
(moved topic) Microsoft Security Essentials folders now listed as "junctions"


  • This topic is locked
36 replies to this topic

#1 gwhiz9999

gwhiz9999

  • Members
  • 108 posts
  • OFFLINE
  •  
  • Local time:04:19 AM

Posted 07 November 2013 - 09:06 AM

I have had a recurrence of a problem I had with MSE having its files changed to junctions, making the MSE program inaccessible. I never went through the process of having you people address it here, as, for some reason, your previous replies went to my email's spam folder. After coming back here and realizing that I did get a response after my last post, I now need to try to get this problem fixed for good. I still have the original junctions in a folder, and now have the second coming of the same problem in ANOTHER renamed folder that I can't delete, while a fresh, third MSE program folder exists, with the program running as it should, seemingly (I am paranoid about not having it running, even though it has apparently not stopped some sort of infestation at least once). I don't know if the second incarnation of this problem is a matter of the first instance rearing its head again, or if this is brought on by a separate incident. I ran a scan with Malwarebytes, and it removed 4 items. Along with the MSE problem, something had shut off my Windows firewall, which is now running again.

 

Here are the logs requested:

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.9.2
Run by Owner at 8:45:10 on 2013-11-07
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1022.503 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Ralink\Common\RaRegistry.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mWindow Title = Microsoft Internet Explorer provided by Comcast
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [MSC] "c:\program files\microsoft security client\mssecex.exe" -hide -runkey
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - c:\documents and settings\owner\desktop\EmpirePoker.lnk
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/OneClickFix/tgctlsr.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213142040551
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1373471559156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{2EE6AAFD-B705-4C10-8734-CBB78F18BA54} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{BD260EE0-2601-466D-A323-AF8A4076E468} : DHCPNameServer = 68.87.77.134 68.87.72.134
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\30.0.1599.101\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-6-18 211560]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2008-6-11 2560]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\ralink\common\RaRegistry.exe [2011-6-24 185632]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [2011-6-24 19072]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2011-6-24 818976]
S0 wgnqtu;wgnqtu;c:\windows\system32\drivers\efxh.sys --> c:\windows\system32\drivers\efxh.sys [?]
S0 yokmtm;yokmtm;c:\windows\system32\drivers\pcbuaqje.sys --> c:\windows\system32\drivers\pcbuaqje.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-4-19 161384]
S3 cpuz132;cpuz132;\??\c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S4 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-6-29 116608]
UnknownUnknown ejfmnolt;ejfmnolt; [x]
.
=============== Created Last 30 ================
.
2013-11-07 06:58:38 7796464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b62579dd-452b-456b-b49b-97e89ac7f25e}\mpengine.dll
2013-11-07 06:54:54 -------- d-----w- c:\program files\Microsoft Security Client
2013-10-09 22:04:52 25088 -c----w- c:\windows\system32\dllcache\hidparse.sys
2013-10-09 22:04:51 14976 -c----w- c:\windows\system32\dllcache\usbscan.sys
2013-10-09 22:04:44 60160 -c----w- c:\windows\system32\dllcache\usbaudio.sys
2013-10-09 22:04:44 123008 -c----w- c:\windows\system32\dllcache\usbvideo.sys
2013-10-09 22:01:56 5376 -c----w- c:\windows\system32\dllcache\usbd.sys
2013-10-09 22:01:56 32384 -c----w- c:\windows\system32\dllcache\usbccgp.sys
2013-10-09 22:01:56 30336 -c----w- c:\windows\system32\dllcache\usbehci.sys
2013-10-09 22:01:55 144128 -c----w- c:\windows\system32\dllcache\usbport.sys
.
==================== Find3M  ====================
.
2013-11-07 13:28:16 2473 ----a-w- c:\windows\system32\mmf.sys
2013-10-19 07:21:11 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-19 07:21:10 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-23 18:33:58 920064 ----a-w- c:\windows\system32\wininet.dll
2013-09-23 18:33:57 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-09-23 18:33:57 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-09-23 18:33:56 18944 ----a-w- c:\windows\system32\corpol.dll
2013-09-23 18:06:48 385024 ----a-w- c:\windows\system32\html.iec
2013-09-14 10:57:28 12558 ----a-w- C:\FixitRegBackup.reg
2013-09-03 18:35:12 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-08-29 01:31:44 1878656 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH:  8:46:55.78 ===============
 

Attached Files
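The indicators in the DDS log above can be triaged mechanically. The script below is an added example written for this page; it is not code from the original post, from DDS, or from FRST. It reads DDS-style service and driver lines (start type, name, description, image path and the trailing [?]/[x] marker), the two AV registrations in the header, and any entry that references a binary inside the MSE folder, and it also recognises the FRST service-path shape that appears later in this thread (a directory component made only of spaces, with a \???\ prefix buried inside the path). The sample log is constructed from lines in this thread; the allowlist of legitimate MSE binaries and the severity weights are assumptions, not anything the logs state.

```python
import re
from typing import Dict, List

# Constructed sample, shaped after entries in the DDS and FRST logs posted in
# this thread: the two MSE registrations, the S0 drivers with missing files,
# the "UnknownUnknown" service, the mRun entry for mssecex.exe, a legitimate
# MSE process, and the FRST service path flagged as ZeroAccess. Text only.
SAMPLE_LOG = r"""
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
c:\Program Files\Microsoft Security Client\MsMpEng.exe
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-6-18 211560]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]
S0 wgnqtu;wgnqtu;c:\windows\system32\drivers\efxh.sys --> c:\windows\system32\drivers\efxh.sys [?]
S0 yokmtm;yokmtm;c:\windows\system32\drivers\pcbuaqje.sys --> c:\windows\system32\drivers\pcbuaqje.sys [?]
S3 cpuz132;cpuz132;\??\c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
UnknownUnknown ejfmnolt;ejfmnolt; [x]
mRun: [MSC] "c:\program files\microsoft security client\mssecex.exe" -hide -runkey
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{0381312f-e4a4-3249-e2b5-595a905733aa}\   \   \???\{0381312f-e4a4-3249-e2b5-595a905733aa}\GoogleUpdate.exe" <
"""

SERVICE_RE = re.compile(r'^(?P<start>[RSU]\d|UnknownUnknown)\s+(?P<name>[^;]+);(?P<rest>.*)$')
AV_RE = re.compile(r'^AV:\s+(?P<product>.+?)\s+\*[^*]+\*\s+\{(?P<guid>[0-9A-Fa-f-]+)\}')
MSE_RE = re.compile(r'microsoft security client\\([^\\"\s]+)', re.IGNORECASE)
# Binaries that legitimately live in the MSE folder in this thread. Assumption:
# extend this allowlist for other MSE components before relying on the rule.
KNOWN_MSE = {"msseces.exe", "msmpeng.exe"}


def _finding(rule: str, severity: str, name: str, detail: str) -> Dict[str, str]:
    return {"rule": rule, "severity": severity, "name": name, "detail": detail}


def hidden_path(path: str) -> bool:
    """ZeroAccess-style image path: a directory component made only of spaces,
    or an NT object-manager prefix (\\??\\ or \\???\\) buried inside the path.
    A prefix at position 0 is how DDS prints ordinary kernel-style paths (see
    cpuz132 in the sample) and is not flagged."""
    if re.search(r'\\\s+\\', path):
        return True
    body = path.strip().strip('"')
    return body.find('\\??') > 0


def triage(text: str) -> List[Dict[str, str]]:
    """Return one finding per rule hit, in log order, then AV duplicates."""
    findings: List[Dict[str, str]] = []
    av_guids: Dict[str, set] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        av = AV_RE.match(line)
        if av:
            av_guids.setdefault(av.group('product'), set()).add(av.group('guid'))
        svc = SERVICE_RE.match(line)
        if svc:
            start = svc.group('start')
            name = svc.group('name').strip().lstrip('*')
            parts = svc.group('rest').split(';', 1)   # DDS: desc;path   FRST: path
            path = parts[-1]
            missing = path.rstrip().endswith(('[?]', '[x]'))
            random_name = bool(re.fullmatch(r'[a-z]{5,9}', name))
            hidden = hidden_path(path)
            if missing:
                # A boot-start (x0) entry whose file is gone is the strongest
                # signal in these logs; other start types rate medium.
                sev = 'high' if start.endswith('0') else 'medium'
                findings.append(_finding('image_missing', sev, name, line))
            if hidden:
                findings.append(_finding('hidden_path', 'high', name, line))
            if random_name:
                # Lowercase gibberish alone is weak (legitimate drivers have such
                # names); it rates high only alongside another indicator.
                sev = 'high' if (missing or hidden) else 'low'
                findings.append(_finding('pseudorandom_name', sev, name, line))
        mse = MSE_RE.search(line)
        if mse and mse.group(1).lower() not in KNOWN_MSE:
            findings.append(_finding('altered_mse_name', 'high', mse.group(1), line))
    for product, guids in av_guids.items():
        if len(guids) > 1:
            detail = '; '.join(sorted(guids))
            findings.append(_finding('duplicate_av_registration', 'medium', product, detail))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['rule']:26} {f['name']}")
```

Run it as a script to print the findings, or import triage() and feed it the text of a saved dds.txt. The second AV registration with a different GUID is exactly what a previous MSE install whose folder was replaced by a junction leaves behind, which is why the duplicate-registration rule exists; the pseudorandom-name heuristic is deliberately rated low on its own.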





#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:19 AM

Posted 08 November 2013 - 08:40 PM





Hello gwhiz9999

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

I would like you to run this program for me.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gwhiz9999

gwhiz9999
  • Topic Starter

  • Members
  • 108 posts
  • OFFLINE
  •  
  • Local time:04:19 AM

Posted 09 November 2013 - 07:18 AM

I should have noted before, though I don't know it has anything to do with the issues I am having, that I keep getting the same Windows update notice from my pc, even after downloading and installing it more than once.  In case it is relevant and will help, it is update KB2863239, which it says is a security update for Microsoft.net framework 2.0 SP2 on Windows server 2003 and Windows XP x86.  I also just got an update for MSE, KB2866337, (4.3.219.0).  I haven't tried to download or install either, since the previous instructions said to not alter the system, etc...  though I am using the PC.

 

I don't know if I still have an infection, but it is disconcerting to have files/folders on the PC that can't be accessed/deleted, and I certainly want to know if there is an ongoing problem to deal with, or if I just need to figure out how to get rid of the files/folders that were turned into "junctions."

 

Here are the logs you asked for:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-10-2013
Ran by Owner (administrator) on GPM2 on 09-11-2013 07:08:08
Running from C:\Documents and Settings\Owner\Desktop
Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
() C:\WINDOWS\runservice.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Broadcom Corporation) C:\WINDOWS\BCMSMMSG.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Program Files\internet explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\internet explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\internet explorer\iexplore.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [BCMSMMSG] - C:\WINDOWS\BCMSMMSG.exe [122880 2003-08-29] (Broadcom Corporation)
HKLM\...\Run: [HotKeysCmds] - C:\WINDOWS\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [SoundMAXPnP] - C:\Program Files\Analog Devices\Core\smax4pnp.exe [1404928 2004-10-14] (Analog Devices, Inc.)
HKLM\...\Run: [MSConfig] - C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe [169984 2008-04-14] (Microsoft Corporation)
HKLM\...\Run: [MSC] - "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey <===== ATTENTION (File name is altered)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxsrvc.dll (Intel Corporation)
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKU\Default User\...\Run: [MySpaceIM] - C:\Program Files\MySpace\IM\MySpaceIM.exe [ 2009-12-01] ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
SearchScopes: HKLM - DefaultScope {DBCA6D52-5D3F-4F95-9C1D-1FBA069FCC13} URL =
SearchScopes: HKCU - {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL = http://websearch.ask.com/redirect?client=ie&tb=GAM1&o=15491&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=HE&apn_dtid=YYYYYYYYUS&apn_uid=7CAA42F0-DF5D-4A15-8471-203D2A9D3397&apn_sauid=81FAC039-A413-4AA4-BFAE-4CE91CBA9125
SearchScopes: HKCU - {233FDCBD-FCA3-4095-AC07-C63E2564DB38} URL = http://www.bing.com/search?FORM=BABTDF&PC=BBLN&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKCU - {5D37B1C5-6D9D-4D24-9253-1D6B6E5AD011} URL = http://search.conduit.com/Results.aspx?ctid=CT3300018&SearchSource=45&UM=2&q={searchTerms}
SearchScopes: HKCU - {DBCA6D52-5D3F-4F95-9C1D-1FBA069FCC13} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3289847&CUI=UN25019174603890521&UM=2
BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7529.1424\swg.dll No File
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {EEE6C35B-6118-11DC-9C72-001320C79847} -  No File
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} http://www.comcastsupport.com/OneClickFix/tgctlsr.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [113024 2011-12-20] (SuperAdBlocker.com)
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 02 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 03 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 04 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 05 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 06 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 07 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 08 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 09 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 10 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 11 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 12 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 13 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 14 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 15 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 16 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 17 mswsock.dll File Not found (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

Chrome:
=======
CHR HomePage: hxxp://search.conduit.com/?ctid=CT3289847&SearchSource=48&CUI=UN11646635362583914&UM=2
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\30.0.1599.101\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\30.0.1599.101\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\30.0.1599.101\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Microsoft\u00AE DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (Microsoft\u00AE DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (DNA Plug-in) - C:\Program Files\DNA\plugins\npbtdna.dll (BitTorrent, Inc.)
CHR Plugin: (DivX Player Netscape Plugin) - C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
CHR Plugin: (DivX Web Player) - C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (Java™ Platform SE 7 U9) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (Windows Live\u00AE Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Windows Presentation Foundation) - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Plugin: (Java Deployment Toolkit 7.0.90.5) - C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Extension: (YouTube) - C:\DOCUME~1\Owner\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\DOCUME~1\Owner\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (Google Wallet) - C:\DOCUME~1\Owner\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.5.0_0
CHR Extension: (Gmail) - C:\DOCUME~1\Owner\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1
CHR HKLM\...\Chrome\Extension: [klibnahbojhkanfgaglnlalfkgpcppfi] - C:\Documents and Settings\Owner\Local Settings\Application Data\CRE\klibnahbojhkanfgaglnlalfkgpcppfi.crx

========================== Services (Whitelisted) =================

S4 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [116608 2011-12-20] (SUPERAntiSpyware.com)
R2 LicCtrlService; C:\WINDOWS\runservice.exe [2560 2008-06-11] ()
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2013-07-18] (Microsoft Corporation)
S2 RalinkRegistryWriter; C:\Program Files\Ralink\Common\RaRegistry.exe [185632 2009-12-15] (Ralink Technology, Corp.)
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{0381312f-e4a4-3249-e2b5-595a905733aa}\   \   \???\{0381312f-e4a4-3249-e2b5-595a905733aa}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

R2 Aspi32; C:\Windows\System32\Drivers\Aspi32.sys [23936 1997-12-22] (Adaptec)
R3 BCMModem; C:\Windows\System32\DRIVERS\BCMSM.sys [1101696 2003-08-29] (Broadcom Corporation)
S3 CCDECODE; C:\Windows\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
S3 ialm; C:\Windows\System32\DRIVERS\ialmnt5.sys [807998 2005-10-19] (Intel Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [211560 2013-06-18] (Microsoft Corporation)
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
R2 PfModNT; C:\WINDOWS\system32\drivers\PfModNT.sys [15840 2003-03-05] (Creative Technology Ltd.)
S3 QCMerced; C:\Windows\System32\DRIVERS\LVCM.sys [472332 2003-06-26] (Logitech Inc.)
R3 rt2870; C:\Windows\System32\DRIVERS\rt2870.sys [818976 2010-02-12] (Ralink Technology, Corp.)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-12-20] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-12-20] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R2 Scutum50; C:\Windows\System32\Drivers\Scutum50.sys [19072 2009-04-21] (Printing Communications Assoc., Inc. (PCAUSA))
R3 senfilt; C:\Windows\System32\drivers\senfilt.sys [732928 2004-09-17] (Creative Technology Ltd.)
S3 USBCM; C:\Windows\System32\DRIVERS\Sacm2A.sys [15429 2004-06-10] ( )
S3 catchme; \??\C:\ComboFix\catchme.sys [x]
S3 cpuz132; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys [x]
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U3 TlntSvr;
S0 wgnqtu; System32\drivers\efxh.sys [x]
U5 WinRM; C:\WINDOWS\System32\svchost.exe [14336 2008-04-14] (Microsoft Corporation)
S0 yokmtm; System32\drivers\pcbuaqje.sys [x]
U3 mbr; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\mbr.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-11-09 07:07 - 2013-11-09 07:07 - 01089445 _____ (Farbar) C:\Documents and Settings\Owner\Desktop\FRST.exe
2013-11-07 08:47 - 2013-11-07 08:50 - 00021374 _____ C:\Documents and Settings\Owner\Desktop\attach.txt
2013-11-07 08:47 - 2013-11-07 08:50 - 00009926 _____ C:\Documents and Settings\Owner\Desktop\dds.txt
2013-11-07 02:23 - 2013-11-07 02:23 - 00688992 ____R (Swearware) C:\Documents and Settings\Owner\Desktop\dds.com
2013-11-07 01:55 - 2013-11-07 01:55 - 00001698 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
2013-11-07 01:54 - 2013-11-07 01:55 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-10-15 23:08 - 2013-11-07 08:39 - 00000384 ____H C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2013-10-11 18:30 - 2013-10-11 18:30 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2847311$
2013-10-11 18:29 - 2013-10-11 18:30 - 00134687 _____ C:\WINDOWS\KB2862335.log
2013-10-11 18:29 - 2013-10-11 18:29 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2862335$
2013-10-11 18:02 - 2013-10-11 18:02 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2868038$
2013-10-11 18:01 - 2013-10-11 18:02 - 00014639 _____ C:\WINDOWS\KB2868038.log
2013-10-11 17:57 - 2013-10-11 18:00 - 00015358 _____ C:\WINDOWS\KB2879017-IE8.log
2013-10-11 17:57 - 2013-10-11 17:57 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2883150$
2013-10-11 17:56 - 2013-10-11 17:56 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2862330$

==================== One Month Modified Files and Folders =======

2013-11-09 07:07 - 2013-11-09 07:07 - 01089445 _____ (Farbar) C:\Documents and Settings\Owner\Desktop\FRST.exe
2013-11-09 07:07 - 2009-05-09 14:16 - 00000422 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{39CFE49B-3195-48FA-A891-36E86B83D597}.job
2013-11-09 07:06 - 2008-06-10 18:54 - 01428960 _____ C:\WINDOWS\WindowsUpdate.log
2013-11-09 06:47 - 2012-11-02 02:13 - 00000884 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2013-11-09 06:20 - 2003-07-16 15:53 - 00013646 _____ C:\WINDOWS\system32\wpa.dbl
2013-11-09 04:47 - 2008-06-10 17:39 - 00032528 _____ C:\WINDOWS\SchedLgU.Txt
2013-11-09 03:45 - 2003-07-16 15:47 - 00000227 _____ C:\WINDOWS\system.ini
2013-11-08 12:47 - 2012-11-02 02:13 - 00000880 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2013-11-07 08:50 - 2013-11-07 08:47 - 00021374 _____ C:\Documents and Settings\Owner\Desktop\attach.txt
2013-11-07 08:50 - 2013-11-07 08:47 - 00009926 _____ C:\Documents and Settings\Owner\Desktop\dds.txt
2013-11-07 08:39 - 2013-10-15 23:08 - 00000384 ____H C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2013-11-07 08:28 - 2008-06-11 17:17 - 00002473 _____ C:\WINDOWS\system32\mmf.sys
2013-11-07 08:28 - 2008-06-10 17:32 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-11-07 08:28 - 2008-06-10 13:27 - 00000159 _____ C:\WINDOWS\wiadebug.log
2013-11-07 08:28 - 2008-06-10 13:27 - 00000049 _____ C:\WINDOWS\wiaservc.log
2013-11-07 08:27 - 2012-05-12 03:14 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2676562$
2013-11-07 08:26 - 2008-06-10 17:39 - 00000178 ___SH C:\Documents and Settings\Owner\ntuser.ini
2013-11-07 02:23 - 2013-11-07 02:23 - 00688992 ____R (Swearware) C:\Documents and Settings\Owner\Desktop\dds.com
2013-11-07 01:55 - 2013-11-07 01:55 - 00001698 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
2013-11-07 01:55 - 2013-11-07 01:54 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-11-07 01:55 - 2011-01-26 11:52 - 00001945 ____C C:\WINDOWS\epplauncher.mif
2013-11-07 01:53 - 2008-06-11 10:25 - 00000000 ____D C:\Documents and Settings\Owner\My Documents\INSTALLATION FILES
2013-11-07 01:48 - 2010-08-11 06:55 - 00001341 _____ C:\WINDOWS\wmsetup.log
2013-11-07 01:44 - 2008-06-11 11:20 - 00022016 _____ C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-11-07 01:39 - 2008-06-13 23:33 - 00000000 ____D C:\WINDOWS\pss
2013-11-07 01:39 - 2008-06-10 13:15 - 00000281 _____ C:\boot.ini
2013-11-07 01:39 - 2003-07-16 15:51 - 00000611 _____ C:\WINDOWS\win.ini
2013-11-07 01:14 - 2012-04-03 08:25 - 00000000 ____D C:\WINDOWS\$NtUninstallKB968930$
2013-11-07 01:12 - 2010-05-25 19:28 - 00000664 _____ C:\WINDOWS\system32\d3d9caps.dat
2013-11-07 01:12 - 2008-06-10 17:39 - 00000000 ____D C:\Documents and Settings\Owner
2013-11-06 09:46 - 2008-06-11 12:03 - 00000000 ____D C:\Program Files\PokerStars.NET
2013-11-06 09:24 - 2008-06-10 13:16 - 00616260 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2013-11-06 04:41 - 2010-05-16 21:15 - 00001841 _____ C:\test.htm
2013-10-29 15:20 - 2009-01-19 15:50 - 00000000 ____D C:\WINDOWS\Microsoft.NET
2013-10-19 02:21 - 2012-10-12 01:15 - 00692616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2013-10-19 02:21 - 2012-04-04 04:06 - 00071048 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2013-10-16 23:15 - 2009-10-03 18:45 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\vlc
2013-10-15 22:57 - 2013-09-14 07:47 - 00000000 ____D C:\Program Files\Microsoft Security Client - corrupted 2
2013-10-15 18:19 - 2008-06-16 19:48 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\BitTorrent
2013-10-12 10:58 - 2008-06-10 13:15 - 00141240 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2013-10-12 10:57 - 2010-02-26 07:25 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-10-11 18:30 - 2013-10-11 18:30 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2847311$
2013-10-11 18:30 - 2013-10-11 18:29 - 00134687 _____ C:\WINDOWS\KB2862335.log
2013-10-11 18:30 - 2013-10-09 17:05 - 00138712 _____ C:\WINDOWS\KB2847311.log
2013-10-11 18:30 - 2010-08-12 02:02 - 00111251 _____ C:\WINDOWS\updspapi.log
2013-10-11 18:30 - 2010-08-12 02:01 - 01137679 _____ C:\WINDOWS\FaxSetup.log
2013-10-11 18:30 - 2010-08-12 02:01 - 00543904 _____ C:\WINDOWS\ocgen.log
2013-10-11 18:30 - 2010-08-12 02:01 - 00434066 _____ C:\WINDOWS\tsoc.log
2013-10-11 18:30 - 2010-08-12 02:01 - 00375573 _____ C:\WINDOWS\comsetup.log
2013-10-11 18:30 - 2010-08-12 02:01 - 00228099 _____ C:\WINDOWS\ntdtcsetup.log
2013-10-11 18:30 - 2010-08-12 02:01 - 00179898 _____ C:\WINDOWS\iis6.log
2013-10-11 18:30 - 2010-08-12 02:01 - 00062928 _____ C:\WINDOWS\ocmsn.log
2013-10-11 18:30 - 2010-08-12 02:01 - 00056856 _____ C:\WINDOWS\msgsocm.log
2013-10-11 18:30 - 2010-08-12 02:01 - 00001393 _____ C:\WINDOWS\imsins.log
2013-10-11 18:30 - 2010-08-12 02:01 - 00001393 _____ C:\WINDOWS\imsins.BAK
2013-10-11 18:30 - 2010-08-11 06:27 - 00467515 _____ C:\WINDOWS\setupapi.log
2013-10-11 18:29 - 2013-10-11 18:29 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2862335$
2013-10-11 18:20 - 2013-08-24 15:06 - 00000000 ____D C:\WINDOWS\system32\MRT
2013-10-11 18:08 - 2008-06-10 19:49 - 78106760 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2013-10-11 18:05 - 2010-06-03 18:24 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
2013-10-11 18:02 - 2013-10-11 18:02 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2868038$
2013-10-11 18:02 - 2013-10-11 18:01 - 00014639 _____ C:\WINDOWS\KB2868038.log
2013-10-11 18:00 - 2013-10-11 17:57 - 00015358 _____ C:\WINDOWS\KB2879017-IE8.log
2013-10-11 17:58 - 2009-05-09 14:11 - 00000000 ____D C:\WINDOWS\ie8updates
2013-10-11 17:57 - 2013-10-11 17:57 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2883150$
2013-10-11 17:56 - 2013-10-11 17:56 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2862330$

Files to move or delete:
====================
ZeroAccess:
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install

Some content of TEMP:
====================
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-f79b1f18.exe
C:\Documents and Settings\Owner\Local Settings\temp\AMPing.exe
C:\Documents and Settings\Owner\Local Settings\temp\D2M-Precheck.exe
C:\Documents and Settings\Owner\Local Settings\temp\jucheck.dll
C:\Documents and Settings\Owner\Local Settings\temp\tbWhit.dll
C:\Documents and Settings\Owner\Local Settings\temp\utt6E2.tmp.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

AND:

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 31-10-2013
Ran by Owner at 2013-11-09 07:10:14
Running from C:\Documents and Settings\Owner\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AV: Microsoft Security Essentials (Disabled - Up to date) {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials (Disabled - Up to date) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
Could not list Security Center items. Check WMI.

==================== Installed Programs ======================

7-Zip 4.65
AAC Decoder (Version: 7.1.0)
Adobe AIR (Version: 2.0.3.13070)
Adobe Flash Player 11 ActiveX (Version: 11.9.900.117)
Adobe Reader XI (11.0.04) (Version: 11.0.04)
AnswerWorks 4.0 Runtime - English (Version: 4.0.101)
Apple Software Update (Version: 2.1.1.116)
AutoUpdate (Version: 1.1)
BCM V.92 56K Modem
BitTorrent (HKCU Version: 7.8.2.30182)
Broadcom 440x 10/100 Integrated Controller (Version: 3.29)
Cake Poker 2.0 (Version: 2.0.1.3240)
CCleaner (remove only)
DivX Codec (Version: 6.8.5)
DivX Converter (Version: 7.1.0)
DivX Player (Version: 7.2.0)
DivX Plus DirectShow Filters
DivX Version Checker (Version: 7.1.0.2)
DivX Web Player (Version: 1.5.0)
DNA (HKCU Version: 2.2.4 (16502))
Document eSort Components (Version: 3.1.1.74)
EmpirePoker
File Opener Pro
Full Tilt Poker (Version: 4.14.1.WIN.FullTilt.Real)
Google Chrome (Version: 30.0.1599.101)
Google Update Helper (Version: 1.3.21.165)
H.264 Decoder (Version: 1.1.0)
HijackThis 2.0.2 (Version: 2.0.2)
Intel® Extreme Graphics Driver
InterVideo WinDVD
Intuit Entitlement Client (Version: 1.0.0)
Intuit Entitlement Client v8 (Version: 8.0.24)
Java 7 Update 9 (Version: 7.0.90)
Java Auto Updater (Version: 2.1.9.0)
Junk Mail filter update (Version: 14.0.8117.416)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2833941)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004 (Version: 12.0.50)
Microsoft Money 2004 System Pack (Version: 12.0.80)
Microsoft National Language Support Downlevel APIs
Microsoft Security Client (Version: 4.3.0216.0)
Microsoft Security Essentials (Version: 4.3.216.0)
Microsoft Silverlight (Version: 5.1.20913.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218 (Version: 9.0.21022.218)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Word 2000 SR-1 (Version: 9.00.3821)
Microsoft Works 2001 Setup Launcher
Microsoft Works 6.0 (Version: 06.00.1829)
Microsoft Works Suite Add-in for Microsoft Word (Version: 2.0.0.0000)
MKV Splitter (Version: 1.0.1)
MSVCRT (Version: 14.0.1468.721)
MXpie Patch for WinMX Network/WPNP 3.6.3.6 (HKCU Version: 3.6.3.6)
MySpaceIM (Version: 1.0.823.0)
OneTouch Version 3.0 (Version: Version 3.0)
Out of the Park Baseball 9 (Version: 9)
PaperPort 7.02
PokerStars
PokerStars.net
ProSeries Basic Edition 2009
ProSeries Basic Edition 2010
ProSeries Basic Edition 2011
ProSeries Basic Edition 2012
Ralink RT2870 Wireless LAN Card (Version: 1.5.7.0)
Scientific-Atlanta WebSTAR 2000 series Cable Modem
Season Ticket Baseball 2003
Segoe UI (Version: 14.0.4327.805)
Skype™ 6.3 (Version: 6.3.107)
SoundMAX (Version: 5.12.01.5246)
Spybot - Search & Destroy (Version: 1.6.2)
SUPERAntiSpyware (Version: 4.41.1000)
Theorica Divx ;-) Codecs (remove only) (Version: 5.0)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Windows Internet Explorer 8 (KB982632) (Version: 1)
Update for Windows Internet Explorer 8 (KB982664) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB2863058) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
VC80CRTRedist - 8.0.50727.762 (Version: 1.0.0)
VLC media player 1.0.2 (Version: 1.0.2)
WebFldrs XP (Version: 9.50.6513)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Live Call (Version: 14.0.8117.0416)
Windows Live Communications Platform (Version: 14.0.8117.416)
Windows Live Essentials (Version: 14.0.8117.0416)
Windows Live Essentials (Version: 14.0.8117.416)
Windows Live ID Sign-in Assistant (Version: 6.500.3165.0)
Windows Live Mail (Version: 14.0.8117.0416)
Windows Live Messenger (Version: 14.0.8117.0416)
Windows Live OneCare safety scanner
Windows Live Photo Gallery (Version: 14.0.8117.416)
Windows Live Sync (Version: 14.0.8117.416)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3 (Version: 20080414.031525)
Winmx Community 1
WinRAR 5.00 (32-bit) (Version: 5.00.0)
Works Suite OS Pack (Version: 1.0.0.0000)
Works Synchronization (Version: 1.0.0.0000)
XP Codec Pack
Xvid 1.2.2 final uninstall (Version: 1.2)
Yahoo! Messenger

==================== Restore Points  =========================

07-11-2013 19:08:28 System Checkpoint
08-11-2013 13:50:49 Software Distribution Service 3.0

==================== Hosts content: ==========================

2003-07-16 15:29 - 2010-08-17 05:05 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job => c:\Program Files\Microsoft Security Client\MpCmdRun.exe
Task: C:\WINDOWS\Tasks\User_Feed_Synchronization-{39CFE49B-3195-48FA-A891-36E86B83D597}.job => C:\WINDOWS\system32\msfeedssync.exe

==================== Loaded Modules (whitelisted) =============

2008-06-11 17:17 - 2008-06-11 17:17 - 00048640 _____ () C:\WINDOWS\mmfs.dll
2008-06-11 17:17 - 2008-06-11 17:17 - 00126976 _____ () C:\WINDOWS\lcmmfu.cpl
2003-03-31 07:00 - 2013-01-02 01:49 - 01292288 _____ () C:\WINDOWS\System32\quartz.dll
2003-03-31 07:00 - 2008-04-14 04:41 - 00059904 _____ () C:\WINDOWS\System32\devenum.dll
2003-03-31 07:00 - 2008-04-14 04:42 - 00014336 _____ () C:\WINDOWS\system32\msdmo.dll

==================== Alternate Data Streams (whitelisted) =========

==================== Safe Mode (whitelisted) ===================

==================== Faulty Device Manager Devices =============

Name: Intel® 82845G/GL/GE/PE/GV Graphics Controller
Description: Intel® 82845G/GL/GE/PE/GV Graphics Controller
Class Guid: {4D36E968-E325-11CE-BFC1-08002BE10318}
Manufacturer: Intel Corporation
Service: ialm
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Broadcom 440x 10/100 Integrated Controller
Description: Broadcom 440x 10/100 Integrated Controller
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Broadcom
Service: bcm4sbxp
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================
Error: (11/07/2013 08:30:04 AM) (Source: MPSampleSubmission) (User: )
Description: EventType mptelemetry, P1 80070490, P2 remediation, P3 remediationfailuretelemetry, P4 1.1.10003.0, P5 mpengine, P6 0, P7 unspecified, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (11/07/2013 02:02:20 AM) (Source: MPSampleSubmission) (User: )
Description: EventType mptelemetry, P1 0x8050a003, P2 mpupdateengine, P3 am fe, P4 11.1.4406.0, P5 mpsigstub.exe, P6 4.3.216.0, P7 microsoft security essentials, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (11/07/2013 01:55:20 AM) (Source: Microsoft Security Client) (User: )
Description: mssecurityclientsetup.exe4.3.216.00x80070424morrobootstraper__cinstallflow__internalrun - getenablefirewallactionmorrobootstraper__cflow__processflowactionresult0security essentialsNILNILNIL

Error: (11/07/2013 01:55:16 AM) (Source: MPSampleSubmission) (User: )
Description: EventType mptelemetry, P1 0x80070003, P2 moac, P3 cachereset, P4 4.3.216.0, P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (11/07/2013 01:50:10 AM) (Source: Microsoft Security Client) (User: )
Description: mssecurityclientsetup.exe4.3.216.00x8004ff06common client setup outcomesetresultdatapoints0security essentialsNILNILNIL

Error: (11/07/2013 01:50:09 AM) (Source: Microsoft Security Client) (User: )
Description: mssecurityclientsetup.exe4.3.216.00x8004ff06failed to check upgrade conditionsmorrobootstraper__cmorromain__runupgradeorrepairscenario0security essentialsNILNILNIL

Error: (11/07/2013 01:42:18 AM) (Source: Application Hang) (User: )
Description: Hanging application explorer.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (11/06/2013 10:38:18 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Error: (11/06/2013 10:38:04 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Error: (11/06/2013 10:37:46 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

System errors:
=============
Error: (11/09/2013 06:47:55 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (11/09/2013 01:47:47 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (11/08/2013 08:47:11 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (11/08/2013 03:47:41 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (11/08/2013 10:47:25 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (11/08/2013 04:48:54 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (11/07/2013 11:47:57 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (11/07/2013 06:47:42 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (11/07/2013 06:42:32 PM) (Source: Service Control Manager) (User: )
Description: The Ralink Registry Writer service terminated unexpectedly.  It has done this 1 time(s).

Error: (11/07/2013 01:47:56 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Microsoft Office Sessions:
=========================
Error: (11/07/2013 08:30:04 AM) (Source: MPSampleSubmission)(User: )
Description: mptelemetry80070490remediationremediationfailuretelemetry1.1.10003.0mpengine0unspecifiedNILNILNIL

Error: (11/07/2013 02:02:20 AM) (Source: MPSampleSubmission)(User: )
Description: mptelemetry0x8050a003mpupdateengineam fe11.1.4406.0mpsigstub.exe4.3.216.0microsoft security essentialsNILNILNIL

Error: (11/07/2013 01:55:20 AM) (Source: Microsoft Security Client)(User: )
Description: mssecurityclientsetup.exe4.3.216.00x80070424morrobootstraper__cinstallflow__internalrun - getenablefirewallactionmorrobootstraper__cflow__processflowactionresult0security essentialsNILNILNIL

Error: (11/07/2013 01:55:16 AM) (Source: MPSampleSubmission)(User: )
Description: mptelemetry0x80070003moaccachereset4.3.216.0unspecifiedunspecifiedunspecifiedNILNILNIL

Error: (11/07/2013 01:50:10 AM) (Source: Microsoft Security Client)(User: )
Description: mssecurityclientsetup.exe4.3.216.00x8004ff06common client setup outcomesetresultdatapoints0security essentialsNILNILNIL

Error: (11/07/2013 01:50:09 AM) (Source: Microsoft Security Client)(User: )
Description: mssecurityclientsetup.exe4.3.216.00x8004ff06failed to check upgrade conditionsmorrobootstraper__cmorromain__runupgradeorrepairscenario0security essentialsNILNILNIL

Error: (11/07/2013 01:42:18 AM) (Source: Application Hang)(User: )
Description: explorer.exe6.0.2900.5512hungapp0.0.0.000000000

Error: (11/06/2013 10:38:18 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis operation returned because the timeout period expired.

Error: (11/06/2013 10:38:04 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis operation returned because the timeout period expired.

Error: (11/06/2013 10:37:46 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis operation returned because the timeout period expired.

==================== Memory info ===========================

Percentage of memory in use: 76%
Total physical RAM: 1022 MB
Available physical RAM: 240.77 MB
Total Pagefile: 2463.43 MB
Available Pagefile: 1166.5 MB
Total Virtual: 2047.88 MB
Available Virtual: 1932.45 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:74.5 GB) (Free:0.41 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (STB_2003) (CDROM) (Total:0.14 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 75 GB) (Disk ID: 9DC96E9E)
Partition 1: (Active) - (Size=74 GB) - (Type=07 NTFS)

==================== End Of Log ============================

Thank you in advance for your help, Gringo



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 09 November 2013 - 01:48 PM

Hello gwhiz9999



I need you to download this script I have made for you --> Attached File: fixlist.txt

It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow).

Run FRST again but this time press the Fix button just once and wait.


When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file to your reply.


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 gwhiz9999

gwhiz9999
  • Topic Starter

  • Members
  • 108 posts

Posted 10 November 2013 - 06:59 AM

I have done as you have instructed, and here is the log you requested:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 31-10-2013
Ran by Owner at 2013-11-10 06:55:58 Run:1
Running from C:\Documents and Settings\Owner\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKLM\...\Run: [MSC] - "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey <===== ATTENTION (File name is altered)
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
S0 wgnqtu; System32\drivers\efxh.sys [x]
S0 yokmtm; System32\drivers\pcbuaqje.sys [x]
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-f79b1f18.exe
C:\Documents and Settings\Owner\Local Settings\temp\AMPing.exe
C:\Documents and Settings\Owner\Local Settings\temp\D2M-Precheck.exe
C:\Documents and Settings\Owner\Local Settings\temp\jucheck.dll
C:\Documents and Settings\Owner\Local Settings\temp\tbWhit.dll
C:\Documents and Settings\Owner\Local Settings\temp\utt6E2.tmp.exe

*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\MSC => Value was restored successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
Winsock: Catalog5 entry 000000000003\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
wgnqtu => Service deleted successfully.
yokmtm => Service deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Desktop\Install => Moved successfully.
C:\Program Files\Google\Desktop\Install => Moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\temp\mpam-f79b1f18.exe => Moved successfully.
C:\Documents and Settings\Owner\Local Settings\temp\AMPing.exe => Moved successfully.
C:\Documents and Settings\Owner\Local Settings\temp\D2M-Precheck.exe => Moved successfully.
C:\Documents and Settings\Owner\Local Settings\temp\jucheck.dll => Moved successfully.
C:\Documents and Settings\Owner\Local Settings\temp\tbWhit.dll => Moved successfully.
C:\Documents and Settings\Owner\Local Settings\temp\utt6E2.tmp.exe => Moved successfully.

==== End of Fixlog ====



#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 November 2013 - 11:15 AM



Hello gwhiz9999

These are the programs I would like you to run next. If you have any problems with one of these, just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete, click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo

#7 gwhiz9999

gwhiz9999
  • Topic Starter

  • Members
  • 108 posts

Posted 11 November 2013 - 07:33 AM

Here are the logs you requested:

# AdwCleaner v3.012 - Report created 11/11/2013 at 06:38:27
# Updated 11/11/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Owner - GPM2
# Running from : C:\Documents and Settings\Owner\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Trymedia
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\SaveValet
Folder Deleted : C:\Program Files\SweetIM
Folder Deleted : C:\Program Files\Trymedia
Folder Deleted : C:\Documents and Settings\Owner\Local Settings\Application Data\Conduit
[!] Folder Deleted : C:\Documents and Settings\LocalService\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc
File Deleted : C:\END
File Deleted : C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_app.mam.conduit.com_0.localstorage
File Deleted : C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_app.mam.conduit.com_0.localstorage-journal
File Deleted : C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_search.conduit.com_0.localstorage
File Deleted : C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_search.conduit.com_0.localstorage-journal

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2418376
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3289847
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{64697678-0000-0010-8000-00AA00389B71}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EEE6C35B-6118-11DC-9C72-001320C79847}]
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\smartbar
Key Deleted : HKCU\Software\SocialBit
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\InfoAtoms
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Optimizer Pro_is1
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08121C32A9C319F4CB0C11FF059552A4
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\464AA55239C100F32AF2D438EDDC0F47
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5652BA3D5FB98AE31B337BF0AF939856
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\86EB95E1AFCBABE3DB9ECCC669B99494

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Google Chrome v30.0.1599.101

[ File : C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Deleted : homepage

*************************

AdwCleaner[R0].txt - [6058 octets] - [11/11/2013 06:34:58]
AdwCleaner[S0].txt - [6077 octets] - [11/11/2013 06:38:27]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [6137 octets] ##########

 

and:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Microsoft Windows XP x86
Ran by Owner on Mon 11/11/2013 at  6:55:25.12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1BB8B3AE-757D-443F-B3A4-0629E709B0D9}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5D37B1C5-6D9D-4D24-9253-1D6B6E5AD011}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{DBCA6D52-5D3F-4F95-9C1D-1FBA069FCC13}

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\Owner\Local Settings\Application Data\cre"
Successfully deleted: [Folder] "C:\Program Files\fileopenerpro"

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 11/11/2013 at  7:02:42.14
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

***I am not sure if you wanted me to see if I could delete the corrupted files/folders from previous Microsoft Security Essentials installations that were changed to "junctions," and I am loath to do anything like that without you instructing me to do so, so they are still there, and they are still listed as junctions when I check them under a command prompt analysis with "DIR".  Should I try to delete them?  I am not sure what to do to get rid of them.  And FYI, as of now, and after restarting MSE, the continuous pop-up from Microsoft Update of the same update has gone away and has not come back.***
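The junction check described in the post above, as an added PowerShell example that is not from this thread or from any of the tools it mentions: it assumes PowerShell 2.0 or later and fsutil.exe are present (both available on XP SP3), walks a tree without descending into reparse points, and classifies each one by the tag fsutil reports. It only reads and never deletes anything.

```powershell
# Added example, not from this thread: enumerate directory reparse points
# (junctions, symlinks) under a root and classify each by its reparse tag.
# Assumes PowerShell 2.0+ and fsutil.exe (both available on XP SP3).
param([string]$Root = "C:\Program Files")

$ReparsePoint = [System.IO.FileAttributes]::ReparsePoint

# Walk the tree manually so we never descend INTO a reparse point; following a
# junction that points back up the tree would otherwise recurse forever.
function Get-ReparseDirs([string]$Dir) {
    $children = Get-ChildItem -LiteralPath $Dir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer }
    foreach ($d in $children) {
        if (($d.Attributes -band $ReparsePoint) -ne 0) {
            $d                      # report it, do not recurse through it
        } else {
            Get-ReparseDirs $d.FullName
        }
    }
}

# fsutil reports the tag: 0xa0000003 is IO_REPARSE_TAG_MOUNT_POINT (a junction),
# 0xa000000c is IO_REPARSE_TAG_SYMLINK. Anything else is a filter-driver or
# third-party tag and deserves a closer look.
function Get-ReparseKind([string]$Path) {
    $line = & fsutil reparsepoint query "$Path" 2>&1 | Select-String "Reparse Tag Value"
    if (-not $line) { return "unreadable" }   # typical for folders the system "cannot access"
    $tag = ([string]$line -split ":")[1].Trim().ToLower()
    switch ($tag) {
        "0xa0000003" { "junction ($tag)" }
        "0xa000000c" { "symlink ($tag)" }
        default      { "other ($tag)" }
    }
}

Get-ReparseDirs $Root | ForEach-Object {
    New-Object PSObject -Property @{
        Path = $_.FullName
        Kind = Get-ReparseKind $_.FullName
    }
} | Format-Table Kind, Path -AutoSize
```

A Program Files folder that shows up here as a junction while its neighbours are plain directories is exactly the condition the DIR listing in the post is revealing by hand.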



#8 gringo_pr

  • Malware Response Team

Posted 11 November 2013 - 08:38 AM



Hello gwhiz9999

Malwarebytes Anti-Rootkit

1. Download Malwarebytes Anti-Rootkit
2. Unzip the contents to a folder in a convenient location.
3. Open the folder where the contents were unzipped and run mbar.exe
4. Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
5. Click on the Cleanup button to remove any threats and reboot if prompted to do so.
6. Wait while the system shuts down and the cleanup process is performed.
7. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
8. If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
    • Internet access
    • Windows Update
    • Windows Firewall
9. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.
10. Verify that your system is now functioning normally.


--RogueKiller--

Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • the scan will make two reports the one I would like to see is called RKreport[2].txt on your Desktop
  • Exit/Close RogueKiller
send me the reports made from MBAR and Roguekiller and also let me know how the computer is doing at this time.

Gringo






When you are complete please send me both reports

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 gwhiz9999

  • Topic Starter

Posted 12 November 2013 - 03:11 AM

When I click on the links to those latest program downloads, I get a new tab that pops up with a security warning.  When I click on the warning bar and tell it to download the files, each time it does nothing and leaves me with a blank tab on my Internet Explorer.  I have tried it multiple times for each.



#10 gringo_pr

  • Malware Response Team

Posted 12 November 2013 - 12:44 PM


Hello gwhiz9999

first I would like you to go here and click on the fixit button - http://support.microsoft.com/kb/923737


Then I want you to do the following
  • Start Internet Explorer.
  • click on "safety"
  • click on "Delete Browsing History"
  • make sure all boxes are checked
  • click on "Delete"
  • click on "Tools",
  • click "Internet Options".
  • On the "Advanced" tab, click "Reset"
  • put a check mark next to "Delete Personal Settings"
  • click "Reset" to confirm
  • when complete click the "Close" button
  • restart IE
Gringo

#11 gwhiz9999

  • Topic Starter

Posted 13 November 2013 - 09:07 AM

I did what you most recently asked, and then my password for your site wouldn't work when I tried to log back on.  I had to have your site send me a new password.  I now have an "svchost.exe" process that is constantly running in the high 90s on Task Manager.



#12 gringo_pr

  • Malware Response Team

Posted 13 November 2013 - 10:03 PM

Hello gwhiz9999

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

Edited by gringo_pr, 13 November 2013 - 10:04 PM.


#13 gwhiz9999

  • Topic Starter

Posted 14 November 2013 - 09:32 AM

This is really frustrating.  The first link again opens a new window with a security warning, and when I bypass it and tell it to download the file, the warning bar disappears and nothing else happens.  The second link takes me to a site that is in Spanish, so I didn't even try to do anything there.  The third link tries to get me to download something called "zip extractor," so I left that alone.  I will await your next instruction.



#14 gringo_pr

  • Malware Response Team

Posted 14 November 2013 - 08:32 PM

Hello

Ok try this link - http://www.bleepingcomputer.com/download/combofix/

#15 gwhiz9999

  • Topic Starter

Posted 15 November 2013 - 06:11 AM

The new link worked fine and I was able to download and run the program.  Combofix did not restart my pc.  However, I did lose my ability to connect to the internet and had to manually restart it.  I still have an svchost.exe process that is intermittently running in the high 90s on CPU when I open Task Manager, and the computer is hanging/lagging sporadically.  I still have the old, renamed folders/files from previous installations of Microsoft Security Essentials that were changed to "junctions" that can't be deleted and "can not be accessed by the system."

 

Here is the Combofix log you requested:

 

ComboFix 13-11-15.01 - Owner 11/15/2013   5:11.2.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1022.760 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Owner\WINDOWS
c:\documents and settings\Owner\WINDOWS\win.ini
c:\windows\system32\OLD2.tmp
c:\windows\system32\SET22.tmp
c:\windows\system32\SET26.tmp
c:\windows\system32\SET2C.tmp
c:\windows\system32\SET2E.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-15 to 2013-11-15  )))))))))))))))))))))))))))))))
.
.
2013-11-15 10:02 . 2013-11-15 10:02 40392 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{06462FBD-24ED-4394-A747-0579839FBB74}\MpKsle19608a3.sys
2013-11-14 14:38 . 2013-11-14 14:38 9310 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2013-11-14 14:38 . 2013-11-14 14:38 8646 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2013-11-14 14:38 . 2013-11-14 14:38 6429 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2013-11-14 14:38 . 2013-11-14 14:38 63115 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2013-11-14 14:38 . 2013-11-14 14:38 5927 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2013-11-14 14:38 . 2013-11-14 14:38 4599 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2013-11-14 14:38 . 2013-11-14 14:38 8613 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2013-11-14 14:38 . 2013-11-14 14:38 1651 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2013-11-14 14:38 . 2013-11-14 14:38 6910 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2013-11-14 14:38 . 2013-11-14 14:38 8288 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2013-11-14 14:38 . 2013-11-14 14:38 6208 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2013-11-14 14:38 . 2013-11-14 14:38 18541 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2013-11-14 14:37 . 2013-11-14 14:37 51852 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2013-11-14 14:37 . 2013-11-14 14:37 8782 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2013-11-14 14:37 . 2013-11-14 14:37 7271 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2013-11-14 14:37 . 2013-11-14 14:37 23327 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2013-11-14 14:37 . 2013-11-14 14:37 20719 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2013-11-14 14:06 . 2013-11-14 14:07 -------- d-sh--w- c:\documents and settings\Owner\Application Data\KB975713
2013-11-14 13:49 . 2013-10-16 05:20 7796464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{06462FBD-24ED-4394-A747-0579839FBB74}\mpengine.dll
2013-11-14 04:34 . 2013-11-14 14:07 -------- d-sh--w- c:\documents and settings\Owner\Local Settings\Application Data\KB2761465-IE8
2013-11-13 13:25 . 2013-10-16 05:20 7796464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-11-11 11:55 . 2013-11-11 11:55 -------- d-----w- c:\windows\ERUNT
2013-11-11 11:34 . 2013-11-11 11:39 -------- d-----w- C:\AdwCleaner
2013-11-07 06:54 . 2013-11-07 06:55 -------- d-----w- c:\program files\Microsoft Security Client
2013-11-07 06:48 . 2008-04-14 09:42 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-19 07:21 . 2012-10-12 06:15 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-19 07:21 . 2012-04-04 09:06 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-23 18:33 . 2003-03-31 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-09-23 18:33 . 2003-03-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-09-23 18:33 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-09-23 18:33 . 2003-03-31 12:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-09-23 18:06 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2013-09-14 10:57 . 2013-09-14 10:57 12558 ----a-w- C:\FixitRegBackup.reg
2013-09-03 18:35 . 2010-05-28 07:33 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-08-29 01:31 . 2003-03-31 12:00 1878656 ----a-w- c:\windows\system32\win32k.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-03-08 . B60DDDD2D63CE41CB8C487FCFBB6419E . 638816 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ie8\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-07-18 995184]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2009-12-01 6373376]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-12-20 113024]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=c:\windows\pss\Privoxy.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
backup=c:\windows\pss\Ralink Wireless Utility.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^ctfmon.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\ctfmon.lnk
backup=c:\windows\pss\ctfmon.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup
.
[HKLM\~\startupfolder\^defogger_reenable]
path=\defogger_reenable
backup=c:\windows\pss\defogger_reenableCommon Startup
.
[HKLM\~\startupfolder\^ntuser.dat]
path=\ntuser.dat
backup=c:\windows\pss\ntuser.datCommon Startup
.
[HKLM\~\startupfolder\^ntuser.dat.LOG]
path=\ntuser.dat.LOG
backup=c:\windows\pss\ntuser.dat.LOGCommon Startup
.
[HKLM\~\startupfolder\^ntuser.ini]
path=\ntuser.ini
backup=c:\windows\pss\ntuser.iniCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-13 08:58 323392 ----a-w- c:\program files\DNA\btdna.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2013-04-04 18:50 887432 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2012-05-25 08:25 6595928 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2000-08-08 20:00 311350 -c--a-w- c:\program files\Microsoft Works\wkssb.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2000-08-08 20:00 28739 -c--a-w- c:\program files\Microsoft Works\WkDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2013-07-18 21:49 995184 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPWebCap]
2010-08-12 00:05 43008 -c--a-w- c:\progra~1\ScanSoft\PAPERP~1\PPWEBCAP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 -c--a-w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 13:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2013-09-14 13:32 5703920 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2000-08-08 20:00 24576 -c--a-w- c:\program files\Microsoft Works\wkfud.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"aawservice"=2 (0x2)
"MsMpSvc"=2 (0x2)
"!SASCORE"=2 (0x2)
"gusvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"FontCache3.0.0.0"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\WINMX\\WinMX.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2198:TCP"= 2198:TCP:Remote Assistance Local
"2856:TCP"= 2856:TCP:Remote Assistance Remote
.
R1 MpKsle19608a3;MpKsle19608a3;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{06462FBD-24ED-4394-A747-0579839FBB74}\MpKsle19608a3.sys [11/15/2013 5:02 AM 40392]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 1:25 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67664]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [6/24/2011 12:06 PM 19072]
S2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [6/11/2008 5:17 PM 2560]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [4/19/2013 2:14 PM 161384]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/29/2010 12:48 PM 116608]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLE19608A3
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-11-14 21:49 1210320 ----a-w- c:\program files\Google\Chrome\Application\31.0.1650.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-02 07:12]
.
2013-11-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-02 07:12]
.
2013-11-14 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-07-18 21:49]
.
2013-11-15 c:\windows\Tasks\User_Feed_Synchronization-{39CFE49B-3195-48FA-A891-36E86B83D597}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
Trusted Zone: google.com
Trusted Zone: google.com\maps
Trusted Zone: google.com\www
Trusted Zone: yahoo.com\games
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
MSConfigStartUp-1553187517 - c:\documents and settings\Owner\Local Settings\Application Data\ucc.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
MSConfigStartUp-CPN Notifier - c:\program files\Cake Poker 2.0\PokerNotifier.exe
MSConfigStartUp-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
MSConfigStartUp-MSSE - c:\program files\Microsoft Security Essentials\msseces.exe
MSConfigStartUp-NYDKOFWtGkff - c:\documents and settings\All Users\Application Data\NYDKOFWtGkff.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-fileopenerpro - c:\program files\FileOpenerPro\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-15 05:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5a,5d,47,e2,e7,f2,bf,7c,70,d7,e1,1f,4d,d8,fe,ef,85,dd,b9,a0,a3,05,85,
   e5,60,01,51,38,1d,47,48,5b,b4,14,b1,3e,97,cc,33,9d,08,9f,2b,aa,24,7d,d5,41,\
"??"=hex:4e,5b,94,3c,fd,7c,e9,4e,cd,39,69,eb,e3,76,76,ba
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F]
"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,c2,97,86,6a,a5,82,f8,
   d5,44,f7,88,8f,b5,4c,1b,f9,3e,da,c2,d2,eb,69,77,32,91,02,8c,84,09,5e,d2,d3
"2"=hex:f1,df,16,de,80,08,0e,2a,d1,38,b5,6f,94,ca,dc,d2,b3,e8,d2,40,6c,6f,61,
   5e,d2,5e,7f,21,14,b5,b2,29
"3"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,c2,97,86,6a,a5,82,f8,
   d5,f2,55,76,c8,bc,53,92,25,3f,d1,b6,bc,00,35,73,43,96,90,79,f6,5b,97,35,47,\
.
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\3323E31CCF524E1933A08EFC0405BBBB]
"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
   b0,ce,d6,da,a0,ab,80,e1,24
"2"=hex:cf,77,c8,3e,ea,da,16,30
"3"=hex:0d,7d,c9,18,d3,22,ea,6b,25,f0,a2,ef,a7,44,d7,14,db,6e,d9,81,61,c7,b6,
   c3,79,35,97,6b,1c,7f,f4,36,d3,a2,13,ea,06,04,06,f6,4e,8e,35,e9,28,e6,ed,df,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
   1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
   b0,62,93,57,0b,21,63,41,55,32,b5,f6,08,b8,5e,2d,e4,ec,af,ae,86,59,ce,53,bb,\
"7"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
   b0,29,7c,70,46,35,dc,d7,79
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,6b,8d,dd,0b,84,72,f6,
   f2,3d,a6,3c,a0,07,7d,db,f3,88,a8,6c,3f,5c,60,94,94,89,77,0c,65,96,1c,ff,8e,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:4b,72,8f,bc,6c,3f,e4,15
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:89,de,70,71,9a,fd,bb,cb,32,88,ce,34,de,0b,d0,29,3a,91,b2,9c,5c,0e,03,
   04,9f,91,a5,ea,4e,34,64,51,40,45,2e,4f,a9,23,7d,75,e6,ba,1f,f6,fe,ee,c1,35,\
"13"=hex:f8,81,17,ce,ee,0c,18,ba,80,4a,8a,4f,96,a0,a7,52,0a,93,b5,ac,8d,aa,e8,
   78
"14"=hex:4e,63,05,ff,92,a2,5b,c8
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:6c,8a,54,38,f2,af,a5,7a,46,2e,a7,ca,18,b6,ed,97
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:fe,43,41,a2,3b,bb,56,64,9d,53,09,d4,d6,3e,09,dc,85,0b,80,ce,45,90,d4,
   0d,0e,50,7e,78,19,0c,a5,4f,5b,3c,7e,c8,27,8a,35,a6,a7,b8,91,6d,11,06,e5,52,\
.
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\37539B6D352ECF5C006214859EC1AF0C]
"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
   b0,c8,c9,f6,99,f8,a7,b9,da
"2"=hex:76,4e,1c,cc,2e,81,b8,f3
"3"=hex:37,f4,55,b7,8a,39,f0,05,79,7b,33,d6,65,7d,31,38,ed,56,d8,f1,24,f4,39,
   23,f4,45,9b,fb,62,4c,5f,59,2d,16,7c,2e,59,1d,67,ef,1c,57,06,09,b1,0c,12,81,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
   1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
   b0,13,d6,a9,04,9e,fe,4b,b3,10,e4,eb,ef,c4,3c,01,7c,da,ad,aa,35,c5,9e,af,7d,\
"7"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
   b0,f5,de,1e,04,6d,6b,1c,69
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,6b,8d,dd,0b,84,72,f6,
   f2,3d,a6,3c,a0,07,7d,db,f3,88,a8,6c,3f,5c,60,94,94,89,77,0c,65,96,1c,ff,8e,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:4b,72,8f,bc,6c,3f,e4,15
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:f3,45,c8,e1,1c,e2,5b,b1,22,12,e8,be,94,28,3f,4d,32,10,27,fe,4a,61,a4,
   12,35,dd,a7,7c,95,78,a5,12,ba,af,72,46,2c,9c,32,9c,04,66,01,85,ae,86,87,80,\
"13"=hex:52,af,1a,eb,3f,3a,6a,35,17,58,85,de,ee,db,0a,76,ba,a6,29,a5,38,09,8d,
   cd
"14"=hex:6c,3a,76,3b,92,16,dd,60
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:b1,f0,11,ed,b5,09,c2,be,c0,de,35,ad,10,f1,63,35
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:81,ea,e0,b9,43,59,b8,9a,d4,36,9d,a1,cd,72,78,71,05,1d,22,de,c4,09,cc,
   a9,90,da,c3,a3,bc,52,7c,f0,f9,68,6f,b1,fe,16,18,6e,ac,0a,a4,77,13,d4,c0,9a,\
.
Completion time: 2013-11-15  05:32:59
ComboFix-quarantined-files.txt  2013-11-15 10:32
ComboFix2.txt  2010-08-17 10:16
.
Pre-Run: 669,458,432 bytes free
Post-Run: 1,905,975,296 bytes free
.
- - End Of File - - 749DCAD885FB45D88FADE4821FD3AE85
8F558EB6672622401DA993E1E865C861
 





