TechSpot

0i763f66bz -- can't get rid of it

Solved
By mekabuser
Jul 17, 2012
  1. First virus ever that was troublesome. Tried getting rid of it with traditional methods: Ad-Aware, Malwarebytes, IObit (tried shredding it with IObit), tried stopping the process. We now all know none of that helps. Computer is basically functional; it eats 25% CPU but that's about it, aside from the strange music.

    What is the first thing I should do ? Thanks in advance. Broni et al, you guys are fantastic.
  2. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000 characters post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please, observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. mekabuser

    mekabuser TS Rookie Topic Starter Posts: 63

    Thanks for the help. A few points: I am unable to enable my Windows Firewall; I get the message "Windows Firewall can't change some of your settings. Error code 0x80070424". Also I was unable to install antivirus. Ad-Aware Free I couldn't get to work, Comodo was disconnecting me from the internet (just like the latest version of Ad-Aware), so I still have no antivirus. Here are the logs.
    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org
    Database version: v2012.07.18.12
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    bing :: BING-PC [administrator]
    7/18/2012 6:08:00 PM
    mbam-log-2012-07-18 (18-08-00).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 190785
    Time elapsed: 3 minute(s), 59 second(s)
    Memory Processes Detected: 1
    c:\users\bing\0i763f66bz.exe (Trojan.Agent) -> 2380 -> Delete on reboot.
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|0i763f66bz (Trojan.Agent) -> Data: C:\Users\bing\0i763f66bz.exe -> Quarantined and deleted successfully.
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 6
    C:\Windows\Installer\{5d463ba7-dce0-4c6e-e783-06357ec45974}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
    c:\users\bing\0i763f66bz.exe (Trojan.Agent) -> Delete on reboot.
    c:\users\public\0i763f66bz.exe (Trojan.Agent) -> Delete on reboot.
    c:\windows\serviceprofiles\localservice\0i763f66bz.exe (Trojan.Agent) -> Delete on reboot.
    c:\windows\serviceprofiles\networkservice\0i763f66bz.exe (Trojan.Agent) -> Delete on reboot.
    c:\windows\system32\config\systemprofile\0i763f66bz.exe (Trojan.Agent) -> Delete on reboot.
    (end)
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-07-18 19:55:21
    Windows 6.1.7601 Service Pack 1
    Running: vt91odlv.exe

    ---- Services - GMER 1.0.15 ----
    Service C:\SystemRoot\System32\Drivers\ff8dd40f59eeaad9.sys (*** hidden *** ) [BOOT] ff8dd40f59eeaad9 <-- ROOTKIT !!!
    ---- Registry - GMER 1.0.15 ----
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000b6b63a4ee
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b482fee44d81
    Reg HKLM\SYSTEM\CurrentControlSet\services\ff8dd40f59eeaad9@ImagePath \SystemRoot\System32\Drivers\ff8dd40f59eeaad9.sys
    Reg HKLM\SYSTEM\CurrentControlSet\services\ff8dd40f59eeaad9@Group Boot Bus Extender
    Reg HKLM\SYSTEM\CurrentControlSet\services\ff8dd40f59eeaad9@ErrorControl 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\ff8dd40f59eeaad9@Type 1
    Reg HKLM\SYSTEM\CurrentControlSet\services\ff8dd40f59eeaad9@Start 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\ff8dd40f59eeaad9@Tag 1
    Reg HKLM\SYSTEM\CurrentControlSet\services\ff8dd40f59eeaad9@DisplayName 0i763f66bz.exe
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000b6b63a4ee (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b482fee44d81 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\ff8dd40f59eeaad9@ImagePath \SystemRoot\System32\Drivers\ff8dd40f59eeaad9.sys
    Reg HKLM\SYSTEM\ControlSet002\services\ff8dd40f59eeaad9@Group Boot Bus Extender
    Reg HKLM\SYSTEM\ControlSet002\services\ff8dd40f59eeaad9@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet002\services\ff8dd40f59eeaad9@Type 1
    Reg HKLM\SYSTEM\ControlSet002\services\ff8dd40f59eeaad9@Start 0
    Reg HKLM\SYSTEM\ControlSet002\services\ff8dd40f59eeaad9@Tag 1
    Reg HKLM\SYSTEM\ControlSet002\services\ff8dd40f59eeaad9@DisplayName 0i763f66bz.exe
    ---- EOF - GMER 1.0.15 ----
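The Malwarebytes and GMER logs in this post show the three things that made this infection survive the process kills described in the first post: a Run key that relaunches the dropper, copies of the same executable in several user and service profiles, and a hidden boot-start driver whose DisplayName is the dropper's filename. The Python below is an added example written for this page, not code or output from the thread, from Malwarebytes or from GMER: it parses the two log formats, cross-correlates them, and prints the persistence findings. The sample lines are copied from the logs above; the triage rules are heuristics written for this example, not anything the scanners emit.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: lines copied verbatim from the Malwarebytes and GMER logs in
# this thread. The parser and the triage rules are an added example, not
# output or code from either tool.
MBAM_LOG = r"""
Memory Processes Detected: 1
c:\users\bing\0i763f66bz.exe (Trojan.Agent) -> 2380 -> Delete on reboot.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|0i763f66bz (Trojan.Agent) -> Data: C:\Users\bing\0i763f66bz.exe -> Quarantined and deleted successfully.
C:\Windows\Installer\{5d463ba7-dce0-4c6e-e783-06357ec45974}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
c:\users\bing\0i763f66bz.exe (Trojan.Agent) -> Delete on reboot.
c:\users\public\0i763f66bz.exe (Trojan.Agent) -> Delete on reboot.
c:\windows\serviceprofiles\localservice\0i763f66bz.exe (Trojan.Agent) -> Delete on reboot.
"""

GMER_LOG = r"""
Service C:\SystemRoot\System32\Drivers\ff8dd40f59eeaad9.sys (*** hidden *** ) [BOOT] ff8dd40f59eeaad9 <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000b6b63a4ee
Reg HKLM\SYSTEM\CurrentControlSet\services\ff8dd40f59eeaad9@ImagePath \SystemRoot\System32\Drivers\ff8dd40f59eeaad9.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\ff8dd40f59eeaad9@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\services\ff8dd40f59eeaad9@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\ff8dd40f59eeaad9@DisplayName 0i763f66bz.exe
"""


@dataclass(frozen=True)
class Detection:
    kind: str    # "process", "registry_value" or "file"
    item: str    # file path, or registry key|value name
    family: str  # scanner label, e.g. Trojan.Agent
    action: str  # what the scanner did or scheduled

# "<item> (<family>) -> [<pid> ->] [Data: <x> ->] <action>"
MBAM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
# "Reg HKLM\SYSTEM\CurrentControlSet\services\<svc>@<value> <data>"
GMER_REG_RE = re.compile(
    r"^Reg HKLM\\SYSTEM\\CurrentControlSet\\services\\(?P<svc>[^\\@ ]+)@(?P<name>\S+)\s*(?P<data>.*)$")
# "Service <image> (<flags>) [<start>] <svc> ..."
GMER_SVC_RE = re.compile(r"^Service (?P<image>\S+) \((?P<flags>[^)]*)\) \[(?P<start>\w+)\] (?P<svc>\S+)")


def parse_mbam(text):
    """Return one Detection per item line; header and summary lines are skipped."""
    found = []
    for line in text.splitlines():
        m = MBAM_RE.match(line.strip())
        if not m:
            continue
        item, family, rest = m.group("item", "family", "rest")
        parts = [p.strip() for p in rest.split("->")]
        if item.upper().startswith(("HKCU", "HKLM", "HKU", "HKCR")):
            kind = "registry_value"
        elif len(parts) > 1 and parts[0].isdigit():
            kind = "process"  # a memory hit carries the PID before the action
        else:
            kind = "file"
        found.append(Detection(kind, item, family, parts[-1]))
    return found


def parse_gmer_services(text):
    """Collect per-service facts: hidden flag, start type and registry values."""
    services = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        m = GMER_SVC_RE.match(line)
        if m:
            services[m["svc"]]["hidden"] = "hidden" in m["flags"]
            services[m["svc"]]["start_type"] = m["start"]
            continue
        m = GMER_REG_RE.match(line)
        if m:
            services[m["svc"]][m["name"]] = m["data"].strip()
    return dict(services)


def triage(detections, services):
    """Explain, in defender terms, why killing the process did not remove it."""
    findings = []
    by_name = defaultdict(set)  # basename -> folders it was found in
    for d in detections:
        if d.kind == "registry_value" and "\\currentversion\\run|" in d.item.lower():
            findings.append(f"run-key persistence: {d.item}")
        elif d.kind == "file":
            folder, _, name = d.item.lower().rpartition("\\")
            by_name[name].add(folder)
    for name, folders in by_name.items():
        if len(folders) > 1:  # same dropper copied into several profiles
            findings.append(f"multi-profile drop: {name} in {len(folders)} folders")
    for svc, info in services.items():
        # Start=0 (boot start) loads during kernel initialization, ahead of
        # user-mode scanners; "hidden" means the registry view was filtered.
        if info.get("hidden") and info.get("Start") == "0":
            findings.append(f"hidden boot-start driver: {svc} ({info.get('ImagePath')})")
        if info.get("DisplayName", "").lower() in by_name:
            findings.append(f"driver {svc} tied to dropper {info['DisplayName']}")
    return findings
```

Running `triage(parse_mbam(MBAM_LOG), parse_gmer_services(GMER_LOG))` yields four findings: the HKCU Run value, the same `.exe` in three profile folders, the hidden Start=0 driver, and the link between that driver's DisplayName and the dropped file. The last rule is the useful one for a triager reading two tools' output side by side: the GMER entry on its own is just an odd driver name, and the Malwarebytes entries on their own look like a user-mode trojan; together they show one component reinstalling the other.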
  4. Broni

    Broni Malware Annihilator Posts: 46,713   +254

  5. mekabuser

    mekabuser TS Rookie Topic Starter Posts: 63

    one moment, IE keeps saying the website is not responding
  6. mekabuser

    mekabuser TS Rookie Topic Starter Posts: 63

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421
    Run by bing at 21:06:54 on 2012-07-18
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2933.1045 [GMT -4:00]
    .
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    .
    ============== Running Processes ===============
    .
    C:\windows\system32\wininit.exe
    C:\windows\system32\lsm.exe
    C:\windows\system32\svchost.exe -k DcomLaunch
    C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCService.exe
    C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
    C:\windows\system32\svchost.exe -k RPCSS
    C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\windows\system32\svchost.exe -k netsvcs
    C:\windows\system32\svchost.exe -k LocalService
    C:\windows\system32\svchost.exe -k NetworkService
    C:\windows\System32\spoolsv.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
    C:\windows\system32\Dwm.exe
    C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
    C:\windows\Explorer.EXE
    C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
    C:\windows\system32\taskhost.exe
    C:\windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
    C:\windows\system32\taskeng.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
    C:\Program Files\Elantech\ETDCtrl.exe
    C:\Windows\System32\igfxtray.exe
    C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe
    C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
    D:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe
    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Elantech\ETDCtrlHelper.exe
    C:\windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
    C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_265_ActiveX.exe
    C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe
    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe
    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    C:\windows\System32\svchost.exe -k swprv
    C:\windows\SysWOW64\NOTEPAD.EXE
    \\.\globalroot\systemroot\Installer\{5d463ba7-dce0-4c6e-e783-06357ec45974}\U
    C:\windows\system32\DllHost.exe
    C:\windows\system32\DllHost.exe
    C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\conhost.exe
    C:\windows\SysWOW64\cscript.exe
    C:\windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Page_URL = hxxp://samsung.msn.com
    mStart Page = hxxp://samsung.msn.com
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
    mURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
    mWinlogon: Userinit=userinit.exe,
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    uRun: [Advanced SystemCare 5] "C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe" /AutoStart
    mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
    mRun: [SSBkgdUpdate] "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    mRun: [PaperPort PTD] "C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe"
    mRun: [IndexSearch] "C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe"
    mRun: [PPort11reminder] "C:\Program Files (x86)\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
    mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "D:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [ControlCenter3] C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe /autorun
    mRun: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    Trusted Zone: intuit.com\ttlc
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.4.26.0.cab
    TCP: DhcpNameServer = 167.206.254.1 167.206.254.2
    TCP: Interfaces\{0E60EF94-B41C-479A-B729-CAE7EA4F430C} : DhcpNameServer = 167.206.254.1 167.206.254.2
    TCP: Interfaces\{0E60EF94-B41C-479A-B729-CAE7EA4F430C}\2696E676 : DhcpNameServer = 167.206.254.1 167.206.254.2
    TCP: Interfaces\{0E60EF94-B41C-479A-B729-CAE7EA4F430C}\4796D656771627E65627361626C65677966696 : DhcpNameServer = 10.240.205.161 10.240.205.162
    TCP: Interfaces\{0E60EF94-B41C-479A-B729-CAE7EA4F430C}\A657A6572656165723032303 : DhcpNameServer = 124.106.6.2 124.106.5.2
    TCP: Interfaces\{0E60EF94-B41C-479A-B729-CAE7EA4F430C}\F6074796D657D677966696 : DhcpNameServer = 10.240.205.161 10.240.205.162
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO-X64: SkypeIEPluginBHO - No File
    BHO-X64: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
    BHO-X64: Vuze Remote - No File
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB-X64: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
    TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    mRun-x64: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
    mRun-x64: [SSBkgdUpdate] "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    mRun-x64: [PaperPort PTD] "C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe"
    mRun-x64: [IndexSearch] "C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe"
    mRun-x64: [PPort11reminder] "C:\Program Files (x86)\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
    mRun-x64: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [iTunesHelper] "D:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [ControlCenter3] C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe /autorun
    mRun-x64: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 SABI;SAMSUNG Kernel Driver For Windows 7;\??\C:\windows\system32\Drivers\SABI.sys --> C:\windows\system32\Drivers\SABI.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
    R2 a2AntiMalware;Emsisoft Anti-Malware 6.6 - Service;C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [2012-7-13 3069752]
    R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-4-4 63928]
    R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [2012-5-24 913752]
    R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
    R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-1 2804568]
    R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
    R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-7-5 3048136]
    R3 ETD;ELAN PS/2 Port Input Device;C:\windows\system32\DRIVERS\ETD.sys --> C:\windows\system32\DRIVERS\ETD.sys [?]
    R3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]
    R3 IntcDAud;Intel(R) Display Audio;C:\windows\system32\DRIVERS\IntcDAud.sys --> C:\windows\system32\DRIVERS\IntcDAud.sys [?]
    R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-10 4925184]
    R3 Sftfs;Sftfs;C:\windows\system32\DRIVERS\Sftfslh.sys --> C:\windows\system32\DRIVERS\Sftfslh.sys [?]
    R3 Sftplay;Sftplay;C:\windows\system32\DRIVERS\Sftplaylh.sys --> C:\windows\system32\DRIVERS\Sftplaylh.sys [?]
    R3 Sftredir;Sftredir;C:\windows\system32\DRIVERS\Sftredirlh.sys --> C:\windows\system32\DRIVERS\Sftredirlh.sys [?]
    R3 Sftvol;Sftvol;C:\windows\system32\DRIVERS\Sftvollh.sys --> C:\windows\system32\DRIVERS\Sftvollh.sys [?]
    R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk62x64.sys --> C:\windows\system32\DRIVERS\yk62x64.sys [?]
    S1 A2DDA;A2 Direct Disk Access Support Driver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [2012-7-13 23208]
    S1 SBRE;SBRE;\??\C:\windows\system32\drivers\SBREdrv.sys --> C:\windows\system32\drivers\SBREdrv.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-10-28 136176]
    S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-6-7 160944]
    S3 a2acc;a2acc;C:\Program Files (x86)\Emsisoft Anti-Malware\a2accx64.sys [2012-7-13 66320]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-7-9 250056]
    S3 BrYNSvc;BrYNSvc;C:\Program Files (x86)\Browny02\BrYNSvc.exe [2012-6-19 245760]
    S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-10-28 136176]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys [2011-11-9 17152]
    S3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
    S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\system32\drivers\TsUsbGD.sys --> C:\windows\system32\drivers\TsUsbGD.sys [?]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
    S3 WSDPrintDevice;WSD Print Support via UMB;C:\windows\system32\DRIVERS\WSDPrint.sys --> C:\windows\system32\DRIVERS\WSDPrint.sys [?]
    S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
    .
    =============== Created Last 30 ================
    .
    2012-07-18 21:57:56 -------- d-----w- C:\ProgramData\CPA_VA
    2012-07-18 19:59:39 -------- d-----w- C:\ProgramData\AVAST Software
    2012-07-18 19:59:39 -------- d-----w- C:\Program Files\AVAST Software
    2012-07-14 23:12:09 55384 ----a-w- C:\windows\System32\drivers\SBREDrv.sys
    2012-07-14 11:36:52 0 ----a-w- C:\windows\SysWow64\shoC2A0.tmp
    2012-07-14 00:39:53 -------- d-----w- C:\Program Files (x86)\Emsisoft Anti-Malware
    2012-07-13 23:47:14 -------- d-----w- C:\Users\bing\AppData\Roaming\Malwarebytes
    2012-07-13 23:47:02 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-07-13 23:47:01 24904 ----a-w- C:\windows\System32\drivers\mbam.sys
    2012-07-13 23:47:01 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-07-13 23:19:17 -------- d-----w- C:\ProgramData\GFI Software
    2012-07-10 00:25:51 -------- d-sh--w- C:\windows\System32\%APPDATA%
    2012-07-06 11:29:15 9013136 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2656AB82-F1B6-4D54-B309-47321C178E68}\mpengine.dll
    2012-07-03 13:54:32 -------- d-----r- C:\Program Files (x86)\Skype
    2012-06-21 11:53:42 2622464 ----a-w- C:\windows\System32\wucltux.dll
    2012-06-21 11:53:31 99840 ----a-w- C:\windows\System32\wudriver.dll
    2012-06-21 11:53:22 36864 ----a-w- C:\windows\System32\wuapp.exe
    2012-06-21 11:53:22 186752 ----a-w- C:\windows\System32\wuwebv.dll
    2012-06-19 23:15:11 -------- d-----w- C:\Brother
    2012-06-19 23:15:08 -------- d-----w- C:\Program Files (x86)\Browny02
    2012-06-19 23:13:42 73728 ------w- C:\windows\SysWow64\BrDctF2.dll
    2012-06-19 23:13:42 5120 ------w- C:\windows\SysWow64\BrDctF2L.dll
    2012-06-19 23:13:42 3072 ------w- C:\windows\SysWow64\BrDctF2S.dll
    2012-06-19 23:13:42 217088 ------w- C:\windows\SysWow64\NSSearch.dll
    2012-06-19 23:13:38 180224 ------w- C:\windows\SysWow64\BroSNMP.dll
    .
    ==================== Find3M ====================
    .
    2012-07-12 02:58:30 70344 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-12 02:58:30 426184 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
    2012-05-18 02:06:48 2311680 ----a-w- C:\windows\System32\jscript9.dll
    2012-05-18 01:59:14 1392128 ----a-w- C:\windows\System32\wininet.dll
    2012-05-18 01:58:39 1494528 ----a-w- C:\windows\System32\inetcpl.cpl
    2012-05-18 01:55:22 173056 ----a-w- C:\windows\System32\ieUnatt.exe
    2012-05-18 01:51:30 2382848 ----a-w- C:\windows\System32\mshtml.tlb
    2012-05-17 22:45:37 1800192 ----a-w- C:\windows\SysWow64\jscript9.dll
    2012-05-17 22:35:47 1129472 ----a-w- C:\windows\SysWow64\wininet.dll
    2012-05-17 22:35:39 1427968 ----a-w- C:\windows\SysWow64\inetcpl.cpl
    2012-05-17 22:29:45 142848 ----a-w- C:\windows\SysWow64\ieUnatt.exe
    2012-05-17 22:24:45 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb
    2012-05-15 01:32:33 3146752 ----a-w- C:\windows\System32\win32k.sys
    2012-05-04 11:06:22 5559664 ----a-w- C:\windows\System32\ntoskrnl.exe
    2012-05-04 10:03:53 3968368 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
    2012-05-04 10:03:50 3913072 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
    2012-05-01 05:40:20 209920 ----a-w- C:\windows\System32\profsvc.dll
    2012-04-28 03:55:21 210944 ----a-w- C:\windows\System32\drivers\rdpwd.sys
    2012-04-26 05:41:56 77312 ----a-w- C:\windows\System32\rdpwsx.dll
    2012-04-26 05:41:55 149504 ----a-w- C:\windows\System32\rdpcorekmts.dll
    2012-04-26 05:34:27 9216 ----a-w- C:\windows\System32\rdrmemptylst.exe
    2012-04-25 01:02:55 472808 ----a-w- C:\windows\SysWow64\deployJava1.dll
    2012-04-24 05:37:37 184320 ----a-w- C:\windows\System32\cryptsvc.dll
    2012-04-24 05:37:37 140288 ----a-w- C:\windows\System32\cryptnet.dll
    2012-04-24 05:37:36 1462272 ----a-w- C:\windows\System32\crypt32.dll
    2012-04-24 04:36:42 140288 ----a-w- C:\windows\SysWow64\cryptsvc.dll
    2012-04-24 04:36:42 1158656 ----a-w- C:\windows\SysWow64\crypt32.dll
    2012-04-24 04:36:42 103936 ----a-w- C:\windows\SysWow64\cryptnet.dll
    .
    ============= FINISH: 21:07:24.14 ===============
  7. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    Attach.txt?
  8. mekabuser

    mekabuser TS Rookie Topic Starter Posts: 63

    Computer is running fine, so it seems. I don't see the virus in Task Manager but I can't understand why it would be gone now, for real... Thank you again.
    Ah yes, Attach.txt... I don't know where that is? As far as I could tell the program only made one log. Only one window opened.
    Never mind, found it.
    Thanks again. I have to log off for the night. TY.
  9. mekabuser

    mekabuser TS Rookie Topic Starter Posts: 63

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 10/27/2011 6:09:07 PM
    System Uptime: 7/18/2012 7:02:40 PM (2 hours ago)
    .
    Motherboard: SAMSUNG ELECTRONICS CO., LTD. | | R530/R730/R540
    Processor: Intel(R) Core(TM) i3 CPU M 380 @ 2.53GHz | CPU 1 | 1190/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 51 GiB total, 10.686 GiB free.
    D: is FIXED (NTFS) - 227 GiB total, 139.1 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP136: 7/12/2012 6:22:07 AM - FU
    RP137: 7/14/2012 6:41:07 PM - Installed Ad-Aware
    RP138: 7/14/2012 7:08:54 PM - Installed Ad-Aware
    RP139: 7/18/2012 3:59:10 PM - avast! Free Antivirus Setup
    RP140: 7/18/2012 5:33:46 PM - avast! Free Antivirus Setup
    RP141: 7/18/2012 5:47:30 PM - avast! Free Antivirus Setup
    RP142: 7/18/2012 5:53:56 PM - Device Driver Package Install: COMODO Network Service
    .
    ==== Installed Programs ======================
    .
    ?? ??? ?? Windows Live Mesh ActiveX ???
    ??? ActiveX ?? Windows Live Mesh ???? ??????? ???????
    ???? ??? Windows Live
    ???? ???? ActiveX ????? ?? Windows Live Mesh ????????? ???????
    ???? Windows Live
    ????? Windows Live
    ?????? ??????? ?? Windows Live
    ??????? ?????????? Windows Live Mesh ActiveX ??? ????????? ???????????
    ??????? Windows Live Mesh ActiveX ??(????)
    ??????? Windows Live Mesh ActiveX ???
    ???????? ?????????? Windows Live
    ????????? ActiveX ?? Windows Live Mesh ????????????????????????? (???)
    ?????????? Windows Live
    ??????????? ?? Windows Live
    ActiveX-kontroll för fjärranslutningar för Windows Live Mesh
    ActiveX ???????? ?? Windows Live Mesh ?? ?????????? ??????
    Adobe Flash Player 11 ActiveX
    Adobe Reader X (10.1.3)
    Advanced SystemCare 5
    Apple Application Support
    Apple Software Update
    Atheros Client Installation Program
    AVS Screen Capture version 2.0.1
    AVS Update Manager 1.0
    AVS Video Editor 6
    AVS Video Recorder 2.4
    AVS4YOU Software Navigator 1.4
    „Windows Live Essentials“
    „Windows Live Mail“
    „Windows Live Mesh ActiveX“ nuotoliniu ryšiu valdiklis
    „Windows Live Messenger“
    „Windows Live“ fotogalerija
    BatteryLifeExtender
    Brother MFL-Pro Suite MFC-J265W
    Contrôle ActiveX Windows Live Mesh pour connexions à distance
    Control ActiveX de Windows Live Mesh para conexiones remotas
    Control ActiveX Windows Live Mesh pentru conexiuni la distan?a
    Controle ActiveX do Windows Live Mesh para Conexões Remotas
    Controlo ActiveX do Windows Live Mesh para Ligações Remotas
    D3DX10
    Easy Content Share
    Easy Display Manager
    Easy Media Player 1.1.12
    Easy Network Manager
    Easy SpeedUp Manager
    EasyBatteryManager
    EasyFileShare
    Emsisoft Anti-Malware
    Formant ActiveX programu Windows Live Mesh odpowiedzialny za obsluge polaczen zdalnych
    Fotogalerija Windows Live
    Galeria de Fotografias do Windows Live
    Galeria fotografii uslugi Windows Live
    Galerie de photos Windows Live
    Galerie foto Windows Live
    Galería fotográfica de Windows Live
    Game Pack
    Google Chrome
    Google Toolbar for Internet Explorer
    Google Update Helper
    ImgBurn
    Intel(R) Control Center
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Rapid Storage Technology
    Java Auto Updater
    Java(TM) 6 Update 31
    Junk Mail filter update
    Kontrola Windows Live Mesh ActiveX za daljinske veze
    Kontrolnik Windows Live Mesh ActiveX za oddaljene povezave
    Lagarith lossless video codec (Remove Only)
    Malwarebytes Anti-Malware version 1.62.0.1300
    Marvell Miniport Driver
    Mesh Runtime
    Microsoft Office 2010
    Microsoft Office Click-to-Run 2010
    Microsoft Office Starter 2010 - English
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    MSVCRT
    MSVCRT_amd64
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Norton Online Backup
    Ovládací prvek ActiveX platformy Windows Live Mesh pro vzdálená připojení
    Ovládací prvok ActiveX programu Windows Live Mesh pre vzdialené pripojenia
    Poczta usługi Windows Live
    Podstawowe programy Windows Live
    Pošta Windows Live
    QuickTime
    Raccolta foto di Windows Live
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    Realtek High Definition Audio Driver
    RealUpgrade 1.1
    Samsung Recovery Solution 4
    Samsung Support Center
    Samsung Update Plus
    ScanSoft PaperPort 11
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Skype Click to Call
    Skype™ 5.10
    System Requirements Lab CYRI
    TurboTax 2010
    TurboTax 2010 WinPerFedFormset
    TurboTax 2010 WinPerReleaseEngine
    TurboTax 2010 WinPerTaxSupport
    TurboTax 2010 wnyiper
    TurboTax 2010 wrapper
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    User Guide
    Uzak Bağlantılar İçin Windows Live Mesh ActiveX Denetimi
    VLC media player 2.0.1
    Vuze
    Vuze Remote Toolbar
    Windows 7 USB/DVD Download Tool
    Windows Live
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Fotótár
    Windows Live Foto-galerija
    Windows Live fotoattēlu galerija
    Windows Live Fotogalerie
    Windows Live Fotogalleri
    Windows Live Fotogaléria
    Windows Live Fotograf Galerisi
    Windows Live Galeria de Fotos
    Windows Live Galerija fotografija
    Windows Live Installer
    Windows Live Mail
    Windows Live Mesh
    Windows Live Mesh - ActiveX-besturingselement voor externe verbindingen
    Windows Live Mesh ActiveX-kontroll for eksterne tilkoblinger
    Windows Live Mesh ActiveX-objekt til fjernforbindelser
    Windows Live Mesh ActiveX-vezérlő távoli kapcsolatokhoz
    Windows Live Mesh ActiveX control for remote connections
    Windows Live Mesh ActiveX kontrola za daljinske veze
    Windows Live Mesh ActiveX vadīkla attālajiem savienojumiem
    Windows Live Meshin etäyhteyksien ActiveX-komponentti
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live Pošta
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Temel Parçalar
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    Windows Liven asennustyökalu
    Windows Liven sähköposti
    Windows Liven valokuvavalikoima
    .
    ==== Event Viewer Messages From Past Week ========
    .
    7/18/2012 6:59:39 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SBRE
    7/18/2012 6:59:33 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
    7/18/2012 6:59:33 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    7/18/2012 6:59:33 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    7/18/2012 6:59:33 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    7/18/2012 6:59:30 PM, Error: Service Control Manager [7022] - The Emsisoft Anti-Malware 6.6 - Service service hung on starting.
    7/18/2012 6:01:07 PM, Error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s).
    7/18/2012 5:56:57 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cmderd cmdGuard cmdHlp inspect Lbd SBRE
    7/18/2012 5:54:13 PM, Error: Service Control Manager [7000] - The COMODO Internet Security Sandbox Driver service failed to start due to the following error: A device attached to the system is not functioning.
    7/18/2012 5:54:12 PM, Error: Service Control Manager [7000] - The COMODO Internet Security Firewall Driver service failed to start due to the following error: A device attached to the system is not functioning.
    7/18/2012 5:53:52 PM, Error: Service Control Manager [7030] - The COMODO Internet Security Helper Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    7/18/2012 5:46:09 PM, Error: Service Control Manager [7001] - The avast! Antivirus service depends on the aswMonFlt service which failed to start because of the following error: A device attached to the system is not functioning.
    7/18/2012 5:46:09 PM, Error: Service Control Manager [7000] - The aswMonFlt service failed to start due to the following error: A device attached to the system is not functioning.
    7/18/2012 5:42:06 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswRdr aswSnx aswSP aswTdi Lbd SBRE
    7/18/2012 5:41:53 PM, Error: Service Control Manager [7000] - The aswFsBlk service failed to start due to the following error: A device attached to the system is not functioning.
    7/18/2012 5:34:59 PM, Error: Service Control Manager [7000] - The avast! Network Shield Support service failed to start due to the following error: A device attached to the system is not functioning.
    7/18/2012 5:34:59 PM, Error: Service Control Manager [7000] - The aswSP service failed to start due to the following error: A device attached to the system is not functioning.
    7/15/2012 3:03:19 PM, Error: Schannel [36888] - The following fatal alert was generated: 10. The internal error state is 10.
    7/14/2012 9:42:55 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd SBRE
    7/14/2012 7:46:09 PM, Error: Schannel [36888] - The following fatal alert was generated: 40. The internal error state is 107.
    7/14/2012 7:46:09 PM, Error: Schannel [36874] - An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
    7/14/2012 7:09:38 PM, Error: Service Control Manager [7000] - The Lbd service failed to start due to the following error: A device attached to the system is not functioning.
    7/13/2012 7:34:26 PM, Error: Service Control Manager [7000] - The sbwtis service failed to start due to the following error: A device attached to the system is not functioning.
    7/13/2012 7:34:26 PM, Error: Service Control Manager [7000] - The sbhips service failed to start due to the following error: A device attached to the system is not functioning.
    7/13/2012 3:16:19 PM, Error: Service Control Manager [7034] - The Google Update Service (gupdate) service terminated unexpectedly. It has done this 1 time(s).
    7/12/2012 8:50:44 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SbFw SBRE
    7/12/2012 8:50:25 PM, Error: Service Control Manager [7000] - The sbapifs service failed to start due to the following error: A device attached to the system is not functioning.
    7/11/2012 7:44:38 PM, Error: Microsoft-Windows-WMPNSS-Service [14356] - A media delivery engine with ID '0x80070057' was not initialized because RegisterDelegate() encountered error ''. Restart your computer, and then restart the WMPNetworkSvc service.
    7/11/2012 7:44:38 PM, Error: Microsoft-Windows-WMPNSS-Service [14348] - A new media server was not initialized due to error '0x80070057'. Restart your computer, and then restart the WMPNetworkSvc service. If the problem persists, in Windows Media Player, turn off media sharing, and then turn it back on.
    7/11/2012 7:44:38 PM, Error: Microsoft-Windows-WMPNSS-Service [14323] - Service 'WMPNetworkSvc' did not start correctly because MFCreateWMPMDEOpCenter encountered error '0x80070505'. If possible, reinstall Windows Media Player.
    7/11/2012 7:44:30 PM, Error: Service Control Manager [7023] - The Software Protection service terminated with the following error: Access is denied.
    7/11/2012 11:12:10 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SbFw
    7/11/2012 10:51:43 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd
    .
    ==== End Of File ===========================
  10. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    You're still seriously infected.

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flash drive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Press the Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
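As an added example (not code from this thread, from Broni, or from the Farbar tool), here is a small Python triage script for the "Drivers (Whitelisted)" section of the FRST.txt the procedure above produces: it parses each driver line and scores entries that carry no publisher, have a bare hex file name, load at boot or system start, or are dated just before the scan. The sample log, the weights and the threshold are constructed assumptions for this example; the sample entries mirror the line layout posted later in this thread.

```python
"""Triage the "Drivers (Whitelisted)" section of a Farbar Recovery Scan Tool (FRST) log."""
import re
from datetime import date, timedelta

# Shape of one FRST driver entry, as posted in this thread:
#   <start> <name>; <path> [<size> <yyyy-mm-dd>] (<publisher>)
# start type: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled.
DRIVER_RE = re.compile(
    r"^\s*(?P<start>[0-4])\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<publisher>[^)]*)\)\s*$"
)
SECTION_RE = re.compile(r"^\s*=+\s*(?P<title>.+?)\s*=+\s*$")
HEX_STEM_RE = re.compile(r"^[0-9a-f]{12,}$", re.IGNORECASE)

# Heuristic weights: an assumption of this example, not anything FRST computes.
WEIGHTS = {
    "no publisher in version info": 2,
    "file name is a bare hex string": 3,
    "boot- or system-start driver": 1,
    "file dated within 30 days of the scan": 1,
}
SUSPICIOUS_THRESHOLD = 4


def drivers_section(log_text):
    """Return only the non-empty lines under the 'Drivers (Whitelisted)' header."""
    lines, inside = [], False
    for line in log_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            inside = header.group("title").startswith("Drivers")
        elif inside and line.strip():
            lines.append(line)
    return lines


def parse_driver(line):
    """Parse one driver line into a dict, or return None if it does not fit the format."""
    m = DRIVER_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["start"] = int(entry["start"])
    entry["size"] = int(entry["size"])
    entry["date"] = date.fromisoformat(entry["date"])
    entry["publisher"] = entry["publisher"].strip()
    # File name without directory and extension, e.g. "ff8dd40f59eeaad9".
    entry["stem"] = entry["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return entry


def score_driver(entry, scan_date):
    """Apply the heuristics to one parsed entry; return (score, reasons)."""
    reasons = []
    if not entry["publisher"]:
        reasons.append("no publisher in version info")
    if HEX_STEM_RE.match(entry["stem"]):
        reasons.append("file name is a bare hex string")
    if entry["start"] in (0, 1):
        reasons.append("boot- or system-start driver")
    if scan_date - entry["date"] <= timedelta(days=30):
        reasons.append("file dated within 30 days of the scan")
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage(log_text, scan_date):
    """Score every driver line; return those at or above the threshold, highest first."""
    if isinstance(scan_date, str):  # accept "2012-07-19" as well as a date object
        scan_date = date.fromisoformat(scan_date)
    findings = []
    for line in drivers_section(log_text):
        entry = parse_driver(line)
        if entry is None:
            continue
        score, reasons = score_driver(entry, scan_date)
        if score >= SUSPICIOUS_THRESHOLD:
            findings.append({"name": entry["name"], "path": entry["path"],
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample in the FRST layout; the entries mirror lines posted in this thread.
SAMPLE_LOG = r"""
========================== Services (Whitelisted) ======

2 a2AntiMalware; "C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe" [3069752 2012-06-17] (Emsisoft GmbH)

========================== Drivers (Whitelisted) =============

3 a2acc; \??\C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [66320 2012-04-30] (Emsisoft GmbH)
0 ff8dd40f59eeaad9; C:\Windows\System32\Drivers\ff8dd40f59eeaad9.sys [73688 2012-07-10] ()
3 Lavasoft Kernexplorer; \??\C:\Program Files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [17152 2011-11-09] ()
1 SBRE; \??\C:\windows\system32\drivers\SBREdrv.sys [55384 2012-07-14] (Sunbelt Software)
3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [395264 2009-09-28] ()

========================== NetSvcs (Whitelisted) ===========
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, "2012-07-19"):
        print(f"{finding['score']:>2}  {finding['name']}  {finding['path']}")
        for reason in finding["reasons"]:
            print(f"      - {reason}")
```

On the sample only the hex-named boot-start driver with no publisher crosses the threshold; legitimate unsigned entries such as the Lavasoft and Marvell drivers score too low to be reported.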
  11. mekabuser

    mekabuser TS Rookie Topic Starter Posts: 63

    Scan result of Farbar Recovery Scan Tool Version: 16-07-2012 02
    Ran by SYSTEM at 19-07-2012 22:44:43
    Running from H:\
    Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10144288 2010-04-06] (Realtek Semiconductor)
    HKLM\...\Run: [ETDWare] %ProgramFiles%\Elantech\ETDCtrl.exe [2703752 2010-03-25] (ELAN Microelectronics Corp.)
    HKLM\...\Run: [IgfxTray] C:\windows\system32\igfxtray.exe [161304 2010-11-29] (Intel Corporation)
    HKLM\...\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe [386584 2010-11-29] (Intel Corporation)
    HKLM\...\Run: [Persistence] C:\windows\system32\igfxpers.exe [415256 2010-11-29] (Intel Corporation)
    HKLM-x32\...\Run: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-05-31] (Symantec Corporation)
    HKLM-x32\...\Run: [SSBkgdUpdate] "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [210472 2006-10-25] (Nuance Communications, Inc.)
    HKLM-x32\...\Run: [PaperPort PTD] "C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe" [29984 2008-07-09] (Nuance Communications, Inc.)
    HKLM-x32\...\Run: [IndexSearch] "C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe" [46368 2008-07-09] (Nuance Communications, Inc.)
    HKLM-x32\...\Run: [PPort11reminder] "C:\Program Files (x86)\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini" [346 2012-07-19] ()
    HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot [273528 2011-11-12] (RealNetworks, Inc.)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "D:\Program Files (x86)\iTunes\iTunesHelper.exe" [x]
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-04-03] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [ControlCenter3] C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe /autorun [114688 2008-12-24] (Brother Industries, Ltd.)
    HKLM-x32\...\Run: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN [2621440 2010-02-09] (Brother Industries, Ltd.)
    HKU\bing\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-10-27] (Google Inc.)
    HKU\bing\...\Run: [Advanced SystemCare 5] "C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe" /AutoStart [574296 2012-03-06] (IObit)
    Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
    Tcpip\Parameters: [DhcpNameServer] 167.206.254.1 167.206.254.2
    AppInit_DLLs:

    ==================== Services (Whitelisted) ======

    2 a2AntiMalware; "C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe" [3069752 2012-06-17] (Emsisoft GmbH)
    2 AdvancedSystemCareService5; C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [913752 2012-03-14] (IObit)
    2 NOBU; "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [2804568 2010-05-31] (Symantec Corporation)

    ========================== Drivers (Whitelisted) =============

    3 a2acc; \??\C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [66320 2012-04-30] (Emsisoft GmbH)
    1 A2DDA; \??\C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [23208 2011-05-19] (Emsi Software GmbH)
    0 ff8dd40f59eeaad9; C:\Windows\System32\Drivers\ff8dd40f59eeaad9.sys [73688 2012-07-10] ()
    3 Lavasoft Kernexplorer; \??\C:\Program Files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [17152 2011-11-09] ()
    3 rtport; C:\Windows\SysWow64\Drivers\rtport.sys [15144 2011-07-01] (Windows (R) 2003 DDK 3790 provider)
    1 SABI; C:\Windows\System32\Drivers\SABI.sys [13824 2010-10-06] (SAMSUNG ELECTRONICS)
    1 SBRE; \??\C:\windows\system32\drivers\SBREdrv.sys [55384 2012-07-14] (Sunbelt Software)
    3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [395264 2009-09-28] ()

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-07-19 22:44 - 2012-07-19 22:44 - 00000000 ____D C:\FRST
    2012-07-19 17:49 - 2012-07-19 17:50 - 01437107 ____A (Farbar) C:\Users\bing\Downloads\FRST64.exe
    2012-07-19 17:44 - 2012-07-19 17:44 - 00000000 ____D C:\Users\bing\Desktop\selected
    2012-07-19 15:43 - 2012-07-19 15:43 - 00000000 ____D C:\Users\bing\AppData\Local\{EEF4FB3C-910F-47E9-96F1-980DF58B14E9}
    2012-07-19 15:43 - 2012-07-19 15:43 - 00000000 ____D C:\Users\bing\AppData\Local\{8D55BD51-5C83-425B-963A-7927D68BDCDF}
    2012-07-19 06:20 - 2012-07-19 06:20 - 00000000 ____D C:\Users\All Users\Comodo
    2012-07-18 17:09 - 2012-07-18 17:09 - 00021106 ____A C:\Users\bing\Desktop\DDS.txt
    2012-07-18 16:59 - 2012-07-18 16:59 - 00607260 ____R (Swearware) C:\Users\bing\Desktop\dds.scr
    2012-07-18 15:55 - 2012-07-18 15:55 - 00002528 ____A C:\Users\bing\Desktop\gmer.log
    2012-07-18 13:57 - 2012-07-18 13:57 - 00000000 ____D C:\Users\All Users\CPA_VA
    2012-07-18 13:31 - 2012-07-18 13:33 - 89340632 ____A C:\Users\bing\Downloads\avast_free_antivirus_setup.exe
    2012-07-18 12:00 - 2012-07-18 13:34 - 00000000 ____A C:\Windows\SysWOW64\config.nt
    2012-07-18 12:00 - 2012-07-03 08:21 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
    2012-07-18 11:59 - 2012-07-18 13:48 - 00000000 ____D C:\Users\All Users\AVAST Software
    2012-07-18 11:59 - 2012-07-18 11:59 - 00000000 ____D C:\Program Files\AVAST Software
    2012-07-14 15:12 - 2012-07-14 15:12 - 00055384 ____A (Sunbelt Software) C:\Windows\System32\Drivers\SBREDrv.sys
    2012-07-14 15:09 - 2012-07-18 14:01 - 00000000 ____D C:\Users\All Users\Lavasoft
    2012-07-14 03:36 - 2012-07-14 03:36 - 00000000 ____A C:\Windows\SysWOW64\shoC2A0.tmp
    2012-07-13 16:40 - 2012-07-13 16:40 - 00001091 ____A C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
    2012-07-13 16:39 - 2012-07-16 18:21 - 00000000 ____D C:\Program Files (x86)\Emsisoft Anti-Malware
    2012-07-13 15:47 - 2012-07-13 15:47 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-13 15:47 - 2012-07-13 15:47 - 00000000 ____D C:\Users\bing\AppData\Roaming\Malwarebytes
    2012-07-13 15:47 - 2012-07-13 15:47 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-07-13 15:47 - 2012-07-13 15:47 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-07-13 15:47 - 2012-07-03 09:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-07-13 15:19 - 2012-07-13 15:19 - 00000000 ____D C:\Users\All Users\GFI Software
    2012-07-10 17:09 - 2012-07-10 17:09 - 00025368 ____A C:\Users\bing\Downloads\John Adams_1x03_en.zip
    2012-07-10 17:09 - 2012-07-10 17:09 - 00025368 ____A C:\Users\bing\Downloads\John Adams_1x03_en (1).zip
    2012-07-10 17:07 - 2012-07-10 17:13 - 02820393 ____A C:\Users\bing\Downloads\John Adams_1x02_LOL.en.zip
    2012-07-10 03:30 - 2012-07-10 03:30 - 00073688 ____A C:\Windows\System32\Drivers\ff8dd40f59eeaad9.sys
    2012-07-10 03:30 - 2012-07-10 03:30 - 00000000 ____D C:\Users\Default\AppData\Roaming\IObit
    2012-07-10 03:30 - 2012-07-10 03:30 - 00000000 ____D C:\Users\Default User\AppData\Roaming\IObit
    2012-07-09 16:25 - 2012-07-09 16:25 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-07-09 16:22 - 2012-07-19 17:57 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-07-08 04:15 - 2012-05-17 18:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-07-08 04:15 - 2012-05-17 18:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-07-08 04:15 - 2012-05-17 18:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-07-08 04:15 - 2012-05-17 17:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-07-08 04:15 - 2012-05-17 17:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-07-08 04:15 - 2012-05-17 17:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-07-08 04:15 - 2012-05-17 17:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-07-08 04:15 - 2012-05-17 17:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-07-08 04:15 - 2012-05-17 17:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-07-08 04:15 - 2012-05-17 17:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-07-08 04:15 - 2012-05-17 17:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-07-08 04:15 - 2012-05-17 17:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-07-08 04:15 - 2012-05-17 17:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-07-08 04:15 - 2012-05-17 17:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-07-08 04:15 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-07-08 04:15 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-07-08 04:15 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-07-08 04:15 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-07-08 04:15 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-07-08 04:15 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-07-08 04:15 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-07-08 04:15 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-07-08 04:15 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-07-08 04:15 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-07-08 04:15 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-07-08 04:15 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-07-08 04:15 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-07-08 04:15 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-07-05 15:35 - 2012-07-05 15:35 - 00002993 ____A C:\Users\bing\Downloads\resume2 (1).html
    2012-07-03 05:54 - 2012-07-09 05:27 - 00000000 ___RD C:\Program Files (x86)\Skype
    2012-07-03 05:52 - 2012-07-03 05:53 - 00946352 ____A (Skype Technologies S.A.) C:\Users\bing\Downloads\SkypeSetup.exe
    2012-06-21 03:53 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-21 03:53 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-21 03:53 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-21 03:53 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-21 03:53 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-21 03:53 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-21 03:53 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-21 03:53 - 2012-06-02 11:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-21 03:53 - 2012-06-02 11:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-19 15:15 - 2012-06-19 15:15 - 00002140 ____A C:\Users\Public\Desktop\Brother Creative Center.lnk
    2012-06-19 15:15 - 2012-06-19 15:15 - 00000000 ____D C:\Program Files (x86)\Browny02
    2012-06-19 15:15 - 2012-06-19 15:15 - 00000000 ____D C:\Brother
    2012-06-19 15:15 - 2003-11-28 14:57 - 00000000 ____A C:\Windows\brdfxspd.dat
    2012-06-19 15:13 - 2010-02-09 13:11 - 00217088 ____N (brother) C:\Windows\SysWOW64\NSSearch.dll
    2012-06-19 15:13 - 2010-02-05 07:42 - 00180224 ____N (Brother Industries, Ltd.) C:\Windows\SysWOW64\BroSNMP.dll
    2012-06-19 15:13 - 2010-01-22 11:34 - 00003072 ____N (Brother Industries Ltd.) C:\Windows\SysWOW64\BrDctF2S.dll
    2012-06-19 15:13 - 2007-12-13 18:16 - 00073728 ____N (Brother Industries Ltd.) C:\Windows\SysWOW64\BrDctF2.dll
    2012-06-19 15:13 - 2007-12-13 18:16 - 00005120 ____N (Brother Industries Ltd.) C:\Windows\SysWOW64\BrDctF2L.dll
    2012-06-19 15:06 - 2012-06-19 15:06 - 00000000 ____D C:\Users\bing\AppData\Roaming\InstallShield

    ============ 3 Months Modified Files ========================

    2012-07-19 18:38 - 2012-05-24 17:38 - 00009362 ____A C:\Windows\setupact.log
    2012-07-19 18:38 - 2011-10-27 21:40 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-07-19 18:38 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-19 18:25 - 2009-07-13 20:45 - 00021200 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-19 18:25 - 2009-07-13 20:45 - 00021200 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-19 18:23 - 2011-10-27 21:40 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-07-19 17:57 - 2012-07-09 16:22 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-07-19 17:50 - 2012-07-19 17:49 - 01437107 ____A (Farbar) C:\Users\bing\Downloads\FRST64.exe
    2012-07-19 17:45 - 2009-07-13 21:13 - 00727136 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-18 17:09 - 2012-07-18 17:09 - 00021106 ____A C:\Users\bing\Desktop\DDS.txt
    2012-07-18 16:59 - 2012-07-18 16:59 - 00607260 ____R (Swearware) C:\Users\bing\Desktop\dds.scr
    2012-07-18 15:55 - 2012-07-18 15:55 - 00002528 ____A C:\Users\bing\Desktop\gmer.log
    2012-07-18 14:57 - 2012-05-27 17:40 - 00007508 ____A C:\Windows\PFRO.log
    2012-07-18 13:55 - 2011-11-11 22:50 - 00016593 ____A C:\aaw7boot.log
    2012-07-18 13:34 - 2012-07-18 12:00 - 00000000 ____A C:\Windows\SysWOW64\config.nt
    2012-07-18 13:33 - 2012-07-18 13:31 - 89340632 ____A C:\Users\bing\Downloads\avast_free_antivirus_setup.exe
    2012-07-14 15:12 - 2012-07-14 15:12 - 00055384 ____A (Sunbelt Software) C:\Windows\System32\Drivers\SBREDrv.sys
    2012-07-14 03:36 - 2012-07-14 03:36 - 00000000 ____A C:\Windows\SysWOW64\shoC2A0.tmp
    2012-07-13 16:40 - 2012-07-13 16:40 - 00001091 ____A C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
    2012-07-13 16:00 - 2012-04-26 05:54 - 00002340 ____A C:\Users\Public\Desktop\Google Chrome.lnk
    2012-07-13 15:47 - 2012-07-13 15:47 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-12 04:22 - 2011-04-28 18:05 - 01269303 ____A C:\Windows\WindowsUpdate.log
    2012-07-11 18:58 - 2012-04-28 07:56 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-07-11 18:58 - 2012-04-28 07:56 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-07-11 08:40 - 2011-11-16 16:55 - 00000064 ____A C:\Windows\SysWOW64\rp_stats.dat
    2012-07-11 08:40 - 2011-11-16 16:55 - 00000044 ____A C:\Windows\SysWOW64\rp_rules.dat
    2012-07-10 17:13 - 2012-07-10 17:07 - 02820393 ____A C:\Users\bing\Downloads\John Adams_1x02_LOL.en.zip
    2012-07-10 17:09 - 2012-07-10 17:09 - 00025368 ____A C:\Users\bing\Downloads\John Adams_1x03_en.zip
    2012-07-10 17:09 - 2012-07-10 17:09 - 00025368 ____A C:\Users\bing\Downloads\John Adams_1x03_en (1).zip
    2012-07-10 03:31 - 2009-07-13 21:08 - 00029458 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-07-10 03:30 - 2012-07-10 03:30 - 00073688 ____A C:\Windows\System32\Drivers\ff8dd40f59eeaad9.sys
    2012-07-08 06:02 - 2009-07-13 20:45 - 00276040 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-08 04:22 - 2011-10-29 11:26 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-07-05 15:36 - 2012-05-31 15:08 - 00002993 ____A C:\Users\bing\Downloads\resume2.html
    2012-07-05 15:35 - 2012-07-05 15:35 - 00002993 ____A C:\Users\bing\Downloads\resume2 (1).html
    2012-07-03 09:46 - 2012-07-13 15:47 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-07-03 08:21 - 2012-07-18 12:00 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
    2012-07-03 05:54 - 2011-10-27 11:06 - 00002515 ____A C:\Users\Public\Desktop\Skype.lnk
    2012-07-03 05:53 - 2012-07-03 05:52 - 00946352 ____A (Skype Technologies S.A.) C:\Users\bing\Downloads\SkypeSetup.exe
    2012-06-19 15:15 - 2012-06-19 15:15 - 00002140 ____A C:\Users\Public\Desktop\Brother Creative Center.lnk
    2012-06-19 15:15 - 2011-10-29 10:55 - 00000254 ____A C:\Windows\Brpfx04a.ini
    2012-06-19 15:15 - 2011-10-29 10:55 - 00000093 ____A C:\Windows\brpcfx.ini
    2012-06-19 15:15 - 2011-10-29 10:53 - 00000419 ____A C:\Windows\BRWMARK.INI
    2012-06-19 15:15 - 2011-10-29 10:50 - 00000050 ____A C:\Windows\System32\BRIDF10A.DAT
    2012-06-18 15:53 - 2012-06-18 15:53 - 00001066 ____A C:\Users\Public\Desktop\VLC media player.lnk
    2012-06-12 10:40 - 2012-03-06 04:58 - 00007667 ____A C:\Users\bing\AppData\Local\Resmon.ResmonCfg
    2012-06-02 14:19 - 2012-06-21 03:53 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-21 03:53 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-21 03:53 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-21 03:53 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-21 03:53 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:15 - 2012-06-21 03:53 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-21 03:53 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 11:19 - 2012-06-21 03:53 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 11:15 - 2012-06-21 03:53 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-05-24 17:38 - 2012-05-24 17:38 - 00000000 ____A C:\Windows\setuperr.log
    2012-05-24 17:26 - 2012-05-24 17:26 - 00001272 ____A C:\Users\Public\Desktop\Uninstaller.lnk
    2012-05-24 17:26 - 2012-05-24 17:26 - 00001221 ____A C:\Users\Public\Desktop\Advanced SystemCare 5.lnk
    2012-05-20 08:30 - 2011-10-27 11:24 - 00060984 ____A C:\Users\bing\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-05-20 08:29 - 2012-05-20 08:29 - 00001293 ____A C:\Users\bing\Desktop\AVS4YOU Software Navigator.lnk
    2012-05-20 08:28 - 2012-05-20 08:28 - 00001201 ____A C:\Users\bing\Desktop\AVS Video Editor.lnk
    2012-05-20 06:20 - 2012-02-13 15:06 - 00007168 ____A C:\Users\bing\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-05-17 18:47 - 2012-07-08 04:15 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-05-17 18:16 - 2012-07-08 04:15 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-05-17 18:06 - 2012-07-08 04:15 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-05-17 17:59 - 2012-07-08 04:15 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-05-17 17:59 - 2012-07-08 04:15 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-05-17 17:58 - 2012-07-08 04:15 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-05-17 17:58 - 2012-07-08 04:15 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-05-17 17:56 - 2012-07-08 04:15 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-05-17 17:55 - 2012-07-08 04:15 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-05-17 17:55 - 2012-07-08 04:15 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-05-17 17:54 - 2012-07-08 04:15 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-05-17 17:51 - 2012-07-08 04:15 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-05-17 17:51 - 2012-07-08 04:15 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-05-17 17:47 - 2012-07-08 04:15 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-05-17 15:11 - 2012-07-08 04:15 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-05-17 14:48 - 2012-07-08 04:15 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-05-17 14:45 - 2012-07-08 04:15 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-05-17 14:36 - 2012-07-08 04:15 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-05-17 14:35 - 2012-07-08 04:15 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-05-17 14:35 - 2012-07-08 04:15 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-05-17 14:33 - 2012-07-08 04:15 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-05-17 14:31 - 2012-07-08 04:15 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-05-17 14:29 - 2012-07-08 04:15 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-05-17 14:29 - 2012-07-08 04:15 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-05-17 14:27 - 2012-07-08 04:15 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-05-17 14:25 - 2012-07-08 04:15 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-05-17 14:24 - 2012-07-08 04:15 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-05-17 14:20 - 2012-07-08 04:15 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-05-14 17:32 - 2012-06-13 15:24 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-05-07 10:43 - 2012-05-07 10:43 - 00002019 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
    2012-05-04 03:06 - 2012-06-13 15:24 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2012-05-04 02:03 - 2012-06-13 15:24 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2012-05-04 02:03 - 2012-06-13 15:24 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
    2012-04-30 21:40 - 2012-06-13 15:24 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
    2012-04-27 19:55 - 2012-06-13 15:24 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-04-25 21:41 - 2012-06-13 15:24 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
    2012-04-25 21:41 - 2012-06-13 15:24 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
    2012-04-25 21:34 - 2012-06-13 15:24 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
    2012-04-24 17:02 - 2012-04-24 17:03 - 00472808 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
    2012-04-24 17:02 - 2012-04-24 17:03 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
    2012-04-24 17:02 - 2012-04-24 17:03 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
    2012-04-24 17:02 - 2012-04-24 17:03 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
    2012-04-23 21:37 - 2012-06-13 15:23 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-04-23 21:37 - 2012-06-13 15:23 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-04-23 21:37 - 2012-06-13 15:23 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-04-23 20:36 - 2012-06-13 15:23 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
    2012-04-23 20:36 - 2012-06-13 15:23 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
    2012-04-23 20:36 - 2012-06-13 15:23 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll


    ZeroAccess:
    C:\Windows\Installer\{5d463ba7-dce0-4c6e-e783-06357ec45974}
    C:\Windows\Installer\{5d463ba7-dce0-4c6e-e783-06357ec45974}\@
    C:\Windows\Installer\{5d463ba7-dce0-4c6e-e783-06357ec45974}\L
    C:\Windows\Installer\{5d463ba7-dce0-4c6e-e783-06357ec45974}\U
    C:\Windows\Installer\{5d463ba7-dce0-4c6e-e783-06357ec45974}\U\00000001.@
    C:\Windows\Installer\{5d463ba7-dce0-4c6e-e783-06357ec45974}\U\80000000.@
    C:\Windows\Installer\{5d463ba7-dce0-4c6e-e783-06357ec45974}\U\800000cb.@

    ZeroAccess:
    C:\Users\bing\AppData\Local\{5d463ba7-dce0-4c6e-e783-06357ec45974}
    C:\Users\bing\AppData\Local\{5d463ba7-dce0-4c6e-e783-06357ec45974}\@
    C:\Users\bing\AppData\Local\{5d463ba7-dce0-4c6e-e783-06357ec45974}\L
    C:\Users\bing\AppData\Local\{5d463ba7-dce0-4c6e-e783-06357ec45974}\U

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 19%
    Total physical RAM: 2932.55 MB
    Available physical RAM: 2375.27 MB
    Total Pagefile: 2930.75 MB
    Available Pagefile: 2364.18 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:51 GB) (Free:9.49 GB) NTFS
    2 Drive d: () (Fixed) (Total:226.99 GB) (Free:137.74 GB) NTFS
    3 Drive f: (RECOVERY) (Fixed) (Total:20 GB) (Free:3.61 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    5 Drive h: (KINGSTON) (Removable) (Total:3.65 GB) (Free:3.64 GB) FAT32
    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    7 Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ###  Status         Size     Free     Dyn  Gpt
    --------  -------------  -------  -------  ---  ---
    Disk 0    Online          298 GB  1024 KB
    Disk 1    Online         3745 MB      0 B

    Partitions of Disk 0:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Recovery            20 GB  1024 KB
    Partition 2    Primary            100 MB    20 GB
    Partition 3    Primary             51 GB    20 GB
    Partition 0    Extended           226 GB    71 GB
    Partition 4    Logical            226 GB    71 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 4   F   RECOVERY     NTFS   Partition     20 GB  Healthy    Hidden

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 1   Y   SYSTEM       NTFS   Partition    100 MB  Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 2   C                NTFS   Partition     51 GB  Healthy

    ==================================================================================

    Disk: 0
    Partition 4
    Type : 07
    Hidden: No
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 3   D                NTFS   Partition    226 GB  Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary           3741 MB  4032 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0B
    Hidden: No
    Active: Yes

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 5   H   KINGSTON     FAT32  Removable   3741 MB  Healthy

    ==================================================================================
    testsigning: ==> Check for possible unsigned malware driver <===== ATTENTION!


    ==========================================================

    Last Boot: 2012-07-18 15:36

    ======================= End Of Log ==========================
     
  12. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    In Vista or Windows 7: Boot to System Recovery Options and run FRST.
    In Windows XP: Please boot to UBCD and run FRST.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes to your reply.
  13. mekabuser

    mekabuser TS Rookie Topic Starter Posts: 63

    Broni, thank you, and here is the latest log. Computer continues to run practically normal. We really haven't been using it as much, as a precautionary measure, because I know it will take a little while to get this sorted out, since I can only do so much with the computer per day due to a psychotic schedule. Thanks again!
    Farbar Recovery Scan Tool Version: 16-07-2012 02
    Ran by SYSTEM at 2012-07-21 20:10:10
    Running from H:\
    ================== Search: "services.exe" ===================
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
    C:\Windows\System32\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06
    ====== End Of Search ======
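The search result above is the check that matters: the WinSxS copy of services.exe and the live System32 copy have the same size and the same timestamps but different MD5s, which is how the Bamital check in the earlier FRST log arrived at its ZeroAccess verdict. The script below is an added example for this thread, not code from TechSpot, FRST or ComboFix. It parses the two-line entries an FRST Search writes and reports a live copy whose hash differs from the WinSxS reference, and it separately checks a list of paths for the {GUID}\@, \L, \U layout the earlier FRST log lists under "ZeroAccess:". The sample search text is the poster's own, the ZeroAccess paths are taken from that log, and the extra Installer path ending in InstMsiA.exe is a constructed, hypothetical benign entry; the function and field names are mine.

```python
"""Cross-check FRST output for a patched system binary and ZeroAccess directories.

Added example for this thread; not code from TechSpot, FRST or ComboFix.
"""
import ntpath
import re
from collections import defaultdict

# Sample input: the services.exe search posted in the thread, verbatim.
SAMPLE_SEARCH = r"""
================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06
====== End Of Search ======
"""

# Sample paths: the two ZeroAccess directories FRST listed in the thread, plus
# one constructed, hypothetical benign Installer entry that must not be flagged.
SAMPLE_PATHS = [
    r"C:\Windows\Installer\{5d463ba7-dce0-4c6e-e783-06357ec45974}",
    r"C:\Windows\Installer\{5d463ba7-dce0-4c6e-e783-06357ec45974}\@",
    r"C:\Windows\Installer\{5d463ba7-dce0-4c6e-e783-06357ec45974}\L",
    r"C:\Windows\Installer\{5d463ba7-dce0-4c6e-e783-06357ec45974}\U",
    r"C:\Windows\Installer\{5d463ba7-dce0-4c6e-e783-06357ec45974}\U\00000001.@",
    r"C:\Users\bing\AppData\Local\{5d463ba7-dce0-4c6e-e783-06357ec45974}\@",
    r"C:\Users\bing\AppData\Local\{5d463ba7-dce0-4c6e-e783-06357ec45974}\L",
    r"C:\Users\bing\AppData\Local\{5d463ba7-dce0-4c6e-e783-06357ec45974}\U",
    r"C:\Windows\Installer\{9a3f2c10-1111-2222-3333-444455556666}\InstMsiA.exe",  # hypothetical
]

# "[created] - [modified] - size attrs (company) MD5", the line FRST writes under each path.
META_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+)(?: \((?P<company>[^)]*)\))? (?P<md5>[0-9A-Fa-f]{32})$"
)
# A path whose last directory component is a {GUID}, with an optional child path after it.
GUID_DIR_RE = re.compile(r"^(.*\\\{[0-9a-f-]{36}\})(?:\\(.+))?$", re.IGNORECASE)


def parse_search(text):
    """Return one dict per hit: the path plus created/modified/size/company/md5."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries = []
    for i in range(1, len(lines)):
        m = META_RE.match(lines[i])
        if not m or lines[i - 1].startswith("="):
            continue  # banner lines are not paths
        e = m.groupdict()
        e["path"] = lines[i - 1]
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        entries.append(e)
    return entries


def find_patched(entries):
    """Flag live copies whose MD5 matches none of the WinSxS copies of the same file name.

    A differing hash alone can be a servicing update; identical size and modification
    time with a different hash is the signature of in-place patching, so that
    combination is reported as a separate field.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[ntpath.basename(e["path"]).lower()].append(e)
    hits = []
    for group in by_name.values():
        refs = [e for e in group if "\\winsxs\\" in e["path"].lower()]
        if not refs:
            continue  # nothing to compare against
        ref_md5s = {r["md5"] for r in refs}
        for e in group:
            if e in refs or e["md5"] in ref_md5s:
                continue
            same_meta = any(
                e["size"] == r["size"] and e["modified"] == r["modified"] for r in refs
            )
            hits.append({
                "path": e["path"],
                "md5": e["md5"],
                "reference_md5": sorted(ref_md5s)[0],
                "same_size_and_mtime": same_meta,
            })
    return hits


def zeroaccess_dirs(paths):
    """Return {GUID} directories that contain all three of the '@', 'L' and 'U' children."""
    children = defaultdict(set)
    for p in paths:
        m = GUID_DIR_RE.match(p.strip())
        if m and m.group(2):
            children[m.group(1)].add(m.group(2).split("\\")[0].lower())
    return sorted(d for d, kids in children.items() if {"@", "l", "u"} <= kids)


if __name__ == "__main__":
    for h in find_patched(parse_search(SAMPLE_SEARCH)):
        print(f"{h['path']}: MD5 {h['md5']} != WinSxS {h['reference_md5']}"
              f" (same size and mtime: {h['same_size_and_mtime']})")
    for d in zeroaccess_dirs(SAMPLE_PATHS):
        print(f"ZeroAccess-style layout: {d}")
```

Two caveats on reading the result. A hash mismatch by itself is not proof, since a servicing update can legitimately leave System32 newer than an older WinSxS component; the report therefore also says whether size and modification time match the reference, and it is that combination that points to in-place patching rather than a replaced file. The comparison is also only trustworthy when the files are read from outside the infected OS, as here (FRST ran as SYSTEM from the recovery environment on H:\), because a rootkit can hide its changes from a scan run inside the running system. Separately, the earlier log's testsigning flag, which matches the "test mode" watermark the poster reports later, means Windows will load a driver signed with a self-generated test certificate, so it is a finding in its own right rather than noise.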
  14. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    You're still seriously infected.

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Next....

    Restart normally.

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

    Attached Files:

  15. mekabuser

    mekabuser TS Rookie Topic Starter Posts: 63

    Thank you for the replies. Based on what I've posted, have I successfully disabled my anti-malware etc. while running the prior scans? I will run your new scans tonight, barring an unforeseen event. Thanks yet again.
  16. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    You did fine.
  17. mekabuser

    mekabuser TS Rookie Topic Starter Posts: 63

    Please don't close. I'm doing 14-hour days the last two days and just don't have the time. Hope to run the scan tomorrow. Thank you...
  18. Broni

    Broni Malware Annihilator Posts: 46,713   +254

  19. mekabuser

    mekabuser TS Rookie Topic Starter Posts: 63

    Am still under a terrible schedule. Wife says the computer is still running OK; hope to run Combo etc. tomorrow. Thank you very much.
  20. Broni

    Broni Malware Annihilator Posts: 46,713   +254

  21. mekabuser

    mekabuser TS Rookie Topic Starter Posts: 63

    ComboFix has detected Lavasoft Ad-Watch Live anti-virus and Ad-Watch Live running, but I don't see them listed in processes, on the taskbar, in uninstall programs, or in the program list. What should I do? Continue the scan?
    I found a small Lavasoft file in Program Files on the C drive. Gonna empty the Recycle Bin too.
  22. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    Yes, go ahead.
  23. mekabuser

    mekabuser TS Rookie Topic Starter Posts: 63

    I got the "illegal operation attempted" message. I restarted right away. Expected to see a report, but dug for it in the ComboFix folder and looked for a txt doc. I hope this is the right one. On my desktop it says I'm still running in test mode. Is that proper? Here are the logs.
    ComboFix 12-07-27.03 - bing 07/27/2012 20:24:00.1.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2933.1821 [GMT -4:00]
    Running from: C:\Users\bing\Desktop\ComboFix.exe
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    C:\Program Files (x86)\I Want This
    C:\ProgramData\FullRemove.exe

    ((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-28 )))))))))))))))))))))))))))))))

    2012-07-28 00:28:57 . 2012-07-28 00:28:57 -------- d-----w- C:\Users\Default\AppData\Local\temp
    2012-07-20 06:44:32 . 2012-07-20 06:44:43 -------- d-----w- C:\FRST
    2012-07-19 14:20:16 . 2012-07-19 14:20:16 -------- d-----w- C:\ProgramData\Comodo
    2012-07-18 21:57:56 . 2012-07-18 21:57:56 -------- d-----w- C:\ProgramData\CPA_VA
    2012-07-18 20:00:39 . 2012-07-03 16:21:18 285328 ----a-w- C:\windows\system32\aswBoot.exe
    2012-07-18 19:59:39 . 2012-07-18 21:48:06 -------- d-----w- C:\ProgramData\AVAST Software
    2012-07-18 19:59:39 . 2012-07-18 19:59:39 -------- d-----w- C:\Program Files\AVAST Software
    2012-07-14 23:12:09 . 2012-07-14 23:12:09 55384 ----a-w- C:\windows\system32\drivers\SBREDrv.sys
    2012-07-14 23:09:31 . 2012-07-18 22:01:22 -------- d-----w- C:\ProgramData\Lavasoft
    2012-07-14 00:39:53 . 2012-07-22 14:23:25 -------- d-----w- C:\Program Files (x86)\Emsisoft Anti-Malware
    2012-07-13 23:47:14 . 2012-07-13 23:47:14 -------- d-----w- C:\Users\bing\AppData\Roaming\Malwarebytes
    2012-07-13 23:47:02 . 2012-07-13 23:47:02 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-07-13 23:47:01 . 2012-07-13 23:47:03 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-07-13 23:47:01 . 2012-07-03 17:46:44 24904 ----a-w- C:\windows\system32\drivers\mbam.sys
    2012-07-13 23:19:17 . 2012-07-13 23:19:17 -------- d-----w- C:\ProgramData\GFI Software
    2012-07-10 11:30:02 . 2012-07-10 11:30:02 -------- d-----w- C:\Users\Default\AppData\Roaming\IObit
    2012-07-10 00:25:51 . 2012-07-10 00:25:51 -------- d-sh--w- C:\windows\system32\%APPDATA%
    2012-07-06 11:29:15 . 2012-05-31 04:04:02 9013136 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2656AB82-F1B6-4D54-B309-47321C178E68}\mpengine.dll
    2012-07-03 13:54:32 . 2012-07-09 13:27:59 -------- d-----r- C:\Program Files (x86)\Skype
    2012-07-03 13:54:32 . 2012-07-03 13:54:32 -------- d-----w- C:\Program Files (x86)\Common Files\Skype
    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    2012-07-26 20:58:28 . 2012-04-28 15:56:17 70344 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-26 20:58:28 . 2012-04-28 15:56:17 426184 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
    2012-07-08 12:22:46 . 2011-10-29 19:26:39 58957832 ----a-w- C:\windows\system32\MRT.exe
    2012-06-02 22:19:46 . 2012-06-21 11:53:31 38424 ----a-w- C:\windows\system32\wups.dll
    2012-06-02 22:19:43 . 2012-06-21 11:53:42 2428952 ----a-w- C:\windows\system32\wuaueng.dll
    2012-06-02 22:19:42 . 2012-06-21 11:53:42 57880 ----a-w- C:\windows\system32\wuauclt.exe
    2012-06-02 22:19:42 . 2012-06-21 11:53:42 44056 ----a-w- C:\windows\system32\wups2.dll
    2012-06-02 22:19:23 . 2012-06-21 11:53:31 701976 ----a-w- C:\windows\system32\wuapi.dll
    2012-06-02 22:15:31 . 2012-06-21 11:53:42 2622464 ----a-w- C:\windows\system32\wucltux.dll
    2012-06-02 22:15:08 . 2012-06-21 11:53:31 99840 ----a-w- C:\windows\system32\wudriver.dll
    2012-06-02 19:19:42 . 2012-06-21 11:53:22 186752 ----a-w- C:\windows\system32\wuwebv.dll
    2012-06-02 19:15:12 . 2012-06-21 11:53:22 36864 ----a-w- C:\windows\system32\wuapp.exe
    2012-05-15 01:32:33 . 2012-06-13 23:24:04 3146752 ----a-w- C:\windows\system32\win32k.sys
    2012-05-04 11:06:22 . 2012-06-13 23:24:07 5559664 ----a-w- C:\windows\system32\ntoskrnl.exe
    2012-05-04 10:03:53 . 2012-06-13 23:24:06 3968368 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
    2012-05-04 10:03:50 . 2012-06-13 23:24:06 3913072 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
    2012-05-01 05:40:20 . 2012-06-13 23:24:08 209920 ----a-w- C:\windows\system32\profsvc.dll

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll" [2011-05-09 08:49:38 176936]
    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    2011-05-09 08:49:38 176936 ----a-w- C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll" [2011-05-09 08:49:38 176936]
    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-10-28 05:40:59 39408]
    "Advanced SystemCare 5"="C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe" [2012-03-06 22:39:50 574296]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Norton Online Backup"="C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 06:33:10 1155928]
    "SSBkgdUpdate"="C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 16:03:38 210472]
    "PaperPort PTD"="C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 06:07:00 29984]
    "IndexSearch"="C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 06:05:10 46368]
    "PPort11reminder"="C:\Program Files (x86)\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 16:01:58 328992]
    "TkBellExe"="C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" [2011-11-13 06:58:31 273528]
    "QuickTime Task"="C:\Program Files (x86)\QuickTime\QTTask.exe" [2010-11-30 01:38:18 421888]
    "iTunesHelper"="D:\Program Files (x86)\iTunes\iTunesHelper.exe" [2011-06-08 01:51:12 421160]
    "SunJavaUpdateSched"="C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 18:02:04 254696]
    "Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 05:53:50 843712]
    "ControlCenter3"="C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 14:26:54 114688]
    "BrStsMon00"="C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe" [2010-02-09 20:43:16 2621440]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux3"=wdmaud.drv
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 22:27:14 138576]
    R2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-10-28 05:40:43 136176]
    R2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-06-07 23:12:14 160944]
    R3 a2acc;a2acc;C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [2012-04-30 22:45:28 66320]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-26 20:58:29 250056]
    R3 BrYNSvc;BrYNSvc;C:\Program Files (x86)\Browny02\BrYNSvc.exe [2010-01-25 12:22:56 245760]
    R3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-10-28 05:40:43 136176]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [x]
    R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 04:34:24 4925184]
    R3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 20:35:42 187392]
    R3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys [2010-11-21 03:24:33 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 03:23:47 31232]
    R3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys [2011-05-10 16:06:08 51712]
    R3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe [2011-10-29 19:22:35 1255736]
    R3 WSDPrintDevice;WSD Print Support via UMB;C:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 00:39:20 23040]
    R4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 09:10:10 57184]
    S1 A2DDA;A2 Direct Disk Access Support Driver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [2011-05-19 18:10:34 23208]
    S1 SABI;SAMSUNG Kernel Driver For Windows 7;C:\windows\system32\Drivers\SABI.sys [2010-10-07 02:59:00 13824]
    S1 SBRE;SBRE;C:\windows\system32\drivers\SBREdrv.sys [2012-07-14 23:12:09 55384]
    S1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys [2011-01-25 09:34:33 60416]
    S2 a2AntiMalware;Emsisoft Anti-Malware 6.6 - Service;C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [2012-06-17 19:44:46 3069752]
    S2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 05:53:50 63928]
    S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [2012-03-14 21:38:14 913752]
    S2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 19:22:40 822624]
    S2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
    S2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 13:30:18 508776]
    S2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-07-05 22:41:46 3048136]
    S3 ETD;ELAN PS/2 Port Input Device;C:\windows\system32\DRIVERS\ETD.sys [2010-04-01 00:25:14 136192]
    S3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys [2010-02-26 23:32:12 158976]
    S3 IntcDAud;Intel(R) Display Audio;C:\windows\system32\DRIVERS\IntcDAud.sys [2010-08-30 11:17:36 289280]
    S3 Sftfs;Sftfs;C:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 13:30:10 764264]
    S3 Sftplay;Sftplay;C:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 13:30:18 268648]
    S3 Sftredir;Sftredir;C:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 13:30:18 25960]
    S3 Sftvol;Sftvol;C:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 13:30:22 22376]
    S3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 13:30:22 219496]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk62x64.sys [2009-09-28 09:22:00 395264]

    --- Other Services/Drivers In Memory ---
    *NewlyCreated* - WS2IFSL
    Contents of the 'Scheduled Tasks' folder
    2012-07-27 C:\windows\Tasks\Adobe Flash Player Updater.job
    - C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-10 00:22:40 . 2012-07-26 20:58:29]
    2012-07-28 C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-10-28 05:40:52 . 2011-10-28 05:40:43]
    2012-07-28 C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-10-28 05:40:52 . 2011-10-28 05:40:43]

    --------- X64 Entries -----------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-04-07 01:59:40 10144288]
    "IgfxTray"="C:\windows\system32\igfxtray.exe" [2010-11-29 22:51:28 161304]
    "HotKeysCmds"="C:\windows\system32\hkcmd.exe" [2010-11-29 22:51:16 386584]
    "Persistence"="C:\windows\system32\igfxpers.exe" [2010-11-29 22:51:22 415256]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x1
    ------- Supplementary Scan -------
    uLocal Page = C:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://samsung.msn.com
    mLocal Page = C:\Windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    Trusted Zone: intuit.com\ttlc
    TCP: DhcpNameServer = 167.206.254.1 167.206.254.2
    - - - - ORPHANS REMOVED - - - -
    Toolbar-Locked - (no file)
    Toolbar-Locked - (no file)
    WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC} - (no file)
    HKLM-Run-ETDWare - C:\Program Files (x86)\Elantech\ETDCtrl.exe

    --------------------- LOCKED REGISTRY KEYS ---------------------
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (LocalSystem)
    "{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,
    89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b
    "{BA14329E-9550-4989-B3F2-9732E92D17CC}"=hex:51,66,7a,6c,4c,1d,38,12,f0,31,07,
    be,62,db,e7,0c,cc,e4,d4,72,ec,73,53,d8
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,
    27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b
    "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
    1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
    "{3049C3E9-B461-4BC5-8870-4C09146192CA}"=hex:51,66,7a,6c,4c,1d,38,12,87,c0,5a,
    34,53,fa,ab,0e,f7,66,0f,49,11,3f,d6,de
    "{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
    94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
    "{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,
    ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3
    "{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,
    d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (LocalSystem)
    "Timestamp"=hex:c4,b8,ad,39,66,21,cd,01
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@C:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe,-101"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="C:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="C:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
    "ThreadingModel"="Apartment"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="C:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="C:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
    "ThreadingModel"="Apartment"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="C:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DbgagD\1*]
    "value"="?\03\06\03\128\08?"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    ------------------------ Other Running Processes ------------------------
    C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
    C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe
    **************************************************************************
    Completion time: 2012-07-27 20:36:47 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-28 00:36:47

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 16-07-2012 02
    Ran by SYSTEM at 2012-07-27 19:55:16 Run:1
    Running from H:\
    ==============================================
    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    C:\Windows\System32\consrv.dll not found.
    ff8dd40f59eeaad9 service deleted successfully.
    C:\Windows\System32\Drivers\ff8dd40f59eeaad9.sys moved successfully.
    C:\Windows\SysWOW64\shoC2A0.tmp moved successfully.
    C:\Windows\Installer\{5d463ba7-dce0-4c6e-e783-06357ec45974} moved successfully.
    C:\Users\bing\AppData\Local\{5d463ba7-dce0-4c6e-e783-06357ec45974} moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe
    ==== End of Fixlog ====

    thank you


    I thi
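    The Fixlog in the post above acted on three things: the Session Manager SubSystems\Windows value (looking for a consrv.dll entry), a service and driver with a random hexadecimal name, and a patched services.exe that was restored from the WinSxS component store. The script below is an added example, not something from this thread, ComboFix or FRST; it only reads and reports, so a helper can run it after a cleanup to confirm those indicators are gone before declaring the machine clean. It assumes a default Windows 7 x64 layout ($env:windir\System32 and the winsxs folder), must be run from an elevated PowerShell prompt, and uses .NET hashing so it also works on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the thread, ComboFix or FRST): read-only checks for the
# indicators the Fixlog above acted on. Changes nothing; run as Administrator.
# Paths are assumptions for a default Windows 7 x64 install.

$system32 = Join-Path $env:windir 'System32'

function Get-Sha256Hex([string]$Path) {
    # .NET hashing so this also runs on PowerShell 2.0, which lacks Get-FileHash
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

# 1. Session Manager\SubSystems\Windows normally references basesrv, winsrv and
#    csrsrv only; a consrv.dll entry is the indicator the Fixlog checked for.
$subsys = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
if ($subsys.Windows -match 'consrv') {
    Write-Warning "SubSystems\Windows references consrv.dll: $($subsys.Windows)"
} else {
    Write-Host 'SubSystems\Windows value looks normal'
}
if (Test-Path (Join-Path $system32 'consrv.dll')) {
    Write-Warning 'consrv.dll is present in System32'
}

# 2. services.exe: check its Authenticode signature and compare it byte-for-byte
#    (by SHA-256) with the copy in the WinSxS component store, which is what the
#    Fixlog restored from.
$live = Join-Path $system32 'services.exe'
$sig  = Get-AuthenticodeSignature $live
Write-Host "services.exe signature: $($sig.Status) $($sig.SignerCertificate.Subject)"
$liveHash = Get-Sha256Hex $live
$storeCopies = Get-ChildItem (Join-Path $env:windir 'winsxs') -Recurse -Filter 'services.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.Directory.Name -like 'amd64_microsoft-windows-s..s-servicecontroller_*' }
foreach ($copy in $storeCopies) {
    $same = (Get-Sha256Hex $copy.FullName) -eq $liveHash
    Write-Host ('{0}  matches live services.exe: {1}' -f $copy.Directory.Name, $same)
}
if (-not $storeCopies) { Write-Warning 'no servicecontroller component found in winsxs' }

# 3. Drivers and service keys whose names are long hexadecimal strings, like the
#    ff8dd40f59eeaad9 entry the Fixlog deleted. Legitimate names are rarely pure hex.
Get-ChildItem (Join-Path $system32 'Drivers') -Filter '*.sys' |
    Where-Object { $_.BaseName -match '^[0-9a-f]{12,}$' } |
    ForEach-Object { Write-Warning "hex-named driver file: $($_.FullName)" }
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    Where-Object { $_.PSChildName -match '^[0-9a-f]{12,}$' } |
    ForEach-Object { Write-Warning "hex-named service key: $($_.PSChildName)" }
```

    A Valid signature on services.exe plus a hash match against the WinSxS copy is the condition the Fixlog was trying to reach; a mismatch after the fix means the file was replaced again and the cleanup is not finished. The winsxs scan is slow on a large component store, which is the price of not trusting anything outside Windows' own copy.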
  24. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    We have to fix this one first:
    I missed one entry in FRST log.

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Restart computer normally and see if the message is gone.

    Attached Files:

  25. mekabuser

    mekabuser TS Rookie Topic Starter Posts: 63

    thnks will do tonight

