TechSpot

[A] New help repairing computer with Sirefef infection and restarts

Inactive
By Joseph Rapley
Oct 13, 2012
  1. Hi

    Looks like this is the place to come for help with this annoying problem.

    I hadn't used the computer for a while, and after using it for a few hours I noticed that the virus protection (MS Security Essentials) was not functioning well, so I tried to reinstall it. After doing so it detected infected services.exe files and tried to clean them, but then the computer started rebooting with the 'Windows has encountered problem...' error.

    I have downloaded FRST64.EXE and have pasted the FRST.TXT contents below. I'm not able to complete a file search before Windows restarts.

    Help with this problem would be greatly appreciated.

    Thank you in advance for any assistance.

    Joseph

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 12-10-2012
    Ran by joe at 13-10-2012 18:32:42
    Running from C:\Users\joe\Desktop
    Service Pack 1 (X64) OS Language: English(US)
    Attention: Could not load system hive.ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.


    ==================== One Month Created Files and Folders ========

    2012-10-13 18:33 - 2012-10-13 18:33 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\bedjzlli.sys
    2012-10-13 18:29 - 2012-10-13 18:32 - 00000000 ____D C:\FRST
    2012-10-13 18:29 - 2012-10-13 18:29 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.17627B7B2776FEC4
    2012-10-13 18:29 - 2012-10-13 18:29 - 00004096 ___AH C:\Users\joe\Desktop\._FRST64.exe
    2012-10-13 18:29 - 2012-10-13 18:28 - 01456821 ____A (Farbar) C:\Users\joe\Desktop\FRST64.exe
    2012-10-13 18:26 - 2012-10-13 18:26 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.9341647272B507BE
    2012-10-13 18:23 - 2012-10-13 18:23 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C37E765747901CC7
    2012-10-13 18:19 - 2012-10-13 18:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.60A7E533FFC9EA34
    2012-10-13 18:18 - 2012-10-13 18:19 - 00000025 ____A C:\Users\joe\Desktop\stop shutdown.bat
    2012-10-13 18:16 - 2012-10-13 18:16 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2D92A35D1EF713FB
    2012-10-13 18:13 - 2012-10-13 18:13 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1898A60DE2614A51
    2012-10-13 18:09 - 2012-10-13 18:09 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.05ECC41AD079FFDD
    2012-10-13 18:06 - 2012-10-13 18:06 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E07BD0F351D4B89C
    2012-10-13 18:06 - 2012-10-13 18:06 - 00000000 ___SD C:\32788R22FWJFW
    2012-10-13 18:06 - 2012-10-13 18:06 - 00000000 ____D C:\Windows\erdnt
    2012-10-13 18:05 - 2012-10-13 18:05 - 04771502 ____R (Swearware) C:\Users\joe\Desktop\ComboFix.exe
    2012-10-13 18:05 - 2012-10-13 18:05 - 00004096 ___AH C:\Users\joe\Desktop\._ComboFix.exe
    2012-10-13 17:54 - 2012-10-13 17:54 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.17D124396AE4C9A4
    2012-10-12 21:56 - 2012-10-12 21:56 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.71C7F78B5F41D819
    2012-10-12 21:46 - 2012-10-12 21:46 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.608850FFB1802BB4
    2012-10-12 20:03 - 2012-10-12 20:57 - 00000000 ____D C:\Users\joe\Desktop\The.Walking.Dead.Episode.3-RELOADED
    2012-10-12 20:03 - 2012-10-12 20:03 - 00043884 ____A C:\Users\joe\Downloads\[kat.ph]the.walking.dead.episode.3.reloaded.torrent
    2012-10-12 20:03 - 2012-10-12 20:03 - 00043884 ____A C:\Users\joe\Downloads\[kat.ph]the.walking.dead.episode.3.reloaded (1).torrent

    ==================== 3 Months Modified Files ==================

    2012-10-13 18:34 - 2010-12-05 22:16 - 00000408 _RASH C:\Users\All Users\ntuser.pol
    2012-10-13 18:33 - 2012-10-13 18:33 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\bedjzlli.sys
    2012-10-13 18:31 - 2011-04-26 11:04 - 00037874 ____A C:\Windows\setupact.log
    2012-10-13 18:31 - 2009-07-14 06:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-10-13 18:29 - 2012-10-13 18:29 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.17627B7B2776FEC4
    2012-10-13 18:29 - 2012-10-13 18:29 - 00004096 ___AH C:\Users\joe\Desktop\._FRST64.exe
    2012-10-13 18:29 - 2011-04-10 20:42 - 00021508 ____A C:\.DS_Store
    2012-10-13 18:29 - 2010-10-28 19:24 - 01431865 ____A C:\Windows\WindowsUpdate.log
    2012-10-13 18:28 - 2012-10-13 18:29 - 01456821 ____A (Farbar) C:\Users\joe\Desktop\FRST64.exe
    2012-10-13 18:26 - 2012-10-13 18:26 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.9341647272B507BE
    2012-10-13 18:23 - 2012-10-13 18:23 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C37E765747901CC7
    2012-10-13 18:19 - 2012-10-13 18:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.60A7E533FFC9EA34
    2012-10-13 18:19 - 2012-10-13 18:18 - 00000025 ____A C:\Users\joe\Desktop\stop shutdown.bat
    2012-10-13 18:16 - 2012-10-13 18:16 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2D92A35D1EF713FB
    2012-10-13 18:13 - 2012-10-13 18:13 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1898A60DE2614A51
    2012-10-13 18:09 - 2012-10-13 18:09 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.05ECC41AD079FFDD
    2012-10-13 18:06 - 2012-10-13 18:06 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E07BD0F351D4B89C
    2012-10-13 18:05 - 2012-10-13 18:05 - 04771502 ____R (Swearware) C:\Users\joe\Desktop\ComboFix.exe
    2012-10-13 18:05 - 2012-10-13 18:05 - 00004096 ___AH C:\Users\joe\Desktop\._ComboFix.exe
    2012-10-13 18:05 - 2010-10-29 16:59 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1328558-2458857526-3040891912-1000UA.job
    2012-10-13 17:54 - 2012-10-13 17:54 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.17D124396AE4C9A4
    2012-10-13 17:53 - 2009-07-14 05:45 - 00020672 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-10-13 17:53 - 2009-07-14 05:45 - 00020672 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-10-13 17:48 - 2009-07-14 00:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-10-12 21:56 - 2012-10-12 21:56 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.71C7F78B5F41D819
    2012-10-12 21:55 - 2010-11-19 00:21 - 00822784 __ASH C:\Users\joe\Desktop\Thumbs.db
    2012-10-12 21:46 - 2012-10-12 21:46 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.608850FFB1802BB4
    2012-10-12 21:44 - 2011-01-23 06:48 - 00002155 ____A C:\Windows\epplauncher.mif
    2012-10-12 20:05 - 2010-10-29 16:59 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1328558-2458857526-3040891912-1000Core.job
    2012-10-12 20:04 - 2009-07-14 06:13 - 00967472 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-10-12 20:03 - 2012-10-12 20:03 - 00043884 ____A C:\Users\joe\Downloads\[kat.ph]the.walking.dead.episode.3.reloaded.torrent
    2012-10-12 20:03 - 2012-10-12 20:03 - 00043884 ____A C:\Users\joe\Downloads\[kat.ph]the.walking.dead.episode.3.reloaded (1).torrent
    2012-08-30 22:03 - 2012-08-30 22:03 - 00228768 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
    2012-08-30 22:03 - 2010-10-24 09:25 - 00128456 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
    2012-07-22 21:20 - 2012-07-22 21:03 - 00000044 ____A C:\Users\joe\Desktop\New Text Document.txt
    2012-07-22 14:22 - 2010-11-17 16:16 - 00002034 ___AH C:\Users\joe\Documents\Default.rdp

    ZeroAccess:
    C:\Windows\Installer\{0b57f992-415d-77db-3088-8f653b0e3437}
    C:\Windows\Installer\{0b57f992-415d-77db-3088-8f653b0e3437}\@
    C:\Windows\Installer\{0b57f992-415d-77db-3088-8f653b0e3437}\L
    C:\Windows\Installer\{0b57f992-415d-77db-3088-8f653b0e3437}\n
    C:\Windows\Installer\{0b57f992-415d-77db-3088-8f653b0e3437}\U
    C:\Windows\Installer\{0b57f992-415d-77db-3088-8f653b0e3437}\U\00000001.@
    C:\Windows\Installer\{0b57f992-415d-77db-3088-8f653b0e3437}\U\800000cb.@

    ZeroAccess:
    C:\Users\joe\AppData\Local\{0b57f992-415d-77db-3088-8f653b0e3437}
    C:\Users\joe\AppData\Local\{0b57f992-415d-77db-3088-8f653b0e3437}\@
    C:\Users\joe\AppData\Local\{0b57f992-415d-77db-3088-8f653b0e3437}\L
    C:\Users\joe\AppData\Local\{0b57f992-415d-77db-3088-8f653b0e3437}\U
    C:\Users\joe\AppData\Local\{0b57f992-415d-77db-3088-8f653b0e3437}\U\00000001.@
    C:\Users\joe\AppData\Local\{0b57f992-415d-77db-3088-8f653b0e3437}\U\80000000.@
    C:\Users\joe\AppData\Local\{0b57f992-415d-77db-3088-8f653b0e3437}\U\800000cb.@

    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== Restore Points =========================


    ==================== Memory info ===========================

    Percentage of memory in use: 25%
    Total physical RAM: 4095.55 MB
    Available physical RAM: 3038.16 MB
    Total Pagefile: 8189.3 MB
    Available Pagefile: 6940.78 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ==================== Partitions =============================

    2 Drive c: (BOOTCAMP) (Fixed) (Total:447.03 GB) (Free:35.89 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

    DiskPart has encountered an error: The RPC server is unavailable.
    See the System Event Log for more information.


    Last Boot: 2012-10-12 20:27

    ==================== End Of Log =============================
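As an added example (not code from the thread, from FRST or from its author), here is a small Python triage script that reads an FRST.txt like the one above and pulls out what the log itself already flags: the "not run from recovery environment" warning, the services.exe.<hex> copies accumulating in System32 a few minutes apart, the paths under each "ZeroAccess:" block, and the patched services.exe from the MD5 check. The embedded log is a constructed excerpt of the posted one (same paths and hash), and the function names are my own.

```python
import re
from datetime import datetime

# Constructed excerpt of the FRST.txt posted above (subset of lines, same paths
# and hash values); FRST writes file entries newest-first, as here.
SAMPLE_LOG = r"""
Attention: Could not load system hive.ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.

==================== One Month Created Files and Folders ========

2012-10-13 18:29 - 2012-10-13 18:32 - 00000000 ____D C:\FRST
2012-10-13 18:26 - 2012-10-13 18:26 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.9341647272B507BE
2012-10-13 18:16 - 2012-10-13 18:16 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2D92A35D1EF713FB
2012-10-13 18:06 - 2012-10-13 18:06 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E07BD0F351D4B89C

ZeroAccess:
C:\Windows\Installer\{0b57f992-415d-77db-3088-8f653b0e3437}
C:\Windows\Installer\{0b57f992-415d-77db-3088-8f653b0e3437}\@
C:\Windows\Installer\{0b57f992-415d-77db-3088-8f653b0e3437}\U
C:\Windows\Installer\{0b57f992-415d-77db-3088-8f653b0e3437}\U\00000001.@

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
"""

# A file/folder entry: "<timestamp> - <timestamp> - <size> <attrs> [(<company>)] <path>"
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)
# services.exe plus a 16-hex-digit suffix: the renamed copies piling up in System32.
SERVICES_COPY_RE = re.compile(r"\\services\.exe\.[0-9A-F]{16}$", re.IGNORECASE)
# The line FRST's MD5 check emits for a patched system binary.
ATTENTION_RE = re.compile(
    r"^(?P<path>\S+) (?P<md5>[0-9A-Fa-f]{32}) (?P<label>\S+) <==== ATTENTION"
)
NOT_RECOVERY_MARKER = "NOT RUN FROM RECOVERY ENVIRONMENT"


def triage_frst_log(text):
    """Extract the indicators a helper looks for in an FRST.txt (hypothetical helper)."""
    findings = {
        "ran_from_windows": False,  # scan taken inside the infected OS, so incomplete
        "services_copies": [],      # (timestamp, path) of services.exe.<hex> files
        "zeroaccess_paths": [],     # every path listed under a "ZeroAccess:" block
        "patched_binaries": [],     # (path, md5, label) from the Bamital/volsnap check
    }
    in_zeroaccess_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):   # blank line or section header ends a block
            in_zeroaccess_block = False
            continue
        if NOT_RECOVERY_MARKER in line:
            findings["ran_from_windows"] = True
            continue
        if line == "ZeroAccess:":
            in_zeroaccess_block = True
            continue
        if in_zeroaccess_block:
            findings["zeroaccess_paths"].append(line)
            continue
        m = ATTENTION_RE.match(line)
        if m:
            findings["patched_binaries"].append((m["path"], m["md5"].upper(), m["label"]))
            continue
        m = ENTRY_RE.match(line)
        if m and SERVICES_COPY_RE.search(m["path"]):
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M")
            findings["services_copies"].append((ts, m["path"]))
    findings["services_copies"].sort()   # oldest first, so the interval below is meaningful
    return findings


def services_copy_interval_minutes(findings):
    """Average minutes between successive services.exe copies (0.0 if fewer than two)."""
    stamps = [ts for ts, _ in findings["services_copies"]]
    if len(stamps) < 2:
        return 0.0
    return (stamps[-1] - stamps[0]).total_seconds() / 60 / (len(stamps) - 1)


def summarize(findings):
    """One plain-language note per finding, in the order a helper would read them."""
    notes = []
    if findings["ran_from_windows"]:
        notes.append("log taken inside Windows; rerun FRST from System Recovery Options")
    for path, md5, label in findings["patched_binaries"]:
        notes.append(f"{path} is patched ({label}, MD5 {md5})")
    if findings["zeroaccess_paths"]:
        notes.append(f"{len(findings['zeroaccess_paths'])} paths listed under ZeroAccess:")
    if findings["services_copies"]:
        notes.append(f"{len(findings['services_copies'])} services.exe copies, "
                     f"about {services_copy_interval_minutes(findings):.0f} min apart")
    return notes


if __name__ == "__main__":
    for note in summarize(triage_frst_log(SAMPLE_LOG)):
        print("-", note)
```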
     
  2. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    Welcome aboard

    Please, observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==================================

    You ran the tool from within Windows.
    That's not the correct way to do it.

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flash drive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    Next...

    Re-run FRST again.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes in your reply.

    I'll expect two logs:
    - FRST.txt
    - Search.txt
     
  3. Joseph Rapley

    Joseph Rapley TS Rookie Topic Starter

    Hi, thanks for the quick reply. I have run FRST64.exe in System Recovery and posted the information below.

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 12-10-2012
    Ran by SYSTEM at 14-10-2012 12:44:47
    Running from E:\
    Windows 7 Ultimate (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2417032 2011-07-31] (Microsoft Corporation)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
    HKLM\...\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun [825184 2009-09-30] (Microsoft Corporation)
    HKLM-x32\...\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s [85160 2009-06-17] (Elaborate Bytes AG)
    HKLM-x32\...\Run: [Parallels Tools Center] "C:\Program Files (x86)\Parallels\Parallels Tools\prl_cc.exe" [270088 2011-09-12] (Parallels Holdings, Ltd. and its affiliates.)
    HKLM-x32\...\Run: [TV IR] C:\Program Files (x86)\TV IR\TV IR.exe [1437184 2011-04-13] ()
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
    HKU\joe\...\Run: [Google Update] "C:\Users\joe\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-10-29] (Google Inc.)
    Winlogon\Notify\WB: C:\Program Files (x86)\Stardock\MyColors\fast64.dll [X]
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

    ==================== Services (Whitelisted) ===================

    2 AppleOSSMgr; C:\Windows\system32\AppleOSSMgr.exe [223544 2010-11-10] ()
    4 ForceWare Intelligent Application Manager (IAM); C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe [496232 2010-01-20] ()
    2 Irmon; C:\Windows\System32\irmon.dll [23552 2009-07-13] (Microsoft Corporation)
    4 Mobiola Wave Service; "C:\Program Files (x86)\Common Files\SHAPE Services\Mobiola Wave Service\MobiolaWaveService.exe" [125088 2011-04-10] ()
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)
    2 MSSQL$ACT7; "C:\Program Files\Microsoft SQL Server\MSSQL10_50.ACT7\MSSQL\Binn\sqlservr.exe" -sACT7 [62111072 2011-06-17] (Microsoft Corporation)
    4 NetLogin Helper; "C:\Program Files (x86)\NetLogin\NetLoginService.exe" [69632 2008-02-18] ()
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)
    4 nSvcIp; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe [209000 2010-01-20] ()
    2 Parallels Coherence Service; C:\Program Files (x86)\Parallels\Parallels Tools\Services\coherence.exe [33544 2011-09-12] (Parallels Holdings, Ltd. and its affiliates.)
    2 Parallels Tools Service; C:\Program Files (x86)\Parallels\Parallels Tools\Services\prl_tools_service.exe [260360 2011-09-12] (Parallels Holdings, Ltd. and its affiliates.)
    2 RemoteAccess; C:\Windows\SysWOW64\mprdin.dll [1756160 2012-06-24] ()
    4 Rohos; C:\Program Files (x86)\Rohos\ntserv.exe [71792 2010-09-16] (Tesline-Service SRL)
    4 SQLAgent$ACT7; "C:\Program Files\Microsoft SQL Server\MSSQL10_50.ACT7\MSSQL\Binn\SQLAGENT.EXE" -I ACT7 [431456 2011-06-17] (Microsoft Corporation)
    2 Synergy Server; C:\Program Files\Synergy\synergys.exe [1012224 2011-02-05] ()
    4 VmbService; "C:\Program Files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe" [9216 2010-12-30] (Vodafone)
    4 WindowBlinds; C:\Program Files (x86)\Stardock\MyColors\VistaSrv.exe [337200 2009-06-08] (Stardock Corporation)
    4 Mcx2Svc; C:\Windows\SysWOW64\Mcx2Svc.dll [x]

    ==================== Drivers (Whitelisted) =====================

    3 AF15BDA; C:\Windows\System32\Drivers\AF15BDA.sys [507392 2009-10-27] (ITETech )
    3 btwsecfl; C:\Windows\System32\Drivers\btwsecfl.sys [71720 2009-10-26] (Broadcom Corporation.)
    3 CirrusFilter; C:\Windows\System32\DRIVERS\CS420x64.sys [18432 2010-10-14] (Cirrus Logic)
    2 cpuz134; \??\C:\Windows\system32\drivers\cpuz134_x64.sys [21480 2010-07-08] (Windows (R) Win 7 DDK provider)
    2 irda; C:\Windows\System32\Drivers\irda.sys [120320 2009-07-13] (Microsoft Corporation)
    3 IRRemoteFlt; C:\Windows\System32\DRIVERS\IRFilter.sys [18432 2009-10-15] (Apple Inc.)
    3 lmimirr; C:\Windows\System32\Drivers\lmimirr.sys [11552 2010-09-16] (LogMeIn, Inc.)
    2 LMIRfsDriver; C:\Windows\System32\Drivers\LMIRfsDriver.sys [72216 2010-09-16] (LogMeIn, Inc.)
    3 massfilter; C:\Windows\System32\Drivers\massfilter.sys [11776 2010-12-29] (MBB Incorporated)
    3 mobiolavs; C:\Windows\System32\Drivers\mobiolavs.sys [28304 2011-04-05] (SHAPE Services GmbH)
    3 MOBIOLA_Wave; C:\Windows\System32\drivers\mobiolawave.sys [29120 2011-04-05] (SHAPE Services)
    3 MonitorFunction; C:\Windows\System32\DRIVERS\TVMonitor.sys [16376 2010-11-12] (TeamViewer GmbH)
    3 MungoDriver; C:\Windows\System32\Drivers\MungoDriver.sys [13912 2010-12-17] (Windows (R) Win 7 DDK provider)
    1 prl_boot; C:\Windows\System32\Drivers\prl_boot.sys [45832 2011-09-12] (Parallels Holdings, Ltd. and its affiliates.)
    3 prl_dd; C:\Windows\System32\DRIVERS\prl_kmdd.sys [156424 2011-09-12] (Parallels Holdings, Ltd. and its affiliates.)
    1 prl_fs; C:\Windows\System32\Drivers\prl_fs.sys [196360 2011-09-12] (Parallels Holdings, Ltd. and its affiliates.)
    3 prl_memdev; C:\Windows\System32\Drivers\prl_memdev.sys [19720 2011-09-12] ()
    3 prl_mouf; C:\Windows\System32\Drivers\prl_mouf.sys [19720 2011-09-12] (Parallels Holdings, Ltd. and its affiliates.)
    0 prl_pv64; C:\Windows\System32\Drivers\prl_pv64.sys [100680 2011-11-28] (Parallels Holdings, Ltd. and its affiliates.)
    3 prl_sound; C:\Windows\System32\Drivers\prl_sound.sys [40200 2011-09-12] (Parallels Holdings, Ltd. and its affiliates.)
    0 prl_strg; C:\Windows\System32\Drivers\prl_strg.sys [37640 2011-09-12] (Parallels Holdings, Ltd. and its affiliates.)
    0 prl_tg; C:\Windows\System32\Drivers\prl_tg.sys [26248 2011-09-12] (Parallels Holdings, Ltd. and its affiliates.)
    2 prl_time; C:\Windows\System32\Drivers\prl_time.sys [17160 2011-09-12] (Parallels Holdings, Ltd. and its affiliates.)
    4 RsFx0151; C:\Windows\System32\Drivers\RsFx0151.sys [313696 2011-06-16] (Microsoft Corporation)
    3 RTL2832UBDA; C:\Windows\System32\Drivers\RTL2832UBDA.sys [224488 2010-07-01] (REALTEK SEMICONDUCTOR Corp.)
    3 RTL2832UUSB; C:\Windows\System32\Drivers\RTL2832UUSB.sys [39016 2010-07-01] (REALTEK SEMICONDUCTOR Corp.)
    3 RTL2832U_IRHID; C:\Windows\System32\Drivers\RTL2832U_IRHID.sys [44320 2009-10-05] (Realtek)
    4 sfhlp02; C:\Windows\System32\Drivers\sfhlp02.sys [7168 2005-02-23] (Protection Technology)
    3 SIS163u; C:\Windows\System32\Drivers\SIS163u.sys [271360 2006-12-19] (Silicon Integrated Systems Corp.)
    3 stus2x64; C:\Windows\System32\DRIVERS\stusb2ir.sys [47872 2008-01-02] ()
    2 VBoxDrv; \??\C:\Program Files (x86)\YouWave_Android\vb\VBoxDrv.sys [203864 2010-07-15] (Oracle Corporation)
    4 vcd10bus; C:\Windows\System32\Drivers\vcd10bus.sys [40464 2008-06-16] (H+H Software GmbH)
    3 vodafone_K3805-z_dc_enum; C:\Windows\System32\Drivers\vodafone_K3805-z_dc_enum.sys [75776 2010-08-31] (Vodafone)
    3 ZTEusbnet; C:\Windows\System32\Drivers\ZTEusbnet.sys [135168 2010-12-29] (ZTE Corporation)
    3 ZTEusbvoice; C:\Windows\System32\Drivers\ZTEusbvoice.sys [121344 2010-12-29] (ZTE Incorporated)
    3 ALSysIO; \??\C:\Users\joe\AppData\Local\Temp\ALSysIO64.sys [x]
    3 btaudio; C:\Windows\System32\drivers\btaudio.sys [x]
    3 BTDriver; C:\Windows\System32\DRIVERS\btport.sys [x]
    3 BTWDNDIS; C:\Windows\System32\DRIVERS\btwdndis.sys [x]
    3 btwhid; C:\Windows\System32\DRIVERS\btwhid.sys [x]
    4 DxkgFilter; [x]
    2 LMIInfo; \??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [x]
    4 LMIRfsClientNP; [x]
    3 NVENETFD; C:\Windows\System32\DRIVERS\nvmfdx64.sys [x]
    4 pccsmcfd; C:\Windows\System32\DRIVERS\pccsmcfdx64.sys [x]
    3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [x]
    4 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
    4 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
    4 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]
    4 VMnetAdapter; C:\Windows\System32\DRIVERS\vmnetadapter.sys [x]

    ==================== NetSvcs (Whitelisted) ====================

    NETSVCx32: Mcx2Svc -> C:\Windows\SysWOW64\Mcx2Svc.dll ==> No File.

    ==================== One Month Created Files and Folders ========

    2012-10-13 09:37 - 2012-10-13 09:37 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A1F95B36D2E0EFAC
    2012-10-13 09:34 - 2012-10-13 09:36 - 00000190 ____A C:\Users\joe\Desktop\Search.txt
    2012-10-13 09:34 - 2012-10-13 09:34 - 00009584 ____A C:\Users\joe\Desktop\FRST.txt
    2012-10-13 09:33 - 2012-10-13 09:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.70ECC422571FAB80
    2012-10-13 09:29 - 2012-10-13 09:32 - 00000000 ____D C:\FRST
    2012-10-13 09:29 - 2012-10-13 09:29 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.17627B7B2776FEC4
    2012-10-13 09:29 - 2012-10-13 09:29 - 00004096 ___AH C:\Users\joe\Desktop\._FRST64.exe
    2012-10-13 09:29 - 2012-10-13 09:28 - 01456821 ____A (Farbar) C:\Users\joe\Desktop\FRST64.exe
    2012-10-13 09:26 - 2012-10-13 09:26 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.9341647272B507BE
    2012-10-13 09:23 - 2012-10-13 09:23 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C37E765747901CC7
    2012-10-13 09:19 - 2012-10-13 09:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.60A7E533FFC9EA34
    2012-10-13 09:18 - 2012-10-13 09:19 - 00000025 ____A C:\Users\joe\Desktop\stop shutdown.bat
    2012-10-13 09:16 - 2012-10-13 09:16 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2D92A35D1EF713FB
    2012-10-13 09:13 - 2012-10-13 09:13 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1898A60DE2614A51
    2012-10-13 09:09 - 2012-10-13 09:09 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.05ECC41AD079FFDD
    2012-10-13 09:06 - 2012-10-13 09:06 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E07BD0F351D4B89C
    2012-10-13 09:06 - 2012-10-13 09:06 - 00000000 ___SD C:\32788R22FWJFW
    2012-10-13 09:06 - 2012-10-13 09:06 - 00000000 ____D C:\Windows\erdnt
    2012-10-13 09:05 - 2012-10-13 09:05 - 04771502 ____R (Swearware) C:\Users\joe\Desktop\ComboFix.exe
    2012-10-13 09:05 - 2012-10-13 09:05 - 00004096 ___AH C:\Users\joe\Desktop\._ComboFix.exe
    2012-10-13 08:54 - 2012-10-13 08:54 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.17D124396AE4C9A4
    2012-10-12 12:56 - 2012-10-12 12:56 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.71C7F78B5F41D819
    2012-10-12 12:46 - 2012-10-12 12:46 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.608850FFB1802BB4
    2012-10-12 11:03 - 2012-10-12 11:57 - 00000000 ____D C:\Users\joe\Desktop\The.Walking.Dead.Episode.3-RELOADED
    2012-10-12 11:03 - 2012-10-12 11:03 - 00043884 ____A C:\Users\joe\Downloads\[kat.ph]the.walking.dead.episode.3.reloaded.torrent
    2012-10-12 11:03 - 2012-10-12 11:03 - 00043884 ____A C:\Users\joe\Downloads\[kat.ph]the.walking.dead.episode.3.reloaded (1).torrent

    ==================== 3 Months Modified Files ==================

    2012-10-14 03:35 - 2010-12-05 13:16 - 00000408 _RASH C:\Users\All Users\ntuser.pol
    2012-10-14 03:35 - 2010-10-28 10:24 - 01437770 ____A C:\Windows\WindowsUpdate.log
    2012-10-14 03:35 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-10-14 03:34 - 2011-04-26 02:04 - 00038322 ____A C:\Windows\setupact.log
    2012-10-14 03:34 - 2009-07-13 20:45 - 00020672 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-10-14 03:34 - 2009-07-13 20:45 - 00020672 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-10-13 09:37 - 2012-10-13 09:37 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A1F95B36D2E0EFAC
    2012-10-13 09:36 - 2012-10-13 09:34 - 00000190 ____A C:\Users\joe\Desktop\Search.txt
    2012-10-13 09:34 - 2012-10-13 09:34 - 00009584 ____A C:\Users\joe\Desktop\FRST.txt
    2012-10-13 09:33 - 2012-10-13 09:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.70ECC422571FAB80
    2012-10-13 09:29 - 2012-10-13 09:29 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.17627B7B2776FEC4
    2012-10-13 09:29 - 2012-10-13 09:29 - 00004096 ___AH C:\Users\joe\Desktop\._FRST64.exe
    2012-10-13 09:29 - 2011-04-10 11:42 - 00021508 ____A C:\.DS_Store
    2012-10-13 09:28 - 2012-10-13 09:29 - 01456821 ____A (Farbar) C:\Users\joe\Desktop\FRST64.exe
    2012-10-13 09:26 - 2012-10-13 09:26 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.9341647272B507BE
    2012-10-13 09:23 - 2012-10-13 09:23 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C37E765747901CC7
    2012-10-13 09:19 - 2012-10-13 09:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.60A7E533FFC9EA34
    2012-10-13 09:19 - 2012-10-13 09:18 - 00000025 ____A C:\Users\joe\Desktop\stop shutdown.bat
    2012-10-13 09:16 - 2012-10-13 09:16 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2D92A35D1EF713FB
    2012-10-13 09:13 - 2012-10-13 09:13 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1898A60DE2614A51
    2012-10-13 09:09 - 2012-10-13 09:09 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.05ECC41AD079FFDD
    2012-10-13 09:06 - 2012-10-13 09:06 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E07BD0F351D4B89C
    2012-10-13 09:05 - 2012-10-13 09:05 - 04771502 ____R (Swearware) C:\Users\joe\Desktop\ComboFix.exe
    2012-10-13 09:05 - 2012-10-13 09:05 - 00004096 ___AH C:\Users\joe\Desktop\._ComboFix.exe
    2012-10-13 09:05 - 2010-10-29 07:59 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1328558-2458857526-3040891912-1000UA.job
    2012-10-13 08:54 - 2012-10-13 08:54 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.17D124396AE4C9A4
    2012-10-13 08:48 - 2009-07-13 15:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-10-12 12:56 - 2012-10-12 12:56 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.71C7F78B5F41D819
    2012-10-12 12:55 - 2010-11-18 15:21 - 00822784 __ASH C:\Users\joe\Desktop\Thumbs.db
    2012-10-12 12:46 - 2012-10-12 12:46 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.608850FFB1802BB4
    2012-10-12 12:44 - 2011-01-22 21:48 - 00002155 ____A C:\Windows\epplauncher.mif
    2012-10-12 11:05 - 2010-10-29 07:59 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1328558-2458857526-3040891912-1000Core.job
    2012-10-12 11:04 - 2009-07-13 21:13 - 00967472 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-10-12 11:03 - 2012-10-12 11:03 - 00043884 ____A C:\Users\joe\Downloads\[kat.ph]the.walking.dead.episode.3.reloaded.torrent
    2012-10-12 11:03 - 2012-10-12 11:03 - 00043884 ____A C:\Users\joe\Downloads\[kat.ph]the.walking.dead.episode.3.reloaded (1).torrent
    2012-08-30 13:03 - 2012-08-30 13:03 - 00228768 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
    2012-08-30 13:03 - 2010-10-24 00:25 - 00128456 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
    2012-07-22 12:20 - 2012-07-22 12:03 - 00000044 ____A C:\Users\joe\Desktop\New Text Document.txt
    2012-07-22 05:22 - 2010-11-17 07:16 - 00002034 ___AH C:\Users\joe\Documents\Default.rdp

    ZeroAccess:
    C:\Windows\Installer\{0b57f992-415d-77db-3088-8f653b0e3437}
    C:\Windows\Installer\{0b57f992-415d-77db-3088-8f653b0e3437}\@
    C:\Windows\Installer\{0b57f992-415d-77db-3088-8f653b0e3437}\L
    C:\Windows\Installer\{0b57f992-415d-77db-3088-8f653b0e3437}\n
    C:\Windows\Installer\{0b57f992-415d-77db-3088-8f653b0e3437}\U
    C:\Windows\Installer\{0b57f992-415d-77db-3088-8f653b0e3437}\U\00000001.@
    C:\Windows\Installer\{0b57f992-415d-77db-3088-8f653b0e3437}\U\800000cb.@

    ZeroAccess:
    C:\Users\joe\AppData\Local\{0b57f992-415d-77db-3088-8f653b0e3437}
    C:\Users\joe\AppData\Local\{0b57f992-415d-77db-3088-8f653b0e3437}\@
    C:\Users\joe\AppData\Local\{0b57f992-415d-77db-3088-8f653b0e3437}\L
    C:\Users\joe\AppData\Local\{0b57f992-415d-77db-3088-8f653b0e3437}\U
    C:\Users\joe\AppData\Local\{0b57f992-415d-77db-3088-8f653b0e3437}\U\00000001.@
    C:\Users\joe\AppData\Local\{0b57f992-415d-77db-3088-8f653b0e3437}\U\80000000.@
    C:\Users\joe\AppData\Local\{0b57f992-415d-77db-3088-8f653b0e3437}\U\800000cb.@

    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2012-01-22 13:06:42
    Restore point made on: 2012-01-27 09:27:37
    Restore point made on: 2012-06-07 10:48:02
    Restore point made on: 2012-06-08 11:56:19
    Restore point made on: 2012-06-09 01:19:59
    Restore point made on: 2012-06-10 08:46:31
    Restore point made on: 2012-06-12 11:46:07
    Restore point made on: 2012-06-12 12:36:15
    Restore point made on: 2012-06-14 23:09:31
    Restore point made on: 2012-06-14 23:11:07
    Restore point made on: 2012-06-14 23:11:40
    Restore point made on: 2012-06-14 23:12:27
    Restore point made on: 2012-06-15 10:26:57
    Restore point made on: 2012-06-15 10:28:07
    Restore point made on: 2012-06-19 12:38:29
    Restore point made on: 2012-06-20 13:01:26
    Restore point made on: 2012-06-23 21:37:19
    Restore point made on: 2012-06-25 10:42:38
    Restore point made on: 2012-06-28 10:53:44
    Restore point made on: 2012-06-28 11:54:54
    Restore point made on: 2012-06-29 11:11:59
    Restore point made on: 2012-06-29 11:28:29
    Restore point made on: 2012-06-29 11:29:13
    Restore point made on: 2012-07-01 07:20:26
    Restore point made on: 2012-07-01 07:21:19
    Restore point made on: 2012-07-21 03:55:24
    Restore point made on: 2012-09-01 03:13:47
    Restore point made on: 2012-10-12 11:34:21

    ==================== Memory info ===========================

    Percentage of memory in use: 16%
    Total physical RAM: 4095.55 MB
    Available physical RAM: 3434.12 MB
    Total Pagefile: 4093.7 MB
    Available Pagefile: 3440.98 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ==================== Partitions =============================

    2 Drive c: (BOOTCAMP) (Fixed) (Total:447.03 GB) (Free:35.72 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    3 Drive d: (bie764210) (CDROM) (Total:3.29 GB) (Free:0 GB) CDFS
    4 Drive e: (VIDEOS) (Fixed) (Total:465.65 GB) (Free:194.8 GB) FAT32
    5 Drive f: (wasteland) (Fixed) (Total:287.18 GB) (Free:285.19 GB) NTFS
    6 Drive g: (MEDIA) (Fixed) (Total:465.65 GB) (Free:190.46 GB) FAT32
    7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 931 GB 18 GB
    Disk 1 Online 465 GB 255 MB *
    Disk 2 Online 465 GB 0 B
    Disk 3 Online 465 GB 128 MB
    Disk 4 Online 465 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 200 MB 512 B
    Partition 2 Primary 465 GB 200 MB
    Partition 3 Primary 447 GB 465 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : EE
    Hidden: Yes
    Active: No

    There is no volume associated with this partition.

    =========================================================

    Disk: 0
    Partition 2
    Type : AF
    Hidden: Yes
    Active: No

    There is no volume associated with this partition.

    =========================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C BOOTCAMP NTFS Partition 447 GB Healthy

    =========================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 System (partition with boot components) 200 MB 20 KB
    Partition 2 Unknown 465 GB 200 MB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : c12a7328-f81f-11d2-ba4b-00a0c93ec93b
    Hidden : Yes
    Required: No
    Attrib : 0000000000000000

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 EFI FAT32 Partition 200 MB Healthy Hidden

    =========================================================

    Disk: 1
    Partition 2
    Type : 48465300-0000-11aa-aa11-00306543ecac
    Hidden : Yes
    Required: No
    Attrib : 0000000000000000

    There is no volume associated with this partition.

    =========================================================

    Partitions of Disk 2:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 465 GB 1024 B

    ==================================================================================

    Disk: 2
    Partition 1
    Type : 0B
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 E VIDEOS FAT32 Partition 465 GB Healthy

    =========================================================

    Partitions of Disk 3:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 200 MB 512 B
    Partition 2 Primary 178 GB 200 MB
    Partition 3 Primary 287 GB 178 GB

    ==================================================================================

    Disk: 3
    Partition 1
    Type : EE
    Hidden: Yes
    Active: No

    There is no volume associated with this partition.

    =========================================================

    Disk: 3
    Partition 2
    Type : AF
    Hidden: Yes
    Active: No

    There is no volume associated with this partition.

    =========================================================

    Disk: 3
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 F wasteland NTFS Partition 287 GB Healthy

    =========================================================

    Partitions of Disk 4:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 465 GB 31 KB

    ==================================================================================

    Disk: 4
    Partition 1
    Type : 0B
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 5 G MEDIA FAT32 Partition 465 GB Healthy

    =========================================================

    Last Boot: 2012-10-12 11:27

    ==================== End Of Log =============================

    Farbar Recovery Scan Tool (x64) Version: 12-10-2012
    Ran by SYSTEM at 2012-10-14 12:46:41
    Running from E:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-13 15:19] - [2012-10-13 08:48] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

    ====== End Of Search ======


    Thanks heaps
     
  4. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    Download the attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Next...

    Restart normally.

    ==================================

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

    ================================

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

    ================================

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    Alternate download: http://www.filehippo.com/download_malwarebytes_anti_malware/
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer IF MBAM asks you to do so.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    ===============================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?", say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

  5. Joseph Rapley

    Joseph Rapley TS Rookie Topic Starter

    Excellent. Have run FRST64.exe with the fixlist.txt file and now Windows isn't restarting. Have posted log below.

    Now running TDSSKiller

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-10-2012
    Ran by SYSTEM at 2012-10-14 17:10:15 Run:1
    Running from E:\

    ==============================================

    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    C:\Windows\System32\consrv.dll not found.
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs Mcx2Svc Deleted successfully.
    C:\Windows\System32\services.exe.A1F95B36D2E0EFAC moved successfully.
    C:\Windows\System32\services.exe.70ECC422571FAB80 moved successfully.
    C:\Windows\System32\services.exe.17627B7B2776FEC4 moved successfully.
    C:\Windows\System32\services.exe.9341647272B507BE moved successfully.
    C:\Windows\System32\services.exe.C37E765747901CC7 moved successfully.
    C:\Windows\System32\services.exe.60A7E533FFC9EA34 moved successfully.
    C:\Users\joe\Desktop\stop shutdown.bat moved successfully.
    C:\Windows\System32\services.exe.2D92A35D1EF713FB moved successfully.
    C:\Windows\System32\services.exe.1898A60DE2614A51 moved successfully.
    C:\Windows\System32\services.exe.05ECC41AD079FFDD moved successfully.
    C:\Windows\System32\services.exe.E07BD0F351D4B89C moved successfully.
    C:\Windows\System32\services.exe.17D124396AE4C9A4 moved successfully.
    C:\Windows\System32\services.exe.71C7F78B5F41D819 moved successfully.
    C:\Windows\System32\services.exe.608850FFB1802BB4 moved successfully.
    C:\Windows\Installer\{0b57f992-415d-77db-3088-8f653b0e3437} moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====
     
  6. Joseph Rapley

    Joseph Rapley TS Rookie Topic Starter

    TDSSKiller ran without finding anything. The report is too big to post here.
     
  7. Joseph Rapley

    Joseph Rapley TS Rookie Topic Starter

    RogueKiller found and removed/replaced some things.


    RogueKiller V8.1.1 [10/03/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : joe [Admin rights]
    Mode : Remove -- Date : 10/14/2012 17:22:48

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 10 ¤¤¤
    [TASK][PREVRUN] {7EC8D6FC-183C-4FCC-989E-9901207A0A23} : C:\Windows\system32\pcalua.exe -a "C:\Program Files (x86)\InstallShield Installation Information\{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}\setup.exe" -c -runfromtemp -l0x0009 -removeonly -> DELETED
    [TASK][PREVRUN] {9D48F0E9-C14A-4E9C-AA28-3184474A36C9} : C:\Windows\system32\pcalua.exe -a "C:\Users\joe\Desktop\Kick-***\CDisplay v1.8.exe" -d C:\Users\joe\Desktop\Kick-*** -> DELETED
    [TASK][SUSP PATH] {B4ABDD33-EE67-4D0F-B165-C90EB4FC1E6F} : C:\Users\joe\Desktop\BootCamp_3.1_64-bit.exe -> DELETED
    [TASK][PREVRUN] {C078BC01-DD06-4D00-B85F-8508B12B8AF8} : C:\Windows\system32\pcalua.exe -a "C:\Program Files (x86)\AVG\AVG10\avgmfapx.exe" -c /AppMode=SETUP /Uninstall -> DELETED
    [HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED
    [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
    [HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][FILE] @ : C:\Users\joe\AppData\Local\{0b57f992-415d-77db-3088-8f653b0e3437}\@ --> REMOVED
    [Del.Parent][FILE] 00000001.@ : C:\Users\joe\AppData\Local\{0b57f992-415d-77db-3088-8f653b0e3437}\U\00000001.@ --> REMOVED
    [Del.Parent][FILE] 80000000.@ : C:\Users\joe\AppData\Local\{0b57f992-415d-77db-3088-8f653b0e3437}\U\80000000.@ --> REMOVED
    [Del.Parent][FILE] 800000cb.@ : C:\Users\joe\AppData\Local\{0b57f992-415d-77db-3088-8f653b0e3437}\U\800000cb.@ --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\Users\joe\AppData\Local\{0b57f992-415d-77db-3088-8f653b0e3437}\U --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\Users\joe\AppData\Local\{0b57f992-415d-77db-3088-8f653b0e3437}\L --> REMOVED

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ Infection : ZeroAccess ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    0.0.0.0 .psf
    0.0.0.0 psf


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: Virtual HDD [0] ATA Device +++++
    --- User ---
    [MBR] b6ee4911422356d6018163293b22d20a
    [BSP] 686c2a6d53618898fb3ed748781f15e6 : Windows 7 MBR Code
    Partition table:
    0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 200 Mo
    1 - [XXXXXX] UNKNOWN (0xaf) [VISIBLE] Offset (sectors): 409640 | Size: 476837 Mo
    2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 977235968 | Size: 457758 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: WDC WD50 00AVVS-63M8B0 USB Device +++++
    --- User ---
    [MBR] c5f53180e7401ffc5ab75d9df71efe37
    [BSP] 9ef8ec88639eda421bd8380315ba746c : MBR Code unknown
    Partition table:
    0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 476940 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    +++++ PhysicalDrive2: WDC WD50 00AVVS-63M8B0 USB Device +++++
    --- User ---
    [MBR] dd7bd1c8d6599510e0583bca99b0b5b2
    [BSP] 95f56119bfa9f1c8a3cd203d95ec6cfc : MBR Code unknown
    Partition table:
    0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 2 | Size: 476940 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    +++++ PhysicalDrive3: WDC WD50 00AVVS-63M8B0 USB Device +++++
    --- User ---
    [MBR] cd0a4b42220da66b1cf4bdb4945d04d4
    [BSP] 6ca311ef3ae3ce4659438995955ad864 : MBR Code unknown
    Partition table:
    0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 200 Mo
    1 - [XXXXXX] UNKNOWN (0xaf) [VISIBLE] Offset (sectors): 409640 | Size: 182543 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 374521856 | Size: 294068 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    +++++ PhysicalDrive4: WDC WD50 00AVVS-63M8B0 USB Device +++++
    --- User ---
    [MBR] 6e063034fe21e224e6134d1884271076
    [BSP] 6532b8f4f1bdc4531d8efd09d0435210 : MBR Code unknown
    Partition table:
    0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 476939 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[3].txt >>
    RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
     
  8. Joseph Rapley

    Joseph Rapley TS Rookie Topic Starter

    And the first RogueKiller report

    RogueKiller V8.1.1 [10/03/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : joe [Admin rights]
    Mode : Scan -- Date : 10/14/2012 17:22:03

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 12 ¤¤¤
    [TASK][PREVRUN] {7EC8D6FC-183C-4FCC-989E-9901207A0A23} : C:\Windows\system32\pcalua.exe -a "C:\Program Files (x86)\InstallShield Installation Information\{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}\setup.exe" -c -runfromtemp -l0x0009 -removeonly -> FOUND
    [TASK][PREVRUN] {9D48F0E9-C14A-4E9C-AA28-3184474A36C9} : C:\Windows\system32\pcalua.exe -a "C:\Users\joe\Desktop\Kick-***\CDisplay v1.8.exe" -d C:\Users\joe\Desktop\Kick-*** -> FOUND
    [TASK][SUSP PATH] {B4ABDD33-EE67-4D0F-B165-C90EB4FC1E6F} : C:\Users\joe\Desktop\BootCamp_3.1_64-bit.exe -> FOUND
    [TASK][PREVRUN] {C078BC01-DD06-4D00-B85F-8508B12B8AF8} : C:\Windows\system32\pcalua.exe -a "C:\Program Files (x86)\AVG\AVG10\avgmfapx.exe" -c /AppMode=SETUP /Uninstall -> FOUND
    [HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
    [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
    [HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][FILE] @ : C:\Users\joe\AppData\Local\{0b57f992-415d-77db-3088-8f653b0e3437}\@ --> FOUND
    [ZeroAccess][FOLDER] U : C:\Users\joe\AppData\Local\{0b57f992-415d-77db-3088-8f653b0e3437}\U --> FOUND
    [ZeroAccess][FOLDER] L : C:\Users\joe\AppData\Local\{0b57f992-415d-77db-3088-8f653b0e3437}\L --> FOUND

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ Infection : ZeroAccess ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    0.0.0.0 .psf
    0.0.0.0 psf


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: Virtual HDD [0] ATA Device +++++
    --- User ---
    [MBR] b6ee4911422356d6018163293b22d20a
    [BSP] 686c2a6d53618898fb3ed748781f15e6 : Windows 7 MBR Code
    Partition table:
    0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 200 Mo
    1 - [XXXXXX] UNKNOWN (0xaf) [VISIBLE] Offset (sectors): 409640 | Size: 476837 Mo
    2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 977235968 | Size: 457758 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: WDC WD50 00AVVS-63M8B0 USB Device +++++
    --- User ---
    [MBR] c5f53180e7401ffc5ab75d9df71efe37
    [BSP] 9ef8ec88639eda421bd8380315ba746c : MBR Code unknown
    Partition table:
    0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 476940 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    +++++ PhysicalDrive2: WDC WD50 00AVVS-63M8B0 USB Device +++++
    --- User ---
    [MBR] dd7bd1c8d6599510e0583bca99b0b5b2
    [BSP] 95f56119bfa9f1c8a3cd203d95ec6cfc : MBR Code unknown
    Partition table:
    0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 2 | Size: 476940 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    +++++ PhysicalDrive3: WDC WD50 00AVVS-63M8B0 USB Device +++++
    --- User ---
    [MBR] cd0a4b42220da66b1cf4bdb4945d04d4
    [BSP] 6ca311ef3ae3ce4659438995955ad864 : MBR Code unknown
    Partition table:
    0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 200 Mo
    1 - [XXXXXX] UNKNOWN (0xaf) [VISIBLE] Offset (sectors): 409640 | Size: 182543 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 374521856 | Size: 294068 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    +++++ PhysicalDrive4: WDC WD50 00AVVS-63M8B0 USB Device +++++
    --- User ---
    [MBR] 6e063034fe21e224e6134d1884271076
    [BSP] 6532b8f4f1bdc4531d8efd09d0435210 : MBR Code unknown
    Partition table:
    0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 476939 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[2].txt >>
    RKreport[1].txt ; RKreport[2].txt
     
  9. Joseph Rapley

    Joseph Rapley TS Rookie Topic Starter

    Malwarebytes found and removed one threat.

    Malwarebytes Anti-Malware 1.65.0.1400
    www.malwarebytes.org

    Database version: v2012.10.14.05

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    joe :: WINDOWS-IMAC420 [administrator]

    14/10/2012 5:28:07 p.m.
    mbam-log-2012-10-14 (17-28-07).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 214262
    Time elapsed: 6 minute(s), 51 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 1
    HKLM\System\CurrentControlSet\Services\Netlogin (Trojan.Downloader) -> Quarantined and deleted successfully.

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  10. Joseph Rapley

    Joseph Rapley TS Rookie Topic Starter

    Log file from aswMBR.exe

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-10-14 18:04:21
    -----------------------------
    18:04:21.265 OS Version: Windows x64 6.1.7601 Service Pack 1
    18:04:21.265 Number of processors: 1 586 0x170A
    18:04:21.265 ComputerName: WINDOWS-IMAC420 UserName: joe
    18:04:23.812 Initialize success
    18:07:31.796 AVAST engine defs: 12101400
    18:08:31.655 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
    18:08:31.655 Disk 0 Vendor: Virtual__HDD_[0] FWR10003 Size: 953869MB BusType: 11
    18:08:31.671 Disk 0 MBR read successfully
    18:08:31.671 Disk 0 MBR scan
    18:08:31.687 Disk 0 Windows 7 default MBR code
    18:08:31.687 Disk 0 Partition 1 00 EE GPT 200 MB offset 1
    18:08:31.718 Disk 0 Partition 2 00 AF HFS / HFS+ 476837 MB offset 409640
    18:08:31.734 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 457758 MB offset 977235968
    18:08:31.796 Disk 0 scanning C:\Windows\system32\drivers
    18:08:45.046 Service scanning
    18:09:09.749 Service RemoteAccess C:\Windows\SysWOW64\mprdin.dll **INFECTED** Win32:Malware-gen
    18:09:19.187 Modules scanning
    18:09:19.187 Disk 0 trace - called modules:
    18:09:19.718 ntoskrnl.exe CLASSPNP.SYS disk.sys prl_strg.sys prl_tg.sys
    18:09:19.734 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004f5b690]
    18:09:19.734 3 CLASSPNP.SYS[fffff88001b9a43f] -> nt!IofCallDriver -> [0xfffffa8004f5a040]
    18:09:19.734 5 prl_strg.sys[fffff88001afcd23] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0xfffffa8004de71f0]
    18:09:19.749 \Driver\atapi[0xfffffa8004a9b3e0] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> prl_strg.sys[0xfffff88001afd768]
    18:09:19.749 7 prl_strg.sys[fffff88001aff3a5] -> nt!IofCallDriver -> \Device\prl_tg[0xfffffa8004a55540]
    18:09:20.421 AVAST engine scan C:\Windows
    18:09:23.124 AVAST engine scan C:\Windows\system32
    18:13:37.718 AVAST engine scan C:\Windows\system32\drivers
    18:13:59.077 AVAST engine scan C:\Users\joe
    18:20:55.265 AVAST engine scan C:\ProgramData
    18:22:17.609 Scan finished successfully
    20:00:28.859 Disk 0 MBR has been saved successfully to "C:\Users\joe\Desktop\MBR.dat"
    20:00:28.874 The log file has been saved successfully to "C:\Users\joe\Desktop\aswMBR.txt"
     
  11. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    Create a new restore point before proceeding with the next step.
    How to:
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    ==============================

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If restarting doesn't help use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
     
     
  12. Joseph Rapley

    Joseph Rapley TS Rookie Topic Starter

    ComboFix log.

    ComboFix 12-10-14.03 - joseph 14/10/2012 20:23:14.1.1 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.64.1033.18.4096.2082 [GMT 1:00]
    Running from: c:\users\joe\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
    SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Install.exe
    c:\programdata\B4F391B2A0.sys
    c:\users\joe\AppData\Local\assembly\tmp
    c:\users\joe\AppData\Local\Temp\9109.tmp
    c:\users\joe\AppData\Local\Temp\C12B.tmp
    c:\windows\AutoRun.ini
    c:\windows\jestertb.dll
    c:\windows\SwSys1.bmp
    c:\windows\SwSys2.bmp
    c:\windows\SysWow64\tmp4F19.tmp
    c:\windows\SysWow64\tmp4F58.tmp
    c:\windows\SysWow64\tmp693D.tmp
    c:\windows\SysWow64\tmp693E.tmp
    c:\windows\SysWow64\tmp9CA3.tmp
    c:\windows\SysWow64\tmpA15D.tmp
    c:\windows\SysWow64\tmpBF77.tmp
    c:\windows\SysWow64\tmpBF78.tmp
    c:\windows\SysWow64\tmpDD25.tmp
    c:\windows\SysWow64\tmpDD45.tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-09-14 to 2012-10-14 )))))))))))))))))))))))))))))))
    .
    .
    2012-10-14 19:06 . 2012-08-29 23:27 9308616 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C7F0D9F8-7577-4E7C-B014-491646F51F74}\mpengine.dll
    2012-10-14 16:27 . 2012-10-14 16:27 -------- d-----w- c:\users\joe\AppData\Roaming\Malwarebytes
    2012-10-14 16:27 . 2012-10-14 16:27 -------- d-----w- c:\programdata\Malwarebytes
    2012-10-14 16:27 . 2012-10-14 16:27 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-10-14 16:27 . 2012-09-07 16:04 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-10-13 17:29 . 2012-10-13 17:32 -------- d-----w- C:\FRST
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-30 21:03 . 2012-08-30 21:03 228768 ----a-w- c:\windows\system32\drivers\MpFilter.sys
    2012-08-30 21:03 . 2010-10-24 08:25 128456 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
    "Parallels Tools Center"="c:\program files (x86)\Parallels\Parallels Tools\prl_cc.exe" [2011-09-13 270088]
    "TV IR"="c:\program files (x86)\TV IR\TV IR.exe" [2011-04-13 1437184]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Rohos]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [x]
    R3 ALSysIO;ALSysIO;c:\users\joe\AppData\Local\Temp\ALSysIO64.sys [x]
    R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2009-08-24 6104064]
    R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-10-14 265728]
    R3 AppleBtBc;Apple Broadcom Built-in Bluetooth;c:\windows\system32\DRIVERS\AppleBtBc.sys [2010-01-27 18944]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2010-11-17 115216]
    R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-13 54824]
    R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-01-20 328232]
    R3 btwsecfl;Bluetooth USB Security Filter;c:\windows\system32\drivers\btwsecfl.sys [2009-10-27 71720]
    R3 CirrusFilter;CS420xLowerFilter;c:\windows\system32\DRIVERS\CS420x64.sys [2010-10-14 18432]
    R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2011-04-08 47616]
    R3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\DRIVERS\IRFilter.sys [2009-10-15 18432]
    R3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\DRIVERS\KeyMagic.sys [2010-03-22 29184]
    R3 massfilter;MBB Mass Storage Filter Driver;c:\windows\system32\DRIVERS\massfilter.sys [2010-12-30 11776]
    R3 MonitorFunction;Driver for Monitor;c:\windows\system32\DRIVERS\TVMonitor.sys [2010-11-12 16376]
    R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [2011-08-29 117520]
    R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [2011-05-09 22528]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-30 128456]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-12 368896]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
    R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
    R3 RTL2832U_IRHID;HID Infrared Remote Receiver;c:\windows\system32\DRIVERS\RTL2832U_IRHID.sys [2009-10-05 44320]
    R3 RTL2832UBDA;REALTEK 2832U BDA Driver;c:\windows\system32\drivers\RTL2832UBDA.sys [2010-07-01 224488]
    R3 RTL2832UUSB;REALTEK 2832U USB Driver;c:\windows\system32\Drivers\RTL2832UUSB.sys [2010-07-01 39016]
    R3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\DRIVERS\sis163u.sys [2006-12-19 271360]
    R3 stus2x64;USB 2.0 IrDA Bridge;c:\windows\system32\DRIVERS\stusb2ir.sys [2008-01-03 47872]
    R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\DRIVERS\teamviewervpn.sys [2010-11-04 35112]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-05-09 51712]
    R3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2011-01-18 68440]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
    R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2011-08-04 306400]
    R3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\DRIVERS\ZTEusbnet.sys [2010-12-30 135168]
    R3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\DRIVERS\ZTEusbvoice.sys [2010-12-30 121344]
    R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
    R4 DxkgFilter;Filtering Dxkg; [x]
    R4 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]
    R4 Mobiola Wave Service;Mobiola Wave Service;c:\program files (x86)\Common Files\SHAPE Services\Mobiola Wave Service\MobiolaWaveService.exe [2011-04-11 125088]
    R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2010-05-05 59744]
    R4 NetLogin Helper;NetLogin Helper;c:\program files (x86)\NetLogin\NetLoginService.exe [2008-02-18 69632]
    R4 Rohos;Rohos welcome screen elements;c:\program files (x86)\Rohos\ntserv.exe [2010-09-16 71792]
    R4 RsFx0105;RsFx0105 Driver;c:\windows\system32\DRIVERS\RsFx0105.sys [2011-09-22 311144]
    R4 RsFx0151;RsFx0151 Driver;c:\windows\system32\DRIVERS\RsFx0151.sys [2011-06-17 313696]
    R4 SQLAgent$ACT7;SQL Server Agent (ACT7);c:\program files\Microsoft SQL Server\MSSQL10_50.ACT7\MSSQL\Binn\SQLAGENT.EXE [2011-06-17 431456]
    R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2011-09-22 431464]
    R4 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R4 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R4 vcd10bus;Virtual CD v10 Bus Enumerator;c:\windows\system32\DRIVERS\vcd10bus.sys [2008-06-16 40464]
    R4 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    R4 VmbService;Vodafone Mobile Broadband Service;c:\program files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe [2010-12-31 9216]
    R4 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
    S0 AppleHFS;AppleHFS; [x]
    S0 AppleMNT;AppleMNT; [x]
    S0 prl_pv64;prl_pv64;c:\windows\system32\DRIVERS\prl_pv64.sys [2011-11-29 100680]
    S0 prl_strg;Parallels paravirt disk filter;c:\windows\system32\DRIVERS\prl_strg.sys [2011-09-13 37640]
    S0 prl_tg;Parallels Tool Device;c:\windows\system32\DRIVERS\prl_tg.sys [2011-09-13 26248]
    S1 prl_boot;Parallels BootCamp Helper;c:\windows\system32\Drivers\prl_boot.sys [2011-09-13 45832]
    S1 prl_fs;Parallels Shared Folders;c:\windows\system32\DRIVERS\prl_fs.sys [2011-09-13 196360]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-24 202752]
    S2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [2010-11-11 223544]
    S2 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe [2010-02-01 110904]
    S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x64.sys [2010-07-09 21480]
    S2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [2010-11-11 15928]
    S2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [2010-11-11 21048]
    S2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL10_50.ACT7\MSSQL\Binn\sqlservr.exe [2011-06-17 62111072]
    S2 Parallels Coherence Service;Parallels Coherence Service;c:\program files (x86)\Parallels\Parallels Tools\Services\coherence.exe [2011-09-13 33544]
    S2 Parallels Tools Service;Parallels Tools Service;c:\program files (x86)\Parallels\Parallels Tools\Services\prl_tools_service.exe [2011-09-13 260360]
    S2 prl_time;Parallels Time Synchronization Helper;c:\windows\system32\drivers\prl_time.sys [2011-09-13 17160]
    S2 VBoxDrv;VBox Support Driver;c:\program files (x86)\YouWave_Android\vb\VBoxDrv.sys [2010-07-15 203864]
    S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [2010-12-30 85504]
    S3 MOBIOLA_Wave;Mobiola Wave Audio Device (WDM);c:\windows\system32\drivers\mobiolawave.sys [2011-04-06 29120]
    S3 mobiolavs;Mobiola Web Camera Video Source;c:\windows\system32\DRIVERS\mobiolavs.sys [2011-04-06 28304]
    S3 MungoDriver;MungoGamer Remote;c:\windows\system32\DRIVERS\MungoDriver.sys [2010-12-17 13912]
    S3 prl_dd;Parallels Display Adapter (WDDM);c:\windows\system32\DRIVERS\prl_kmdd.sys [2011-09-13 156424]
    S3 prl_memdev;prl_memdev;c:\windows\system32\DRIVERS\prl_memdev.sys [2011-09-13 19720]
    S3 prl_mouf;Parallels Mouse Synchronization Device;c:\windows\system32\DRIVERS\prl_mouf.sys [2011-09-13 19720]
    S3 prl_sound;Parallels Audio Controller;c:\windows\system32\DRIVERS\prl_sound.sys [2011-09-13 40200]
    S3 RDPDISPM;RDPDISPM;c:\windows\system32\DRIVERS\rdpdispm.sys [2010-08-30 10752]
    S3 vodafone_K3805-z_dc_enum;vodafone_K3805-z_dc_enum;c:\windows\system32\DRIVERS\vodafone_K3805-z_dc_enum.sys [2010-09-01 75776]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-10-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1328558-2458857526-3040891912-1000Core.job
    - c:\users\joe\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-29 15:59]
    .
    2012-10-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1328558-2458857526-3040891912-1000UA.job
    - c:\users\joe\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-29 15:59]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\PrlToolsShellExt]
    @="{456C7CE2-DAAA-4333-A715-898D4671BBD4}"
    [HKEY_CLASSES_ROOT\CLSID\{456C7CE2-DAAA-4333-A715-898D4671BBD4}]
    2011-09-13 04:43 344840 ----a-w- c:\program files (x86)\Parallels\Parallels Tools\ShellExtentions\PrlToolsShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 1289704]
    "XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-10-01 825184]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office14\EXCEL.EXE/3000
    Trusted Zone: no-ip.info\poppy
    TCP: DhcpNameServer = 192.168.1.1
    DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}
    FF - ProfilePath - c:\users\joe\AppData\Roaming\Mozilla\Firefox\Profiles\9y9imz34.default\
    FF - prefs.js: browser.startup.homepage - about:home
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 8888
    FF - prefs.js: network.proxy.socks - gate.ec.auckland.ac.nz
    FF - prefs.js: network.proxy.socks_port - 1080
    FF - prefs.js: network.proxy.ssl - 127.0.0.1
    FF - prefs.js: network.proxy.ssl_port - 8888
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-Scratches Director's Cut - c:\program files (x86)\GotGameEntertainment\Uninstall.exe
    AddRemove-{1AA94747-3BF6-4237-9E1A-7B3067738FE1} - c:\program files (x86)\InstallShield Installation Information\{1AA94747-3BF6-4237-9E1A-7B3067738FE1}\setup.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1328558-2458857526-3040891912-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.Email.1"
    .
    [HKEY_USERS\S-1-5-21-1328558-2458857526-3040891912-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.VCard.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Parallels\Parallels Tools\Services\WOW\coherence.exe
    c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    .
    **************************************************************************
    .
    Completion time: 2012-10-14 22:40:21 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-10-14 21:40
    .
    Pre-Run: 34,785,767,424 bytes free
    Post-Run: 36,523,167,744 bytes free
    .
    - - End Of File - - E3BDE584FCCC68F6C49BE0424CBFA722
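    A small triage helper for reading a ComboFix log like the one posted above. This is an added example, not part of ComboFix or of this thread. It assumes the layout the log shows: service and driver lines as `<state> <name>;<description>;<path> [<date> <size>]`, with `[x]` where ComboFix found no file on disk; quoted `"name"="path" [date size]` values under `...\Run` keys; and `FF - prefs.js:` lines for Firefox preferences. The sample input is a constructed excerpt modelled on the posted log, and the "suspect directory" heuristic is the example's own, not a ComboFix rule.

```python
"""Triage a ComboFix log: flag services/drivers worth a closer look, list Run-key
entries, and summarise Firefox proxy prefs. Added example; not ComboFix's own code."""
import re

# Constructed excerpt in ComboFix's layout, modelled on the log posted in the thread.
# ComboFix prints "[x]" in place of "[date size]" when the referenced file is not on disk.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
.
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [x]
R3 ALSysIO;ALSysIO;c:\users\joe\AppData\Local\Temp\ALSysIO64.sys [x]
R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2009-08-24 6104064]
R4 DxkgFilter;Filtering Dxkg; [x]
S2 VBoxDrv;VBox Support Driver;c:\program files (x86)\YouWave_Android\vb\VBoxDrv.sys [2010-07-15 203864]
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8888
FF - prefs.js: network.proxy.type - 0
"""

SERVICE_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.*?) \[(x|\d{4}-\d{2}-\d{2} \d+)\]$')
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
REG_KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
FF_PREF_RE = re.compile(r'^FF - prefs\.js: (network\.proxy\.\w+) - (.*)$')

# Heuristic (assumption, not a ComboFix rule): a kernel driver (.sys) has no business
# loading from a temp directory or from a user profile.
SUSPECT_DIR_MARKERS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\")


def parse_services(text):
    """Return one dict per service/driver line: state, name, description, path, missing."""
    entries = []
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if m:
            state, name, desc, path, stamp = m.groups()
            entries.append({"state": state, "name": name, "description": desc,
                            "path": path, "missing": stamp == "x"})
    return entries


def triage_services(text):
    """Map service name -> list of reasons it deserves a closer look."""
    findings = {}
    for e in parse_services(text):
        reasons = []
        if e["missing"]:
            reasons.append("file not found on disk")
        lower = e["path"].lower()
        if lower.endswith(".sys") and any(mk in lower for mk in SUSPECT_DIR_MARKERS):
            reasons.append("driver loaded from a temp or user-profile path")
        if reasons:
            findings[e["name"]] = reasons
    return findings


def parse_run_entries(text):
    """Return (registry key, value name, path) for every value under a ...\\Run key."""
    current_key = None
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        k = REG_KEY_RE.match(line)
        if k:
            current_key = k.group(1)
            continue
        if current_key and current_key.lower().endswith("\\run"):
            v = RUN_VALUE_RE.match(line)
            if v:
                found.append((current_key, v.group(1), v.group(2)))
    return found


def firefox_proxy_state(text):
    """Summarise Firefox proxy prefs. prefs.js only records non-default values, so an
    absent network.proxy.type is reported as None (unknown). Type 0 means a direct
    connection: host/port entries are then configured but not in use."""
    prefs = {}
    for raw in text.splitlines():
        m = FF_PREF_RE.match(raw.strip())
        if m:
            prefs[m.group(1)] = m.group(2)
    ptype = prefs.get("network.proxy.type")
    ptype = int(ptype) if ptype is not None and ptype.isdigit() else None
    http = prefs.get("network.proxy.http", "")
    port = prefs.get("network.proxy.http_port", "")
    return {"type": ptype, "manual_proxy_active": ptype == 1,
            "http_proxy": f"{http}:{port}" if http else ""}


if __name__ == "__main__":
    for name, reasons in triage_services(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(reasons)}")
    for key, name, path in parse_run_entries(SAMPLE_LOG):
        print(f"Run value {name} -> {path}")
    print(firefox_proxy_state(SAMPLE_LOG))
```

On the posted log the same logic flags the `[x]` entries (LMIInfo, ALSysIO, DxkgFilter, AppleHFS and the like) and ALSysIO additionally for living under `AppData\Local\Temp`; a flagged entry is a prompt to check the file and its signer, not a verdict, since legitimate leftovers of uninstalled software show up as `[x]` too. The Firefox block is there because the posted prefs list a 127.0.0.1:8888 HTTP proxy yet `network.proxy.type` is 0, which means no proxy is in use; reading the type pref first avoids treating stale host entries as an active redirect.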
     
  13. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    Looks good :)

    Any current issues?

    ========================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  14. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    Still with me?
     
  15. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    This topic is marked as abandoned and closed due to inactivity.
    This member will NOT be eligible to receive any more help in malware removal forum.
     
Topic Status:
Not open for further replies.

