XP system smells funny


  • This topic is locked
27 replies to this topic

#1 TheGear

TheGear

  • Members
  • 82 posts
  • OFFLINE
  • Local time:02:24 PM

Posted 31 January 2014 - 09:44 PM

This is an XP system which passes MBAM with flying colors, but it still gives me the uneasy feeling that something's up. To wit:

1. it's generally lethargic, even after I shut off all IE add-ins, and even if there's plenty of headroom shown by Task Manager;

2. I can't enable the firewall;

3. I'm unable to install Microsoft Security Essentials due to "corrupted installation database";

4. Belarc Advisor hangs at about 50%;

5. and (although I'm certainly no expert) RootkitRevealer has many more results than I'm accustomed to seeing.

 

There's just something wrong here.  I'm about to decommission this system because it's XP, but I'm concerned about migrating the data to a Windows 7/8 system before I ascertain that there are no deep problems.

 

Your help would be deeply appreciated.

 

BTW, this system has already been cleaned by the folks at BleepingComputer a while back (about a year, I think), so a few artifacts of ComboFix are still there.

 

 




#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:24 PM

Posted 01 February 2014 - 06:57 AM





Hello TheGear

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

I would like you to run this program for me.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 TheGear

TheGear
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  • Local time:02:24 PM

Posted 01 February 2014 - 07:17 AM

Mmmph. I hit the Go button too early. Here is the DDS file. Note that, since my initial post, I was able to enable the firewall, although I have no idea why it works now and not before.

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Margi at 7:07:26 on 2014-02-01
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2038.1122 [GMT -5:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\APC\PowerChute Personal Edition\mainserv.exe
C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Cobian Backup 11\cbVSCService11.exe
C:\Program Files\Cobian Backup 11\cbService.exe
C:\Program Files\Office Depot PC Support Agent\esService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Office Depot PC Support Agent\escont.exe
C:\Program Files\APC\PowerChute Personal Edition\dataserv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Cobian Backup 11\cbInterface.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Printer Pro Desktop\PrinterProDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\APC\PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
D:\HBCD\HBCDMenu.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - c:\program files\mcafee security scan\3.8.130\McAfeeMSS_IE.dll
BHO: Avira SearchFree Toolbar: {41564952-412D-5637-00A7-7A786E7484D7} -
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.9012.1008\swg.dll
BHO: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Avira SearchFree Toolbar: {41564952-412D-5637-00A7-7A786E7484D7} -
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [FCCD7AB6C256F5FC8AFEEC423CCF207E4CA2BD16._service_run] "c:\program files\google\chrome\application\chrome.exe" --type=service
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [PrinterProDesktop] c:\program files\printer pro desktop\PrinterProDesktop.exe /autorun
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [Cobian Backup 11 interface] "c:\program files\cobian backup 11\cbInterface.exe" -service
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ApnTBMon] "c:\program files\askpartnernetwork\toolbar\updater\TBNotifier.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.8.130\SSScheduler.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &AOL Email Toolbar Search - c:\documents and settings\all users\application data\aol email toolbar\ietoolbar\resources\en-us\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\avira\antivir desktop\avsda.dll
Trusted Zone: dell.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} - hxxps://remote4.ruden.com/XTSAC.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1365624071031
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://remote4.ruden.com/msrdp.cab
DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} - hxxps://remote4.ruden.com/MLWebCacheCleaner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 172.16.2.1
TCP: Interfaces\{752B2A48-ACCC-437C-868D-178D5C86824D} : DHCPNameServer = 172.16.2.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\32.0.1700.102\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\margi\application data\mozilla\firefox\profiles\hm1bq3v6.default\
FF - plugin: c:\documents and settings\margi\application data\mozilla\firefox\profiles\hm1bq3v6.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\amazon\mp3 downloader\npAmazonMP3DownloaderPlugin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\program files\mcafee security scan\3.8.130\npMcAfeeMSS.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_170.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: !HIDDEN! 2010-11-30 09:44; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-9-27 214696]
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\drivers\tdrpm273.sys [2011-10-1 752128]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2013-12-13 37352]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-6-15 214664]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2013-12-13 440376]
R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2013-12-13 440376]
R2 AntiVirWebService;Avira Web Protection;c:\program files\avira\antivir desktop\avwebgrd.exe [2013-12-13 1011768]
R2 APC Data Service;APC Data Service;c:\program files\apc\powerchute personal edition\dataserv.exe [2012-1-24 21880]
R2 APNMCP;Ask Update Service;c:\program files\askpartnernetwork\toolbar\apnmcp.exe [2013-12-20 166352]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2013-12-13 90400]
R2 cbVSCService11;Cobian Backup 11 Volume Shadow Copy Requester;c:\program files\cobian backup 11\cbVSCService11.exe [2012-8-1 67584]
R2 CobianBackup11;Cobian Backup 11 Gravity;c:\program files\cobian backup 11\cbService.exe [2012-8-1 1131008]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2011-10-18 12184]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2012-8-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2012-10-25 47640]
R2 Office Depot PC Support Agent;Office Depot PC Support Agent;c:\program files\office depot pc support agent\esService.exe [2014-1-22 1005144]
S1 MpKslaf0215da;MpKslaf0215da;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{920d0c0b-7f96-480c-b5d9-8646e25fb8f2}\mpkslaf0215da.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{920d0c0b-7f96-480c-b5d9-8646e25fb8f2}\MpKslaf0215da.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9fc20d12d0974;Google Update Service (gupdate1c9fc20d12d0974);c:\program files\google\update\GoogleUpdate.exe [2009-7-3 133104]
S3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2011-10-1 167968]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [2011-4-30 42648]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [2011-4-30 12184]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.8.130\McCHSvc.exe [2013-9-6 235216]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-6-15 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-6-15 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-6-15 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-6-15 40552]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2003-7-16 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S4 afcdpsrv;Acronis Nonstop Backup Service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2011-10-1 3246040]
S4 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-7-7 195336]
S4 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-6-15 249648]
S4 KQRNZCZEM;KQRNZCZEM;c:\docume~1\billge~1\locals~1\temp\kqrnzczem.exe --> c:\docume~1\billge~1\locals~1\temp\KQRNZCZEM.exe [?]
S4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2012-10-19 374704]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackup\MemeoBackgroundService.exe [2011-1-24 25824]
S4 NIIBRQNPXLE;NIIBRQNPXLE;c:\docume~1\margi\locals~1\temp\niibrqnpxle.exe --> c:\docume~1\margi\locals~1\temp\NIIBRQNPXLE.exe [?]
S4 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2011-6-1 14088]
S4 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
.
=============== Created Last 30 ================
.
2014-01-31 04:36:55 -------- d-----w- c:\program files\Windows Easy Transfer 7
2014-01-15 22:01:15 -------- dc----w- c:\documents and settings\margi\local settings\application data\MigWiz
2014-01-10 23:27:27 -------- d-----w- c:\documents and settings\margi\local settings\application data\Deployment
.
==================== Find3M  ====================
.
2013-12-11 13:54:34 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-11 13:54:34 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-12-09 16:37:19 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-12-09 16:37:18 90400 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-11-19 10:21:30 230048 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH:  7:08:25.79 ===============
 



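As an added example (not part of this thread and not code from the DDS tool), here is a small Python triage script for the SERVICES / DRIVERS section of a DDS log like the one above. It flags the entries a responder would look at first: services whose image path sits in a user's temp folder, entries DDS marks [?] (image file not found) or [x] (no image path recorded), and random-looking all-caps service names. The sample input is constructed from a few lines of the log above; the Finding class and the heuristics are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines taken from the DDS log above.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============
.
R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2013-12-13 440376]
S4 KQRNZCZEM;KQRNZCZEM;c:\docume~1\billge~1\locals~1\temp\kqrnzczem.exe --> c:\docume~1\billge~1\locals~1\temp\KQRNZCZEM.exe [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2003-7-16 14336]
.
=============== Created Last 30 ================
"""

# DDS service line: "<state> <name>;<description>;<image path> [<date size> | ? | x]"
LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$")
# Short (8.3) or long form of a user's temp directory inside the image path.
TEMP_RE = re.compile(r"\\(?:locals~1\\)?temp\\", re.IGNORECASE)


@dataclass
class Finding:
    state: str
    name: str
    image: str
    reasons: list = field(default_factory=list)


def parse_service_line(line):
    """Split one DDS service line into (state, name, desc, image, tag) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    # "registry path --> resolved path": keep the path DDS resolved on disk.
    if "-->" in rest:
        rest = rest.split("-->", 1)[1].strip()
    # The trailing bracket is "[date size]", "[?]" (file not found) or "[x]" (no path).
    tag = ""
    tm = re.search(r"\[([^\]]*)\]\s*$", rest)
    if tm:
        tag = tm.group(1)
        rest = rest[:tm.start()].strip()
    return m.group("state"), m.group("name"), m.group("desc"), rest, tag


def triage_dds(text):
    """Return the service entries from the SERVICES / DRIVERS section worth a closer look."""
    findings = []
    in_section = False
    for line in text.splitlines():
        if line.startswith("====="):
            in_section = "SERVICES / DRIVERS" in line  # section headers switch context
            continue
        if not in_section:
            continue
        parsed = parse_service_line(line)
        if parsed is None:
            continue
        state, name, desc, image, tag = parsed
        reasons = []
        if tag == "?":
            reasons.append("image file not found on disk")
        if tag == "x":
            reasons.append("service has no image path")
        if TEMP_RE.search(image):
            reasons.append("image lives in a temp directory")
        # Heuristic: a service whose display name equals its key name and is
        # a long run of capital letters is usually machine-generated.
        if name == desc and re.fullmatch(r"[A-Z]{8,}", name):
            reasons.append("random-looking all-caps name")
        if reasons:
            findings.append(Finding(state, name, image, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"{f.state} {f.name}: {f.image or '<no path>'}")
        for r in f.reasons:
            print(f"    - {r}")
```

A flagged entry is a starting point for review, not a verdict: a legitimate product can leave a stale service behind, as the LogMeIn entry shows.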
#4 TheGear

TheGear
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  • Local time:02:24 PM

Posted 01 February 2014 - 07:37 AM

Thank you, Gringo, nice to see you again. My screen hadn't refreshed, so I didn't see your FRST directive until I had posted the DDS output. Here is the output from FRST:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 01-02-2014 03
Ran by Margi (administrator) on SOPHOCLES on 01-02-2014 07:20:44
Running from C:\Documents and Settings\Margi\My Documents\Downloads\BleepingComputer
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) ===================

(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
(Schneider Electric) C:\Program Files\APC\PowerChute Personal Edition\mainserv.exe
(APN LLC.) C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(CobianSoft, Luis Cobian) C:\Program Files\Cobian Backup 11\cbVSCService11.exe
(Luis Cobian, CobianSoft) C:\Program Files\Cobian Backup 11\cbService.exe
(Support.com, Inc.) C:\Program Files\Office Depot PC Support Agent\esService.exe
(Microsoft Corp.) C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
(Support.com, Inc.) C:\Program Files\Office Depot PC Support Agent\escont.exe
(Schneider Electric) C:\Program Files\APC\PowerChute Personal Edition\dataserv.exe
(Microsoft Corporation) C:\WINDOWS\system32\taskmgr.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Logitech, Inc.) C:\Program Files\Logitech\SetPointP\SetPoint.exe
(Luis Cobian, CobianSoft) C:\Program Files\Cobian Backup 11\cbInterface.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
(APN) C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
(Google Inc.) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
() C:\Program Files\Printer Pro Desktop\PrinterProDesktop.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
(Logitech, Inc.) C:\Program Files\Common Files\Logishrd\KHAL3\KHALMNPR.exe
(Schneider Electric) C:\Program Files\APC\PowerChute Personal Edition\apcsystray.exe
(Microsoft Corporation) C:\Program Files\Windows NT\Accessories\wordpad.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avwebgrd.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(http://www.hiren.info) D:\HBCD\HBCDMenu.exe
(Microsoft Corporation) C:\Program Files\Windows NT\Accessories\wordpad.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Farbar) C:\Documents and Settings\Margi\My Documents\Downloads\BleepingComputer\FRST farbar.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [igfxpers] - C:\WINDOWS\system32\igfxpers.exe [114688 2005-10-14] (Intel Corporation)
HKLM\...\Run: [igfxhkcmd] - C:\WINDOWS\system32\hkcmd.exe [77824 2005-10-14] (Intel Corporation)
HKLM\...\Run: [EvtMgr6] - C:\Program Files\Logitech\SetPointP\SetPoint.exe [1387288 2011-10-07] (Logitech, Inc.)
HKLM\...\Run: [Cobian Backup 11 interface] - C:\Program Files\Cobian Backup 11\cbInterface.exe [4407808 2012-07-31] (Luis Cobian, CobianSoft)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-11-02] (Apple Inc.)
HKLM\...\Run: [avgnt] - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [684600 2013-12-09] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [ApnTBMon] - C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1778640 2013-12-20] (APN)
HKLM Group Policy restriction on software: *.wma.exe <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.com <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.com <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wma.pif <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.scr <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Application Data\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Application Data\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.pif <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.scr <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Local Settings\Application Data\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.com <====== ATTENTION
HKLM Group Policy restriction on software: *.png.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.com <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Local Settings\Application Data\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Application Data\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.pif <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Local Settings\Application Data\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.png.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.com <====== ATTENTION
HKLM Group Policy restriction on software: *.png.com <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Application Data\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.com <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.com <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.com <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.pif <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Local Settings\Application Data\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Local Settings\Application Data\188f1432-103a-4ffb-80f1-36b633c5c9e1\geardifx.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\pcpe setup.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Application Data\188f1432-103a-4ffb-80f1-36b633c5c9e1\geardifx.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\pcpe setup.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\188f1432-103a-4ffb-80f1-36b633c5c9e1\geardifx.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\188f1432-103a-4ffb-80f1-36b633c5c9e1\geardifx.exe <====== ATTENTION
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
Winlogon\Notify\LMIinit: C:\WINDOWS\system32\LMIinit.dll (LogMeIn, Inc.)
HKU\.DEFAULT\...\Run: [DWQueuedReporting] - C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE [437160 2007-02-26] (Microsoft Corporation)
HKU\S-1-5-21-839522115-2000478354-2147116355-1004\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [68856 2007-06-27] (Google Inc.)
HKU\S-1-5-21-839522115-2000478354-2147116355-1007\...\Run: [FCCD7AB6C256F5FC8AFEEC423CCF207E4CA2BD16._service_run] - C:\Program Files\Google\Chrome\Application\chrome.exe [866584 2014-01-23] (Google Inc.)
HKU\S-1-5-21-839522115-2000478354-2147116355-1007\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [68856 2007-06-27] (Google Inc.)
HKU\S-1-5-21-839522115-2000478354-2147116355-1007\...\Run: [PrinterProDesktop] - C:\Program Files\Printer Pro Desktop\PrinterProDesktop.exe [2132992 2012-02-02] ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
ShortcutTarget: APC UPS Status.lnk -> C:\Program Files\APC\PowerChute Personal Edition\Display.exe (Schneider Electric)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe (McAfee, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM - DefaultScope value is missing.
BHO: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.8.130\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO: Avira SearchFree Toolbar - {41564952-412D-5637-00A7-7A786E7484D7} - C:\Program Files\AskPartnerNetwork\Toolbar\AVIRA-V7\Passport.dll (APN LLC.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
Toolbar: HKCU - Avira SearchFree Toolbar - {41564952-412D-5637-00A7-7A786E7484D7} - C:\Program Files\AskPartnerNetwork\Toolbar\AVIRA-V7\Passport.dll (APN LLC.)
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www2.snapfish.com/SnapfishActivia.cab
DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} https://remote4.ruden.com/XTSAC.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} https://remote4.ruden.com/msrdp.cab
DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} https://remote4.ruden.com/MLWebCacheCleaner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Winsock: Catalog9 01 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [257608] (Avira Operations GmbH & Co. KG)
Winsock: Catalog9 02 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [257608] (Avira Operations GmbH & Co. KG)
Winsock: Catalog9 16 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [257608] (Avira Operations GmbH & Co. KG)
Tcpip\Parameters: [DhcpNameServer] 172.16.2.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\hm1bq3v6.default
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_9_900_170.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @Google.com/GoogleEarthPlugin - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @google.com/npPicasa3,version=3.0.0 - C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin: @java.com/DTPlugin,version=1.6.0_32 - C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @mcafee.com/McAfeeMssPlugin - C:\Program Files\McAfee Security Scan\3.8.130\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=14.0.8117.0416 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @pack.google.com/Google Updater;version=14 - C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: amazon.com/AmazonMP3DownloaderPlugin - C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin.dll (Amazon.com, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll (Coupons, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF SearchPlugin: C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\hm1bq3v6.default\searchplugins\aol-search.xml
FF Extension: Разпознаване на устройство Logitech - C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\hm1bq3v6.default\Extensions\DeviceDetection@logitech.com [2011-10-18]
FF Extension: Pocket - C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\hm1bq3v6.default\Extensions\isreaditlater@ideashower.com [2013-07-02]
FF Extension: No Name - C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\hm1bq3v6.default\Extensions\staged [2014-01-31]
FF Extension: Super Start - C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\hm1bq3v6.default\Extensions\superstart@enjoyfreeware.org [2014-01-31]
FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\hm1bq3v6.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b} [2011-05-25]
FF Extension: SearchPreview - C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\hm1bq3v6.default\Extensions\{EF522540-89F5-46b9-B6FE-1829E2B572C6} [2013-11-27]
FF Extension: AOL Mail Toolbar - C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\hm1bq3v6.default\Extensions\{fa1cfe8c-66b4-4469-b360-b60c79d70c28} [2013-10-05]
FF Extension: Email Yourself! - C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\hm1bq3v6.default\Extensions\emailyourself@lazyrussian.com.xpi [2012-07-05]
FF Extension: Email This! Bookmarklet Extension - C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\hm1bq3v6.default\Extensions\gmailthis@lazyrussian.com.xpi [2012-07-05]
FF Extension: Advertising Cookie Opt-out - C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\hm1bq3v6.default\Extensions\optout@google.com.xpi [2011-09-26]
FF Extension: Print Without Ads - C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\hm1bq3v6.default\Extensions\printwithoutads@oleg.vaskevich.xpi [2012-07-05]
FF Extension: Clearly - C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\hm1bq3v6.default\Extensions\readable@evernote.com.xpi [2012-07-05]
FF Extension: Avira SearchFree Toolbar plus Web Protection - C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\hm1bq3v6.default\Extensions\toolbar_AVIRA-V7@apn.ask.com.xpi [2013-12-20]
FF Extension: Readability - C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\hm1bq3v6.default\Extensions\{6005d9b1-d115-485a-a92a-3f6453ca3fe2}.xpi [2012-07-05]
FF Extension: Protect My Choices - C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\hm1bq3v6.default\Extensions\{dc501fe1-520b-41f2-9421-ecbb2e7f0255}.xpi [2012-03-05]
FF HKLM\...\Firefox\Extensions: [{3112ca9c-de6d-4884-a869-9855de68056c}] - C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}
FF Extension: Google Toolbar for Firefox - C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2009-07-03]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []

Chrome:
=======
CHR HomePage: hxxp://www.google.com
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\32.0.1700.102\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\32.0.1700.102\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\32.0.1700.102\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Coupons Inc., Coupon Printer Manager ) - C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll (Coupons, Inc.)
CHR Plugin: (Coupons Inc., Coupon Printer Manager ) - C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll No File
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (AmazonMP3DownloaderPlugin) - C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin.dll (Amazon.com, Inc.)
CHR Plugin: (Google Earth Plugin) - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Google Updater) - C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
CHR Plugin: (Picasa) - C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
CHR Plugin: (McAfee Security Scanner +) - C:\Program Files\McAfee Security Scan\3.0.318\npMcAfeeMss.dll No File
CHR Plugin: (Silverlight Plug-In) - C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll No File
CHR Plugin: (MetaStream 3 Plugin) - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll No File
CHR Plugin: (Windows Live® Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Windows Presentation Foundation) - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.320.5) - C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
CHR Extension: (Avira SearchFree Toolbar plus Web Protection) - C:\Documents and Settings\Margi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aaaaacalgebmfelllfiaoknifldpngjh [2013-12-22]
CHR Extension: (Entanglement Web App) - C:\Documents and Settings\Margi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd [2011-05-25]
CHR Extension: (Poppit) - C:\Documents and Settings\Margi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2011-05-25]
CHR Extension: (Google Wallet) - C:\Documents and Settings\Margi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-27]
CHR Extension: (Read Your AOL Mail) - C:\Documents and Settings\Margi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\phgdojkomekmnemlclopfjlmbamhnafp [2011-05-25]
CHR HKLM\...\Chrome\Extension: [aaaaacalgebmfelllfiaoknifldpngjh] - C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\AVIRA-V7\CRX\ToolbarCR.crx [2013-12-20]

========================== Services (Whitelisted) =================

S4 AcrSch2Svc; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [804536 2011-09-22] (Acronis)
S4 afcdpsrv; C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe [3246040 2011-10-01] (Acronis)
R2 AntiVirSchedulerService; C:\Program Files\Avira\AntiVir Desktop\sched.exe [440376 2013-12-09] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [440376 2013-12-09] (Avira Operations GmbH & Co. KG)
R2 AntiVirWebService; C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE [1011768 2013-12-09] (Avira Operations GmbH & Co. KG)
R2 APC Data Service; C:\Program Files\APC\PowerChute Personal Edition\dataserv.exe [21880 2012-01-24] (Schneider Electric)
R2 APC UPS Service; C:\Program Files\APC\PowerChute Personal Edition\mainserv.exe [705912 2012-01-24] (Schneider Electric)
R2 APNMCP; C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe [166352 2013-12-20] (APN LLC.)
S4 BAsfIpM; C:\WINDOWS\System32\basfipm.exe [77824 2004-04-01] (Broadcom Corp.)
R2 cbVSCService11; C:\Program Files\Cobian Backup 11\cbVSCService11.exe [67584 2012-07-31] (CobianSoft, Luis Cobian)
R2 CobianBackup11; C:\Program Files\Cobian Backup 11\cbService.exe [1131008 2012-07-31] (Luis Cobian, CobianSoft)
S2 gupdate1c9fc20d12d0974; C:\Program Files\Google\Update\GoogleUpdate.exe [133104 2009-07-03] (Google Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [235216 2013-09-06] (McAfee, Inc.)
S4 MemeoBackgroundService; C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe [25824 2011-01-24] (Memeo)
S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-10-23] (Microsoft Corporation)
R2 Office Depot PC Support Agent; C:\Program Files\Office Depot PC Support Agent\esService.exe [1005144 2014-01-22] (Support.com, Inc.)
S4 ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [174656 2006-11-02] ()
S4 SeagateDashboardService; C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [14088 2011-06-01] (Memeo)
S4 spkrmon; C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe [61440 2003-08-28] ()
S4 KQRNZCZEM; C:\DOCUME~1\BILLGE~1\LOCALS~1\Temp\KQRNZCZEM.exe [x]
S4 NIIBRQNPXLE; C:\DOCUME~1\Margi\LOCALS~1\Temp\NIIBRQNPXLE.exe [x]

==================== Drivers (Whitelisted) ====================

R2 avgntflt; C:\WINDOWS\System32\DRIVERS\avgntflt.sys [90400 2013-12-09] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\WINDOWS\System32\DRIVERS\avipbb.sys [135648 2013-12-09] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\WINDOWS\System32\DRIVERS\avkmgr.sys [37352 2013-12-09] (Avira Operations GmbH & Co. KG)
R1 BANTExt; C:\WINDOWS\System32\Drivers\BANTExt.sys [3840 2008-02-27] ()
R3 BCM43XX; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [369024 2004-12-22] (Broadcom Corporation)
S3 cpudrv; C:\Program Files\SystemRequirementsLab\cpudrv.sys [11336 2009-12-18] ()
S3 LEqdUsb; C:\WINDOWS\System32\Drivers\LEqdUsb.Sys [42648 2011-09-02] (Logitech, Inc.)
S3 LHidEqd; C:\WINDOWS\System32\Drivers\LHidEqd.Sys [12184 2011-09-02] (Logitech, Inc.)
S3 mfeavfk; C:\WINDOWS\System32\drivers\mfeavfk.sys [79816 2009-09-16] (McAfee, Inc.)
S3 mfebopk; C:\WINDOWS\System32\drivers\mfebopk.sys [35272 2009-09-16] (McAfee, Inc.)
R1 mfehidk; C:\WINDOWS\System32\drivers\mfehidk.sys [214664 2009-09-16] (McAfee, Inc.)
S3 mferkdk; C:\WINDOWS\System32\drivers\mferkdk.sys [34248 2009-09-16] (McAfee, Inc.)
S3 mfesmfk; C:\WINDOWS\System32\drivers\mfesmfk.sys [40552 2009-09-16] (McAfee, Inc.)
R0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [214696 2013-09-27] (Microsoft Corporation)
S3 NuidFltr; C:\WINDOWS\System32\DRIVERS\NuidFltr.sys [14736 2009-05-09] (Microsoft Corporation)
R3 pfc; C:\WINDOWS\system32\drivers\pfc.sys [10368 2003-09-26] (Padus, Inc.)
R1 ssmdrv; C:\WINDOWS\System32\DRIVERS\ssmdrv.sys [28520 2013-12-09] (Avira GmbH)
S3 catchme; \??\C:\DOCUME~1\Margi\LOCALS~1\Temp\catchme.sys [x]
S4 IntelIde; No ImagePath
S4 LMIRfsClientNP; No ImagePath
S1 MpKslaf0215da; \??\C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{920D0C0B-7F96-480C-B5D9-8646E25FB8F2}\MpKslaf0215da.sys [x]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U3 mbr; \??\C:\DOCUME~1\Margi\LOCALS~1\Temp\mbr.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-02-01 07:19 - 2014-02-01 07:20 - 00000000 ____D () C:\FRST
2014-02-01 07:08 - 2014-02-01 07:08 - 00025481 _____ () C:\Documents and Settings\Margi\Desktop\attach.txt
2014-02-01 07:08 - 2014-02-01 07:08 - 00015706 _____ () C:\Documents and Settings\Margi\Desktop\dds.txt
2014-01-31 14:08 - 2014-01-31 14:08 - 00000000 ____D () C:\Documents and Settings\Margi Gearhiser\Application Data\Avira
2014-01-31 14:03 - 2014-01-31 14:03 - 00001822 _____ () C:\Documents and Settings\Margi Gearhiser\Desktop\Google Chrome.lnk
2014-01-31 14:03 - 2014-01-31 14:03 - 00000000 ____D () C:\Documents and Settings\Margi Gearhiser\Start Menu\Programs\Google Chrome
2014-01-31 14:03 - 2014-01-31 14:03 - 00000000 ____D () C:\Documents and Settings\Margi Gearhiser\Application Data\Seagate
2014-01-30 23:38 - 2014-01-30 23:38 - 00001682 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Windows Easy Transfer for Windows 7.lnk
2014-01-30 23:36 - 2014-01-30 23:37 - 00000000 ____D () C:\Program Files\Windows Easy Transfer 7
2014-01-30 23:36 - 2014-01-30 23:36 - 00000000 __HDC () C:\WINDOWS\$NtUninstallWET7Cable$
2014-01-30 23:35 - 2014-01-30 23:35 - 00001918 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Office Depot PC Support Agent.lnk
2014-01-30 23:28 - 2014-01-25 23:08 - 07609104 _____ (Microsoft Corporation) C:\Documents and Settings\Margi\Desktop\wet7xp_x86.exe
2014-01-15 14:46 - 2014-01-15 14:46 - 00001591 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Windows Easy Transfer.lnk
2014-01-15 14:45 - 2014-01-15 14:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallWETCable$
2014-01-10 18:28 - 2014-01-10 18:28 - 00000000 ____D () C:\Documents and Settings\Margi\Start Menu\Programs\Dell
2014-01-10 18:27 - 2014-01-31 13:47 - 00000000 ____D () C:\Documents and Settings\Margi\Local Settings\Application Data\Deployment

==================== One Month Modified Files and Folders =======

2014-02-01 07:20 - 2014-02-01 07:19 - 00000000 ____D () C:\FRST
2014-02-01 07:08 - 2014-02-01 07:08 - 00025481 _____ () C:\Documents and Settings\Margi\Desktop\attach.txt
2014-02-01 07:08 - 2014-02-01 07:08 - 00015706 _____ () C:\Documents and Settings\Margi\Desktop\dds.txt
2014-02-01 06:52 - 2012-04-12 10:14 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-02-01 06:46 - 2009-07-03 16:06 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-02-01 06:05 - 2006-03-23 17:07 - 00000000 ____D () C:\WINDOWS\Registration
2014-02-01 06:05 - 2006-03-23 11:57 - 00000000 ____D () C:\WINDOWS\repair
2014-02-01 05:01 - 2012-10-26 09:06 - 00000356 _____ () C:\WINDOWS\Tasks\MyDefrag v4.3.1 Daily.job
2014-02-01 05:00 - 2012-10-26 09:06 - 00000360 _____ () C:\WINDOWS\Tasks\MyDefrag v4.3.1 Monthly.job
2014-02-01 04:22 - 2011-12-19 07:34 - 01863363 _____ () C:\WINDOWS\WindowsUpdate.log
2014-02-01 03:30 - 2013-12-01 22:05 - 00000384 ____H () C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2014-01-31 17:05 - 2013-04-10 16:49 - 00000000 ____D () C:\Documents and Settings\Margi\Tracing
2014-01-31 17:04 - 2011-05-25 09:49 - 00000000 ____D () C:\Documents and Settings\Margi\Desktop\Palm Tools
2014-01-31 17:04 - 2011-05-25 09:49 - 00000000 ____D () C:\Documents and Settings\Margi\Desktop\iPod tools
2014-01-31 17:04 - 2011-05-25 09:45 - 00000000 ____D () C:\Documents and Settings\Margi\Desktop\SysAdmin stuff
2014-01-31 17:04 - 2011-05-25 09:20 - 00000000 ____D () C:\Documents and Settings\Margi\Start Menu\Programs\Palm
2014-01-31 17:04 - 2006-03-23 17:19 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Utilities
2014-01-31 16:46 - 2009-07-03 16:06 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-31 16:33 - 2003-07-16 11:46 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-01-31 16:25 - 2011-12-19 07:24 - 00000159 ____N () C:\WINDOWS\wiadebug.log
2014-01-31 16:25 - 2011-12-19 07:24 - 00000049 ____N () C:\WINDOWS\wiaservc.log
2014-01-31 16:24 - 2006-03-23 17:10 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-01-31 14:08 - 2014-01-31 14:08 - 00000000 ____D () C:\Documents and Settings\Margi Gearhiser\Application Data\Avira
2014-01-31 14:03 - 2014-01-31 14:03 - 00001822 _____ () C:\Documents and Settings\Margi Gearhiser\Desktop\Google Chrome.lnk
2014-01-31 14:03 - 2014-01-31 14:03 - 00000000 ____D () C:\Documents and Settings\Margi Gearhiser\Start Menu\Programs\Google Chrome
2014-01-31 14:03 - 2014-01-31 14:03 - 00000000 ____D () C:\Documents and Settings\Margi Gearhiser\Application Data\Seagate
2014-01-31 13:47 - 2014-01-10 18:27 - 00000000 ____D () C:\Documents and Settings\Margi\Local Settings\Application Data\Deployment
2014-01-31 13:08 - 2011-06-27 22:29 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-01-31 13:08 - 2011-05-25 09:49 - 00000000 ____D () C:\Documents and Settings\Margi\Application Data\Malwarebytes
2014-01-31 11:00 - 2009-07-03 15:50 - 00000868 _____ () C:\WINDOWS\Tasks\Google Software Updater.job
2014-01-31 10:52 - 2011-12-19 07:24 - 00032426 ____N () C:\WINDOWS\SchedLgU.Txt
2014-01-31 01:21 - 2011-05-25 09:20 - 00000278 ___SH () C:\Documents and Settings\Margi\ntuser.ini
2014-01-31 01:21 - 2011-05-25 09:20 - 00000000 ____D () C:\Documents and Settings\Margi
2014-01-30 23:38 - 2014-01-30 23:38 - 00001682 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Windows Easy Transfer for Windows 7.lnk
2014-01-30 23:37 - 2014-01-30 23:36 - 00000000 ____D () C:\Program Files\Windows Easy Transfer 7
2014-01-30 23:36 - 2014-01-30 23:36 - 00000000 __HDC () C:\WINDOWS\$NtUninstallWET7Cable$
2014-01-30 23:35 - 2014-01-30 23:35 - 00001918 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Office Depot PC Support Agent.lnk
2014-01-30 23:35 - 2013-11-25 22:18 - 00001912 _____ () C:\Documents and Settings\All Users\Desktop\Office Depot PC Support Agent.lnk
2014-01-30 23:35 - 2011-12-18 16:33 - 00000000 ____D () C:\Program Files\Office Depot PC Support Agent
2014-01-25 23:08 - 2014-01-30 23:28 - 07609104 _____ (Microsoft Corporation) C:\Documents and Settings\Margi\Desktop\wet7xp_x86.exe
2014-01-25 17:17 - 2011-09-04 18:02 - 00000282 _____ () C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2014-01-18 13:42 - 2012-08-01 19:49 - 00065536 _____ () C:\WINDOWS\system32\config\Cobian B.evt
2014-01-15 17:16 - 2013-09-27 12:59 - 00002347 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
2014-01-15 17:12 - 2006-05-13 14:34 - 00000000 ____D () C:\Program Files\Common Files\Adobe
2014-01-15 14:46 - 2014-01-15 14:46 - 00001591 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Windows Easy Transfer.lnk
2014-01-15 14:45 - 2014-01-15 14:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallWETCable$
2014-01-15 14:34 - 2011-05-29 17:21 - 00000000 __SHD () C:\WINDOWS\CSC
2014-01-15 13:58 - 2006-05-17 02:55 - 00001324 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-01-12 13:39 - 2007-01-23 17:42 - 00000000 ____D () C:\WINDOWS\system32\LogFiles
2014-01-10 18:28 - 2014-01-10 18:28 - 00000000 ____D () C:\Documents and Settings\Margi\Start Menu\Programs\Dell
2014-01-09 00:26 - 2012-05-05 11:44 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service

Files to move or delete:
====================
C:\Documents and Settings\Margi\en_res.dll
C:\Documents and Settings\Margi\es_res.dll
C:\Documents and Settings\Margi\fr_res.dll
C:\Documents and Settings\Margi\grm_res.dll
C:\Documents and Settings\Margi\it_res.dll
C:\Documents and Settings\Margi\jp_res.dll
C:\Documents and Settings\Margi\mfc80u.dll
C:\Documents and Settings\Margi\msvcr80.dll
C:\Documents and Settings\Margi\PCPE Setup.exe
C:\Documents and Settings\Margi\pt_res.dll
C:\Documents and Settings\Margi\ResourceReader.dll
C:\Documents and Settings\Margi\ru_res.dll
C:\Documents and Settings\Margi\zh_res.dll

Some content of TEMP:
====================
C:\Documents and Settings\Margi\Local Settings\temp\avgnt.exe
C:\Documents and Settings\Margi Gearhiser\Local Settings\temp\avgnt.exe

==================== Bamital & volsnap Check =================

C:\WINDOWS\explorer.exe => MD5 is legit
C:\WINDOWS\system32\winlogon.exe => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\User32.dll => MD5 is legit
C:\WINDOWS\system32\userinit.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================




#5 TheGear

TheGear
  • Topic Starter

  • Members
  • 82 posts

Posted 01 February 2014 - 07:46 AM

Full disclosure: in checking my notes, I find that I ran ComboFix myself on this system, hoping it would do something to energize the system. So that's the reason there are artifacts on the system.



#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 01 February 2014 - 08:36 AM

Hello TheGear



I need you to download this script I have made for you --> Attached File: fixlist.txt (12.97KB)

It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow).

Run FRST again but this time press the Fix button just once and wait.


When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file to your reply.


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 TheGear

TheGear
  • Topic Starter

  • Members
  • 82 posts

Posted 01 February 2014 - 08:49 AM

Here is fixlog.txt:


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 01-02-2014 03
Ran by Margi at 2014-02-01 08:47:51 Run:1
Running from C:\Documents and Settings\Margi\My Documents\Downloads\BleepingComputer\02 FRST
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKLM Group Policy restriction on software: *.wma.exe <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.com <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.com <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wma.pif <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.scr <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Application Data\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Application Data\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.pif <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.scr <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Local Settings\Application Data\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.com <====== ATTENTION
HKLM Group Policy restriction on software: *.png.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.com <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Local Settings\Application Data\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Application Data\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.pif <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Local Settings\Application Data\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.png.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.com <====== ATTENTION
HKLM Group Policy restriction on software: *.png.com <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Application Data\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.com <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.com <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.com <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.pif <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Local Settings\Application Data\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Local Settings\Application Data\188f1432-103a-4ffb-80f1-36b633c5c9e1\geardifx.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\pcpe setup.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Application Data\188f1432-103a-4ffb-80f1-36b633c5c9e1\geardifx.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\pcpe setup.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\188f1432-103a-4ffb-80f1-36b633c5c9e1\geardifx.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\188f1432-103a-4ffb-80f1-36b633c5c9e1\geardifx.exe <====== ATTENTION
S4 KQRNZCZEM; C:\DOCUME~1\BILLGE~1\LOCALS~1\Temp\KQRNZCZEM.exe [x]
S4 NIIBRQNPXLE; C:\DOCUME~1\Margi\LOCALS~1\Temp\NIIBRQNPXLE.exe [x]

*****************

HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
KQRNZCZEM => Service deleted successfully.
NIIBRQNPXLE => Service deleted successfully.

==== End of Fixlog ====



#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 01 February 2014 - 10:15 AM



Hello TheGear

These are the programs I would like you to run next; if you have any problems with one of these, just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete, click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 TheGear

TheGear
  • Topic Starter

  • Members
  • 82 posts

Posted 01 February 2014 - 11:36 AM

# AdwCleaner v3.018 - Report created 01/02/2014 at 10:46:00
# Updated 28/01/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Margi - SOPHOCLES
# Running from : C:\Documents and Settings\Margi\My Documents\Downloads\BleepingComputer\03 Adware Cleaner\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Mozilla Firefox v26.0 (en-US)

[ File : C:\Documents and Settings\Bill Gearhiser\Application Data\Mozilla\Firefox\Profiles\5kpo48r4.default\prefs.js ]

[ File : C:\Documents and Settings\Margi Gearhiser\Application Data\Mozilla\Firefox\Profiles\0ci6ma6t.default\prefs.js ]

[ File : C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\hm1bq3v6.default\prefs.js ]

-\\ Google Chrome v32.0.1700.102

[ File : C:\Documents and Settings\Margi\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [13146 octets] - [28/11/2013 11:21:11]
AdwCleaner[R1].txt - [1389 octets] - [01/02/2014 10:42:16]
AdwCleaner[S0].txt - [13494 octets] - [28/11/2013 12:15:14]
AdwCleaner[S1].txt - [1310 octets] - [01/02/2014 10:46:00]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1370 octets] ##########

 

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.0 (01.07.2014:1)
OS: Microsoft Windows XP x86
Ran by Margi on Sat 02/01/2014 at 11:09:30.96
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\apntbmon

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{41564952-412D-5637-00A7-7A786E7484D7}

 

~~~ Files

Successfully deleted: [File] "C:\Program Files\mozilla firefox\plugins\npcouponprinter.dll"
Successfully deleted: [File] "C:\Program Files\mozilla firefox\plugins\npmozcouponprinter.dll"

 

~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\apn"
Successfully deleted: [Folder] "C:\Program Files\coupons"

 

~~~ FireFox

Successfully deleted: [File] C:\Documents and Settings\Margi\Application Data\mozilla\firefox\profiles\hm1bq3v6.default\extensions\toolbar_avira-v7@apn.ask.com.xpi
Successfully deleted: [Folder] C:\Documents and Settings\Margi\Application Data\mozilla\firefox\profiles\hm1bq3v6.default\extensions\staged
Successfully deleted: [Folder] C:\Documents and Settings\Margi\Application Data\mozilla\firefox\profiles\hm1bq3v6.default\extensions\{ef522540-89f5-46b9-b6fe-1829e2b572c6}
Successfully deleted the following from C:\Documents and Settings\Margi\Application Data\mozilla\firefox\profiles\hm1bq3v6.default\prefs.js

user_pref("aolmail_toolbar.search.searchtype", "web");
Emptied folder: C:\Documents and Settings\Margi\Application Data\mozilla\firefox\profiles\hm1bq3v6.default\minidumps [5 files]

 

~~~ Chrome

Successfully deleted: [Folder] C:\Documents and Settings\Margi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aaaaacalgebmfelllfiaoknifldpngjh
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\aaaaacalgebmfelllfiaoknifldpngjh

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 02/01/2014 at 11:16:14.42
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 01 February 2014 - 11:38 AM


Hello TheGear

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"
  • In your next post I need the following
    • Log from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now?
Gringo

#11 TheGear

TheGear
  • Topic Starter

  • Members
  • 82 posts

Posted 01 February 2014 - 02:00 PM

That didn't go too smoothly. Recall that Microsoft Security Essentials is not installed on this machine, and I'm temporarily using Avira Free for some coverage.

 

When I started ComboFix, it got to a point where it popped up a warning that Security Essentials was running and that I should disable it before continuing. So I started up Process Explorer (SysInternals) to see if I could see anything like MsMpEng running. Nothing. I had already turned off Avira's realtime protection, but web protection was still on. I turned it off. I thought maybe Avira was aliasing itself to MSE somehow, so I decided to exit ComboFix, uninstall Avira, and start over. Mistake.

 

ProcExp told me that the Warning window was attached to a process with a 3XE extension (can't remember the exact name -- Dir something). I thought that killing that process would kill ComboFix. So I killed it. Immediately I got another window indicating that ComboFix was continuing the process, so I let it.

 

ComboFix went ahead and finished its job, apparently. Here is the log file. I'm going to post this now, then uninstall Avira and see whether I can get MSE to install. I'll report on that shortly.

 

 

ComboFix 14-02-01.01 - Margi 02/01/2014  13:23:52.6.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2038.1400 [GMT -5:00]
Running from: c:\documents and settings\Margi\My Documents\Downloads\BleepingComputer\05 ComboFix\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Margi\ResourceReader.dll
.
.
(((((((((((((((((((((((((   Files Created from 2014-01-01 to 2014-02-01  )))))))))))))))))))))))))))))))
.
.
2014-02-01 16:09 . 2014-02-01 16:09 -------- d-----w- c:\windows\ERUNT
2014-02-01 12:19 . 2014-02-01 13:47 -------- d-----w- C:\FRST
2014-01-31 19:08 . 2014-01-31 19:08 -------- d-----w- c:\documents and settings\Margi Gearhiser\Application Data\Avira
2014-01-31 19:03 . 2014-01-31 19:03 -------- d-----w- c:\documents and settings\Margi Gearhiser\Application Data\Seagate
2014-01-31 04:36 . 2014-01-31 04:37 -------- d-----w- c:\program files\Windows Easy Transfer 7
2014-01-15 22:01 . 2014-01-31 22:04 -------- dc----w- c:\documents and settings\Margi\Local Settings\Application Data\MigWiz
2014-01-10 23:27 . 2014-01-31 18:47 -------- d-----w- c:\documents and settings\Margi\Local Settings\Application Data\Deployment
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-11 13:54 . 2013-12-11 12:54 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-12-11 13:54 . 2011-06-15 13:29 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-09 16:37 . 2013-12-13 05:29 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-12-09 16:37 . 2013-12-13 05:29 135648 ----a-w- c:\windows\system32\drivers\avipbb.sys
2013-12-09 16:37 . 2013-12-13 05:29 90400 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-11-19 10:21 . 2010-04-12 03:40 230048 ------w- c:\windows\system32\MpSigStub.exe
2013-11-08 01:15 . 2013-12-01 07:53 7772552 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{920D0C0B-7F96-480C-B5D9-8646E25FB8F2}\mpengine.dll
2013-11-08 01:15 . 2013-11-30 07:51 7772552 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FCCD7AB6C256F5FC8AFEEC423CCF207E4CA2BD16._service_run"="c:\program files\Google\Chrome\Application\chrome.exe" [2014-01-23 866584]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 68856]
"PrinterProDesktop"="c:\program files\Printer Pro Desktop\PrinterProDesktop.exe" [2012-02-02 2132992]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
"Cobian Backup 11 interface"="c:\program files\Cobian Backup 11\cbInterface.exe" [2012-07-31 4407808]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-11-02 152392]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2013-12-09 684600]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2012-8-10 113664]
APC UPS Status.lnk - c:\program files\APC\PowerChute Personal Edition\Display.exe [2012-1-24 271736]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.8.130\SSScheduler.exe [2013-9-6 273296]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2011-06-17 07:33 66328 ------w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-10-19 22:08 92072 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Office Depot PC Support Agent]
@="Office Depot PC Support Agent"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2011-09-23 00:30 394832 ------w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-04-22 01:43 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2012-10-10 15:22 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Memeo AutoSync]
2010-04-16 21:43 144608 ------w- c:\program files\Memeo\AutoSync\MemeoLauncher2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Memeo Instant Backup]
2011-01-24 18:35 136416 ------w- c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Memeo Send]
2010-07-20 18:18 236816 ------w- c:\program files\Memeo\Memeo Send\MemeoLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 10:50 155648 ------r- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAOB Monitor]
2011-09-22 20:00 2536760 ------w- c:\program files\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2011-09-23 00:29 5550984 ------w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"spkrmon"=2 (0x2)
"SeagateDashboardService"=2 (0x2)
"ose"=3 (0x3)
"MsMpSvc"=2 (0x2)
"MemeoBackgroundService"=2 (0x2)
"KQRNZCZEM"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"Bonjour Service"=2 (0x2)
"BAsfIpM"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"SkypeUpdate"=2 (0x2)
"LBTServ"=3 (0x3)
"iPod Service"=3 (0x3)
"afcdpsrv"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Seagate\\Seagate Dashboard\\HipServAgent\\HipServAgent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"33300:TCP"= 33300:TCP:PrinterProDesktop
.
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\drivers\tdrpm273.sys [10/1/2011 3:29 PM 752128]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [12/13/2013 12:29 AM 37352]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/13/2013 12:29 AM 440376]
R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [12/13/2013 12:29 AM 1011768]
R2 APC Data Service;APC Data Service;c:\program files\APC\PowerChute Personal Edition\dataserv.exe [1/24/2012 3:21 PM 21880]
R2 APNMCP;Ask Update Service;c:\program files\AskPartnerNetwork\Toolbar\apnmcp.exe [12/20/2013 2:29 PM 166352]
R2 cbVSCService11;Cobian Backup 11 Volume Shadow Copy Requester;c:\program files\Cobian Backup 11\cbVSCService11.exe [8/1/2012 3:45 PM 67584]
R2 CobianBackup11;Cobian Backup 11 Gravity;c:\program files\Cobian Backup 11\cbService.exe [8/1/2012 3:45 PM 1131008]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [10/18/2011 4:14 PM 12184]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/24/2012 1:41 PM 12856]
R2 Office Depot PC Support Agent;Office Depot PC Support Agent;c:\program files\Office Depot PC Support Agent\esService.exe [1/22/2014 4:47 AM 1005144]
S1 MpKslaf0215da;MpKslaf0215da;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{920D0C0B-7F96-480C-B5D9-8646E25FB8F2}\MpKslaf0215da.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{920D0C0B-7F96-480C-B5D9-8646E25FB8F2}\MpKslaf0215da.sys [?]
S2 gupdate1c9fc20d12d0974;Google Update Service (gupdate1c9fc20d12d0974);c:\program files\Google\Update\GoogleUpdate.exe [7/3/2009 3:57 PM 133104]
S3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [10/1/2011 3:30 PM 167968]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [4/30/2011 7:00 AM 42648]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [4/30/2011 7:00 AM 12184]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.8.130\McCHSvc.exe [9/6/2013 12:29 PM 235216]
S4 afcdpsrv;Acronis Nonstop Backup Service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [10/1/2011 3:29 PM 3246040]
S4 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [7/7/2011 6:31 PM 195336]
S4 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [6/15/2011 4:33 PM 249648]
S4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/19/2012 5:08 PM 374704]
S4 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [1/24/2011 1:35 PM 25824]
S4 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [6/1/2011 11:42 AM 14088]
S4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 12:28 PM 160944]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - PROCEXP152
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-01-29 06:47 1211672 ----a-w- c:\program files\Google\Chrome\Application\32.0.1700.102\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-02-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 13:54]
.
2014-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2014-02-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-21 16:30]
.
2014-02-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-03 20:56]
.
2014-02-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-03 20:56]
.
2014-02-01 c:\windows\Tasks\MyDefrag v4.3.1 Daily.job
- c:\program files\MyDefrag v4.3.1\Scripts\AutomaticDaily.MyD [2012-10-26 16:03]
.
2014-02-01 c:\windows\Tasks\MyDefrag v4.3.1 Monthly.job
- c:\program files\MyDefrag v4.3.1\Scripts\AutomaticMonthly.MyD [2012-10-26 16:03]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: &AOL Email Toolbar Search - c:\documents and settings\All Users\Application Data\AOL Email Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
Trusted Zone: dell.com
TCP: DhcpNameServer = 172.16.2.1
DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} - hxxps://remote4.ruden.com/MLWebCacheCleaner.cab
FF - ProfilePath - c:\documents and settings\Margi\Application Data\Mozilla\Firefox\Profiles\hm1bq3v6.default\
FF - ExtSQL: !HIDDEN! 2010-11-30 09:44; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{41564952-412D-5637-00A7-7A786E7484D7} - (no file)
WebBrowser-{41564952-412D-5637-00A7-7A786E7484D7} - (no file)
AddRemove-Coupon Printer for Windows5.0.0.1 - c:\program files\Coupons\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-02-01 13:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-839522115-2000478354-2147116355-1004_Classes\CLSID\{97090E2F-3062-4459-855B-014F0D3CDBB1}]
@DACL=(02 0000)
@="Windows Search Deskbar"
"AppID"=""
.
[HKEY_USERS\S-1-5-21-839522115-2000478354-2147116355-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ff,b7,36,30,1a,6f,57,4f,81,af,d1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ff,b7,36,30,1a,6f,57,4f,81,af,d1,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(940)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'lsass.exe'(996)
c:\windows\system32\LMIRfsClientNP.dll
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
Completion time: 2014-02-01  13:37:15
ComboFix-quarantined-files.txt  2014-02-01 18:37
ComboFix2.txt  2013-11-28 19:28
.
Pre-Run: 8,890,347,520 bytes free
Post-Run: 9,101,258,752 bytes free
.
- - End Of File - - 2A56CD0A5D717F3C1360656B109BC709
8F558EB6672622401DA993E1E865C861
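The ComboFix log above is fixed-format text: `AV:` lines listing each registered antivirus product with its GUID, `"name"="path" [date size]` lines under each Run key, `"name"=N (0xN)` lines under the msconfig services key, and `R2 name;display;path [...]` lines for services and drivers. As an added example (the editor's code, not ComboFix's and not anything posted in this thread), the Python script below parses those four line types and applies three review heuristics: a product name that appears more than once among the AV registrations (the two Microsoft Security Essentials GUIDs above, which fits the poster's report that tools believe MSE is present although it is not installed), all-uppercase names of eight or more letters (the shape of the KQRNZCZEM and NIIBRQNPXLE services that FRST deleted earlier in the thread), and service or autostart paths under a user profile or containing strings that AdwCleaner and JRT removed here (AskPartnerNetwork, coupon). The sample log is constructed from lines in the thread; the heuristics and the keyword list are assumptions, and a hit is a prompt to look closer, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample in ComboFix's log format, modelled on the log posted in
# this thread (names and paths copied from it). It is not the full log.
SAMPLE_LOG = r"""
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2013-12-09 684600]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MsMpSvc"=2 (0x2)
"KQRNZCZEM"=3 (0x3)
"LBTServ"=3 (0x3)
.
R2 APNMCP;Ask Update Service;c:\program files\AskPartnerNetwork\Toolbar\apnmcp.exe [12/20/2013 2:29 PM 166352]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/24/2012 1:41 PM 12856]
S1 MpKslaf0215da;MpKslaf0215da;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{920D0C0B-7F96-480C-B5D9-8646E25FB8F2}\MpKslaf0215da.sys [?]
"""

# Line shapes seen in the posted ComboFix log.
AV_RE = re.compile(r'^AV: (?P<name>.+?) \*(?P<state>\w+)/(?P<upd>\w+)\* \{(?P<guid>[0-9A-Fa-f-]+)\}$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[')
MSCONFIG_RE = re.compile(r'^"(?P<name>[^"]+)"=\d+ \(0x[0-9a-fA-F]+\)$')
SVC_RE = re.compile(r'^(?P<type>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[')

# Review heuristics: the editor's assumptions, not rules from ComboFix or the thread.
RANDOM_NAME_RE = re.compile(r'^[A-Z]{8,}$')       # shape of KQRNZCZEM / NIIBRQNPXLE
PROFILE_PATH_RE = re.compile(r'\\(documents and settings|application data)\\', re.IGNORECASE)
PUP_HINTS = ('askpartnernetwork', 'coupon')       # strings in what AdwCleaner/JRT removed here


def parse_combofix(text):
    """Return (av registrations by product, Run/msconfig entries, service lines)."""
    av = defaultdict(list)      # product name -> [(guid, 'state/update'), ...]
    entries = []                # (registry section, value name, path or None)
    services = []               # (R/S type, service name, image path)
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]            # a registry key header such as [HKEY_...\Run]
            continue
        m = AV_RE.match(line)
        if m:
            av[m['name']].append((m['guid'], f"{m['state']}/{m['upd']}"))
            continue
        m = SVC_RE.match(line)
        if m:
            services.append((m['type'], m['name'], m['path']))
            continue
        m = RUN_RE.match(line) or MSCONFIG_RE.match(line)
        if m and section:
            entries.append((section, m['name'], m.groupdict().get('path')))
    return av, entries, services


def triage(text):
    """Apply the review heuristics; returns (category, subject, detail) tuples."""
    av, entries, services = parse_combofix(text)
    findings = []
    for product, regs in av.items():
        if len(regs) > 1:       # same product registered twice under different GUIDs
            detail = '; '.join(f'{guid} ({state})' for guid, state in regs)
            findings.append(('duplicate-av-registration', product, detail))
    flagged = set()

    def check_name(name, where):
        if RANDOM_NAME_RE.match(name) and name not in flagged:
            flagged.add(name)
            findings.append(('random-looking-name', name, where))

    def check_path(name, path, where):
        if not path:
            return
        if any(hint in path.lower() for hint in PUP_HINTS):
            findings.append(('pup-hint', name, path))
        if PROFILE_PATH_RE.search(path):
            findings.append(('loads-from-profile-path', name, f'{where}: {path}'))

    for section, name, path in entries:
        check_name(name, section)
        check_path(name, path, section)
    for stype, name, path in services:
        check_name(name, f'service/driver {stype}')
        check_path(name, path, f'service/driver {stype}')
    return findings


def main():
    for category, subject, detail in triage(SAMPLE_LOG):
        print(f'{category:26} {subject:16} {detail}')


if __name__ == '__main__':
    main()
```

Run against the sample, the script reports the doubled MSE registration, the KQRNZCZEM name from the msconfig services list, the Ask toolbar service path, and the MSE driver loading from All Users\Application Data; the last of those is legitimate for MSE, which is why each finding is worded as something to review rather than something to remove. To run it on a real log, read the posted file into `triage()` in place of `SAMPLE_LOG`.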
 



#12 TheGear

TheGear
  • Topic Starter

  • Members
  • 82 posts

Posted 01 February 2014 - 03:55 PM

The system looks like it has improved. The firewall is up. I still can't get Microsoft Security Essentials installed, but I no longer get an "installation database corruption" message (instead, I get a 0x80070645, which seems to be related to .NET installation).

 

Strangely, Belarc Advisor (which now runs to completion) tells me Microsoft Security Essentials is installed, up-to-date, and running. It's not installed! The same problem played games with running ComboFix. (I have uninstalled Avira.)

 

Other than that, I haven't noticed any other anomalies.



#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 02 February 2014 - 10:07 AM


Hello TheGear

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
CFScriptB-4.gif
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo

#14 TheGear

TheGear
  • Topic Starter

  • Members
  • 82 posts

Posted 02 February 2014 - 02:48 PM

Once again, when I started ComboFix it claimed that Microsoft Security Essentials was running and asked me to kill it. I did some googling ('manually remove microsoft security essentials') and discovered Hitman Pro Kickstart, which boots off a USB memory stick. I created that, rebooted the system without allowing ComboFix to run, and did a Hitman scan. Hitman said nothing about MSE, but considered windows\system32\userinit.exe to be "suspect" as well as explorer.exe. I found a web site at http://www.kellys-korner-xp.com/xp_tweaks.htm (which, I believe, was referenced on a Bleeping Computer page), which offered to restore userinit. Ultimately I decided it was too far off the path and went back and ran ComboFix (after running Fix It 50535 in the hope that it would remove MSE for ComboFix. No help.).

 

As far as how it's running, I would say OK but slow sometimes. Probably stable enough to go ahead and close this thread, if you like.

 

So here is the ComboFix output:  Thanks for your patience.

 

ComboFix 14-02-01.01 - Margi 02/02/2014  14:10:04.7.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2038.1491 [GMT -5:00]
Running from: c:\documents and settings\Margi\My Documents\Downloads\BleepingComputer\05 ComboFix\ComboFix.exe
Command switches used :: c:\documents and settings\Margi\My Documents\Downloads\BleepingComputer\05 ComboFix\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((   Files Created from 2014-01-02 to 2014-02-02  )))))))))))))))))))))))))))))))
.
.
2014-02-02 18:41 . 2014-02-02 18:41 12872 ----a-w- c:\windows\system32\bootdelete.exe
2014-02-02 17:27 . 2014-02-02 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2014-02-01 22:33 . 2014-02-02 19:04 2318 ----a-w- C:\FixitRegBackup.reg
2014-02-01 16:09 . 2014-02-01 16:09 -------- d-----w- c:\windows\ERUNT
2014-02-01 12:19 . 2014-02-01 13:47 -------- d-----w- C:\FRST
2014-01-31 19:03 . 2014-01-31 19:03 -------- d-----w- c:\documents and settings\Margi Gearhiser\Application Data\Seagate
2014-01-31 04:36 . 2014-01-31 04:37 -------- d-----w- c:\program files\Windows Easy Transfer 7
2014-01-15 22:01 . 2014-01-31 22:04 -------- dc----w- c:\documents and settings\Margi\Local Settings\Application Data\MigWiz
2014-01-10 23:27 . 2014-01-31 18:47 -------- d-----w- c:\documents and settings\Margi\Local Settings\Application Data\Deployment
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-11 13:54 . 2013-12-11 12:54 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-12-11 13:54 . 2011-06-15 13:29 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-27 20:21 . 2003-07-16 16:31 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2013-11-19 10:21 . 2010-04-12 03:40 230048 ------w- c:\windows\system32\MpSigStub.exe
2013-11-13 02:59 . 2003-07-16 16:24 150528 ----a-w- c:\windows\system32\imagehlp.dll
2013-11-08 01:15 . 2013-12-01 07:53 7772552 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{920D0C0B-7F96-480C-B5D9-8646E25FB8F2}\mpengine.dll
2013-11-08 01:15 . 2013-11-30 07:51 7772552 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-11-07 05:38 . 2004-03-06 02:16 591360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-11-06 01:03 . 2009-04-17 00:59 7168 ----a-w- c:\windows\system32\xpsp4res.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FCCD7AB6C256F5FC8AFEEC423CCF207E4CA2BD16._service_run"="c:\program files\Google\Chrome\Application\chrome.exe" [2014-01-23 866584]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 68856]
"PrinterProDesktop"="c:\program files\Printer Pro Desktop\PrinterProDesktop.exe" [2012-02-02 2132992]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
"Cobian Backup 11 interface"="c:\program files\Cobian Backup 11\cbInterface.exe" [2012-07-31 4407808]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-11-02 152392]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2012-8-10 113664]
APC UPS Status.lnk - c:\program files\APC\PowerChute Personal Edition\Display.exe [2012-1-24 271736]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.8.130\SSScheduler.exe [2013-9-6 273296]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2011-06-17 07:33 66328 ------w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-10-19 22:08 92072 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Office Depot PC Support Agent]
@="Office Depot PC Support Agent"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2011-09-23 00:30 394832 ------w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-04-22 01:43 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2012-10-10 15:22 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Memeo AutoSync]
2010-04-16 21:43 144608 ------w- c:\program files\Memeo\AutoSync\MemeoLauncher2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Memeo Instant Backup]
2011-01-24 18:35 136416 ------w- c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Memeo Send]
2010-07-20 18:18 236816 ------w- c:\program files\Memeo\Memeo Send\MemeoLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 10:50 155648 ------r- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAOB Monitor]
2011-09-22 20:00 2536760 ------w- c:\program files\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2011-09-23 00:29 5550984 ------w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"spkrmon"=2 (0x2)
"SeagateDashboardService"=2 (0x2)
"ose"=3 (0x3)
"MsMpSvc"=2 (0x2)
"MemeoBackgroundService"=2 (0x2)
"KQRNZCZEM"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"Bonjour Service"=2 (0x2)
"BAsfIpM"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"SkypeUpdate"=2 (0x2)
"LBTServ"=3 (0x3)
"iPod Service"=3 (0x3)
"afcdpsrv"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Seagate\\Seagate Dashboard\\HipServAgent\\HipServAgent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"33300:TCP"= 33300:TCP:PrinterProDesktop
.
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\drivers\tdrpm273.sys [10/1/2011 3:29 PM 752128]
R2 APC Data Service;APC Data Service;c:\program files\APC\PowerChute Personal Edition\dataserv.exe [1/24/2012 3:21 PM 21880]
R2 APNMCP;Ask Update Service;c:\program files\AskPartnerNetwork\Toolbar\apnmcp.exe [12/20/2013 2:29 PM 166352]
R2 cbVSCService11;Cobian Backup 11 Volume Shadow Copy Requester;c:\program files\Cobian Backup 11\cbVSCService11.exe [8/1/2012 3:45 PM 67584]
R2 CobianBackup11;Cobian Backup 11 Gravity;c:\program files\Cobian Backup 11\cbService.exe [8/1/2012 3:45 PM 1131008]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [10/18/2011 4:14 PM 12184]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/24/2012 1:41 PM 12856]
R2 Office Depot PC Support Agent;Office Depot PC Support Agent;c:\program files\Office Depot PC Support Agent\esService.exe [1/22/2014 4:47 AM 1005144]
S1 MpKslaf0215da;MpKslaf0215da;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{920D0C0B-7F96-480C-B5D9-8646E25FB8F2}\MpKslaf0215da.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{920D0C0B-7F96-480C-B5D9-8646E25FB8F2}\MpKslaf0215da.sys [?]
S2 gupdate1c9fc20d12d0974;Google Update Service (gupdate1c9fc20d12d0974);c:\program files\Google\Update\GoogleUpdate.exe [7/3/2009 3:57 PM 133104]
S2 HitmanPro37CrusaderBoot;HitmanPro 3.7 Crusader (Boot);"e:\hitmanpro.exe" /crusader:boot --> e:\HitmanPro.exe [?]
S3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [10/1/2011 3:30 PM 167968]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [4/30/2011 7:00 AM 42648]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [4/30/2011 7:00 AM 12184]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.8.130\McCHSvc.exe [9/6/2013 12:29 PM 235216]
S4 afcdpsrv;Acronis Nonstop Backup Service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [10/1/2011 3:29 PM 3246040]
S4 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [7/7/2011 6:31 PM 195336]
S4 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [6/15/2011 4:33 PM 249648]
S4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/19/2012 5:08 PM 374704]
S4 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [1/24/2011 1:35 PM 25824]
S4 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [6/1/2011 11:42 AM 14088]
S4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 12:28 PM 160944]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - HITMANPRO37CRUSADERBOOT
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-01-29 06:47 1211672 ----a-w- c:\program files\Google\Chrome\Application\32.0.1700.102\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-02-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 13:54]
.
2014-02-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2014-02-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-21 16:30]
.
2014-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-03 20:56]
.
2014-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-03 20:56]
.
2014-02-02 c:\windows\Tasks\MyDefrag v4.3.1 Daily.job
- c:\program files\MyDefrag v4.3.1\Scripts\AutomaticDaily.MyD [2012-10-26 16:03]
.
2014-02-01 c:\windows\Tasks\MyDefrag v4.3.1 Monthly.job
- c:\program files\MyDefrag v4.3.1\Scripts\AutomaticMonthly.MyD [2012-10-26 16:03]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: &AOL Email Toolbar Search - c:\documents and settings\All Users\Application Data\AOL Email Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: dell.com
TCP: DhcpNameServer = 172.16.2.1
DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} - hxxps://remote4.ruden.com/MLWebCacheCleaner.cab
FF - ProfilePath - c:\documents and settings\Margi\Application Data\Mozilla\Firefox\Profiles\hm1bq3v6.default\
FF - ExtSQL: !HIDDEN! 2010-11-30 09:44; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-02-02 14:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HitmanPro37CrusaderBoot]
"ImagePath"="\"e:\hitmanpro.exe\" /crusader:boot"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-839522115-2000478354-2147116355-1004_Classes\CLSID\{97090E2F-3062-4459-855B-014F0D3CDBB1}]
@DACL=(02 0000)
@="Windows Search Deskbar"
"AppID"=""
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(940)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'lsass.exe'(996)
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(3120)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2014-02-02  14:23:21
ComboFix-quarantined-files.txt  2014-02-02 19:23
ComboFix2.txt  2014-02-01 18:37
ComboFix3.txt  2013-11-28 19:28
.
Pre-Run: 8,728,260,608 bytes free
Post-Run: 8,769,372,160 bytes free
.
- - End Of File - - F78DA254822FCAC37F928CBA3D235C1F
8F558EB6672622401DA993E1E865C861

 



#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:24 PM

Posted 02 February 2014 - 08:34 PM


Hello TheGear

I would like to see a report that combofix makes.

extra combofix report
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok
copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University



