
Zero Access, Level Quality Watcher , catchme


16 replies to this topic

#1 JohnMWoods (Members, 29 posts; Location: San Diego, CA, USA)

Posted 10 December 2013 - 06:25 AM

Please help. I am having a rough time. I have been defeated by the above-mentioned trio. I should mention that the three span 2 machines. Any help would be greatly appreciated. Thanks, John (PS Please forgive any breaches of protocol in my virgin post.)
 
FROM MACHINE ONE:
 
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 10.0.9200.16736  BrowserJavaVersion: 10.45.2
Run by User at 5:33:12 on 2013-12-10
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2038.1023 [GMT -8:00]
.
AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\mqsvc.exe
C:\Program Files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe
C:\Windows\System32\tcpsvcs.exe
C:\Windows\System32\snmp.exe
C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Windows\explorer.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k ftpsvc
C:\Windows\System32\svchost.exe -k ipripsvc
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k SDRSVC
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton 360\engine\5.2.2.3\coieplg.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton 360\engine\5.2.2.3\ips\ipsbho.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\5.2.2.3\coieplg.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\5.2.2.3\coieplg.dll
uRun: [3C315CB7C05A2A2BFAEAFA05AE1603CA95A938F0._service_run] "c:\program files\google\chrome\application\chrome.exe" --type=service
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0045-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com/bin/srldetect_intel_4.5.15.0.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{3661FDE2-3D4D-4ADE-A1CF-23B0124D0FDE} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{3661FDE2-3D4D-4ADE-A1CF-23B0124D0FDE}\445716E65602C416D616270295F657E676 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{6C14A2E4-6F5C-49F3-B12F-3CFB7440B078} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{6C14A2E4-6F5C-49F3-B12F-3CFB7440B078}\6457E6E697D4F6F63756D27657563747 : DHCPNameServer = 192.168.3.1
TCP: Interfaces\{7862F33E-A2D6-4D8D-80C3-4FD4DE97100C} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{B84E9A7C-9ABF-496F-A291-158F70E62FA8} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{BD777DB2-9FB9-4661-8F60-569BA14FDC00} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{BD777DB2-9FB9-4661-8F60-569BA14FDC00}\46C696E6B6 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{BD86A190-2C7F-4B6E-93EB-774A5E28CB23} : DHCPNameServer = 192.168.0.1
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\31.0.1650.63\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-6-18 211560]
R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\drivers\SCMNdisP.sys [2013-11-12 21472]
R0 SMR410;Symantec SMR Utility Service 4.1.0;c:\windows\system32\drivers\SMR410.SYS [2013-12-9 98392]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502020.003\symds.sys [2013-12-9 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502020.003\symefa.sys [2013-12-9 744568]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20131203.001\BHDrvx86.sys [2013-12-3 1098968]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20131207.001\IDSvix86.sys [2013-12-9 393816]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2013-9-15 20384]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502020.003\ironx86.sys [2013-12-9 136312]
R1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\n360\0502020.003\symnets.sys [2013-12-9 299640]
R2 ftpsvc;Microsoft FTP Service;c:\windows\system32\svchost.exe -k ftpsvc [2009-7-13 20992]
R2 iprip;RIP Listener;c:\windows\system32\svchost.exe -k ipripsvc [2009-7-13 20992]
R2 N360;Norton 360;c:\program files\norton 360\engine\5.2.2.3\ccsvchst.exe [2013-12-9 130008]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-6-18 107392]
R2 WSWNA1100;WSWNA1100;c:\program files\netgear\wna1100\WifiSvc.exe [2013-11-12 297440]
R3 athur;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athur.sys [2013-11-12 1564160]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2012-6-18 374648]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2013-12-7 108120]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-4-11 62464]
S3 jswpsapi;JumpStart Wi-Fi Protected Setup;c:\program files\netgear\wna1100\jswpsapi.exe [2013-11-12 960992]
S3 NisSrv;NisSrv;"c:\program files\microsoft security client\nissrv.exe" --> c:\program files\microsoft security client\NisSrv.exe [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-11-16 14848]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-6-10 347136]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-11-16 49152]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2013-11-16 27136]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-4-30 1343400]
S3 WMSVC;Web Management Service;c:\windows\system32\inetsrv\WMSvc.exe [2009-7-13 9728]
.
=============== Created Last 30 ================
.
2013-12-10 09:02:59 -------- d-sh--w- C:\$RECYCLE.BIN
2013-12-10 09:02:51 -------- d-----w- c:\users\user\appdata\local\temp
2013-12-10 07:30:25 98392 ----a-w- c:\windows\system32\drivers\SMR410.SYS
2013-12-10 06:40:52 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-12-09 23:14:54 -------- d-----w- c:\programdata\HitmanPro
2013-12-09 19:12:49 744568 ----a-w- c:\windows\system32\drivers\n360\0502020.003\symefa.sys
2013-12-09 19:12:49 299640 ----a-w- c:\windows\system32\drivers\n360\0502020.003\symnets.sys
2013-12-09 19:12:48 516216 ----a-w- c:\windows\system32\drivers\n360\0502020.003\srtsp.sys
2013-12-09 19:12:48 50168 ----a-w- c:\windows\system32\drivers\n360\0502020.003\srtspx.sys
2013-12-09 19:12:48 340088 ----a-w- c:\windows\system32\drivers\n360\0502020.003\symds.sys
2013-12-09 19:12:48 136312 ----a-r- c:\windows\system32\drivers\n360\0502020.003\ironx86.sys
2013-12-09 19:12:00 -------- d-----w- c:\windows\system32\drivers\n360\0502020.003
2013-12-08 21:20:11 -------- d-----w- C:\AdwCleaner
2013-12-08 06:17:41 -------- d-----w- c:\windows\system32\N360_BACKUP
2013-12-08 04:57:31 -------- d-----w- c:\programdata\Symantec
2013-12-08 04:56:54 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2013-12-08 04:56:49 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2013-12-08 04:56:49 -------- d-----w- c:\program files\Symantec
2013-12-08 04:56:49 -------- d-----w- c:\program files\common files\Symantec Shared
2013-12-08 04:56:23 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2013-12-08 04:55:56 -------- d-----w- c:\windows\system32\drivers\N360
2013-12-08 04:55:48 -------- d-----w- c:\program files\Norton 360
2013-12-08 04:54:39 -------- d-----w- c:\program files\NortonInstaller
2013-12-08 04:03:41 -------- d-----w- c:\users\user\.android
2013-12-08 04:03:40 -------- d-----w- c:\users\user\appdata\local\cache
2013-12-08 04:03:37 -------- d-----w- c:\users\user\appdata\roaming\newnext.me
2013-12-08 04:03:37 -------- d-----w- c:\users\user\appdata\local\Mobogenie
2013-12-08 04:03:37 -------- d-----w- c:\users\user\appdata\local\genienext
2013-12-08 04:02:24 -------- d-----w- c:\users\user\appdata\roaming\DictAddon
2013-12-06 16:00:09 98816 ----a-w- c:\windows\sed.exe
2013-12-06 16:00:09 256000 ----a-w- c:\windows\PEV.exe
2013-12-06 16:00:09 208896 ----a-w- c:\windows\MBR.exe
2013-12-06 05:45:44 7772552 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{ea34556e-afb3-4064-903f-cb6ed4f3657c}\mpengine.dll
2013-12-05 10:59:28 -------- d-----w- c:\windows\ERUNT
2013-12-05 08:50:17 -------- d-----w- C:\Microsoft
2013-12-05 07:44:21 -------- d-----w- c:\programdata\Uniblue
2013-12-05 07:43:43 -------- d-----w- c:\program files\Uniblue
2013-12-03 21:56:35 -------- d-----w- c:\users\user\appdata\roaming\WinZip
2013-12-03 21:53:31 -------- d-----w- c:\programdata\msat
2013-12-03 21:53:31 -------- d-----w- c:\program files\Microsoft Corporation
2013-12-03 18:47:43 -------- d-----w- c:\program files\Microsoft Games
2013-12-03 18:45:22 -------- d-----w- c:\program files\My Dell
2013-12-03 18:20:15 -------- d-----w- c:\programdata\Passmark
2013-12-03 05:40:48 -------- d-----w- C:\712abfcbc31a53c00592
2013-11-27 09:09:04 -------- d-----w- c:\windows\Migration
2013-11-20 15:08:13 1247744 ----a-w- c:\windows\system32\DWrite.dll
2013-11-17 23:13:43 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2013-11-17 13:16:59 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2013-11-17 13:15:07 -------- d--h--w- c:\windows\msdownld.tmp
2013-11-17 13:14:55 -------- d-----w- c:\windows\system32\directx
2013-11-16 17:19:23 -------- d-----r- c:\users\user\Virtual Machines
2013-11-16 16:53:04 48128 ----a-w- c:\windows\system32\drivers\vpcnfltr.sys
2013-11-16 16:53:04 2171392 ----a-w- c:\windows\system32\VPCWizard.exe
2013-11-16 16:53:02 78336 ----a-w- c:\windows\system32\drivers\vpcusb.sys
2013-11-16 16:53:02 296064 ----a-w- c:\windows\system32\drivers\vpcvmm.sys
2013-11-16 16:53:02 172416 ----a-w- c:\windows\system32\drivers\vpchbus.sys
2013-11-16 16:53:02 14848 ----a-w- c:\windows\system32\vpchbuspipe.dll
2013-11-16 16:53:00 559616 ----a-w- c:\windows\system32\VMCPropertyHandler.dll
2013-11-16 16:53:00 1260032 ----a-w- c:\windows\system32\VPCSettings.exe
2013-11-16 16:52:58 793600 ----a-w- c:\windows\system32\vmsal.exe
2013-11-16 16:52:58 3330560 ----a-w- c:\windows\system32\vpc.exe
2013-11-16 16:52:58 1003008 ----a-w- c:\windows\system32\VMWindow.exe
2013-11-16 15:04:35 -------- d-----w- c:\program files\Foxit Software
2013-11-16 11:40:28 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2013-11-16 11:18:22 32256 ----a-w- c:\windows\system32\TsUsbGDCoInstaller.dll
2013-11-16 11:18:20 49152 ----a-w- c:\windows\system32\drivers\TsUsbFlt.sys
2013-11-16 11:18:20 12800 ----a-w- c:\windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2013-11-16 11:18:19 855552 ----a-w- c:\windows\system32\rdvidcrl.dll
2013-11-16 11:18:19 76288 ----a-w- c:\windows\system32\TSWbPrxy.exe
2013-11-16 11:18:19 53248 ----a-w- c:\windows\system32\tsgqec.dll
2013-11-16 11:18:19 50176 ----a-w- c:\windows\system32\MsRdpWebAccess.dll
2013-11-16 11:18:19 350208 ----a-w- c:\windows\system32\wksprt.exe
2013-11-16 11:18:19 17920 ----a-w- c:\windows\system32\wksprtPS.dll
2013-11-16 11:18:19 14336 ----a-w- c:\windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2013-11-16 11:18:19 1068544 ----a-w- c:\windows\system32\mstsc.exe
2013-11-16 11:18:18 5698048 ----a-w- c:\windows\system32\mstscax.dll
2013-11-16 11:17:20 14848 ----a-w- c:\windows\system32\drivers\rdpvideominiport.sys
2013-11-16 11:17:19 12800 ----a-w- c:\windows\system32\RdpGroupPolicyExtension.dll
2013-11-16 11:17:18 27136 ----a-w- c:\windows\system32\drivers\TsUsbGD.sys
2013-11-16 11:17:15 2739712 ----a-w- c:\windows\system32\rdpcorets.dll
2013-11-16 11:17:15 221184 ----a-w- c:\windows\system32\rdpudd.dll
2013-11-16 11:17:15 192000 ----a-w- c:\windows\system32\rdpendp_winip.dll
2013-11-16 11:14:13 187392 ----a-w- c:\windows\system32\UIAnimation.dll
2013-11-16 11:14:04 417792 ----a-w- c:\windows\system32\WMPhoto.dll
2013-11-16 07:53:47 -------- d-----w- c:\users\user\appdata\local\Innovative Solutions
2013-11-16 04:04:42 53248 ----a-w- c:\windows\system32\CSVer.dll
2013-11-16 02:04:06 -------- d-----w- c:\users\user\My Backup Files
2013-11-16 01:09:16 -------- d-sh--w- C:\System Recovery
2013-11-16 01:09:04 -------- d-----w- c:\users\user\appdata\local\SoftThinks
2013-11-16 00:51:26 -------- d-----w- c:\program files\Dell DataSafe Local Backup
2013-11-15 21:55:17 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2013-11-15 18:02:47 -------- d-----w- c:\users\user\appdata\roaming\Dell
2013-11-15 18:01:52 -------- d-----w- c:\programdata\PCDr
2013-11-15 17:59:06 -------- d-----w- c:\users\user\appdata\roaming\PCDr
2013-11-13 20:16:41 -------- dc----w- c:\users\user\appdata\local\MigWiz
2013-11-13 20:10:32 -------- d-----w- c:\users\user\appdata\local\CrashDumps
2013-11-12 11:04:17 -------- d-----w- C:\09ed75230285d3da4708
2013-11-12 08:01:45 21472 ----a-w- c:\windows\system32\drivers\SCMNdisP.sys
2013-11-12 08:01:45 1564160 ----a-w- c:\windows\system32\drivers\athur.sys
2013-11-11 16:42:16 18656 ----a-w- c:\windows\system32\PCloudBroom.exe
2013-11-11 16:25:22 -------- d-----w- c:\program files\Panda Security
2013-11-11 10:15:27 -------- d-----w- c:\windows\system32\Lang
2013-11-11 10:01:36 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-11-10 20:06:15 -------- d-----w- c:\windows\addins
2013-11-10 20:06:14 -------- d-----w- c:\windows\system32\FxsTmp
.
==================== Find3M  ====================
.
2013-12-03 09:03:40 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-03 09:03:40 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-11-11 13:50:18 230048 ------w- c:\windows\system32\MpSigStub.exe
2013-11-08 11:53:19 348160 ----a-w- c:\windows\system32\msvcr71.dll
2013-11-08 11:53:19 1060864 ----a-w- c:\windows\system32\mfc71.dll
2013-11-08 11:53:18 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2013-11-08 05:44:54 403440 ----a-w- c:\windows\system32\drivers\buidilov.sys
2013-11-08 05:39:17 403440 ----a-w- c:\windows\system32\drivers\rftblwiw.sys
2013-10-12 02:03:08 656896 ----a-w- c:\windows\system32\nshwfp.dll
2013-10-12 02:01:41 679424 ----a-w- c:\windows\system32\IKEEXT.DLL
2013-10-12 02:01:25 216576 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2013-10-05 19:57:25 1168384 ----a-w- c:\windows\system32\crypt32.dll
2013-10-04 01:58:50 152576 ----a-w- c:\windows\system32\SmartcardCredentialProvider.dll
2013-10-04 01:56:25 168960 ----a-w- c:\windows\system32\credui.dll
2013-10-04 01:56:00 1796096 ----a-w- c:\windows\system32\authui.dll
2013-10-03 01:58:07 305152 ----a-w- c:\windows\system32\gdi32.dll
2013-10-02 02:46:11 3072 ----a-w- c:\windows\system32\drivers\en-us\tsusbflt.sys.mui
2013-09-25 02:01:08 136640 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2013-09-25 02:01:06 67520 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2013-09-25 01:57:53 792576 ----a-w- c:\windows\system32\TSWorkspace.dll
2013-09-25 01:57:46 99840 ----a-w- c:\windows\system32\sspicli.dll
2013-09-25 01:57:26 22016 ----a-w- c:\windows\system32\secur32.dll
2013-09-25 01:57:24 247808 ----a-w- c:\windows\system32\schannel.dll
2013-09-25 01:56:42 220160 ----a-w- c:\windows\system32\ncrypt.dll
2013-09-25 01:56:02 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2013-09-25 00:49:20 22016 ----a-w- c:\windows\system32\lsass.exe
2013-09-25 00:49:18 15872 ----a-w- c:\windows\system32\sspisrv.dll
2013-09-20 18:49:30 18968 ----a-w- c:\windows\system32\sdnclean.exe
2013-09-14 00:48:58 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2013-09-12 05:21:54 863344 ----a-w- c:\windows\system32\msvcr110_clr0400.dll
2013-09-12 05:21:54 501872 ----a-w- c:\windows\system32\msvcp110_clr0400.dll
2013-09-12 05:21:54 28776 ----a-w- c:\windows\system32\aspnet_counters.dll
2013-09-12 05:21:54 18000 ----a-w- c:\windows\system32\msvcr100_clr0400.dll
.
============= FINISH:  5:33:43.63 ===============
 
 
FROM MACHINE TWO:
 
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.45.2
Run by Mike at 5:34:18 on 2013-12-10
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.759.291 [GMT -8:00]
.
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
AV:  *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW:  *Disabled* 
FW: Norton 360 *Enabled* 
.
============== Running Processes ================
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Norton 360\Engine\21.1.0.18\N360.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\locator.exe
C:\WINDOWS\system32\skeys.exe
C:\Program Files\Norton 360\Engine\21.1.0.18\N360.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit = c:\windows\system32\userinit.exe,,SKEYS /I
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - 
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton 360\engine\21.1.0.18\CoIEPlg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton 360\engine\21.1.0.18\ips\IPSBHO.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\21.1.0.18\CoIEPlg.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\21.1.0.18\CoIEPlg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: dell.com
DPF: {07450679-A737-4F26-B3E6-E994A7C5CD92} - hxxp://174.79.251.156/Ocxfile/DVROcx.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1342538465562
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1296684884609
DPF: {B479199A-1242-4E3C-AD81-7F0DF801B4AE} - hxxp://download.microsoft.com/download/C/9/C/C9C3D86D-84AC-4AF0-8584-842756A66467/MicrosoftDownloadManager.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{F7F00D2C-9FD4-46D9-BDB4-8222565AA7ED} : DHCPNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook - {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - c:\program files\windows defender\MpShHook.dll
LSA: Authentication Packages =  msv1_0 nwprovau
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\31.0.1650.63\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\1501000.012\SymDS.sys [2013-12-7 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\1501000.012\SymEFA.sys [2013-12-7 935512]
R1 BHDrvx86;BHDrvx86;c:\program files\norton 360\nortondata\21.1.0.18\definitions\bashdefs\20131203.001\BHDrvx86.sys [2013-12-3 1098968]
R1 ccSet_N360;N360 Settings Manager;c:\windows\system32\drivers\n360\1501000.012\ccSetx86.sys [2013-12-7 127064]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\1501000.012\Ironx86.sys [2013-12-7 206936]
R2 N360;Norton 360;c:\program files\norton 360\engine\21.1.0.18\N360.exe [2013-12-7 264360]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2013-12-7 108120]
R3 IDSxpx86;IDSxpx86;c:\program files\norton 360\nortondata\21.1.0.18\definitions\ipsdefs\20131207.001\IDSXpx86.sys [2013-12-10 380824]
R3 NAVENG;NAVENG;c:\program files\norton 360\nortondata\21.1.0.18\definitions\virusdefs\20131209.001\NAVENG.SYS [2013-12-9 93272]
R3 NAVEX15;NAVEX15;c:\program files\norton 360\nortondata\21.1.0.18\definitions\virusdefs\20131209.001\NAVEX15.SYS [2013-12-9 1612376]
S1 qnycqypa;qnycqypa;\??\c:\windows\system32\drivers\qnycqypa.sys --> c:\windows\system32\drivers\qnycqypa.sys [?]
S3 AR9271;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys --> c:\windows\system32\drivers\athuw.sys [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-12-9 51416]
S3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [2011-7-1 13312]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2011-7-1 9472]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2001-8-23 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpffontcache_v0400.exe --> c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [?]
.
=============== File Associations ===============
.
.txt: <filetype is not registered>
FileExt: .inf: Applications\iexplore.exe="c:\program files\internet explorer\iexplore.exe" %1 [UserChoice]
.
=============== Created Last 30 ================
.
2013-12-10 13:02:10 -------- d-----w- c:\documents and settings\mike\application data\FixZeroAccess
2013-12-10 12:32:22 388096 ----a-r- c:\documents and settings\mike\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2013-12-10 12:32:12 -------- d-----w- c:\program files\Trend Micro
2013-12-10 10:30:35 7772552 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{7aa164cf-ec80-4c46-bd41-4517cfcd0ae1}\mpengine.dll
2013-12-10 06:58:04 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)
2013-12-10 06:58:02 104664 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-12-10 06:55:02 51416 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-12-08 09:14:00 -------- dc----w- C:\DECCHECK
2013-12-08 07:48:39 -------- d-----w- c:\documents and settings\mike\local settings\application data\NPE
2013-12-07 22:53:12 142936 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2013-12-07 22:53:12 -------- d-----w- c:\program files\Symantec
2013-12-07 22:53:12 -------- d-----w- c:\program files\common files\Symantec Shared
2013-12-07 22:51:51 935512 ----a-r- c:\windows\system32\drivers\n360\1501000.012\SymEFA.sys
2013-12-07 22:51:51 446552 ----a-r- c:\windows\system32\drivers\n360\1501000.012\symnets.sys
2013-12-07 22:51:51 421592 ----a-r- c:\windows\system32\drivers\n360\1501000.012\symtdi.sys
2013-12-07 22:51:51 383576 ----a-r- c:\windows\system32\drivers\n360\1501000.012\symtdiv.sys
2013-12-07 22:51:51 21520 ----a-r- c:\windows\system32\drivers\n360\1501000.012\SymELAM.sys
2013-12-07 22:51:50 651352 ----a-r- c:\windows\system32\drivers\n360\1501000.012\srtsp.sys
2013-12-07 22:51:50 367704 ----a-r- c:\windows\system32\drivers\n360\1501000.012\SymDS.sys
2013-12-07 22:51:50 32344 ----a-r- c:\windows\system32\drivers\n360\1501000.012\srtspx.sys
2013-12-07 22:51:50 206936 ----a-r- c:\windows\system32\drivers\n360\1501000.012\Ironx86.sys
2013-12-07 22:51:46 127064 ----a-r- c:\windows\system32\drivers\n360\1501000.012\ccSetx86.sys
2013-12-07 22:44:57 14818 ----a-r- c:\windows\system32\drivers\n360\1501000.012\SymVTcer.dat
2013-12-07 22:44:46 -------- d-----w- c:\windows\system32\drivers\n360\1501000.012
2013-12-07 22:44:45 -------- d-----w- c:\windows\system32\drivers\N360
2013-12-07 22:44:40 -------- d-----w- c:\program files\Norton 360
2013-12-07 22:43:43 -------- d-----w- c:\program files\NortonInstaller
2013-12-07 18:18:29 -------- d-----w- c:\windows\ERUNT
2013-12-07 17:13:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-12-07 15:50:29 -------- d-----w- c:\program files\Windows Media Connect 2
2013-12-07 09:58:32 7772552 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\backup\mpengine.dll
2013-12-06 18:48:38 -------- d-----w- c:\windows\system32\XPSViewer
2013-12-06 15:48:51 -------- dcsha-r- C:\cmdcons
2013-12-06 15:45:29 98816 ----a-w- c:\windows\sed.exe
2013-12-06 15:45:29 256000 ----a-w- c:\windows\PEV.exe
2013-12-06 15:45:29 208896 ----a-w- c:\windows\MBR.exe
2013-12-06 08:55:05 -------- d-----w- c:\documents and settings\mike\application data\ElevatedDiagnostics
2013-12-05 11:18:04 -------- d--h--w- c:\program files\WindowsUpdate
2013-12-05 11:13:37 -------- dc----w- C:\AdwCleaner
2013-12-04 22:21:18 -------- d-----w- c:\windows\system32\wbem\repository\FS
2013-12-04 22:21:18 -------- d-----w- c:\windows\system32\wbem\Repository
2013-12-04 21:35:37 -------- d-----w- c:\documents and settings\mike\application data\McAfee.com Personal Firewall
2013-12-04 21:35:37 -------- d-----w- c:\documents and settings\mike\application data\AVAST Software
2013-12-04 21:35:37 -------- d-----w- c:\documents and settings\mike\application data\AOL
2013-12-04 21:35:35 -------- d-----w- c:\documents and settings\mike\local settings\application data\Mozilla
2013-12-04 21:35:35 -------- d-----w- c:\documents and settings\mike\application data\Winward
2013-12-03 21:28:34 -------- d-----w- c:\documents and settings\mike\application data\Python-Eggs
2013-12-03 17:35:13 -------- d-----w- c:\documents and settings\all users\application data\Passmark
2013-12-03 10:06:41 -------- dc----w- C:\44b67f18e7b587fb3ae6ccb099
2013-12-03 10:05:24 -------- dc----w- C:\b09062fdf7f0c8188b
2013-12-03 10:01:46 -------- dc----w- C:\2ce17f1f6dc52f3817a3dbd690
2013-12-03 10:01:20 -------- dc----w- C:\2860d3f864a30b6732
2013-12-03 10:00:55 -------- dc----w- C:\46073bed9658236ee8c49ffd044f27
2013-12-03 10:00:11 -------- dc----w- C:\09713bc72b71f5f14371
2013-12-03 09:59:59 -------- dc----w- C:\8c6e25fcf112a75a7ce85e952d
2013-12-03 09:59:29 -------- dc----w- C:\64d5426faca7540967034ab5de
2013-12-03 09:59:10 -------- dc----w- C:\ace611d784f8b963b7f174ffd6
2013-12-03 09:57:48 -------- dc----w- C:\83270d3aafce523a4940d7c3
2013-12-02 21:36:09 -------- d-----w- c:\program files\Real(2)
2013-11-30 22:03:02 -------- dc----w- C:\temp
2013-11-29 20:25:43 -------- d-----w- c:\documents and settings\all users\application data\PCDr(2)
2013-11-28 19:03:17 94208 ------w- c:\windows\system32\mclsp.dll
2013-11-28 19:03:16 32768 ----a-w- c:\windows\system32\instlsp.exe
2013-11-28 19:03:16 11264 ----a-w- c:\windows\system32\sporder.dll
2013-11-27 22:20:52 -------- d-----w- c:\documents and settings\mike\application data\Malwarebytes
2013-11-26 23:55:35 139264 ----a-w- c:\windows\system32\igfxres.dll
2013-11-25 08:35:47 -------- dc----w- C:\ACCESS DENIED
2013-11-25 06:07:40 -------- d-----w- c:\program files\CONEXANT
2013-11-25 06:01:34 1033728 ----a-w- c:\windows\system32\drivers\HSF_DPV.SYS
2013-11-25 06:01:33 705408 ----a-w- c:\windows\system32\drivers\HSF_CNXT.sys
2013-11-25 06:01:31 208384 ----a-w- c:\windows\system32\drivers\HSFHWICH.sys
2013-11-25 06:01:28 42858 ----a-w- c:\windows\system32\hsfci014.dll
2013-11-25 02:32:49 74703 ----a-w- c:\windows\system32\mfc45.dat
2013-11-25 02:32:48 -------- d-----w- c:\program files\iolo
2013-11-24 23:03:14 36880 ----a-w- c:\windows\system32\drivers\mohfilt.sys
2013-11-24 23:03:13 49152 ----a-w- c:\windows\system32\mhwt.dll
2013-11-24 23:03:13 47360 ----a-w- c:\windows\system32\drivers\IntelC53.sys
2013-11-24 23:03:13 172032 ----a-w- c:\windows\system32\intelmoh.dll
2013-11-24 23:03:12 618880 ----a-w- c:\windows\system32\drivers\IntelC52.sys
2013-11-24 23:03:12 1339776 ----a-w- c:\windows\system32\drivers\IntelC51.sys
2013-11-24 21:00:08 -------- d-----w- c:\documents and settings\mike\application data\Dell
2013-11-24 18:36:19 -------- d-----w- c:\documents and settings\mike\local settings\application data\Google
2013-11-24 15:43:42 -------- d-----w- c:\documents and settings\mike\application data\PCDr
2013-11-24 15:41:09 -------- d-----w- c:\documents and settings\mike\local settings\application data\Deployment
2013-11-24 05:07:46 253952 ----a-w- c:\windows\system32\bcmwlu00.exe
2013-11-24 05:07:45 69632 ----a-w- c:\windows\system32\bcmwlpkt.dll
2013-11-24 05:07:45 33664 ----a-w- c:\windows\system32\drivers\BCMWLNPF.SYS
2013-11-24 05:07:45 1200128 ----a-w- c:\windows\system32\BCMWLTRY.EXE
2013-11-24 05:07:08 3096576 ----a-w- c:\windows\system32\BCMWLCPL.CPL
2013-11-24 05:07:06 44032 ----a-w- c:\windows\system32\wltrynt.dll
2013-11-24 05:07:06 18944 ----a-w- c:\windows\system32\WLTRYSVC.EXE
2013-11-24 05:07:05 86016 ----a-w- c:\windows\system32\preflib.dll
2013-11-24 05:07:05 1347584 ----a-w- c:\windows\system32\WLTRAY.EXE
2013-11-24 03:07:47 192512 ----a-w- c:\windows\system32\Stac97co.dll
2013-11-24 03:07:47 102481 ------r- c:\windows\system32\stac97.cpl
2013-11-24 03:07:47 -------- d-----w- c:\program files\SigmaTel
2013-11-24 03:07:30 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\ctor.dll
2013-11-24 03:07:30 32768 ----a-w- c:\program files\common files\installshield\professional\runtime\Objectps.dll
2013-11-24 03:07:30 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iscript.dll
2013-11-24 03:07:30 172032 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iuser.dll
2013-11-24 03:07:29 733184 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iKernel.dll
2013-11-24 03:07:29 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\DotNetInstaller.exe
2013-11-24 03:07:28 180356 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iGdi.dll
2013-11-24 03:07:27 303104 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\setup.dll
2013-11-24 00:34:00 2129920 ----a-w- c:\windows\system32\WLBCGCBPRO731.DLL
2013-11-24 00:33:58 757760 ----a-w- c:\windows\system32\bcm1xsup.dll
2013-11-23 08:53:39 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2013-11-23 08:53:39 2944 ----a-w- c:\windows\system32\drivers\msmpu401.sys
2013-11-15 20:10:17 -------- d-----w- c:\windows\system32\msmq
2013-11-15 05:07:53 2560 ----a-w- c:\documents and settings\all users\application data\microsoft\usmt\iconlib.dll
2013-11-14 23:29:33 -------- d-----w- c:\documents and settings\mike\local settings\application data\Identities
2013-11-13 22:39:47 -------- d-----w- c:\windows\pss
2013-11-13 10:50:16 -------- d-----w- C:\downloads
.
==================== Find3M  ====================
.
2013-12-09 21:52:47 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-12-09 21:52:45 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-19 11:33:38 230048 ------w- c:\windows\system32\MpSigStub.exe
2013-11-15 18:24:23 73376 ---ha-w- c:\windows\system\MCIAVI.DRV
2013-11-15 16:11:03 2855 ----a-w- c:\windows\_default.pif
2013-11-15 15:55:07 1744 ---ha-w- c:\windows\system\SOUND.DRV
2013-11-15 06:51:30 146432 ----a-w- c:\windows\system\winspool.drv
2013-10-13 07:25:38 920064 ----a-w- c:\windows\system32\wininet.dll
2013-10-13 07:25:08 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-10-13 07:25:02 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-10-13 07:24:17 18944 ----a-w- c:\windows\system32\corpol.dll
2013-10-13 06:57:59 385024 ----a-w- c:\windows\system32\html.iec
2013-10-12 15:56:19 278528 ----a-w- c:\windows\system32\oakley.dll
2013-10-09 13:12:48 287744 ----a-w- c:\windows\system32\gdi32.dll
2013-10-08 14:50:41 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-10-08 14:29:36 145408 ----a-w- c:\windows\system32\javacpl.cpl
2013-10-07 10:59:21 603136 ----a-w- c:\windows\system32\crypt32.dll
2013-10-05 01:14:01 7168 ----a-w- c:\windows\system32\xpsp4res.dll
.
============= FINISH:  5:36:13.95 ===============

Edit: Moved topic from Am I Infected to the more appropriate forum. ~ Animal

#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,769 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:33 AM

Posted 13 December 2013 - 10:13 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

I will deal here with your first computer with the Windows 7 operating system only.
We do not service two computers on the same topic, much less if the operating system is not the same.
If you have problems with the XP computer then please start a new topic and post a fresh DDS log.
You can give me the URL of your topic in your next reply and I will expedite the matter.
===

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
==============

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: Tutorial
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM.
Let me know what problem persists.

#3 JohnMWoods

JohnMWoods
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Gender:Male
  • Location:San Diego, CA, USA
  • Local time:05:33 AM

Posted 13 December 2013 - 05:56 PM

Hello Nasdaq and thank you for your reply. I am sorry it has taken me this long to get back to you. And please be assured that I completely understand the one-machine-at-a-time policy. Here are the RogueKiller and AdwCleaner logs. Please note that I did not delete anything in AdwCleaner as I was unsure what to do. Perhaps you can assist.

 

RogueKiller V8.7.11 [Dec  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : ADMINSTRATOR [Admin rights]
Mode : Remove -- Date : 12/13/2013 14:38:42
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 2 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[13] : NtAlertResumeThread @ 0x83CDEDA3 -> HOOKED (Unknown @ 0x86BEE8E0)
[Address] SSDT[14] : NtAlertThread @ 0x83C31CC7 -> HOOKED (Unknown @ 0x86BEE978)
[Address] SSDT[19] : NtAllocateVirtualMemory @ 0x83C2ACBC -> HOOKED (Unknown @ 0x86AB36F0)
[Address] SSDT[22] : NtAlpcConnectPort @ 0x83C7659E -> HOOKED (Unknown @ 0x86B508F8)
[Address] SSDT[43] : NtAssignProcessToJobObject @ 0x83C000CC -> HOOKED (Unknown @ 0x86A3FDC8)
[Address] SSDT[74] : NtCreateMutant @ 0x83C1135A -> HOOKED (Unknown @ 0x86BEE708)
[Address] SSDT[86] : NtCreateSymbolicLinkObject @ 0x83C029D4 -> HOOKED (Unknown @ 0x86A3FBC0)
[Address] SSDT[87] : NtCreateThread @ 0x83CDCFDA -> HOOKED (Unknown @ 0x86A5AC48)
[Address] SSDT[88] : NtCreateThreadEx @ 0x83C714AB -> HOOKED (Unknown @ 0x86A3FC68)
[Address] SSDT[96] : NtDebugActiveProcess @ 0x83CAEEDA -> HOOKED (Unknown @ 0x86A48008)
[Address] SSDT[111] : NtDuplicateObject @ 0x83C32761 -> HOOKED (Unknown @ 0x869F31F0)
[Address] SSDT[131] : NtFreeVirtualMemory @ 0x83AB982C -> HOOKED (Unknown @ 0x86BEEEF0)
[Address] SSDT[145] : NtImpersonateAnonymousToken @ 0x83BF6970 -> HOOKED (Unknown @ 0x86BEE7B0)
[Address] SSDT[147] : NtImpersonateThread @ 0x83C7A992 -> HOOKED (Unknown @ 0x86BEE848)
[Address] SSDT[155] : NtLoadDriver @ 0x83BC6C40 -> HOOKED (Unknown @ 0x86B50880)
[Address] SSDT[168] : NtMapViewOfSection @ 0x83C475F1 -> HOOKED (Unknown @ 0x86BEEE38)
[Address] SSDT[177] : NtOpenEvent @ 0x83C10D56 -> HOOKED (Unknown @ 0x86BEE670)
[Address] SSDT[190] : NtOpenProcess @ 0x83C12BA1 -> HOOKED (Unknown @ 0x86A4D188)
[Address] SSDT[191] : NtOpenProcessToken @ 0x83C6537F -> HOOKED (Unknown @ 0x86AB3A20)
[Address] SSDT[194] : NtOpenSection @ 0x83C6A9FB -> HOOKED (Unknown @ 0x86BEE540)
[Address] SSDT[198] : NtOpenThread @ 0x83C5F102 -> HOOKED (Unknown @ 0x86A3CBD8)
[Address] SSDT[215] : NtProtectVirtualMemory @ 0x83C43651 -> HOOKED (Unknown @ 0x86A3FD20)
[Address] SSDT[304] : NtResumeThread @ 0x83C716D2 -> HOOKED (Unknown @ 0x86BEEA38)
[Address] SSDT[316] : NtSetContextThread @ 0x83CDE84F -> HOOKED (Unknown @ 0x86BEEC60)
[Address] SSDT[333] : NtSetInformationProcess @ 0x83C39875 -> HOOKED (Unknown @ 0x86BEECF8)
[Address] SSDT[350] : NtSetSystemInformation @ 0x83C4F37A -> HOOKED (Unknown @ 0x86A3FEE8)
[Address] SSDT[366] : NtSuspendProcess @ 0x83CDECDF -> HOOKED (Unknown @ 0x86BEE5D8)
[Address] SSDT[367] : NtSuspendThread @ 0x83C961CB -> HOOKED (Unknown @ 0x86BEEAD0)
[Address] SSDT[370] : NtTerminateProcess @ 0x83C5BD9A -> HOOKED (Unknown @ 0x86AB2008)
[Address] SSDT[371] : NtTerminateThread @ 0x83C796CB -> HOOKED (Unknown @ 0x86BEEBC8)
[Address] SSDT[385] : NtUnmapViewOfSection @ 0x83C659BA -> HOOKED (Unknown @ 0x86BEEDA0)
[Address] SSDT[399] : NtWriteVirtualMemory @ 0x83C60A97 -> HOOKED (Unknown @ 0x86BEEF80)
[Address] Shadow SSDT[318] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x87CABA88)
[Address] Shadow SSDT[402] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x87C839D8)
[Address] Shadow SSDT[434] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x87C8F9D8)
[Address] Shadow SSDT[436] : NtUserGetKeyState -> HOOKED (Unknown @ 0x87CAE9D8)
[Address] Shadow SSDT[448] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x87CE59D8)
[Address] Shadow SSDT[490] : NtUserMessageCall -> HOOKED (Unknown @ 0x87CA7BF8)
[Address] Shadow SSDT[508] : NtUserPostMessage -> HOOKED (Unknown @ 0x87C6CB50)
[Address] Shadow SSDT[509] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x87CA7C40)
[Address] Shadow SSDT[585] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x87CAD9D8)
[Address] Shadow SSDT[588] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x87CB0DA0)
[Address] IRP[IRP_MJ_CREATE] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED (Unknown @ 0x85A4E1F8)
[Address] IRP[IRP_MJ_CLOSE] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED (Unknown @ 0x85A4E1F8)
[Address] IRP[IRP_MJ_DEVICE_CONTROL] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED (Unknown @ 0x85A4E1F8)
[Address] IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED (Unknown @ 0x85A4E1F8)
[Address] IRP[IRP_MJ_POWER] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED (Unknown @ 0x85A4E1F8)
[Address] IRP[IRP_MJ_SYSTEM_CONTROL] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED (Unknown @ 0x85A4E1F8)
[Address] IRP[IRP_MJ_PNP] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED (Unknown @ 0x85A4E1F8)
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST380815AS ATA Device +++++
--- User ---
[MBR] 54450851cace6408af46ffe2c40e2628
[BSP] 979d62a1edf2708c3cf6c8c602335b03 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 356 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 731136 | Size: 65707 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 135299430 | Size: 10228 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_D_12132013_143842.txt >>
RKreport[0]_S_12132013_143556.txt
 
_______________________________________________________________________________
 
RogueKiller V8.7.11 [Dec  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : ADMINSTRATOR [Admin rights]
Mode : Scan -- Date : 12/13/2013 14:35:56
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 2 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[13] : NtAlertResumeThread @ 0x83CDEDA3 -> HOOKED (Unknown @ 0x86BEE8E0)
[Address] SSDT[14] : NtAlertThread @ 0x83C31CC7 -> HOOKED (Unknown @ 0x86BEE978)
[Address] SSDT[19] : NtAllocateVirtualMemory @ 0x83C2ACBC -> HOOKED (Unknown @ 0x86AB36F0)
[Address] SSDT[22] : NtAlpcConnectPort @ 0x83C7659E -> HOOKED (Unknown @ 0x86B508F8)
[Address] SSDT[43] : NtAssignProcessToJobObject @ 0x83C000CC -> HOOKED (Unknown @ 0x86A3FDC8)
[Address] SSDT[74] : NtCreateMutant @ 0x83C1135A -> HOOKED (Unknown @ 0x86BEE708)
[Address] SSDT[86] : NtCreateSymbolicLinkObject @ 0x83C029D4 -> HOOKED (Unknown @ 0x86A3FBC0)
[Address] SSDT[87] : NtCreateThread @ 0x83CDCFDA -> HOOKED (Unknown @ 0x86A5AC48)
[Address] SSDT[88] : NtCreateThreadEx @ 0x83C714AB -> HOOKED (Unknown @ 0x86A3FC68)
[Address] SSDT[96] : NtDebugActiveProcess @ 0x83CAEEDA -> HOOKED (Unknown @ 0x86A48008)
[Address] SSDT[111] : NtDuplicateObject @ 0x83C32761 -> HOOKED (Unknown @ 0x869F31F0)
[Address] SSDT[131] : NtFreeVirtualMemory @ 0x83AB982C -> HOOKED (Unknown @ 0x86BEEEF0)
[Address] SSDT[145] : NtImpersonateAnonymousToken @ 0x83BF6970 -> HOOKED (Unknown @ 0x86BEE7B0)
[Address] SSDT[147] : NtImpersonateThread @ 0x83C7A992 -> HOOKED (Unknown @ 0x86BEE848)
[Address] SSDT[155] : NtLoadDriver @ 0x83BC6C40 -> HOOKED (Unknown @ 0x86B50880)
[Address] SSDT[168] : NtMapViewOfSection @ 0x83C475F1 -> HOOKED (Unknown @ 0x86BEEE38)
[Address] SSDT[177] : NtOpenEvent @ 0x83C10D56 -> HOOKED (Unknown @ 0x86BEE670)
[Address] SSDT[190] : NtOpenProcess @ 0x83C12BA1 -> HOOKED (Unknown @ 0x86A4D188)
[Address] SSDT[191] : NtOpenProcessToken @ 0x83C6537F -> HOOKED (Unknown @ 0x86AB3A20)
[Address] SSDT[194] : NtOpenSection @ 0x83C6A9FB -> HOOKED (Unknown @ 0x86BEE540)
[Address] SSDT[198] : NtOpenThread @ 0x83C5F102 -> HOOKED (Unknown @ 0x86A3CBD8)
[Address] SSDT[215] : NtProtectVirtualMemory @ 0x83C43651 -> HOOKED (Unknown @ 0x86A3FD20)
[Address] SSDT[304] : NtResumeThread @ 0x83C716D2 -> HOOKED (Unknown @ 0x86BEEA38)
[Address] SSDT[316] : NtSetContextThread @ 0x83CDE84F -> HOOKED (Unknown @ 0x86BEEC60)
[Address] SSDT[333] : NtSetInformationProcess @ 0x83C39875 -> HOOKED (Unknown @ 0x86BEECF8)
[Address] SSDT[350] : NtSetSystemInformation @ 0x83C4F37A -> HOOKED (Unknown @ 0x86A3FEE8)
[Address] SSDT[366] : NtSuspendProcess @ 0x83CDECDF -> HOOKED (Unknown @ 0x86BEE5D8)
[Address] SSDT[367] : NtSuspendThread @ 0x83C961CB -> HOOKED (Unknown @ 0x86BEEAD0)
[Address] SSDT[370] : NtTerminateProcess @ 0x83C5BD9A -> HOOKED (Unknown @ 0x86AB2008)
[Address] SSDT[371] : NtTerminateThread @ 0x83C796CB -> HOOKED (Unknown @ 0x86BEEBC8)
[Address] SSDT[385] : NtUnmapViewOfSection @ 0x83C659BA -> HOOKED (Unknown @ 0x86BEEDA0)
[Address] SSDT[399] : NtWriteVirtualMemory @ 0x83C60A97 -> HOOKED (Unknown @ 0x86BEEF80)
[Address] Shadow SSDT[318] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x87CABA88)
[Address] Shadow SSDT[402] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x87C839D8)
[Address] Shadow SSDT[434] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x87C8F9D8)
[Address] Shadow SSDT[436] : NtUserGetKeyState -> HOOKED (Unknown @ 0x87CAE9D8)
[Address] Shadow SSDT[448] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x87CE59D8)
[Address] Shadow SSDT[490] : NtUserMessageCall -> HOOKED (Unknown @ 0x87CA7BF8)
[Address] Shadow SSDT[508] : NtUserPostMessage -> HOOKED (Unknown @ 0x87C6CB50)
[Address] Shadow SSDT[509] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x87CA7C40)
[Address] Shadow SSDT[585] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x87CAD9D8)
[Address] Shadow SSDT[588] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x87CB0DA0)
[Address] IRP[IRP_MJ_CREATE] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED (Unknown @ 0x85A4E1F8)
[Address] IRP[IRP_MJ_CLOSE] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED (Unknown @ 0x85A4E1F8)
[Address] IRP[IRP_MJ_DEVICE_CONTROL] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED (Unknown @ 0x85A4E1F8)
[Address] IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED (Unknown @ 0x85A4E1F8)
[Address] IRP[IRP_MJ_POWER] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED (Unknown @ 0x85A4E1F8)
[Address] IRP[IRP_MJ_SYSTEM_CONTROL] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED (Unknown @ 0x85A4E1F8)
[Address] IRP[IRP_MJ_PNP] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED (Unknown @ 0x85A4E1F8)
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST380815AS ATA Device +++++
--- User ---
[MBR] 54450851cace6408af46ffe2c40e2628
[BSP] 979d62a1edf2708c3cf6c8c602335b03 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 356 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 731136 | Size: 65707 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 135299430 | Size: 10228 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_S_12132013_143556.txt >>
 
 
 
_________________________________________________________________________
 
# AdwCleaner v3.015 - Report created 13/12/2013 at 14:40:42
# Updated 10/12/2013 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (32 bits)
# Username : ADMINSTRATOR - JOHNDELL
# Running from : C:\Users\ADMINSTRATOR\Downloads\adwcleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Found C:\Users\ADMINSTRATOR\AppData\Roaming\0D0S1L2Z1P1B0T1P1B2Z
Folder Found C:\Users\ADMINSTRATOR\AppData\Roaming\digitalsite
Folder Found C:\Users\ADMINSTRATOR\AppData\Roaming\Uniblue\DriverScanner
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\Software\dsiteproducts
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.16750
 
 
-\\ Google Chrome v31.0.1650.63
 
[ File : C:\Users\ADMINSTRATOR\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
[ File : C:\Users\JOHN1\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [1878 octets] - [08/12/2013 13:21:54]
AdwCleaner[R1].txt - [900 octets] - [08/12/2013 13:51:48]
AdwCleaner[R2].txt - [955 octets] - [09/12/2013 13:46:57]
AdwCleaner[R3].txt - [1083 octets] - [09/12/2013 22:19:17]
AdwCleaner[R4].txt - [1143 octets] - [10/12/2013 04:15:00]
AdwCleaner[R5].txt - [1203 octets] - [10/12/2013 04:30:36]
AdwCleaner[R6].txt - [1268 octets] - [11/12/2013 13:59:38]
AdwCleaner[R7].txt - [1404 octets] - [13/12/2013 14:40:42]
AdwCleaner[S0].txt - [1965 octets] - [08/12/2013 13:33:10]
AdwCleaner[S1].txt - [1015 octets] - [09/12/2013 13:49:17]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R7].txt - [1584 octets] ##########
 


#4 JohnMWoods

JohnMWoods
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Gender:Male
  • Location:San Diego, CA, USA
  • Local time:05:33 AM

Posted 13 December 2013 - 07:41 PM

Hello and Thank You again Nasdaq,

 

Here are the JRT and ComboFix logs. I am sorry, but I inadvertently ran JRT a second time and feared cancelling the scan once it had already begun would cause further harm. As a result, the log from the second scan overwrote the original. I do apologize and I hope this doesn't render for naught the work done thus far.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 7 Professional x86
Ran by ADMINSTRATOR on Fri 12/13/2013 at 16:00:38.40
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 12/13/2013 at 16:08:37.00
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
ComboFix 13-12-13.01 - ADMINSTRATOR 12/13/2013  16:19:10.8.2 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2038.1278 [GMT -8:00]
Running from: c:\users\ADMINSTRATOR\Desktop\ComboFix.exe
AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-11-14 to 2013-12-14  )))))))))))))))))))))))))))))))
.
.
2013-12-14 00:29 . 2013-12-14 00:29 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-12-14 00:29 . 2013-12-14 00:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-12-13 07:45 . 2013-05-10 04:56 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2013-12-13 07:45 . 2013-05-10 03:48 164864 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2013-12-13 07:24 . 2013-12-13 07:25 -------- d-----w- c:\users\JOHN1
2013-12-12 15:51 . 2013-12-12 15:51 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-3\markup.dll
2013-12-11 22:05 . 2013-10-30 02:19 301568 ----a-w- c:\windows\system32\msieftp.dll
2013-12-11 22:05 . 2013-10-19 01:36 159232 ----a-w- c:\windows\system32\imagehlp.dll
2013-12-11 22:05 . 2013-10-12 02:04 121856 ----a-w- c:\windows\system32\wshom.ocx
2013-12-11 22:05 . 2013-10-12 02:03 163840 ----a-w- c:\windows\system32\scrrun.dll
2013-12-11 22:05 . 2013-10-12 01:15 141824 ----a-w- c:\windows\system32\wscript.exe
2013-12-11 22:05 . 2013-10-12 01:15 126976 ----a-w- c:\windows\system32\cscript.exe
2013-12-11 22:05 . 2013-11-23 18:26 417792 ----a-w- c:\windows\system32\WMPhoto.dll
2013-12-11 22:05 . 2013-11-12 02:07 2048 ----a-w- c:\windows\system32\tzres.dll
2013-12-11 22:04 . 2013-10-30 01:27 2349056 ----a-w- c:\windows\system32\win32k.sys
2013-12-11 22:04 . 2013-10-04 01:49 81408 ----a-w- c:\windows\system32\drivers\drmk.sys
2013-12-11 22:04 . 2013-10-04 01:17 177152 ----a-w- c:\windows\system32\drivers\portcls.sys
2013-12-10 14:31 . 2013-12-10 14:31 104664 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-12-10 14:30 . 2013-12-10 14:30 74456 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-12-10 06:40 . 2013-12-10 14:50 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-12-09 23:14 . 2013-12-10 02:22 -------- d-----w- c:\programdata\HitmanPro
2013-12-08 21:20 . 2013-12-13 22:41 -------- d-----w- C:\AdwCleaner
2013-12-08 06:17 . 2013-12-08 06:17 -------- d-----w- c:\windows\system32\N360_BACKUP
2013-12-08 04:57 . 2013-12-08 04:57 -------- d-----w- c:\programdata\Symantec
2013-12-08 04:56 . 2013-12-12 22:31 -------- dc----w- c:\windows\system32\DRVSTORE
2013-12-08 04:56 . 2013-12-13 06:52 -------- d-----w- c:\program files\Common Files\Symantec Shared
2013-12-08 04:56 . 2013-12-12 22:29 142936 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2013-12-08 04:56 . 2013-12-08 05:35 -------- d-----w- c:\program files\Symantec
2013-12-08 04:55 . 2013-12-12 22:33 -------- d-----w- c:\windows\system32\drivers\N360
2013-12-08 04:55 . 2013-12-12 22:28 -------- d-----w- c:\program files\Norton 360
2013-12-08 04:55 . 2013-12-08 04:55 -------- d-----w- c:\program files\Windows Sidebar
2013-12-08 04:54 . 2013-12-12 22:27 -------- d-----w- c:\program files\NortonInstaller
2013-12-06 05:45 . 2013-11-08 01:15 7772552 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EA34556E-AFB3-4064-903F-CB6ED4F3657C}\mpengine.dll
2013-12-05 10:59 . 2013-12-10 02:22 -------- d-----w- c:\windows\ERUNT
2013-12-05 08:50 . 2013-12-05 08:50 -------- d-----w- C:\Microsoft
2013-12-05 07:44 . 2013-12-08 21:33 -------- d-----w- c:\programdata\Uniblue
2013-12-05 07:43 . 2013-12-08 21:33 -------- d-----w- c:\program files\Uniblue
2013-12-03 21:53 . 2013-12-03 21:53 -------- d-----w- c:\programdata\msat
2013-12-03 21:53 . 2013-12-03 21:53 -------- d-----w- c:\program files\Microsoft Corporation
2013-12-03 18:47 . 2013-12-03 18:47 -------- d-----w- c:\program files\Microsoft Games
2013-12-03 18:45 . 2013-12-10 02:22 -------- d-----w- c:\program files\My Dell
2013-12-03 18:20 . 2013-12-03 18:20 -------- d-----w- c:\programdata\Passmark
2013-12-03 05:40 . 2013-12-03 05:40 -------- d-----w- C:\712abfcbc31a53c00592
2013-11-27 09:09 . 2013-11-27 09:09 -------- d-----w- c:\windows\Migration
2013-11-20 15:08 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\system32\DWrite.dll
2013-11-17 23:13 . 2013-11-17 23:13 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2013-11-17 13:16 . 2007-03-05 20:42 15128 ----a-w- c:\windows\system32\x3daudio1_1.dll
2013-11-17 13:15 . 2013-11-17 13:19 -------- d--h--w- c:\windows\msdownld.tmp
2013-11-16 16:53 . 2010-11-20 12:17 2171392 ----a-w- c:\windows\system32\VPCWizard.exe
2013-11-16 16:53 . 2010-11-20 10:50 48128 ----a-w- c:\windows\system32\drivers\vpcnfltr.sys
2013-11-16 16:53 . 2010-11-20 12:30 296064 ----a-w- c:\windows\system32\drivers\vpcvmm.sys
2013-11-16 16:53 . 2010-11-20 12:30 172416 ----a-w- c:\windows\system32\drivers\vpchbus.sys
2013-11-16 16:53 . 2010-11-20 12:21 14848 ----a-w- c:\windows\system32\vpchbuspipe.dll
2013-11-16 16:53 . 2010-11-20 10:50 78336 ----a-w- c:\windows\system32\drivers\vpcusb.sys
2013-11-16 16:53 . 2010-11-20 12:17 1260032 ----a-w- c:\windows\system32\VPCSettings.exe
2013-11-16 16:53 . 2010-11-20 10:50 559616 ----a-w- c:\windows\system32\VMCPropertyHandler.dll
2013-11-16 16:52 . 2010-11-20 12:17 3330560 ----a-w- c:\windows\system32\vpc.exe
2013-11-16 16:52 . 2010-11-20 10:52 1003008 ----a-w- c:\windows\system32\VMWindow.exe
2013-11-16 16:52 . 2010-11-20 10:52 793600 ----a-w- c:\windows\system32\vmsal.exe
2013-11-16 15:04 . 2013-11-16 15:04 -------- d-----w- c:\program files\Foxit Software
2013-11-16 12:48 . 2013-12-10 02:23 -------- d-----w- c:\users\ADMINSTRATOR
2013-11-16 11:40 . 2013-04-17 07:02 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2013-11-16 11:18 . 2013-10-01 23:45 32256 ----a-w- c:\windows\system32\TsUsbGDCoInstaller.dll
2013-11-16 11:18 . 2013-10-02 00:42 49152 ----a-w- c:\windows\system32\drivers\TsUsbFlt.sys
2013-11-16 11:18 . 2013-10-02 00:32 12800 ----a-w- c:\windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2013-11-16 11:18 . 2013-10-02 00:30 14336 ----a-w- c:\windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2013-11-16 11:18 . 2013-10-02 00:14 50176 ----a-w- c:\windows\system32\MsRdpWebAccess.dll
2013-11-16 11:18 . 2013-10-02 00:14 17920 ----a-w- c:\windows\system32\wksprtPS.dll
2013-11-16 11:18 . 2013-10-01 23:58 53248 ----a-w- c:\windows\system32\tsgqec.dll
2013-11-16 11:18 . 2013-10-01 23:08 855552 ----a-w- c:\windows\system32\rdvidcrl.dll
2013-11-16 11:18 . 2013-10-01 23:00 76288 ----a-w- c:\windows\system32\TSWbPrxy.exe
2013-11-16 11:18 . 2013-10-01 22:53 350208 ----a-w- c:\windows\system32\wksprt.exe
2013-11-16 11:18 . 2013-10-01 22:34 1068544 ----a-w- c:\windows\system32\mstsc.exe
2013-11-16 11:18 . 2013-10-01 20:55 5698048 ----a-w- c:\windows\system32\mstscax.dll
2013-11-16 11:17 . 2012-08-23 14:44 14848 ----a-w- c:\windows\system32\drivers\rdpvideominiport.sys
2013-11-16 11:17 . 2012-08-23 13:52 12800 ----a-w- c:\windows\system32\RdpGroupPolicyExtension.dll
2013-11-16 11:17 . 2012-08-23 14:41 27136 ----a-w- c:\windows\system32\drivers\TsUsbGD.sys
2013-11-16 11:17 . 2012-08-23 14:48 221184 ----a-w- c:\windows\system32\rdpudd.dll
2013-11-16 11:17 . 2012-08-23 11:12 192000 ----a-w- c:\windows\system32\rdpendp_winip.dll
2013-11-16 11:17 . 2012-08-23 10:08 2739712 ----a-w- c:\windows\system32\rdpcorets.dll
2013-11-16 11:14 . 2013-01-13 19:53 187392 ----a-w- c:\windows\system32\UIAnimation.dll
2013-11-16 04:04 . 2013-11-16 04:04 -------- d-----w- c:\program files\Intel
2013-11-16 04:04 . 2013-08-05 19:50 53248 ----a-w- c:\windows\system32\CSVer.dll
2013-11-16 01:09 . 2013-11-16 01:44 -------- d-sh--w- C:\System Recovery
2013-11-16 01:09 . 2013-12-03 07:45 -------- d-----w- c:\users\Default\AppData\Local\SoftThinks
2013-11-16 00:51 . 2013-12-05 07:24 -------- d-----w- c:\program files\Dell DataSafe Local Backup
2013-11-15 21:55 . 2013-11-15 21:55 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2013-11-15 20:16 . 2013-11-15 20:16 -------- d-----w- c:\program files\Microsoft Silverlight
2013-11-15 18:01 . 2013-12-07 19:08 -------- d-----w- c:\programdata\PCDr
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-13 21:05 . 2013-11-09 09:27 4194304 ----a-w- c:\windows\ServiceProfiles\NetworkService\msmqlog.bin
2013-12-12 15:50 . 2012-08-31 04:57 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2013-12-12 14:50 . 2012-08-27 00:57 736952 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2013-12-12 14:50 . 2012-08-31 04:58 2523136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2013-12-12 14:49 . 2012-08-27 00:53 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2013-12-12 14:49 . 2012-08-27 00:53 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2013-12-10 23:01 . 2012-04-30 20:03 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-10 23:01 . 2012-04-30 20:03 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-11-21 02:35 . 2012-08-30 14:03 736952 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2013-11-21 02:34 . 2012-08-27 00:56 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2013-11-11 13:50 . 2012-04-30 17:27 230048 ------w- c:\windows\system32\MpSigStub.exe
2013-11-11 10:01 . 2013-11-11 10:01 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-11-09 19:46 . 2013-11-08 05:43 269216 ----a-w- c:\windows\system32\aswBoot.exe
2013-11-08 11:53 . 2013-11-08 11:53 1060864 ----a-w- c:\windows\system32\mfc71.dll
2013-11-08 11:53 . 2013-11-08 11:53 348160 ----a-w- c:\windows\system32\msvcr71.dll
2013-11-08 11:53 . 2013-11-08 11:53 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2013-11-08 05:44 . 2013-11-08 05:44 403440 ----a-w- c:\windows\system32\drivers\buidilov.sys
2013-11-08 05:39 . 2013-11-08 05:39 403440 ----a-w- c:\windows\system32\drivers\rftblwiw.sys
2013-11-07 16:42 . 2013-11-07 16:42 719224 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F90A2074-E1B2-4ABC-B4DB-ACA9C5506911}\gapaengine.dll
2013-10-14 07:39 . 2013-11-08 20:23 7796464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F40978A3-149B-4E3C-B95C-7D8EB9FDE45B}\mpengine.dll
2013-10-14 07:39 . 2013-11-07 19:09 7796464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-10-12 02:03 . 2013-11-13 07:27 656896 ----a-w- c:\windows\system32\nshwfp.dll
2013-10-12 02:01 . 2013-11-13 07:27 679424 ----a-w- c:\windows\system32\IKEEXT.DLL
2013-10-12 02:01 . 2013-11-13 07:27 216576 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2013-10-05 19:57 . 2013-11-13 07:27 1168384 ----a-w- c:\windows\system32\crypt32.dll
2013-10-04 01:58 . 2013-11-13 07:27 152576 ----a-w- c:\windows\system32\SmartcardCredentialProvider.dll
2013-10-04 01:56 . 2013-11-13 07:27 168960 ----a-w- c:\windows\system32\credui.dll
2013-10-04 01:56 . 2013-11-13 07:27 1796096 ----a-w- c:\windows\system32\authui.dll
2013-10-03 01:58 . 2013-11-13 07:27 305152 ----a-w- c:\windows\system32\gdi32.dll
2013-10-02 02:46 . 2013-11-16 11:18 3072 ----a-w- c:\windows\system32\drivers\en-US\tsusbflt.sys.mui
2013-09-25 02:01 . 2013-11-13 07:27 136640 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2013-09-25 02:01 . 2013-11-13 07:27 67520 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2013-09-25 01:57 . 2013-11-13 07:27 99840 ----a-w- c:\windows\system32\sspicli.dll
2013-09-25 01:57 . 2013-11-13 07:27 22016 ----a-w- c:\windows\system32\secur32.dll
2013-09-25 01:57 . 2013-11-13 07:27 247808 ----a-w- c:\windows\system32\schannel.dll
2013-09-25 01:56 . 2013-11-13 07:27 220160 ----a-w- c:\windows\system32\ncrypt.dll
2013-09-25 01:56 . 2013-11-13 07:27 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2013-09-25 00:49 . 2013-11-13 07:27 22016 ----a-w- c:\windows\system32\lsass.exe
2013-09-25 00:49 . 2013-11-13 07:27 15872 ----a-w- c:\windows\system32\sspisrv.dll
2013-09-20 18:49 . 2013-11-08 17:43 18968 ----a-w- c:\windows\system32\sdnclean.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   a\0u\0t\0o\0c\0h\0e\0c\0k\0 \0a\0u\0t\0o\0c\0h\0k\0 \0*
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NETGEAR WNA1100 Genie.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WNA1100 Genie.lnk
backup=c:\windows\pss\NETGEAR WNA1100 Genie.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSystemDetect]
c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dell\Dell System Detect.appref-ms [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-09-24 02:30 173592 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-09-24 02:30 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-09-24 02:30 150552 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-07-02 17:16 254336 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R0 PRSBDRVR;Nemesis Link;c:\windows\\SystemRoot\system32\drivers\PRSBDRVR.SYS [x]
R3 cleanhlp;cleanhlp;c:\program files\EMSISOFT ANTI-MALWARE\cleanhlp32.sys [x]
R3 DIRECTIO;DIRECTIO;c:\program files\PerformanceTest\DirectIo32.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 jswpsapi;JumpStart Wi-Fi Protected Setup;c:\program files\NETGEAR\WNA1100\jswpsapi.exe [2010-03-23 960992]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [x]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [x]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [x]
R3 netr28u;TP-LINK Wireless USB Adapter;c:\windows\system32\DRIVERS\netr28u.sys [x]
R3 NisSrv;NisSrv;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-07-13 347136]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2013-10-02 49152]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 27136]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-30 1343400]
R3 WMSVC;Web Management Service;c:\windows\system32\inetsrv\wmsvc.exe [2009-07-14 9728]
S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys [2011-07-22 21472]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2013-11-15 691696]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\1501000.012\SYMDS.SYS [2013-09-10 367704]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\1501000.012\SYMEFA.SYS [2013-09-27 935512]
S1 BHDrvx86;BHDrvx86;c:\program files\Norton 360\NortonData\21.1.0.18\Definitions\BASHDefs\20131203.001\BHDrvx86.sys [2013-12-03 1098968]
S1 ccSet_N360;N360 Settings Manager;c:\windows\system32\drivers\N360\1501000.012\ccSetx86.sys [2013-09-26 127064]
S1 IDSVix86;IDSVix86;c:\program files\Norton 360\NortonData\21.1.0.18\Definitions\IPSDefs\20131212.001\IDSvix86.sys [2013-12-13 394456]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-05-15 20384]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\1501000.012\Ironx86.SYS [2013-09-27 206936]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360\1501000.012\SYMNETS.SYS [2013-09-26 446552]
S2 ftpsvc;Microsoft FTP Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 iprip;RIP Listener;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\21.1.0.18\N360.exe [2013-10-08 264360]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-06-19 107392]
S2 WSWNA1100;WSWNA1100;c:\program files\NETGEAR\WNA1100\WifiSvc.exe [2011-07-29 297440]
S3 athur;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\DRIVERS\athur.sys [2010-10-11 1564160]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ   w3svc was
apphost REG_MULTI_SZ   apphostsvc
ftpsvc REG_MULTI_SZ   ftpsvc
ipripsvc REG_MULTI_SZ   iprip
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-12-10 02:35 1210320 ----a-w- c:\program files\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-30 23:01]
.
2013-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-12-10 02:33]
.
2013-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-12-10 02:33]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
Trusted Zone: dell.com
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Revo Uninstaller - c:\users\User\Desktop\Revo Uninstaller\uninst.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet005\services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\21.1.0.18\N360.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\21.1.0.18\diMaster.dll\" /prefetch:1"
"ImagePath"="\SystemRoot\System32\Drivers\N360\1501000.012\SYMNETS.SYS"
"TrustedImagePaths"="c:\program files\Norton 360\Engine\21.1.0.18"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet005\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-12-13  16:31:58
ComboFix-quarantined-files.txt  2013-12-14 00:31
ComboFix2.txt  2013-12-13 01:11
.
Pre-Run: 46,864,396,288 bytes free
Post-Run: 47,382,368,256 bytes free
.
- - End Of File - - B03251DA9A182483EC52B4AC2ADBD01C
A36C5E4F47E84449FF07ED3517B43A31
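The service and driver block under "Reg Loading Points" above (the `R0 ... [x]` lines) is the part of a ComboFix log worth reading by hand, and a scripted first pass saves time when two machines are involved. The Python below is an added example for this thread, not ComboFix's own code and not something the helpers here posted. The sample lines are copied from the log above. Two assumptions, taken from how the log reads rather than from ComboFix documentation: each line is `<R|S><start type> name;display name;image path [x | date size]`, and `[x]` marks an image file ComboFix did not find on disk. The checks themselves (a boot- or system-start driver whose file is missing, a stale service entry, and a path with a doubled separator or a SystemRoot token glued after a drive letter, as on the PRSBDRVR line) are this example's own.

```python
import re
from dataclasses import dataclass

# Sample lines copied from the ComboFix "Reg Loading Points" section posted above.
SAMPLE_LOG = r"""
R0 PRSBDRVR;Nemesis Link;c:\windows\\SystemRoot\system32\drivers\PRSBDRVR.SYS [x]
R3 cleanhlp;cleanhlp;c:\program files\EMSISOFT ANTI-MALWARE\cleanhlp32.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2013-11-15 691696]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-05-15 20384]
S2 ftpsvc;Microsoft FTP Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
"""

# Assumed line layout (read off the posted log, not taken from ComboFix documentation):
#   <R|S><start> <name>;<display name>;<image path> [x | <yyyy-mm-dd> <size>]
# R = running, S = stopped; start 0 = boot, 1 = system, 2 = auto, 3 = demand, 4 = disabled;
# "[x]" is read here as "image file not found on disk".
ENTRY_RE = re.compile(
    r"^([RS])([0-4]) ([^;]+);([^;]*);(.+?) \[(x|\d{4}-\d{2}-\d{2} \d+)\]\s*$"
)
DRIVE_RE = re.compile(r"^[A-Za-z]:")


@dataclass
class ServiceEntry:
    running: bool
    start: int
    name: str
    display: str
    path: str
    file_on_disk: bool


def parse_entries(text: str) -> list[ServiceEntry]:
    """Parse every well-formed service/driver line; anything else is ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, path, info = m.groups()
        entries.append(ServiceEntry(state == "R", int(start), name, display, path, info != "x"))
    return entries


def malformed_path(path: str) -> bool:
    """A doubled separator after the drive letter, or a SystemRoot token glued onto
    an absolute path, is not how a normal installer writes an ImagePath."""
    body = path[2:] if DRIVE_RE.match(path) else path
    doubled = "\\\\" in body
    systemroot_after_drive = DRIVE_RE.match(path) is not None and "systemroot" in body.lower()
    return doubled or systemroot_after_drive


def triage(text: str) -> list[tuple[str, str]]:
    """Return (service name, finding) pairs, earliest-loading entries first."""
    findings = []
    for e in sorted(parse_entries(text), key=lambda e: e.start):
        if not e.file_on_disk and e.start <= 1:
            findings.append((e.name, "boot/system-start driver with no image file on disk"))
        elif not e.file_on_disk:
            findings.append((e.name, "service with no image file on disk (stale entry or removed tool)"))
        if malformed_path(e.path):
            findings.append((e.name, "malformed image path: " + e.path))
    return findings


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOG):
        print(f"{name:12} {finding}")
```

Sorting by start type is what separates noise from signal: a demand-start entry with a missing file (cleanhlp32.sys belongs to the Emsisoft Anti-Malware path shown in the log) is the usual leftover of an uninstalled tool, while a boot-start entry with a missing file and a malformed path, like PRSBDRVR here, is the one to look at first.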
 


#5 JohnMWoods (Topic Starter)

Posted 14 December 2013 - 10:47 AM

Good morning Nasdaq,

As you can see from the logs, I did my best. However, I am still getting pop-up ads in the style of Scorpion Saver and I have had 5 Blue Screens in succession while trying to play a game on Facebook. Also, this is my third attempt at trying to send this reply as Google Chrome has taken to crashing. I also ran AVG twice and was rewarded with 3 and then 48 infections. I couldn't remove a single one, though. The "data is invalid" was the message. Please help!



#6 nasdaq (Malware Response Team)

Posted 14 December 2013 - 10:53 AM

Looking good.

Run AdwCleaner and remove these
Folder Found C:\Users\ADMINSTRATOR\AppData\Roaming\0D0S1L2Z1P1B0T1P1B2Z
Folder Found C:\Users\ADMINSTRATOR\AppData\Roaming\digitalsite


===

One last scan.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please let me know what problem persists.

#7 JohnMWoods (Topic Starter)

Posted 14 December 2013 - 03:27 PM

Thank you Nasdaq. So everything looks good to you? I am still getting the blue screen. Hmmm ... Below is the Security Check log.

 Results of screen317's Security Check version 0.99.77  
 Windows 7 Service Pack 1 x86 (UAC is enabled)  
 Internet Explorer 10 Out of date! 
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
AVG Internet Security 2014   
Norton 360                   
 Antivirus out of date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Malwarebytes Anti-Malware version 1.75.0.1300  
 CCleaner     
 JavaFX 2.1.1    
 Java 7 Update 45  
 Adobe Flash Player 11.9.900.170  
 Google Chrome 31.0.1650.63  
````````Process Check: objlist.exe by Laurent````````  
 AVG avgwdsvc.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 4% 
````````````````````End of Log`````````````````````` 


#8 JohnMWoods (Topic Starter)

Posted 14 December 2013 - 03:36 PM

My browser just crashed again.



#9 nasdaq (Malware Response Team)

Posted 15 December 2013 - 08:23 AM

Please download the free home edition of WhoCrashed to your Desktop from here and install it by double-clicking "whocrashedSetup.exe".
At the end, it will open automatically. Click the "Analyze" button.

Please scroll down the Information window to copy and paste the results in your next reply.



#10 JohnMWoods (Topic Starter)

Posted 15 December 2013 - 09:11 AM

Good morning again Nasdaq, 

Here is the requested report.

System Information (local)

computer name: JOHNDELL
windows version: Windows 7 Service Pack 1, 6.1, build: 7601
windows dir: C:\Windows
Hardware: OptiPlex 745 , Dell Inc. , Dell Inc. , 0GX297
CPU: GenuineIntel Intel® Pentium® D CPU 2.80GHz Intel586, level: 15
2 logical processors, active mask: 3
RAM: 2136592384 total
VM: 2147352576, free: 1955885056

Crash Dump Analysis

Crash dump directory: C:\Windows\Minidump

Crash dumps are enabled on your computer.

On Sun 12/15/2013 1:29:46 PM GMT your computer crashed
crash dump file: C:\Windows\memory.dmp
This was probably caused by the following module: ntkrpamp.exe (nt!Kei386EoiHelper+0x17D4)
Bugcheck code: 0x7F (0x8, 0xFFFFFFFF807CB750, 0x0, 0x0)
Error: UNEXPECTED_KERNEL_MODE_TRAP
Bug check description: This bug check indicates that the Intel CPU generated a trap and the kernel failed to catch this trap.
A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: ntkrpamp.exe .
Google query: ntkrpamp.exe UNEXPECTED_KERNEL_MODE_TRAP



On Sun 12/15/2013 12:56:10 PM GMT your computer crashed
crash dump file: C:\Windows\Minidump\121513-26629-01.dmp
This was probably caused by the following module: hal.sys (hal+0xEFCD)
Bugcheck code: 0x124 (0x0, 0xFFFFFFFF86A12024, 0xFFFFFFFFB2000000, 0x1040080F)
Error: WHEA_UNCORRECTABLE_ERROR
Bug check description: This bug check indicates that a fatal hardware error has occurred. This bug check uses the error data that is provided by the Windows Hardware Error Architecture (WHEA).
This is likely to be caused by a hardware problem problem. This problem might be caused by a thermal issue.
A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: hal.sys .
Google query: hal.sys WHEA_UNCORRECTABLE_ERROR

Conclusion

2 crash dumps have been found and analyzed. 2 third party drivers have been identified to be causing system crashes on your computer. It is strongly suggested that you check for updates for these drivers on their company websites. Click on the links below to search with Google for updates for these drivers:

hal.sys
ntkrpamp.exe

If no updates for these drivers are available, try searching with Google on the names of these drivers in combination the errors that have been reported for these drivers and include the brand and model name of your computer as well in the query. This often yields interesting results from discussions from users who have been experiencing similar problems.


Read the topic general suggestions for troubleshooting system crashes for more information.

Note that it's not always possible to state with certainty whether a reported driver is actually responsible for crashing your system or that the root cause is in another module. Nonetheless it's suggested you look for updates for the products that these drivers belong to and regularly visit Windows update or enable automatic updates for Windows. In case a piece of malfunctioning hardware is causing trouble, a search with Google on the bug check errors together with the model name and brand of your computer may help you investigate this further.

#11 nasdaq (Malware Response Team)

Posted 15 December 2013 - 10:38 AM

Run this SFC.exe tool. You may get lucky.

How to use the System File Checker tool to troubleshoot missing or corrupted system files on Windows Vista or on Windows 7
http://support.microsoft.com/kb/929833
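The SFC run asked for here records its findings in CBS.log, and the article linked above has you filter that file for its [SR] lines. Pasted from a console, those lines wrap at 80 columns, as in the excerpt posted further down this thread, so the first job is to re-join them before anything can be read off. The Python below is an added example for this thread, not part of the posts and not Microsoft's tooling: it un-wraps such a capture and reduces it to what matters, which files SFC could not repair, why, and which package references them. The sample text is constructed to match the format of the posted excerpt; the record layout (timestamp, level, component, hex sequence number, message) and the three message shapes it matches are assumptions read off that excerpt.

```python
import re

# Constructed sample modelled on the CBS.log excerpt posted in this thread: findstr
# output copied from an 80-column console, so long records are wrapped onto
# continuation lines that carry no timestamp.
SAMPLE_CBS = r"""
2013-12-15 15:08:50, Info                  CSI    00000161 [SR] Beginning Verify
 and Repair transaction
2013-12-15 15:08:55, Info                  CSI    00000163 [SR] Cannot repair me
mber file [l:24{12}]"spwizimg.dll" of Microsoft-Windows-Setup-Navigation-Wizard-
Framework, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Cult
ure neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35},
 Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2013-12-15 15:09:01, Info                  CSI    00000166 [SR] Cannot repair me
mber file [l:24{12}]"spwizimg.dll" of Microsoft-Windows-Setup-Navigation-Wizard-
Framework, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Cult
ure neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35},
 Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2013-12-15 15:09:01, Info                  CSI    00000167 [SR] This component w
as referenced by [l:198{99}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e
35~x86~~6.1.7601.17514.WindowsFoundationDelivery"
2013-12-15 15:09:02, Info                  CSI    0000016a [SR] Could not reproj
ect corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"sp
wizimg.dll"; source file in store is also corrupted
2013-12-15 15:09:03, Info                  CSI    0000016c [SR] Verify complete
"""

# Assumed record layout: <timestamp>, <level> <component> <hex sequence> <message>
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}, ")
RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\w+)\s+(?P<comp>\w+)\s+"
    r"(?P<seq>[0-9a-f]+) (?P<msg>.*)$"
)
# The three [SR] message shapes that carry the verdict, as they appear in the excerpt.
CANNOT_REPAIR_RE = re.compile(
    r'\[SR\] Cannot repair member file \[[^\]]*\]"(?P<file>[^"]+)" of (?P<component>[^,]+), '
    r'Version = (?P<version>[^,]+),.*, (?P<reason>[^,]+)$'
)
REFERENCED_RE = re.compile(r'\[SR\] This component was referenced by \[[^\]]*\]"(?P<package>[^"]+)"')
REPROJECT_RE = re.compile(
    r'\[SR\] Could not reproject corrupted file \[[^\]]*\]"(?P<dir>[^"]+)"\\\[[^\]]*\]'
    r'"(?P<file>[^"]+)"; (?P<reason>.*)$'
)


def unwrap(text: str) -> list[str]:
    """Re-join console-wrapped records: a line without a timestamp is the tail of
    the previous record, split mid-word, so it is appended with no separator."""
    records: list[str] = []
    for line in text.splitlines():
        if TS_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += line
    return records


def summarize(text: str) -> dict:
    """Condense an SFC run: files SFC could not repair (deduplicated, with reason and
    owning package), files it could not copy back from the store, verify passes."""
    unrepairable: dict = {}        # (file, component, version) -> finding
    unreprojectable: list = []
    verify_passes = 0
    current = None                 # finding that a following "referenced by" record belongs to
    for rec in unwrap(text):
        m = RECORD_RE.match(rec)
        if not m:
            continue
        msg = m["msg"].strip()
        if msg == "[SR] Verify complete":
            verify_passes += 1
        elif (cr := CANNOT_REPAIR_RE.match(msg)):
            key = (cr["file"], cr["component"], cr["version"])
            current = unrepairable.setdefault(key, {
                "file": cr["file"], "component": cr["component"], "version": cr["version"],
                "reason": cr["reason"], "referenced_by": None})
        elif (rb := REFERENCED_RE.match(msg)) and current is not None:
            current["referenced_by"] = rb["package"]
        elif (rp := REPROJECT_RE.match(msg)):
            unreprojectable.append({"path": rp["dir"] + "\\" + rp["file"], "reason": rp["reason"]})
    return {"verify_passes": verify_passes,
            "unrepairable": list(unrepairable.values()),
            "unreprojectable": unreprojectable}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_CBS), indent=2))
```

The case the summary keeps separate is the one in the excerpt: a "hash mismatch" followed by "source file in store is also corrupted" means SFC has no clean copy to restore from, so repeating the scan will not change the outcome.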

#12 JohnMWoods (Topic Starter)

Posted 15 December 2013 - 05:38 PM

Thanks. I will try.



#13 JohnMWoods (Topic Starter)

Posted 15 December 2013 - 07:48 PM

Here is the resulting report (I have no idea what to do now and the MS explanations baffled me -- any ideas/suggestions?)

2013-12-15 15:08:06, Info                  CSI    00000153 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:08:06, Info                  CSI    00000154 [SR] Beginning Verify and Repair transaction
2013-12-15 15:08:16, Info                  CSI    00000157 [SR] Verify complete
2013-12-15 15:08:16, Info                  CSI    00000158 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:08:16, Info                  CSI    00000159 [SR] Beginning Verify and Repair transaction
2013-12-15 15:08:25, Info                  CSI    0000015b [SR] Verify complete
2013-12-15 15:08:26, Info                  CSI    0000015c [SR] Verifying 100 (0x00000064) components
2013-12-15 15:08:26, Info                  CSI    0000015d [SR] Beginning Verify and Repair transaction
2013-12-15 15:08:49, Info                  CSI    0000015f [SR] Verify complete
2013-12-15 15:08:50, Info                  CSI    00000160 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:08:50, Info                  CSI    00000161 [SR] Beginning Verify and Repair transaction
2013-12-15 15:08:55, Info                  CSI    00000163 [SR] Cannot repair member file [l:24{12}]"spwizimg.dll" of Microsoft-Windows-Setup-Navigation-Wizard-Framework, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2013-12-15 15:09:01, Info                  CSI    00000166 [SR] Cannot repair member file [l:24{12}]"spwizimg.dll" of Microsoft-Windows-Setup-Navigation-Wizard-Framework, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2013-12-15 15:09:01, Info                  CSI    00000167 [SR] This component was referenced by [l:198{99}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7601.17514.WindowsFoundationDelivery"
2013-12-15 15:09:02, Info                  CSI    0000016a [SR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"spwizimg.dll"; source file in store is also corrupted
2013-12-15 15:09:03, Info                  CSI    0000016c [SR] Verify complete
2013-12-15 15:09:03, Info                  CSI    0000016d [SR] Verifying 100 (0x00000064) components
2013-12-15 15:09:03, Info                  CSI    0000016e [SR] Beginning Verify and Repair transaction
2013-12-15 15:09:10, Info                  CSI    00000170 [SR] Verify complete
2013-12-15 15:09:10, Info                  CSI    00000171 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:09:10, Info                  CSI    00000172 [SR] Beginning Verify and Repair transaction
2013-12-15 15:09:21, Info                  CSI    00000174 [SR] Verify complete
2013-12-15 15:09:22, Info                  CSI    00000175 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:09:22, Info                  CSI    00000176 [SR] Beginning Verify and Repair transaction
2013-12-15 15:09:38, Info                  CSI    00000179 [SR] Verify complete
2013-12-15 15:09:38, Info                  CSI    0000017a [SR] Verifying 100 (0x00000064) components
2013-12-15 15:09:38, Info                  CSI    0000017b [SR] Beginning Verify and Repair transaction
2013-12-15 15:09:48, Info                  CSI    0000017d [SR] Verify complete
2013-12-15 15:09:49, Info                  CSI    0000017e [SR] Verifying 100 (0x00000064) components
2013-12-15 15:09:49, Info                  CSI    0000017f [SR] Beginning Verify and Repair transaction
2013-12-15 15:09:57, Info                  CSI    00000181 [SR] Verify complete
2013-12-15 15:09:57, Info                  CSI    00000182 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:09:57, Info                  CSI    00000183 [SR] Beginning Verify and Repair transaction
2013-12-15 15:10:05, Info                  CSI    00000185 [SR] Verify complete
2013-12-15 15:10:06, Info                  CSI    00000186 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:10:06, Info                  CSI    00000187 [SR] Beginning Verify and Repair transaction
2013-12-15 15:10:14, Info                  CSI    0000018a [SR] Verify complete
2013-12-15 15:10:15, Info                  CSI    0000018b [SR] Verifying 100 (0x00000064) components
2013-12-15 15:10:15, Info                  CSI    0000018c [SR] Beginning Verify and Repair transaction
2013-12-15 15:10:22, Info                  CSI    0000018e [SR] Verify complete
2013-12-15 15:10:23, Info                  CSI    0000018f [SR] Verifying 100 (0x00000064) components
2013-12-15 15:10:23, Info                  CSI    00000190 [SR] Beginning Verify and Repair transaction
2013-12-15 15:10:29, Info                  CSI    00000192 [SR] Verify complete
2013-12-15 15:10:29, Info                  CSI    00000193 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:10:29, Info                  CSI    00000194 [SR] Beginning Verify and Repair transaction
2013-12-15 15:10:37, Info                  CSI    00000196 [SR] Verify complete
2013-12-15 15:10:37, Info                  CSI    00000197 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:10:37, Info                  CSI    00000198 [SR] Beginning Verify and Repair transaction
2013-12-15 15:10:42, Info                  CSI    0000019a [SR] Verify complete
2013-12-15 15:10:42, Info                  CSI    0000019b [SR] Verifying 100 (0x00000064) components
2013-12-15 15:10:42, Info                  CSI    0000019c [SR] Beginning Verify and Repair transaction
2013-12-15 15:10:47, Info                  CSI    0000019e [SR] Verify complete
2013-12-15 15:10:47, Info                  CSI    0000019f [SR] Verifying 100 (0x00000064) components
2013-12-15 15:10:47, Info                  CSI    000001a0 [SR] Beginning Verify and Repair transaction
2013-12-15 15:10:57, Info                  CSI    000001a2 [SR] Verify complete
2013-12-15 15:10:58, Info                  CSI    000001a3 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:10:58, Info                  CSI    000001a4 [SR] Beginning Verify and Repair transaction
2013-12-15 15:11:06, Info                  CSI    000001a7 [SR] Verify complete
2013-12-15 15:11:07, Info                  CSI    000001a8 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:11:07, Info                  CSI    000001a9 [SR] Beginning Verify and Repair transaction
2013-12-15 15:11:15, Info                  CSI    000001ab [SR] Verify complete
2013-12-15 15:11:16, Info                  CSI    000001ac [SR] Verifying 100 (0x00000064) components
2013-12-15 15:11:16, Info                  CSI    000001ad [SR] Beginning Verify and Repair transaction
2013-12-15 15:11:32, Info                  CSI    000001af [SR] Verify complete
2013-12-15 15:11:33, Info                  CSI    000001b0 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:11:33, Info                  CSI    000001b1 [SR] Beginning Verify and Repair transaction
2013-12-15 15:11:45, Info                  CSI    000001b3 [SR] Verify complete
2013-12-15 15:11:46, Info                  CSI    000001b4 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:11:46, Info                  CSI    000001b5 [SR] Beginning Verify and Repair transaction
2013-12-15 15:11:50, Info                  CSI    000001b7 [SR] Verify complete
2013-12-15 15:11:50, Info                  CSI    000001b8 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:11:50, Info                  CSI    000001b9 [SR] Beginning Verify and Repair transaction
2013-12-15 15:11:53, Info                  CSI    000001bb [SR] Verify complete
2013-12-15 15:11:54, Info                  CSI    000001bc [SR] Verifying 100 (0x00000064) components
2013-12-15 15:11:54, Info                  CSI    000001bd [SR] Beginning Verify and Repair transaction
2013-12-15 15:12:02, Info                  CSI    000001bf [SR] Verify complete
2013-12-15 15:12:02, Info                  CSI    000001c0 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:12:02, Info                  CSI    000001c1 [SR] Beginning Verify and Repair transaction
2013-12-15 15:12:08, Info                  CSI    000001c3 [SR] Verify complete
2013-12-15 15:12:09, Info                  CSI    000001c4 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:12:09, Info                  CSI    000001c5 [SR] Beginning Verify and Repair transaction
2013-12-15 15:12:17, Info                  CSI    000001c7 [SR] Verify complete
2013-12-15 15:12:17, Info                  CSI    000001c8 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:12:17, Info                  CSI    000001c9 [SR] Beginning Verify and Repair transaction
2013-12-15 15:12:23, Info                  CSI    000001cb [SR] Verify complete
2013-12-15 15:12:24, Info                  CSI    000001cc [SR] Verifying 100 (0x00000064) components
2013-12-15 15:12:24, Info                  CSI    000001cd [SR] Beginning Verify and Repair transaction
2013-12-15 15:12:35, Info                  CSI    000001cf [SR] Verify complete
2013-12-15 15:12:36, Info                  CSI    000001d0 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:12:36, Info                  CSI    000001d1 [SR] Beginning Verify and Repair transaction
2013-12-15 15:13:18, Info                  CSI    000001d3 [SR] Verify complete
2013-12-15 15:13:18, Info                  CSI    000001d4 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:13:18, Info                  CSI    000001d5 [SR] Beginning Verify and Repair transaction
2013-12-15 15:13:52, Info                  CSI    000001d7 [SR] Verify complete
2013-12-15 15:13:52, Info                  CSI    000001d8 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:13:52, Info                  CSI    000001d9 [SR] Beginning Verify and Repair transaction
2013-12-15 15:14:04, Info                  CSI    000001db [SR] Verify complete
2013-12-15 15:14:04, Info                  CSI    000001dc [SR] Verifying 100 (0x00000064) components
2013-12-15 15:14:04, Info                  CSI    000001dd [SR] Beginning Verify and Repair transaction
2013-12-15 15:14:08, Info                  CSI    000001df [SR] Verify complete
2013-12-15 15:14:09, Info                  CSI    000001e0 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:14:09, Info                  CSI    000001e1 [SR] Beginning Verify and Repair transaction
2013-12-15 15:14:15, Info                  CSI    000001e3 [SR] Verify complete
2013-12-15 15:14:16, Info                  CSI    000001e4 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:14:16, Info                  CSI    000001e5 [SR] Beginning Verify and Repair transaction
2013-12-15 15:14:20, Info                  CSI    000001e7 [SR] Verify complete
2013-12-15 15:14:20, Info                  CSI    000001e8 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:14:20, Info                  CSI    000001e9 [SR] Beginning Verify and Repair transaction
2013-12-15 15:14:26, Info                  CSI    000001eb [SR] Verify complete
2013-12-15 15:14:26, Info                  CSI    000001ec [SR] Verifying 100 (0x00000064) components
2013-12-15 15:14:26, Info                  CSI    000001ed [SR] Beginning Verify and Repair transaction
2013-12-15 15:14:34, Info                  CSI    000001ef [SR] Verify complete
2013-12-15 15:14:35, Info                  CSI    000001f0 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:14:35, Info                  CSI    000001f1 [SR] Beginning Verify and Repair transaction
2013-12-15 15:14:36, Info                  CSI    000001f3 [SR] Verify complete
2013-12-15 15:14:37, Info                  CSI    000001f4 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:14:37, Info                  CSI    000001f5 [SR] Beginning Verify and Repair transaction
2013-12-15 15:14:38, Info                  CSI    000001f7 [SR] Verify complete
2013-12-15 15:14:39, Info                  CSI    000001f8 [SR] Verifying 100 (0x00000064) components
2013-12-15 15:14:39, Info                  CSI    000001f9 [SR] Beginning Verify and Repair transaction
2013-12-15 15:14:48, Info                  CSI    000001fb [SR] Verify complete
2013-12-15 15:14:48, Info                  CSI    000001fc [SR] Verifying 71 (0x00000047) components
2013-12-15 15:14:48, Info                  CSI    000001fd [SR] Beginning Verify and Repair transaction
2013-12-15 15:14:52, Info                  CSI    000001ff [SR] Verify complete
2013-12-15 15:14:52, Info                  CSI    00000200 [SR] Repairing 5 components
2013-12-15 15:14:52, Info                  CSI    00000201 [SR] Beginning Verify and Repair transaction
2013-12-15 15:14:54, Info                  CSI    00000203 [SR] Cannot repair member file [l:22{11}]"PINTLGT.IMD" of Microsoft-Windows-IME-Simplified-Chinese-TrigramDictionary, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mism
atch
2013-12-15 15:14:54, Info                  CSI    00000205 [SR] Cannot repair me
mber file [l:18{9}]"IMTCS.IMD" of Microsoft-Windows-IME-Traditional-Chinese-Bigr
amDictionary, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), C
ulture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e3
5}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatc
h
2013-12-15 15:14:54, Info                  CSI    00000207 [SR] Cannot repair me
mber file [l:18{9}]"IMTCL.IMD" of Microsoft-Windows-IME-Traditional-Chinese-Core
, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutr
al, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neu
tral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2013-12-15 15:14:55, Info                  CSI    00000209 [SR] Cannot repair me
mber file [l:24{12}]"spwizimg.dll" of Microsoft-Windows-Setup-Navigation-Wizard-
Framework, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Cult
ure neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35},
 Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2013-12-15 15:14:55, Info                  CSI    0000020b [SR] Cannot repair me
mber file [l:18{9}]"IMTCS.IMD" of Microsoft-Windows-IME-Traditional-Chinese-Bigr
amDictionary, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), C
ulture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e3
5}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatc
h
2013-12-15 15:14:55, Info                  CSI    0000020c [SR] This component w
as referenced by [l:198{99}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e
35~x86~~6.1.7601.17514.WindowsFoundationDelivery"
2013-12-15 15:14:56, Info                  CSI    0000020f [SR] Could not reproj
ect corrupted file [ml:520{260},l:64{32}]"\??\C:\Windows\IME\IMETC10\DICTS"\[l:1
8{9}]"IMTCS.IMD"; source file in store is also corrupted
2013-12-15 15:14:57, Info                  CSI    00000211 [SR] Cannot repair me
mber file [l:22{11}]"PINTLGT.IMD" of Microsoft-Windows-IME-Simplified-Chinese-Tr
igramDictionary, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0)
, Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad36
4e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mism
atch
2013-12-15 15:14:57, Info                  CSI    00000212 [SR] This component w
as referenced by [l:198{99}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e
35~x86~~6.1.7601.17514.WindowsFoundationDelivery"
2013-12-15 15:15:01, Info                  CSI    00000215 [SR] Could not reproj
ect corrupted file [ml:520{260},l:62{31}]"\??\C:\Windows\IME\IMESC5\DICTS"\[l:22
{11}]"PINTLGT.IMD"; source file in store is also corrupted
2013-12-15 15:15:01, Info                  CSI    00000217 [SR] Cannot repair me
mber file [l:24{12}]"spwizimg.dll" of Microsoft-Windows-Setup-Navigation-Wizard-
Framework, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Cult
ure neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35},
 Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2013-12-15 15:15:01, Info                  CSI    00000218 [SR] This component w
as referenced by [l:198{99}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e
35~x86~~6.1.7601.17514.WindowsFoundationDelivery"
2013-12-15 15:15:02, Info                  CSI    0000021b [SR] Could not reproj
ect corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"sp
wizimg.dll"; source file in store is also corrupted
2013-12-15 15:15:02, Info                  CSI    0000021d [SR] Cannot repair me
mber file [l:18{9}]"IMTCL.IMD" of Microsoft-Windows-IME-Traditional-Chinese-Core
, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutr
al, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neu
tral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2013-12-15 15:15:02, Info                  CSI    0000021e [SR] This component w
as referenced by [l:198{99}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e
35~x86~~6.1.7601.17514.WindowsFoundationDelivery"
2013-12-15 15:15:02, Info                  CSI    00000221 [SR] Could not reproj
ect corrupted file [ml:520{260},l:64{32}]"\??\C:\Windows\IME\IMETC10\DICTS"\[l:1
8{9}]"IMTCL.IMD"; source file in store is also corrupted
2013-12-15 15:15:03, Info                  CSI    00000223 [SR] Repair complete
2013-12-15 15:15:03, Info                  CSI    00000224 [SR] Committing trans
action
2013-12-15 15:15:03, Info                  CSI    00000228 [SR] Verify and Repai
r Transaction completed. All files and registry keys listed in this transaction
 have been successfully repaired
 
C:\Windows\system32>
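Reading the SFC section of CBS.log by hand is error-prone: the closing "Verify and Repair Transaction completed ... successfully repaired" line describes the transaction, while the per-file "Cannot repair member file ... hash mismatch" and "Could not reproject corrupted file ... source file in store is also corrupted" lines are where the files SFC left untouched are named. The following Python is an added example, not part of the thread and not Microsoft's tooling: it pulls those [SR] lines out of a CBS.log excerpt and lists the files whose on-disk copy could not be restored because the component-store copy is corrupt too. The sample log embedded in it is constructed for the example; the file and component names mirror the log posted above, but the selection of lines is ours.

```python
import re

# Constructed sample in the shape of the [SR] lines SFC writes to CBS.log
# (constructed for this example; names mirror the posted log).
SAMPLE_CBS_LOG = r"""2013-12-15 15:14:52, Info                  CSI    00000200 [SR] Repairing 5 components
2013-12-15 15:14:52, Info                  CSI    00000201 [SR] Beginning Verify and Repair transaction
2013-12-15 15:14:54, Info                  CSI    00000203 [SR] Cannot repair member file [l:22{11}]"PINTLGT.IMD" of Microsoft-Windows-IME-Simplified-Chinese-TrigramDictionary, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2013-12-15 15:14:55, Info                  CSI    00000209 [SR] Cannot repair member file [l:24{12}]"spwizimg.dll" of Microsoft-Windows-Setup-Navigation-Wizard-Framework, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2013-12-15 15:14:56, Info                  CSI    0000020f [SR] Could not reproject corrupted file [ml:520{260},l:64{32}]"\??\C:\Windows\IME\IMETC10\DICTS"\[l:18{9}]"IMTCS.IMD"; source file in store is also corrupted
2013-12-15 15:15:02, Info                  CSI    0000021b [SR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"spwizimg.dll"; source file in store is also corrupted
2013-12-15 15:15:03, Info                  CSI    00000223 [SR] Repair complete
2013-12-15 15:15:03, Info                  CSI    00000228 [SR] Verify and Repair Transaction completed. All files and registry keys listed in this transaction have been successfully repaired
"""

# "[SR] Repairing N components": how many components SFC decided to touch.
REPAIRING = re.compile(r"\[SR\] Repairing (\d+) components")

# "[SR] Cannot repair member file [l:..]"NAME" of COMPONENT, Version = V, ... in the store, REASON"
CANNOT_REPAIR = re.compile(
    r'\[SR\] Cannot repair member file \[l:\d+\{\d+\}\]"([^"]+)" of ([^,]+), '
    r"Version = ([^,]+),.* in the store, (.+)$"
)

# "[SR] Could not reproject corrupted file [ml:..]"\??\DIR"\[l:..]"NAME"; REASON"
NO_REPROJECT = re.compile(
    r'\[SR\] Could not reproject corrupted file \[ml:[^\]]+\]"([^"]+)"\\\[l:[^\]]+\]"([^"]+)"; (.+)$'
)


def _new_entry():
    return {"component": None, "version": None, "reason": None,
            "paths": [], "store_corrupt": False}


def parse_sfc_section(text):
    """Collect per-file findings from the [SR] lines of a CBS.log excerpt.

    Returns (findings, repairing_count). findings maps a file name to a dict
    with the owning component and version, the reason SFC gave, every
    on-disk path it tried to restore, and whether the store copy was bad.
    """
    findings = {}
    repairing = 0
    for line in text.splitlines():
        m = REPAIRING.search(line)
        if m:
            repairing = int(m.group(1))
            continue
        m = CANNOT_REPAIR.search(line)
        if m:
            fname, component, version, reason = m.groups()
            entry = findings.setdefault(fname, _new_entry())
            entry.update(component=component, version=version, reason=reason)
            continue
        m = NO_REPROJECT.search(line)
        if m:
            directory, fname, reason = m.groups()
            # CSI logs NT-style paths ("\??\C:\..."); strip the prefix.
            if directory.startswith("\\??\\"):
                directory = directory[4:]
            entry = findings.setdefault(fname, _new_entry())
            entry["paths"].append(directory + "\\" + fname)
            if "source file in store is also corrupted" in reason:
                entry["store_corrupt"] = True
    return findings, repairing


def files_sfc_could_not_replace(findings):
    """Names of files whose live copy SFC could not restore from the store."""
    return sorted(name for name, e in findings.items() if e["store_corrupt"])


if __name__ == "__main__":
    found, count = parse_sfc_section(SAMPLE_CBS_LOG)
    print(f"SFC attempted to repair {count} components")
    for name, e in sorted(found.items()):
        print(f"{name}: component={e['component']} version={e['version']} "
              f"reason={e['reason']} store_corrupt={e['store_corrupt']} paths={e['paths']}")
    print("left unrepaired:", files_sfc_could_not_replace(found))
```

Run against a full CBS.log rather than the excerpt, the same two patterns apply; the names the second function returns are the ones to check against a known-good copy of the same Windows build (the version string captured from the "Cannot repair" line identifies which).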


#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,769 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:33 AM

Posted 16 December 2013 - 09:43 AM

Verify and Repair
Transaction completed. All files and registry keys listed in this transaction have been successfully repaired

Not much else we can do here.
===

If the problem persists, let's have a look at these files.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main text field:
    :filefind
    hal.sys
    ntkrpamp.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.


#15 JohnMWoods

JohnMWoods
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:San Diego, CA, USA
  • Local time:05:33 AM

Posted 16 December 2013 - 11:11 AM

The results follow. No files found!?!?!?!

 

SystemLook 30.07.11 by jpshortstuff
Log created at 08:08 on 16/12/2013 by ADMINSTRATOR
Administrator - Elevation successful
 
========== filefind ==========
 
Searching for "hal.sys"
No files found.
 
Searching for "ntkrpamp.exe"
No files found.
 
-= EOF =-
 
 
I also had another BSOD and here is the WhoCrashed analysis followed by the SystemLook report. I hate that I am such a novice and your patience and help are greatly appreciated.
 
 
Crash dump directory: C:\Windows\Minidump
 
Crash dumps are enabled on your computer.
 
On Mon 12/16/2013 3:47:56 PM GMT your computer crashed
crash dump file: C:\Windows\Minidump\121613-37565-01.dmp
This was probably caused by the following module: win32k.sys (win32k+0x16347C) 
Bugcheck code: 0xB4 (0xFFFFFFFF874BB580, 0xFFFFFFFF877A6000, 0xFFFFFFFF877A7000, 0x3)
Error: VIDEO_DRIVER_INIT_FAILURE
file path: C:\Windows\system32\win32k.sys
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: Multi-User Win32 Driver
Bug check description: This indicates that Windows was unable to enter graphics mode.
The crash took place in a standard Microsoft module. Your system configuration may be incorrect. Possibly this problem is caused by another driver on your system that cannot be identified at this time. 
 
 
 
On Mon 12/16/2013 3:47:56 PM GMT your computer crashed
crash dump file: C:\Windows\memory.dmp
This was probably caused by the following module: win32k.sys (win32k+0x16347C) 
Bugcheck code: 0xB4 (0xFFFFFFFF874BB580, 0xFFFFFFFF877A6000, 0xFFFFFFFF877A7000, 0x3)
Error: VIDEO_DRIVER_INIT_FAILURE
file path: C:\Windows\system32\win32k.sys
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: Multi-User Win32 Driver
Bug check description: This indicates that Windows was unable to enter graphics mode.
The crash took place in a standard Microsoft module. Your system configuration may be incorrect. Possibly this problem is caused by another driver on your system that cannot be identified at this time. 
 
 
 
On Mon 12/16/2013 3:32:32 PM GMT your computer crashed
crash dump file: C:\Windows\Minidump\121613-41496-01.dmp
This was probably caused by the following module: win32k.sys (win32k+0x16347C) 
Bugcheck code: 0xB4 (0xFFFFFFFF87353A28, 0xFFFFFFFF8701F000, 0xFFFFFFFF86A5C000, 0x3)
Error: VIDEO_DRIVER_INIT_FAILURE
file path: C:\Windows\system32\win32k.sys
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: Multi-User Win32 Driver
Bug check description: This indicates that Windows was unable to enter graphics mode.
The crash took place in a standard Microsoft module. Your system configuration may be incorrect. Possibly this problem is caused by another driver on your system that cannot be identified at this time. 
 
And the SystemLook results:
 
SystemLook 30.07.11 by jpshortstuff
Log created at 08:17 on 16/12/2013 by ADMINSTRATOR
Administrator - Elevation successful
 
========== filefind ==========
 
Searching for "win32k.sys"
C:\Windows\System32\win32k.sys --a---- 2349056 bytes [22:04 11/12/2013] [01:27 30/10/2013] 8ACB33EF85F9EA87D18FECEAD593A255
C:\Windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.1.7601.17514_none_bafae3a5f8c8e2cb\win32k.sys --a---- 2329088 bytes [21:29 20/11/2010] [21:29 20/11/2010] 687464342342B933D6B7FAA4A907AF4C
C:\Windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.1.7601.17803_none_bb04b8f9f8c1a4f8\win32k.sys --a---- 2343424 bytes [03:42 30/05/2012] [02:36 31/03/2012] F8DB740114248CE6910E550EE9C054A2
C:\Windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.1.7601.18300_none_bb0197d5f8c480d1\win32k.sys --a---- 2349056 bytes [22:04 11/12/2013] [01:27 30/10/2013] 8ACB33EF85F9EA87D18FECEAD593A255
C:\Windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.1.7601.21955_none_bb5a46bd12060325\win32k.sys --a---- 2351616 bytes [03:42 30/05/2012] [02:31 31/03/2012] 5E7C260B168054FCB68BE9C030A81CE8
C:\Windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.1.7601.22496_none_bb2fe7111225b41e\win32k.sys --a---- 2357248 bytes [22:05 11/12/2013] [01:09 30/10/2013] CCF2E6C5D39C6B82879DE66431710F0F
 
-= EOF =-
 
 
 
 

 


Edited by JohnMWoods, 16 December 2013 - 11:27 AM.
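The SystemLook :filefind output above lists every copy of a file name together with its size, timestamps and MD5, which is what lets a helper compare the live System32 copy against the copies Windows keeps in the WinSxS component store. The Python below is an added example, not part of the thread and not SystemLook's own code: it parses that output format and classifies each searched name. The win32k.sys and hal.sys blocks in the embedded sample are taken from the log posted above; the "sample.dll" block is constructed to show a live file whose hash matches no store copy. Applied to the posted log, the System32 win32k.sys hash (8ACB33EF...) equals the 6.1.7601.18300 WinSxS copy, and "No files found." for hal.sys and ntkrpamp.exe only means those names are absent on this machine. A store match shows that the live file and one store copy agree, not that either is legitimate; the CBS log earlier in the thread shows the store itself holding corrupted copies.

```python
import re

# Sample SystemLook :filefind output. The hal.sys and win32k.sys blocks are
# copied from the log posted in the thread; the sample.dll block is
# constructed (placeholder hashes) to show a live file with no store match.
SAMPLE_SYSTEMLOOK = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 08:17 on 16/12/2013 by ADMINSTRATOR
Administrator - Elevation successful

========== filefind ==========

Searching for "hal.sys"
No files found.

Searching for "win32k.sys"
C:\Windows\System32\win32k.sys --a---- 2349056 bytes [22:04 11/12/2013] [01:27 30/10/2013] 8ACB33EF85F9EA87D18FECEAD593A255
C:\Windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.1.7601.17514_none_bafae3a5f8c8e2cb\win32k.sys --a---- 2329088 bytes [21:29 20/11/2010] [21:29 20/11/2010] 687464342342B933D6B7FAA4A907AF4C
C:\Windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.1.7601.18300_none_bb0197d5f8c480d1\win32k.sys --a---- 2349056 bytes [22:04 11/12/2013] [01:27 30/10/2013] 8ACB33EF85F9EA87D18FECEAD593A255

Searching for "sample.dll"
C:\Windows\System32\sample.dll --a---- 1024 bytes [10:00 01/12/2013] [10:00 01/12/2013] 00000000000000000000000000000000
C:\Windows\winsxs\x86_sample-component_31bf3856ad364e35_6.1.7600.16385_none_0000000000000000\sample.dll --a---- 1024 bytes [21:29 20/11/2010] [21:29 20/11/2010] 11111111111111111111111111111111

-= EOF =-
"""

SEARCH_HDR = re.compile(r'^Searching for "([^"]+)"')
# PATH ATTRS SIZE bytes [MTIME] [CTIME] MD5
FILE_LINE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-zA-Z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Map each searched name to its hit list ([] for 'No files found.')."""
    results = {}
    current = None
    for line in text.splitlines():
        m = SEARCH_HDR.match(line)
        if m:
            current = m.group(1)
            results[current] = []
            continue
        m = FILE_LINE.match(line)
        if m and current is not None:
            results[current].append({
                "path": m["path"],
                "size": int(m["size"]),
                "md5": m["md5"].upper(),
            })
    return results


def is_store_copy(path):
    """True for copies living in the WinSxS component store."""
    return "\\winsxs\\" in path.lower()


def assess(results):
    """Classify each name: not_present, store_only, matches_store, or
    no_store_match (live copy whose MD5 equals no WinSxS copy).
    Returns name -> (status, list of live paths the status refers to)."""
    verdicts = {}
    for name, hits in results.items():
        live = [h for h in hits if not is_store_copy(h["path"])]
        store_hashes = {h["md5"] for h in hits if is_store_copy(h["path"])}
        if not hits:
            verdicts[name] = ("not_present", [])
        elif not live:
            verdicts[name] = ("store_only", [])
        else:
            unmatched = [h["path"] for h in live if h["md5"] not in store_hashes]
            if unmatched:
                verdicts[name] = ("no_store_match", unmatched)
            else:
                verdicts[name] = ("matches_store", [h["path"] for h in live])
    return verdicts


if __name__ == "__main__":
    for name, (status, paths) in assess(parse_filefind(SAMPLE_SYSTEMLOOK)).items():
        print(f"{name}: {status} {paths}")
```

A "no_store_match" result is the one worth following up: the live file differs from every copy the servicing stack knows about, so the next step is to compare its hash against a known-good copy from the same Windows build rather than to trust the file because it sits in System32.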




