TechSpot

[A] Inexperienced but needing some help plz! I think I have the virus too :(

Inactive
By Shaunie
Aug 17, 2012
  1. I have tried reading the blogs but they say not to follow anyone else's instructions and to post your own. I have not made any logs because my computer restarts itself before I can do so. I began having problems a week ago when my computer would automatically redirect me to a spam page whenever I attempted to go on the Internet, and I kept getting a popup. I attempted to install different virus scanners such as McAfee and Norton, but each one would stop and say it cannot continue due to the Internet connection, even though my internet was working. I uninstalled all the software and finally tried Microsoft's free virus software, and now my computer keeps rebooting and saying Windows has encountered an error and has to reboot in one minute. I'm pretty good with computers but this has got me baffled. Help please!
     
  2. Shaunie

    Shaunie TS Rookie Topic Starter

    I am attempting to find out how to get to this Farbar to get a log. Any help would be great.
     
  3. Shaunie

    Shaunie TS Rookie Topic Starter

    Not sure why my topic isn't getting any answers, but I guess I'm on my own.
     
  4. Shaunie

    Shaunie TS Rookie Topic Starter

    I have managed to download the tool and run the scan before my computer rebooted. Hope this will get me some help from someone. Thank you.

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 15-08-2012
    Ran by Owner at 17-08-2012 16:46:16
    Running from C:\Users\Owner\Downloads
    Service Pack 1 (X86) OS Language: English(US)
    Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

    ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.


    ============ One Month Created Files and Folders ==============

    2012-08-17 16:46 - 2012-08-17 16:46 - 00000000 ____D C:\FRST
    2012-08-17 16:44 - 2012-08-17 16:45 - 00896198 ____A (Farbar) C:\Users\Owner\Downloads\FRST.exe
    2012-08-17 16:29 - 2012-08-17 16:29 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fxhlqpyf.sys
    2012-08-17 15:17 - 2012-08-17 15:17 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-17 15:13 - 2012-08-17 15:15 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-08-17 15:08 - 2012-08-17 15:09 - 10288512 ____A (Microsoft Corporation) C:\Users\Owner\Desktop\mseinstall.exe
    2012-08-17 14:32 - 2012-08-17 14:32 - 00535144 ____A C:\Users\Owner\Downloads\PIRATEBAY-Downloader(1).exe
    2012-08-17 14:28 - 2012-08-17 14:28 - 00535144 ____A C:\Users\Owner\Downloads\PIRATEBAY-Downloader.exe
    2012-08-17 14:14 - 2012-08-17 14:15 - 109370032 ____A (Symantec Corporation) C:\Users\Owner\Downloads\NIS-TW-30-19-1-0-28-EN.exe
    2012-08-16 23:33 - 2012-08-16 23:33 - 00000000 ____D C:\Users\Owner\AppData\Local\Macromedia
    2012-08-16 23:15 - 2012-08-16 23:15 - 00000000 __SHD C:\found.002
    2012-08-16 22:34 - 2012-08-16 22:34 - 04299144 ____A (McAfee, Inc.) C:\Users\Owner\Downloads\McAfeeSetup(2).exe
    2012-08-16 22:03 - 2012-05-25 17:13 - 00151912 ____A (McAfee, Inc.) C:\Windows\System32\mfevtps.exe.c3ff.deleteme
    2012-08-16 22:03 - 2012-05-25 17:13 - 00151912 ____A (McAfee, Inc.) C:\Windows\System32\mfevtps.exe
    2012-08-16 21:54 - 2012-08-16 21:54 - 04299144 ____A (McAfee, Inc.) C:\Users\Owner\Downloads\McAfeeSetup(1).exe
    2012-08-16 19:46 - 2012-08-16 19:46 - 04299144 ____A (McAfee, Inc.) C:\Users\Owner\Downloads\McAfeeSetup.exe
    2012-08-16 19:44 - 2012-08-17 16:41 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-16 19:44 - 2012-08-16 22:41 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-08-16 18:07 - 2012-08-16 18:07 - 04299144 ____A (McAfee, Inc.) C:\Users\Owner\Desktop\McAfeeSetup.exe
    2012-08-15 20:30 - 2012-08-16 23:34 - 00001075 ____A C:\Users\Public\Desktop\Panda Cloud Cleaner.lnk
    2012-08-15 20:30 - 2012-08-15 20:30 - 00000000 ____D C:\Program Files\Panda Security
    2012-08-15 20:28 - 2012-08-15 20:28 - 19526944 ____A (Panda Security ) C:\Users\Owner\Downloads\PandaCloudCleaner.exe
    2012-08-15 12:23 - 2012-08-15 12:23 - 00000000 ____D C:\Users\All Users\Sun
    2012-08-15 12:22 - 2012-08-15 12:21 - 00472808 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
    2012-08-15 12:22 - 2012-08-15 12:21 - 00153376 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
    2012-08-15 12:22 - 2012-08-15 12:21 - 00145184 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
    2012-08-15 12:22 - 2012-08-15 12:21 - 00145184 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
    2012-08-15 12:06 - 2012-08-15 12:06 - 00000000 ____A C:\Users\Owner\Downloads\jre-6u22-windows-i586-s.exe
    2012-08-13 19:58 - 2012-08-13 19:59 - 77251480 ____A (Apple Inc.) C:\Users\Owner\Downloads\iTunesSetup(1).exe
    2012-08-13 19:46 - 2012-08-13 19:46 - 00001302 ____A C:\Windows\setupact.log
    2012-08-13 19:46 - 2012-08-13 19:46 - 00000000 ____A C:\Windows\setuperr.log
    2012-08-13 13:57 - 2012-08-13 13:58 - 00000000 ____D C:\f7abe61c8074232dce88ff85aa5bbba8
    2012-08-13 13:57 - 2012-08-13 13:57 - 06955968 ____A (Microsoft Corporation) C:\Users\Owner\Downloads\Silverlight(2).exe
    2012-08-13 13:53 - 2012-08-13 13:54 - 06955968 ____A (Microsoft Corporation) C:\Users\Owner\Downloads\Silverlight(1).exe
    2012-08-11 12:45 - 2012-08-11 12:45 - 00069120 ____A C:\Users\Owner\Desktop\OWS.wps
    2012-08-10 20:40 - 2012-08-10 21:00 - 00000000 ____A C:\Users\Owner\Downloads\X17-75058.exe.partial
    2012-08-10 20:40 - 2012-08-10 20:40 - 00000000 ____D C:\Users\Owner\AppData\Local\MicrosoftStore
    2012-08-10 20:22 - 2012-08-10 20:22 - 02574064 ____A (Solid State Networks) C:\Users\Owner\Downloads\027c247eb22944438a2bba93c8d9a44a_Pod023_en-US.exe
    2012-08-09 11:53 - 2012-08-09 11:53 - 00025088 ____A C:\Users\Owner\Downloads\myresume3.doc.wps
    2012-08-06 14:16 - 2012-08-06 14:16 - 00010368 ____A C:\Users\Owner\CheckInfo.aspx.htm
    2012-08-06 14:16 - 2012-08-06 14:16 - 00000000 ____D C:\Users\Owner\CheckInfo.aspx_files
    2012-07-29 21:33 - 2012-07-29 21:33 - 15267728 ____A (Google Inc.) C:\Users\Owner\Downloads\picasa39-setup.exe
    2012-07-29 21:24 - 2012-08-15 22:25 - 00000000 ____D C:\Users\Owner\Desktop\rganizing with Shaunie
    2012-07-26 10:55 - 2012-07-29 22:39 - 00000000 ____D C:\Users\Owner\Desktop\St AgnesAgreementConfirmation_files
    2012-07-26 10:55 - 2012-07-26 10:55 - 00064093 ____A C:\Users\Owner\Desktop\St AgnesAgreementConfirmation.aspx
    2012-07-18 16:17 - 2012-07-18 16:17 - 00007418 ____A C:\Users\Owner\Desktop\BBB.htm
    2012-07-18 16:17 - 2012-07-18 16:17 - 00000000 ____D C:\Users\Owner\Desktop\BBB_files

    ============ 3 Months Modified Files ========================

    2012-08-17 16:45 - 2012-08-17 16:44 - 00896198 ____A (Farbar) C:\Users\Owner\Downloads\FRST.exe
    2012-08-17 16:44 - 2006-11-02 08:45 - 00003296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-17 16:44 - 2006-11-02 08:45 - 00003296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-17 16:43 - 2007-07-05 12:32 - 00000149 ____A C:\Users\Public\Documents\hpqp.ini
    2012-08-17 16:41 - 2012-08-16 19:44 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-17 16:40 - 2011-12-18 04:38 - 00000378 ____A C:\Windows\Tasks\FreeFileViewerUpdateChecker.job
    2012-08-17 16:29 - 2012-08-17 16:29 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fxhlqpyf.sys
    2012-08-17 16:26 - 2006-11-02 08:58 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-17 16:24 - 2008-05-30 18:24 - 00279040 ____A C:\Windows\System32\services.exe
    2012-08-17 15:17 - 2012-08-17 15:17 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-17 15:16 - 2007-09-19 23:39 - 01800369 ____A C:\Windows\WindowsUpdate.log
    2012-08-17 15:15 - 2006-11-02 06:33 - 00722456 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-17 15:09 - 2012-08-17 15:08 - 10288512 ____A (Microsoft Corporation) C:\Users\Owner\Desktop\mseinstall.exe
    2012-08-17 14:32 - 2012-08-17 14:32 - 00535144 ____A C:\Users\Owner\Downloads\PIRATEBAY-Downloader(1).exe
    2012-08-17 14:28 - 2012-08-17 14:28 - 00535144 ____A C:\Users\Owner\Downloads\PIRATEBAY-Downloader.exe
    2012-08-17 14:15 - 2012-08-17 14:14 - 109370032 ____A (Symantec Corporation) C:\Users\Owner\Downloads\NIS-TW-30-19-1-0-28-EN.exe
    2012-08-17 13:40 - 2006-11-02 08:58 - 00032586 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-08-16 23:34 - 2012-08-15 20:30 - 00001075 ____A C:\Users\Public\Desktop\Panda Cloud Cleaner.lnk
    2012-08-16 22:41 - 2012-08-16 19:44 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-08-16 22:41 - 2012-03-11 22:33 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-08-16 22:34 - 2012-08-16 22:34 - 04299144 ____A (McAfee, Inc.) C:\Users\Owner\Downloads\McAfeeSetup(2).exe
    2012-08-16 21:54 - 2012-08-16 21:54 - 04299144 ____A (McAfee, Inc.) C:\Users\Owner\Downloads\McAfeeSetup(1).exe
    2012-08-16 21:21 - 2007-07-05 12:16 - 00144284 ____A C:\Windows\PFRO.log
    2012-08-16 19:46 - 2012-08-16 19:46 - 04299144 ____A (McAfee, Inc.) C:\Users\Owner\Downloads\McAfeeSetup.exe
    2012-08-16 19:32 - 2007-12-25 07:07 - 00000680 ____A C:\Users\Owner\AppData\Local\d3d9caps.dat
    2012-08-16 18:07 - 2012-08-16 18:07 - 04299144 ____A (McAfee, Inc.) C:\Users\Owner\Desktop\McAfeeSetup.exe
    2012-08-15 20:28 - 2012-08-15 20:28 - 19526944 ____A (Panda Security ) C:\Users\Owner\Downloads\PandaCloudCleaner.exe
    2012-08-15 12:21 - 2012-08-15 12:22 - 00472808 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
    2012-08-15 12:21 - 2012-08-15 12:22 - 00153376 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
    2012-08-15 12:21 - 2012-08-15 12:22 - 00145184 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
    2012-08-15 12:21 - 2012-08-15 12:22 - 00145184 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
    2012-08-15 12:06 - 2012-08-15 12:06 - 00000000 ____A C:\Users\Owner\Downloads\jre-6u22-windows-i586-s.exe
    2012-08-15 10:52 - 2010-10-27 22:18 - 00002300 ____A C:\Users\Owner\AppData\Roaming\wklnhst.dat
    2012-08-13 19:59 - 2012-08-13 19:58 - 77251480 ____A (Apple Inc.) C:\Users\Owner\Downloads\iTunesSetup(1).exe
    2012-08-13 19:46 - 2012-08-13 19:46 - 00001302 ____A C:\Windows\setupact.log
    2012-08-13 19:46 - 2012-08-13 19:46 - 00000000 ____A C:\Windows\setuperr.log
    2012-08-13 13:57 - 2012-08-13 13:57 - 06955968 ____A (Microsoft Corporation) C:\Users\Owner\Downloads\Silverlight(2).exe
    2012-08-13 13:54 - 2012-08-13 13:53 - 06955968 ____A (Microsoft Corporation) C:\Users\Owner\Downloads\Silverlight(1).exe
    2012-08-11 12:45 - 2012-08-11 12:45 - 00069120 ____A C:\Users\Owner\Desktop\OWS.wps
    2012-08-10 21:00 - 2012-08-10 20:40 - 00000000 ____A C:\Users\Owner\Downloads\X17-75058.exe.partial
    2012-08-10 20:22 - 2012-08-10 20:22 - 02574064 ____A (Solid State Networks) C:\Users\Owner\Downloads\027c247eb22944438a2bba93c8d9a44a_Pod023_en-US.exe
    2012-08-09 11:53 - 2012-08-09 11:53 - 00025088 ____A C:\Users\Owner\Downloads\myresume3.doc.wps
    2012-08-06 14:16 - 2012-08-06 14:16 - 00010368 ____A C:\Users\Owner\CheckInfo.aspx.htm
    2012-07-29 21:33 - 2012-07-29 21:33 - 15267728 ____A (Google Inc.) C:\Users\Owner\Downloads\picasa39-setup.exe
    2012-07-29 16:32 - 2007-12-28 03:31 - 00000322 ____A C:\Windows\Tasks\HPCeeScheduleForOwner.job
    2012-07-26 10:55 - 2012-07-26 10:55 - 00064093 ____A C:\Users\Owner\Desktop\St AgnesAgreementConfirmation.aspx
    2012-07-18 21:36 - 2012-05-04 21:18 - 00025088 ____A C:\Users\Owner\Downloads\Shauntrice%20Coleman%20resume.wps
    2012-07-18 16:17 - 2012-07-18 16:17 - 00007418 ____A C:\Users\Owner\Desktop\BBB.htm
    2012-07-12 03:02 - 2006-11-02 06:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-07-05 12:28 - 2012-07-05 12:28 - 00007609 ____A C:\Users\Owner\Desktop\report.htm
    2012-07-04 12:54 - 2012-07-04 12:52 - 00000000 ____A C:\Users\Owner\Downloads\DesktopUploader1.1.0.0(1).exe
    2012-07-04 12:43 - 2012-07-04 12:40 - 01857072 ____A C:\Users\Owner\Downloads\DesktopUploader1.1.0.0.exe
    2012-07-04 12:17 - 2007-12-01 19:15 - 00090448 ____A C:\Users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-07-04 12:12 - 2006-11-02 08:44 - 00351744 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-04 11:37 - 2012-07-04 11:37 - 04285248 ____A (McAfee, Inc.) C:\Users\Guest\Downloads\McAfeeSetup.exe
    2012-06-26 22:14 - 2012-06-26 22:14 - 04472832 ____A (Google Inc.) C:\Windows\System32\GPhotos.scr
    2012-06-13 13:24 - 2012-06-13 13:24 - 00525465 ____A C:\Users\Owner\Downloads\taxReturn.tax2011
    2012-05-31 12:25 - 2009-10-02 23:22 - 00237072 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2012-05-30 10:38 - 2007-07-05 12:29 - 00035740 ____A C:\Windows\DPINST.LOG
    2012-05-30 10:29 - 2012-05-30 10:25 - 10249568 ____A (LeapFrog Enterprises, Inc.) C:\Users\Owner\Downloads\LeapFrogConnectSetup_LeapPadExplorer.exe
    2012-05-25 17:13 - 2012-08-16 22:03 - 00151912 ____A (McAfee, Inc.) C:\Windows\System32\mfevtps.exe.c3ff.deleteme
    2012-05-25 17:13 - 2012-08-16 22:03 - 00151912 ____A (McAfee, Inc.) C:\Windows\System32\mfevtps.exe
    2012-05-20 20:21 - 2012-05-20 20:21 - 00035328 ____A C:\Users\Owner\Documents\COREY DAVIS RESUME.wps
    2012-05-20 14:41 - 2007-12-26 23:54 - 00000846 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
    2012-05-20 14:21 - 2012-05-20 14:19 - 00000000 ____A C:\Users\Owner\Downloads\Firefox Setup 12.0.exe


    ZeroAccess:
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\n
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L\00000004.@
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L\201d3dde

    ZeroAccess:
    C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
    C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
    C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
    C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U
    C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L\00000004.@
    C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000004.@
    C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000008.@
    C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\000000cb.@
    C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\80000000.@
    C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\80000032.@

    ZeroAccess:
    C:\Windows\assembly\GAC\Desktop.ini

    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe
    [2008-05-30 18:24] - [2012-08-17 16:24] - 0279040 ____A () D41D8CD98F00B204E9800998ECF8427E

    C:\Windows\System32\services.exe IS INFECTED. <===== ATTENTION!

    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ========================= Memory info ======================

    Percentage of memory in use: 71%
    Total physical RAM: 1013.28 MB
    Available physical RAM: 284.57 MB
    Total Pagefile: 2292.89 MB
    Available Pagefile: 1156.91 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1950.42 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:66.85 GB) (Free:16.4 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (PRESARIO_RP) (Fixed) (Total:7.68 GB) (Free:1.77 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 75 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 67 GB 32 KB
    Partition 2 Primary 7860 MB 67 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 67 GB Healthy System (partition with boot components)

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D PRESARIO_RP NTFS Partition 7860 MB Healthy

    ==================================================================================

    Last Boot: 2012-08-17 16:48

    ======================= End Of Log ==========================
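The integrity section of the log above reports a hash for services.exe and then flags it, and the "ZeroAccess:" blocks list reparse-point style paths. As an added example, not part of this thread and not FRST's own code, the Python below parses those two sections of an FRST log into structured verdicts. The sample lines are constructed by copying the format of the log quoted above, and the regular expressions are assumptions about that format, not a published FRST grammar. The example also checks whether a reported MD5 equals the hash of zero bytes, which is exactly what D41D8CD98F00B204E9800998ECF8427E is: a tool that reports it hashed no file content at all, so a verdict built on that hash says nothing about the file, one more reason the log has to come from the recovery environment rather than from inside the running Windows.

```python
"""Parse the "Bamital & volsnap Check" and "ZeroAccess:" sections of an FRST log.

Added example for this thread; it is not FRST code and not from the forum post.
The regular expressions are assumptions based on the log lines quoted above.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# MD5 of zero bytes. If a tool reports this for a file, it hashed no content,
# typically because the file could not be opened while the OS was running.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

PATH_RE = re.compile(r"^[A-Za-z]:\\\S")
LEGIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => MD5 is legit$")
INFECTED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) IS INFECTED\.")
HASH_RE = re.compile(
    r"^\[[^\]]*\] - \[[^\]]*\] - (?P<size>\d+) (?P<attr>\S+) "
    r"\((?P<signer>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)

# Constructed sample, copied in format from the log quoted in this thread.
SAMPLE_LOG = r"""
========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe
[2008-05-30 18:24] - [2012-08-17 16:24] - 0279040 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\Windows\System32\services.exe IS INFECTED. <===== ATTENTION!

C:\Windows\System32\userinit.exe => MD5 is legit

ZeroAccess:
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000004.@

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini
"""


@dataclass
class FileVerdict:
    path: str
    status: str = "unknown"          # "legit", "infected" or "unknown"
    md5: Optional[str] = None
    signer: Optional[str] = None
    notes: List[str] = field(default_factory=list)


def parse_frst_checks(log_text: str) -> Tuple[Dict[str, FileVerdict], List[str]]:
    """Return per-file verdicts and the paths listed under "ZeroAccess:" headers."""
    verdicts: Dict[str, FileVerdict] = {}
    zeroaccess: List[str] = []
    pending: Optional[str] = None    # bare path waiting for its hash line
    in_za = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:                 # a blank line ends a ZeroAccess block
            in_za = False
            pending = None
            continue
        if line == "ZeroAccess:":
            in_za = True
            continue
        if in_za:
            zeroaccess.append(line)
            continue
        m = LEGIT_RE.match(line)
        if m:
            verdicts.setdefault(m["path"], FileVerdict(m["path"])).status = "legit"
            pending = None
            continue
        m = INFECTED_RE.match(line)
        if m:
            verdicts.setdefault(m["path"], FileVerdict(m["path"])).status = "infected"
            pending = None
            continue
        m = HASH_RE.match(line)
        if m and pending:
            v = verdicts.setdefault(pending, FileVerdict(pending))
            v.md5 = m["md5"].upper()
            v.signer = m["signer"].strip() or None
            if v.md5 == EMPTY_MD5:
                v.notes.append("MD5 equals the hash of zero bytes; file content was not read")
            pending = None
            continue
        if PATH_RE.match(line):      # bare path: the hash line should follow
            pending = line
    return verdicts, zeroaccess


def summarize(log_text: str) -> Dict[str, object]:
    """Condense the parsed sections into what a reviewer wants to see first."""
    verdicts, zeroaccess = parse_frst_checks(log_text)
    return {
        "infected": sorted(p for p, v in verdicts.items() if v.status == "infected"),
        "unreadable_hash": sorted(p for p, v in verdicts.items() if v.md5 == EMPTY_MD5),
        "legit": sorted(p for p, v in verdicts.items() if v.status == "legit"),
        "zeroaccess_paths": len(zeroaccess),
    }


if __name__ == "__main__":
    for key, val in summarize(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

Run against a real FRST.txt by reading the file and passing its text to summarize(); a path that lands in both "infected" and "unreadable_hash" means the tool's verdict came without any file bytes behind it, and the scan should be repeated from the recovery environment before anything is acted on.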
     
  5. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ========================================

    You ran the tool from within Windows.
    That won't work.

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flash drive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    Next...

    Re-run FRST again.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes in your reply.

    I'll expect two logs:
    - FRST.txt
    - Search.txt
     
  6. Shaunie

    Shaunie TS Rookie Topic Starter

    OK, I didn't know that. I will try this again. Thanks.
     
  7. Shaunie

    Shaunie TS Rookie Topic Starter

    WHEW, OK, I think I did it right this time.

    FRST.TXT

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 15-08-2012
    Ran by SYSTEM at 17-08-2012 17:42:31
    Running from F:\
    Windows Vista (TM) Home Basic (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [115816 2007-01-10] (Symantec Corporation)
    HKLM\...\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" [176128 2007-03-28] (CyberLink Corp.)
    HKLM\...\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [184320 2007-06-11] ( Hewlett-Packard Development Company, L.P.)
    HKLM\...\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe [212992 2007-10-25] (Alps Electric Co., Ltd.)
    HKLM\...\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" [398728 2008-01-29] (Symantec Corporation)
    HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2007-08-28] (Intel Corporation)
    HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [154136 2007-08-28] (Intel Corporation)
    HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [137752 2007-08-28] (Intel Corporation)
    HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [40368 2009-12-18] (Adobe Systems Incorporated)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [948672 2009-12-11] (Adobe Systems Incorporated)
    HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2006-12-10] (Hewlett-Packard Co.)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-09-08] (Apple Inc.)
    HKLM\...\Run: [CoreChipTiManager] C:\Windows\diskediag.exe [3338240 2011-11-30] (GP Systems Integration)
    HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
    HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-03-06] (Apple Inc.)
    HKLM\...\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe" [268640 2011-11-12] (LeapFrog Enterprises, Inc.)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [248552 2010-05-14] (Sun Microsystems, Inc.)
    HKU\Default\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1773568 2007-03-20] (Hewlett-Packard)
    HKU\Default User\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1773568 2007-03-20] (Hewlett-Packard)
    HKU\Owner\...\Run: [DriverScanner] "C:\Program Files\Uniblue\DriverScanner\launcher.exe" delay 20000 [x]
    HKU\Owner\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)
    Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
    Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\MRI_DISABLED ()
    Startup: C:\Users\Owner\Start Menu\Programs\Startup\Sprint media monitor.lnk
    ShortcutTarget: Sprint media monitor.lnk -> C:\Windows\RM.exe ()

    ================================ Services (Whitelisted) ==================

    2 Automatic LiveUpdate Scheduler; "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [554352 2007-09-12] (Symantec Corporation)
    3 Com4Qlb; "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe" [110592 2007-03-05] (Hewlett-Packard Development Company, L.P.)
    2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)
    2 HP Health Check Service; "C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [62984 2007-03-14] (Hewlett-Packard)
    2 hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [135168 2006-05-02] (Hewlett-Packard Development Company, L.P.)
    2 LeapFrog Connect Device Service; "C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe" [0 2011-11-12] ()
    3 LiveUpdate; "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" [2999664 2007-09-12] (Symantec Corporation)
    2 LiveUpdate Notice Service; "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll" [537992 2008-04-10] (Symantec Corporation)
    2 mfevtp; "C:\Windows\system32\mfevtps.exe" [151912 2012-05-25] (McAfee, Inc.)
    3 Symantec Core LC; "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" [1251720 2008-08-12] ()
    2 Viewpoint Manager Service; "C:\Program Files\Viewpoint\Common\ViewpointService.exe" [24652 2007-01-04] (Viewpoint Corporation)
    2 Vongo Service; C:\Program Files\Vongo\VongoService.exe [176128 2007-03-29] (Starz Entertainment Group LLC)
    2 ccEvtMgr; "c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]
    2 ccSetMgr; "c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]
    2 CLTNetCnService; "c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon [x]
    3 comHost; "c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe" [x]
    3 ISPwdSvc; "c:\Program Files\Norton Internet Security\isPwdSvc.exe" [x]
    2 LiveUpdate Notice Ex; "c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]
    2 NovacomD; C:\Program Files\Palm\SDK\bin\novacomd\x86\novacomd.exe [x]
    2 SymAppCore; "c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe" [x]

    ========================== Drivers (Whitelisted) =============

    4 adpu160m; C:\Windows\system32\drivers\adpu160m.sys [98408 2006-11-02] (Adaptec, Inc.)
    1 eabfiltr; C:\Windows\System32\DRIVERS\eabfiltr.sys [8192 2006-11-30] (Hewlett-Packard Development Company, L.P.)
    3 easytether; C:\Windows\System32\DRIVERS\easytthr.sys [17232 2010-08-29] (Mobile Stream)
    1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [371248 2008-08-11] (Symantec Corporation)
    3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [99376 2008-08-11] (Symantec Corporation)
    3 HdAudAddService; C:\Windows\System32\drivers\CHDART.sys [163328 2007-06-29] (Conexant Systems Inc.)
    1 IDSvix86; \??\C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080812.001\IDSvix86.sys [261680 2008-02-13] (Symantec Corporation)
    3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [121544 2012-02-22] (McAfee, Inc.)
    0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [464304 2012-02-22] (McAfee, Inc.)
    3 ndiscm; C:\Windows\System32\DRIVERS\NetMotCM.sys [15360 2004-09-29] (Motorola Inc.)
    1 PCANDIS5; \??\C:\Windows\system32\PCANDIS5.SYS [17408 2004-12-02] (Printing Communications Assoc., Inc. (PCAUSA))
    3 pneteth; C:\Windows\System32\DRIVERS\pneteth.sys [13312 2010-09-02] (June Fabrics Technology Inc.)
    3 pnetmdm; C:\Windows\System32\DRIVERS\pnetmdm.sys [9472 2006-09-28] (June Fabrics Technology)
    3 RTL8023xp; C:\Windows\System32\DRIVERS\Rtnicxp.sys [51200 2008-02-13] (Realtek Semiconductor Corporation )
    3 sscdserd; C:\Windows\System32\DRIVERS\sscdserd.sys [86824 2007-07-03] (MCCI Corporation)
    3 SYMDNS; C:\Windows\System32\Drivers\SYMDNS.SYS [12848 2007-10-30] (Symantec Corporation)
    3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [123952 2008-08-12] (Symantec Corporation)
    3 SYMFW; C:\Windows\System32\Drivers\SYMFW.SYS [145968 2007-10-30] (Symantec Corporation)
    3 SYMIDS; C:\Windows\System32\Drivers\SYMIDS.SYS [39856 2007-10-30] (Symantec Corporation)
    3 SYMNDISV; C:\Windows\System32\Drivers\SYMNDISV.SYS [37936 2007-10-30] (Symantec Corporation)
    3 SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [27696 2007-10-30] (Symantec Corporation)
    1 SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [191536 2007-10-30] (Symantec Corporation)
    4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
    3 VBoxNetFlt; C:\Windows\System32\DRIVERS\VBoxNetFlt.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-17 12:48 - 2012-08-17 12:49 - 00016222 ____A C:\Users\Owner\Downloads\FRST.txt
    2012-08-17 12:46 - 2012-08-17 12:46 - 00000000 ____D C:\FRST
    2012-08-17 11:13 - 2012-08-17 11:15 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-08-16 19:33 - 2012-08-16 19:33 - 00000000 ____D C:\Users\Owner\Local Settings\Macromedia
    2012-08-16 19:33 - 2012-08-16 19:33 - 00000000 ____D C:\Users\Owner\Local Settings\Application Data\Macromedia
    2012-08-16 19:33 - 2012-08-16 19:33 - 00000000 ____D C:\Users\Owner\AppData\Local\Macromedia
    2012-08-16 19:15 - 2012-08-16 19:15 - 00000000 __SHD C:\found.002
    2012-08-16 18:34 - 2012-08-16 18:34 - 04299144 ____A (McAfee, Inc.) C:\Users\Owner\Downloads\McAfeeSetup(2).exe
    2012-08-16 18:03 - 2012-05-25 13:13 - 00151912 ____A (McAfee, Inc.) C:\Windows\System32\mfevtps.exe.c3ff.deleteme
    2012-08-16 18:03 - 2012-05-25 13:13 - 00151912 ____A (McAfee, Inc.) C:\Windows\System32\mfevtps.exe
    2012-08-16 17:54 - 2012-08-16 17:54 - 04299144 ____A (McAfee, Inc.) C:\Users\Owner\Downloads\McAfeeSetup(1).exe
    2012-08-16 15:46 - 2012-08-16 15:46 - 04299144 ____A (McAfee, Inc.) C:\Users\Owner\Downloads\McAfeeSetup.exe
    2012-08-16 15:44 - 2012-08-16 20:41 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-16 15:44 - 2012-08-16 18:41 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-08-16 14:07 - 2012-08-16 14:07 - 04299144 ____A (McAfee, Inc.) C:\Users\Owner\Desktop\McAfeeSetup.exe
    2012-08-15 16:30 - 2012-08-16 19:34 - 00001075 ____A C:\Users\Public\Desktop\Panda Cloud Cleaner.lnk
    2012-08-15 16:30 - 2012-08-16 19:34 - 00001075 ____A C:\Users\All Users\Desktop\Panda Cloud Cleaner.lnk
    2012-08-15 16:30 - 2012-08-15 16:30 - 00000000 ____D C:\Program Files\Panda Security
    2012-08-15 16:28 - 2012-08-15 16:28 - 19526944 ____A (Panda Security ) C:\Users\Owner\Downloads\PandaCloudCleaner.exe
    2012-08-15 08:23 - 2012-08-15 08:23 - 00000000 ____D C:\Users\All Users\Sun
    2012-08-15 08:23 - 2012-08-15 08:23 - 00000000 ____D C:\Users\All Users\Application Data\Sun
    2012-08-15 08:22 - 2012-08-15 08:21 - 00472808 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
    2012-08-15 08:22 - 2012-08-15 08:21 - 00153376 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
    2012-08-15 08:22 - 2012-08-15 08:21 - 00145184 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
    2012-08-15 08:22 - 2012-08-15 08:21 - 00145184 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
    2012-08-15 08:06 - 2012-08-15 08:06 - 00000000 ____A C:\Users\Owner\Downloads\jre-6u22-windows-i586-s.exe
    2012-08-13 15:58 - 2012-08-13 15:59 - 77251480 ____A (Apple Inc.) C:\Users\Owner\Downloads\iTunesSetup(1).exe
    2012-08-13 15:46 - 2012-08-17 13:17 - 00002016 ____A C:\Windows\setupact.log
    2012-08-13 15:46 - 2012-08-13 15:46 - 00000000 ____A C:\Windows\setuperr.log
    2012-08-13 09:57 - 2012-08-13 09:58 - 00000000 ____D C:\f7abe61c8074232dce88ff85aa5bbba8
    2012-08-13 09:57 - 2012-08-13 09:57 - 06955968 ____A (Microsoft Corporation) C:\Users\Owner\Downloads\Silverlight(2).exe
    2012-08-13 09:53 - 2012-08-13 09:54 - 06955968 ____A (Microsoft Corporation) C:\Users\Owner\Downloads\Silverlight(1).exe
    2012-08-11 08:45 - 2012-08-11 08:45 - 00069120 ____A C:\Users\Owner\Desktop\OWS.wps
    2012-08-10 16:40 - 2012-08-10 17:00 - 00000000 ____A C:\Users\Owner\Downloads\X17-75058.exe.partial
    2012-08-10 16:40 - 2012-08-10 16:40 - 00000000 ____D C:\Users\Owner\Local Settings\MicrosoftStore
    2012-08-10 16:40 - 2012-08-10 16:40 - 00000000 ____D C:\Users\Owner\Local Settings\Application Data\MicrosoftStore
    2012-08-10 16:40 - 2012-08-10 16:40 - 00000000 ____D C:\Users\Owner\AppData\Local\MicrosoftStore
    2012-08-10 16:22 - 2012-08-10 16:22 - 02574064 ____A (Solid State Networks) C:\Users\Owner\Downloads\027c247eb22944438a2bba93c8d9a44a_Pod023_en-US.exe
    2012-08-09 07:53 - 2012-08-09 07:53 - 00025088 ____A C:\Users\Owner\Downloads\myresume3.doc.wps
    2012-08-06 10:16 - 2012-08-06 10:16 - 00010368 ____A C:\Users\Owner\CheckInfo.aspx.htm
    2012-08-06 10:16 - 2012-08-06 10:16 - 00000000 ____D C:\Users\Owner\CheckInfo.aspx_files
    2012-07-29 17:33 - 2012-07-29 17:33 - 15267728 ____A (Google Inc.) C:\Users\Owner\Downloads\picasa39-setup.exe
    2012-07-29 17:24 - 2012-08-15 18:25 - 00000000 ____D C:\Users\Owner\Desktop\rganizing with Shaunie
    2012-07-26 06:55 - 2012-07-29 18:39 - 00000000 ____D C:\Users\Owner\Desktop\St AgnesAgreementConfirmation_files
    2012-07-26 06:55 - 2012-07-26 06:55 - 00064093 ____A C:\Users\Owner\Desktop\St AgnesAgreementConfirmation.aspx
    2012-07-18 12:17 - 2012-07-18 12:17 - 00007418 ____A C:\Users\Owner\Desktop\BBB.htm
    2012-07-18 12:17 - 2012-07-18 12:17 - 00000000 ____D C:\Users\Owner\Desktop\BBB_files

    ============ 3 Months Modified Files ========================

    2012-08-17 17:37 - 2006-11-02 02:22 - 50593792 ____A C:\Windows\System32\config\software_previous
    2012-08-17 17:37 - 2006-11-02 02:22 - 23330816 ____A C:\Windows\System32\config\system_previous
    2012-08-17 17:32 - 2006-11-02 02:22 - 36175872 ____A C:\Windows\System32\config\components_previous
    2012-08-17 17:32 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\sam_previous
    2012-08-17 13:21 - 2006-11-02 02:22 - 00524288 ____A C:\Windows\System32\config\default_previous
    2012-08-17 13:21 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\security_previous
    2012-08-17 13:17 - 2012-08-13 15:46 - 00002016 ____A C:\Windows\setupact.log
    2012-08-17 12:49 - 2012-08-17 12:48 - 00016222 ____A C:\Users\Owner\Downloads\FRST.txt
    2012-08-17 11:16 - 2007-09-19 19:39 - 01800369 ____A C:\Windows\WindowsUpdate.log
    2012-08-17 09:37 - 2007-07-05 08:32 - 00000149 ____A C:\Users\Public\Documents\hpqp.ini
    2012-08-17 09:37 - 2007-07-05 08:32 - 00000149 ____A C:\Users\All Users\Documents\hpqp.ini
    2012-08-17 09:35 - 2011-12-18 00:38 - 00000378 ____A C:\Windows\Tasks\FreeFileViewerUpdateChecker.job
    2012-08-17 09:34 - 2006-11-02 04:58 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-17 09:34 - 2006-11-02 04:45 - 00003296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-17 09:34 - 2006-11-02 04:45 - 00003296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-17 09:25 - 2006-11-02 04:58 - 00032586 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-08-16 20:41 - 2012-08-16 15:44 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-16 19:34 - 2012-08-15 16:30 - 00001075 ____A C:\Users\Public\Desktop\Panda Cloud Cleaner.lnk
    2012-08-16 19:34 - 2012-08-15 16:30 - 00001075 ____A C:\Users\All Users\Desktop\Panda Cloud Cleaner.lnk
    2012-08-16 18:41 - 2012-08-16 15:44 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-08-16 18:41 - 2012-03-11 18:33 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-08-16 18:34 - 2012-08-16 18:34 - 04299144 ____A (McAfee, Inc.) C:\Users\Owner\Downloads\McAfeeSetup(2).exe
    2012-08-16 17:54 - 2012-08-16 17:54 - 04299144 ____A (McAfee, Inc.) C:\Users\Owner\Downloads\McAfeeSetup(1).exe
    2012-08-16 17:21 - 2007-07-05 08:16 - 00144284 ____A C:\Windows\PFRO.log
    2012-08-16 15:46 - 2012-08-16 15:46 - 04299144 ____A (McAfee, Inc.) C:\Users\Owner\Downloads\McAfeeSetup.exe
    2012-08-16 15:32 - 2007-12-25 03:07 - 00000680 ____A C:\Users\Owner\Local Settings\d3d9caps.dat
    2012-08-16 15:32 - 2007-12-25 03:07 - 00000680 ____A C:\Users\Owner\Local Settings\Application Data\d3d9caps.dat
    2012-08-16 15:32 - 2007-12-25 03:07 - 00000680 ____A C:\Users\Owner\AppData\Local\d3d9caps.dat
    2012-08-16 14:07 - 2012-08-16 14:07 - 04299144 ____A (McAfee, Inc.) C:\Users\Owner\Desktop\McAfeeSetup.exe
    2012-08-15 16:28 - 2012-08-15 16:28 - 19526944 ____A (Panda Security ) C:\Users\Owner\Downloads\PandaCloudCleaner.exe
    2012-08-15 08:21 - 2012-08-15 08:22 - 00472808 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
    2012-08-15 08:21 - 2012-08-15 08:22 - 00153376 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
    2012-08-15 08:21 - 2012-08-15 08:22 - 00145184 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
    2012-08-15 08:21 - 2012-08-15 08:22 - 00145184 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
    2012-08-15 08:06 - 2012-08-15 08:06 - 00000000 ____A C:\Users\Owner\Downloads\jre-6u22-windows-i586-s.exe
    2012-08-15 06:52 - 2010-10-27 18:18 - 00002300 ____A C:\Users\Owner\Application Data\wklnhst.dat
    2012-08-15 06:52 - 2010-10-27 18:18 - 00002300 ____A C:\Users\Owner\AppData\Roaming\wklnhst.dat
    2012-08-13 15:59 - 2012-08-13 15:58 - 77251480 ____A (Apple Inc.) C:\Users\Owner\Downloads\iTunesSetup(1).exe
    2012-08-13 15:46 - 2012-08-13 15:46 - 00000000 ____A C:\Windows\setuperr.log
    2012-08-13 09:57 - 2012-08-13 09:57 - 06955968 ____A (Microsoft Corporation) C:\Users\Owner\Downloads\Silverlight(2).exe
    2012-08-13 09:54 - 2012-08-13 09:53 - 06955968 ____A (Microsoft Corporation) C:\Users\Owner\Downloads\Silverlight(1).exe
    2012-08-11 08:45 - 2012-08-11 08:45 - 00069120 ____A C:\Users\Owner\Desktop\OWS.wps
    2012-08-10 17:00 - 2012-08-10 16:40 - 00000000 ____A C:\Users\Owner\Downloads\X17-75058.exe.partial
    2012-08-10 16:22 - 2012-08-10 16:22 - 02574064 ____A (Solid State Networks) C:\Users\Owner\Downloads\027c247eb22944438a2bba93c8d9a44a_Pod023_en-US.exe
    2012-08-09 07:53 - 2012-08-09 07:53 - 00025088 ____A C:\Users\Owner\Downloads\myresume3.doc.wps
    2012-08-06 10:16 - 2012-08-06 10:16 - 00010368 ____A C:\Users\Owner\CheckInfo.aspx.htm
    2012-08-02 09:23 - 2006-11-02 02:33 - 00704254 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-29 17:33 - 2012-07-29 17:33 - 15267728 ____A (Google Inc.) C:\Users\Owner\Downloads\picasa39-setup.exe
    2012-07-29 12:32 - 2007-12-27 23:31 - 00000322 ____A C:\Windows\Tasks\HPCeeScheduleForOwner.job
    2012-07-26 06:55 - 2012-07-26 06:55 - 00064093 ____A C:\Users\Owner\Desktop\St AgnesAgreementConfirmation.aspx
    2012-07-18 17:36 - 2012-05-04 17:18 - 00025088 ____A C:\Users\Owner\Downloads\Shauntrice%20Coleman%20resume.wps
    2012-07-18 12:17 - 2012-07-18 12:17 - 00007418 ____A C:\Users\Owner\Desktop\BBB.htm
    2012-07-11 23:02 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-07-05 08:28 - 2012-07-05 08:28 - 00007609 ____A C:\Users\Owner\Desktop\report.htm
    2012-07-04 08:54 - 2012-07-04 08:52 - 00000000 ____A C:\Users\Owner\Downloads\DesktopUploader1.1.0.0(1).exe
    2012-07-04 08:43 - 2012-07-04 08:40 - 01857072 ____A C:\Users\Owner\Downloads\DesktopUploader1.1.0.0.exe
    2012-07-04 08:17 - 2007-12-01 15:15 - 00090448 ____A C:\Users\Owner\Local Settings\GDIPFONTCACHEV1.DAT
    2012-07-04 08:17 - 2007-12-01 15:15 - 00090448 ____A C:\Users\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2012-07-04 08:17 - 2007-12-01 15:15 - 00090448 ____A C:\Users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-07-04 08:12 - 2006-11-02 04:44 - 00351744 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-04 07:37 - 2012-07-04 07:37 - 04285248 ____A (McAfee, Inc.) C:\Users\Guest\Downloads\McAfeeSetup.exe
    2012-06-26 18:14 - 2012-06-26 18:14 - 04472832 ____A (Google Inc.) C:\Windows\System32\GPhotos.scr
    2012-06-13 09:24 - 2012-06-13 09:24 - 00525465 ____A C:\Users\Owner\Downloads\taxReturn.tax2011
    2012-05-31 08:25 - 2009-10-02 19:22 - 00237072 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2012-05-30 06:38 - 2007-07-05 08:29 - 00035740 ____A C:\Windows\DPINST.LOG
    2012-05-30 06:29 - 2012-05-30 06:25 - 10249568 ____A (LeapFrog Enterprises, Inc.) C:\Users\Owner\Downloads\LeapFrogConnectSetup_LeapPadExplorer.exe
    2012-05-25 13:13 - 2012-08-16 18:03 - 00151912 ____A (McAfee, Inc.) C:\Windows\System32\mfevtps.exe.c3ff.deleteme
    2012-05-25 13:13 - 2012-08-16 18:03 - 00151912 ____A (McAfee, Inc.) C:\Windows\System32\mfevtps.exe
    2012-05-20 16:21 - 2012-05-20 16:21 - 00035328 ____A C:\Users\Owner\My Documents\COREY DAVIS RESUME.wps
    2012-05-20 16:21 - 2012-05-20 16:21 - 00035328 ____A C:\Users\Owner\Documents\COREY DAVIS RESUME.wps
    2012-05-20 10:41 - 2007-12-26 19:54 - 00000846 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
    2012-05-20 10:41 - 2007-12-26 19:54 - 00000846 ____A C:\Users\All Users\Desktop\Mozilla Firefox.lnk
    2012-05-20 10:21 - 2012-05-20 10:19 - 00000000 ____A C:\Users\Owner\Downloads\Firefox Setup 12.0.exe


    ZeroAccess:
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\n
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L\00000004.@
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L\201d3dde
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000004.@
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000008.@
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\000000cb.@
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\80000000.@
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\80000032.@

    ZeroAccess:
    C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
    C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
    C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
    C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U
    C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L\00000004.@
    C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000004.@
    C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000008.@
    C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\000000cb.@
    C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\80000000.@
    C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\80000032.@

    ZeroAccess:
    C:\Windows\assembly\GAC\Desktop.ini

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 5DC3C54FC22BBB6F66C290C7C0384DF9 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 43%
    Total physical RAM: 1013.41 MB
    Available physical RAM: 569.59 MB
    Total Pagefile: 778.55 MB
    Available Pagefile: 638.62 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1990.14 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:66.85 GB) (Free:16.46 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (PRESARIO_RP) (Fixed) (Total:7.68 GB) (Free:1.77 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    4 Drive f: () (Removable) (Total:3.73 GB) (Free:0 GB) FAT32
    5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ###  Status      Size     Free     Dyn  Gpt
    --------  ----------  -------  -------  ---  ---
    Disk 0    Online      75 GB    1528 KB
    Disk 1    Online      3824 MB  0 B

    Partitions of Disk 0:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary           67 GB    32 KB
    Partition 2    Primary           7860 MB  67 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
    ----------  ---  -----------  -----  ----------  -------  -------  --------
    * Volume 2  C                 NTFS   Partition   67 GB    Healthy

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
    ----------  ---  -----------  -----  ----------  -------  -------  --------
    * Volume 1  D    PRESARIO_RP  NTFS   Partition   7860 MB  Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    * Partition 1  Primary           3824 MB  0 B

    ==================================================================================

    Disk: 1
    There is no partition selected.

    There is no partition selected.
    Please select a partition and try again.

    ==================================================================================

    Last Boot: 2012-08-17 12:48

    ======================= End Of Log ==========================




    SERVICES.TXT

    Farbar Recovery Scan Tool Version: 15-08-2012
    Ran by SYSTEM at 2012-08-17 17:44:46
    Running from F:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
    [2008-05-30 14:24] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
    [2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

    C:\Windows\System32\services.exe
    [2008-05-30 14:24] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 5DC3C54FC22BBB6F66C290C7C0384DF9

    C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
    [2009-09-23 15:11] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    === End Of Search ===
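The services.exe search above shows why FRST flagged the file: the System32 copy has the same size (279040 bytes) and the same created/modified stamps as the 6.0.6001.18000 WinSxS copy, but a different MD5, and the Fixlog later in this thread restores exactly that WinSxS copy. The Python below is an added example, not FRST's own code and not anything posted in the thread. It automates two checks over FRST log text: the hash-versus-component-store comparison, and the ZeroAccess directory signature ({GUID}\@, \U, \L, \n, plus the GAC Desktop.ini) that FRST listed. The search excerpt and the paths it runs on are taken from the log above (benign paths from the same log are mixed in as negatives); the regular expressions are my approximation of FRST's output format, not its parser.

```python
"""Offline checks over FRST log text (added example; not FRST code).

1. find_patched_system_files(): a live system file whose MD5 differs from a
   WinSxS copy with identical size and timestamps was changed in place with
   its metadata preserved, which is the signal FRST reported for services.exe.
2. zeroaccess_roots(): the {GUID}\\@ , \\U, \\L, \\n layout under
   Windows\\Installer or AppData\\Local, and Windows\\assembly\\GAC\\Desktop.ini.
Sample input below is excerpted from the log posted above.
"""
import re

SEARCH_EXCERPT = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-05-30 14:24] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

C:\Windows\System32\services.exe
[2008-05-30 14:24] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 5DC3C54FC22BBB6F66C290C7C0384DF9

=== End Of Search ===
"""

# Paths from the "ZeroAccess:" sections above, plus two benign ones from the same log.
SAMPLE_PATHS = [
    r"C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\80000032.@",
    r"C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\n",
    r"C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@",
    r"C:\Windows\assembly\GAC\Desktop.ini",
    r"C:\Users\Owner\AppData\Local\Macromedia",          # benign
    r"C:\Program Files\Microsoft Security Client",       # benign
]

PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Detail line FRST prints under each hit (my reading of the format):
# [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_search(text):
    """Pair each path line with the detail line that follows it."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries = []
    for i in range(len(lines) - 1):
        if PATH_RE.match(lines[i]):
            m = DETAIL_RE.match(lines[i + 1])
            if m:
                entries.append({"path": lines[i], "size": int(m["size"]),
                                "created": m["created"], "modified": m["modified"],
                                "md5": m["md5"].upper()})
    return entries


def find_patched_system_files(entries):
    """Flag a live copy (outside WinSxS) whose MD5 differs from a WinSxS copy with
    the same size and the same created/modified stamps. A live file with no such
    twin is not checkable this way; that is not evidence it is clean."""
    store = [e for e in entries if "\\winsxs\\" in e["path"].lower()]
    live = [e for e in entries if "\\winsxs\\" not in e["path"].lower()]
    findings = []
    for e in live:
        key = (e["size"], e["created"], e["modified"])
        for s in store:
            if (s["size"], s["created"], s["modified"]) == key and s["md5"] != e["md5"]:
                findings.append({"path": e["path"], "live_md5": e["md5"],
                                 "store_md5": s["md5"], "restore_from": s["path"]})
    return findings


GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
# GUID-named folder under Windows\Installer or a user's AppData\Local whose direct
# child is "@", "U", "L" or "n". Legitimate MSI cache folders hold named files, not
# single-character entries, so the child name is what carries the signal.
ZA_ROOT_RE = re.compile(
    r"^(?P<root>[a-z]:\\(?:windows\\installer|users\\[^\\]+\\appdata\\local)\\"
    + GUID + r")\\[@nul](?:\\|$)", re.I)
ZA_GAC_RE = re.compile(r"^[a-z]:\\windows\\assembly\\gac\\desktop\.ini$", re.I)


def zeroaccess_roots(paths):
    """Return the distinct ZeroAccess roots found among the given paths, sorted."""
    roots = set()
    for p in (p.strip() for p in paths):
        m = ZA_ROOT_RE.match(p)
        if m:
            roots.add(m["root"])
        elif ZA_GAC_RE.match(p):
            roots.add(p)
    return sorted(roots)


def report(search_text=SEARCH_EXCERPT, paths=SAMPLE_PATHS):
    return {"patched": find_patched_system_files(parse_search(search_text)),
            "zeroaccess_roots": zeroaccess_roots(paths)}


if __name__ == "__main__":
    r = report()
    for f in r["patched"]:
        print(f"PATCHED {f['path']}: {f['live_md5']} != store {f['store_md5']}; "
              f"restore from {f['restore_from']}")
    for root in r["zeroaccess_roots"]:
        print("ZEROACCESS", root)
```

On this log the hash check names the same WinSxS path the Fixlog later copies back over System32, and the path check returns the two GUID roots plus the GAC Desktop.ini. Only FRST's own whitelist can say a hash is "legit"; the comparison here only tells you the live binary no longer matches the servicing copy it was installed from.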
     
  8. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Well done :)

    Download the attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Next...

    Restart normally.

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled, as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done, Notepad will open with the rKill.txt log.
    NOTE. The rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If you had to run rKill, post BOTH logs, rKill.txt and Combofix.txt.
     


  9. Shaunie

    Shaunie TS Rookie Topic Starter

    When I get to install ComboFix, an error comes up and says "error opening file for writing: c:\32788r22..... Click abort to stop, retry to try again, or ignore." I tried to install it again but it never gets past this.
     
  10. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    I still need Fixlog.txt log.

    Delete your Combofix file, download a fresh one and try again.
    If still some problem...

     
  11. Shaunie

    Shaunie TS Rookie Topic Starter

    Here is my fix log.

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 15-08-2012
    Ran by SYSTEM at 2012-08-17 18:35:32 Run:1
    Running from F:\

    ==============================================

    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    C:\Windows\System32\consrv.dll not found.
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} moved successfully.
    C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} moved successfully.
    C:\Windows\assembly\GAC\Desktop.ini moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    This topic is marked as abandoned and closed due to inactivity.
    This member will NOT be eligible to receive any more help in malware removal forum.
     