WiredWX Christian Hobby Weather Tools

100k searches issue

Hi,

I've got something where my Google searches were redirected to 100K searches when I clicked on any of the search results. That lasted for one day and now my Symantec file system auto protect is malfunctioning and I'm denied access to any Windows installer.

I tried running OTL.com but got a dialog box stating that "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

I do have administrator rights.

I ran aswMBR.exe and have this log file:

aswMBR version 0.9.8.977 Copyright(c) 2011 AVAST Software
Run date: 2011-07-29 19:11:47
-----------------------------
19:11:47.484 OS Version: Windows 5.1.2600 Service Pack 3
19:11:47.484 Number of processors: 4 586 0x2505
19:11:47.484 ComputerName: 9WS4WM1 UserName: pscully
19:12:01.796 Initialize success
19:12:31.281 AVAST engine defs: 11072900
19:12:36.093 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
19:12:36.093 Disk 0 Vendor: WDC_WD16 01.0 Size: 152627MB BusType: 3
19:12:36.109 Disk 0 MBR read successfully
19:12:36.109 Disk 0 MBR scan
19:12:36.359 Disk 0 Windows XP default MBR code
19:12:36.390 Disk 0 scanning sectors +312560640
19:12:36.484 Disk 0 scanning C:\WINDOWS\system32\drivers
19:13:22.171 Service scanning
19:13:23.906 Service SysPlant C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys **LOCKED** 32
19:13:23.906 Service Teefer2 C:\WINDOWS\system32\DRIVERS\teefer2.sys **LOCKED** 32
19:13:23.921 Service WGX C:\WINDOWS\System32\Drivers\WGX.SYS **LOCKED** 32
19:13:23.921 Service WPS C:\WINDOWS\system32\drivers\wpsdrvnt.sys **LOCKED** 32
19:13:23.921 Service WpsHelper C:\WINDOWS\system32\drivers\WpsHelper.sys **LOCKED** 32
19:13:24.421 Modules scanning
19:14:11.687 Disk 0 trace - called modules:
19:14:11.703 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
19:14:11.718 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7b78a0]
19:14:11.718 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a20c028]
19:14:36.046 AVAST engine scan C:\WINDOWS
19:15:11.656 AVAST engine scan C:\WINDOWS\system32
19:17:55.375 AVAST engine scan C:\WINDOWS\system32\drivers
19:18:11.078 AVAST engine scan C:\Documents and Settings\pscully
19:57:55.250 AVAST engine scan C:\Documents and Settings\All Users
20:05:02.031 Scan finished successfully
20:06:50.062 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\pscully\Desktop\Fixes\MBR.dat"
20:06:50.078 The log file has been saved successfully to "C:\Documents and Settings\pscully\Desktop\Fixes\aswMBR.txt"

I then ran SecurityCheck.exe and got this log file:

Results of screen317's Security Check version 0.99.18
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
Symantec Endpoint Protection
Rockwell Windows Firewall Configuration Utility 1.00.03
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Java(TM) 6 Update 26
Java 2 Runtime Environment, SE v1.4.2
Adobe Flash Player 10.3.181.34
Mozilla Firefox (3.6.18) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
``````````End of Log````````````

Any help will be appreciated.

Thanks in advance,

Re: 100k searches issue

Hi,

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start>Run, then copy/paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

(screenshot: Query_RC)

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot: RC_successful)

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

............................................................................................

I'm livin' life in the fast lane.

ComboFix results

Hi Sneakyone,

I tried to disable Symantec Endpoint Protection but the disable was grayed out.
Here is the ComboFix log, I attached it because it looked like an external link or email.

Thanks for your help.

ComboFix log

Here it is for real (I hope):

Re: 100k searches issue

Hi,

Please download Malwarebytes Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

............................................................................................

I'm livin' life in the fast lane.

Re: 100k searches issue

Hi,
Here is the log from Malwarebytes:



Thanks in advance,

Re: 100k searches issue

Hi,

I ran Malwarebytes in safe mode as described in the Using Malwarebytes Guide and posted that log in Post #6.
I then ran it again in normal mode twice and got the following two logs that I concatenated into one file.

Thanks,

Re: 100k searches issue

Hi,

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

............................................................................................

I'm livin' life in the fast lane.

Re: 100k searches issue

Hi,

Here is the log from ESET:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=639feb87add2954580920f367a8b6a34
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-07-31 06:12:05
# local_time=2011-07-31 02:12:05 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=200996
# found=0
# cleaned=0
# scan_time=6257
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=639feb87add2954580920f367a8b6a34
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-08-05 07:52:33
# local_time=2011-08-05 03:52:33 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=237513
# found=3
# cleaned=3
# scan_time=21654
C:\System Volume Information\_restore{39A642AC-C956-49A1-ADCF-C297E6B297EC}\RP179\A0036050.sys a variant of Win32/Rootkit.Kryptik.DM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{39A642AC-C956-49A1-ADCF-C297E6B297EC}\RP179\A0036051.ini a variant of Win32/Sirefef.CH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{39A642AC-C956-49A1-ADCF-C297E6B297EC}\RP188\A0036457.ini a variant of Win32/Sirefef.CH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


My Symantec Endpoint Protection also found Trojan.Zeroaccess when I started my machine at home.

Thanks,

Re: 100k searches issue

Hi,

How's your computer running now?

............................................................................................

I'm livin' life in the fast lane.

Re: 100k searches issue

Hi,

I'm still denied access to any Windows installer. It either does the configuration of the installer and stops, or I get a dialog box with: "Cannot launch C:\Windows\System32\msiexec.exe
Access is denied"

I cannot run OTL.com either.

Thanks in advance,

Re: 100k searches issue

Hi,


  1. Download Win32kDiag from any of the following locations and save it to your Desktop.

  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

............................................................................................

I'm livin' life in the fast lane.

Re: 100k searches issue

Hi,

Here is the Win32kDiag log file:

Running from: C:\Documents and Settings\pscully\Desktop\Fixes\Win32kDiag.exe

Log file at : C:\Documents and Settings\pscully\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\CCM\CcmExec.exe

[1] 2009-09-18 04:00:00 764768 C:\WINDOWS\system32\CCM\CcmExec.exe ()

Cannot access: C:\WINDOWS\system32\msiexec.exe

[1] 2008-04-14 06:42:30 78848 C:\WINDOWS\$NtUninstallKB942288-v3$\msiexec.exe (Microsoft Corporation)

[1] 2008-05-19 02:57:42 95744 C:\WINDOWS\system32\dllcache\msiexec.exe (Microsoft Corporation)

[1] 2008-05-19 02:57:42 95744 C:\WINDOWS\system32\msiexec.exe ()

Finished!

Thanks,

Re: 100k searches issue

Hi,

Submit a file for analysis.

1. Please visit this website: VirusTotal.com
2. Press the "Browse" button and locate the following file:
   C:\WINDOWS\system32\msiexec.exe
3. Press the "Upload" button to submit the file for analysis.
4. Allow it to be scanned; it could take a few minutes depending on server load.
5. Copy and paste the result back here.

............................................................................................

I'm livin' life in the fast lane.

Re: 100k searches issue

Hi,

The file did not want to be uploaded. The main analysis page tried to upload and did nothing else. I tried installing the Uploader 2.0 and it responded that it couldn't open the file.

Thanks,

Re: 100k searches issue

Hi,

Could you please upload it to mediafire.com and post a link here?

............................................................................................

I'm livin' life in the fast lane.

Re: 100k searches issue

Hi,

I get an upload failure: 'Permissions error. Error#-503'

Thanks,

Re: 100k searches issue

Can you right click on the file and copy it to your desktop, then upload it?

............................................................................................

I'm livin' life in the fast lane.

Re: 100k searches issue

Hi,

I can't copy it to my desktop. I get a dialog box with this message:
'Cannot copy msiexec.exe: Access is Denied.'

Thanks,

Re: 100k searches issue

Hi,

Re-running ComboFix to remove infections:

1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open Notepad and copy/paste the text in the quotebox below into it:

  FCopy::
  C:\WINDOWS\system32\dllcache\msiexec.exe | C:\WINDOWS\system32\msiexec.exe

4. Save this as CFScript.txt, in the same location as ComboFix.exe

  (screenshot: Cfscriptb4)

5. Referring to the picture above, drag CFScript into ComboFix.exe
6. When finished, it shall produce a log for you at C:\ComboFix.txt
7. Please post the contents of the log in your next reply.

............................................................................................

I'm livin' life in the fast lane.

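The Win32kDiag log posted earlier and the FCopy script above are two halves of one check: system32\msiexec.exe could not be opened and reported no publisher, while the dllcache copy of identical size still carried "Microsoft Corporation", so the helper copied the cached original back over it. This added Python example (not Win32kDiag, ComboFix or any code from the thread) parses a Win32kDiag-style log, flags blocked files whose live copy lacks publisher information while a same-named reference copy has it, and renders the matching FCopy directive; the sample log is constructed from the entries quoted in the thread.

```python
"""Flag Win32kDiag 'Cannot access' files whose live copy has lost its publisher
string while a same-named cached copy still carries one, and build the matching
ComboFix FCopy directive. Added example for this thread, not tool code."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the Win32kDiag log quoted earlier in the thread.
SAMPLE_LOG = r"""Running from: C:\Documents and Settings\pscully\Desktop\Fixes\Win32kDiag.exe

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\CCM\CcmExec.exe

[1] 2009-09-18 04:00:00 764768 C:\WINDOWS\system32\CCM\CcmExec.exe ()

Cannot access: C:\WINDOWS\system32\msiexec.exe

[1] 2008-04-14 06:42:30 78848 C:\WINDOWS\$NtUninstallKB942288-v3$\msiexec.exe (Microsoft Corporation)

[1] 2008-05-19 02:57:42 95744 C:\WINDOWS\system32\dllcache\msiexec.exe (Microsoft Corporation)

[1] 2008-05-19 02:57:42 95744 C:\WINDOWS\system32\msiexec.exe ()

Finished!
"""

# Entry line: "[n] YYYY-MM-DD hh:mm:ss <size> <path> (<publisher>)"
ENTRY_RE = re.compile(
    r"^\[(\d+)\]\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(.+?)\s+\((.*)\)\s*$"
)
BLOCKED_RE = re.compile(r"^Cannot access:\s+(.+?)\s*$")


@dataclass
class FileEntry:
    mtime: str
    size: int
    path: str
    publisher: str  # empty when Win32kDiag printed "()"


def parse_win32kdiag(text: str) -> Tuple[List[str], List[FileEntry]]:
    """Return (paths Win32kDiag could not open, every file entry it listed)."""
    blocked: List[str] = []
    entries: List[FileEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = BLOCKED_RE.match(line)
        if m:
            blocked.append(m.group(1))
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(FileEntry(m.group(2), int(m.group(3)), m.group(4), m.group(5)))
    return blocked, entries


def _dllcache_first(entry: FileEntry) -> int:
    # Prefer the dllcache copy as restore source over uninstall-backup folders.
    return 0 if "\\dllcache\\" in entry.path.lower() else 1


def assess(text: str) -> Dict[str, dict]:
    """Per blocked file: 'ok' (publisher present), 'suspect' (publisher missing
    but a published reference copy exists) or 'no_reference' (nothing to compare
    against, so no conclusion can be drawn from this log alone)."""
    blocked, entries = parse_win32kdiag(text)
    by_name: Dict[str, List[FileEntry]] = {}
    for e in entries:
        by_name.setdefault(ntpath.basename(e.path).lower(), []).append(e)

    findings: Dict[str, dict] = {}
    for path in blocked:
        group = by_name.get(ntpath.basename(path).lower(), [])
        live: Optional[FileEntry] = next(
            (e for e in group if e.path.lower() == path.lower()), None)
        refs = [e for e in group if e is not live and e.publisher]
        if live is None or not refs:
            findings[path] = {"status": "no_reference", "restore_from": None, "size_match": False}
        elif live.publisher:
            findings[path] = {"status": "ok", "restore_from": None, "size_match": False}
        else:
            # Identical size with the version resource gone is the classic sign of
            # an in-place patched binary; prefer such a reference when one exists.
            same_size = [r for r in refs if r.size == live.size]
            pick = sorted(same_size or refs, key=_dllcache_first)[0]
            findings[path] = {"status": "suspect", "restore_from": pick.path,
                              "size_match": bool(same_size)}
    return findings


def cfscript_fcopy(findings: Dict[str, dict]) -> str:
    """Render a ComboFix FCopy block ("source | destination" per line) for
    every suspect file, in the form used in the CFScript above."""
    lines = ["FCopy::"]
    for path, f in findings.items():
        if f["status"] == "suspect":
            lines.append(f"{f['restore_from']} | {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = assess(SAMPLE_LOG)
    for path, f in result.items():
        print(f"{f['status']:<12} {path}")
    print(cfscript_fcopy(result))
```

Only files that Win32kDiag itself could not open are examined, so CcmExec.exe comes back as no_reference rather than as a finding: the log offers no second copy to compare it with.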
Re: 100k searches issue

Hi,

Here is the ComboFix log:

    ComboFix 11-08-18.02 - pscully 08/18/2011 16:12:29.2.4 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3510.2616 [GMT -4:00]
    Running from: c:\documents and settings\pscully\Desktop\Fixes\commy.exe
    Command switches used :: c:\documents and settings\pscully\Desktop\Fixes\CFScript.txt
    AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Symantec Endpoint Protection *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\system32\dllcache\msiexec.exe --> c:\windows\system32\msiexec.exe
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-18 to 2011-08-18 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-18 20:06 . 2011-08-18 20:06 -------- d-----w- c:\documents and settings\pscully\Application Data\smkits
    2011-08-18 19:22 . 2011-08-18 19:22 -------- d-----w- c:\documents and settings\pscully\Local Settings\Application Data\BostonUniversity
    2011-08-18 13:01 . 2011-08-12 05:57 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-08-18 13:01 . 2011-08-12 05:57 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
    2011-08-18 13:01 . 2011-08-12 05:57 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
    2011-08-18 13:01 . 2011-08-12 05:57 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
    2011-08-18 13:01 . 2011-08-12 05:57 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
    2011-08-18 13:01 . 2011-08-12 05:57 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
    2011-08-18 13:01 . 2011-08-12 03:16 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2011-08-18 13:01 . 2011-08-12 03:16 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    2011-08-10 22:38 . 2011-08-10 22:38 -------- d-----w- c:\program files\VirusTotalUploader2
    2011-08-08 13:40 . 2011-08-08 13:40 21064 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-08-08 13:40 . 2011-08-08 13:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2011-08-08 13:34 . 2011-08-08 13:34 -------- d--h--w- c:\windows\PIF
    2011-08-04 14:14 . 2011-08-04 14:14 -------- d-----w- c:\windows\system32\Wave Systems Corp
    2011-08-04 13:25 . 2011-08-04 13:25 -------- d-----w- c:\documents and settings\pscully\Application Data\Malwarebytes
    2011-08-04 13:25 . 2011-08-04 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-08-03 14:11 . 2011-08-03 14:32 -------- d-----w- c:\documents and settings\pscully\Application Data\InfraRecorder
    2011-08-03 14:10 . 2011-08-03 14:10 -------- d-----w- c:\program files\InfraRecorder
    2011-08-03 12:32 . 2011-08-03 12:32 -------- d-----w- C:\Downloads
    2011-08-03 12:31 . 2011-08-15 18:01 -------- d-----w- c:\program files\FlashGet
    2011-07-28 16:53 . 2011-07-28 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith
    2011-07-28 16:53 . 2011-07-28 16:53 -------- d-----w- c:\program files\TechSmith
    2011-07-28 16:53 . 2011-07-28 16:53 -------- d-----w- c:\documents and settings\pscully\Local Settings\Application Data\TechSmith
    2011-07-28 16:51 . 2011-07-28 16:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2011-07-28 02:36 . 2011-07-28 02:36 -------- d-----w- c:\documents and settings\pscully\Local Settings\Application Data\PCHealth
    2011-07-28 02:14 . 2011-07-28 02:22 -------- d-----w- c:\windows\SxsCaPendDel
    2011-07-28 01:17 . 2011-07-28 01:17 -------- d-----w- c:\program files\Common Files\L&H
    2011-07-28 01:04 . 2011-07-28 01:04 -------- d-----r- C:\MSOCache
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-18 19:58 . 2011-01-14 18:17 0 ----a-w- c:\documents and settings\pscully\Local Settings\Application Data\WavXMapDrive.bat
    2011-08-15 00:08 . 2011-07-13 12:43 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-28 02:11 . 2011-02-24 16:52 2377696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
    2011-06-02 14:07 . 2010-11-16 09:37 1867904 ----a-w- c:\windows\system32\win32k.sys
    2011-08-12 05:57 . 2011-08-18 13:01 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-08-03_13.14.44 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-08-18 19:54 . 2011-08-18 19:54 16384 c:\windows\Temp\Perflib_Perfdata_450.dat
    + 2010-11-16 09:37 . 2011-08-18 20:00 582036 c:\windows\system32\perfh009.dat
    - 2010-11-16 09:37 . 2011-08-03 13:17 582036 c:\windows\system32\perfh009.dat
    + 2010-11-16 09:37 . 2011-08-18 20:00 116426 c:\windows\system32\perfc009.dat
    - 2010-11-16 09:37 . 2011-08-03 13:17 116426 c:\windows\system32\perfc009.dat
    + 2011-08-15 00:08 . 2011-08-15 00:08 243360 c:\windows\system32\Macromed\Flash\FlashUtil10v_Plugin.exe
    + 2011-01-14 21:46 . 2011-08-15 00:08 6277280 c:\windows\system32\Macromed\Flash\NPSWF32.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
    @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
    [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
    2009-11-24 20:48 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
    @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
    [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
    2009-11-24 20:48 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-29 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-29 174104]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-03-29 144920]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-03-29 278528]
    "AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-07-07 737280]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-09-15 115560]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-11-02 657920]
    "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2010-01-14 158592]
    "USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2010-01-14 34232]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
    "RightFAX Print-to-Fax Driver"="c:\program files\RightFax\Client\FaxCtrl.exe" [2007-03-22 98304]
    "eCopy Scan Inbox Monitor"="c:\program files\eCopy\Desktop 9.0\Bin\InboxMonitor.exe" [2006-11-21 65536]
    "eDP2eD"="c:\program files\eCopy\Desktop 9.0\Bin\eDP2eD.exe" [2006-11-21 118784]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
    "Asset Insight SUM"="c:\program files\Insight\Tools\AISOFTMN.EXE" [2002-04-23 8091]
    "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
    "UsbCipHelper"="c:\program files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe" [2008-05-27 434176]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "CompatibleRUPSecurity"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
    "NoAutoUpdate"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2723623973-1505943458-2159161028-60746\Scripts\Logon\0\0]
    "Script"=RAdminConfig.bat
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AllAlertsDisabled"=dword:00000001
    "TermService"=dword:00000001
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
    "c:\\Program Files\\Common Files\\Rockwell\\EventClientMultiplexer.exe"=
    "c:\\Program Files\\Common Files\\Rockwell\\RsvcHost.exe"=
    "c:\\Program Files\\Common Files\\Rockwell\\RdcyHost.exe"=
    "c:\\Program Files\\Common Files\\Rockwell\\NmspHost.exe"=
    "c:\\Program Files\\Common Files\\Rockwell\\RnaDirServer.exe"=
    "c:\\Program Files\\Common Files\\Rockwell\\EventServer.exe"=
    "c:\\Program Files\\Common Files\\Rockwell\\DaClient.exe"=
    "c:\\Program Files\\Common Files\\Rockwell\\RNADiagReceiver.exe"=
    "c:\\Program Files\\Common Files\\Rockwell\\VStudio.exe"=
    "c:\\WINDOWS\\system32\\OpcEnum.exe"=
    "c:\\Program Files\\Rockwell Software\\RSLinx\\RSLINX.EXE"=
    "c:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe"=
    "c:\\Program Files\\Rockwell Software\\RSCommon\\rssql_xml.exe"=
    "c:\\Program Files\\Rockwell Software\\RSSql\\rssql.exe"=
    "c:\\Program Files\\Rockwell Software\\RSSql\\rssql_tmctrl.exe"=
    "c:\\Program Files\\Rockwell Software\\RSSql\\rssql_trnmgr.exe"=
    "c:\\Program Files\\Rockwell Software\\RSSql\\rssql_cfg_server.exe"=
    "c:\\Program Files\\Rockwell Software\\RSSql\\rssql_comp_storer.exe"=
    "c:\\Program Files\\Rockwell Software\\RSSql\\rssql_lnxcoll.exe"=
    "c:\\Program Files\\Rockwell Software\\RSSql\\rssql_rnacoll.exe"=
    "c:\\Program Files\\Rockwell Software\\RSSql\\rssql_rsvcoll.exe"=
    "c:\\Program Files\\Rockwell Software\\RSSql\\rssql_opccoll.exe"=
    "c:\\Program Files\\Rockwell Software\\RSSql\\rssql_trx_csv.exe"=
    "c:\\Program Files\\Schneider Electric\\ConneXium\\LANconfig\\lanconf.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "4899:UDP"= 4899:UDP:RAdmin
    "4899:TCP"= 4899:TCP:RAdmin
    "135:TCP"= 135:TCP:Port 135 TCP
    "137:UDP"= 137:UDP:@xpsp2res.dll,-22001
    "400:TCP"= 400:TCP:Port 400 TCP
    "401:TCP"= 401:TCP:Port 401 TCP
    "402:TCP"= 402:TCP:Port 402 TCP
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)
    .
    R1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\drivers\VirtualBackplane.sys [07/23/2008 4:07 PM 63544]
    R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [11/20/2009 6:42 PM 278304]
    R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [12/17/2009 11:45 AM 812448]
    R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [12/17/2009 11:45 AM 27040]
    R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [12/10/2009 2:09 PM 376608]
    R2 NA_Service;NetAccess Service;c:\windows\system32\NA_Service.exe [01/17/2011 2:47 PM 49152]
    R2 NmspHost;Rockwell Namespace Services;c:\program files\Common Files\Rockwell\NmspHost.exe [06/25/2008 2:14 PM 218408]
    R2 RdcyHost;Rockwell Redundancy Services;c:\program files\Common Files\Rockwell\RdcyHost.exe [06/25/2008 2:14 PM 218408]
    R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [11/16/2010 5:31 AM 47616]
    R2 rssql_cfg_server;FactoryTalk Transaction Manager Configuration Server;c:\program files\Rockwell Software\RSSql\rssql_cfg_server.exe [09/25/2007 8:46 PM 229444]
    R2 rssql_comp_storer;FactoryTalk Transaction Manager Compression Server;c:\program files\Rockwell Software\RSSql\rssql_comp_storer.exe [09/25/2007 8:48 PM 114757]
    R2 UsbConnect;Usb PLC;c:\windows\system32\UsbConnect.exe [01/17/2011 2:48 PM 77824]
    R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Accelern.sys [11/16/2010 5:30 AM 42672]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [11/16/2010 5:30 AM 113664]
    R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [11/16/2010 5:31 AM 33832]
    R3 Duntlw;UNTLW device;c:\windows\system32\drivers\DuntlwNT.sys [01/17/2011 2:47 PM 53568]
    R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [11/16/2010 5:30 AM 167080]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [07/27/2011 4:00 AM 105592]
    R3 EventServer;Rockwell Event Server;c:\program files\Common Files\Rockwell\EventServer.exe [06/25/2008 2:12 PM 222504]
    R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [11/16/2010 5:31 AM 132352]
    R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [11/16/2010 5:31 AM 215040]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [03/18/2010 2:16 PM 130384]
    S2 FTActivationBoost;FactoryTalk Activation Helper;"c:\program files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe" --> c:\program files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe [?]
    S2 r_server;Remote Administrator Service;c:\program files\RAdmin\r_server.exe [07/24/2001 12:15 PM 241664]
    S3 1784-PCIDS DeviceNet;1784-PCIDS DeviceNet;c:\program files\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe [07/23/2008 4:19 PM 106496]
    S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [01/20/2011 3:01 PM 20160]
    S3 ClmbxPnP;Cyberlogic MBX Driver (PnP);c:\windows\system32\Drivers\ClmbxPnP.sys --> c:\windows\system32\Drivers\ClmbxPnP.sys [?]
    S3 CLMbxUsb;Cyberlogic MBX Driver (USB);c:\windows\system32\drivers\CLMbxUsb.sys [01/21/2011 4:54 PM 94608]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [09/15/2009 3:59 PM 23888]
    S3 eMBX;Cyberlogic Ethernet MBX Driver;c:\program files\Cyberlogic\Ethernet MBX Driver\EMbxRpcS.exe [02/05/2008 3:51 PM 222480]
    S3 EmuLogix 5868 Slot0;EmuLogix 5868 Slot0;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot1;EmuLogix 5868 Slot1;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot10;EmuLogix 5868 Slot10;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot11;EmuLogix 5868 Slot11;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot12;EmuLogix 5868 Slot12;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot13;EmuLogix 5868 Slot13;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot14;EmuLogix 5868 Slot14;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot15;EmuLogix 5868 Slot15;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot16;EmuLogix 5868 Slot16;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot2;EmuLogix 5868 Slot2;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot3;EmuLogix 5868 Slot3;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot4;EmuLogix 5868 Slot4;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot5;EmuLogix 5868 Slot5;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot6;EmuLogix 5868 Slot6;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot7;EmuLogix 5868 Slot7;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot8;EmuLogix 5868 Slot8;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot9;EmuLogix 5868 Slot9;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 gMBX;Cyberlogic MBX Gateway Server;c:\program files\Common Files\Cyberlogic Shared\gMbxRpcS.exe [10/04/2007 11:00 AM 182544]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [06/25/2010 1:07 PM 35088]
    S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [07/05/2008 7:19 PM 39067]
    S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [07/05/2008 7:19 PM 155440]
    S3 rssql_ddecoll;FactoryTalk Transaction Manager DDE Connector;c:\program files\Rockwell Software\RSSql\rssql_ddecoll.exe [09/25/2007 8:48 PM 118849]
    S3 rssql_lnxcoll;FactoryTalk Transaction Manager RSlinx Connector;c:\program files\Rockwell Software\RSSql\rssql_lnxcoll.exe [09/25/2007 8:48 PM 315457]
    S3 rssql_mts_storer;FactoryTalk Transaction Manager COM+ Enterprise Connector;c:\program files\Rockwell Software\RSSql\rssql_mts_storer.exe [09/25/2007 8:48 PM 65604]
    S3 rssql_oci_storer;FactoryTalk Transaction Manager OCI Enterprise Connector ;c:\program files\Rockwell Software\RSSql\rssql_oci_storer.exe [09/25/2007 8:47 PM 73796]
    S3 rssql_oledb_storer;FactoryTalk Transaction Manager OLE-DB Enterprise Connector ;c:\program files\Rockwell Software\RSSql\rssql_oledb_storer.exe [09/25/2007 8:47 PM 65606]
    S3 rssql_opccoll;FactoryTalk Transaction Manager OPC Connector;c:\program files\Rockwell Software\RSSql\rssql_opccoll.exe [09/25/2007 8:48 PM 315457]
    S3 rssql_rnacoll;FactoryTalk Transaction Manager FactoryTalk Connector;c:\program files\Rockwell Software\RSSql\rssql_rnacoll.exe [09/25/2007 8:49 PM 315457]
    S3 rssql_rsvcoll;FactoryTalk Transaction Manager RSView Connector;c:\program files\Rockwell Software\RSSql\rssql_rsvcoll.exe [09/25/2007 8:48 PM 307265]
    S3 rssql_storer;FactoryTalk Transaction Manager ODBC Enterprise Connector;c:\program files\Rockwell Software\RSSql\rssql_storer.exe [09/25/2007 8:47 PM 69696]
    S3 rssql_tb;FactoryTalk Transaction Manager Transaction Manager Service;c:\program files\Rockwell Software\RSSql\rssql_trnmgr.exe [09/25/2007 8:47 PM 155712]
    S3 rssql_tmctrl;FactoryTalk Transaction Manager Transaction and Control Manager ;c:\program files\Rockwell Software\RSSql\rssql_tmctrl.exe [09/25/2007 8:47 PM 176192]
    S3 SimModuleService;1789-SIM Simulator Module;c:\program files\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe [07/23/2008 4:09 PM 98304]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [11/16/2010 5:37 AM 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [03/18/2010 2:16 PM 753504]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [07/22/2009 11:08 PM 47128]
    S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [03/30/2009 4:09 AM 239336]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [03/30/2009 4:23 AM 366936]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://swebi.schneider-electric.com/
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - c:\program files\Microsoft Office\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 139.158.8.4 10.171.189.88 139.160.64.155 157.198.12.10
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\pscully\Application Data\Mozilla\Firefox\Profiles\1bb1k3xt.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-18 16:22
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    UsbCipHelper = c:\program files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe???????????Nj?w??????@???D????????|P?E????|???????????????|????P?E?????????8???????????????????>?@?????T???@????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
    "Licence0"="REMOVED"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(4540)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\msi.dll
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2011-08-18 16:25:07
    ComboFix-quarantined-files.txt 2011-08-18 20:25
    ComboFix2.txt 2011-08-03 13:20
    .
    Pre-Run: 40,798,785,536 bytes free
    Post-Run: 40,909,385,728 bytes free
    .
    - - End Of File - - AE5547FEF9477E2FF366DB2E68D0E251


    Thanks,

Re: 100k searches issue
    Hi,

Please download Malwarebytes Anti-Malware from Here.


    Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy & Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    ............................................................................................

    I'm livin' life in the fast lane.

Re: 100k searches issue
    Hi,

    Here is the Malwarebytes log:

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7507

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    08/19/2011 9:16:03 AM
    mbam-log-2011-08-19 (09-16-03).txt

    Scan type: Quick scan
    Objects scanned: 211163
    Time elapsed: 5 minute(s), 57 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Thanks,
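The log above has a fixed layout that is easy to check mechanically: a block of per-category counts, then one section per category listing each detection with its signature name, the bad/good value pair and the action taken. The following is an added example (not code from the thread or from Malwarebytes) that parses that layout, verifies the summary counts against the items actually listed, and separates `PUM.*` entries (potentially unwanted modifications, i.e. changed settings such as the Security Center notification flags) from detections of actual files or processes. The sample log is constructed from the lines quoted in the post; the function and class names are this example's own.

```python
"""Parse a Malwarebytes Anti-Malware 1.x text log and triage its findings.

Added example for the forum thread; not Malwarebytes' own tooling.
The sample log is constructed from the lines quoted in the post.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the summary block and the populated "Registry Data
# Items Infected" section from the posted log, trimmed to the relevant lines.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.51.1.1800
Database version: 7507
Scan type: Quick scan
Objects scanned: 211163

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# "Registry Data Items Infected: 2"  -> summary count for a category
SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "Registry Data Items Infected:"    -> start of that category's item list
SECTION_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected):$")
# "<item> (<signature>) [-> Bad: (x) Good: (y)] -> <action>"
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<signature>[^)]+)\)"
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" -> (?P<action>.+)$"
)


@dataclass
class Detection:
    category: str
    item: str
    signature: str
    action: str
    bad: Optional[str] = None   # only present for registry data items
    good: Optional[str] = None

    @property
    def is_pum(self) -> bool:
        # MBAM names settings changes "PUM.*" rather than malware families.
        return self.signature.startswith("PUM.")


@dataclass
class MbamReport:
    summary: Dict[str, int] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)


def parse_mbam_log(text: str) -> MbamReport:
    """Walk the log once, collecting summary counts and per-section items."""
    report = MbamReport()
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.summary[m.group("category")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("category")
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            report.detections.append(Detection(
                section, m.group("item"), m.group("signature"),
                m.group("action"), m.group("bad"), m.group("good")))
    return report


def summary_mismatches(report: MbamReport) -> Dict[str, Tuple[int, int]]:
    """Categories whose summary count differs from the items actually listed
    (a truncated paste shows up here as a missing item)."""
    listed: Dict[str, int] = {}
    for d in report.detections:
        listed[d.category] = listed.get(d.category, 0) + 1
    return {c: (n, listed.get(c, 0))
            for c, n in report.summary.items() if n != listed.get(c, 0)}


def triage(report: MbamReport) -> Tuple[List[Detection], List[Detection]]:
    """Split detections into PUM settings changes and everything else."""
    pum = [d for d in report.detections if d.is_pum]
    other = [d for d in report.detections if not d.is_pum]
    return pum, other


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    pum, other = triage(rep)
    print(f"{len(pum)} settings changes (PUM), {len(other)} other detections")
    for d in pum:
        print(f"  {d.item} [{d.signature}] bad={d.bad} good={d.good}")
    print("summary mismatches:", summary_mismatches(rep) or "none")
```

Run against the posted log, the triage reports two PUM entries and no other detections, which is the distinction behind the "not much of an issue" answer later in the thread: both hits are Security Center notification flags being set to 1 (disabled), not malicious files. Keeping the bad/good values lets a responder see exactly which setting was changed and what MBAM restored it to.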

Re: 100k searches issue
    What other signs of infection are there?

Re: 100k searches issue
    Hi,

My Windows installer is working now. The only thing that is out of the ordinary is my 'Symantec Endpoint Protection File System Auto-Protect is malfunctioning'.

    I ran Malwarebytes again after a reboot and got those same two hits:

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Is this an issue?

    Thanks,

Re: 100k searches issue
    Not much of an issue...

    do you want to try to reinstall your Symantec Product?

Re: 100k searches issue
    Hi,

    I will try the reinstall.

    Thank you guys so much. I'll let you know how it goes.

Re: 100k searches issue
    OKAY
