0500 GW-5B4ED3A077 Owner DETECTION C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Temp\notepad.exe Trojan.Backdoor QUARANTINE


In the 6-9 log, I found the following item:

2013/06/09 14:23:21 -0500 GW-5B4ED3A077 Owner DETECTION C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Temp\notepad.exe Trojan.Backdoor QUARANTINE

On each of these days, the number of blocks was up to around 100 to 200 blocks per day.

I remember seeing and deleting these quarantined items, and running scans to make sure the computer was malware free.

It was on 6-10 that the number of blocks blew up to several hundred per day, most of them being outgoing blocks to IP: 95.211.194.79

By 6-11, I was getting several hundred outgoing blocks to IP: 95.211.194.79

On 6-12, I started this topic.
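
The per-day tallying and the lining-up of DETECTION entries against block spikes that this post does by hand can be scripted. The following is an added Python example, not Malwarebytes code and not written by anyone in this thread: it parses protection-log lines of the shape quoted above (field layout inferred from those lines), counts blocks per day and direction, and flags days on which one destination was blocked outgoing repeatedly. The sample log is constructed from a few of the thread's own entries plus made-up timestamps, and the repeat-outgoing threshold is an assumption.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Line shapes this parser expects (inferred from the entries quoted in the thread):
#   2013/06/10 19:07:39 -0500 HOST USER IP-BLOCK 95.211.194.79 (Type: outgoing)
#   2013/06/06 17:06:53 -0500 HOST USER DETECTION <path> <threat> QUARANTINE
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) [+-]\d{4} "
    r"(?P<host>\S+) (?P<user>\S+) (?P<kind>IP-BLOCK|DETECTION|MESSAGE) (?P<rest>.*)$"
)
BLOCK_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<direction>incoming|outgoing)\)$")
# The quarantined path may contain spaces, so anchor on the last two tokens (threat, action).
DETECT_RE = re.compile(r"^(?P<path>.+) (?P<threat>\S+) (?P<action>QUARANTINE|DELETE|ALLOW)$")

@dataclass
class Event:
    date: str
    time: str
    kind: str                      # IP-BLOCK, DETECTION or MESSAGE
    ip: Optional[str] = None       # IP-BLOCK only
    direction: Optional[str] = None
    path: Optional[str] = None     # DETECTION only
    threat: Optional[str] = None

def parse_line(line: str) -> Optional[Event]:
    """Parse one protection-log line; return None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = Event(m["date"], m["time"], m["kind"])
    if ev.kind == "IP-BLOCK":
        b = BLOCK_RE.match(m["rest"])
        if not b:
            return None
        ev.ip, ev.direction = b["ip"], b["direction"]
    elif ev.kind == "DETECTION":
        d = DETECT_RE.match(m["rest"])
        if not d:
            return None
        ev.path, ev.threat = d["path"], d["threat"]
    return ev

def parse_log(lines: Iterable[str]) -> List[Event]:
    """Parse a whole log, skipping lines that are not protection-log entries."""
    return [ev for ev in (parse_line(ln) for ln in lines) if ev is not None]

def daily_block_counts(events: List[Event]) -> Dict[str, Dict[str, int]]:
    """Blocks per day split by direction: the tally the post above made by hand."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"incoming": 0, "outgoing": 0})
    for ev in events:
        if ev.kind == "IP-BLOCK":
            counts[ev.date][ev.direction] += 1
    return dict(counts)

def top_outgoing(events: List[Event], n: int = 5) -> List[Tuple[str, int]]:
    """Most frequently blocked outgoing destinations across the whole log."""
    c = Counter(ev.ip for ev in events if ev.kind == "IP-BLOCK" and ev.direction == "outgoing")
    return c.most_common(n)

def flag_repeat_outgoing(events: List[Event], min_hits: int = 3) -> List[Tuple[str, str, int]]:
    """(date, ip, count) for days on which one destination was blocked outgoing at least
    min_hits times (threshold is an assumption). Scattered incoming blocks are mostly
    unsolicited inbound traffic; a process on the host repeatedly trying to reach one
    blocked address is the pattern worth chasing (compare 95.211.194.79 in this thread)."""
    per_day: Counter = Counter()
    for ev in events:
        if ev.kind == "IP-BLOCK" and ev.direction == "outgoing":
            per_day[(ev.date, ev.ip)] += 1
    flagged = [(d, ip, n) for (d, ip), n in per_day.items() if n >= min_hits]
    return sorted(flagged, key=lambda t: (-t[2], t[0], t[1]))

def detections(events: List[Event]) -> List[Tuple[str, str, str]]:
    """(date, path, threat) for every DETECTION line, to line up against block spikes."""
    return [(ev.date, ev.path, ev.threat) for ev in events if ev.kind == "DETECTION"]

# Constructed sample: a few entries from the thread, made-up timestamps, and one junk line.
SAMPLE_LINES = [
    r"2013/06/09 14:23:21 -0500 GW-5B4ED3A077 Owner DETECTION C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Local Settings\Temp\notepad.exe Trojan.Backdoor QUARANTINE",
    "2013/06/10 19:07:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)",
    "2013/06/10 19:08:02 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)",
    "2013/06/10 19:08:40 -0500 GW-5B4ED3A077 Owner IP-BLOCK 95.211.194.79 (Type: outgoing)",
    "2013/06/10 20:01:11 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)",
    "2013/06/15 06:21:45 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection",
    "2013/06/15 06:39:54 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing)",
    "2013/06/15 07:37:22 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)",
    "2013/06/15 07:37:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)",
    "2013/06/15 15:24:01 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing)",
    "this line is not a protection-log entry",
]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LINES)
    for day, c in sorted(daily_block_counts(evs).items()):
        print(day, c)
    print("repeat outgoing:", flag_repeat_outgoing(evs))
    print("detections:", detections(evs))
```

Point it at a real protection log with `parse_log(open(path, encoding="utf-8", errors="replace"))`; a day whose flagged destination coincides with a DETECTION entry for the same period is the first thing to hand to whoever is helping with cleanup.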

#11 gringo_pr

Posted 15 June 2013 - 02:41 PM


Hello Charlie_Whisky

I would like you to run this custom script for me now and when it is complete please give me the report and a status update for the computer.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the text box.
    :OTL
    FF - HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17: C:\Program Files\Veetle\VLCBroadcast\npvbp.dll File not found
    FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll File not found
    FF - HKCU\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine: C:\Documents and Settings\Owner.YOUR-5B4ED3A077\Application Data\nprhapengine.dll File not found
    O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O4 - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006..\Run: [Power2GoExpress] NA File not found
    O9 - Extra Button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found
    O9 - Extra 'Tools' menuitem : Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx...owserPlugin.cab (Reg Error: Key error.)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: vzTCPConfig http://my.verizon.co...vzTCPConfig.CAB (Reg Error: Key error.)
    O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found
    IE - HKU\S-1-5-21-1542910684-3637753515-2293041949-1006\..\SearchScopes\{E2297ECC-2E67-4A3C-9426-2413485D513B}: "URL" = http://www.blinkx.co...y={searchTerms}
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    [reboot]
    
  • Then click the Run Fix button at the top.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

    Note** if the report does not pop up after the computer reboots, you can find it in this folder - C:\_OTL\MovedFiles

    It will be named - mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss - are numbers representing the date and time the fix was run.

Let me know how things are doing.

Gringo


William Rowland
Product Support


#12 Charlie_Whisky

Posted 15 June 2013 - 04:51 PM

Hello Gringo

The report log for the custom scan is at the end of this post.

I ran the custom scan via OTL.exe without incident.

The report didn’t pop up after the reboot, but I found it located where you said it would be.

FEEDBACK how is the computer working now??

1) While preparing this post, I saw MBAM pop up with any block; here’s the whole log for today (repeating the start of the log from my previous post today):

2013/06/15 06:21:45 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/15 06:21:45 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully
2013/06/15 06:21:45 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/15 06:23:13 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully
2013/06/15 06:39:54 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing)
2013/06/15 06:55:10 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing)
2013/06/15 07:22:42 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.55.219 (Type: incoming)
2013/06/15 07:24:57 -0500 GW-5B4ED3A077 Owner IP-BLOCK 109.163.233.156 (Type: outgoing)
2013/06/15 07:37:22 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)
2013/06/15 07:37:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)
2013/06/15 07:37:52 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)
2013/06/15 07:37:53 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)
2013/06/15 07:38:03 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)
2013/06/15 07:38:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)
2013/06/15 07:40:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.247.182.246 (Type: incoming)
2013/06/15 08:01:44 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)
2013/06/15 08:01:45 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)
2013/06/15 08:13:37 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)
2013/06/15 08:13:37 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.202 (Type: incoming)
2013/06/15 08:41:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.241.202.53 (Type: incoming)
2013/06/15 08:41:40 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.241.202.53 (Type: incoming)
2013/06/15 08:42:58 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.87.55 (Type: outgoing)
2013/06/15 08:52:12 -0500 GW-5B4ED3A077 Owner IP-BLOCK 80.82.65.249 (Type: incoming)
2013/06/15 08:57:02 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.8.123.214 (Type: outgoing)
2013/06/15 08:59:35 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.220.250 (Type: incoming)
2013/06/15 09:03:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.96.53 (Type: incoming)
2013/06/15 09:06:49 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.117.178.203 (Type: incoming)
2013/06/15 09:10:25 -0500 GW-5B4ED3A077 Owner IP-BLOCK 78.26.179.231 (Type: outgoing)
2013/06/15 09:12:16 -0500 GW-5B4ED3A077 Owner IP-BLOCK 195.161.7.23 (Type: incoming)
2013/06/15 09:12:51 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.43.233 (Type: incoming)
2013/06/15 09:56:20 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.113.96 (Type: incoming)
2013/06/15 10:08:53 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.61.113 (Type: incoming)
2013/06/15 10:09:11 -0500 GW-5B4ED3A077 Owner IP-BLOCK 219.153.135.2 (Type: outgoing)
2013/06/15 10:20:20 -0500 GW-5B4ED3A077 Owner IP-BLOCK 194.165.0.6 (Type: incoming)
2013/06/15 10:25:32 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.220.250 (Type: outgoing)
2013/06/15 10:44:26 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.188.45.202 (Type: incoming)
2013/06/15 10:54:29 -0500 GW-5B4ED3A077 Owner IP-BLOCK 194.143.137.109 (Type: incoming)
2013/06/15 10:55:51 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.237.250 (Type: incoming)
2013/06/15 11:12:37 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.33.170 (Type: incoming)
2013/06/15 11:22:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.54.182 (Type: outgoing)
2013/06/15 11:37:21 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.215.119 (Type: incoming)
2013/06/15 11:39:05 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.85.239 (Type: incoming)
2013/06/15 12:45:15 -0500 GW-5B4ED3A077 Owner IP-BLOCK 94.102.56.145 (Type: incoming)
2013/06/15 12:46:44 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.220.250 (Type: incoming)
2013/06/15 12:52:08 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.111.169 (Type: incoming)
2013/06/15 12:52:51 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.117.183.228 (Type: outgoing)
2013/06/15 12:57:14 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.54.54 (Type: incoming)
2013/06/15 13:08:05 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.49.135 (Type: outgoing)
2013/06/15 13:21:51 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.220.250 (Type: outgoing)
2013/06/15 13:37:57 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.22.97 (Type: incoming)
2013/06/15 14:02:55 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.61.4 (Type: incoming)
2013/06/15 14:08:57 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.120.109.123 (Type: outgoing)
2013/06/15 14:09:16 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.99.216 (Type: outgoing)
2013/06/15 14:42:08 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.195.11.143 (Type: incoming)
2013/06/15 14:47:37 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.214.44.200 (Type: incoming)
2013/06/15 14:53:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 85.234.175.115 (Type: outgoing)
2013/06/15 15:07:28 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.220.250 (Type: outgoing)
2013/06/15 15:08:12 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.44.204 (Type: outgoing)
2013/06/15 15:08:17 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.40.176 (Type: outgoing)
2013/06/15 15:24:01 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing)
2013/06/15 15:25:58 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.38.220 (Type: incoming)
2013/06/15 15:39:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.188.33.97 (Type: incoming)
2013/06/15 15:53:52 -0500 GW-5B4ED3A077 Owner IP-BLOCK 46.108.226.217 (Type: outgoing)
2013/06/15 15:53:53 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.63.60 (Type: outgoing)
2013/06/15 15:54:49 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.16.139 (Type: incoming)
2013/06/15 16:00:31 -0500 GW-5B4ED3A077 Owner IP-BLOCK 37.229.128.3 (Type: incoming)
2013/06/15 16:07:38 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.224.50 (Type: outgoing)
2013/06/15 16:16:31 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.7.157 (Type: incoming)
2013/06/15 16:23:55 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/15 16:23:55 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully
2013/06/15 16:23:55 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/15 16:25:14 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully
2013/06/15 16:28:57 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.58.146 (Type: incoming)
2013/06/15 16:28:58 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.58.146 (Type: incoming)

At least post-reboot after 16:25 the only two blocks are incoming blocks. **

2) No iexplore.exe versions running as processes when IE is not open.

3) When IE is open, it still doesn’t show images/pictures.

p.s., ** looks like I spoke too soon! After opening up IE to make this post on the forum, a few more blocks popped up, including two outgoing blocks:

2013/06/15 16:42:42 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.102 (Type: outgoing)
2013/06/15 16:42:58 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.58.146 (Type: incoming)
2013/06/15 16:42:59 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.58.146 (Type: incoming)
2013/06/15 16:43:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.42.82 (Type: outgoing)


REPORT FOR Custom Scan (06152013_161917.log)

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}\ deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-1542910684-3637753515-2293041949-1006\Software\Microsoft\Windows\CurrentVersion\Run\\Power2GoExpress deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}\ not found.
Starting removal of ActiveX control {67DABFBF-D0AB-41FA-9C46-CC0F21721616}
C:\WINDOWS\Downloaded Program Files\DivXPlugin.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Starting removal of ActiveX control vzTCPConfig
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\vzTCPConfig\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\vzTCPConfig\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\vzTCPConfig\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\skype-ie-addon-data\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91774881-D725-4E58-B298-07617B9B86A8}\ deleted successfully.
File {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found not found.
Registry key HKEY_USERS\S-1-5-21-1542910684-3637753515-2293041949-1006\Software\Microsoft\Internet Explorer\SearchScopes\{E2297ECC-2E67-4A3C-9426-2413485D513B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2297ECC-2E67-4A3C-9426-2413485D513B}\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\OTL\cmd.bat deleted successfully.
C:\Documents and Settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\OTL\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: Owner

User: Owner.YOUR-5B4ED3A077
->Java cache emptied: 53525803 bytes

User: OWNER~1~YOU

Total Java Files Cleaned = 51.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: Owner

User: Owner.YOUR-5B4ED3A077
->Flash cache emptied: 2608374 bytes

User: OWNER~1~YOU

Total Flash Files Cleaned = 2.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 06152013_161917

#13 gringo_pr

Posted 15 June 2013 - 08:09 PM




Hello Charlie_Whisky

Malwarebytes Anti-Rootkit

1. Download Malwarebytes Anti-Rootkit
2. Unzip the contents to a folder in a convenient location.
3. Open the folder where the contents were unzipped and run mbar.exe
4. Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
5. Click on the Cleanup button to remove any threats and reboot if prompted to do so.
6. Wait while the system shuts down and the cleanup process is performed.
7. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
8. If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
  • Internet access
  • Windows Update
  • Windows Firewall
9. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.
10. Verify that your system is now functioning normally.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

When you are finished, please send me both reports.

Gringo



William Rowland
Product Support


#14 Charlie_Whisky

Posted 16 June 2013 - 09:42 PM

Hello Gringo

1) I ran the Malwarebytes Anti-Rootkit (MAR) as instructed.

When trying to do the update, there was an error message: “Failed MBAM IO::writefile”

MAR found two pieces of malware and I checked clean and report.

But on reboot there was no log file (“MBAR-log ___”). There was a system-log file, which is at the end of this post.

I reran MAR and again, when doing the update, there was the same error message: “Failed MBAM IO::writefile”

This second time MAR found nothing: “Scan finished, no malware found”

I have internet access, but with IE, images and pictures associated with buttons etc. are still all blank or red Xs.

I ran the fixdamage.exe but this didn’t change the above issue with IE.

2) I ran aswMBR.exe after allowing updates; it didn’t appear to find anything; the report is at the end of this post.

FEEDBACK: No significant change from the past few days; I still have multiple incoming and outgoing blocks.

Here’s the entire MBAM protection log for today:

2013/06/16 06:44:59 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/16 06:44:59 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully
2013/06/16 06:44:59 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/16 06:45:41 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully
2013/06/16 07:26:43 -0500 GW-5B4ED3A077 Owner IP-BLOCK 94.242.205.235 (Type: incoming)
2013/06/16 07:29:45 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.108.96 (Type: incoming)
2013/06/16 08:05:44 -0500 GW-5B4ED3A077 Owner IP-BLOCK 124.125.251.183 (Type: outgoing)
2013/06/16 08:15:35 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.224.57 (Type: incoming)
2013/06/16 08:19:58 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.78.229 (Type: outgoing)
2013/06/16 08:34:40 -0500 GW-5B4ED3A077 Owner IP-BLOCK 178.152.5.238 (Type: outgoing)
2013/06/16 08:51:33 -0500 GW-5B4ED3A077 Owner IP-BLOCK 178.90.91.170 (Type: outgoing)
2013/06/16 09:04:44 -0500 GW-5B4ED3A077 Owner IP-BLOCK 219.153.94.46 (Type: outgoing)
2013/06/16 09:05:28 -0500 GW-5B4ED3A077 Owner IP-BLOCK 124.125.251.183 (Type: outgoing)
2013/06/16 09:09:13 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: incoming)
2013/06/16 09:20:19 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.127.39 (Type: outgoing)
2013/06/16 09:35:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.95.88 (Type: outgoing)
2013/06/16 09:35:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.58.32 (Type: outgoing)
2013/06/16 09:35:55 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.78.229 (Type: outgoing)
2013/06/16 09:35:57 -0500 GW-5B4ED3A077 Owner IP-BLOCK 124.125.251.183 (Type: outgoing)
2013/06/16 09:51:53 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.237.238 (Type: outgoing)
2013/06/16 10:07:28 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.42.59 (Type: outgoing)
2013/06/16 10:13:13 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.234.227 (Type: incoming)
2013/06/16 10:23:15 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.7.204.11 (Type: outgoing)
2013/06/16 10:23:59 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.237.238 (Type: outgoing)
2013/06/16 10:31:40 -0500 GW-5B4ED3A077 Owner IP-BLOCK 213.55.114.175 (Type: incoming)
2013/06/16 10:36:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 41.203.81.234 (Type: incoming)
2013/06/16 10:40:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.38.190 (Type: outgoing)
2013/06/16 10:54:02 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.60.45 (Type: outgoing)
2013/06/16 10:55:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.17.130 (Type: outgoing)
2013/06/16 11:07:43 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.103.213 (Type: outgoing)
2013/06/16 11:21:42 -0500 GW-5B4ED3A077 Owner IP-BLOCK 222.186.79.125 (Type: incoming)
2013/06/16 11:45:41 -0500 GW-5B4ED3A077 Owner IP-BLOCK 188.95.51.205 (Type: incoming)
2013/06/16 12:07:45 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: incoming)
2013/06/16 12:07:52 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: incoming)
2013/06/16 12:20:21 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.237.238 (Type: outgoing)
2013/06/16 12:27:41 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.49.139 (Type: incoming)
2013/06/16 12:36:01 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.58.50 (Type: outgoing)
2013/06/16 12:36:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.50.27 (Type: outgoing)
2013/06/16 12:36:15 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.3.122 (Type: outgoing)
2013/06/16 13:08:26 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.75.73 (Type: outgoing)
2013/06/16 13:39:13 -0500 GW-5B4ED3A077 Owner IP-BLOCK 213.186.115.249 (Type: outgoing)
2013/06/16 14:07:51 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.24.162 (Type: incoming)
2013/06/16 14:52:48 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.159.32 (Type: outgoing)
2013/06/16 14:53:11 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.248.172.103 (Type: incoming)
2013/06/16 14:53:29 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.237.238 (Type: outgoing)
2013/06/16 15:16:56 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.59.77 (Type: incoming)
2013/06/16 15:28:03 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: incoming)
2013/06/16 15:28:15 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: incoming)
2013/06/16 15:37:15 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.188.37.145 (Type: outgoing)
2013/06/16 15:54:56 -0500 GW-5B4ED3A077 Owner IP-BLOCK 188.130.177.20 (Type: incoming)
2013/06/16 16:08:58 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: incoming)
2013/06/16 16:13:52 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/16 16:13:52 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully
2013/06/16 16:13:52 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/16 16:14:55 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully
2013/06/16 16:16:00 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.34.13 (Type: outgoing)
2013/06/16 16:30:48 -0500 GW-5B4ED3A077 Owner IP-BLOCK 188.95.51.205 (Type: incoming)
2013/06/16 16:51:43 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/16 16:51:44 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully
2013/06/16 16:51:44 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/16 16:53:10 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully
2013/06/16 16:57:35 -0500 GW-5B4ED3A077 Owner IP-BLOCK 77.78.209.9 (Type: incoming)
2013/06/16 17:23:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.51.192 (Type: outgoing)
2013/06/16 17:23:16 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.117.164.173 (Type: outgoing)
2013/06/16 17:38:40 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.237.238 (Type: outgoing)
2013/06/16 18:09:34 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.88.83 (Type: incoming)
2013/06/16 18:23:20 -0500 GW-5B4ED3A077 Owner IP-BLOCK 178.152.3.227 (Type: outgoing)
2013/06/16 18:36:09 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.174.95.180 (Type: incoming)
2013/06/16 18:38:30 -0500 GW-5B4ED3A077 Owner IP-BLOCK 195.161.127.130 (Type: outgoing)
2013/06/16 18:51:08 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.37.163 (Type: outgoing)
2013/06/16 19:21:56 -0500 GW-5B4ED3A077 Owner IP-BLOCK 124.125.251.183 (Type: outgoing)
2013/06/16 19:24:45 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.192.35 (Type: incoming)
2013/06/16 19:32:46 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.65.200 (Type: incoming)
2013/06/16 19:36:17 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.14.165 (Type: outgoing)
2013/06/16 19:46:37 -0500 GW-5B4ED3A077 Owner MESSAGE Starting database refresh
2013/06/16 19:46:37 -0500 GW-5B4ED3A077 Owner MESSAGE Stopping IP protection
2013/06/16 19:46:37 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection stopped successfully
2013/06/16 19:46:50 -0500 GW-5B4ED3A077 Owner MESSAGE Database refreshed successfully
2013/06/16 19:46:50 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/16 19:47:26 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully
2013/06/16 21:05:03 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.14.165 (Type: outgoing)
2013/06/16 21:28:37 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.88.83 (Type: incoming)
2013/06/16 21:35:50 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.241.140.50 (Type: outgoing)



MAR system-log Report

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1003

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_24

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, H:\ DRIVE_FIXED
CPU speed: 1.596000 GHz
Memory total: 2011205632, free: 1187840000

------------ Kernel report ------------
06/15/2013 21:02:54
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
ohci1394.sys
\WINDOWS\system32\DRIVERS\1394BUS.SYS
compbatt.sys
\WINDOWS\system32\DRIVERS\BATTC.SYS
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
aliide.sys
intelide.sys
toside.sys
viaide.sys
cmdide.sys
pcmcia.sys
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
ACPIEC.sys
\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
PartMgr.sys
VolSnap.sys
cpqarray.sys
\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
atapi.sys
aha154x.sys
sparrow.sys
symc810.sys
aic78xx.sys
dac960nt.sys
ql10wnt.sys
amsint.sys
asc.sys
asc3550.sys
mraid35x.sys
i2omp.sys
ini910u.sys
ql1240.sys
aic78u2.sys
symc8xx.sys
sym_hi.sys
sym_u3.sys
ABP480N5.SYS
asc3350p.sys
cd20xrnt.sys
ultra.sys
adpu160m.sys
dpti2o.sys
ql1080.sys
ql1280.sys
ql12160.sys
perc2.sys
perc2hib.sys
hpn.sys
cbidf2k.sys
dac2w2k.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
SYMDS.SYS
sr.sys
SYMEFA.SYS
KSecDD.sys
WudfPf.sys
Ntfs.sys
NDIS.sys
sisagp.sys
viaagp.sys
Mup.sys
alim1541.sys
amdagp.sys
agp440.sys
agpCPQ.sys
\SystemRoot\system32\DRIVERS\nic1394.sys
\SystemRoot\system32\DRIVERS\AmdK8.sys
\SystemRoot\system32\DRIVERS\ati2mtag.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\yk51x86.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\drivers\tifm21.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\drivers\nchssvad.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\SymIM.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\smserial.sys
\SystemRoot\System32\Drivers\Modem.SYS
\SystemRoot\System32\Drivers\i2omgmt.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\drivers\N360\1403010.016\ccSetx86.sys
\SystemRoot\system32\drivers\N360\1403010.016\Ironx86.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\??\C:\WINDOWS\system32\drivers\avgtpx86.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\drivers\usbaudio.sys
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\BrScnUsb.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\Drivers\BrUsbSer.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\BrSerIf.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\System32\Drivers\N360\1403010.016\SYMTDI.SYS
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
\SystemRoot\system32\DRIVERS\arp1394.sys
\??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\IPSDefs\20130614.001\IDSxpx86.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\drivers\N360\1403010.016\SRTSPX.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\BASHDefs\20130531.001\BHDrvx86.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ati2dvag.dll
\SystemRoot\System32\ati2cqag.dll
\SystemRoot\System32\atikvmag.dll
\SystemRoot\System32\atiok3x2.dll
\SystemRoot\System32\ati3duag.dll
\SystemRoot\System32\ativvaxx.dll
\SystemRoot\System32\ATMFD.DLL
\??\C:\WINDOWS\system32\drivers\mbam.sys
\SystemRoot\system32\DRIVERS\AegisP.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\srv.sys
\??\C:\WINDOWS\system32\drivers\pmemnt.sys
\SystemRoot\System32\DRIVERS\ipfltdrv.sys
\SystemRoot\System32\Drivers\N360\1403010.016\SRTSP.SYS
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\system32\DRIVERS\asyncmac.sys
\??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\VirusDefs\20130615.008\NAVEX15.SYS
\??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\VirusDefs\20130615.008\NAVENG.SYS
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\48230029.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1003

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_24

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, H:\ DRIVE_FIXED
CPU speed: 1.595000 GHz
Memory total: 2011205632, free: 1567211520


aswMBR REPORT

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-06-16 17:01:56
-----------------------------
17:01:56.718 OS Version: Windows 5.1.2600 Service Pack 3
17:01:56.718 Number of processors: 2 586 0x4802
17:01:56.718 ComputerName: GW-5B4ED3A077 UserName: Owner
17:02:24.015 Initialize success
17:02:24.593 write error "aswCmnB.dll". The process cannot access the file because it is being used by another process.
17:33:19.265 AVAST engine defs: 13061300
19:21:24.343 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
19:21:24.359 Disk 0 Vendor: ST9160821A 3.ALC Size: 152627MB BusType: 3
19:21:24.562 Disk 0 MBR read successfully
19:21:24.562 Disk 0 MBR scan
19:21:24.593 Disk 0 unknown MBR code
19:21:24.609 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 145612 MB offset 14346045
19:21:24.609 Disk 0 Partition 2 00 0B FAT32 RECOVERY 7004 MB offset 63
19:21:24.625 Disk 0 scanning sectors +312560640
19:21:24.843 Disk 0 scanning C:\WINDOWS\system32\drivers
19:21:40.109 Service scanning
19:22:08.000 Modules scanning
19:22:22.203 Disk 0 trace - called modules:
19:22:22.265 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
19:22:22.281 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a658ab8]
19:22:22.296 3 CLASSPNP.SYS[ba188fd7] -> nt!IofCallDriver -> \Device\000000b2[0x8a682350]
19:22:22.312 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8a680940]
19:22:22.781 AVAST engine scan C:\WINDOWS
19:22:51.546 AVAST engine scan C:\WINDOWS\system32
19:26:40.171 AVAST engine scan C:\WINDOWS\system32\drivers
19:27:05.546 AVAST engine scan C:\Documents and Settings\Owner.YOUR-5B4ED3A077
19:38:46.156 AVAST engine scan C:\Documents and Settings\All Users
19:41:59.828 Scan finished successfully
19:43:32.687 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\aswMBR\MBR.dat"
19:43:32.703 The log file has been saved successfully to "C:\Documents and Settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\aswMBR\aswMBR6-16-2013.txt"
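The aswMBR report above says "Disk 0 unknown MBR code" and then saves the sector to MBR.dat. That message means the boot code did not match a signature the tool knows, not that it is malicious, so a responder verifies the saved sector by hand. The following is an added example, not code from the thread, from Malwarebytes or from AVAST: a parser for the 512-byte MBR that decodes the four partition slots, hashes the 446 bytes of boot code for comparison against a known-good copy, and applies the structural checks (boot signature, one active partition, no overlap, nothing past the end of the disk). The sample sector is constructed to mirror the layout aswMBR reported (active NTFS at LBA 14346045, 145612 MB; FAT32 recovery at LBA 63, 7004 MB); its boot-code bytes and CHS fields are placeholders, `DISK_SECTORS` is taken from the "scanning sectors +312560640" line, and the known-good hash set is deliberately left empty because that value has to come from a trusted image of the same OS build.

```python
"""Decode a 512-byte MBR such as the MBR.dat aswMBR saves, and apply the
checks a responder makes before trusting a disk's boot sector
(added example, not code from the thread or from aswMBR)."""
import hashlib
import struct

SECTOR = 512
TABLE_OFF = 446                  # boot code occupies bytes 0..445
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xAA"

# Well-known partition type IDs (subset).
PART_TYPES = {0x00: "empty", 0x05: "Extended", 0x07: "HPFS/NTFS", 0x0B: "FAT32",
              0x0C: "FAT32 LBA", 0x0F: "Extended LBA", 0x82: "Linux swap", 0x83: "Linux"}


def parse_mbr(sector):
    """Return boot-signature state, SHA-256 of the boot code and the used partition slots."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    parts = []
    for slot in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFF + 16 * slot)
        if ptype == 0 and count == 0:
            continue                              # unused slot
        parts.append({"index": slot + 1, "status": status, "bootable": status == 0x80,
                      "type": ptype, "type_name": PART_TYPES.get(ptype, f"0x{ptype:02X}"),
                      "lba_start": lba, "sectors": count,
                      "size_mb": count * SECTOR // (1024 * 1024)})
    return {"signature_ok": sector[510:512] == BOOT_SIG,
            "boot_code_sha256": hashlib.sha256(sector[:TABLE_OFF]).hexdigest(),
            "partitions": parts}


def sanity_checks(mbr, disk_sectors, known_good=frozenset()):
    """Structural findings (empty list means nothing odd).  `known_good` is a set of
    boot-code hashes taken from a trusted image of the same OS/OEM build; it is
    empty by default because that value must come from your own reference disk."""
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    parts = mbr["partitions"]
    active = [p["index"] for p in parts if p["bootable"]]
    if len(active) > 1:
        findings.append(f"more than one active partition: {active}")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02X}")
        if p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append(f"partition {p['index']}: extends past end of disk")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    if known_good and mbr["boot_code_sha256"] not in known_good:
        findings.append("unknown MBR code (boot code hash not in known-good set)")
    return findings


def build_sample_mbr():
    """Constructed sector mirroring the layout aswMBR reported in this thread:
    slot 1 active NTFS at LBA 14346045 (145612 MB), slot 2 FAT32 at LBA 63 (7004 MB).
    Boot code is zero filler and CHS fields are the usual 0xFEFFFF markers; both are
    placeholders, not bytes from the poster's disk."""
    boot_code = b"\x00" * TABLE_OFF
    table = struct.pack(ENTRY_FMT, 0x80, b"\xFE\xFF\xFF", 0x07, b"\xFE\xFF\xFF", 14346045, 145612 * 2048)
    table += struct.pack(ENTRY_FMT, 0x00, b"\xFE\xFF\xFF", 0x0B, b"\xFE\xFF\xFF", 63, 7004 * 2048)
    table += b"\x00" * 32                         # two unused slots
    return boot_code + table + BOOT_SIG


DISK_SECTORS = 312560640   # "scanning sectors +312560640" in the aswMBR report above

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(data)
    for p in info["partitions"]:
        print(f"slot {p['index']}: {'active' if p['bootable'] else '      '} "
              f"{p['type_name']:<12} LBA {p['lba_start']:>10} {p['size_mb']:>8} MB")
    print("boot code sha256:", info["boot_code_sha256"])
    print("findings:", sanity_checks(info, DISK_SECTORS) or "none")
```

Saved as, say, mbr_check.py (a name chosen here), it runs against the file aswMBR wrote with `python mbr_check.py MBR.dat`. Two caveats: OEM recovery tools and disk managers write their own boot code, so the hash must be compared with an MBR from the same build, not a generic Windows XP one; and a bootkit can also hide by hooking the disk stack rather than by leaving odd bytes on disk, which is what aswMBR's "Disk 0 trace - called modules" line is for. In the report above that chain (ntkrnlpa.exe, CLASSPNP.SYS, disk.sys, ACPI.sys, hal.dll, atapi.sys, pciide.sys, PCIIDEX.SYS) contains only Microsoft storage-stack drivers, which is what you want to see.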
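The protection logs posted in this thread are long enough that reading them by eye hides the pattern that matters: incoming blocks are unsolicited traffic arriving from the internet, while outgoing blocks are connection attempts a local process made, so repeated outgoing attempts to the same address are the beacon-like behaviour to trace back to a process. The following is an added example, not code from the thread or from Malwarebytes: a parser for the 1.x protection-log line format (both the single-space layout of the post above and the space-padded layout of the later post) that counts blocks per direction, lists outgoing destinations that recur, and lists outgoing blocks after a cut-off time, which is the question the poster raises later about blocks continuing after ComboFix finished. The sample lines are copied from the logs in this thread; the cut-off time is an arbitrary value chosen for the demo.

```python
"""Triage a Malwarebytes 1.x protection log (added example, not from the thread).

Splits IP-BLOCK records by direction, finds outgoing destinations that recur,
and lists outgoing blocks after a cut-off time such as the moment a cleanup
tool finished."""
import re
from collections import Counter
from datetime import datetime

# One record: date time tz host user kind rest.  Field separators vary between
# the two logs in the thread (single spaces vs. runs of spaces/tabs), so \s+.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<tz>[+-]\d{4})\s+"
    r"(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<kind>IP-BLOCK|MESSAGE)\s+(?P<rest>.*)$"
)
BLOCK_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\(Type:\s*(?P<dir>incoming|outgoing)\)"
)


def parse_log(text):
    """Return a list of event dicts; lines that do not parse are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']} {m['tz']}",
                               "%Y/%m/%d %H:%M:%S %z")
        if m["kind"] == "MESSAGE":
            events.append({"ts": ts, "kind": "MESSAGE", "text": m["rest"].strip()})
            continue
        b = BLOCK_RE.match(m["rest"])
        if b:
            events.append({"ts": ts, "kind": "IP-BLOCK", "ip": b["ip"], "dir": b["dir"]})
    return events


def summarize(events, repeat_threshold=3):
    """Counts per direction plus outgoing destinations hit at least `repeat_threshold` times."""
    per_dir = {"incoming": Counter(), "outgoing": Counter()}
    for e in events:
        if e["kind"] == "IP-BLOCK":
            per_dir[e["dir"]][e["ip"]] += 1
    return {
        "incoming": sum(per_dir["incoming"].values()),
        "outgoing": sum(per_dir["outgoing"].values()),
        "top_outgoing": per_dir["outgoing"].most_common(5),
        "repeat_outgoing": [(ip, n) for ip, n in per_dir["outgoing"].most_common()
                            if n >= repeat_threshold],
    }


def outgoing_after(events, cutoff):
    """(timestamp, ip) for every outgoing block strictly after `cutoff` (tz-aware)."""
    return [(e["ts"], e["ip"]) for e in events
            if e["kind"] == "IP-BLOCK" and e["dir"] == "outgoing" and e["ts"] > cutoff]


# Sample input: lines copied from the protection logs posted in this thread.
# The last line keeps the space-padded layout of the later post to show the
# parser handles both.
SAMPLE_LOG = """\
2013/06/16 06:44:59 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/16 07:26:43 -0500 GW-5B4ED3A077 Owner IP-BLOCK 94.242.205.235 (Type: incoming)
2013/06/16 08:05:44 -0500 GW-5B4ED3A077 Owner IP-BLOCK 124.125.251.183 (Type: outgoing)
2013/06/16 09:05:28 -0500 GW-5B4ED3A077 Owner IP-BLOCK 124.125.251.183 (Type: outgoing)
2013/06/16 09:35:57 -0500 GW-5B4ED3A077 Owner IP-BLOCK 124.125.251.183 (Type: outgoing)
2013/06/16 09:51:53 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.237.238 (Type: outgoing)
2013/06/16 10:23:59 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.237.238 (Type: outgoing)
2013/06/16 12:07:45 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: incoming)
2013/06/16 12:07:52 -0500 GW-5B4ED3A077 Owner IP-BLOCK 93.114.44.187 (Type: incoming)
2013/06/16 19:21:56 -0500 GW-5B4ED3A077 Owner IP-BLOCK 124.125.251.183 (Type: outgoing)
2013/06/17 22:01:57 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         98.142.247.246 (Type: outgoing)
"""

# Assumed cut-off for the demo (the thread's real reference point is when
# ComboFix finished, 21:43 on 06/17).
CUTOFF = datetime.strptime("2013/06/16 12:00:00 -0500", "%Y/%m/%d %H:%M:%S %z")

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(summarize(ev))
    for ts, ip in outgoing_after(ev, CUTOFF):
        print(ts.isoformat(), ip)
```

Run over the full log in the post above, the repeats stand out immediately: 58.240.237.238 is blocked outgoing five times through the day (09:51, 10:23, 12:20, 14:53, 17:38) and 124.125.251.183 four times. Those are the attempts to attribute next; on XP, `netstat -bno` run as administrator shows the executable and PID that owns each connection attempt, which is the step that turns a blocked address into a file to remove.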

#15 gringo_pr (Staff / Moderator, 9,601 posts)

Posted 16 June 2013 - 09:49 PM


Create and Run Batch File
Open Notepad and copy/paste the entire contents of the codebox below, into Notepad:
@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
start Log1.txt
del %0
Save this as router.bat (choose Save as type: All Files, and save it to the Desktop), then close the Notepad file.

Double-click on router.bat to run it. It will open Notepad when done; please post back the results.
gringo

William Rowland
Product Support


#16 Charlie_Whisky (New Member, 19 posts)

Posted 17 June 2013 - 08:17 PM

Gringo, here it is:

Windows IP Configuration

        Host Name . . . . . . . . . . . . : GW-5B4ED3A077
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : home

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home
        Description . . . . . . . . . . . : Marvell Yukon 88E8038 PCI-E Fast Ethernet Controller
        Physical Address. . . . . . . . . : 00-E0-B8-B9-C5-78
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
        Lease Obtained. . . . . . . . . . : Monday, June 17, 2013 8:04:39 PM
        Lease Expires . . . . . . . . . . : Tuesday, June 18, 2013 8:04:39 PM

Server:  myrouter.home
Address:  192.168.1.1

Name:    google.com
Addresses:  74.125.227.103, 74.125.227.97, 74.125.227.100, 74.125.227.98
   74.125.227.104, 74.125.227.101, 74.125.227.99, 74.125.227.96, 74.125.227.105
   74.125.227.102, 74.125.227.110

Server:  myrouter.home
Address:  192.168.1.1

Name:    yahoo.com
Addresses:  98.139.183.24, 206.190.36.45, 98.138.253.109

Pinging google.com [74.125.227.132] with 32 bytes of data:

Reply from 74.125.227.132: bytes=32 time=9ms TTL=57
Reply from 74.125.227.132: bytes=32 time=7ms TTL=57

Ping statistics for 74.125.227.132:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 7ms, Maximum = 9ms, Average = 8ms

Pinging yahoo.com [206.190.36.45] with 32 bytes of data:

Reply from 206.190.36.45: bytes=32 time=63ms TTL=51
Reply from 206.190.36.45: bytes=32 time=61ms TTL=51

Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 61ms, Maximum = 63ms, Average = 62ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 e0 b8 b9 c5 78 ...... Marvell Yukon 88E8038 PCI-E Fast Ethernet Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.2   20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1   1
      169.254.0.0      255.255.0.0      192.168.1.2     192.168.1.2   20
      192.168.1.0    255.255.255.0      192.168.1.2     192.168.1.2   20
      192.168.1.2  255.255.255.255        127.0.0.1       127.0.0.1   20
    192.168.1.255  255.255.255.255      192.168.1.2     192.168.1.2   20
        224.0.0.0        240.0.0.0      192.168.1.2     192.168.1.2   20
  255.255.255.255  255.255.255.255      192.168.1.2     192.168.1.2   1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None
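The batch file in post #15 collects resolver, gateway and routing data because changing the DNS server a PC uses is a common way malware redirects every site the victim visits, and the output in post #16 is what you check that against. The following is an added example, not code from the thread: a parser for `ipconfig /all` output that pulls each adapter's address, mask, DHCP and DNS settings and flags resolvers or DHCP servers that lie outside the adapter's own subnet. The first sample is the poster's output copied from post #16; the second is a constructed variant with a resolver at 203.0.113.5 (a TEST-NET-3 documentation address, not an address from this thread) to show what a finding looks like.

```python
"""Check `ipconfig /all` output for resolver or DHCP settings that do not come
from the local network (added example, not code from the thread)."""
import ipaddress
import re

ADAPTER_RE = re.compile(r"^(?P<name>\S.*adapter .*):\s*$")
KV_RE = re.compile(r"^\s+(?P<key>[A-Za-z][^:.]*?)[ .]*:\s*(?P<val>.*)$")
CONT_RE = re.compile(r"^\s+(?P<val>\d{1,3}(?:\.\d{1,3}){3})\s*$")   # extra DNS/gateway line


def parse_ipconfig(text):
    """{adapter name: {field: [values]}}; the global header block is keyed ''."""
    adapters = {"": {}}
    current, last_key = adapters[""], None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m["name"], {})
            last_key = None
            continue
        m = KV_RE.match(line)
        if m:
            last_key = m["key"].strip()
            current.setdefault(last_key, [])
            if m["val"].strip():
                current[last_key].append(m["val"].strip())
            continue
        m = CONT_RE.match(line)                  # continuation: second DNS server etc.
        if m and last_key:
            current[last_key].append(m["val"])
    return adapters


def _first(cfg, *keys):
    for k in keys:
        if cfg.get(k):
            return cfg[k][0]
    return None


def check_network_config(adapters):
    """Findings worth a second look: DNS or DHCP servers outside the adapter's subnet.

    An off-subnet resolver is not proof of compromise (an ISP or the user may set a
    public resolver), but on a home PC that takes its lease from the router it is
    the first thing to confirm."""
    findings = []
    for name, cfg in adapters.items():
        ip = _first(cfg, "IP Address", "IPv4 Address")
        if not name or not ip:
            continue
        ip = ip.split("(")[0].strip()            # Vista+ prints "192.168.1.2(Preferred)"
        mask = _first(cfg, "Subnet Mask") or "255.255.255.0"
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        dhcp = (_first(cfg, "Dhcp Enabled", "DHCP Enabled") or "No").lower() == "yes"
        for dns in cfg.get("DNS Servers", []):
            if ipaddress.ip_address(dns) not in net:
                findings.append(f"{name}: DNS server {dns} is outside {net} "
                                f"({'DHCP-assigned' if dhcp else 'static'}); confirm who set it")
        dhcp_srv = _first(cfg, "DHCP Server")
        if dhcp and dhcp_srv and ipaddress.ip_address(dhcp_srv) not in net:
            findings.append(f"{name}: DHCP server {dhcp_srv} is outside {net}")
    return findings


# Sample 1: the poster's ipconfig /all output, copied from this thread.
POSTED = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : GW-5B4ED3A077
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : home

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home
        Description . . . . . . . . . . . : Marvell Yukon 88E8038 PCI-E Fast Ethernet Controller
        Physical Address. . . . . . . . . : 00-E0-B8-B9-C5-78
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
        Lease Obtained. . . . . . . . . . : Monday, June 17, 2013 8:04:39 PM
        Lease Expires . . . . . . . . . . : Tuesday, June 18, 2013 8:04:39 PM
"""

# Sample 2: constructed variant of the same output with the resolver list
# changed to a TEST-NET-3 documentation address followed by the router.
HIJACKED = POSTED.replace(
    "DNS Servers . . . . . . . . . . . : 192.168.1.1",
    "DNS Servers . . . . . . . . . . . : 203.0.113.5\n"
    "                                            192.168.1.1")

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("constructed", HIJACKED)):
        print(label, check_network_config(parse_ipconfig(text)) or "no findings")
```

On the poster's output the checks come back clean: the lease, gateway and resolver all point at 192.168.1.1 and nslookup answers came from the same router. That rules out a changed resolver on the PC itself, but not a changed resolver on the router, which is why the thread's next step is to look at the host again rather than at the network.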



#17 gringo_pr (Staff / Moderator, 9,601 posts)

Posted 17 June 2013 - 08:50 PM


Hello Charlie_Whisky

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


 
Save it to your desktop as CFScript.txt

Drag CFScript.txt onto ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it is running; that may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion", please restart the computer.

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo
William Rowland
Product Support


#18 Charlie_Whisky (New Member, 19 posts)

Posted 17 June 2013 - 10:23 PM

Hello Gringo

I dragged CFScript.txt over ComboFix.exe, and it started to run.

ComboFix.exe asked if I wanted to update, and I declined.

ComboFix.exe warned me to suspend N360 antivirus, which I did.

ComboFix.exe then proceeded to run and ended by popping up the log report at the end of this post.

FEEDBACK

I don’t see too much change in the responsiveness of the computer. CPU about 1-3% in the present state.

MBAM has been blocking; here’s the protection log for today:


2013/06/17 00:11:00 -0500 GW-5B4ED3A077 Owner IP-BLOCK 195.161.7.18 (Type: incoming)
2013/06/17 00:16:05 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.195.11.13 (Type: incoming)
2013/06/17 01:07:00 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.86.220 (Type: incoming)
2013/06/17 01:07:14 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.117.177.77 (Type: outgoing)
2013/06/17 01:23:36 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.88.119 (Type: incoming)
2013/06/17 01:52:14 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.188.44.53 (Type: outgoing)
2013/06/17 02:16:35 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.188.38.83 (Type: incoming)
2013/06/17 02:19:12 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.39.154 (Type: incoming)
2013/06/17 02:38:41 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.7.184.162 (Type: outgoing)
2013/06/17 02:39:30 -0500 GW-5B4ED3A077 Owner IP-BLOCK 98.142.247.209 (Type: incoming)
2013/06/17 03:36:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.17.215 (Type: outgoing)
2013/06/17 03:37:38 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.66.199 (Type: outgoing)
2013/06/17 03:39:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.61.171 (Type: incoming)
2013/06/17 03:47:17 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.253.81 (Type: incoming)
2013/06/17 03:51:50 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.186.244 (Type: outgoing)
2013/06/17 03:55:41 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.15.90 (Type: incoming)
2013/06/17 04:06:49 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.253.81 (Type: incoming)
2013/06/17 04:06:50 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.253.81 (Type: incoming)
2013/06/17 04:06:54 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.253.81 (Type: incoming)
2013/06/17 04:07:14 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.253.81 (Type: incoming)
2013/06/17 04:07:15 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.253.81 (Type: incoming)
2013/06/17 04:07:42 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.186.244 (Type: outgoing)
2013/06/17 04:12:08 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.253.81 (Type: incoming)
2013/06/17 04:18:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.86.140 (Type: incoming)
2013/06/17 04:34:32 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.65.200 (Type: incoming)
2013/06/17 04:38:17 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.116.158 (Type: outgoing)
2013/06/17 04:51:25 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.59.68 (Type: incoming)
2013/06/17 04:54:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.186.244 (Type: outgoing)
2013/06/17 05:03:46 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.86.140 (Type: incoming)
2013/06/17 05:09:39 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.188.53.16 (Type: incoming)
2013/06/17 05:11:08 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.186.244 (Type: outgoing)
2013/06/17 05:13:27 -0500 GW-5B4ED3A077 Owner IP-BLOCK 94.102.56.145 (Type: incoming)
2013/06/17 05:19:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 194.165.0.3 (Type: incoming)
2013/06/17 05:25:00 -0500 GW-5B4ED3A077 Owner IP-BLOCK 78.26.187.118 (Type: outgoing)
2013/06/17 05:26:26 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.188.50.159 (Type: outgoing)
2013/06/17 05:42:47 -0500 GW-5B4ED3A077 Owner IP-BLOCK 194.165.0.3 (Type: incoming)
2013/06/17 06:03:48 -0500 GW-5B4ED3A077 Owner IP-BLOCK 194.165.0.3 (Type: incoming)
2013/06/17 06:11:57 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.86.140 (Type: incoming)
2013/06/17 06:24:05 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.8.222.93 (Type: outgoing)
2013/06/17 06:24:37 -0500 GW-5B4ED3A077 Owner IP-BLOCK 194.165.0.3 (Type: incoming)
2013/06/17 06:32:18 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.64.63 (Type: incoming)
2013/06/17 06:37:46 -0500 GW-5B4ED3A077 Owner IP-BLOCK 58.240.186.244 (Type: outgoing)
2013/06/17 06:38:08 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.9.240.244 (Type: outgoing)
2013/06/17 06:45:59 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.64.63 (Type: incoming)
2013/06/17 06:46:29 -0500 GW-5B4ED3A077 Owner IP-BLOCK 194.165.0.3 (Type: incoming)
2013/06/17 06:53:32 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.195.11.90 (Type: outgoing)
2013/06/17 06:54:56 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.114.149 (Type: outgoing)
2013/06/17 07:05:17 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.86.140 (Type: incoming)
2013/06/17 07:08:51 -0500 GW-5B4ED3A077 Owner IP-BLOCK 219.153.111.3 (Type: outgoing)
2013/06/17 07:09:51 -0500 GW-5B4ED3A077 Owner IP-BLOCK 219.153.138.29 (Type: outgoing)
2013/06/17 07:10:06 -0500 GW-5B4ED3A077 Owner IP-BLOCK 194.165.0.3 (Type: incoming)
2013/06/17 07:18:04 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.55.82 (Type: incoming)
2013/06/17 07:24:54 -0500 GW-5B4ED3A077 Owner IP-BLOCK 91.188.41.191 (Type: outgoing)
2013/06/17 07:34:52 -0500 GW-5B4ED3A077 Owner IP-BLOCK 194.165.0.3 (Type: incoming)
2013/06/17 07:40:50 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/17 07:40:50 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully
2013/06/17 07:40:50 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/17 07:42:17 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully
2013/06/17 07:44:05 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.63.17 (Type: incoming)
2013/06/17 07:48:07 -0500 GW-5B4ED3A077 Owner IP-BLOCK 218.10.63.17 (Type: incoming)
2013/06/17 20:04:56 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/17 20:04:56 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully
2013/06/17 20:04:56 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/17 20:06:04 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully
2013/06/17 20:06:58 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming)
2013/06/17 20:08:05 -0500 GW-5B4ED3A077 Owner IP-BLOCK 89.28.16.95 (Type: incoming)
2013/06/17 20:10:00 -0500 GW-5B4ED3A077 Owner IP-BLOCK 98.142.247.246 (Type: incoming)
2013/06/17 20:21:23 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming)
2013/06/17 20:28:11 -0500 GW-5B4ED3A077 Owner IP-BLOCK 94.102.51.133 (Type: incoming)
2013/06/17 20:35:47 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming)
2013/06/17 20:50:11 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming)
2013/06/17 21:04:35 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming)
2013/06/17 21:19:00 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming)
2013/06/17 21:31:11 -0500 GW-5B4ED3A077 Owner IP-BLOCK 94.102.51.133 (Type: incoming)
2013/06/17 21:33:24 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming)
2013/06/17 21:47:48 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming)
2013/06/17 21:55:01 -0500 GW-5B4ED3A077 Owner IP-BLOCK 31.133.48.34 (Type: outgoing)
2013/06/17 22:00:21 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/17 22:00:21 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully
2013/06/17 22:00:21 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/17 22:01:22 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully
2013/06/17 22:01:57 -0500 GW-5B4ED3A077 Owner IP-BLOCK 98.142.247.246 (Type: outgoing)
2013/06/17 22:01:59 -0500 GW-5B4ED3A077 Owner IP-BLOCK 98.142.247.246 (Type: outgoing)
2013/06/17 22:02:14 -0500 GW-5B4ED3A077 Owner IP-BLOCK 212.113.37.227 (Type: incoming)

 

Note that ComboFix finished at 21:43; there are still outgoing IP blocks after this.

ComboFix report

 

ComboFix 13-06-12.02 - Owner 06/17/2013  21:28:52.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1918.1033 [GMT -5:00]
Running from: c:\documents and settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\Combo fix\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\Batch Files\CFScript.txt
AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: CA Personal Firewall *Disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}
FW: Norton 360 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-18 to 2013-06-18  )))))))))))))))))))))))))))))))
.
.
2013-06-16 13:45 . 2013-02-12 00:32      12928 -c----w-            c:\windows\system32\dllcache\usb8023x.sys
2013-06-16 13:45 . 2013-02-12 00:32      12928 -c----w-            c:\windows\system32\dllcache\usb8023.sys
2013-06-16 02:02 . 2013-06-16 12:38      --------  d-----w-           c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-06-16 02:01 . 2013-06-16 02:01      35144 ----a-w-            c:\windows\system32\drivers\mbamchameleon.sys
2013-06-15 21:19 . 2013-06-15 21:19      --------  d-----w-           C:\_OTL
2013-06-12 22:12 . 2013-06-12 22:12      --------  d-----w-           c:\windows\ERUNT
2013-06-12 22:12 . 2013-06-12 22:12      --------  d-----w-           C:\JRT
2013-06-12 21:52 . 2013-06-12 21:52      --------  d-----w-           c:\documents and settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\AVG SafeGuard toolbar
2013-06-12 21:52 . 2013-06-12 21:52      --------  d-----w-           c:\documents and settings\All Users\Application Data\AVG SafeGuard toolbar
2013-06-12 21:51 . 2013-06-12 21:51      --------  d-----w-           c:\documents and settings\Owner.YOUR-5B4ED3A077\Application Data\AVG SafeGuard toolbar
2013-06-12 21:51 . 2013-06-12 21:50      37664 ----a-w-           c:\windows\system32\drivers\avgtpx86.sys
2013-06-12 21:51 . 2013-06-12 22:06      --------  d-----w-           c:\program files\Common Files\AVG Secure Search

2013-06-12 21:51 . 2013-06-12 21:51      --------  d-----w-           c:\program files\AVG SafeGuard toolbar

2013-06-12 21:50 . 2013-06-12 21:50      --------  d--h--w-          c:\documents and settings\All Users\Application Data\Common Files

2013-06-10 09:54 . 2013-06-10 09:54      --------  d-----w-           c:\documents and settings\Owner.YOUR-5B4ED3A077\Local Settings\Application Data\RtWLan

2013-05-21 01:23 . 2013-05-28 00:28      --------  d-----w-           C:\hotlink

2013-05-21 01:20 . 2008-11-07 10:53      752496           ----a-w-           C:\WindowsXP-KB959658-x86-ENU.exe

.

.

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-06-12 02:59 . 2012-04-18 18:39      692104           ----a-w-            c:\windows\system32\FlashPlayerApp.exe

2013-06-12 02:59 . 2011-06-15 01:48      71048 ----a-w-            c:\windows\system32\FlashPlayerCPLApp.cpl

2013-05-07 22:30 . 2006-06-17 09:23      920064           ----a-w-           c:\windows\system32\wininet.dll

2013-05-07 22:30 . 2006-06-17 09:23      43520 ------w-            c:\windows\system32\licmgr10.dll

2013-05-07 22:30 . 2006-06-17 09:23      1469440        ------w-            c:\windows\system32\inetcpl.cpl

2013-05-07 21:53 . 2006-06-17 09:23      385024           ------w-            c:\windows\system32\html.iec

2013-05-03 01:30 . 2006-06-17 09:23      2149888        ----a-w-           c:\windows\system32\ntoskrnl.exe

2013-05-03 00:38 . 2004-08-04 05:59      2028544        ----a-w-           c:\windows\system32\ntkrnlpa.exe

2013-04-10 01:31 . 2006-06-17 09:23      1876352        ----a-w-           c:\windows\system32\win32k.sys

2013-04-05 00:00 . 2011-06-20 01:25      695578           ----a-w-           c:\windows\unins000.exe

2013-04-04 19:50 . 2008-08-09 19:09      22856 ----a-w-           c:\windows\system32\drivers\mbam.sys

2003-12-05 16:41     368640           --sh--r-            c:\windows\cwh.exe

2003-12-05 02:16     69632 --sh--r-            c:\windows\lnchshll.exe

2003-12-05 02:16     49152 --sh--r-            c:\windows\ScrnInt.exe

.

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-08 323392]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2011-12-01 206120]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]

"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-24 573440]

"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 413696]

"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-11-01 98304]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

REALTEK RTL8187 Wireless LAN Utility.lnk - c:\program files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe /H [2006-11-1 749568]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe  /startup [2008-5-26 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"UmxFwHlp"=2 (0x2)

"ITMRTSVC"=2 (0x2)

"CaCCProvSP"=3 (0x3)

"YahooAUService"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\ses2_client_bin_2_8_13g\\seswiz.exe"=

"c:\\Program Files\\REALTEK RTL8187 Wireless LAN Driver and Utility\\RtWLan.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Plex\\Plex Media Server\\Plex Media Server.exe"=

"c:\\Program Files\\Plex\\Plex Media Server\\PlexScriptHost.exe"=

"c:\\Program Files\\Plex\\Plex Media Server\\PlexDlnaServer.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0

"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1

"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2

"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3

"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4

"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5

"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6

"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7

"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8

"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9

"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification

"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration

"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

"4100:UDP"= 4100:UDP:uPNP Router Control Port

"50000:UDP"= 50000:UDP:IHA_MessageCenter

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\1403010.016\symds.sys [4/8/2013 7:03 PM 367704]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\1403010.016\symefa.sys [4/8/2013 7:03 PM 934488]

R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [6/12/2013 4:51 PM 37664]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\BASHDefs\20130531.001\BHDrvx86.sys [5/31/2013 11:58 AM 1002072]

R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360\1403010.016\ccsetx86.sys [4/8/2013 7:03 PM 134304]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\1403010.016\ironx86.sys [4/8/2013 7:03 PM 175264]

R2 cwh;cwh;c:\windows\cwh.exe [12/23/2006 3:19 PM 368640]

R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [12/12/2011 11:03 AM 352248]

R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/10/2012 8:40 PM 418376]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/9/2008 2:09 PM 701512]

R2 N360;Norton 360;c:\program files\Norton 360\Engine\20.3.1.22\ccsvchst.exe [4/8/2013 7:02 PM 144520]

R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [12/1/2011 6:11 AM 206120]

R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [12/1/2011 6:11 AM 185640]

R2 vToolbarUpdater15.2.0;vToolbarUpdater15.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe [6/12/2013 4:51 PM 1015984]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2012 10:27 PM 106656]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\IPSDefs\20130615.001\IDSXpx86.sys [6/17/2013 8:31 PM 373728]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/9/2008 2:09 PM 22856]

S0 jwsog;jwsog;c:\windows\system32\drivers\xbjj.sys --> c:\windows\system32\drivers\xbjj.sys [?]

S0 plmd;plmd;c:\windows\system32\drivers\xvqfl.sys --> c:\windows\system32\drivers\xvqfl.sys [?]

S0 qnmthkg;qnmthkg;c:\windows\system32\drivers\dgwdfd.sys --> c:\windows\system32\drivers\dgwdfd.sys [?]

S0 shho;shho;c:\windows\system32\drivers\rtbiatm.sys --> c:\windows\system32\drivers\rtbiatm.sys [?]

S3 EraserUtilDrv11210;EraserUtilDrv11210;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11210.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11210.sys [?]

S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\drivers\ICDSX.sys [10/1/2003 5:44 PM 31744]

S3 WebDictateService;Web Dictate;c:\program files\NCH Software\WebDictate\webdictate.exe [2/7/2012 10:13 AM 814596]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

vvdsvc            REG_MULTI_SZ      vvdsvc

.

Contents of the 'Scheduled Tasks' folder

.

2013-06-18 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 02:59]

.

2012-02-10 c:\windows\Tasks\expressShakeIcon.job

- c:\program files\NCH Software\Express\express.exe [2012-02-07 15:13]

.

2013-06-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1542910684-3637753515-2293041949-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

.

2013-06-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1542910684-3637753515-2293041949-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

.

2013-03-06 c:\windows\Tasks\scribeShakeIcon.job

- c:\program files\NCH Software\Scribe\scribe.exe [2012-02-07 15:12]

.

2013-06-17 c:\windows\Tasks\User_Feed_Synchronization-{6F0D77EB-9DFC-4C8F-B264-D6025F8ED514}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-23202751.sys

SafeBoot-71571137.sys

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-06-17 21:40

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ... 

.

scanning hidden autostart entries ...

.

scanning hidden files ... 

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\20.3.1.22\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\20.3.1.22\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(956)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\BCMLogon.dll

.

- - - - - - - > 'explorer.exe'(5520)

c:\windows\system32\WININET.dll

c:\progra~1\WINDOW~3\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2013-06-17  21:43:24

ComboFix-quarantined-files.txt  2013-06-18 02:43

ComboFix2.txt  2013-06-13 00:21

.

Pre-Run: 76,455,112,704 bytes free

Post-Run: 76,793,696,256 bytes free

.

- - End Of File - - 1F18EFED6EC99D5297C14AA5BA14F1D6

B20939CD98B7710036274839082AE757



#19 gringo_pr (Staff, Moderators, 9,601 posts)

Posted 17 June 2013 - 10:50 PM


Hello



Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore; this is fine, just move to the next item on the list.

You can remove these programs using Add/Remove or you can use the free uninstaller from Revo (Revo does a much better job)
  • Programs to remove

    • Adobe Reader 7.0
    • Browser Address Error Redirector
    • DNA
    • Java™ 6 Update 24


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run. If prompted again click Yes
  • When the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • When prompted click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete
  • When prompted select Yes then on Next
  • Once done click Finish.



Update Adobe reader
  • Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com.../readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
    • If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java
  • Click on the Free Java Download button
  • Click on Agree and Start Free Download
  • Click on Run
  • Click on Run again
  • Click on Install
  • When install is complete click on Close
Clean Out Temp Files
  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here: CCleaner
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar, uncheck the box next to it.
    • Run CCleaner. (Make sure under the Windows tab all the boxes for Internet Explorer and Windows Explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under the Application tab all the boxes should be checked.)
    • Click Run Cleaner.
    • Close CCleaner.
: Malwarebytes' Anti-Malware :


I see you have MBAM installed on the computer - that is great!! It is a very good program! I would like you to run a quick scan for me now.
  • Double-click the MBAM icon
  • Go to the Update tab at the top
  • Click on Check for Updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Download HijackThis
  • Go here to download the HijackThis program
  • Save HijackThis to your desktop.
  • Right-click on HijackThis and select "Run as Admin" (XP users just need to double click to run)
  • Click on "Do a system scan and save a logfile" (if you do not see "Do a system scan and save a logfile" then click on Main Menu)
  • Copy and paste the HijackThis report into the topic
"information and logs"
  • In your next post I need the following
    • Log from MBAM
    • Report from HijackThis
    • Let me know of any problems you may have had
    • How is the computer doing now?
Gringo
William Rowland
Product Support


#20 Charlie_Whisky (New Member, 19 posts)

Posted 18 June 2013 - 10:18 PM

Hello Gringo

I ran all of these without incident. The MBAM log and HJ logs are at the end of this post.

A comment about Revo Uninstaller: I found it very time consuming to use b/c I had to click on several hundred boxes corresponding to all the bolded selections; it would be much better if there was a button that simply selects all bolded items.

I have not yet installed the updated Adobe and Java versions that you pointed to.

 

Feedback

1) I have not seen any IP blocks pop up since running Revo to uninstall those 4 programs and CCleaner; that's a good sign! But I'll have to monitor longer.

Here is today's protection log:

2013/06/18 19:22:06 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/18 19:22:06 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully
2013/06/18 19:22:06 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/18 19:23:26 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully
2013/06/18 19:24:29 -0500 GW-5B4ED3A077 Owner IP-BLOCK 79.135.139.182 (Type: outgoing)
2013/06/18 20:57:31 -0500 GW-5B4ED3A077 Owner IP-BLOCK 87.248.186.129 (Type: incoming)
2013/06/18 21:37:27 -0500 GW-5B4ED3A077 Owner MESSAGE Starting protection
2013/06/18 21:37:28 -0500 GW-5B4ED3A077 Owner MESSAGE Protection started successfully
2013/06/18 21:37:28 -0500 GW-5B4ED3A077 Owner MESSAGE Starting IP protection
2013/06/18 21:38:51 -0500 GW-5B4ED3A077 Owner MESSAGE IP Protection started successfully

 

2) IE still shows red Xs and blank boxes and pictures, so it is not very user friendly. Any idea how to restore this??

 

MBAM Log

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.16.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: GW-5B4ED3A077 [administrator]

Protection: Enabled

6/18/2013 9:40:50 PM
mbam-log-2013-06-18 (21-40-50).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 237368
Time elapsed: 17 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

 

 

HijackThis log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:00:52 PM, on 6/18/2013
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\cwh.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\VERIZONDM\bin\sprtcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\VERIZONDM\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VERIZONDM\bin\tgsrvc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Norton 360\Engine\20.4.0.40\ccSvcHst.exe
C:\Program Files\Norton 360\Engine\20.4.0.40\ccSvcHst.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Owner.YOUR-5B4ED3A077\My Documents\Downloads\dds 6-12-2013\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.c...ys=PTB&M=MX6453
O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\20.4.0.40\coIEPlg.dll
O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\20.4.0.40\IPS\IPSBHO.DLL
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\20.4.0.40\coIEPlg.dll
O4 - HKLM\..\Run: [VERIZONDM] "C:\Program Files\VERIZONDM\bin\sprtcmd.exe" /P VERIZONDM
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: REALTEK RTL8187 Wireless LAN Utility.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....030/CTSUEng.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://biz.lgservice...ntrol-6.1.4.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {3A52566B-6018-485B-B713-8B9FF660D8E8} (ilhtrapp Object) - http://71.123.169.42...16_71.0.0.0.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1343697687988
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1343697663689
O16 - DPF: {9282A3AA-4954-46B4-B4AE-F086CE3F1110} (TrustSiteAddMgr Class) - http://71.123.169.42...egtrustsite.cab
O16 - DPF: {9CA74596-B5BB-4634-971C-F0224115A15F} (tcast control) - http://nba.tom.com/video/tcastV1.cab
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://vexcast.com/d...oad/vexcast.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15030/CTPID.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: cwh - Warranty Corporation of America - C:\WINDOWS\cwh.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: IHA_MessageCenter - Verizon - C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\20.4.0.40\ccSvcHst.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (verizondm) (sprtsvc_verizondm) - SupportSoft, Inc. - C:\Program Files\VERIZONDM\bin\sprtsvc.exe
O23 - Service: SupportSoft Repair Service (verizondm) (tgsrvc_verizondm) - SupportSoft, Inc. - C:\Program Files\VERIZONDM\bin\tgsrvc.exe
O23 - Service: vToolbarUpdater15.2.0 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe
O23 - Service: Web Dictate (WebDictateService) - Unknown owner - C:\Program Files\NCH Software\WebDictate\webdictate.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9854 bytes
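Both protection logs in this thread are read by eye to decide whether blocks are still happening after a cleanup step (ComboFix finishing at 21:43 in post #18, the restart in the post above). The following parser does that check mechanically. It is an added example, not Malwarebytes' code; the sample lines are copied from the first protection log in this thread, the 21:43:24 cutoff is the ComboFix completion time reported there, and the field layout is inferred from those lines.

```python
"""Parse Malwarebytes 1.x protection-log lines and check whether IP-BLOCK
events continue after a cleanup tool finished.

Added example for this thread, not Malwarebytes' own code. SAMPLE_LOG is
copied from the protection log pasted earlier in the thread (double-spaced
exactly as the forum rendered it); CUTOFF is the ComboFix completion time
reported in the same post.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# One MBAM 1.x protection-log line (as seen in this thread) has the shape
#   <date> <time> <utc offset> <host> <user> <kind> <detail>
# where kind is IP-BLOCK (detail = "<ip> (Type: incoming|outgoing)")
# or MESSAGE (detail = free text such as "Starting protection").
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<tz>[+-]\d{4})\s+(?P<host>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<kind>IP-BLOCK|MESSAGE)\s+(?P<detail>.+?)\s*$"
)
BLOCK_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\(Type:\s*(?P<direction>incoming|outgoing)\)$"
)

# Lines copied from the thread's first protection log (constructed subset).
SAMPLE_LOG = """
2013/06/17 21:19:00 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         212.113.37.227 (Type: incoming)

2013/06/17 21:31:11 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         94.102.51.133 (Type: incoming)

2013/06/17 21:55:01 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         31.133.48.34 (Type: outgoing)

2013/06/17 22:00:21 -0500          GW-5B4ED3A077          Owner   MESSAGE        Starting protection

2013/06/17 22:01:22 -0500          GW-5B4ED3A077          Owner   MESSAGE        IP Protection started successfully

2013/06/17 22:01:57 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         98.142.247.246 (Type: outgoing)

2013/06/17 22:01:59 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         98.142.247.246 (Type: outgoing)

2013/06/17 22:02:14 -0500          GW-5B4ED3A077          Owner   IP-BLOCK         212.113.37.227 (Type: incoming)
"""


def parse_timestamp(date, time, tz):
    """Turn '2013/06/17', '21:43:24', '-0500' into a timezone-aware datetime."""
    sign = 1 if tz[0] == "+" else -1
    offset = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])))
    return datetime.strptime(f"{date} {time}", "%Y/%m/%d %H:%M:%S").replace(tzinfo=offset)


# ComboFix "Completion time: 2013-06-17 21:43:24", in the log's own UTC offset.
CUTOFF = parse_timestamp("2013/06/17", "21:43:24", "-0500")


def parse_protection_log(text):
    """Return one dict per recognised line; blank and unparseable lines are skipped."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        event = {
            "ts": parse_timestamp(m["date"], m["time"], m["tz"]),
            "host": m["host"],
            "user": m["user"],
            "kind": m["kind"],
        }
        if m["kind"] == "IP-BLOCK":
            b = BLOCK_RE.match(m["detail"])
            if not b:
                continue  # malformed IP-BLOCK detail: skip rather than guess
            event["ip"] = b["ip"]
            event["direction"] = b["direction"]
        else:
            event["message"] = m["detail"]
        events.append(event)
    return events


def blocks_after(events, cutoff, direction="outgoing"):
    """IP-BLOCK events in the given direction at or after the cutoff time."""
    return [
        e for e in events
        if e["kind"] == "IP-BLOCK" and e["direction"] == direction and e["ts"] >= cutoff
    ]


def destinations_after(events, cutoff):
    """Distinct remote addresses the host still tried to reach after the cutoff.

    Outgoing blocks are the ones that matter here: something on the host is
    initiating them, so a non-empty result means the cleanup step did not
    remove whatever is initiating the connections.
    """
    return sorted({e["ip"] for e in blocks_after(events, cutoff, "outgoing")})


def summarize(events):
    """Count (ip, direction) pairs so repeat contacts stand out."""
    return Counter((e["ip"], e["direction"]) for e in events if e["kind"] == "IP-BLOCK")


if __name__ == "__main__":
    evs = parse_protection_log(SAMPLE_LOG)
    print(f"{len(evs)} events parsed")
    for (ip, direction), n in summarize(evs).most_common():
        print(f"{n:3d}  {direction:8s}  {ip}")
    print("outgoing blocks after cutoff:", len(blocks_after(evs, CUTOFF)),
          "to", destinations_after(evs, CUTOFF))
```

The same parser accepts the single-spaced 18 June log in the post above, since field separation is whitespace of any width.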





