PC Backup? Ads running through speakers


This topic is locked
10 replies to this topic

#1 leighlamb

  • Members
  • 7 posts

Posted 18 August 2013 - 02:04 PM

Hello! I had Backup PC and thought that Norton (I get free from Comcast) removed it, but evidently it's still here.  I am still having a small popup in the lower left corner of my screen which changes based on the webpage I'm on I think.  Also, if I try to watch a video, or turn on the speakers at all, my computer sounds schizophrenic--as in there are multiple voices of different language (sometimes) playing through the speakers.  Sometimes when I Google something and try to select a link, I am redirected to a page that is completely non-related.  Norton auto protect will sometimes give me the message that there is a "suspicious.cloud.7.ep", and I can't use IE at all, only Firefox. IE just continually "works" with the circle just spinning. I hope the description of my problem is clear.  My son plays Roblox, world of tanks, world of aircraft, and who knows what else. Thanks in advance!

 

I posted this in the "Am I infected..." forum and was instructed to follow the prep guide and repost.  Here are the DDS logs:

 

Attached File: attach.txt (35.83KB)

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16635
Run by Leigh at 13:52:22 on 2013-08-18
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.3327.1310 [GMT -5:00]
.
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Users\Leigh\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe
C:\Program Files\Norton Security Suite\Engine\20.4.0.40\ccSvcHst.exe
C:\Windows\system32\viakaraokesrv.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Norton Security Suite\Engine\20.4.0.40\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
C:\Windows\System32\regsvr32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_8_800_94_ActiveX.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: SySaver: {2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3} - c:\users\leigh\appdata\local\sysaver\temp.dat
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton security suite\engine\20.4.0.40\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton security suite\engine\20.4.0.40\ips\ipsbho.dll
BHO: DefaultTab Browser Helper: {7F6AFBF1-E065-4627-A2FD-810366367D01} - c:\users\leigh\appdata\roaming\defaulttab\defaulttab\DefaultTabBHO.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton security suite\engine\20.4.0.40\coieplg.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton security suite\engine\20.4.0.40\coieplg.dll
uRun: [EADM] "c:\program files\origin\Origin.exe" -AutoStart
uRun: [Electronic Arts Update] regsvr32.exe "c:\users\leigh\appdata\local\electronic arts\CNBLH.DLL"
uRun: [Mozilla] rundll32 "c:\users\leigh\appdata\local\diagnostics\mozilla\oeocgnjejb.dll",DllRegisterServer
mRun: [HDAudDeck] c:\program files\via\viaudioi\vdeck\VDeck.exe -r
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [JavaSoft Update] regsvr32.exe c:\windows\system32\config\systemprofile\appdata\local\javasoft\ICDFConv.dll
dRun: [Mozilla] rundll32 "c:\users\leigh\appdata\local\diagnostics\mozilla\oeocgnjejb.dll",DllRegisterServer
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{9732C720-464B-48E3-BED2-262BBBCDFF53} : DHCPNameServer = 75.75.75.75 75.75.76.76
SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\leigh\appdata\roaming\mozilla\firefox\profiles\uovtc7uw.default-1375896852069\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_94.dll
FF - ExtSQL: 2013-08-07 13:12; {BBDA0591-3099-440a-AA10-41764D9DB4DB}; c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.1.0.24\IPSFFPlgn
FF - ExtSQL: 2013-08-07 13:40; {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}; c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.1.0.24\coFFPlgn
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\1404000.028\symds.sys [2013-8-8 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\1404000.028\symefa.sys [2013-8-8 934488]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.1.0.24\definitions\bashdefs\20130715.001\BHDrvx86.sys [2013-7-15 1002072]
R1 ccSet_N360;Norton Security Suite Settings Manager;c:\windows\system32\drivers\n360\1404000.028\ccsetx86.sys [2013-8-8 134744]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.1.0.24\definitions\ipsdefs\20130813.001\IDSvix86.sys [2013-8-13 386720]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\1404000.028\ironx86.sys [2013-8-8 175264]
R1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\n360\1404000.028\symnets.sys [2013-8-8 339544]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-2-10 172032]
R2 DefaultTabUpdate;DefaultTabUpdate;c:\users\leigh\appdata\roaming\defaulttab\defaulttab\DTUpdate.exe [2013-7-24 107520]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\20.4.0.40\ccsvchst.exe [2013-8-8 144368]
R2 VIAKaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\ViakaraokeSrv.exe [2013-3-13 27792]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2013-8-7 106656]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2013-3-13 543336]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2013-3-13 37504]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2013-3-13 1837200]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
S3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-20 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-3-8 1343400]
.
=============== Created Last 30 ================
.
2013-08-08 15:14:58    934488    ----a-w-    c:\windows\system32\drivers\n360\1404000.028\symefa.sys
2013-08-08 15:14:58    603224    ----a-w-    c:\windows\system32\drivers\n360\1404000.028\srtsp.sys
2013-08-08 15:14:58    367704    ----a-w-    c:\windows\system32\drivers\n360\1404000.028\symds.sys
2013-08-08 15:14:58    339544    ----a-w-    c:\windows\system32\drivers\n360\1404000.028\symnets.sys
2013-08-08 15:14:58    32344    ----a-w-    c:\windows\system32\drivers\n360\1404000.028\srtspx.sys
2013-08-08 15:14:58    21400    ----a-r-    c:\windows\system32\drivers\n360\1404000.028\symelam.sys
2013-08-08 15:14:58    175264    ----a-r-    c:\windows\system32\drivers\n360\1404000.028\ironx86.sys
2013-08-08 15:14:58    134744    ----a-w-    c:\windows\system32\drivers\n360\1404000.028\ccsetx86.sys
2013-08-08 15:14:41    14818    ----a-w-    c:\windows\system32\drivers\n360\1404000.028\symvtcer.dat
2013-08-08 15:14:41    --------    d-----w-    c:\windows\system32\drivers\n360\1404000.028
2013-08-08 10:47:04    --------    d-----w-    c:\users\leigh\appdata\local\JavaSoft
2013-08-07 19:23:55    --------    d-----w-    c:\users\leigh\appdata\local\Macromedia
2013-08-07 18:11:26    142496    ----a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
2013-08-07 18:11:26    --------    d-----w-    c:\program files\Symantec
2013-08-07 18:11:26    --------    d-----w-    c:\program files\common files\Symantec Shared
2013-08-07 18:10:48    --------    d-----w-    c:\windows\system32\drivers\N360
2013-08-07 18:10:47    --------    d-----w-    c:\program files\Norton Security Suite
2013-08-07 18:09:05    --------    d-----w-    c:\program files\NortonInstaller
2013-08-07 18:07:23    --------    d-----w-    c:\programdata\Norton
2013-08-07 17:58:31    6954968    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll
2013-08-07 17:58:28    7143960    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\{31d6e4c3-3a0a-4f55-b0ce-3b7653295c43}\mpengine.dll
2013-08-07 17:27:25    --------    d-----w-    c:\users\leigh\appdata\local\ApplicationHistory
2013-08-07 17:15:00    --------    d-----w-    c:\users\leigh\appdata\local\Mozilla
2013-08-07 16:24:18    --------    d-----w-    c:\users\leigh\appdata\roaming\Soxowo
2013-08-07 16:24:18    --------    d-----w-    c:\users\leigh\appdata\roaming\Abwy
2013-08-06 21:53:04    --------    d-----w-    c:\users\leigh\appdata\local\Electronic Arts
2013-07-28 08:00:37    --------    d-----w-    c:\windows\system32\MRT
2013-07-25 21:03:33    --------    d-----w-    C:\TempDump
2013-07-24 20:12:49    --------    d-----w-    c:\users\leigh\appdata\roaming\DefaultTab
2013-07-24 20:12:38    --------    d-----w-    c:\users\leigh\appdata\local\SySaver
2013-07-24 20:12:27    --------    d-----w-    c:\program files\MyPC Backup
2013-07-24 20:11:46    --------    d-----w-    c:\program files\Yahoo!
.
==================== Find3M  ====================
.
2013-08-07 19:23:28    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-07 19:23:28    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-06-11 23:43:37    1767936    ----a-w-    c:\windows\system32\wininet.dll
2013-06-11 23:43:00    2877440    ----a-w-    c:\windows\system32\jscript9.dll
2013-06-11 23:42:58    61440    ----a-w-    c:\windows\system32\iesetup.dll
2013-06-11 23:42:58    109056    ----a-w-    c:\windows\system32\iesysprep.dll
2013-06-11 22:51:45    71680    ----a-w-    c:\windows\system32\RegisterIEPKEYs.exe
2013-06-07 02:37:52    2706432    ----a-w-    c:\windows\system32\mshtml.tlb
2013-06-05 08:02:11    9728    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-06-05 03:05:09    2347520    ----a-w-    c:\windows\system32\win32k.sys
2013-06-04 04:53:07    509440    ----a-w-    c:\windows\system32\qedit.dll
.
============= FINISH: 13:53:25.95 ===============

#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 18 August 2013 - 07:58 PM

Please run the following:

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 leighlamb
  • Topic Starter

  • Members
  • 7 posts

Posted 19 August 2013 - 01:57 PM

Thanks! Here are the results:

 

Attached File: Addition.txt (17.43KB)

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 19-08-2013
Ran by Leigh (administrator) on 19-08-2013 13:53:29
Running from C:\Users\Leigh\Downloads
Microsoft Windows 7 Ultimate  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(AMD) C:\Windows\system32\atiesrxx.exe
(AMD) C:\Windows\system32\atieclxx.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Users\Leigh\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe
(Symantec Corporation) C:\Program Files\Norton Security Suite\Engine\20.4.0.40\ccSvcHst.exe
(VIA Technologies, Inc.) C:\Windows\system32\viakaraokesrv.exe
(Yahoo! Inc.) C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
(Symantec Corporation) C:\Program Files\Norton Security Suite\Engine\20.4.0.40\ccSvcHst.exe
(VIA) C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
(Microsoft Corporation) C:\Windows\System32\regsvr32.exe
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [HDAudDeck] - C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe [4011152 2012-07-11] (VIA)
HKLM\...\Run: [StartCCC] - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-02-10] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-10] (Adobe Systems Incorporated)
HKLM\...\Run: [JavaSoft Update] - regsvr32.exe C:\Windows\system32\config\systemprofile\AppData\Local\JavaSoft\ICDFConv.dll [x]
HKCU\...\Run: [EADM] - C:\Program Files\Origin\Origin.exe [3549528 2013-07-31] (Electronic Arts)
HKCU\...\Run: [Electronic Arts Update] - C:\Users\Leigh\AppData\Local\Electronic Arts\CNBLH.DLL [929280 2013-08-06] (CANON INC.)
HKCU\...\Run: [Mozilla] - rundll32 "C:\Users\Leigh\AppData\Local\Diagnostics\Mozilla\oeocgnjejb.dll",DllRegisterServer [x] <===== ATTENTION
HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] \\?\globalroot\Device\HarddiskVolume2\Users\Leigh\AppData\Local\Temp\sfunnrv\serdpuc\wow.dll ATTENTION! ====> ZeroAccess?
HKCU\...\Policies\system: [LogonHoursAction] 2
HKCU\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
MountPoints2: {057754df-8c43-11e2-9ce2-806e6f6e6963} - D:\Setup.exe
HKU\Jerry\...\Policies\system: [LogonHoursAction] 2
HKU\Jerry\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Lily\...\Policies\system: [LogonHoursAction] 2
HKU\Lily\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Mark\...\Run: [Steam] - C:\Program Files\Steam\Steam.exe [ 2013-07-26] (Valve Corporation)
HKU\Mark\...\Policies\system: [LogonHoursAction] 2
HKU\Mark\...\Policies\system: [DontDisplayLogonHoursWarnings] 1

==================== Internet (Whitelisted) ====================

SearchScopes: HKCU - {2B285EAB-589B-4DAF-8F72-EDBFE94C423A} URL = http://search.conduit.com/Results.aspx?ctid=CT3300019&SearchSource=45&UM=2&q={searchTerms}
BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
BHO: SySaver - {2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3} - C:\Users\Leigh\AppData\Local\SySaver\temp.dat ()
BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation)
BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\20.4.0.40\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: DefaultTab Browser Helper - {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Users\Leigh\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll (Search Results LLC.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation)
Toolbar: HKCU -Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Winsock: Catalog9 01 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 02 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 03 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 04 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 05 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 06 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 07 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 08 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 09 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 10 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 11 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 12 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 13 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 14 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 15 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 16 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 17 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 18 mswsock.dll File Not found (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

FireFox:
========
FF ProfilePath: C:\Users\Leigh\AppData\Roaming\Mozilla\Firefox\Profiles\uovtc7uw.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_11_8_800_94.dll ()
FF Plugin: @adobe.com/ShockwavePlayer - C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: SySaver - C:\Program Files\Mozilla Firefox\extensions\ecyoivyyjrojzoyplneg@nrbkkafymvigofepbi.org
FF Extension: Default - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF Extension: Default - C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF HKLM\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\coFFPlgn\
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\coFFPlgn\
FF HKLM\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\IPSFFPlgn\
FF Extension: Norton Vulnerability Protection - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\IPSFFPlgn\

========================== Services (Whitelisted) =================

R2 DefaultTabUpdate; C:\Users\Leigh\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe [107520 2013-07-24] ()
R2 N360; C:\Program Files\Norton Security Suite\Engine\20.4.0.40\diMaster.dll [556336 2013-05-29] (Symantec Corporation)
R2 VIAKaraokeService; C:\Windows\system32\viakaraokesrv.exe [27792 2012-07-06] (VIA Technologies, Inc.)
U4 *etadpug; "C:\Program Files\Google\Desktop\Install\{4d4bfb8c-20be-6051-4f10-f496de8afc02}\   \...\???\{4d4bfb8c-20be-6051-4f10-f496de8afc02}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

R0 amdide; C:\Windows\System32\DRIVERS\amdide.sys [11832 2010-03-29] (Advanced Micro Devices Inc.)
R3 amdkmdag; C:\Windows\System32\DRIVERS\atipmdag.sys [5315584 2010-02-10] (ATI Technologies Inc.)
R1 BHDrvx86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130715.001\BHDrvx86.sys [1002072 2013-07-15] (Symantec Corporation)
R1 ccSet_N360; C:\Windows\system32\drivers\N360\1404000.028\ccSetx86.sys [134744 2013-04-15] (Symantec Corporation)
R0 CLFS; C:\Windows\System32\CLFS.sys [249408 2009-07-13] (Microsoft Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2013-08-07] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2013-08-07] (Symantec Corporation)
R1 IDSVix86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130813.001\IDSvix86.sys [386720 2013-08-07] (Symantec Corporation)
R3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130819.001\NAVENG.SYS [93272 2013-08-18] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130819.001\NAVEX15.SYS [1611992 2013-08-18] (Symantec Corporation)
R1 SRTSP; C:\Windows\System32\Drivers\N360\1404000.028\SRTSP.SYS [603224 2013-05-16] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\N360\1404000.028\SRTSPX.SYS [32344 2013-03-04] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\N360\1404000.028\SYMDS.SYS [367704 2013-05-21] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\N360\1404000.028\SYMEFA.SYS [934488 2013-05-23] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142496 2013-08-08] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\N360\1404000.028\Ironx86.SYS [175264 2012-07-27] (Symantec Corporation)
R1 SymNetS; C:\Windows\System32\Drivers\N360\1404000.028\SYMNETS.SYS [339544 2013-04-24] (Symantec Corporation)
R3 VIAHdAudAddService; C:\Windows\System32\drivers\viahduaa.sys [1837200 2012-07-06] (VIA Technologies, Inc.)
S1 oyomxsqc; \??\C:\Windows\system32\drivers\oyomxsqc.sys [x]
S3 VGPU; System32\drivers\rdvgkmd.sys [x]
U3 mbr; \??\C:\Users\Leigh\AppData\Local\Temp\mbr.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-08-19 13:51 - 2013-08-19 13:52 - 01069895 _____ (Farbar) C:\Users\Leigh\Downloads\FRST.exe
2013-08-19 13:49 - 2013-08-19 13:49 - 01575812 _____ (Farbar) C:\Users\Leigh\Downloads\FRST64.exe
2013-08-18 13:53 - 2013-08-18 13:53 - 00036689 _____ C:\Users\Leigh\Desktop\attach.txt
2013-08-18 13:53 - 2013-08-18 13:53 - 00012994 _____ C:\Users\Leigh\Desktop\dds.txt
2013-08-18 13:51 - 2013-08-18 13:51 - 00688992 _____ (Swearware) C:\Users\Leigh\Downloads\dds(1).com
2013-08-18 13:50 - 2013-08-18 13:50 - 00688992 ____R (Swearware) C:\Users\Leigh\Downloads\dds.com
2013-08-17 17:14 - 2013-08-17 17:14 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-08-09 16:52 - 2013-08-09 16:52 - 00002744 _____ C:\{E73C0F4C-17C6-4AB3-8303-406F83D97B56}
2013-08-08 05:47 - 2013-08-08 05:47 - 00000000 ____D C:\Users\Leigh\AppData\Local\JavaSoft
2013-08-07 14:23 - 2013-08-07 14:23 - 00000000 ____D C:\Users\Leigh\AppData\Local\Macromedia
2013-08-07 14:03 - 2013-08-07 14:03 - 00000000 ____D C:\Users\Leigh\Desktop\New folder
2013-08-07 14:02 - 2013-08-07 14:03 - 00000000 ____D C:\Users\Leigh\Desktop\Initials Inc
2013-08-07 13:11 - 2013-08-08 10:15 - 00142496 _____ (Symantec Corporation) C:\Windows\system32\Drivers\SYMEVENT.SYS
2013-08-07 13:11 - 2013-08-08 10:15 - 00007611 _____ C:\Windows\system32\Drivers\SYMEVENT.CAT
2013-08-07 13:11 - 2013-08-07 13:13 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-08-07 13:11 - 2013-08-07 13:11 - 00000000 ____D C:\Program Files\Symantec
2013-08-07 13:10 - 2013-08-08 15:39 - 00000000 ____D C:\Windows\system32\Drivers\N360
2013-08-07 13:10 - 2013-08-07 13:10 - 00000000 ____D C:\Program Files\Norton Security Suite
2013-08-07 13:09 - 2013-08-07 13:09 - 00000000 ____D C:\Users\Leigh\Documents\Symantec
2013-08-07 13:07 - 2013-08-07 13:12 - 00000000 ____D C:\ProgramData\Norton
2013-08-07 13:07 - 2013-08-07 13:09 - 00000000 ____D C:\Users\Leigh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton
2013-08-07 13:07 - 2013-08-07 13:07 - 00001358 _____ C:\Users\Leigh\Desktop\Norton Installation Files.lnk
2013-08-07 13:07 - 2013-08-07 13:07 - 00000000 ____D C:\Users\Public\Downloads\Norton
2013-08-07 12:34 - 2013-08-07 12:34 - 00000000 ____D C:\Users\Leigh\Desktop\Old Firefox Data
2013-08-07 12:15 - 2013-08-07 12:15 - 00000000 ____D C:\Users\Leigh\AppData\Roaming\Mozilla
2013-08-07 12:15 - 2013-08-07 12:15 - 00000000 ____D C:\Users\Leigh\AppData\Local\Mozilla
2013-08-07 11:24 - 2013-08-09 14:13 - 00000000 ____D C:\Users\Leigh\AppData\Roaming\Soxowo
2013-08-07 11:24 - 2013-08-07 12:29 - 00000000 ____D C:\Users\Leigh\AppData\Roaming\Abwy
2013-08-06 16:53 - 2013-08-07 12:50 - 00000000 ____D C:\Users\Leigh\AppData\Local\Electronic Arts
2013-08-03 21:28 - 2013-08-03 21:28 - 00000000 ____D C:\Windows\Sun
2013-08-03 21:28 - 2013-08-03 21:28 - 00000000 ____D C:\Program Files\Google
2013-07-31 15:34 - 2013-07-31 15:34 - 00000000 ____D C:\Users\Mark\AppData\Roaming\Yahoo!
2013-07-28 03:00 - 2013-07-28 03:02 - 00000000 ____D C:\Windows\system32\MRT
2013-07-25 16:03 - 2013-07-25 16:03 - 00000000 ____D C:\TempDump
2013-07-24 23:38 - 2013-07-24 23:38 - 00000014 _____ C:\Users\Leigh\Documents\hi.mep
2013-07-24 15:12 - 2013-08-07 13:14 - 00000000 ____D C:\Users\Leigh\AppData\Roaming\DefaultTab
2013-07-24 15:12 - 2013-08-07 12:27 - 00000000 ____D C:\Program Files\MyPC Backup
2013-07-24 15:12 - 2013-07-24 15:12 - 00000000 ____D C:\Users\Leigh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SySaver
2013-07-24 15:12 - 2013-07-24 15:12 - 00000000 ____D C:\Users\Leigh\AppData\Local\SySaver
2013-07-24 15:11 - 2013-07-31 15:34 - 00000000 ____D C:\ProgramData\Yahoo! Companion
2013-07-24 15:11 - 2013-07-24 15:11 - 00000000 ____D C:\Users\Leigh\AppData\Roaming\Yahoo!
2013-07-24 15:11 - 2013-07-24 15:11 - 00000000 ____D C:\ProgramData\Yahoo!
2013-07-24 15:11 - 2013-07-24 15:11 - 00000000 ____D C:\Program Files\Yahoo!

==================== One Month Modified Files and Folders =======

2013-08-19 13:53 - 2013-08-19 13:53 - 00000000 ____D C:\FRST
2013-08-19 13:52 - 2013-08-19 13:51 - 01069895 _____ (Farbar) C:\Users\Leigh\Downloads\FRST.exe
2013-08-19 13:49 - 2013-08-19 13:49 - 01575812 _____ (Farbar) C:\Users\Leigh\Downloads\FRST64.exe
2013-08-19 13:29 - 2010-11-20 16:01 - 00792118 _____ C:\Windows\system32\PerfStringBackup.INI
2013-08-18 13:53 - 2013-08-18 13:53 - 00036689 _____ C:\Users\Leigh\Desktop\attach.txt
2013-08-18 13:53 - 2013-08-18 13:53 - 00012994 _____ C:\Users\Leigh\Desktop\dds.txt
2013-08-18 13:51 - 2013-08-18 13:51 - 00688992 _____ (Swearware) C:\Users\Leigh\Downloads\dds(1).com
2013-08-18 13:50 - 2013-08-18 13:50 - 00688992 ____R (Swearware) C:\Users\Leigh\Downloads\dds.com
2013-08-18 12:57 - 2013-03-13 17:48 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-08-17 17:14 - 2013-08-17 17:14 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-08-17 16:45 - 2009-07-13 23:53 - 00022078 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-08-17 16:42 - 2013-03-16 16:17 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-08-17 16:02 - 2009-07-13 23:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-17 15:42 - 2009-07-13 23:34 - 00021472 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-17 15:42 - 2009-07-13 23:34 - 00021472 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-17 15:40 - 2013-03-13 20:06 - 01361938 _____ C:\Windows\WindowsUpdate.log
2013-08-17 15:26 - 2013-03-16 19:12 - 00000000 ____D C:\Program Files\Origin
2013-08-17 15:26 - 2013-03-16 13:40 - 00001258 __RSH C:\Users\Leigh\ntuser.pol
2013-08-17 15:26 - 2013-03-16 13:40 - 00000000 ____D C:\Users\Leigh
2013-08-17 15:25 - 2010-11-20 16:48 - 00032056 _____ C:\Windows\PFRO.log
2013-08-17 15:25 - 2009-07-13 23:39 - 00028122 _____ C:\Windows\setupact.log
2013-08-09 16:52 - 2013-08-09 16:52 - 00002744 _____ C:\{E73C0F4C-17C6-4AB3-8303-406F83D97B56}
2013-08-09 14:13 - 2013-08-07 11:24 - 00000000 ____D C:\Users\Leigh\AppData\Roaming\Soxowo
2013-08-08 16:20 - 2013-03-19 17:55 - 00000000 ____D C:\Users\Mark\AppData\Local\War Thunder
2013-08-08 15:50 - 2013-03-16 15:55 - 00001347 _____ C:\Users\Mark\Desktop\ROBLOX Player.lnk
2013-08-08 15:50 - 2013-03-16 15:49 - 00001166 _____ C:\Users\Mark\Desktop\ROBLOX Studio 2013.lnk
2013-08-08 15:39 - 2013-08-07 13:10 - 00000000 ____D C:\Windows\system32\Drivers\N360
2013-08-08 15:39 - 2013-03-16 14:28 - 00000000 ____D C:\Program Files\Steam
2013-08-08 10:15 - 2013-08-07 13:11 - 00142496 _____ (Symantec Corporation) C:\Windows\system32\Drivers\SYMEVENT.SYS
2013-08-08 10:15 - 2013-08-07 13:11 - 00007611 _____ C:\Windows\system32\Drivers\SYMEVENT.CAT
2013-08-08 05:47 - 2013-08-08 05:47 - 00000000 ____D C:\Users\Leigh\AppData\Local\JavaSoft
2013-08-07 14:23 - 2013-08-07 14:23 - 00000000 ____D C:\Users\Leigh\AppData\Local\Macromedia
2013-08-07 14:23 - 2013-03-16 16:17 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2013-08-07 14:23 - 2013-03-16 16:17 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2013-08-07 14:03 - 2013-08-07 14:03 - 00000000 ____D C:\Users\Leigh\Desktop\New folder
2013-08-07 14:03 - 2013-08-07 14:02 - 00000000 ____D C:\Users\Leigh\Desktop\Initials Inc
2013-08-07 13:14 - 2013-07-24 15:12 - 00000000 ____D C:\Users\Leigh\AppData\Roaming\DefaultTab
2013-08-07 13:13 - 2013-08-07 13:11 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-08-07 13:12 - 2013-08-07 13:07 - 00000000 ____D C:\ProgramData\Norton
2013-08-07 13:11 - 2013-08-07 13:11 - 00000000 ____D C:\Program Files\Symantec
2013-08-07 13:10 - 2013-08-07 13:10 - 00000000 ____D C:\Program Files\Norton Security Suite
2013-08-07 13:10 - 2013-03-13 05:52 - 00001945 _____ C:\Windows\epplauncher.mif
2013-08-07 13:09 - 2013-08-07 13:09 - 00000000 ____D C:\Users\Leigh\Documents\Symantec
2013-08-07 13:09 - 2013-08-07 13:07 - 00000000 ____D C:\Users\Leigh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton
2013-08-07 13:07 - 2013-08-07 13:07 - 00001358 _____ C:\Users\Leigh\Desktop\Norton Installation Files.lnk
2013-08-07 13:07 - 2013-08-07 13:07 - 00000000 ____D C:\Users\Public\Downloads\Norton
2013-08-07 12:50 - 2013-08-06 16:53 - 00000000 ____D C:\Users\Leigh\AppData\Local\Electronic Arts
2013-08-07 12:34 - 2013-08-07 12:34 - 00000000 ____D C:\Users\Leigh\Desktop\Old Firefox Data
2013-08-07 12:29 - 2013-08-07 11:24 - 00000000 ____D C:\Users\Leigh\AppData\Roaming\Abwy
2013-08-07 12:27 - 2013-07-24 15:12 - 00000000 ____D C:\Program Files\MyPC Backup
2013-08-07 12:15 - 2013-08-07 12:15 - 00000000 ____D C:\Users\Leigh\AppData\Roaming\Mozilla
2013-08-07 12:15 - 2013-08-07 12:15 - 00000000 ____D C:\Users\Leigh\AppData\Local\Mozilla
2013-08-06 16:54 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\system32\NDF
2013-08-03 21:28 - 2013-08-03 21:28 - 00000000 ____D C:\Windows\Sun
2013-08-03 21:28 - 2013-08-03 21:28 - 00000000 ____D C:\Program Files\Google
2013-07-31 15:47 - 2013-03-16 14:28 - 00000000 ____D C:\Program Files\Common Files\Steam
2013-07-31 15:34 - 2013-07-31 15:34 - 00000000 ____D C:\Users\Mark\AppData\Roaming\Yahoo!
2013-07-31 15:34 - 2013-07-24 15:11 - 00000000 ____D C:\ProgramData\Yahoo! Companion
2013-07-30 08:04 - 2013-03-22 16:08 - 00000000 ___HD C:\Windows\msdownld.tmp
2013-07-30 08:04 - 2013-03-22 16:08 - 00000000 ____D C:\Windows\system32\directx
2013-07-30 08:03 - 2013-06-03 06:35 - 00000802 _____ C:\Users\Public\Desktop\World of Warplanes.lnk
2013-07-28 16:14 - 2013-06-03 15:54 - 00000000 ____D C:\Users\Leigh\AppData\Local\Adobe
2013-07-28 03:02 - 2013-07-28 03:00 - 00000000 ____D C:\Windows\system32\MRT
2013-07-27 13:10 - 2013-07-08 09:34 - 00000984 _____ C:\Users\Public\Desktop\World of Tanks - Common Test.lnk
2013-07-27 09:19 - 2013-03-16 16:45 - 00001634 __RSH C:\Users\Lily\ntuser.pol
2013-07-27 09:19 - 2013-03-16 16:45 - 00000000 ____D C:\Users\Lily
2013-07-26 07:43 - 2013-03-16 13:35 - 00001258 __RSH C:\Users\Jerry\ntuser.pol
2013-07-26 07:43 - 2013-03-13 17:17 - 00000000 ____D C:\Users\Jerry
2013-07-25 16:03 - 2013-07-25 16:03 - 00000000 ____D C:\TempDump
2013-07-24 23:38 - 2013-07-24 23:38 - 00000014 _____ C:\Users\Leigh\Documents\hi.mep
2013-07-24 23:26 - 2013-07-18 18:06 - 00000000 ____D C:\Users\Mark\Documents\SH4
2013-07-24 15:12 - 2013-07-24 15:12 - 00000000 ____D C:\Users\Leigh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SySaver
2013-07-24 15:12 - 2013-07-24 15:12 - 00000000 ____D C:\Users\Leigh\AppData\Local\SySaver
2013-07-24 15:12 - 2013-03-16 14:25 - 00001258 __RSH C:\Users\Mark\ntuser.pol
2013-07-24 15:12 - 2013-03-16 14:25 - 00000000 ____D C:\Users\Mark
2013-07-24 15:11 - 2013-07-24 15:11 - 00000000 ____D C:\Users\Leigh\AppData\Roaming\Yahoo!
2013-07-24 15:11 - 2013-07-24 15:11 - 00000000 ____D C:\ProgramData\Yahoo!
2013-07-24 15:11 - 2013-07-24 15:11 - 00000000 ____D C:\Program Files\Yahoo!
2013-07-22 13:29 - 2013-03-22 19:06 - 00000000 ____D C:\Users\Mark\AppData\Roaming\WinRAR

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

Files to move or delete:
====================
ZeroAccess:
C:\Program Files\Google\Desktop\Install\{4d4bfb8c-20be-6051-4f10-f496de8afc02}

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-07-13 06:55

==================== End Of Log ============================
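The "Bamital & volsnap Check" section of the log above is FRST hashing a short list of critical Windows binaries and reporting "MD5 is legit" only when the hash matches a trusted value; a tampered or missing file at any of those paths is a finding in its own right. The script below is an added example, not FRST's own code or anything posted in this thread: it builds a hash baseline from a known-clean system, stores it as JSON, and later reports each file as legit, MODIFIED or MISSING. The file names, baseline format and the temporary files used in `demo()` are constructed for illustration; on a real machine the baseline must come from a clean install or vendor catalogue, never from the system under suspicion.

```python
"""Integrity check of critical files against a known-good hash baseline.

Added example, not FRST's own code: it reproduces the idea behind the
'Bamital & volsnap Check' section of an FRST log, where each critical
Windows binary is hashed and reported as 'legit' only if the hash matches
a trusted value. File names and baseline format are constructed for the
example; on a real system the baseline must come from a known-clean
install (or vendor catalogue), never from the machine under suspicion.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

# The files FRST checked in the log above (Windows paths; kept only as the
# default list, the demo below works on constructed temp files instead).
CRITICAL_FILES = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\winlogon.exe",
    r"C:\Windows\System32\wininit.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\services.exe",
    r"C:\Windows\System32\User32.dll",
    r"C:\Windows\System32\userinit.exe",
    r"C:\Windows\System32\Drivers\volsnap.sys",
]


def hash_bytes(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of an in-memory buffer (FRST reports MD5; SHA-256 is the
    better default for a baseline you maintain yourself)."""
    return hashlib.new(algo, data).hexdigest()


def file_hash(path, algo: str = "sha256", chunk: int = 1 << 16) -> str:
    """Stream a file through the hash so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths, algo: str = "sha256") -> dict:
    """Hash every listed file that exists. Run this on a known-clean system."""
    return {str(p): file_hash(p, algo) for p in paths if os.path.isfile(p)}


def save_baseline(baseline: dict, out_path, algo: str = "sha256") -> None:
    """Persist the baseline (constructed JSON layout) next to the algorithm used."""
    Path(out_path).write_text(json.dumps({"algo": algo, "files": baseline}, indent=2))


def load_baseline(in_path) -> tuple:
    """Return (files, algo) from a baseline written by save_baseline()."""
    doc = json.loads(Path(in_path).read_text())
    return doc["files"], doc["algo"]


def verify(baseline: dict, algo: str = "sha256") -> dict:
    """Compare current hashes with the baseline.

    Returns {path: 'legit' | 'MODIFIED' | 'MISSING'}. A MISSING critical file
    is reported rather than skipped: a deleted volsnap.sys or userinit.exe is
    itself a finding.
    """
    results = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            results[path] = "MISSING"
            continue
        actual = file_hash(path, algo)
        results[path] = "legit" if hmac.compare_digest(actual, expected) else "MODIFIED"
    return results


def demo() -> dict:
    """Self-contained run on constructed files: baseline, tamper, re-verify.
    Returns results keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        files = [Path(tmp, name) for name in ("explorer.exe", "winlogon.exe", "volsnap.sys")]
        for f in files:
            f.write_bytes(b"clean contents of " + f.name.encode())  # constructed stand-ins

        baseline_file = Path(tmp, "baseline.json")
        save_baseline(build_baseline(files), baseline_file)
        baseline, algo = load_baseline(baseline_file)
        assert all(v == "legit" for v in verify(baseline, algo).values())

        files[1].write_bytes(b"patched by something else")  # simulated tampering of winlogon.exe
        files[2].unlink()                                    # simulated removal of volsnap.sys
        return {Path(p).name: status for p, status in verify(baseline, algo).items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name} => {status}")
```

`demo()` reports explorer.exe as legit, winlogon.exe as MODIFIED and volsnap.sys as MISSING. To use the same functions on a real host, run `build_baseline(CRITICAL_FILES)` on a clean reference system, ship the JSON to the machine being checked, and call `verify()` there; the comparison uses `hmac.compare_digest` so the result does not depend on where two digests first differ.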

 



#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:27 AM

Posted 19 August 2013 - 02:07 PM

Please run the following:

Download attached fixlist.txt file and save it to the Desktop. (you have FRST saved to C:\Users\Leigh\Downloads so save FixList to the same folder)



NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 leighlamb

leighlamb
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:27 PM

Posted 20 August 2013 - 03:05 PM

I have tried multiple times to run FRST and it will just not go.  I even put them both in a "new folder" on my desktop, alone. It works for a few minutes, then an error message pops up--"The dependency service or group failed to start"  I am not sure what the problem is--could be me? Thanks!



#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:27 AM

Posted 20 August 2013 - 04:24 PM

Please delete the copy of FRST that you have and download a fresh copy, save FRST and Fixlist.txt to the same location, then try it with the newest version.



#7 leighlamb

leighlamb
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:27 PM

Posted 20 August 2013 - 05:17 PM

Done--I even emptied the recycle bin and it still won't go.



#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:27 AM

Posted 20 August 2013 - 06:15 PM

Please advise the exact error message you are getting (screenshot if possible) so I can let the developer know.


In the meantime,

Please run the following:

Refer to the ComboFix User's Guide
  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.



#9 leighlamb

leighlamb
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:27 PM

Posted 20 August 2013 - 06:36 PM

Attached is the error screenshot--I couldn't paste it in the box. Attached File  error screenshot.jpg   89.34KB   5 downloads



#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:27 AM

Posted 23 August 2013 - 01:15 AM

Were you able to run ComboFix, or do you get the same error message?


If not, then please try the following:
  • NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system
  • Please download
  • Save it to your flash drive.
  • download a fresh copy of FRST to the same flash drive
  • Now boot to System Recovery Options
    To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next. On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your next reply.



#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:27 AM

Posted 23 September 2013 - 12:54 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





