antivirus security pro

arnoldbowman@aol.com

New Member
Thread author
Verified
Nov 21, 2013
18
http://www.antivirussecurityproremoval.com/
On this page is the tool "Process Explorer" from Microsoft.
This tool was able to stop the Security Pro processes,
which then allowed me to download the Malwarebytes Anti-Malware application.
My computer seems to be working fine now.
Thanks for your help.
BTW: The Hitman Pro application does not have a 30-day free trial.

arnoldbowman@aol.com

Thread author
Nov 21, 2013
It generated 2 documents. I will paste both of them.
1-Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 22-11-2013 01
Ran by abowman (administrator) on STATION3 on 22-11-2013 15:52:33
Running from G:\
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Symantec Corporation) D:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
(Symantec Corporation) D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
(Symantec Corporation) D:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
(SurfRight B.V.) D:\Program Files\HitmanPro\hmpsched.exe
(Symantec Corporation) D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
(Symantec Corporation) D:\Program Files\Common Files\Symantec Shared\ccApp.exe
(Realtek Semiconductor Corp.) D:\WINDOWS\RTHDCPL.EXE
(iCode Inc.) D:\Program Files\Icode\Everest\Client\Everest.exe
(Mozilla Corporation) D:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) D:\Program Files\Mozilla Firefox\plugin-container.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Adobe ARM] - D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [Synchronization Manager] - D:\WINDOWS\system32\mobsync.exe [143360 2008-04-14] (Microsoft Corporation)
HKLM\...\Run: [CanonSolutionMenu] - D:\Program Files\Canon\SolutionMenu\CNSLMAIN.EXE [689488 2008-03-10] (CANON INC.)
HKLM\...\Run: [ccApp] - D:\Program Files\Common Files\Symantec Shared\ccApp.exe [115560 2009-12-11] (Symantec Corporation)
HKLM\...\Run: [RTHDCPL] - D:\WINDOWS\RTHDCPL.EXE [18789920 2012-01-31] (Realtek Semiconductor Corp.)
HKLM\...\Policies\Explorer: [NoWelcomeScreen] 1
HKLM\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKCU\...\Run: [AS2014] - D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe
HKCU\...\Run: [gfkjhxxd] - "D:\Documents and Settings\ABowman\Local Settings\Application Data\njdprbwt.exe"
HKCU\...\Winlogon: [Shell] Explorer.exe <==== ATTENTION
HKCU\...\Policies\Explorer: [DisablePersonalDirChange] 1
HKCU\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKU\abowman.STATION3\...\Winlogon: [Shell] Explorer.exe <==== ATTENTION
HKU\Administrator\...\Winlogon: [Shell] Explorer.exe <==== ATTENTION
HKU\administrator.RIOGRANDESALES\...\Run: [AS2014] - D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe
HKU\administrator.RIOGRANDESALES\...\Winlogon: [Shell] Explorer.exe <==== ATTENTION

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?ocid=OIE8HP&PC=B8MC
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/?ocid=OIE8HP&PC=B8MC
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1327095304203
Tcpip\..\Interfaces\{F7750B09-3B95-43F6-BC22-58ADEAF8F74D}: [NameServer]192.168.254.11,68.94.156.1

FireFox:
========
FF ProfilePath: D:\Documents and Settings\ABowman\Application Data\Mozilla\Firefox\Profiles\msothoo6.default
FF user.js: detected! => D:\Documents and Settings\ABowman\Application Data\Mozilla\Firefox\Profiles\msothoo6.default\user.js
FF Homepage: hxxp://www.aol.com/
FF Plugin: @adobe.com/FlashPlayer - D:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_9_900_152.dll ()
FF Plugin: @microsoft.com/WPF,version=3.5 - d:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader - D:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - d:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - d:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

========================== Services (Whitelisted) =================

R2 ccEvtMgr; D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108392 2009-12-11] (Symantec Corporation)
R2 ccSetMgr; D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108392 2009-12-11] (Symantec Corporation)
R2 HitmanProScheduler; D:\Program Files\HitmanPro\hmpsched.exe [106280 2013-11-22] (SurfRight B.V.)
S3 LiveUpdate; D:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093880 2009-07-13] (Symantec Corporation)
R2 SmcService; D:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [1864888 2009-12-11] (Symantec Corporation)
S4 SNAC; D:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [341320 2009-12-11] (Symantec Corporation)
R2 Symantec AntiVirus; D:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2477304 2009-12-11] (Symantec Corporation)

==================== Drivers (Whitelisted) ====================

S3 Ambfilt; D:\Windows\System32\drivers\Ambfilt.sys [1691480 2012-01-31] (Creative)
S3 COH_Mon; D:\WINDOWS\system32\Drivers\COH_Mon.sys [23888 2009-12-11] (Symantec Corporation)
R1 eeCtrl; D:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376920 2013-11-21] (Symantec Corporation)
R3 EraserUtilRebootDrv; D:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [108120 2013-11-21] (Symantec Corporation)
S3 Monfilt; D:\Windows\System32\drivers\Monfilt.sys [1395800 2012-01-31] (Creative Technology Ltd.)
R3 NAVENG; D:\Program Files\Common Files\Symantec Shared\VirusDefs\20131121.023\NAVENG.SYS [93272 2013-11-19] (Symantec Corporation)
R3 NAVEX15; D:\Program Files\Common Files\Symantec Shared\VirusDefs\20131121.023\NAVEX15.SYS [1612376 2013-11-19] (Symantec Corporation)
R1 SPBBCDrv; D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2009-12-11] (Symantec Corporation)
R1 SRTSP; D:\Windows\System32\Drivers\SRTSP.SYS [281648 2009-12-11] (Symantec Corporation)
S3 SRTSPL; D:\Windows\System32\Drivers\SRTSPL.SYS [320560 2009-12-11] (Symantec Corporation)
R1 SRTSPX; D:\Windows\System32\Drivers\SRTSPX.SYS [43696 2009-12-11] (Symantec Corporation)
R3 SymEvent; D:\WINDOWS\system32\Drivers\SYMEVENT.SYS [124976 2012-01-26] (Symantec Corporation)
R3 SYMREDRV; D:\Windows\System32\Drivers\SYMREDRV.SYS [26416 2009-12-11] (Symantec Corporation)
R1 SYMTDI; D:\Windows\System32\Drivers\SYMTDI.SYS [188080 2009-12-11] (Symantec Corporation)
S4 SysPlant; D:\Windows\SYSTEM32\Drivers\SysPlant.sys [92488 2009-12-11] (Symantec Corporation)
R3 Teefer2; D:\Windows\System32\DRIVERS\teefer2.sys [50064 2009-12-11] (Symantec Corporation)
S3 TRCDR; D:\Windows\System32\DRIVERS\trcdr.sys [32092 2011-07-28] (Worth Data, Inc.)
R1 WPS; D:\WINDOWS\system32\drivers\wpsdrvnt.sys [42312 2009-12-11] (Symantec Corporation)
R3 WpsHelper; D:\WINDOWS\system32\drivers\WpsHelper.sys [174056 2013-05-30] (Symantec Corporation)
S4 IntelIde; No ImagePath
U1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-11-22 15:52 - 2013-11-22 15:52 - 00000000 ____D D:\FRST
2013-11-22 11:35 - 2013-11-22 11:35 - 00000000 ____D D:\Program Files\HitmanPro
2013-11-22 11:35 - 2013-11-22 11:35 - 00000000 ____D D:\Documents and Settings\All Users\Start Menu\Programs\HitmanPro
2013-11-22 10:15 - 2013-11-22 10:15 - 00000000 ____D D:\Program Files\Malwarebytes' Anti-Malware
2013-11-22 10:15 - 2013-11-22 10:15 - 00000000 ____D D:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2013-11-22 10:15 - 2013-11-22 10:15 - 00000000 ____D D:\Documents and Settings\All Users\Application Data\Malwarebytes
2013-11-22 10:15 - 2013-11-22 10:15 - 00000000 ____D D:\Documents and Settings\Administrator\Application Data\Malwarebytes
2013-11-22 10:15 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) D:\WINDOWS\system32\Drivers\mbam.sys
2013-11-21 11:10 - 2013-11-21 11:10 - 00000000 ____D D:\Documents and Settings\Administrator\Start Menu\Programs\Antivirus Security Pro
2013-11-20 18:38 - 2013-11-22 11:33 - 00000000 ____D D:\Documents and Settings\All Users\Application Data\HitmanPro
2013-11-20 18:01 - 2013-11-20 18:01 - 00000000 __SHD D:\Documents and Settings\administrator.RIOGRANDESALES\PrivacIE
2013-11-20 17:49 - 2013-11-20 17:50 - 00000000 ____D D:\Documents and Settings\administrator.RIOGRANDESALES\Application Data\Adobe
2013-11-20 17:49 - 2013-11-20 17:49 - 00000000 ____D D:\Documents and Settings\administrator.RIOGRANDESALES\Local Settings\Application Data\Adobe
2013-11-20 17:43 - 2013-11-20 17:43 - 00000000 ____D D:\Documents and Settings\administrator.RIOGRANDESALES\Start Menu\Programs\Antivirus Security Pro
2013-11-20 17:37 - 2013-11-20 17:37 - 00000000 _____ D:\Documents and Settings\ABowman\Application Data\SharedSettings.ccs
2013-11-20 17:36 - 2013-11-21 11:10 - 00000000 ____D D:\Documents and Settings\All Users\Application Data\ngXgVar3
2013-11-20 17:36 - 2013-11-20 17:36 - 00000000 ____D D:\Documents and Settings\ABowman\Start Menu\Programs\Antivirus Security Pro
2013-11-15 11:56 - 2013-11-18 10:04 - 00000000 ____D D:\Program Files\Mozilla Firefox
2013-11-13 17:56 - 2013-11-13 17:56 - 00008898 _____ D:\WINDOWS\KB2900986.log
2013-11-13 17:56 - 2013-11-13 17:56 - 00000000 __HDC D:\WINDOWS\$NtUninstallKB2900986$
2013-11-13 17:56 - 2013-11-13 17:56 - 00000000 __HDC D:\WINDOWS\$NtUninstallKB2876331$
2013-11-13 17:56 - 2013-11-13 17:56 - 00000000 __HDC D:\WINDOWS\$NtUninstallKB2868626$
2013-11-13 17:56 - 2013-11-13 17:56 - 00000000 __HDC D:\WINDOWS\$NtUninstallKB2862152$
2013-11-13 17:55 - 2013-11-13 17:56 - 00014617 _____ D:\WINDOWS\KB2888505-IE8.log
2013-11-13 10:27 - 2013-11-13 17:56 - 00014721 _____ D:\WINDOWS\KB2868626.log
2013-11-13 10:27 - 2013-11-13 17:56 - 00013630 _____ D:\WINDOWS\KB2862152.log
2013-11-13 10:27 - 2013-11-13 17:56 - 00013154 _____ D:\WINDOWS\KB2876331.log

==================== One Month Modified Files and Folders =======

2013-11-22 15:52 - 2013-11-22 15:52 - 00000000 ____D D:\FRST
2013-11-22 15:33 - 2012-04-03 09:08 - 00000830 _____ D:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2013-11-22 15:13 - 2012-01-24 14:51 - 00000152 _____ D:\WINDOWS\system32\config\netlogon.ftl
2013-11-22 12:33 - 2012-01-03 15:52 - 00032466 _____ D:\WINDOWS\SchedLgU.Txt
2013-11-22 12:23 - 2012-01-03 15:50 - 01452320 _____ D:\WINDOWS\WindowsUpdate.log
2013-11-22 11:45 - 2012-01-24 15:07 - 00000426 ____H D:\WINDOWS\Tasks\User_Feed_Synchronization-{E19F1FCB-8C97-4D2C-A1A1-951C031EDCBC}.job
2013-11-22 11:44 - 2003-06-20 04:00 - 00002206 _____ D:\WINDOWS\system32\wpa.dbl
2013-11-22 11:43 - 2012-01-03 15:59 - 00000178 ___SH D:\Documents and Settings\Administrator\ntuser.ini
2013-11-22 11:35 - 2013-11-22 11:35 - 00000000 ____D D:\Program Files\HitmanPro
2013-11-22 11:35 - 2013-11-22 11:35 - 00000000 ____D D:\Documents and Settings\All Users\Start Menu\Programs\HitmanPro
2013-11-22 11:33 - 2013-11-20 18:38 - 00000000 ____D D:\Documents and Settings\All Users\Application Data\HitmanPro
2013-11-22 11:25 - 2012-01-03 08:37 - 00513832 _____ D:\WINDOWS\system32\PerfStringBackup.INI
2013-11-22 11:21 - 2012-01-03 15:52 - 00000006 ____H D:\WINDOWS\Tasks\SA.DAT
2013-11-22 11:21 - 2012-01-03 08:44 - 00000159 _____ D:\WINDOWS\wiadebug.log
2013-11-22 11:21 - 2012-01-03 08:44 - 00000050 _____ D:\WINDOWS\wiaservc.log
2013-11-22 11:20 - 2012-01-20 14:55 - 00000000 ____D D:\WINDOWS\ie8updates
2013-11-22 10:26 - 2012-01-03 15:49 - 00000000 ____D D:\WINDOWS\srchasst
2013-11-22 10:25 - 2012-01-03 15:59 - 00000000 ____D D:\Documents and Settings\Administrator
2013-11-22 10:15 - 2013-11-22 10:15 - 00000000 ____D D:\Program Files\Malwarebytes' Anti-Malware
2013-11-22 10:15 - 2013-11-22 10:15 - 00000000 ____D D:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2013-11-22 10:15 - 2013-11-22 10:15 - 00000000 ____D D:\Documents and Settings\All Users\Application Data\Malwarebytes
2013-11-22 10:15 - 2013-11-22 10:15 - 00000000 ____D D:\Documents and Settings\Administrator\Application Data\Malwarebytes
2013-11-22 09:47 - 2012-01-03 08:33 - 00000000 ____D D:\WINDOWS\security
2013-11-21 11:25 - 2012-01-24 14:52 - 00000000 __SHD D:\WINDOWS\CSC
2013-11-21 11:10 - 2013-11-21 11:10 - 00000000 ____D D:\Documents and Settings\Administrator\Start Menu\Programs\Antivirus Security Pro
2013-11-21 11:10 - 2013-11-20 17:36 - 00000000 ____D D:\Documents and Settings\All Users\Application Data\ngXgVar3
2013-11-21 11:10 - 2012-01-25 13:47 - 00046840 _____ D:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-11-21 11:08 - 2012-01-25 13:46 - 00000178 ___SH D:\Documents and Settings\administrator.RIOGRANDESALES\ntuser.ini
2013-11-21 09:49 - 2012-01-24 15:01 - 00000278 ___SH D:\Documents and Settings\ABowman\ntuser.ini
2013-11-20 18:01 - 2013-11-20 18:01 - 00000000 __SHD D:\Documents and Settings\administrator.RIOGRANDESALES\PrivacIE
2013-11-20 18:01 - 2012-01-25 13:45 - 00000000 ____D D:\Documents and Settings\administrator.RIOGRANDESALES
2013-11-20 17:50 - 2013-11-20 17:49 - 00000000 ____D D:\Documents and Settings\administrator.RIOGRANDESALES\Application Data\Adobe
2013-11-20 17:49 - 2013-11-20 17:49 - 00000000 ____D D:\Documents and Settings\administrator.RIOGRANDESALES\Local Settings\Application Data\Adobe
2013-11-20 17:43 - 2013-11-20 17:43 - 00000000 ____D D:\Documents and Settings\administrator.RIOGRANDESALES\Start Menu\Programs\Antivirus Security Pro
2013-11-20 17:43 - 2012-01-25 13:46 - 00046840 _____ D:\Documents and Settings\administrator.RIOGRANDESALES\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-11-20 17:37 - 2013-11-20 17:37 - 00000000 _____ D:\Documents and Settings\ABowman\Application Data\SharedSettings.ccs
2013-11-20 17:36 - 2013-11-20 17:36 - 00000000 ____D D:\Documents and Settings\ABowman\Start Menu\Programs\Antivirus Security Pro
2013-11-19 10:45 - 2013-03-15 13:23 - 00000000 ____D D:\Program Files\Mozilla Maintenance Service
2013-11-18 18:10 - 2012-01-24 15:01 - 00000000 ____D D:\Documents and Settings\ABowman
2013-11-18 10:04 - 2013-11-15 11:56 - 00000000 ____D D:\Program Files\Mozilla Firefox
2013-11-15 10:19 - 2012-04-03 09:08 - 00692616 _____ (Adobe Systems Incorporated) D:\WINDOWS\system32\FlashPlayerApp.exe
2013-11-15 10:19 - 2012-01-27 16:58 - 00071048 _____ (Adobe Systems Incorporated) D:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2013-11-15 10:19 - 2012-01-24 18:01 - 00000000 ____D D:\Documents and Settings\ABowman\Local Settings\Application Data\Adobe
2013-11-14 16:15 - 2012-01-25 13:37 - 00046840 _____ D:\Documents and Settings\ABowman\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-11-13 17:56 - 2013-11-13 17:56 - 00008898 _____ D:\WINDOWS\KB2900986.log
2013-11-13 17:56 - 2013-11-13 17:56 - 00000000 __HDC D:\WINDOWS\$NtUninstallKB2900986$
2013-11-13 17:56 - 2013-11-13 17:56 - 00000000 __HDC D:\WINDOWS\$NtUninstallKB2876331$
2013-11-13 17:56 - 2013-11-13 17:56 - 00000000 __HDC D:\WINDOWS\$NtUninstallKB2868626$
2013-11-13 17:56 - 2013-11-13 17:56 - 00000000 __HDC D:\WINDOWS\$NtUninstallKB2862152$
2013-11-13 17:56 - 2013-11-13 17:55 - 00014617 _____ D:\WINDOWS\KB2888505-IE8.log
2013-11-13 17:56 - 2013-11-13 10:27 - 00014721 _____ D:\WINDOWS\KB2868626.log
2013-11-13 17:56 - 2013-11-13 10:27 - 00013630 _____ D:\WINDOWS\KB2862152.log
2013-11-13 17:56 - 2013-11-13 10:27 - 00013154 _____ D:\WINDOWS\KB2876331.log
2013-11-13 17:56 - 2012-01-20 14:30 - 00089589 _____ D:\WINDOWS\updspapi.log
2013-11-13 17:56 - 2012-01-03 08:37 - 01405636 _____ D:\WINDOWS\iis6.log
2013-11-13 17:56 - 2012-01-03 08:37 - 01266633 _____ D:\WINDOWS\FaxSetup.log
2013-11-13 17:56 - 2012-01-03 08:37 - 00654107 _____ D:\WINDOWS\ocgen.log
2013-11-13 17:56 - 2012-01-03 08:37 - 00583418 _____ D:\WINDOWS\tsoc.log
2013-11-13 17:56 - 2012-01-03 08:37 - 00431288 _____ D:\WINDOWS\comsetup.log
2013-11-13 17:56 - 2012-01-03 08:37 - 00393680 _____ D:\WINDOWS\msmqinst.log
2013-11-13 17:56 - 2012-01-03 08:37 - 00259686 _____ D:\WINDOWS\ntdtcsetup.log
2013-11-13 17:56 - 2012-01-03 08:37 - 00222639 _____ D:\WINDOWS\netfxocm.log
2013-11-13 17:56 - 2012-01-03 08:37 - 00087762 _____ D:\WINDOWS\MedCtrOC.log
2013-11-13 17:56 - 2012-01-03 08:37 - 00070311 _____ D:\WINDOWS\ocmsn.log
2013-11-13 17:56 - 2012-01-03 08:37 - 00064385 _____ D:\WINDOWS\tabletoc.log
2013-11-13 17:56 - 2012-01-03 08:37 - 00063598 _____ D:\WINDOWS\msgsocm.log
2013-11-13 17:56 - 2012-01-03 08:37 - 00001393 _____ D:\WINDOWS\imsins.log
2013-11-13 17:56 - 2012-01-03 08:37 - 00001393 _____ D:\WINDOWS\imsins.BAK
2013-11-13 17:55 - 2013-08-13 17:00 - 00000000 ____D D:\WINDOWS\system32\MRT
2013-11-13 17:54 - 2012-01-20 14:57 - 80340640 _____ (Microsoft Corporation) D:\WINDOWS\system32\MRT.exe
2013-11-11 16:35 - 2012-01-27 16:59 - 00000664 _____ D:\WINDOWS\system32\d3d9caps.dat
2013-10-31 04:51 - 2012-01-03 08:36 - 00491302 _____ D:\WINDOWS\setupapi.log

Some content of TEMP:
====================
D:\Documents and Settings\ABowman\Local Settings\Temp\applnch.exe
D:\Documents and Settings\ABowman\Local Settings\Temp\fp_pl_pfs_installer.exe
D:\Documents and Settings\ABowman\Local Settings\Temp\MSETUP4.EXE
D:\Documents and Settings\administrator.RIOGRANDESALES\Local Settings\Temp\applnch.exe


==================== Bamital & volsnap Check =================

D:\Windows\explorer.exe => MD5 is legit
D:\Windows\System32\winlogon.exe => MD5 is legit
D:\Windows\System32\svchost.exe => MD5 is legit
D:\Windows\System32\services.exe => MD5 is legit
D:\Windows\System32\User32.dll => MD5 is legit
D:\Windows\System32\userinit.exe => MD5 is legit
D:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================
2-Additional scan result of Farbar Recovery Scan Tool (x86) Version: 22-11-2013 01
Ran by abowman at 2013-11-22 15:52:59
Running from G:\
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: Symantec Endpoint Protection (Disabled - Up to date) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection (Disabled) {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

==================== Installed Programs ======================

Adobe AIR (Version: 3.1.0.4880)
Adobe Flash Player 11 ActiveX (Version: 11.9.900.117)
Adobe Flash Player 11 Plugin (Version: 11.9.900.152)
Adobe Reader X (10.1.8) (Version: 10.1.8)
ArcSoft PhotoStudio 5.5
Canon CanoScan LiDE 200 User Registration
Canon MP Navigator EX 2.0
Canon Utilities Solution Menu
CanoScan LiDE 200 Scanner Driver
Compatibility Pack for the 2007 Office system (Version: 12.0.6514.5001)
Everest Advanced Edition 5.0.2.6 (Client) (Version: 1.00.0000)
GhostMouse 2.0
GoToMeeting 5.1.0.880 (HKCU Version: 5.1.0.880)
Hardware Utilities 1.0
HitmanPro 3.7 (Version: 3.7.8.208)
KwikCountEX 2.0
LiveUpdate 3.3 (Symantec Corporation) (Version: 3.3.0.92)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Office Professional Edition 2003 (Version: 11.0.5614.0)
Mozilla Firefox 25.0.1 (x86 en-US) (Version: 25.0.1)
Mozilla Maintenance Service (Version: 25.0.1)
MSN
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
novaPDF Standard Desktop 7.7 printer
Realtek High Definition Audio Driver (Version: 5.10.0.6024)
Symantec Endpoint Protection (Version: 11.0.5002.333)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB2863058) (Version: 1)
Update for Windows XP (KB898461) (Version: 1)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 8 (Version: 20090308.140743)

==================== Restore Points =========================

23-08-2013 23:28:27 System Checkpoint
25-08-2013 04:32:05 System Checkpoint
26-08-2013 04:40:11 System Checkpoint
27-08-2013 19:25:19 System Checkpoint
28-08-2013 23:41:06 System Checkpoint
28-08-2013 23:59:34 Software Distribution Service 3.0
30-08-2013 17:24:46 System Checkpoint
31-08-2013 17:56:40 System Checkpoint
01-09-2013 17:58:45 System Checkpoint
02-09-2013 18:36:48 System Checkpoint
03-09-2013 19:14:27 System Checkpoint
04-09-2013 19:15:06 System Checkpoint
05-09-2013 20:00:37 System Checkpoint
06-09-2013 20:27:58 System Checkpoint
07-09-2013 20:29:56 System Checkpoint
08-09-2013 21:06:33 System Checkpoint
09-09-2013 21:19:47 System Checkpoint
10-09-2013 21:40:02 System Checkpoint
11-09-2013 23:20:12 System Checkpoint
11-09-2013 23:58:57 Software Distribution Service 3.0
13-09-2013 16:21:12 System Checkpoint
14-09-2013 16:23:31 System Checkpoint
15-09-2013 17:35:02 System Checkpoint
16-09-2013 18:09:07 System Checkpoint
17-09-2013 19:16:04 System Checkpoint
18-09-2013 19:30:16 System Checkpoint
19-09-2013 20:03:01 System Checkpoint
20-09-2013 22:03:26 System Checkpoint
21-09-2013 23:05:04 System Checkpoint
22-09-2013 23:58:48 System Checkpoint
24-09-2013 19:48:11 System Checkpoint
25-09-2013 22:30:28 System Checkpoint
26-09-2013 23:35:11 System Checkpoint
27-09-2013 23:36:07 System Checkpoint
28-09-2013 23:37:13 System Checkpoint
30-09-2013 01:53:45 System Checkpoint
01-10-2013 20:00:29 System Checkpoint
02-10-2013 20:08:52 System Checkpoint
03-10-2013 20:16:41 System Checkpoint
05-10-2013 00:15:59 System Checkpoint
06-10-2013 00:23:27 System Checkpoint
07-10-2013 01:09:27 System Checkpoint
08-10-2013 17:13:52 System Checkpoint
09-10-2013 17:17:34 System Checkpoint
10-10-2013 17:32:27 System Checkpoint
11-10-2013 00:03:28 Software Distribution Service 3.0
12-10-2013 00:35:52 System Checkpoint
13-10-2013 01:22:31 System Checkpoint
14-10-2013 01:34:30 System Checkpoint
15-10-2013 19:34:44 System Checkpoint
16-10-2013 19:41:01 System Checkpoint
17-10-2013 21:28:29 System Checkpoint
18-10-2013 00:01:22 Software Distribution Service 3.0
19-10-2013 00:24:22 System Checkpoint
19-10-2013 09:00:13 Software Distribution Service 3.0
20-10-2013 09:43:53 System Checkpoint
21-10-2013 09:52:53 System Checkpoint
22-10-2013 19:09:09 System Checkpoint
24-10-2013 18:45:17 System Checkpoint
25-10-2013 19:44:36 System Checkpoint
26-10-2013 19:52:34 System Checkpoint
27-10-2013 19:57:23 System Checkpoint
28-10-2013 21:06:28 System Checkpoint
29-10-2013 21:37:18 System Checkpoint
30-10-2013 22:25:17 System Checkpoint
31-10-2013 22:26:21 System Checkpoint
02-11-2013 00:40:00 System Checkpoint
03-11-2013 01:16:12 System Checkpoint
04-11-2013 02:15:07 System Checkpoint
05-11-2013 20:19:16 System Checkpoint
06-11-2013 21:15:22 System Checkpoint
07-11-2013 21:49:34 System Checkpoint
09-11-2013 01:17:32 System Checkpoint
10-11-2013 01:53:33 System Checkpoint
11-11-2013 02:02:02 System Checkpoint
12-11-2013 20:21:44 System Checkpoint
13-11-2013 20:22:49 System Checkpoint
14-11-2013 00:54:53 Software Distribution Service 3.0
15-11-2013 19:13:05 System Checkpoint
16-11-2013 19:19:08 System Checkpoint
17-11-2013 20:19:08 System Checkpoint
18-11-2013 21:25:19 System Checkpoint
20-11-2013 18:52:09 System Checkpoint
21-11-2013 19:34:43 System Checkpoint
22-11-2013 20:30:48 System Checkpoint

==================== Hosts content: ==========================

2003-06-20 04:00 - 2003-06-20 04:00 - 00000734 ____A D:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1 localhost

==================== Scheduled Tasks (whitelisted) =============

Task: D:\WINDOWS\Tasks\Adobe Flash Player Updater.job => D:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: D:\WINDOWS\Tasks\User_Feed_Synchronization-{E19F1FCB-8C97-4D2C-A1A1-951C031EDCBC}.job => D:\WINDOWS\system32\msfeedssync.exe

==================== Loaded Modules (whitelisted) =============

2005-10-17 22:53 - 2005-10-17 22:53 - 01191936 _____ () D:\Program Files\Icode\Everest\Client\prompt.dll
2005-08-04 01:43 - 2005-08-04 01:43 - 01429504 _____ () D:\Program Files\Icode\Everest\Client\crlov.dll
2013-11-15 11:56 - 2013-11-15 11:56 - 03363952 _____ () D:\Program Files\Mozilla Firefox\mozjs.dll
2013-11-15 10:19 - 2013-11-15 10:19 - 16237448 _____ () D:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_9_900_152.dll

==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antvirus => ""="Service"

==================== Faulty Device Manager Devices =============

Name: Video Controller (VGA Compatible)
Description: Video Controller (VGA Compatible)
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: SM Bus Controller
Description: SM Bus Controller
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (11/21/2013 10:03:33 AM) (Source: Symantec AntiVirus) (User: RIOGRANDESALES)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target: D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Terminate Process
Action Taken: Logged
Actor Process: D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe (PID 700)
Time: Thursday, November 21, 2013 10:03:33 AM

Error: (11/20/2013 05:56:12 PM) (Source: Symantec AntiVirus) (User: RIOGRANDESALES)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target: D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Terminate Process
Action Taken: Logged
Actor Process: D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe (PID 3880)
Time: Wednesday, November 20, 2013 5:56:12 PM

Error: (11/20/2013 05:56:04 PM) (Source: Symantec AntiVirus) (User: RIOGRANDESALES)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target: D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Terminate Process
Action Taken: Logged
Actor Process: D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe (PID 3880)
Time: Wednesday, November 20, 2013 5:56:04 PM

Error: (11/20/2013 05:56:02 PM) (Source: Symantec AntiVirus) (User: RIOGRANDESALES)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target: D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Terminate Process
Action Taken: Logged
Actor Process: D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe (PID 3880)
Time: Wednesday, November 20, 2013 5:56:02 PM

Error: (11/20/2013 05:56:01 PM) (Source: Symantec AntiVirus) (User: RIOGRANDESALES)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target: D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Terminate Process
Action Taken: Logged
Actor Process: D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe (PID 3880)
Time: Wednesday, November 20, 2013 5:56:01 PM

Error: (11/20/2013 05:55:59 PM) (Source: Symantec AntiVirus) (User: RIOGRANDESALES)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target: D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Terminate Process
Action Taken: Logged
Actor Process: D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe (PID 3880)
Time: Wednesday, November 20, 2013 5:55:59 PM

Error: (11/20/2013 05:55:57 PM) (Source: Symantec AntiVirus) (User: RIOGRANDESALES)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target: D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Terminate Process
Action Taken: Logged
Actor Process: D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe (PID 3880)
Time: Wednesday, November 20, 2013 5:55:57 PM

Error: (11/20/2013 05:55:53 PM) (Source: Symantec AntiVirus) (User: RIOGRANDESALES)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target: D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Terminate Process
Action Taken: Logged
Actor Process: D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe (PID 3880)
Time: Wednesday, November 20, 2013 5:55:53 PM

Error: (11/20/2013 05:55:50 PM) (Source: Symantec AntiVirus) (User: RIOGRANDESALES)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target: D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Terminate Process
Action Taken: Logged
Actor Process: D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe (PID 3880)
Time: Wednesday, November 20, 2013 5:55:50 PM

Error: (11/20/2013 05:55:49 PM) (Source: Symantec AntiVirus) (User: RIOGRANDESALES)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target: D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Terminate Process
Action Taken: Logged
Actor Process: D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe (PID 3880)
Time: Wednesday, November 20, 2013 5:55:49 PM


System errors:
=============
Error: (11/22/2013 00:02:27 PM) (Source: DCOM) (User: RIOGRANDESALES)
Description: DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error: (11/22/2013 00:00:29 PM) (Source: DCOM) (User: RIOGRANDESALES)
Description: DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error: (11/22/2013 11:39:20 AM) (Source: 0) (User: )
Description: \Device\Ide\IdePort2

Error: (11/22/2013 11:38:39 AM) (Source: 0) (User: )
Description: \Device\Ide\IdePort2

Error: (11/22/2013 11:36:44 AM) (Source: 0) (User: )
Description: \Device\Ide\IdePort2

Error: (11/22/2013 11:36:42 AM) (Source: 0) (User: )
Description: \Device\Ide\IdePort2

Error: (11/22/2013 11:21:27 AM) (Source: 0) (User: )
Description: 0xC0000001HarddiskVolume4

Error: (11/22/2013 10:27:11 AM) (Source: 0) (User: )
Description: 0xC0000001HarddiskVolume4

Error: (11/21/2013 11:22:18 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (11/21/2013 11:19:18 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}


Microsoft Office Sessions:
=========================
Error: (11/21/2013 10:03:33 AM) (Source: Symantec AntiVirus)(User: RIOGRANDESALES)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target: D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Terminate Process
Action Taken: Logged
Actor Process: D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe (PID 700)
Time: Thursday, November 21, 2013 10:03:33 AM

Error: (11/20/2013 05:56:12 PM) (Source: Symantec AntiVirus)(User: RIOGRANDESALES)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target: D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Terminate Process
Action Taken: Logged
Actor Process: D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe (PID 3880)
Time: Wednesday, November 20, 2013 5:56:12 PM

Error: (11/20/2013 05:56:04 PM) (Source: Symantec AntiVirus)(User: RIOGRANDESALES)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target: D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Terminate Process
Action Taken: Logged
Actor Process: D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe (PID 3880)
Time: Wednesday, November 20, 2013 5:56:04 PM

Error: (11/20/2013 05:56:02 PM) (Source: Symantec AntiVirus)(User: RIOGRANDESALES)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target: D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Terminate Process
Action Taken: Logged
Actor Process: D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe (PID 3880)
Time: Wednesday, November 20, 2013 5:56:02 PM

Error: (11/20/2013 05:56:01 PM) (Source: Symantec AntiVirus)(User: RIOGRANDESALES)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target: D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Terminate Process
Action Taken: Logged
Actor Process: D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe (PID 3880)
Time: Wednesday, November 20, 2013 5:56:01 PM

Error: (11/20/2013 05:55:59 PM) (Source: Symantec AntiVirus)(User: RIOGRANDESALES)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target: D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Terminate Process
Action Taken: Logged
Actor Process: D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe (PID 3880)
Time: Wednesday, November 20, 2013 5:55:59 PM

Error: (11/20/2013 05:55:57 PM) (Source: Symantec AntiVirus)(User: RIOGRANDESALES)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target: D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Terminate Process
Action Taken: Logged
Actor Process: D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe (PID 3880)
Time: Wednesday, November 20, 2013 5:55:57 PM

Error: (11/20/2013 05:55:53 PM) (Source: Symantec AntiVirus)(User: RIOGRANDESALES)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target: D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Terminate Process
Action Taken: Logged
Actor Process: D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe (PID 3880)
Time: Wednesday, November 20, 2013 5:55:53 PM

Error: (11/20/2013 05:55:50 PM) (Source: Symantec AntiVirus)(User: RIOGRANDESALES)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target: D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Terminate Process
Action Taken: Logged
Actor Process: D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe (PID 3880)
Time: Wednesday, November 20, 2013 5:55:50 PM

Error: (11/20/2013 05:55:49 PM) (Source: Symantec AntiVirus)(User: RIOGRANDESALES)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target: D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Terminate Process
Action Taken: Logged
Actor Process: D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe (PID 3880)
Time: Wednesday, November 20, 2013 5:55:49 PM


==================== Memory info ===========================

Percentage of memory in use: 39%
Total physical RAM: 2013.17 MB
Available physical RAM: 1221.93 MB
Total Pagefile: 3906.37 MB
Available Pagefile: 3310.85 MB
Total Virtual: 2047.88 MB
Available Virtual: 1950.3 MB

==================== Drives ================================

Drive c: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: () (Fixed) (Total:134.94 GB) (Free:119.69 GB) NTFS
Drive e: (DATA) (Fixed) (Total:135.04 GB) (Free:83.57 GB) NTFS
Drive g: () (Removable) (Total:3.72 GB) (Free:3.4 GB) FAT32
Drive z: (Data) (Network) (Total:1 GB) (Free:0.52 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 298 GB) (Disk ID: E5E84A05)
Partition 1: (Not Active) - (Size=28 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=135 GB) - (Type=OF Extended)
Partition 4: (Not Active) - (Size=135 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 4 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)

==================== End Of Log ============================
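The event-log section of the FRST report above repeats the same Symantec tamper-protection alert many times, which makes it hard to see at a glance that a single binary was behind all of them. As an added example (not part of this thread, and not code from FRST or Symantec), the Python below parses the `Error:` blocks in the layout FRST uses, keeps only the tamper-protection alerts, and groups them by the acting process so that repeated termination attempts against the AV from one path stand out. The sample log text is constructed to match the format shown in the post; the path and PIDs in it are copied from that format, not read from a real machine.

```python
import re
from collections import defaultdict

# Constructed sample in the layout FRST uses for its event-log sections:
# two tamper-protection alerts from the same binary (different PIDs, so the
# process was started more than once) and one unrelated DCOM error.
SAMPLE_LOG = r"""Error: (11/20/2013 05:55:57 PM) (Source: Symantec AntiVirus) (User: RIOGRANDESALES)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target: D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Terminate Process
Action Taken: Logged
Actor Process: D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe (PID 3880)
Time: Wednesday, November 20, 2013 5:55:57 PM

Error: (11/22/2013 00:02:27 PM) (Source: DCOM) (User: RIOGRANDESALES)
Description: DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error: (11/21/2013 10:03:33 AM) (Source: Symantec AntiVirus)(User: RIOGRANDESALES)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target: D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Terminate Process
Action Taken: Logged
Actor Process: D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe (PID 700)
Time: Thursday, November 21, 2013 10:03:33 AM
"""

# One header line opens each event; FRST sometimes prints "(Source: ...)(User: ...)"
# with no space between the groups, hence the \s* in the middle.
HEADER_RE = re.compile(
    r"^Error: \((?P<timestamp>[^)]+)\) \(Source: (?P<source>[^)]*)\)\s*\(User: (?P<user>[^)]*)\)$"
)
FIELD_RE = re.compile(
    r"^(?P<key>Description|Target|Event Info|Action Taken|Actor Process|Time): ?(?P<value>.*)$"
)
ACTOR_RE = re.compile(r"^(?P<path>.+?) \(PID (?P<pid>\d+)\)$")
TAMPER_DESCRIPTION = "SYMANTEC TAMPER PROTECTION ALERT"


def parse_events(text):
    """Split the FRST event-log text into a list of event dicts with their key: value fields."""
    events = []
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {"timestamp": header["timestamp"], "source": header["source"],
                       "user": header["user"], "fields": {}}
            events.append(current)
            continue
        if current is None:
            continue
        field = FIELD_RE.match(line)
        if field:
            current["fields"][field["key"]] = field["value"]
    return events


def tamper_alerts(events):
    """Keep only tamper-protection alerts, splitting the actor into path and PID."""
    alerts = []
    for ev in events:
        fields = ev["fields"]
        if fields.get("Description") != TAMPER_DESCRIPTION:
            continue
        actor = ACTOR_RE.match(fields.get("Actor Process", ""))
        alerts.append({
            "timestamp": ev["timestamp"],
            "target": fields.get("Target", ""),
            "event": fields.get("Event Info", ""),
            "action": fields.get("Action Taken", ""),
            "actor_path": actor["path"] if actor else fields.get("Actor Process", ""),
            "actor_pid": int(actor["pid"]) if actor else None,
        })
    return alerts


def summarize_by_actor(alerts):
    """Group alerts by the acting binary: how often, under which PIDs, against which targets."""
    summary = defaultdict(lambda: {"count": 0, "pids": set(), "targets": set(), "only_logged": True})
    for a in alerts:
        entry = summary[a["actor_path"]]
        entry["count"] += 1
        entry["pids"].add(a["actor_pid"])
        entry["targets"].add(a["target"])
        if a["action"] != "Logged":
            entry["only_logged"] = False
    return dict(summary)


if __name__ == "__main__":
    for path, entry in summarize_by_actor(tamper_alerts(parse_events(SAMPLE_LOG))).items():
        print(f"{entry['count']} alert(s) from {path} (PIDs {sorted(entry['pids'])})")
        print("  targets:", ", ".join(sorted(entry["targets"])))
        print("  action taken was only 'Logged':", entry["only_logged"])
```

The `only_logged` flag is the part worth reading in a real report: tamper protection that merely logs an attempt has not stopped it, and the FRST process list at the top of the post still needs to be checked for the AV components that were targeted.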
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
There is still a lot of malware present.


Download attached fixlist.txt on the same location as FRST (otherwise the fix won't work)

Open FRST, and click Fix. Attach that report for me after it is finished.



Then...



1. Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works, please read this guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully.
Note: ComboFix must be downloaded to your Desktop.

--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program.
If you are unsure how to do this, please read this instruction (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this instruction.

Instructions how to disable avast:
  • Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  • In the window that opens on the top right corner, click Settings.
  • In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
  • => Again, right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.


--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach log reports ( ComboFix.txt) back to topic.
 

Attachments

  • fixlist.txt
    824 bytes · Views: 121

arnoldbowman@aol.com

New Member
Thread author
Verified
Nov 21, 2013
18
Here is the FRST fix log
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 22-11-2013 01
Ran by abowman at 2013-11-22 17:34:33 Run:1
Running from G:\
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKCU\...\Run: [AS2014] - D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe
HKCU\...\Run: [gfkjhxxd] - "D:\Documents and Settings\ABowman\Local Settings\Application Data\njdprbwt.exe"
HKCU\...\Winlogon: [Shell] Explorer.exe <==== ATTENTION
D:\Documents and Settings\All Users\Application Data\ngXgVar3
D:\Documents and Settings\ABowman\Local Settings\Application Data\njdprbwt.exe
HKU\abowman.STATION3\...\Winlogon: [Shell] Explorer.exe <==== ATTENTION
HKU\Administrator\...\Winlogon: [Shell] Explorer.exe <==== ATTENTION
HKU\administrator.RIOGRANDESALES\...\Run: [AS2014] - D:\Documents and Settings\All Users\Application Data\ngXgVar3\ngXgVar3.exe
HKU\administrator.RIOGRANDESALES\...\Winlogon: [Shell] Explorer.exe <==== ATTENTION
D:\Documents and Settings\ABowman\Local Settings\Temp

*****************

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\AS2014 => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\gfkjhxxd => Value deleted successfully.
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
D:\Documents and Settings\All Users\Application Data\ngXgVar3 => Moved successfully.
"D:\Documents and Settings\ABowman\Local Settings\Application Data\njdprbwt.exe" => File/Directory not found.
HKU\abowman.STATION3\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKU\Administrator\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKU\administrator.RIOGRANDESALES\Software\Microsoft\Windows\CurrentVersion\Run\\AS2014 => Value deleted successfully.
HKU\administrator.RIOGRANDESALES\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
D:\Documents and Settings\ABowman\Local Settings\Temp => Moved successfully.

==== End of Fixlog ====
 

arnoldbowman@aol.com

New Member
Thread author
Verified
Nov 21, 2013
18
Here is the ComboFix log
ComboFix 13-11-23.02 - abowman 11/24/2013 9:21.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2013.1330 [GMT -7:00]
Running from: \\server2\Users BkUp\Desktop\ABowman\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
d:\documents and settings\ABowman\WINDOWS
d:\windows\system32\FlashPlayerApp.exe
d:\windows\system32\ijl11.dll
.
.
((((((((((((((((((((((((( Files Created from 2013-10-24 to 2013-11-24 )))))))))))))))))))))))))))))))
.
.
2013-11-22 22:52 . 2013-11-22 22:52 -------- d-----w- D:\FRST
2013-11-22 18:35 . 2013-11-22 18:35 -------- d-----w- d:\program files\HitmanPro
2013-11-22 17:15 . 2013-11-22 17:15 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
2013-11-22 17:15 . 2013-11-22 17:15 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2013-11-22 17:15 . 2013-11-22 17:15 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2013-11-22 17:15 . 2013-04-04 21:50 22856 ----a-w- d:\windows\system32\drivers\mbam.sys
2013-11-21 01:38 . 2013-11-22 18:33 -------- d-----w- d:\documents and settings\All Users\Application Data\HitmanPro
2013-11-21 01:01 . 2013-11-21 01:01 -------- d-sh--w- d:\documents and settings\administrator.RIOGRANDESALES\PrivacIE
2013-11-21 00:49 . 2013-11-21 00:49 -------- d-----w- d:\documents and settings\administrator.RIOGRANDESALES\Local Settings\Application Data\Temp
2013-11-21 00:49 . 2013-11-21 00:49 -------- d-----w- d:\documents and settings\administrator.RIOGRANDESALES\Local Settings\Application Data\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-15 17:19 . 2012-01-27 23:58 71048 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-13 07:25 . 2008-04-14 12:42 920064 ----a-w- d:\windows\system32\wininet.dll
2013-10-13 07:25 . 2008-04-14 12:41 43520 ----a-w- d:\windows\system32\licmgr10.dll
2013-10-13 07:25 . 2008-04-14 12:42 1469440 ----a-w- d:\windows\system32\inetcpl.cpl
2013-10-13 07:24 . 2008-04-14 12:41 18944 ----a-w- d:\windows\system32\corpol.dll
2013-10-13 06:57 . 2008-04-14 07:07 385024 ----a-w- d:\windows\system32\html.iec
2013-10-12 15:56 . 2008-04-14 12:42 278528 ----a-w- d:\windows\system32\oakley.dll
2013-10-09 13:12 . 2008-04-14 12:41 287744 ----a-w- d:\windows\system32\gdi32.dll
2013-10-07 10:59 . 2008-04-14 12:41 603136 ----a-w- d:\windows\system32\crypt32.dll
2013-10-05 01:14 . 2012-01-20 21:40 7168 ----a-w- d:\windows\system32\xpsp4res.dll
2013-08-29 01:31 . 2008-04-14 08:00 1878656 ----a-w- d:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"Synchronization Manager"="d:\windows\system32\mobsync.exe" [2008-04-14 143360]
"CanonSolutionMenu"="d:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"ccApp"="d:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-12-11 115560]
"RTHDCPL"="RTHDCPL.EXE" [2012-02-01 18789920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableVirtualization"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\WINDOWS\\system32\\mmc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
"Enabled"= 1 (0x1)
.
R2 HitmanProScheduler;HitmanPro Scheduler;d:\program files\HitmanPro\hmpsched.exe [11/22/2013 11:35 AM 106280]
R3 COH_Mon;COH_Mon;d:\windows\system32\drivers\COH_Mon.sys [12/11/2009 10:11 AM 23888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;d:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/21/2013 9:53 AM 108120]
S3 Ambfilt;Ambfilt;d:\windows\system32\drivers\Ambfilt.sys [1/31/2012 5:02 PM 1691480]
S3 TRCDR;TriCoder High-Speed USB Driver;d:\windows\system32\drivers\trcdr.sys [12/20/2012 12:44 PM 32092]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - HITMANPROSCHEDULER
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-24 d:\windows\Tasks\Adobe Flash Player Updater.job
- d:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 17:19]
.
2013-11-24 d:\windows\Tasks\User_Feed_Synchronization-{E19F1FCB-8C97-4D2C-A1A1-951C031EDCBC}.job
- d:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{F7750B09-3B95-43F6-BC22-58ADEAF8F74D}: NameServer = 192.168.254.11,68.94.156.1
FF - ProfilePath - d:\documents and settings\ABowman\Application Data\Mozilla\Firefox\Profiles\msothoo6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - ExtSQL: 2013-10-17 18:04; {20a82645-c095-46ed-80e3-08825760534b}; d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-24 09:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-11-24 09:24:56
ComboFix-quarantined-files.txt 2013-11-24 16:24
.
Pre-Run: 128,814,780,416 bytes free
Post-Run: 129,045,729,280 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(4)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(4)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 2139D775ACC347914E84D88817153715
8F558EB6672622401DA993E1E865C861
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Open notepad and copy/paste the text present inside the code box below:


Code:
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"FirewallOverride"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-

ClearJavaCache::


Save this as CFScript.txt

CFScriptB-4.gif


Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )




Tell me, how are the things now?
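The CFScript above resets the Security Center values the earlier ComboFix log showed set to 1 (notifications suppressed, AV and firewall state overridden) and removes the globally open 3389/TCP entry from the firewall policy. As an added example, not the helper's script or anything from ComboFix itself, the Python below parses the `Reg Loading Points` layout ComboFix prints, flags those same settings, and emits the matching `Registry::` section, so the fix can be derived from the log rather than typed by hand. The sample lines are constructed; the value names it checks are the Security Center and firewall-policy values that appear in the log, and the `HKLM\~\...` shorthand is reused exactly as ComboFix prints it.

```python
import re

# Constructed sample lines in the "Reg Loading Points" layout ComboFix uses;
# the "." lines are ComboFix's own section spacers. One Svc value is already 0
# so the audit's "skip values that are already correct" path is exercised.
SAMPLE_LOG = r"""REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="d:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-12-11 115560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000000
"UpdatesDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')

# Security Center values that, when set to 1, hide AV/firewall/update warnings
# from the user. They live under "Security Center" or its "Svc" subkey.
SECURITY_CENTER_FLAGS = (
    "AntiVirusDisableNotify", "AntiVirusOverride",
    "FirewallDisableNotify", "FirewallOverride", "UpdatesDisableNotify",
)


def parse_reg_points(text):
    """Return {key: {value_name: raw_value_text}} for every [key] block in the text."""
    reg = {}
    current = None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = reg.setdefault(key["key"], {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            current[value["name"]] = value["value"].strip()
    return reg


def dword_value(raw):
    """Decode both spellings ComboFix uses for numbers: 'dword:00000001' and '1 (0x1)'."""
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return None


def audit(reg):
    """List the settings worth acting on; 'fix' is a CFScript line, or None for review-only items."""
    findings = []
    for key, values in reg.items():
        lk = key.lower()
        if lk.endswith(r"\security center") or lk.endswith(r"\security center\svc"):
            for name, raw in values.items():
                if name in SECURITY_CENTER_FLAGS and dword_value(raw) == 1:
                    findings.append({"key": key, "name": name, "raw": raw,
                                     "reason": "Security Center warning suppressed or state overridden",
                                     "fix": f'"{name}"=dword:00000000'})
        elif lk.endswith(r"\globallyopenports\list"):
            for name, raw in values.items():
                findings.append({"key": key, "name": name, "raw": raw,
                                 "reason": f"port {name} is opened to every network in the firewall policy",
                                 "fix": f'"{name}"=-'})   # "=-" is CFScript's delete-value syntax
        elif lk.endswith(r"\firewallpolicy\standardprofile"):
            raw = values.get("EnableFirewall")
            if raw is not None and dword_value(raw) == 0:
                findings.append({"key": key, "name": "EnableFirewall", "raw": raw,
                                 "reason": "Windows Firewall is off; expected only if a third-party firewall manages it",
                                 "fix": None})
    return findings


def build_cfscript(findings):
    """Render the fixable findings as a CFScript Registry:: section, one [key] header per key."""
    lines = ["Registry::"]
    last_key = None
    for f in findings:
        if f["fix"] is None:
            continue
        if f["key"] != last_key:
            lines.append(f"[{f['key']}]")
            last_key = f["key"]
        lines.append(f["fix"])
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit(parse_reg_points(SAMPLE_LOG))
    for f in found:
        print(f"{f['key']} :: {f['name']} = {f['raw']}  ({f['reason']})")
    print()
    print(build_cfscript(found))
```

The script only prints the proposed `Registry::` section; the `EnableFirewall` finding is deliberately left out of it, because on this machine a Symantec firewall is installed and the Windows one being off may be intentional, so that line is something to confirm rather than flip automatically.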
 

arnoldbowman@aol.com

New Member
Thread author
Verified
Nov 21, 2013
18
Everything seems to be OK
Here is the log
ComboFix 13-11-23.02 - abowman 11/24/2013 12:19:52.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2013.1363 [GMT -7:00]
Running from: \\server2\Users BkUp\Desktop\ABowman\Desktop\ComboFix.exe
Command switches used :: \\server2\Users BkUp\Desktop\ABowman\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((( Files Created from 2013-10-24 to 2013-11-24 )))))))))))))))))))))))))))))))
.
.
2013-11-22 22:52 . 2013-11-22 22:52 -------- d-----w- D:\FRST
2013-11-22 18:35 . 2013-11-22 18:35 -------- d-----w- d:\program files\HitmanPro
2013-11-22 17:15 . 2013-11-22 17:15 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
2013-11-22 17:15 . 2013-11-22 17:15 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2013-11-22 17:15 . 2013-11-22 17:15 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2013-11-22 17:15 . 2013-04-04 21:50 22856 ----a-w- d:\windows\system32\drivers\mbam.sys
2013-11-21 01:38 . 2013-11-22 18:33 -------- d-----w- d:\documents and settings\All Users\Application Data\HitmanPro
2013-11-21 01:01 . 2013-11-21 01:01 -------- d-sh--w- d:\documents and settings\administrator.RIOGRANDESALES\PrivacIE
2013-11-21 00:49 . 2013-11-21 00:49 -------- d-----w- d:\documents and settings\administrator.RIOGRANDESALES\Local Settings\Application Data\Temp
2013-11-21 00:49 . 2013-11-21 00:49 -------- d-----w- d:\documents and settings\administrator.RIOGRANDESALES\Local Settings\Application Data\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-15 17:19 . 2012-01-27 23:58 71048 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-13 07:25 . 2008-04-14 12:42 920064 ----a-w- d:\windows\system32\wininet.dll
2013-10-13 07:25 . 2008-04-14 12:41 43520 ----a-w- d:\windows\system32\licmgr10.dll
2013-10-13 07:25 . 2008-04-14 12:42 1469440 ----a-w- d:\windows\system32\inetcpl.cpl
2013-10-13 07:24 . 2008-04-14 12:41 18944 ----a-w- d:\windows\system32\corpol.dll
2013-10-13 06:57 . 2008-04-14 07:07 385024 ----a-w- d:\windows\system32\html.iec
2013-10-12 15:56 . 2008-04-14 12:42 278528 ----a-w- d:\windows\system32\oakley.dll
2013-10-09 13:12 . 2008-04-14 12:41 287744 ----a-w- d:\windows\system32\gdi32.dll
2013-10-07 10:59 . 2008-04-14 12:41 603136 ----a-w- d:\windows\system32\crypt32.dll
2013-10-05 01:14 . 2012-01-20 21:40 7168 ----a-w- d:\windows\system32\xpsp4res.dll
2013-08-29 01:31 . 2008-04-14 08:00 1878656 ----a-w- d:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"Synchronization Manager"="d:\windows\system32\mobsync.exe" [2008-04-14 143360]
"CanonSolutionMenu"="d:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"ccApp"="d:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-12-11 115560]
"RTHDCPL"="RTHDCPL.EXE" [2012-02-01 18789920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableVirtualization"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\WINDOWS\\system32\\mmc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
"Enabled"= 1 (0x1)
.
R2 HitmanProScheduler;HitmanPro Scheduler;d:\program files\HitmanPro\hmpsched.exe [11/22/2013 11:35 AM 106280]
R3 COH_Mon;COH_Mon;d:\windows\system32\drivers\COH_Mon.sys [12/11/2009 10:11 AM 23888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;d:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/21/2013 9:53 AM 108120]
S3 Ambfilt;Ambfilt;d:\windows\system32\drivers\Ambfilt.sys [1/31/2012 5:02 PM 1691480]
S3 TRCDR;TriCoder High-Speed USB Driver;d:\windows\system32\drivers\trcdr.sys [12/20/2012 12:44 PM 32092]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - HITMANPROSCHEDULER
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-24 d:\windows\Tasks\Adobe Flash Player Updater.job
- d:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 17:19]
.
2013-11-24 d:\windows\Tasks\User_Feed_Synchronization-{E19F1FCB-8C97-4D2C-A1A1-951C031EDCBC}.job
- d:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{F7750B09-3B95-43F6-BC22-58ADEAF8F74D}: NameServer = 192.168.254.11,68.94.156.1
FF - ProfilePath - d:\documents and settings\ABowman\Application Data\Mozilla\Firefox\Profiles\msothoo6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - ExtSQL: 2013-10-17 18:04; {20a82645-c095-46ed-80e3-08825760534b}; d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-24 12:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3952)
d:\windows\system32\WININET.dll
d:\windows\system32\ieframe.dll
d:\windows\system32\webcheck.dll
.
Completion time: 2013-11-24 12:22:27
ComboFix-quarantined-files.txt 2013-11-24 19:22
ComboFix2.txt 2013-11-24 16:24
.
Pre-Run: 129,047,670,784 bytes free
Post-Run: 129,046,908,928 bytes free
.
- - End Of File - - BFEA59C3B8FAB8E6F9CB04ED6B8D6BDD
8F558EB6672622401DA993E1E865C861
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Ok, then we're done here :)


Please download DelFix by "Xplode" to your Desktop.

Run the tool and check the following boxes below;
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Now click on the "Run" button. Wait until the programme completes its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt

> I don't need the DelFix log report.
 
