I think I have a virus but help needed


  • This topic is locked
16 replies to this topic

#1 krysw

  • Members
  • 10 posts

Posted 24 July 2013 - 04:44 AM

I have been having problems with crashes particularly when I'm online. It's worse on Google Chrome than on IE but happens there as well.

For example, on Facebook I can see and comment on everything, but if I try to view a video or open a game it crashes. It has been running very slow as well.

 

I have run various antivirus, registry cleaners, malware etc. and one found Yontoo. I followed a thread on here to get rid of Yontoo but I'm still having the same problems. The virus checkers are not finding anything so I don't know what to do next.

 

I have run FRST and this is the report. Any help would be appreciated. Thanks.

 

Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 7
Boot Mode: Safe Mode (with Networking)

==================== Processes (Whitelisted) ===================

(Panda Security, S.L.) C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUAService.exe
(Panda Security, S.L.) C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
(Google Inc.) C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\IEXPLORE.EXE

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SoundMAXPnP] - C:\Program Files\Analog Devices\Core\smax4pnp.exe [1404928 2004-10-14] (Analog Devices, Inc.)
HKLM\...\Run: [Google Desktop Search] - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2011-03-05] (Google)
HKLM\...\Run: [HP Software Update] - C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe [49208 2011-02-18] (Hewlett-Packard)
HKLM\...\Run: [BluetoothAuthenticationAgent] - rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent [x]
HKLM\...\Run: [PCSuiteTrayApplication] - C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE [229376 2006-06-15] (Nokia)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [RIMBBLaunchAgent.exe] - C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [90448 2011-09-01] (Research In Motion Limited)
HKLM\...\Run: [PSUAMain] - C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUAMain.exe [32736 2013-05-28] (Panda Security, S.L.)
HKLM\...\Run: [Corel Photo Downloader] - C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe [531272 2007-08-28] (Corel, Inc.)
Winlogon\Notify\igfxcui: igfxsrvc.dll (Intel Corporation)
Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
HKCU\...\Run: [PcSync] - C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe [1449984 2006-06-27] (Time Information Services Ltd.)
HKU\Default User\...\RunOnce: [_nltide_2] - regsvr32 /s /n /i:U shell32 [x]
HKU\Default User\...\RunOnce: [_nltide_3] - rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N [x]
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Development Company, L.P.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
ShortcutTarget: HP Photosmart Premier Fast Start.lnk -> C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PandaUSBVaccine.lnk
ShortcutTarget: PandaUSBVaccine.lnk -> C:\Program Files\Panda USB Vaccine\USBVaccine.exe (Panda Security)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
StartMenuInternet: IEXPLORE.EXE - "C:\Program Files\Internet Explorer\iexplore.exe"
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\20.4.0.40\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (Google Inc.)
BHO: Norton Identity Protection - {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} - C:\Program Files\Norton Identity Safe\Engine\2013.3.0.26\coIEPlg.dll (Symantec Corporation)
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5825.1100\swg.dll (Google Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (Google Inc.)
Toolbar: HKLM - Norton Identity Safe Toolbar - {A13C2648-91D4-4bf3-BC6D-0079707C4389} - C:\Program Files\Norton Identity Safe\Engine\2013.3.0.26\coIEPlg.dll (Symantec Corporation)
Toolbar: HKCU -&Google - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (Google Inc.)
Toolbar: HKCU -Norton Identity Safe Toolbar - {A13C2648-91D4-4BF3-BC6D-0079707C4389} - C:\Program Files\Norton Identity Safe\Engine\2013.3.0.26\coIEPlg.dll (Symantec Corporation)
DPF: {283B7DE7-A1ED-4D27-AA59-C6E7427544D2} https://bg.itronenergypoint.net/IHVConnect/KeyBoxControl.cab
DPF: {2A293777-79CA-4DD9-A545-0E1718C0D3CF} https://bg.itronenergypoint.net/IHVConnect2/KeyboxControl.cab
Handler: ipp - No CLSID Value -
Handler: msdaipp - No CLSID Value -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
ShellExecuteHooks:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
Tcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100

Chrome:
=======
CHR Extension: (Google Docs) - C:\DOCUME~1\Owner\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0
CHR Extension: (Google Drive) - C:\DOCUME~1\Owner\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (Google Search) - C:\DOCUME~1\Owner\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (Norton Identity Protection) - C:\DOCUME~1\Owner\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\nppllibpnmahfaklnpggkibhkapjkeob\2013.3.0.26_0
CHR Extension: (Gmail) - C:\DOCUME~1\Owner\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0
CHR HKLM\...\Chrome\Extension: [eijoglodfkeicibboibphapnoahoaapi] - C:\DOCUME~1\Owner\LOCALS~1\Temp\eijoglodfkeicibboibphapnoahoaapi.crx
CHR HKLM\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] - C:\Program Files\Norton Identity Safe\Engine\2013.3.0.26\Exts\Chrome.crx
CHR StartMenuInternet: Google Chrome - "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe"

========================== Services (Whitelisted) =================

S3 GoogleDesktopManager-051210-111108; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2011-03-05] (Google)
S2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [106280 2013-07-13] (SurfRight B.V.)
S3 HP Port Resolver; C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE [81920 2005-05-20] (Hewlett-Packard Company)
S3 HP Status Server; C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE [73728 2004-10-16] (Hewlett-Packard Company)
S3 LLRCService; C:\WINDOWS\system32\LLRCService.exe [181624 2010-05-14] (Laplink Software, Inc.)
S2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 NanoServiceMain; C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [140768 2013-05-28] (Panda Security, S.L.)
S2 NAV; C:\Program Files\Norton AntiVirus\Engine\20.4.0.40\diMaster.dll [556336 2013-05-30] (Symantec Corporation)
S2 NCO; C:\Program Files\Norton Identity Safe\Engine\2013.3.0.26\diMaster.dll [551728 2013-02-06] (Symantec Corporation)
S2 ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [177704 2007-06-05] ()
R2 PSUAService; C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUAService.exe [37344 2013-05-28] (Panda Security, S.L.)
S3 ServiceLayer; C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe [174080 2006-06-05] (Nokia.)
S2 TSIRCSRV; C:\WINDOWS\System32\TSIRCSRV.EXE [206200 2010-05-14] (Laplink Software, Inc.)
S3 AppMgmt; %SystemRoot%\System32\appmgmts.dll [x]
S2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf" [x]

==================== Drivers (Whitelisted) ====================

R1 AFS2K; C:\Windows\System32\Drivers\AFS2K.sys [43672 2011-03-11] (Oak Technology Inc.)
R3 b57w2k; C:\Windows\System32\DRIVERS\b57xp32.sys [176640 2009-09-18] (Broadcom Corporation)
S1 BHDrvx86; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.3.0.36\Definitions\BASHDefs\20130715.001\BHDrvx86.sys [1002072 2013-07-02] (Symantec Corporation)
S3 CCDECODE; C:\Windows\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation)
S1 ccSet_NAV; C:\Windows\system32\drivers\NAV\1404000.028\ccSetx86.sys [134744 2013-04-16] (Symantec Corporation)
S1 ccSet_NST; C:\Windows\system32\drivers\NST\7DD03000.01A\ccSetx86.sys [134304 2012-11-16] (Symantec Corporation)
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2013-01-31] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2013-07-12] (Symantec Corporation)
S3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [49664 2006-04-13] (HP)
S3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2006-04-13] (HP)
R3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2006-04-13] (HP)
S3 ialm; C:\Windows\System32\DRIVERS\ialmnt5.sys [804317 2005-01-23] (Intel Corporation)
S3 IDSxpx86; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.3.0.36\Definitions\IPSDefs\20130717.001\IDSxpx86.sys [373728 2013-07-11] (Symantec Corporation)
R3 llkbf; C:\Windows\System32\DRIVERS\llkbf.sys [19552 2010-05-14] (Laplink Software, Inc.)
S3 llrcmir; C:\Windows\System32\DRIVERS\llrcm.sys [11872 2010-05-14] (Laplink Software, Inc.)
S3 LLUSBFLT; C:\Windows\System32\drivers\llusbflt.sys [4736 2008-08-14] (Laplink Software, Inc.)
S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S3 NABTSFEC; C:\Windows\System32\DRIVERS\NABTSFEC.sys [85248 2008-04-14] (Microsoft Corporation)
S3 NAVENG; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.3.0.36\Definitions\VirusDefs\20130715.003\NAVENG.SYS [93272 2013-07-12] (Symantec Corporation)
S3 NAVEX15; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.3.0.36\Definitions\VirusDefs\20130715.003\NAVEX15.SYS [1611992 2013-07-12] (Symantec Corporation)
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)
S1 NNSALPC; C:\Windows\System32\DRIVERS\NNSAlpc.sys [84200 2013-05-29] (Panda Security, S.L.)
S1 NNSHTTP; C:\Windows\System32\DRIVERS\NNSHttp.sys [126184 2013-05-29] (Panda Security, S.L.)
S1 NNSHTTPS; C:\Windows\System32\DRIVERS\NNSHttps.sys [107752 2013-05-29] (Panda Security, S.L.)
S1 NNSIDS; C:\Windows\System32\DRIVERS\NNSIds.sys [124648 2013-05-29] (Panda Security, S.L.)
S1 NNSPICC; C:\Windows\System32\DRIVERS\NNSPicc.sys [95464 2013-05-29] (Panda Security, S.L.)
S4 NNSPIHS; C:\Windows\System32\DRIVERS\NNSPihs.sys [52328 2013-05-29] (Panda Security, S.L.)
S1 NNSPOP3; C:\Windows\System32\DRIVERS\NNSPop3.sys [106344 2013-05-29] (Panda Security, S.L.)
S1 NNSPROT; C:\Windows\System32\DRIVERS\NNSProt.sys [287336 2013-05-29] (Panda Security, S.L.)
S1 NNSPRV; C:\Windows\System32\DRIVERS\NNSPrv.sys [161384 2013-05-29] (Panda Security, S.L.)
S1 NNSSMTP; C:\Windows\System32\DRIVERS\NNSSmtp.sys [108904 2013-05-29] (Panda Security, S.L.)
S1 NNSSTRM; C:\Windows\System32\DRIVERS\NNSStrm.sys [230376 2013-05-29] (Panda Security, S.L.)
S1 NNSTLSC; C:\Windows\System32\DRIVERS\NNSTlsc.sys [93928 2013-05-29] (Panda Security, S.L.)
S0 Pavboot; C:\Windows\System32\Drivers\pavboot.sys [26696 2012-05-09] (Panda Security, S.L.)
S3 PLUsbbc2; C:\Windows\System32\Drivers\usbbc2.sys [8960 2008-08-14] (Prolific Technology Inc.)
S2 PSINAflt; C:\Windows\System32\DRIVERS\PSINAflt.sys [145128 2013-05-28] (Panda Security, S.L.)
S2 PSINFile; C:\Windows\System32\DRIVERS\PSINFile.sys [103400 2013-05-28] (Panda Security, S.L.)
S1 PSINKNC; C:\Windows\System32\DRIVERS\psinknc.sys [179688 2013-05-28] (Panda Security, S.L.)
S2 PSINProc; C:\Windows\System32\DRIVERS\PSINProc.sys [114920 2013-05-28] (Panda Security, S.L.)
S2 PSINProt; C:\Windows\System32\DRIVERS\PSINProt.sys [128104 2013-05-29] (Panda Security, S.L.)
S3 PSINReg; C:\Windows\System32\DRIVERS\PSINReg.sys [97768 2013-05-28] (Panda Security, S.L.)
S3 senfilt; C:\Windows\System32\drivers\senfilt.sys [732928 2004-09-17] (Creative Technology Ltd.)
R0 Si3132; C:\Windows\System32\Drivers\Si3132.sys [67456 2009-09-18] (Silicon Image, Inc.)
S3 SLIP; C:\Windows\System32\DRIVERS\SLIP.sys [11136 2008-04-13] (Microsoft Corporation)
S3 SRTSP; C:\Windows\System32\Drivers\NAV\1404000.028\SRTSP.SYS [603224 2013-05-16] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NAV\1404000.028\SRTSPX.SYS [32344 2013-03-05] (Symantec Corporation)
S3 streamip; C:\Windows\System32\DRIVERS\StreamIP.sys [15232 2008-04-13] (Microsoft Corporation)
R0 SymDS; C:\Windows\System32\drivers\NAV\1404000.028\SYMDS.SYS [367704 2013-05-21] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NAV\1404000.028\SYMEFA.SYS [934488 2013-05-23] (Symantec Corporation)
S3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [142496 2013-07-12] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\NAV\1404000.028\Ironx86.SYS [175264 2013-03-05] (Symantec Corporation)
S1 SYMTDI; C:\Windows\System32\Drivers\NAV\1404000.028\SYMTDI.SYS [396760 2013-04-25] (Symantec Corporation)
R3 TSIKBF5; C:\Windows\System32\Drivers\TSIKBF5.sys [14584 2010-05-14] (Traveling Software, Inc.)
R3 TSIMSF5; C:\Windows\System32\Drivers\TSIMSF5.sys [13176 2010-05-14] (Laplink Software, Inc.)
S1 tsircmir; C:\Windows\System32\Drivers\tsircmir.sys [8824 2010-05-14] (Traveling Software, Inc.)
S2 TSISER; C:\Windows\System32\Drivers\TSISER.sys [27896 2010-05-14] (Traveling Software, Inc.)
S2 TSISTRMX; C:\Windows\System32\Drivers\TSISTRMX.sys [11384 2010-05-14] (LapLink, Inc.)
S3 WSTCODEC; C:\Windows\System32\DRIVERS\WSTCODEC.SYS [19200 2008-04-14] (Microsoft Corporation)
S3 catchme; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys [x]
U3 TlntSvr;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-07-18 12:47 - 2013-07-18 12:47 - 00000113 _____ C:\WINDOWS\system32\Drivers\etc\pfdnnt.act
2013-07-18 12:47 - 2012-05-09 11:52 - 00026696 _____ (Panda Security, S.L.) C:\WINDOWS\system32\Drivers\pavboot.sys
2013-07-18 12:18 - 2013-07-18 12:18 - 00000867 _____ C:\WINDOWS\setupapi.log
2013-07-18 12:18 - 2013-07-18 12:18 - 00000000 ____D C:\WINDOWS\LastGood
2013-07-18 11:37 - 2013-07-18 11:37 - 00000000 ____D C:\FRST
2013-07-18 11:34 - 2013-07-24 10:30 - 01220240 _____ (Farbar) C:\Documents and Settings\Owner\My Documents\FRST.exe
2013-07-18 10:37 - 2013-07-18 10:38 - 00001419 _____ C:\WINDOWS\KB2481109.log
2013-07-18 10:12 - 2013-07-18 10:12 - 00094208 _____ C:\WINDOWS\Minidump\Mini071813-01.dmp
2013-07-15 11:31 - 2013-07-15 11:31 - 00122228 _____ C:\Documents and Settings\Owner\My Documents\OTL.Txt
2013-07-15 11:31 - 2013-07-15 11:31 - 00069370 _____ C:\Documents and Settings\Owner\My Documents\Extras.Txt
2013-07-15 11:14 - 2013-07-15 11:14 - 00602112 _____ (OldTimer Tools) C:\Documents and Settings\Owner\My Documents\OTL.exe
2013-07-15 11:09 - 2013-07-18 10:28 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-07-15 11:09 - 2013-07-15 11:09 - 00025922 _____ C:\ComboFix.txt
2013-07-15 10:45 - 2011-03-04 14:53 - 00000211 _____ C:\Boot.bak
2013-07-15 10:45 - 2004-08-03 23:00 - 00260272 __RSH C:\cmldr
2013-07-15 10:44 - 2013-07-15 10:45 - 00000000 _RSHD C:\cmdcons
2013-07-15 10:42 - 2011-06-26 07:45 - 00256000 _____ C:\WINDOWS\PEV.exe
2013-07-15 10:42 - 2010-11-07 18:20 - 00208896 _____ C:\WINDOWS\MBR.exe
2013-07-15 10:42 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2013-07-15 10:42 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2013-07-15 10:42 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2013-07-15 10:42 - 2000-08-31 01:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2013-07-15 10:42 - 2000-08-31 01:00 - 00098816 _____ C:\WINDOWS\sed.exe
2013-07-15 10:42 - 2000-08-31 01:00 - 00080412 _____ C:\WINDOWS\grep.exe
2013-07-15 10:42 - 2000-08-31 01:00 - 00068096 _____ C:\WINDOWS\zip.exe
2013-07-15 10:41 - 2013-07-15 11:09 - 00000000 ____D C:\Qoobox
2013-07-15 10:41 - 2013-07-15 11:07 - 00000000 ____D C:\WINDOWS\erdnt
2013-07-15 10:40 - 2013-07-15 10:40 - 05088557 ____R (Swearware) C:\Documents and Settings\Owner\My Documents\ComboFix.exe
2013-07-15 10:37 - 2013-07-15 10:37 - 00004374 _____ C:\Documents and Settings\Owner\Desktop\RKreport[0]_D_07152013_103750.txt
2013-07-15 10:37 - 2013-07-15 10:37 - 00004336 _____ C:\Documents and Settings\Owner\Desktop\RKreport[0]_S_07152013_103700.txt
2013-07-15 10:34 - 2013-07-15 10:36 - 00004401 _____ C:\Documents and Settings\Owner\Desktop\RKreport[0]_D_07152013_103444.txt
2013-07-15 10:34 - 2013-07-15 10:34 - 00004359 _____ C:\Documents and Settings\Owner\Desktop\RKreport[0]_S_07152013_103424.txt
2013-07-15 10:32 - 2013-07-15 10:37 - 00000000 ____D C:\Documents and Settings\Owner\Desktop\RK_Quarantine
2013-07-15 10:30 - 2013-07-15 10:30 - 00915456 _____ C:\Documents and Settings\Owner\My Documents\RogueKiller.exe
2013-07-15 09:53 - 2013-07-15 10:08 - 00004409 _____ C:\AdwCleaner[S1].txt
2013-07-15 09:52 - 2013-07-15 09:52 - 00004273 _____ C:\AdwCleaner[R3].txt
2013-07-15 09:50 - 2013-07-15 09:50 - 00004153 _____ C:\AdwCleaner[R1].txt
2013-07-15 09:49 - 2013-07-15 09:49 - 00001489 _____ C:\Documents and Settings\Owner\My Documents\checkup.txt
2013-07-14 14:10 - 2013-07-18 10:29 - 00000159 _____ C:\WINDOWS\wiadebug.log
2013-07-14 14:10 - 2013-07-18 10:29 - 00000050 _____ C:\WINDOWS\wiaservc.log
2013-07-14 14:10 - 2013-07-14 14:10 - 00000000 _____ C:\WINDOWS\Sti_Trace.log
2013-07-14 13:48 - 2013-07-18 13:03 - 00428086 _____ C:\WINDOWS\WindowsUpdate.log
2013-07-14 10:43 - 2013-07-14 10:43 - 00000942 _____ C:\WINDOWS\system32\.crusader
2013-07-13 21:04 - 2013-07-13 21:04 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2834904_WM11$
2013-07-13 21:02 - 2013-07-13 21:02 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2850851$
2013-07-13 21:02 - 2013-07-13 21:02 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2834886$
2013-07-13 21:00 - 2013-07-13 21:00 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2845187$
2013-07-13 19:02 - 2013-07-13 19:02 - 00000000 ____D C:\Program Files\HitmanPro
2013-07-13 19:01 - 2013-07-13 20:12 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro
2013-07-13 08:32 - 2013-07-13 08:32 - 00000000 _____ C:\Documents and Settings\All Users\Application Data\0x0304A000.sfl
2013-07-12 18:27 - 2013-07-13 04:19 - 00000000 ____D C:\WINDOWS\system32\Drivers\NST
2013-07-12 18:27 - 2013-07-12 21:29 - 00142496 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2013-07-12 18:27 - 2013-07-12 21:29 - 00007611 _____ C:\WINDOWS\system32\Drivers\SYMEVENT.CAT
2013-07-12 18:27 - 2013-07-12 18:47 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-07-12 18:27 - 2013-07-12 18:27 - 00000000 ____D C:\Program Files\Symantec
2013-07-12 18:27 - 2013-07-12 18:27 - 00000000 ____D C:\Program Files\Norton Identity Safe
2013-07-12 18:26 - 2013-07-13 07:47 - 00001885 _____ C:\Documents and Settings\All Users\Desktop\Norton AntiVirus.LNK
2013-07-12 18:22 - 2013-07-13 07:49 - 00000000 ____D C:\WINDOWS\system32\Drivers\NAV
2013-07-12 18:22 - 2013-07-12 18:31 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2013-07-12 18:22 - 2013-07-12 18:22 - 00000000 ____D C:\Program Files\Norton AntiVirus
2013-07-12 13:24 - 2013-07-12 14:08 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-07-12 13:20 - 2013-07-12 13:20 - 00000000 ____D C:\Documents and Settings\Owner\My Documents\malaware antirootkit
2013-07-11 20:24 - 2013-07-11 20:24 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\Panda Security
2013-07-11 20:14 - 2013-07-18 13:03 - 20971520 _____ C:\WINDOWS\system32\config\Nano.evt
2013-07-11 19:16 - 2013-07-11 19:31 - 00692104 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2013-07-11 19:16 - 2013-07-11 19:31 - 00071048 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2013-07-11 18:36 - 2013-07-11 20:12 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Panda Security
2013-07-11 18:36 - 2013-07-11 18:36 - 00000000 ____D C:\Program Files\Panda USB Vaccine
2013-07-11 17:57 - 2013-07-11 17:57 - 00000935 _____ C:\Documents and Settings\All Users\Desktop\Panda Cloud Cleaner.lnk
2013-07-11 17:56 - 2013-07-11 20:12 - 00000000 ____D C:\Program Files\Panda Security
2013-07-11 13:15 - 2013-07-18 10:28 - 00000408 _____ C:\WINDOWS\Tasks\Auslogics BoostSpeed Integrator Start On Owner Logon.job
2013-07-11 13:13 - 2013-07-11 13:13 - 00000892 _____ C:\Documents and Settings\Owner\Desktop\Auslogics BoostSpeed.lnk
2013-07-11 12:30 - 2013-07-11 13:15 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\Auslogics
2013-07-11 12:24 - 2013-07-11 13:13 - 00000000 ____D C:\Program Files\Auslogics
2013-07-11 12:24 - 2013-07-11 12:24 - 00000934 _____ C:\Documents and Settings\Owner\Desktop\Auslogics Registry Cleaner.lnk
2013-07-11 11:13 - 2013-07-11 11:13 - 00531608 _____ C:\Documents and Settings\Owner\My Documents\Best Free Tune-up Program For Computer.mht
2013-07-11 10:19 - 2013-07-11 10:19 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\Foresight Software
2013-07-11 10:19 - 2013-07-11 10:19 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Foresight Software
2013-07-10 20:44 - 2013-07-10 20:44 - 00000784 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-07-10 20:44 - 2013-07-10 20:44 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-07-10 20:44 - 2013-07-10 20:44 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\Malwarebytes
2013-07-10 20:44 - 2013-07-10 20:44 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2013-07-10 20:44 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2013-06-29 12:19 - 2013-06-29 12:19 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\TuneUp Software
2013-06-26 11:45 - 2013-07-11 10:18 - 00065536 _____ C:\WINDOWS\system32\config\TuneUp.evt
2013-06-26 11:43 - 2013-07-18 12:18 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\TuneUp Software
2013-06-26 11:39 - 2013-06-26 11:45 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\TuneUp Software
2013-06-26 11:38 - 2013-06-26 13:45 - 00000000 __SHD C:\Documents and Settings\All Users\Application Data\{C4ABDBC8-1C81-42C9-BFFC-4A68511E9E4F}

==================== One Month Modified Files and Folders =======

2013-07-24 10:30 - 2013-07-18 11:34 - 01220240 _____ (Farbar) C:\Documents and Settings\Owner\My Documents\FRST.exe
2013-07-21 22:02 - 2011-03-20 22:33 - 00001324 _____ C:\WINDOWS\system32\d3d9caps.dat
2013-07-18 14:35 - 2011-10-24 20:53 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\AVG2012
2013-07-18 14:35 - 2006-02-28 12:00 - 00013646 _____ C:\WINDOWS\system32\wpa.dbl
2013-07-18 13:03 - 2013-07-14 13:48 - 00428086 _____ C:\WINDOWS\WindowsUpdate.log
2013-07-18 13:03 - 2013-07-11 20:14 - 20971520 _____ C:\WINDOWS\system32\config\Nano.evt
2013-07-18 13:03 - 2011-03-04 15:07 - 00000178 ___SH C:\Documents and Settings\Owner\ntuser.ini
2013-07-18 12:47 - 2013-07-18 12:47 - 00000113 _____ C:\WINDOWS\system32\Drivers\etc\pfdnnt.act
2013-07-18 12:20 - 2011-03-05 18:11 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\MFAData
2013-07-18 12:18 - 2013-07-18 12:18 - 00000867 _____ C:\WINDOWS\setupapi.log
2013-07-18 12:18 - 2013-07-18 12:18 - 00000000 ____D C:\WINDOWS\LastGood
2013-07-18 12:18 - 2013-06-26 11:43 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\TuneUp Software
2013-07-18 12:18 - 2011-03-05 18:22 - 00000000 ____D C:\WINDOWS\system32\Drivers\AVG
2013-07-18 12:18 - 2011-03-04 14:43 - 00000000 ____D C:\Documents and Settings\All Users\Desktop
2013-07-18 11:37 - 2013-07-18 11:37 - 00000000 ____D C:\FRST
2013-07-18 11:18 - 2010-06-19 17:09 - 00000000 ____D C:\Documents and Settings\Owner\Desktop
2013-07-18 10:38 - 2013-07-18 10:37 - 00001419 _____ C:\WINDOWS\KB2481109.log
2013-07-18 10:37 - 2011-03-05 19:06 - 00000978 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1677128483-1177238915-1004UA.job
2013-07-18 10:32 - 2011-04-01 13:19 - 00000884 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2013-07-18 10:29 - 2013-07-14 14:10 - 00000159 _____ C:\WINDOWS\wiadebug.log
2013-07-18 10:29 - 2013-07-14 14:10 - 00000050 _____ C:\WINDOWS\wiaservc.log
2013-07-18 10:29 - 2011-04-01 13:19 - 00000880 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-18 10:28 - 2013-07-15 11:09 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-07-18 10:28 - 2013-07-11 13:15 - 00000408 _____ C:\WINDOWS\Tasks\Auslogics BoostSpeed Integrator Start On Owner Logon.job
2013-07-18 10:12 - 2013-07-18 10:12 - 00094208 _____ C:\WINDOWS\Minidump\Mini071813-01.dmp
2013-07-18 10:12 - 2011-04-24 19:15 - 00000000 ____D C:\WINDOWS\Minidump
2013-07-18 07:37 - 2011-03-04 15:01 - 00032430 _____ C:\WINDOWS\SchedLgU.Txt
2013-07-17 23:37 - 2011-03-05 19:06 - 00000926 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1677128483-1177238915-1004Core.job
2013-07-15 15:51 - 2011-03-04 15:01 - 00000000 __SHD C:\Documents and Settings\NetworkService
2013-07-15 11:31 - 2013-07-15 11:31 - 00122228 _____ C:\Documents and Settings\Owner\My Documents\OTL.Txt
2013-07-15 11:31 - 2013-07-15 11:31 - 00069370 _____ C:\Documents and Settings\Owner\My Documents\Extras.Txt
2013-07-15 11:14 - 2013-07-15 11:14 - 00602112 _____ (OldTimer Tools) C:\Documents and Settings\Owner\My Documents\OTL.exe
2013-07-15 11:09 - 2013-07-15 11:09 - 00025922 _____ C:\ComboFix.txt
2013-07-15 11:09 - 2013-07-15 10:41 - 00000000 ____D C:\Qoobox
2013-07-15 11:07 - 2013-07-15 10:41 - 00000000 ____D C:\WINDOWS\erdnt
2013-07-15 11:05 - 2006-02-28 12:00 - 00000227 _____ C:\WINDOWS\system.ini
2013-07-15 10:45 - 2013-07-15 10:44 - 00000000 _RSHD C:\cmdcons
2013-07-15 10:45 - 2011-03-04 14:41 - 00000327 __RSH C:\boot.ini
2013-07-15 10:40 - 2013-07-15 10:40 - 05088557 ____R (Swearware) C:\Documents and Settings\Owner\My Documents\ComboFix.exe
2013-07-15 10:37 - 2013-07-15 10:37 - 00004374 _____ C:\Documents and Settings\Owner\Desktop\RKreport[0]_D_07152013_103750.txt
2013-07-15 10:37 - 2013-07-15 10:37 - 00004336 _____ C:\Documents and Settings\Owner\Desktop\RKreport[0]_S_07152013_103700.txt
2013-07-15 10:37 - 2013-07-15 10:32 - 00000000 ____D C:\Documents and Settings\Owner\Desktop\RK_Quarantine
2013-07-15 10:36 - 2013-07-15 10:34 - 00004401 _____ C:\Documents and Settings\Owner\Desktop\RKreport[0]_D_07152013_103444.txt
2013-07-15 10:34 - 2013-07-15 10:34 - 00004359 _____ C:\Documents and Settings\Owner\Desktop\RKreport[0]_S_07152013_103424.txt
2013-07-15 10:30 - 2013-07-15 10:30 - 00915456 _____ C:\Documents and Settings\Owner\My Documents\RogueKiller.exe
2013-07-15 10:08 - 2013-07-15 09:53 - 00004409 _____ C:\AdwCleaner[S1].txt
2013-07-15 09:54 - 2011-03-04 15:07 - 00000000 ____D C:\Documents and Settings\Owner
2013-07-15 09:52 - 2013-07-15 09:52 - 00004273 _____ C:\AdwCleaner[R3].txt
2013-07-15 09:50 - 2013-07-15 09:50 - 00004153 _____ C:\AdwCleaner[R1].txt
2013-07-15 09:49 - 2013-07-15 09:49 - 00001489 _____ C:\Documents and Settings\Owner\My Documents\checkup.txt
2013-07-14 20:21 - 2011-03-05 20:03 - 00045056 ____C C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-07-14 14:10 - 2013-07-14 14:10 - 00000000 _____ C:\WINDOWS\Sti_Trace.log
2013-07-14 11:51 - 2011-03-11 17:08 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\HpUpdate
2013-07-14 11:51 - 2011-03-10 00:15 - 00000000 ____D C:\WINDOWS\system32\NtmsData
2013-07-14 11:51 - 2011-03-04 14:53 - 00000000 ____D C:\WINDOWS\system32\MsDtc
2013-07-14 10:43 - 2013-07-14 10:43 - 00000942 _____ C:\WINDOWS\system32\.crusader
2013-07-14 10:21 - 2011-03-04 15:01 - 00000178 __SHC C:\Documents and Settings\NetworkService\ntuser.ini
2013-07-14 10:21 - 2011-03-04 15:01 - 00000178 __SHC C:\Documents and Settings\LocalService\ntuser.ini
2013-07-14 00:57 - 2011-03-04 15:20 - 00000000 ____D C:\WINDOWS\Microsoft.NET
2013-07-13 22:27 - 2003-10-13 23:53 - 00000000 ____D C:\Documents and Settings\Owner\Desktop\Unused Desktop Shortcuts
2013-07-13 22:14 - 2011-03-04 15:12 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-07-13 22:14 - 2011-03-04 14:42 - 00536056 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2013-07-13 21:04 - 2013-07-13 21:04 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2834904_WM11$
2013-07-13 21:02 - 2013-07-13 21:02 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2850851$
2013-07-13 21:02 - 2013-07-13 21:02 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2834886$
2013-07-13 21:00 - 2013-07-13 21:00 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2845187$
2013-07-13 20:59 - 2011-03-04 14:43 - 00505208 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2013-07-13 20:52 - 2011-03-04 15:24 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Microsoft Help
2013-07-13 20:46 - 2011-03-14 01:34 - 75699896 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2013-07-13 20:44 - 2011-03-04 14:35 - 00000000 ____D C:\WINDOWS\pchealth
2013-07-13 20:42 - 2011-03-04 17:56 - 00000000 ____D C:\WINDOWS\ie7updates
2013-07-13 20:12 - 2013-07-13 19:01 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro
2013-07-13 19:02 - 2013-07-13 19:02 - 00000000 ____D C:\Program Files\HitmanPro
2013-07-13 17:42 - 2013-06-20 23:44 - 00000000 ____D C:\Program Files\File Type Assistant
2013-07-13 17:34 - 2011-03-04 15:11 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-07-13 09:06 - 2011-03-04 15:22 - 00000000 ____D C:\WINDOWS\system32\XPSViewer
2013-07-13 08:32 - 2013-07-13 08:32 - 00000000 _____ C:\Documents and Settings\All Users\Application Data\0x0304A000.sfl
2013-07-13 07:49 - 2013-07-12 18:22 - 00000000 ____D C:\WINDOWS\system32\Drivers\NAV
2013-07-13 07:47 - 2013-07-12 18:26 - 00001885 _____ C:\Documents and Settings\All Users\Desktop\Norton AntiVirus.LNK
2013-07-13 04:46 - 2011-03-05 19:08 - 00002284 _____ C:\Documents and Settings\Owner\Desktop\Google Chrome.lnk
2013-07-13 04:19 - 2013-07-12 18:27 - 00000000 ____D C:\WINDOWS\system32\Drivers\NST
2013-07-12 23:48 - 2013-06-20 23:51 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\FileTypeAssistant
2013-07-12 21:29 - 2013-07-12 18:27 - 00142496 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2013-07-12 21:29 - 2013-07-12 18:27 - 00007611 _____ C:\WINDOWS\system32\Drivers\SYMEVENT.CAT
2013-07-12 18:47 - 2013-07-12 18:27 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-07-12 18:31 - 2013-07-12 18:22 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2013-07-12 18:27 - 2013-07-12 18:27 - 00000000 ____D C:\Program Files\Symantec
2013-07-12 18:27 - 2013-07-12 18:27 - 00000000 ____D C:\Program Files\Norton Identity Safe
2013-07-12 18:22 - 2013-07-12 18:22 - 00000000 ____D C:\Program Files\Norton AntiVirus
2013-07-12 14:08 - 2013-07-12 13:24 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-07-12 13:20 - 2013-07-12 13:20 - 00000000 ____D C:\Documents and Settings\Owner\My Documents\malaware antirootkit
2013-07-11 20:24 - 2013-07-11 20:24 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\Panda Security
2013-07-11 20:15 - 2011-03-05 14:10 - 00183160 ____C C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-07-11 20:12 - 2013-07-11 18:36 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Panda Security
2013-07-11 20:12 - 2013-07-11 17:56 - 00000000 ____D C:\Program Files\Panda Security
2013-07-11 19:33 - 2011-03-04 15:16 - 00000000 ____D C:\Documents and Settings\Owner\Local Settings\Application Data\Adobe
2013-07-11 19:31 - 2013-07-11 19:16 - 00692104 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2013-07-11 19:31 - 2013-07-11 19:16 - 00071048 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2013-07-11 19:12 - 2011-03-04 15:16 - 00000000 ____D C:\Program Files\Adobe
2013-07-11 18:36 - 2013-07-11 18:36 - 00000000 ____D C:\Program Files\Panda USB Vaccine
2013-07-11 17:57 - 2013-07-11 17:57 - 00000935 _____ C:\Documents and Settings\All Users\Desktop\Panda Cloud Cleaner.lnk
2013-07-11 13:15 - 2013-07-11 12:30 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\Auslogics
2013-07-11 13:13 - 2013-07-11 13:13 - 00000892 _____ C:\Documents and Settings\Owner\Desktop\Auslogics BoostSpeed.lnk
2013-07-11 13:13 - 2013-07-11 12:24 - 00000000 ____D C:\Program Files\Auslogics
2013-07-11 12:24 - 2013-07-11 12:24 - 00000934 _____ C:\Documents and Settings\Owner\Desktop\Auslogics Registry Cleaner.lnk
2013-07-11 11:13 - 2013-07-11 11:13 - 00531608 _____ C:\Documents and Settings\Owner\My Documents\Best Free Tune-up Program For Computer.mht
2013-07-11 10:19 - 2013-07-11 10:19 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\Foresight Software
2013-07-11 10:19 - 2013-07-11 10:19 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Foresight Software
2013-07-11 10:18 - 2013-06-26 11:45 - 00065536 _____ C:\WINDOWS\system32\config\TuneUp.evt
2013-07-11 10:17 - 2011-03-04 14:55 - 00000000 ____D C:\WINDOWS\system32\Restore
2013-07-11 09:52 - 2011-10-31 11:16 - 00000284 _____ C:\WINDOWS\Tasks\doxillionShakeIcon.job
2013-07-11 09:52 - 2011-07-30 23:52 - 00000272 _____ C:\WINDOWS\Tasks\mixpadShakeIcon.job
2013-07-10 23:51 - 2011-03-04 14:35 - 00000000 ____D C:\WINDOWS\java
2013-07-10 21:13 - 2012-12-02 21:40 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2761226$
2013-07-10 20:48 - 2012-02-14 23:22 - 00000000 ____D C:\Program Files\SnadBoy's Revelation v2
2013-07-10 20:44 - 2013-07-10 20:44 - 00000784 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-07-10 20:44 - 2013-07-10 20:44 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-07-10 20:44 - 2013-07-10 20:44 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\Malwarebytes
2013-07-10 20:44 - 2013-07-10 20:44 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2013-07-05 18:51 - 2011-06-11 09:58 - 11752448 ____H C:\Documents and Settings\Owner\My Documents\photothumb.db
2013-07-05 18:46 - 2011-06-08 15:30 - 00000000 ____D C:\Program Files\PhotoScape
2013-07-05 18:37 - 2011-06-08 15:30 - 00000706 _____ C:\Documents and Settings\Owner\Desktop\PhotoScape.lnk
2013-07-01 19:22 - 2010-08-04 23:56 - 00000000 ____D C:\Documents and Settings\Owner\My Documents\My Scans
2013-06-29 12:19 - 2013-06-29 12:19 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\TuneUp Software
2013-06-26 13:45 - 2013-06-26 11:38 - 00000000 __SHD C:\Documents and Settings\All Users\Application Data\{C4ABDBC8-1C81-42C9-BFFC-4A68511E9E4F}
2013-06-26 13:45 - 2011-03-17 23:29 - 00000000 ____D C:\Documents and Settings\Owner\Local Settings\Application Data\Downloaded Installations
2013-06-26 13:42 - 2007-12-26 16:07 - 00000000 ____D C:\Documents and Settings\Owner\Desktop\My DSC
2013-06-26 11:45 - 2013-06-26 11:39 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\TuneUp Software

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe
[2009-01-06 23:46] - [2009-01-06 23:46] - 1033728 ____A (Microsoft Corporation) 2bb75b7f548d82a099125d0c5971de7d

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================
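The FRST listing above is what the helper reads first. As an added example (not part of the thread and not FRST's own code), the script below parses lines in that one-month file-listing format and flags the kinds of entries a malware responder checks first; the attribute-letter meanings, the scan time and the triage rules are my assumptions.

```python
"""Parse and triage FRST 'one month' file-listing lines.

Added example for this thread; not part of the original post and not FRST's
own code.  Line layout assumed from the log:

    <modified> - <created> - <size> <attrs> [(Publisher)] <path>

Attribute letters (D=directory, H=hidden, S=system, C=compressed) and the
triage rules are my reading of the log, not FRST documentation.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample input: five lines copied from the FRST log in the thread.
SAMPLE_LINES = r"""
2013-07-14 10:43 - 2013-07-14 10:43 - 00000942 _____ C:\WINDOWS\system32\.crusader
2013-07-13 20:46 - 2011-03-14 01:34 - 75699896 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2013-07-13 21:02 - 2013-07-13 21:02 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2850851$
2013-06-26 13:45 - 2013-06-26 11:38 - 00000000 __SHD C:\Documents and Settings\All Users\Application Data\{C4ABDBC8-1C81-42C9-BFFC-4A68511E9E4F}
2013-07-12 21:29 - 2013-07-12 18:27 - 00142496 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
"""

# Assumed scan time: the ComboFix log later in the thread shows C:\FRST
# created on 2013-07-18, so that date is used as "now" for the recency rule.
SCAN_TIME = datetime(2013, 7, 18)

LINE_RE = re.compile(
    r"^(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d{8}) (?P<attrs>[A-Z_]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"   # optional "(Publisher)" field
    r"(?P<path>.+)$"
)
GUID_DIR_RE = re.compile(r"\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
BINARY_EXT = (".exe", ".dll", ".sys", ".ocx", ".cpl")


@dataclass
class Entry:
    modified: datetime
    created: datetime
    size: int
    attrs: str
    company: Optional[str]
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def hidden_system(self) -> bool:
        return "H" in self.attrs and "S" in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for one listing line, or None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fmt = "%Y-%m-%d %H:%M"
    return Entry(datetime.strptime(m["modified"], fmt),
                 datetime.strptime(m["created"], fmt),
                 int(m["size"]), m["attrs"], m["company"], m["path"])


def parse_listing(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(entries: List[Entry], scan_time: datetime,
           recent_days: int = 7) -> List[Tuple[str, str]]:
    """Flag entries worth a closer look; returns (path, reason) pairs."""
    findings = []
    for e in entries:
        low = e.path.lower()
        in_system_dir = "\\windows\\system32\\" in low
        if (e.is_dir and e.hidden_system and "application data" in low
                and GUID_DIR_RE.search(e.path)):
            findings.append((e.path, "hidden+system GUID-named folder under Application Data"))
        elif in_system_dir and not e.is_dir and e.company is None and low.endswith(BINARY_EXT):
            findings.append((e.path, "binary in system32 with no publisher recorded"))
        elif (in_system_dir and not e.is_dir and e.company is None
                and (scan_time - e.created).days <= recent_days):
            findings.append((e.path, f"file created in system32 in the last {recent_days} days, no publisher"))
    return findings


def triage_sample() -> List[Tuple[str, str]]:
    """Run the triage over the constructed sample at the assumed scan time."""
    return triage(parse_listing(SAMPLE_LINES), SCAN_TIME)


if __name__ == "__main__":
    for path, reason in triage_sample():
        print(f"{reason}: {path}")
```

A hit only means "look at this next" (the hidden GUID folder here sits beside the TuneUp Software entries, and .crusader is a HitmanPro artefact); the point is to shorten a long listing to the handful of lines worth verifying.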

 



#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 July 2013 - 10:09 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[screenshot of the ComboFix prompt]
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration and infection.

Please restart the computer before running this security check.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Please paste the logs in your next reply, DO NOT ATTACH THEM.
Let me know what problem persists.

#3 krysw

krysw
  • Topic Starter

  • Members
  • 10 posts

Posted 26 July 2013 - 11:42 AM

Hi Nasdaq

Thanks for your help. I have run AdwCleaner.

 

# AdwCleaner v2.306 - Logfile created 07/26/2013 at 17:17:51
# Updated 19/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Owner - DF57C8ED4C1B4E1
# Boot Mode : Safe mode with networking
# Running from : C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PTS7WOJG\adwcleaner[1].exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

***** [Internet Browsers] *****

-\\ Internet Explorer v7.0.6000.21342

[OK] Registry is clean.

-\\ Google Chrome v28.0.1500.72

File : C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [4153 octets] - [15/07/2013 09:50:35]
AdwCleaner[R3].txt - [4273 octets] - [15/07/2013 09:52:31]
AdwCleaner[R4].txt - [1096 octets] - [26/07/2013 17:16:39]
AdwCleaner[R5].txt - [1156 octets] - [26/07/2013 17:17:30]
AdwCleaner[S1].txt - [4409 octets] - [15/07/2013 09:53:06]
AdwCleaner[S2].txt - [1088 octets] - [26/07/2013 17:17:51]

########## EOF - C:\AdwCleaner[S2].txt - [1148 octets] ##########

and downloaded the Junkware removal tool but when I try to run this programme I get an error message "Non 7-Zip Archive".

 

What do I do? Thanks


Edited by krysw, 26 July 2013 - 11:44 AM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 July 2013 - 12:37 PM

and downloaded the Junkware removal tool but when I try to run this programme I get an error message "Non 7-Zip Archive".


Are you running this tool from Safe Mode?

Try normal mode.

If that fails, delete the downloaded file and download a fresh copy.

Keep me posted.

#5 krysw

krysw
  • Topic Starter

  • Members
  • 10 posts

Posted 26 July 2013 - 12:50 PM

I have tried in both safe mode and in normal and the same thing happens. I have tried saving and then running but still the same.



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 July 2013 - 01:08 PM

Do you have Winzip or 7-zip on this computer?

How much space do you have on that drive?

#7 krysw

krysw
  • Topic Starter

  • Members
  • 10 posts

Posted 26 July 2013 - 02:41 PM

I have WinRAR and plenty of space.



#8 krysw

krysw
  • Topic Starter

  • Members
  • 10 posts

Posted 26 July 2013 - 04:06 PM

Downloaded WinZip and managed to run JRT. Here's the report:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.2.3 (07.25.2013:1)
OS: Microsoft Windows XP x86
Ran by Owner on 26/07/2013 at 21:58:38.01
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

 

~~~ Registry Keys

 

~~~ Files

Successfully deleted: [File] "C:\Program Files\mozilla firefox\plugins\npcouponprinter.dll"
Successfully deleted: [File] "C:\Program Files\mozilla firefox\plugins\npmozcouponprinter.dll"
Successfully deleted: [File] C:\eula.1028.txt
Successfully deleted: [File] C:\eula.1031.txt
Successfully deleted: [File] C:\eula.1033.txt
Successfully deleted: [File] C:\eula.1036.txt
Successfully deleted: [File] C:\eula.1040.txt
Successfully deleted: [File] C:\eula.1041.txt
Successfully deleted: [File] C:\eula.1042.txt
Successfully deleted: [File] C:\eula.2052.txt
Successfully deleted: [File] C:\install.res.1028.dll
Successfully deleted: [File] C:\install.res.1031.dll
Successfully deleted: [File] C:\install.res.1033.dll
Successfully deleted: [File] C:\install.res.1036.dll
Successfully deleted: [File] C:\install.res.1040.dll
Successfully deleted: [File] C:\install.res.1041.dll
Successfully deleted: [File] C:\install.res.1042.dll
Successfully deleted: [File] C:\install.res.2052.dll
Successfully deleted: [File] C:\install.res.3082.dll
Successfully deleted: [File] "C:\WINDOWS\couponprinter.ocx"

 

~~~ Folders

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 26/07/2013 at 22:04:43.17
End of JRT log



#9 krysw

krysw
  • Topic Starter

  • Members
  • 10 posts

Posted 26 July 2013 - 04:40 PM

ComboFix report:

ComboFix 13-07-25.02 - Owner 26/07/2013  22:22:21.2.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.44.1033.18.1014.489 [GMT 1:00]
Running from: c:\documents and settings\Owner\My Documents\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-26 to 2013-07-26  )))))))))))))))))))))))))))))))
.
.
2013-07-26 20:58 . 2013-07-26 20:58 -------- d-----w- c:\windows\ERUNT
2013-07-26 20:55 . 2013-07-26 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2013-07-26 09:48 . 2013-07-26 09:48 -------- d-----w- c:\program files\Tweaking.com
2013-07-18 11:47 . 2012-05-09 10:52 26696 ----a-w- c:\windows\system32\drivers\pavboot.sys
2013-07-18 11:18 . 2012-12-10 03:28 142176 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2013-07-18 11:18 . 2012-04-19 03:50 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2013-07-18 11:18 . 2011-12-23 12:32 24144 ----a-w- c:\windows\system32\drivers\avgidsfilterx.sys
2013-07-18 11:18 . 2013-04-11 02:18 302368 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2013-07-18 11:18 . 2012-11-08 03:49 250080 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2013-07-18 11:18 . 2011-12-23 12:32 41040 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2013-07-18 11:18 . 2011-12-23 12:32 17232 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
2013-07-18 11:18 . 2012-01-31 03:46 31952 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2013-07-18 10:37 . 2013-07-18 10:37 -------- d-----w- C:\FRST
2013-07-13 18:02 . 2013-07-13 18:02 -------- d-----w- c:\program files\HitmanPro
2013-07-13 18:01 . 2013-07-13 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-07-12 17:27 . 2013-07-13 03:19 -------- d-----w- c:\windows\system32\drivers\NST
2013-07-12 17:27 . 2013-07-12 17:27 -------- d-----w- c:\program files\Norton Identity Safe
2013-07-12 17:27 . 2013-07-12 20:29 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2013-07-12 17:27 . 2013-07-12 17:47 -------- d-----w- c:\program files\Common Files\Symantec Shared
2013-07-12 17:27 . 2013-07-12 17:27 -------- d-----w- c:\program files\Symantec
2013-07-12 17:22 . 2013-07-13 06:49 -------- d-----w- c:\windows\system32\drivers\NAV
2013-07-12 17:22 . 2013-07-12 17:22 -------- d-----w- c:\program files\Norton AntiVirus
2013-07-12 17:22 . 2013-07-12 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2013-07-12 17:21 . 2013-07-12 17:27 -------- d-----w- c:\program files\NortonInstaller
2013-07-12 12:24 . 2013-07-12 13:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-07-11 19:24 . 2013-07-26 16:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Panda Security
2013-07-11 18:16 . 2013-07-11 18:31 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-11 18:16 . 2013-07-11 18:31 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-11 16:56 . 2013-07-11 19:12 -------- d-----w- c:\program files\Panda Security
2013-07-11 11:30 . 2013-07-11 12:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Auslogics
2013-07-11 09:19 . 2013-07-11 09:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Foresight Software
2013-07-11 09:19 . 2013-07-11 09:19 -------- d-----w- c:\documents and settings\Owner\Application Data\Foresight Software
2013-07-10 19:44 . 2013-07-10 19:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2013-07-10 19:44 . 2013-07-10 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-06-29 11:19 . 2013-06-29 11:19 -------- d-----w- c:\documents and settings\LocalService\Application Data\TuneUp Software
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-07 21:30 . 2009-09-18 21:00 841216 ----a-w- c:\windows\system32\wininet.dll
2013-06-07 21:30 . 2009-09-18 20:59 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2013-06-07 21:30 . 2009-09-18 20:59 78336 ----a-w- c:\windows\system32\ieencode.dll
2013-06-07 21:30 . 2009-09-18 20:59 17408 ----a-w- c:\windows\system32\corpol.dll
2013-06-04 07:23 . 2008-04-14 04:42 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40 . 2009-09-18 20:58 1876736 ----a-w- c:\windows\system32\win32k.sys
2013-05-14 10:41 . 2013-05-10 10:38 252288 ----a-r- c:\windows\system32\cpnprt2.cid
2013-05-14 10:33 . 2013-05-14 10:33 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-14 10:33 . 2013-05-14 10:34 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-14 10:33 . 2012-09-29 10:22 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-05-14 10:33 . 2011-03-04 14:16 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-05-10 10:38 . 2013-05-10 10:38 338304 ----a-r- c:\windows\system32\cpnprtuk.cid
2013-05-08 23:28 . 2006-10-18 21:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-05-03 01:26 . 2009-09-18 20:58 2193536 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2009-02-07 19:02 2070144 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-03-05 18:43 . 2011-03-05 18:43 119808 -c--a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-09-18 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 1449984]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-03-05 30192]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-09-01 90448]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 531272]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe -s [2006-2-10 73728]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2013-4-29 685936]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Spearit\\Move Me\\MoveMe.exe"=
"c:\\Program Files\\Laplink\\Laplink Gold\\laplink.exe"=
"c:\\Program Files\\Laplink\\PCmover\\PCmover.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [18/07/2013 12:18 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [18/07/2013 12:18 31952]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1404000.028\symds.sys [12/07/2013 21:27 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1404000.028\symefa.sys [12/07/2013 21:27 934488]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [18/07/2013 12:18 302368]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.3.0.36\Definitions\BASHDefs\20130715.001\BHDrvx86.sys [16/07/2013 22:48 1002072]
R1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAV\1404000.028\ccsetx86.sys [12/07/2013 21:27 134744]
R1 ccSet_NST;Norton Identity Safe Settings Manager;c:\windows\system32\drivers\NST\7DD03000.01A\ccSetx86.sys [12/07/2013 18:28 134304]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1404000.028\ironx86.sys [12/07/2013 21:27 175264]
R1 tsircmir;LapLink Mirror Driver Miniport;c:\windows\system32\drivers\tsircmir.sys [14/05/2010 13:25 8824]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [13/07/2013 19:02 106280]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\20.4.0.40\ccsvchst.exe [12/07/2013 21:26 144368]
R2 NCO;Norton Identity Safe;c:\program files\Norton Identity Safe\Engine\2013.3.0.26\ccSvcHst.exe [12/07/2013 18:27 144520]
R2 TSISER;TSISER;c:\windows\system32\drivers\tsiser.sys [14/05/2010 13:25 27896]
R2 TSISTRMX;Traveling Software Stream Driver;c:\windows\system32\drivers\tsistrmx.sys [14/05/2010 13:25 11384]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [18/07/2013 12:18 142176]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [18/07/2013 12:18 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [18/07/2013 12:18 17232]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.3.0.36\Definitions\IPSDefs\20130725.001\IDSXpx86.sys [26/07/2013 15:33 373728]
R3 llkbf;LLRC Keyboard Filter;c:\windows\system32\drivers\llkbf.sys [13/03/2011 19:53 19552]
R3 llrcmir;llrcmir;c:\windows\system32\drivers\llrcm.sys [13/03/2011 19:53 11872]
R3 TSIKBF5;Traveling Software Keyboard Filter Driver;c:\windows\system32\drivers\tsikbf5.sys [14/05/2010 13:25 14584]
R3 TSIMSF5;Traveling Software Mouse Filter Driver;c:\windows\system32\drivers\tsimsf5.sys [14/05/2010 13:25 13176]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [18/07/2013 12:18 250080]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\AVG\AVG2012\AVGIDSAgent.exe" --> c:\program files\AVG\AVG2012\AVGIDSAgent.exe [?]
S2 avgwd;AVG WatchDog;"c:\program files\AVG\AVG2012\avgwdsvc.exe" --> c:\program files\AVG\AVG2012\avgwdsvc.exe [?]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13/07/2012 13:28 160944]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [05/03/2011 19:43 30192]
S3 LLRCService;LLRCService;c:\windows\system32\LLRCService.exe [14/05/2010 12:45 181624]
S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [14/03/2011 00:27 4736]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [14/03/2011 00:27 8960]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - EraserUtilDrv11220
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-11 c:\windows\Tasks\doxillionShakeIcon.job
- c:\program files\NCH Software\Doxillion\doxillion.exe [2011-10-24 10:15]
.
2013-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-01 18:05]
.
2013-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-01 18:05]
.
2013-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1677128483-1177238915-1004Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-27 20:29]
.
2013-07-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1677128483-1177238915-1004UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-27 20:29]
.
2013-07-11 c:\windows\Tasks\mixpadShakeIcon.job
- c:\program files\NCH Software\MixPad\mixpad.exe [2011-07-30 22:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
DPF: {283B7DE7-A1ED-4D27-AA59-C6E7427544D2} - hxxps://bg.itronenergypoint.net/IHVConnect/KeyBoxControl.cab
DPF: {2A293777-79CA-4DD9-A545-0E1718C0D3CF} - hxxps://bg.itronenergypoint.net/IHVConnect2/KeyboxControl.cab
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-NanoServiceMain
SafeBoot-PSUAService
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-26 22:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\20.4.0.40\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\20.4.0.40\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NCO]
"ImagePath"="\"c:\program files\Norton Identity Safe\Engine\2013.3.0.26\ccSvcHst.exe\" /s \"NCO\" /m \"c:\program files\Norton Identity Safe\Engine\2013.3.0.26\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
- - - - - - - > 'explorer.exe'(5860)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
Completion time: 2013-07-26  22:39:20
ComboFix-quarantined-files.txt  2013-07-26 21:39
ComboFix2.txt  2013-07-15 10:09
.
Pre-Run: 180,439,015,424 bytes free
Post-Run: 180,510,232,576 bytes free
.
- - End Of File - - 36B0F07A445ED3D23246F1F73D1AFB20
8F558EB6672622401DA993E1E865C861
 



#10 krysw (Topic Starter, Members, 10 posts)

Posted 26 July 2013 - 04:56 PM

 Results of screen317's Security Check version 0.99.71 
 Windows XP Service Pack 3 x86  
 Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
 Norton AntiVirus    
`````````Anti-malware/Other Utilities Check:`````````
 Java 7 Update 21 
 Java version out of Date!
 Adobe Flash Player  11.8.800.94 
 Adobe Reader 10.1.7 Adobe Reader out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
 Norton ccSvcHst.exe
 Norton AntiVirus Engine 20.4.0.40 ccSvcHst.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 2%
````````````````````End of Log``````````````````````

 

The problem with Facebook using Chrome is still the same, I'm afraid.



#11 krysw (Topic Starter, Members, 10 posts)

Posted 27 July 2013 - 05:48 AM

I noticed on the ComboFix report that it says "AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}", but I could find no trace of that programme, so I ran your suggested AVG removal tool and have rerun ComboFix. Here's that report.

ComboFix 13-07-25.02 - Owner 27/07/2013  11:22:18.3.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.44.1033.18.1014.546 [GMT 1:00]
Running from: c:\documents and settings\Owner\My Documents\ComboFix.exe
AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Local Settings\Application Data\assembly\tmp
.
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-27 to 2013-07-27  )))))))))))))))))))))))))))))))
.
.
2013-07-26 22:09 . 2013-07-26 22:09 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\WinZip Courier
2013-07-26 21:59 . 2013-07-27 10:31 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\assembly
2013-07-26 20:58 . 2013-07-26 20:58 -------- d-----w- c:\windows\ERUNT
2013-07-26 20:55 . 2013-07-26 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2013-07-26 09:48 . 2013-07-26 09:48 -------- d-----w- c:\program files\Tweaking.com
2013-07-18 11:47 . 2012-05-09 10:52 26696 ----a-w- c:\windows\system32\drivers\pavboot.sys
2013-07-18 10:37 . 2013-07-18 10:37 -------- d-----w- C:\FRST
2013-07-13 18:02 . 2013-07-13 18:02 -------- d-----w- c:\program files\HitmanPro
2013-07-13 18:01 . 2013-07-13 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-07-12 17:27 . 2013-07-13 03:19 -------- d-----w- c:\windows\system32\drivers\NST
2013-07-12 17:27 . 2013-07-12 17:27 -------- d-----w- c:\program files\Norton Identity Safe
2013-07-12 17:27 . 2013-07-12 20:29 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2013-07-12 17:27 . 2013-07-12 17:47 -------- d-----w- c:\program files\Common Files\Symantec Shared
2013-07-12 17:27 . 2013-07-12 17:27 -------- d-----w- c:\program files\Symantec
2013-07-12 17:22 . 2013-07-13 06:49 -------- d-----w- c:\windows\system32\drivers\NAV
2013-07-12 17:22 . 2013-07-12 17:22 -------- d-----w- c:\program files\Norton AntiVirus
2013-07-12 17:22 . 2013-07-12 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2013-07-12 17:21 . 2013-07-12 17:27 -------- d-----w- c:\program files\NortonInstaller
2013-07-12 12:24 . 2013-07-12 13:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-07-11 19:24 . 2013-07-26 16:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Panda Security
2013-07-11 18:16 . 2013-07-11 18:31 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-11 18:16 . 2013-07-11 18:31 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-11 16:56 . 2013-07-11 19:12 -------- d-----w- c:\program files\Panda Security
2013-07-11 11:30 . 2013-07-11 12:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Auslogics
2013-07-11 09:19 . 2013-07-11 09:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Foresight Software
2013-07-11 09:19 . 2013-07-11 09:19 -------- d-----w- c:\documents and settings\Owner\Application Data\Foresight Software
2013-07-10 19:44 . 2013-07-10 19:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2013-07-10 19:44 . 2013-07-10 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-06-29 11:19 . 2013-06-29 11:19 -------- d-----w- c:\documents and settings\LocalService\Application Data\TuneUp Software
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-07 21:30 . 2009-09-18 21:00 841216 ----a-w- c:\windows\system32\wininet.dll
2013-06-07 21:30 . 2009-09-18 20:59 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2013-06-07 21:30 . 2009-09-18 20:59 78336 ----a-w- c:\windows\system32\ieencode.dll
2013-06-07 21:30 . 2009-09-18 20:59 17408 ----a-w- c:\windows\system32\corpol.dll
2013-06-04 07:23 . 2008-04-14 04:42 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40 . 2009-09-18 20:58 1876736 ----a-w- c:\windows\system32\win32k.sys
2013-05-14 10:41 . 2013-05-10 10:38 252288 ----a-r- c:\windows\system32\cpnprt2.cid
2013-05-14 10:33 . 2013-05-14 10:33 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-14 10:33 . 2013-05-14 10:34 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-14 10:33 . 2012-09-29 10:22 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-05-14 10:33 . 2011-03-04 14:16 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-05-10 10:38 . 2013-05-10 10:38 338304 ----a-r- c:\windows\system32\cpnprtuk.cid
2013-05-08 23:28 . 2006-10-18 21:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-05-03 01:26 . 2009-09-18 20:58 2193536 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2009-02-07 19:02 2070144 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-03-05 18:43 . 2011-03-05 18:43 119808 -c--a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-09-18 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 1449984]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-03-05 30192]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-09-01 90448]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 531272]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe -s [2006-2-10 73728]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2013-4-29 685936]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Spearit\\Move Me\\MoveMe.exe"=
"c:\\Program Files\\Laplink\\Laplink Gold\\laplink.exe"=
"c:\\Program Files\\Laplink\\PCmover\\PCmover.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1404000.028\symds.sys [12/07/2013 21:27 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1404000.028\symefa.sys [12/07/2013 21:27 934488]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.3.0.36\Definitions\BASHDefs\20130715.001\BHDrvx86.sys [16/07/2013 22:48 1002072]
R1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAV\1404000.028\ccsetx86.sys [12/07/2013 21:27 134744]
R1 ccSet_NST;Norton Identity Safe Settings Manager;c:\windows\system32\drivers\NST\7DD03000.01A\ccSetx86.sys [12/07/2013 18:28 134304]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1404000.028\ironx86.sys [12/07/2013 21:27 175264]
R1 tsircmir;LapLink Mirror Driver Miniport;c:\windows\system32\drivers\tsircmir.sys [14/05/2010 13:25 8824]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [13/07/2013 19:02 106280]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\20.4.0.40\ccsvchst.exe [12/07/2013 21:26 144368]
R2 NCO;Norton Identity Safe;c:\program files\Norton Identity Safe\Engine\2013.3.0.26\ccSvcHst.exe [12/07/2013 18:27 144520]
R2 TSISER;TSISER;c:\windows\system32\drivers\tsiser.sys [14/05/2010 13:25 27896]
R2 TSISTRMX;Traveling Software Stream Driver;c:\windows\system32\drivers\tsistrmx.sys [14/05/2010 13:25 11384]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [26/07/2013 18:10 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.3.0.36\Definitions\IPSDefs\20130726.001\IDSXpx86.sys [27/07/2013 01:23 373728]
R3 llkbf;LLRC Keyboard Filter;c:\windows\system32\drivers\llkbf.sys [13/03/2011 19:53 19552]
R3 llrcmir;llrcmir;c:\windows\system32\drivers\llrcm.sys [13/03/2011 19:53 11872]
R3 TSIKBF5;Traveling Software Keyboard Filter Driver;c:\windows\system32\drivers\tsikbf5.sys [14/05/2010 13:25 14584]
R3 TSIMSF5;Traveling Software Mouse Filter Driver;c:\windows\system32\drivers\tsimsf5.sys [14/05/2010 13:25 13176]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13/07/2012 13:28 160944]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [05/03/2011 19:43 30192]
S3 LLRCService;LLRCService;c:\windows\system32\LLRCService.exe [14/05/2010 12:45 181624]
S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [14/03/2011 00:27 4736]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [14/03/2011 00:27 8960]
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-11 c:\windows\Tasks\doxillionShakeIcon.job
- c:\program files\NCH Software\Doxillion\doxillion.exe [2011-10-24 10:15]
.
2013-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-01 18:05]
.
2013-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-01 18:05]
.
2013-07-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1677128483-1177238915-1004Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-27 20:29]
.
2013-07-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1677128483-1177238915-1004UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-27 20:29]
.
2013-07-11 c:\windows\Tasks\mixpadShakeIcon.job
- c:\program files\NCH Software\MixPad\mixpad.exe [2011-07-30 22:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
DPF: {283B7DE7-A1ED-4D27-AA59-C6E7427544D2} - hxxps://bg.itronenergypoint.net/IHVConnect/KeyBoxControl.cab
DPF: {2A293777-79CA-4DD9-A545-0E1718C0D3CF} - hxxps://bg.itronenergypoint.net/IHVConnect2/KeyboxControl.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-27 11:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\20.4.0.40\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\20.4.0.40\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NCO]
"ImagePath"="\"c:\program files\Norton Identity Safe\Engine\2013.3.0.26\ccSvcHst.exe\" /s \"NCO\" /m \"c:\program files\Norton Identity Safe\Engine\2013.3.0.26\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
- - - - - - - > 'explorer.exe'(4072)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-07-27  11:37:00
ComboFix-quarantined-files.txt  2013-07-27 10:36
ComboFix2.txt  2013-07-26 21:39
ComboFix3.txt  2013-07-15 10:09
.
Pre-Run: 180,647,911,424 bytes free
Post-Run: 180,665,425,920 bytes free
.
- - End Of File - - E983FC28D7F8CF63039C5F8299A71D11
8F558EB6672622401DA993E1E865C861
 



#12 nasdaq (Malware Response Team, 38,936 posts, Montreal, QC, Canada)

Posted 27 July 2013 - 08:36 AM

Did you also remove the AVG Firewall?
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}

The SecurityCheck reports "Windows Firewall Enabled!"

I can prepare a script to remove the registry item.
===

Is the problem persisting?

Could you give me some information as to what you are doing with the browsers, and whether you get any error messages?

#13 krysw (Topic Starter, Members, 10 posts)

Posted 27 July 2013 - 12:36 PM

I have switched off the firewall and rerun ComboFix.

ComboFix 13-07-25.02 - Owner 27/07/2013  17:50:56.4.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.44.1033.18.1014.533 [GMT 1:00]
Running from: c:\documents and settings\Owner\My Documents\ComboFix.exe
AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Local Settings\Application Data\assembly\tmp
c:\windows\system32\rnaph.dll
.
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-27 to 2013-07-27  )))))))))))))))))))))))))))))))
.
.
2013-07-26 22:09 . 2013-07-26 22:09 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\WinZip Courier
2013-07-26 21:59 . 2013-07-27 17:00 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\assembly
2013-07-26 20:58 . 2013-07-26 20:58 -------- d-----w- c:\windows\ERUNT
2013-07-26 20:55 . 2013-07-26 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2013-07-26 09:48 . 2013-07-26 09:48 -------- d-----w- c:\program files\Tweaking.com
2013-07-18 11:47 . 2012-05-09 10:52 26696 ----a-w- c:\windows\system32\drivers\pavboot.sys
2013-07-18 10:37 . 2013-07-18 10:37 -------- d-----w- C:\FRST
2013-07-13 18:02 . 2013-07-13 18:02 -------- d-----w- c:\program files\HitmanPro
2013-07-13 18:01 . 2013-07-13 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-07-12 17:27 . 2013-07-13 03:19 -------- d-----w- c:\windows\system32\drivers\NST
2013-07-12 17:27 . 2013-07-12 17:27 -------- d-----w- c:\program files\Norton Identity Safe
2013-07-12 17:27 . 2013-07-12 20:29 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2013-07-12 17:27 . 2013-07-12 17:47 -------- d-----w- c:\program files\Common Files\Symantec Shared
2013-07-12 17:27 . 2013-07-12 17:27 -------- d-----w- c:\program files\Symantec
2013-07-12 17:22 . 2013-07-13 06:49 -------- d-----w- c:\windows\system32\drivers\NAV
2013-07-12 17:22 . 2013-07-12 17:22 -------- d-----w- c:\program files\Norton AntiVirus
2013-07-12 17:22 . 2013-07-12 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2013-07-12 17:21 . 2013-07-12 17:27 -------- d-----w- c:\program files\NortonInstaller
2013-07-12 12:24 . 2013-07-12 13:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-07-11 19:24 . 2013-07-26 16:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Panda Security
2013-07-11 18:16 . 2013-07-11 18:31 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-11 18:16 . 2013-07-11 18:31 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-11 16:56 . 2013-07-11 19:12 -------- d-----w- c:\program files\Panda Security
2013-07-11 11:30 . 2013-07-11 12:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Auslogics
2013-07-11 09:19 . 2013-07-11 09:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Foresight Software
2013-07-11 09:19 . 2013-07-11 09:19 -------- d-----w- c:\documents and settings\Owner\Application Data\Foresight Software
2013-07-10 19:44 . 2013-07-10 19:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2013-07-10 19:44 . 2013-07-10 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-06-29 11:19 . 2013-06-29 11:19 -------- d-----w- c:\documents and settings\LocalService\Application Data\TuneUp Software
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-07 21:30 . 2009-09-18 21:00 841216 ----a-w- c:\windows\system32\wininet.dll
2013-06-07 21:30 . 2009-09-18 20:59 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2013-06-07 21:30 . 2009-09-18 20:59 78336 ----a-w- c:\windows\system32\ieencode.dll
2013-06-07 21:30 . 2009-09-18 20:59 17408 ----a-w- c:\windows\system32\corpol.dll
2013-06-04 07:23 . 2008-04-14 04:42 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40 . 2009-09-18 20:58 1876736 ----a-w- c:\windows\system32\win32k.sys
2013-05-14 10:41 . 2013-05-10 10:38 252288 ----a-r- c:\windows\system32\cpnprt2.cid
2013-05-14 10:33 . 2013-05-14 10:33 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-14 10:33 . 2013-05-14 10:34 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-14 10:33 . 2012-09-29 10:22 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-05-14 10:33 . 2011-03-04 14:16 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-05-10 10:38 . 2013-05-10 10:38 338304 ----a-r- c:\windows\system32\cpnprtuk.cid
2013-05-08 23:28 . 2006-10-18 21:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-05-03 01:26 . 2009-09-18 20:58 2193536 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2009-02-07 19:02 2070144 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-03-05 18:43 . 2011-03-05 18:43 119808 -c--a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-09-18 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 1449984]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-03-05 30192]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-09-01 90448]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 531272]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe -s [2006-2-10 73728]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2013-4-29 685936]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Spearit\\Move Me\\MoveMe.exe"=
"c:\\Program Files\\Laplink\\Laplink Gold\\laplink.exe"=
"c:\\Program Files\\Laplink\\PCmover\\PCmover.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1404000.028\symds.sys [12/07/2013 21:27 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1404000.028\symefa.sys [12/07/2013 21:27 934488]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.3.0.36\Definitions\BASHDefs\20130715.001\BHDrvx86.sys [16/07/2013 22:48 1002072]
R1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAV\1404000.028\ccsetx86.sys [12/07/2013 21:27 134744]
R1 ccSet_NST;Norton Identity Safe Settings Manager;c:\windows\system32\drivers\NST\7DD03000.01A\ccSetx86.sys [12/07/2013 18:28 134304]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1404000.028\ironx86.sys [12/07/2013 21:27 175264]
R1 tsircmir;LapLink Mirror Driver Miniport;c:\windows\system32\drivers\tsircmir.sys [14/05/2010 13:25 8824]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [13/07/2013 19:02 106280]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\20.4.0.40\ccsvchst.exe [12/07/2013 21:26 144368]
R2 NCO;Norton Identity Safe;c:\program files\Norton Identity Safe\Engine\2013.3.0.26\ccSvcHst.exe [12/07/2013 18:27 144520]
R2 TSISER;TSISER;c:\windows\system32\drivers\tsiser.sys [14/05/2010 13:25 27896]
R2 TSISTRMX;Traveling Software Stream Driver;c:\windows\system32\drivers\tsistrmx.sys [14/05/2010 13:25 11384]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [26/07/2013 18:10 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.3.0.36\Definitions\IPSDefs\20130726.001\IDSXpx86.sys [27/07/2013 01:23 373728]
R3 llkbf;LLRC Keyboard Filter;c:\windows\system32\drivers\llkbf.sys [13/03/2011 19:53 19552]
R3 llrcmir;llrcmir;c:\windows\system32\drivers\llrcm.sys [13/03/2011 19:53 11872]
R3 TSIKBF5;Traveling Software Keyboard Filter Driver;c:\windows\system32\drivers\tsikbf5.sys [14/05/2010 13:25 14584]
R3 TSIMSF5;Traveling Software Mouse Filter Driver;c:\windows\system32\drivers\tsimsf5.sys [14/05/2010 13:25 13176]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13/07/2012 13:28 160944]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [05/03/2011 19:43 30192]
S3 LLRCService;LLRCService;c:\windows\system32\LLRCService.exe [14/05/2010 12:45 181624]
S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [14/03/2011 00:27 4736]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [14/03/2011 00:27 8960]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - HTTPFILTER
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-11 c:\windows\Tasks\doxillionShakeIcon.job
- c:\program files\NCH Software\Doxillion\doxillion.exe [2011-10-24 10:15]
.
2013-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-01 18:05]
.
2013-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-01 18:05]
.
2013-07-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1677128483-1177238915-1004Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-27 20:29]
.
2013-07-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1677128483-1177238915-1004UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-27 20:29]
.
2013-07-11 c:\windows\Tasks\mixpadShakeIcon.job
- c:\program files\NCH Software\MixPad\mixpad.exe [2011-07-30 22:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
DPF: {283B7DE7-A1ED-4D27-AA59-C6E7427544D2} - hxxps://bg.itronenergypoint.net/IHVConnect/KeyBoxControl.cab
DPF: {2A293777-79CA-4DD9-A545-0E1718C0D3CF} - hxxps://bg.itronenergypoint.net/IHVConnect2/KeyboxControl.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-27 18:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\20.4.0.40\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\20.4.0.40\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NCO]
"ImagePath"="\"c:\program files\Norton Identity Safe\Engine\2013.3.0.26\ccSvcHst.exe\" /s \"NCO\" /m \"c:\program files\Norton Identity Safe\Engine\2013.3.0.26\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2013-07-27  18:05:29
ComboFix-quarantined-files.txt  2013-07-27 17:05
ComboFix2.txt  2013-07-27 10:37
ComboFix3.txt  2013-07-26 21:39
ComboFix4.txt  2013-07-15 10:09
.
Pre-Run: 180,714,471,424 bytes free
Post-Run: 180,711,469,056 bytes free
.
- - End Of File - - B9B12254A29B84146317CFF892886C43
8F558EB6672622401DA993E1E865C861
The problem is most noticeable on Google Chrome but also affects IE. If I'm on Facebook and click on a video, game or link to a site with Flash or video, it closes down and I get "Whoa. Google Chrome has crashed. Relaunch Now? OK or Cancel." If I relaunch and restore, it immediately crashes again. On IE I can get on some of the sites with Flash but not all, and can't get on anything with video.

#14 nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:54 PM

Posted 27 July 2013 - 12:54 PM

Have a look at your Flash Cache.

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html

You may want to delete the sites giving you problems.

#15 krysw

  • Topic Starter
  • Members
  • 10 posts
  • Local time:03:54 AM

Posted 27 July 2013 - 02:59 PM

I have done that, thanks, but now I am getting dumprep.exe errors using 100% CPU. Any ideas?
