TechSpot

[A] SMART virus + others, ran Hitman 3, now won't boot (frst log included)

By bbbbbb
Jul 19, 2012
  1. Started with the S.M.A.R.T virus, making me think my hard drive was failing, etc. Finally found it and removed it. Yet now my computer was running slow and the internet was crawling. Many pages were being redirected as well. Ran Malwarebytes, Ad-Aware, Avast, no solution. Ran Hitman Pro, found plenty of infections, went to reboot, now stuck in a reboot loop. BSOD. No simple cure.

    Windows 7 x64 operating system

    I have successfully run FRST64.exe and a log has been reported. Attached below.

    Thank you!!!

    Scan result of Farbar Recovery Scan Tool Version: 16-07-2012 02
    Ran by SYSTEM at 18-07-2012 02:25:33
    Running from G:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10134560 2010-03-23] (Realtek Semiconductor)
    HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [165912 2010-03-14] (Intel Corporation)
    HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [387608 2010-03-14] (Intel Corporation)
    HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [365592 2010-03-14] (Intel Corporation)
    HKLM\...\Run: [Acer ePower Management] C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe [860192 2010-02-05] (Acer Incorporated)
    HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284696 2009-12-23] (Intel Corporation)
    HKLM-x32\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4273976 2012-06-28] (AVAST Software)
    HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2009-07-13] (Microsoft Corporation)
    Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
    Startup: C:\Users\Bobby\Start Menu\Programs\Startup\RocketDock.lnk
    ShortcutTarget: RocketDock.lnk -> C:\Program Files (x86)\RocketDock\RocketDock.exe ()

    ==================== Services (Whitelisted) ======

    2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44808 2012-06-28] (AVAST Software)
    2 DsiWMIService; C:\Program Files (x86)\Launch Manager\dsiwmis.exe [325200 2010-03-03] (Dritek System Inc.)
    2 ePowerSvc; C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe [865824 2010-02-05] (Acer Incorporated)
    3 GameConsoleService; "C:\Program Files (x86)\eMachines Games\eMachines Game Console\GameConsoleService.exe" [238328 2009-10-09] (WildTangent, Inc.)
    2 GREGService; C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe [23584 2010-01-08] (Acer Incorporated)
    2 Lavasoft Ad-Aware Service; "C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe" [2152720 2012-05-28] (Lavasoft Limited)
    2 Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [243232 2010-01-28] (Acer Group)
    2 WinDefend; C:\Program Files (x86)\Windows Defender\mpsvc.dll [x]

    ========================== Drivers (Whitelisted) =============

    2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [25232 2012-06-28] (AVAST Software)
    2 aswMonFlt; C:\Windows\System32\Drivers\aswMonFlt.sys [71064 2012-06-28] (AVAST Software)
    1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [54072 2012-06-28] (AVAST Software)
    1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [958912 2012-06-28] (AVAST Software)
    1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [355856 2012-06-28] (AVAST Software)
    1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [59728 2012-06-28] (AVAST Software)
    3 epmntdrv; \??\C:\Windows\system32\epmntdrv.sys [16776 2011-07-29] ()
    3 EuGdiDrv; \??\C:\Windows\system32\EuGdiDrv.sys [9096 2011-07-29] ()
    3 Lavasoft Kernexplorer; \??\C:\Program Files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [17152 2012-01-16] ()
    0 Lbd; C:\Windows\System32\Drivers\Lbd.sys [69376 2011-11-03] (Lavasoft AB)
    3 prwntdrv; \??\C:\Windows\system32\prwntdrv.sys [16776 2010-08-25] ()
    3 pwdrvio; \??\C:\Windows\system32\pwdrvio.sys [19936 2012-01-18] ()
    3 pwdspio; \??\C:\Windows\system32\pwdspio.sys [13280 2012-01-18] ()
    3 TS_AR5416; C:\Windows\System32\DRIVERS\ts_athwx.sys [2156968 2011-01-06] (TamoSoft)
    3 catchme; \??\C:\ComboFix\catchme.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-07-10 22:07 - 2012-07-13 15:26 - 00000000 ____D C:\Windows\Cursors
    2012-07-10 18:45 - 2012-07-10 22:18 - 00000000 ____D C:\Users\All Users\HitmanPro
    2012-07-10 18:44 - 2012-07-10 18:46 - 00135673 ____A C:\Users\Bobby\Downloads\HitmanPro36.exe.part
    2012-07-08 10:21 - 2012-07-08 10:36 - 00000000 ____D C:\Users\Bobby\Desktop\dad stuff
    2012-07-07 22:00 - 2012-07-08 09:10 - 00000258 ____A C:\Windows\setupact.log
    2012-07-07 22:00 - 2012-07-07 22:00 - 00000000 ____A C:\Windows\setuperr.log
    2012-07-07 20:57 - 2012-07-07 20:58 - 00078844 ____A C:\Users\Bobby\Documents\cc_20120707_235757.reg
    2012-07-07 20:55 - 2012-07-07 20:56 - 00000000 ____D C:\Malwarebytes' Anti-Malware
    2012-07-07 20:55 - 2012-07-07 20:55 - 00000717 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-07 20:54 - 2012-07-07 20:54 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\Bobby\Downloads\mbam-setup-1.61.0.1400.exe
    2012-07-07 20:51 - 2012-07-10 16:49 - 00010033 ____A C:\Users\Bobby\Desktop\Book1.xlsx
    2012-07-06 09:49 - 2012-07-08 07:57 - 00000408 ____A C:\Windows\Tasks\Ad-Aware Update (Weekly).job
    2012-07-04 21:26 - 2012-07-04 21:32 - 00000000 ____D C:\Users\Bobby\Downloads\500.Days.Of.Summer.BDRip.XviD-ARiGOLD
    2012-07-04 09:58 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
    2012-07-04 09:58 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
    2012-07-04 09:58 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2012-07-04 09:58 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2012-07-04 09:58 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2012-07-04 09:58 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
    2012-07-04 09:58 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
    2012-07-04 09:58 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
    2012-07-04 09:57 - 2012-07-04 16:27 - 00000000 ___SD C:\ComboFix
    2012-07-04 09:53 - 2012-07-04 09:57 - 00000000 ____D C:\Qoobox
    2012-07-04 06:37 - 2012-07-04 11:40 - 00000000 ____D C:\Windows\erdnt
    2012-07-03 21:54 - 2012-06-28 04:52 - 00355856 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
    2012-07-03 21:54 - 2012-06-28 04:52 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
    2012-07-03 21:53 - 2012-07-03 21:53 - 00000000 ____A C:\Windows\SysWOW64\config.nt
    2012-07-03 21:53 - 2012-06-28 04:52 - 00958912 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
    2012-07-03 21:53 - 2012-06-28 04:52 - 00071064 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
    2012-07-03 21:53 - 2012-06-28 04:52 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
    2012-07-03 21:53 - 2012-06-28 04:52 - 00054072 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
    2012-07-03 21:53 - 2012-06-28 04:51 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
    2012-07-03 21:52 - 2012-07-03 21:52 - 00000000 ____D C:\Users\All Users\AVAST Software
    2012-07-03 21:52 - 2012-07-03 21:52 - 00000000 ____D C:\Program Files\AVAST Software
    2012-07-03 21:52 - 2012-06-28 04:52 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
    2012-07-03 21:52 - 2012-06-28 04:51 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
    2012-06-29 02:33 - 2012-06-29 02:34 - 00000092 ____A C:\Users\Bobby\Desktop\realitysnap.txt
    2012-06-28 23:06 - 2012-06-28 23:16 - 00000000 ____D C:\Users\Bobby\Downloads\Being.Flynn.2012.LiMiTED.DVDRip.XviD-DEPRiVED
    2012-06-28 23:06 - 2012-06-28 23:12 - 00000000 ____D C:\Users\Bobby\Downloads\God.Bless.America.2011.LIMITED.DVDRip.XviD-AMIABLE
    2012-06-28 22:38 - 2012-06-28 22:39 - 00000116 ____A C:\Users\Bobby\Desktop\bike.txt
    2012-06-27 15:14 - 2012-07-10 17:26 - 00000319 ____A C:\Users\Bobby\Desktop\eating plan.txt
    2012-06-26 22:19 - 2012-06-26 22:19 - 00000000 ____D C:\Users\Test\AppData\Roaming\Adobe
    2012-06-25 00:19 - 2012-06-25 00:19 - 00000000 ____D C:\Users\Bobby\Downloads\CamStudioCodec-1.4-w32
    2012-06-25 00:19 - 2010-10-23 21:56 - 00049664 ____A (CamStudio Group) C:\Windows\System32\CamCodec.dll
    2012-06-25 00:18 - 2012-06-25 00:18 - 04472121 ____A (CamStudio Open Source Dev Team ) C:\Users\Bobby\Downloads\CamStudio_Setup_v2.6b_r294_(build_24Oct2010).exe
    2012-06-25 00:18 - 2012-06-25 00:18 - 00034510 ____A C:\Users\Bobby\Downloads\CamStudioCodec-1.4-w32.zip
    2012-06-25 00:17 - 2012-06-25 00:17 - 20786971 ____A (Audacity Team ) C:\Users\Bobby\Downloads\audacity-win-2.0.exe
    2012-06-21 22:28 - 2012-06-21 22:28 - 00003690 ____A C:\Users\Bobby\.jmf-resource
    2012-06-21 22:25 - 2012-06-21 22:25 - 00000000 ____D C:\Users\Bobby\Downloads\krut_full_windows_0_9_3
    2012-06-21 22:24 - 2012-06-21 22:24 - 00000000 ____D C:\Windows\SysWOW64\CSIDL_PERSONAL
    2012-06-21 22:23 - 2012-06-21 22:25 - 00000000 ____D C:\Users\Bobby\AppData\Local\uTIPu
    2012-06-21 22:22 - 2012-06-21 22:41 - 00000000 ____D C:\Program Files (x86)\uTIPu
    2012-06-21 22:18 - 2012-06-21 22:18 - 04994545 ____A C:\Users\Bobby\Downloads\krut_full_windows_0_9_3.zip
    2012-06-21 22:17 - 2012-06-21 22:46 - 00000000 ____D C:\Program Files (x86)\UltraVNC Addons
    2012-06-21 22:01 - 2012-06-25 00:19 - 00000000 ____D C:\Program Files (x86)\CamStudio 2.6b
    2012-06-21 08:13 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-21 08:13 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-21 08:13 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-21 08:13 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-21 08:13 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-21 08:13 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-21 08:13 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-21 08:12 - 2012-06-02 12:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-21 08:12 - 2012-06-02 12:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-20 19:55 - 2012-06-20 19:55 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_dc3d_01009.Wdf
    2012-06-19 15:06 - 2012-06-19 15:06 - 00000000 ____D C:\Users\Bobby\AppData\Roaming\Thunderbird
    2012-06-19 15:06 - 2012-06-19 15:06 - 00000000 ____D C:\Users\Bobby\AppData\Local\Thunderbird
    2012-06-19 15:04 - 2012-06-19 15:04 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
    2012-06-18 20:08 - 2012-06-21 22:46 - 00000000 ____D C:\Users\Bobby\Downloads\The Vow 2012 R5 LiNE XViD - INSPiRAL
    2012-06-18 20:08 - 2012-06-18 20:09 - 733956096 ____A C:\Users\Bobby\Downloads\25th Hour (2002).avi
    2012-06-18 15:48 - 2012-06-18 15:49 - 18506296 ____A (Mozilla) C:\Users\Test\Downloads\Thunderbird Setup 13.0.1.exe
    2012-06-18 15:41 - 2012-06-18 15:41 - 00007864 ____A C:\Users\Test\Desktop\Book1.xlsx
    2012-06-18 14:19 - 2012-06-18 14:19 - 00115936 ____A C:\Users\Test\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-06-18 14:19 - 2012-06-18 14:19 - 00000000 ____D C:\Users\Test\AppData\Roaming\Mozilla
    2012-06-18 14:19 - 2012-06-18 14:19 - 00000000 ____D C:\Users\Test\AppData\Roaming\Intel Corporation
    2012-06-18 14:19 - 2012-06-18 14:19 - 00000000 ____D C:\Users\Test\AppData\Local\Mozilla
    2012-06-18 14:18 - 2012-06-27 00:19 - 00000000 ____D C:\Users\Test\AppData\Roaming\ExpressFiles
    2012-06-18 14:18 - 2012-06-18 14:18 - 00000000 ____D C:\Users\Test\AppData\Roaming\Macromedia
    2012-06-18 14:17 - 2012-07-13 15:26 - 00000000 ____D C:\users\Test
    2012-06-18 14:17 - 2012-06-18 14:17 - 00000020 ___SH C:\Users\Test\ntuser.ini
    2012-06-18 14:17 - 2010-08-26 00:03 - 00000000 ____D C:\Users\Test\AppData\Local\Microsoft Help
    2012-06-18 13:57 - 2012-06-18 13:57 - 18506296 ____A (Mozilla) C:\Users\Bobby\Downloads\Thunderbird Setup 13.0.1.exe


    ============ 3 Months Modified Files ========================

    2012-07-10 18:46 - 2012-07-10 18:44 - 00135673 ____A C:\Users\Bobby\Downloads\HitmanPro36.exe.part
    2012-07-10 17:58 - 2012-02-20 19:15 - 00007388 ____A C:\aaw7boot.log
    2012-07-10 17:26 - 2012-06-27 15:14 - 00000319 ____A C:\Users\Bobby\Desktop\eating plan.txt
    2012-07-10 16:49 - 2012-07-07 20:51 - 00010033 ____A C:\Users\Bobby\Desktop\Book1.xlsx
    2012-07-08 10:16 - 2010-08-21 03:42 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-07-08 09:17 - 2010-05-13 14:01 - 01403628 ____A C:\Windows\WindowsUpdate.log
    2012-07-08 09:10 - 2012-07-07 22:00 - 00000258 ____A C:\Windows\setupact.log
    2012-07-08 08:22 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-08 08:22 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-08 07:58 - 2010-08-21 03:42 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-07-08 07:57 - 2012-07-06 09:49 - 00000408 ____A C:\Windows\Tasks\Ad-Aware Update (Weekly).job
    2012-07-08 07:57 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-07 22:00 - 2012-07-07 22:00 - 00000000 ____A C:\Windows\setuperr.log
    2012-07-07 20:58 - 2012-07-07 20:57 - 00078844 ____A C:\Users\Bobby\Documents\cc_20120707_235757.reg
    2012-07-07 20:55 - 2012-07-07 20:55 - 00000717 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-07 20:54 - 2012-07-07 20:54 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\Bobby\Downloads\mbam-setup-1.61.0.1400.exe
    2012-07-07 19:58 - 2009-07-13 21:13 - 00792118 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-04 22:16 - 2012-01-19 23:08 - 00000064 ____A C:\Windows\SysWOW64\rp_stats.dat
    2012-07-04 22:16 - 2012-01-19 23:08 - 00000044 ____A C:\Windows\SysWOW64\rp_rules.dat
    2012-07-03 21:53 - 2012-07-03 21:53 - 00000000 ____A C:\Windows\SysWOW64\config.nt
    2012-07-01 20:43 - 2012-06-14 00:06 - 00012047 ____A C:\Users\Bobby\Desktop\NOW.xlsx
    2012-06-29 02:34 - 2012-06-29 02:33 - 00000092 ____A C:\Users\Bobby\Desktop\realitysnap.txt
    2012-06-28 22:39 - 2012-06-28 22:38 - 00000116 ____A C:\Users\Bobby\Desktop\bike.txt
    2012-06-28 04:52 - 2012-07-03 21:54 - 00355856 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
    2012-06-28 04:52 - 2012-07-03 21:54 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
    2012-06-28 04:52 - 2012-07-03 21:53 - 00958912 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
    2012-06-28 04:52 - 2012-07-03 21:53 - 00071064 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
    2012-06-28 04:52 - 2012-07-03 21:53 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
    2012-06-28 04:52 - 2012-07-03 21:53 - 00054072 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
    2012-06-28 04:52 - 2012-07-03 21:52 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
    2012-06-28 04:51 - 2012-07-03 21:53 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
    2012-06-28 04:51 - 2012-07-03 21:52 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
    2012-06-25 00:18 - 2012-06-25 00:18 - 04472121 ____A (CamStudio Open Source Dev Team ) C:\Users\Bobby\Downloads\CamStudio_Setup_v2.6b_r294_(build_24Oct2010).exe
    2012-06-25 00:18 - 2012-06-25 00:18 - 00034510 ____A C:\Users\Bobby\Downloads\CamStudioCodec-1.4-w32.zip
    2012-06-25 00:17 - 2012-06-25 00:17 - 20786971 ____A (Audacity Team ) C:\Users\Bobby\Downloads\audacity-win-2.0.exe
    2012-06-21 22:28 - 2012-06-21 22:28 - 00003690 ____A C:\Users\Bobby\.jmf-resource
    2012-06-21 22:18 - 2012-06-21 22:18 - 04994545 ____A C:\Users\Bobby\Downloads\krut_full_windows_0_9_3.zip
    2012-06-20 19:55 - 2012-06-20 19:55 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_dc3d_01009.Wdf
    2012-06-18 20:09 - 2012-06-18 20:08 - 733956096 ____A C:\Users\Bobby\Downloads\25th Hour (2002).avi
    2012-06-18 15:49 - 2012-06-18 15:48 - 18506296 ____A (Mozilla) C:\Users\Test\Downloads\Thunderbird Setup 13.0.1.exe
    2012-06-18 15:41 - 2012-06-18 15:41 - 00007864 ____A C:\Users\Test\Desktop\Book1.xlsx
    2012-06-18 14:19 - 2012-06-18 14:19 - 00115936 ____A C:\Users\Test\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-06-18 14:17 - 2012-06-18 14:17 - 00000020 ___SH C:\Users\Test\ntuser.ini
    2012-06-18 13:57 - 2012-06-18 13:57 - 18506296 ____A (Mozilla) C:\Users\Bobby\Downloads\Thunderbird Setup 13.0.1.exe
    2012-06-14 23:43 - 2012-06-14 23:19 - 1724041765 ____A C:\Users\Bobby\Downloads\Aziz Ansari - Dangerously Delicious.mov
    2012-06-13 18:32 - 2009-07-13 20:45 - 00432056 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-06-06 22:29 - 2012-06-06 22:29 - 00011851 ____A C:\Users\Bobby\Documents\Copy of NOW.xlsx
    2012-06-06 19:50 - 2011-03-22 23:17 - 00786334 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-06-06 19:29 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
    2012-06-06 17:24 - 2012-06-06 17:22 - 41623552 ____A C:\Users\Bobby\Downloads\PC recovery iso.iso
    2012-06-02 14:19 - 2012-06-21 08:13 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-21 08:13 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-21 08:13 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-21 08:13 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-21 08:13 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:15 - 2012-06-21 08:13 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-21 08:13 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 12:19 - 2012-06-21 08:12 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 12:15 - 2012-06-21 08:12 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-05-28 22:11 - 2012-01-17 13:55 - 00016432 ____A C:\Windows\System32\lsdelete.exe
    2012-05-17 14:36 - 2012-06-06 17:17 - 02468520 ____A C:\Windows\SysWOW64\BootMan.exe
    2012-05-15 08:13 - 2012-06-06 17:17 - 03316736 ____A C:\Windows\System32\BootMan.exe
    2012-04-26 17:03 - 2010-08-30 20:11 - 57848688 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe


    ZeroAccess:
    C:\Users\Bobby\AppData\Local\11e30dbc
    C:\Users\Bobby\AppData\Local\11e30dbc\@
    C:\Users\Bobby\AppData\Local\11e30dbc\loader.tlb

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 30%
    Total physical RAM: 1977.98 MB
    Available physical RAM: 1374.48 MB
    Total Pagefile: 1977.98 MB
    Available Pagefile: 1363.57 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ======================= Partitions =========================

    1 Drive c: (eMachines) (Fixed) (Total:136.94 GB) (Free:18.78 GB) NTFS
    2 Drive e: (PQSERVICE) (Fixed) (Total:12 GB) (Free:0.57 GB) NTFS
    4 Drive g: (ADATA UFD) (Removable) (Total:7.52 GB) (Free:7.17 GB) FAT32
    5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    6 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 149 GB 8 MB
    Disk 1 Online 7718 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Recovery 12 GB 31 KB
    Partition 2 Primary 101 MB 12 GB
    Partition 3 Primary 136 GB 12 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 E PQSERVICE NTFS Partition 12 GB Healthy Hidden

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y SYSTEM RESE NTFS Partition 101 MB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C eMachines NTFS Partition 136 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 7717 MB 31 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0C
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 G ADATA UFD FAT32 Removable 7717 MB Healthy

    ==================================================================================
    ==========================================================
    TDL4: custom:26000022 <===== ATTENTION!


    ==========================================================

    Last Boot: 2012-07-07 21:27

    ======================= End Of Log ==========================
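As an added example (not FRST code, and not anything either poster ran), here is a small Python triage script for the two line shapes in the FRST log above: it splits the log into its `==== Name ====` sections, parses file entries and service/driver entries, and flags what a reviewer reads first in such a log: services whose file is missing (`[x]`), drivers with no vendor information (`()`), executables dropped straight into `C:\Windows`, the 8-hex-character `AppData\Local` folder FRST listed under ZeroAccess, and the tool's own `ATTENTION` markers. The embedded sample log is a constructed excerpt of lines from the log in this post; the heuristics are the example's own, not FRST's, and a hit means "look at this", not "malicious".

```python
"""Triage of FRST scan-log lines (added example for this thread; not FRST code).
Recognises the two line shapes in the log above (file entries, service/driver
entries), groups lines by '==== Name ====' section and flags review items."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SECTION_RE = re.compile(r"^=+ (?P<name>.+?) =+$")
# 2012-07-04 09:58 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<vendor>[^)]*)\) )?(?P<path>.+)$"
)
# 3 epmntdrv; \??\C:\Windows\system32\epmntdrv.sys [16776 2011-07-29] ()
SVC_RE = re.compile(
    r'^(?P<start>\d) (?P<name>[^;]+); "?(?P<path>[^"\[]+?)"? '
    r"\[(?P<meta>[^\]]*)\](?: \((?P<vendor>[^)]*)\))?$"
)
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\")  # FRST prints bare paths under "ZeroAccess:"
# 8-hex-char folder under AppData\Local, the shape FRST listed as ZeroAccess above
HEX_DIR_RE = re.compile(r"\\AppData\\Local\\[0-9a-f]{8}(\\|$)", re.IGNORECASE)
# Executable code sitting directly in C:\Windows rather than in a subfolder
WINDOWS_ROOT_BIN_RE = re.compile(r"^C:\\Windows\\[^\\]+\.(exe|dll|sys)$", re.IGNORECASE)

@dataclass
class Finding:
    section: str
    item: str
    reason: str

def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the section header that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header["name"].strip()
            continue
        sections.setdefault(current, []).append(line)
    return sections

def check_service(section: str, m: re.Match) -> Optional[Finding]:
    if m["meta"] == "x":  # FRST writes [x] when the registered file is absent
        return Finding(section, m["path"], "registered service/driver whose file is missing")
    if m["vendor"] is not None and not m["vendor"].strip():  # "()" = no version info
        return Finding(section, m["path"], "driver binary carries no vendor/version information")
    return None

def check_path(section: str, path: str, vendor: Optional[str]) -> Optional[Finding]:
    if HEX_DIR_RE.search(path):
        return Finding(section, path, "8-hex-char folder under AppData\\Local (ZeroAccess-style)")
    if WINDOWS_ROOT_BIN_RE.match(path) and not vendor:
        return Finding(section, path, "unattributed executable placed directly in C:\\Windows")
    return None

def triage(text: str) -> List[Finding]:
    """Return review items found in an FRST log, in log order."""
    findings: List[Finding] = []
    for section, lines in split_sections(text).items():
        for line in lines:
            if (svc := SVC_RE.match(line)):
                hit = check_service(section, svc)
            elif (f := FILE_RE.match(line)):
                hit = check_path(section, f["path"], f["vendor"])
            elif BARE_PATH_RE.match(line):
                hit = check_path(section, line, None)
            elif "ATTENTION" in line:  # e.g. the TDL4 marker in the log above
                hit = Finding(section, line, "alert raised by the tool itself")
            else:
                hit = None
            if hit:
                findings.append(hit)
    return findings

# Constructed excerpt: lines copied from the FRST log posted above in this thread.
SAMPLE_LOG = r"""
==================== Services (Whitelisted) ======
2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44808 2012-06-28] (AVAST Software)
2 WinDefend; C:\Program Files (x86)\Windows Defender\mpsvc.dll [x]
========================== Drivers (Whitelisted) =============
3 epmntdrv; \??\C:\Windows\system32\epmntdrv.sys [16776 2011-07-29] ()
============ One Month Created Files and Folders ==============
2012-07-04 09:58 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-07-04 09:58 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
ZeroAccess:
C:\Users\Bobby\AppData\Local\11e30dbc\loader.tlb
TDL4: custom:26000022 <===== ATTENTION!
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit.section}] {hit.item}\n    -> {hit.reason}")
```

Run against a full log saved from FRST, the script prints five review items for the excerpt above; the ComboFix helper `MBR.exe` shows how an "unattributed file in C:\Windows" hit still needs a human to decide.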
     
  2. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ========================================================

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Next...

    See if you can boot normally.
     

  3. bbbbbb

    bbbbbb TS Rookie Topic Starter

    Thank you for helping!

    Ran fix, completed, restarted. Still no luck... BSOD soon after the Windows animation. Should I run it again or something?

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 16-07-2012 02
    Ran by SYSTEM at 2012-07-19 01:27:39 Run:1
    Running from G:\

    ==============================================

    DEFAULT hive was successfully copied to System32\config\HiveBackup
    DEFAULT hive was successfully restored from registry back up.
    SAM hive was successfully copied to System32\config\HiveBackup
    SAM hive was successfully restored from registry back up.
    SECURITY hive was successfully copied to System32\config\HiveBackup
    SECURITY hive was successfully restored from registry back up.
    SOFTWARE hive was successfully copied to System32\config\HiveBackup
    SOFTWARE hive was successfully restored from registry back up.
    SYSTEM hive was successfully copied to System32\config\HiveBackup
    SYSTEM hive was successfully restored from registry back up.

    ==== End of Fixlog ====
     
  4. bbbbbb

    bbbbbb TS Rookie Topic Starter

    Talked to a gentleman at Hitman Pro; after showing him my log, he suggested the fixlist with this:

    start
    TDL4: custom:26000022 <===== ATTENTION!
    end

    Solved my boot issue. I am now able to boot into Windows.

    Are there any specific programs I should now run to make sure the computer is fully clean? (I will run Malwarebytes and Avast again, yet just like last time, Hitman found stuff they didn't... and I don't want to get stuck in the boot loop again.)

    The computer runs incredibly slow....
     
  5. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Most likely you're still infected.

    Please post fresh FRST log.
     
  6. bbbbbb

    bbbbbb TS Rookie Topic Starter

    It actually seems to run fine now. Ran Hitman again; this time it didn't notice anything.

    Scan result of Farbar Recovery Scan Tool Version: 16-07-2012 02
    Ran by Bobby at 19-07-2012 21:05:50
    Running from C:\Users\Bobby\Downloads
    (X64) OS Language: English(US)
    Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

    ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.


    ============ One Month Created Files and Folders ==============

    2012-07-19 21:05 - 2012-07-19 21:05 - 01437107 ____A (Farbar) C:\Users\Bobby\Downloads\FRST64.exe
    2012-07-19 20:24 - 2012-07-19 20:24 - 00000408 ____A C:\Windows\Tasks\Ad-Aware Update (Weekly).job
    2012-07-19 05:37 - 2012-07-19 05:37 - 00001906 ____A C:\Users\Public\Desktop\HitmanPro.lnk
    2012-07-19 05:37 - 2012-07-19 05:37 - 00000000 ____D C:\Program Files\HitmanPro
    2012-07-19 05:36 - 2012-07-19 05:37 - 08834304 ____A (SurfRight B.V.) C:\Users\Bobby\Downloads\HitmanPro36_x64.exe
    2012-07-19 05:33 - 2012-07-19 05:34 - 02136664 ____A (Kaspersky Lab ZAO) C:\Users\Bobby\Downloads\tdsskiller.exe
    2012-07-19 05:16 - 2012-07-19 05:16 - 00001931 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
    2012-07-19 04:27 - 2012-07-19 04:27 - 00000000 ____D C:\Windows\System32\config\HiveBackup
    2012-07-18 05:25 - 2012-07-19 21:05 - 00000000 ____D C:\FRST
    2012-07-11 01:07 - 2012-07-13 18:26 - 00000000 ____D C:\Windows\Cursors
    2012-07-10 21:45 - 2012-07-11 01:18 - 00000000 ____D C:\Users\All Users\HitmanPro
    2012-07-10 21:44 - 2012-07-19 05:32 - 07718272 ____A (SurfRight B.V.) C:\Users\Bobby\Downloads\HitmanPro36.exe
    2012-07-08 13:21 - 2012-07-19 05:22 - 00000000 ____D C:\Users\Bobby\Desktop\dad stuff
    2012-07-08 01:00 - 2012-07-19 20:23 - 00000370 ____A C:\Windows\setupact.log
    2012-07-08 01:00 - 2012-07-08 01:00 - 00000000 ____A C:\Windows\setuperr.log
    2012-07-07 23:57 - 2012-07-07 23:58 - 00078844 ____A C:\Users\Bobby\Documents\cc_20120707_235757.reg
    2012-07-07 23:55 - 2012-07-07 23:56 - 00000000 ____D C:\Malwarebytes' Anti-Malware
    2012-07-07 23:55 - 2012-07-07 23:55 - 00000717 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-07 23:54 - 2012-07-07 23:54 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\Bobby\Downloads\mbam-setup-1.61.0.1400.exe
    2012-07-07 23:51 - 2012-07-10 19:49 - 00010033 ____A C:\Users\Bobby\Desktop\Book1.xlsx
    2012-07-05 00:26 - 2012-07-05 00:32 - 00000000 ____D C:\Users\Bobby\Downloads\500.Days.Of.Summer.BDRip.XviD-ARiGOLD
    2012-07-04 12:58 - 2011-06-26 01:45 - 00256000 ____A C:\Windows\PEV.exe
    2012-07-04 12:58 - 2010-11-07 12:20 - 00208896 ____A C:\Windows\MBR.exe
    2012-07-04 12:58 - 2009-04-19 23:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2012-07-04 12:58 - 2000-08-30 19:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2012-07-04 12:58 - 2000-08-30 19:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2012-07-04 12:58 - 2000-08-30 19:00 - 00098816 ____A C:\Windows\sed.exe
    2012-07-04 12:58 - 2000-08-30 19:00 - 00080412 ____A C:\Windows\grep.exe
    2012-07-04 12:58 - 2000-08-30 19:00 - 00068096 ____A C:\Windows\zip.exe
    2012-07-04 12:57 - 2012-07-04 19:27 - 00000000 ___SD C:\ComboFix
    2012-07-04 12:53 - 2012-07-04 12:57 - 00000000 ____D C:\Qoobox
    2012-07-04 09:37 - 2012-07-04 14:40 - 00000000 ____D C:\Windows\erdnt
    2012-07-04 00:54 - 2012-07-03 11:21 - 00355856 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
    2012-07-04 00:54 - 2012-07-03 11:21 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
    2012-07-04 00:53 - 2012-07-19 05:16 - 00000000 ____A C:\Windows\SysWOW64\config.nt
    2012-07-04 00:53 - 2012-07-03 11:21 - 00958400 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
    2012-07-04 00:53 - 2012-07-03 11:21 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
    2012-07-04 00:53 - 2012-07-03 11:21 - 00071064 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
    2012-07-04 00:53 - 2012-07-03 11:21 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
    2012-07-04 00:53 - 2012-07-03 11:21 - 00054072 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
    2012-07-04 00:52 - 2012-07-04 00:52 - 00000000 ____D C:\Users\All Users\AVAST Software
    2012-07-04 00:52 - 2012-07-04 00:52 - 00000000 ____D C:\Program Files\AVAST Software
    2012-07-04 00:52 - 2012-07-03 11:21 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
    2012-07-04 00:52 - 2012-07-03 11:21 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
    2012-06-29 05:33 - 2012-06-29 05:34 - 00000092 ____A C:\Users\Bobby\Desktop\realitysnap.txt
    2012-06-29 02:06 - 2012-06-29 02:16 - 00000000 ____D C:\Users\Bobby\Downloads\Being.Flynn.2012.LiMiTED.DVDRip.XviD-DEPRiVED
    2012-06-29 02:06 - 2012-06-29 02:12 - 00000000 ____D C:\Users\Bobby\Downloads\God.Bless.America.2011.LIMITED.DVDRip.XviD-AMIABLE
    2012-06-29 01:38 - 2012-06-29 01:39 - 00000116 ____A C:\Users\Bobby\Desktop\bike.txt
    2012-06-27 18:14 - 2012-07-10 20:26 - 00000319 ____A C:\Users\Bobby\Desktop\eating plan.txt
    2012-06-27 01:19 - 2012-06-27 01:19 - 00000000 ____D C:\Users\Test\AppData\Roaming\Adobe
    2012-06-25 03:19 - 2012-06-25 03:19 - 00000000 ____D C:\Users\Bobby\Downloads\CamStudioCodec-1.4-w32
    2012-06-25 03:19 - 2010-10-24 00:56 - 00049664 ____A (CamStudio Group) C:\Windows\System32\CamCodec.dll
    2012-06-25 03:18 - 2012-06-25 03:18 - 04472121 ____A (CamStudio Open Source Dev Team ) C:\Users\Bobby\Downloads\CamStudio_Setup_v2.6b_r294_(build_24Oct2010).exe
    2012-06-25 03:18 - 2012-06-25 03:18 - 00034510 ____A C:\Users\Bobby\Downloads\CamStudioCodec-1.4-w32.zip
    2012-06-25 03:17 - 2012-06-25 03:17 - 20786971 ____A (Audacity Team ) C:\Users\Bobby\Downloads\audacity-win-2.0.exe
    2012-06-22 01:28 - 2012-06-22 01:28 - 00003690 ____A C:\Users\Bobby\.jmf-resource
    2012-06-22 01:25 - 2012-06-22 01:25 - 00000000 ____D C:\Users\Bobby\Downloads\krut_full_windows_0_9_3
    2012-06-22 01:24 - 2012-06-22 01:24 - 00000000 ____D C:\Windows\SysWOW64\CSIDL_PERSONAL
    2012-06-22 01:23 - 2012-06-22 01:25 - 00000000 ____D C:\Users\Bobby\AppData\Local\uTIPu
    2012-06-22 01:22 - 2012-06-22 01:41 - 00000000 ____D C:\Program Files (x86)\uTIPu
    2012-06-22 01:18 - 2012-06-22 01:18 - 04994545 ____A C:\Users\Bobby\Downloads\krut_full_windows_0_9_3.zip
    2012-06-22 01:17 - 2012-06-22 01:46 - 00000000 ____D C:\Program Files (x86)\UltraVNC Addons
    2012-06-22 01:01 - 2012-06-25 03:19 - 00000000 ____D C:\Program Files (x86)\CamStudio 2.6b
    2012-06-21 11:13 - 2012-06-02 17:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-21 11:13 - 2012-06-02 17:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-21 11:13 - 2012-06-02 17:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-21 11:13 - 2012-06-02 17:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-21 11:13 - 2012-06-02 17:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-21 11:13 - 2012-06-02 17:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-21 11:13 - 2012-06-02 17:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-21 11:12 - 2012-06-02 15:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-21 11:12 - 2012-06-02 15:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-20 22:55 - 2012-06-20 22:55 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_dc3d_01009.Wdf
    2012-06-19 18:06 - 2012-07-19 21:05 - 00000000 ____D C:\Users\Bobby\AppData\Local\Thunderbird
    2012-06-19 18:06 - 2012-06-19 18:06 - 00000000 ____D C:\Users\Bobby\AppData\Roaming\Thunderbird
    2012-06-19 18:04 - 2012-07-19 21:05 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird

    ============ 3 Months Modified Files ========================

    2012-07-19 21:05 - 2012-07-19 21:05 - 01437107 ____A (Farbar) C:\Users\Bobby\Downloads\FRST64.exe
    2012-07-19 20:32 - 2009-07-13 23:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-19 20:32 - 2009-07-13 23:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-19 20:28 - 2010-05-13 17:01 - 01427681 ____A C:\Windows\WindowsUpdate.log
    2012-07-19 20:26 - 2010-08-21 06:42 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-07-19 20:24 - 2012-07-19 20:24 - 00000408 ____A C:\Windows\Tasks\Ad-Aware Update (Weekly).job
    2012-07-19 20:24 - 2010-08-21 06:42 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-07-19 20:23 - 2012-07-08 01:00 - 00000370 ____A C:\Windows\setupact.log
    2012-07-19 20:23 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-19 20:22 - 2012-02-20 22:15 - 00007836 ____A C:\aaw7boot.log
    2012-07-19 10:16 - 2009-07-14 00:13 - 00796206 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-19 09:15 - 2011-03-23 02:17 - 00809704 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-07-19 05:37 - 2012-07-19 05:37 - 00001906 ____A C:\Users\Public\Desktop\HitmanPro.lnk
    2012-07-19 05:37 - 2012-07-19 05:36 - 08834304 ____A (SurfRight B.V.) C:\Users\Bobby\Downloads\HitmanPro36_x64.exe
    2012-07-19 05:34 - 2012-07-19 05:33 - 02136664 ____A (Kaspersky Lab ZAO) C:\Users\Bobby\Downloads\tdsskiller.exe
    2012-07-19 05:32 - 2012-07-10 21:44 - 07718272 ____A (SurfRight B.V.) C:\Users\Bobby\Downloads\HitmanPro36.exe
    2012-07-19 05:22 - 2012-01-20 02:08 - 00000064 ____A C:\Windows\SysWOW64\rp_stats.dat
    2012-07-19 05:22 - 2012-01-20 02:08 - 00000044 ____A C:\Windows\SysWOW64\rp_rules.dat
    2012-07-19 05:16 - 2012-07-19 05:16 - 00001931 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
    2012-07-19 05:16 - 2012-07-04 00:53 - 00000000 ____A C:\Windows\SysWOW64\config.nt
    2012-07-10 20:26 - 2012-06-27 18:14 - 00000319 ____A C:\Users\Bobby\Desktop\eating plan.txt
    2012-07-10 19:49 - 2012-07-07 23:51 - 00010033 ____A C:\Users\Bobby\Desktop\Book1.xlsx
    2012-07-08 01:00 - 2012-07-08 01:00 - 00000000 ____A C:\Windows\setuperr.log
    2012-07-07 23:58 - 2012-07-07 23:57 - 00078844 ____A C:\Users\Bobby\Documents\cc_20120707_235757.reg
    2012-07-07 23:55 - 2012-07-07 23:55 - 00000717 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-07 23:54 - 2012-07-07 23:54 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\Bobby\Downloads\mbam-setup-1.61.0.1400.exe
    2012-07-03 11:21 - 2012-07-04 00:54 - 00355856 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
    2012-07-03 11:21 - 2012-07-04 00:54 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
    2012-07-03 11:21 - 2012-07-04 00:53 - 00958400 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
    2012-07-03 11:21 - 2012-07-04 00:53 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
    2012-07-03 11:21 - 2012-07-04 00:53 - 00071064 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
    2012-07-03 11:21 - 2012-07-04 00:53 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
    2012-07-03 11:21 - 2012-07-04 00:53 - 00054072 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
    2012-07-03 11:21 - 2012-07-04 00:52 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
    2012-07-03 11:21 - 2012-07-04 00:52 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
    2012-07-01 23:43 - 2012-06-14 03:06 - 00012047 ____A C:\Users\Bobby\Desktop\NOW.xlsx
    2012-06-29 05:34 - 2012-06-29 05:33 - 00000092 ____A C:\Users\Bobby\Desktop\realitysnap.txt
    2012-06-29 01:39 - 2012-06-29 01:38 - 00000116 ____A C:\Users\Bobby\Desktop\bike.txt
    2012-06-25 03:18 - 2012-06-25 03:18 - 04472121 ____A (CamStudio Open Source Dev Team ) C:\Users\Bobby\Downloads\CamStudio_Setup_v2.6b_r294_(build_24Oct2010).exe
    2012-06-25 03:18 - 2012-06-25 03:18 - 00034510 ____A C:\Users\Bobby\Downloads\CamStudioCodec-1.4-w32.zip
    2012-06-25 03:17 - 2012-06-25 03:17 - 20786971 ____A (Audacity Team ) C:\Users\Bobby\Downloads\audacity-win-2.0.exe
    2012-06-22 01:28 - 2012-06-22 01:28 - 00003690 ____A C:\Users\Bobby\.jmf-resource
    2012-06-22 01:18 - 2012-06-22 01:18 - 04994545 ____A C:\Users\Bobby\Downloads\krut_full_windows_0_9_3.zip
    2012-06-20 22:55 - 2012-06-20 22:55 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_dc3d_01009.Wdf
    2012-06-18 23:09 - 2012-06-18 23:08 - 733956096 ____A C:\Users\Bobby\Downloads\25th Hour (2002).avi
    2012-06-18 18:49 - 2012-06-18 18:48 - 18506296 ____A (Mozilla) C:\Users\Test\Downloads\Thunderbird Setup 13.0.1.exe
    2012-06-18 18:41 - 2012-06-18 18:41 - 00007864 ____A C:\Users\Test\Desktop\Book1.xlsx
    2012-06-18 17:19 - 2012-06-18 17:19 - 00115936 ____A C:\Users\Test\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-06-18 17:17 - 2012-06-18 17:17 - 00000020 ___SH C:\Users\Test\ntuser.ini
    2012-06-18 16:57 - 2012-06-18 16:57 - 18506296 ____A (Mozilla) C:\Users\Bobby\Downloads\Thunderbird Setup 13.0.1.exe
    2012-06-15 02:43 - 2012-06-15 02:19 - 1724041765 ____A C:\Users\Bobby\Downloads\Aziz Ansari - Dangerously Delicious.mov
    2012-06-13 21:32 - 2009-07-13 23:45 - 00432056 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-06-07 01:29 - 2012-06-07 01:29 - 00011851 ____A C:\Users\Bobby\Documents\Copy of NOW.xlsx
    2012-06-06 22:29 - 2009-07-13 21:34 - 00000478 ____A C:\Windows\win.ini
    2012-06-06 20:24 - 2012-06-06 20:22 - 41623552 ____A C:\Users\Bobby\Downloads\PC recovery iso.iso
    2012-06-02 17:19 - 2012-06-21 11:13 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 17:19 - 2012-06-21 11:13 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 17:19 - 2012-06-21 11:13 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 17:19 - 2012-06-21 11:13 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 17:19 - 2012-06-21 11:13 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 17:15 - 2012-06-21 11:13 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 17:15 - 2012-06-21 11:13 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 15:19 - 2012-06-21 11:12 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 15:15 - 2012-06-21 11:12 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-05-29 01:11 - 2012-01-17 16:55 - 00016432 ____A C:\Windows\System32\lsdelete.exe
    2012-05-17 17:36 - 2012-06-06 20:17 - 02468520 ____A C:\Windows\SysWOW64\BootMan.exe
    2012-05-15 11:13 - 2012-06-06 20:17 - 03316736 ____A C:\Windows\System32\BootMan.exe
    2012-04-26 20:03 - 2010-08-30 23:11 - 57848688 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe


    ZeroAccess:
    C:\Users\Bobby\AppData\Local\11e30dbc
    C:\Users\Bobby\AppData\Local\11e30dbc\@
    C:\Users\Bobby\AppData\Local\11e30dbc\loader.tlb

    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ========================= Memory info ======================

    Percentage of memory in use: 60%
    Total physical RAM: 1977.98 MB
    Available physical RAM: 778.88 MB
    Total Pagefile: 3955.96 MB
    Available Pagefile: 2594.29 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.88 MB

    ======================= Partitions =========================

    1 Drive c: (eMachines) (Fixed) (Total:136.94 GB) (Free:18.19 GB) NTFS

    Disk ###  Status         Size     Free     Dyn  Gpt
    --------  -------------  -------  -------  ---  ---
    Disk 0    Online         149 GB   8 MB

    Partitions of Disk 0:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Recovery          12 GB    31 KB
    Partition 2    Primary           101 MB   12 GB
    Partition 3    Primary           136 GB   12 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 4       PQSERVICE    NTFS   Partition   12 GB    Healthy    Hidden

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 2       SYSTEM RESE  NTFS   Partition   101 MB   Healthy    System (partition with boot components)

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 3  C    eMachines    NTFS   Partition   136 GB   Healthy    Boot

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-08 00:27

    ======================= End Of Log ==========================

  7. Broni (Malware Annihilator)


    You ran the tool from within Windows.
    That's not the right way, but it looks good enough to use some other tools.

    ============================================

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

  8. bbbbbb (TS Rookie, Topic Starter)


    Sorry for the delay. Ran combofix.


    ComboFix 12-07-19.02 - Bobby 07/19/2012 21:20:01.2.1 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1978.1095 [GMT -5:00]
    Running from: c:\users\Bobby\Downloads\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\program files (x86)\lol\LeagueofLegends\0x0409.ini
    c:\program files (x86)\lol\LeagueofLegends\data1.cab
    c:\program files (x86)\lol\LeagueofLegends\data1.hdr
    c:\program files (x86)\lol\LeagueofLegends\data2.cab
    c:\program files (x86)\lol\LeagueofLegends\ISSetup.dll
    c:\program files (x86)\lol\LeagueofLegends\layout.bin
    c:\program files (x86)\lol\LeagueofLegends\setup.exe
    c:\program files (x86)\lol\LeagueofLegends\setup.ini
    c:\program files (x86)\lol\LeagueofLegends\setup.inx
    c:\program files (x86)\lol\LeagueofLegends\setup.isn
    c:\users\Bobby\AppData\Local\11e30dbc\U\80000000.@
    c:\windows\Downloaded Program Files\Cursors\aero_arrow.cur
    c:\windows\Downloaded Program Files\Cursors\aero_arrow_l.cur
    c:\windows\Downloaded Program Files\Cursors\aero_arrow_xl.cur
    c:\windows\Downloaded Program Files\Cursors\aero_busy.ani
    c:\windows\Downloaded Program Files\Cursors\aero_busy_l.ani
    c:\windows\Downloaded Program Files\Cursors\aero_busy_xl.ani
    c:\windows\Downloaded Program Files\Cursors\aero_ew.cur
    c:\windows\Downloaded Program Files\Cursors\aero_ew_l.cur
    c:\windows\Downloaded Program Files\Cursors\aero_ew_xl.cur
    c:\windows\Downloaded Program Files\Cursors\aero_helpsel.cur
    c:\windows\Downloaded Program Files\Cursors\aero_helpsel_l.cur
    c:\windows\Downloaded Program Files\Cursors\aero_helpsel_xl.cur
    c:\windows\Downloaded Program Files\Cursors\aero_link.cur
    c:\windows\Downloaded Program Files\Cursors\aero_link_l.cur
    c:\windows\Downloaded Program Files\Cursors\aero_link_xl.cur
    c:\windows\Downloaded Program Files\Cursors\aero_move.cur
    c:\windows\Downloaded Program Files\Cursors\aero_move_l.cur
    c:\windows\Downloaded Program Files\Cursors\aero_move_xl.cur
    c:\windows\Downloaded Program Files\Cursors\aero_nesw.cur
    c:\windows\Downloaded Program Files\Cursors\aero_nesw_l.cur
    c:\windows\Downloaded Program Files\Cursors\aero_nesw_xl.cur
    c:\windows\Downloaded Program Files\Cursors\aero_ns.cur
    c:\windows\Downloaded Program Files\Cursors\aero_ns_l.cur
    c:\windows\Downloaded Program Files\Cursors\aero_ns_xl.cur
    c:\windows\Downloaded Program Files\Cursors\aero_nwse.cur
    c:\windows\Downloaded Program Files\Cursors\aero_nwse_l.cur
    c:\windows\Downloaded Program Files\Cursors\aero_nwse_xl.cur
    c:\windows\Downloaded Program Files\Cursors\aero_pen.cur
    c:\windows\Downloaded Program Files\Cursors\aero_pen_l.cur
    c:\windows\Downloaded Program Files\Cursors\aero_pen_xl.cur
    c:\windows\Downloaded Program Files\Cursors\aero_unavail.cur
    c:\windows\Downloaded Program Files\Cursors\aero_unavail_l.cur
    c:\windows\Downloaded Program Files\Cursors\aero_unavail_xl.cur
    c:\windows\Downloaded Program Files\Cursors\aero_up.cur
    c:\windows\Downloaded Program Files\Cursors\aero_up_l.cur
    c:\windows\Downloaded Program Files\Cursors\aero_up_xl.cur
    c:\windows\Downloaded Program Files\Cursors\aero_working.ani
    c:\windows\Downloaded Program Files\Cursors\aero_working_l.ani
    c:\windows\Downloaded Program Files\Cursors\aero_working_xl.ani
    c:\windows\Downloaded Program Files\Cursors\arrow_i.cur
    c:\windows\Downloaded Program Files\Cursors\arrow_il.cur
    c:\windows\Downloaded Program Files\Cursors\arrow_im.cur
    c:\windows\Downloaded Program Files\Cursors\arrow_l.cur
    c:\windows\Downloaded Program Files\Cursors\arrow_m.cur
    c:\windows\Downloaded Program Files\Cursors\arrow_r.cur
    c:\windows\Downloaded Program Files\Cursors\arrow_rl.cur
    c:\windows\Downloaded Program Files\Cursors\arrow_rm.cur
    c:\windows\Downloaded Program Files\Cursors\beam_i.cur
    c:\windows\Downloaded Program Files\Cursors\beam_il.cur
    c:\windows\Downloaded Program Files\Cursors\beam_im.cur
    c:\windows\Downloaded Program Files\Cursors\beam_l.cur
    c:\windows\Downloaded Program Files\Cursors\beam_m.cur
    c:\windows\Downloaded Program Files\Cursors\beam_r.cur
    c:\windows\Downloaded Program Files\Cursors\beam_rl.cur
    c:\windows\Downloaded Program Files\Cursors\beam_rm.cur
    c:\windows\Downloaded Program Files\Cursors\busy_i.cur
    c:\windows\Downloaded Program Files\Cursors\busy_il.cur
    c:\windows\Downloaded Program Files\Cursors\busy_im.cur
    c:\windows\Downloaded Program Files\Cursors\busy_l.cur
    c:\windows\Downloaded Program Files\Cursors\busy_m.cur
    c:\windows\Downloaded Program Files\Cursors\busy_r.cur
    c:\windows\Downloaded Program Files\Cursors\busy_rl.cur
    c:\windows\Downloaded Program Files\Cursors\busy_rm.cur
    c:\windows\Downloaded Program Files\Cursors\cross_i.cur
    c:\windows\Downloaded Program Files\Cursors\cross_il.cur
    c:\windows\Downloaded Program Files\Cursors\cross_im.cur
    c:\windows\Downloaded Program Files\Cursors\cross_l.cur
    c:\windows\Downloaded Program Files\Cursors\cross_m.cur
    c:\windows\Downloaded Program Files\Cursors\cross_r.cur
    c:\windows\Downloaded Program Files\Cursors\cross_rl.cur
    c:\windows\Downloaded Program Files\Cursors\cross_rm.cur
    c:\windows\Downloaded Program Files\Cursors\help_i.cur
    c:\windows\Downloaded Program Files\Cursors\help_il.cur
    c:\windows\Downloaded Program Files\Cursors\help_im.cur
    c:\windows\Downloaded Program Files\Cursors\help_l.cur
    c:\windows\Downloaded Program Files\Cursors\help_m.cur
    c:\windows\Downloaded Program Files\Cursors\help_r.cur
    c:\windows\Downloaded Program Files\Cursors\help_rl.cur
    c:\windows\Downloaded Program Files\Cursors\help_rm.cur
    c:\windows\Downloaded Program Files\Cursors\lappstrt.cur
    c:\windows\Downloaded Program Files\Cursors\larrow.cur
    c:\windows\Downloaded Program Files\Cursors\lcross.cur
    c:\windows\Downloaded Program Files\Cursors\libeam.cur
    c:\windows\Downloaded Program Files\Cursors\lmove.cur
    c:\windows\Downloaded Program Files\Cursors\lnesw.cur
    c:\windows\Downloaded Program Files\Cursors\lnodrop.cur
    c:\windows\Downloaded Program Files\Cursors\lns.cur
    c:\windows\Downloaded Program Files\Cursors\lnwse.cur
    c:\windows\Downloaded Program Files\Cursors\lwait.cur
    c:\windows\Downloaded Program Files\Cursors\lwe.cur
    c:\windows\Downloaded Program Files\Cursors\move_i.cur
    c:\windows\Downloaded Program Files\Cursors\move_il.cur
    c:\windows\Downloaded Program Files\Cursors\move_im.cur
    c:\windows\Downloaded Program Files\Cursors\move_l.cur
    c:\windows\Downloaded Program Files\Cursors\move_m.cur
    c:\windows\Downloaded Program Files\Cursors\move_r.cur
    c:\windows\Downloaded Program Files\Cursors\move_rl.cur
    c:\windows\Downloaded Program Files\Cursors\move_rm.cur
    c:\windows\Downloaded Program Files\Cursors\no_i.cur
    c:\windows\Downloaded Program Files\Cursors\no_il.cur
    c:\windows\Downloaded Program Files\Cursors\no_im.cur
    c:\windows\Downloaded Program Files\Cursors\no_l.cur
    c:\windows\Downloaded Program Files\Cursors\no_m.cur
    c:\windows\Downloaded Program Files\Cursors\no_r.cur
    c:\windows\Downloaded Program Files\Cursors\no_rl.cur
    c:\windows\Downloaded Program Files\Cursors\no_rm.cur
    c:\windows\Downloaded Program Files\Cursors\pen_i.cur
    c:\windows\Downloaded Program Files\Cursors\pen_il.cur
    c:\windows\Downloaded Program Files\Cursors\pen_im.cur
    c:\windows\Downloaded Program Files\Cursors\pen_l.cur
    c:\windows\Downloaded Program Files\Cursors\pen_m.cur
    c:\windows\Downloaded Program Files\Cursors\pen_r.cur
    c:\windows\Downloaded Program Files\Cursors\pen_rl.cur
    c:\windows\Downloaded Program Files\Cursors\pen_rm.cur
    c:\windows\Downloaded Program Files\Cursors\size1_i.cur
    c:\windows\Downloaded Program Files\Cursors\size1_il.cur
    c:\windows\Downloaded Program Files\Cursors\size1_im.cur
    c:\windows\Downloaded Program Files\Cursors\size1_l.cur
    c:\windows\Downloaded Program Files\Cursors\size1_m.cur
    c:\windows\Downloaded Program Files\Cursors\size1_r.cur
    c:\windows\Downloaded Program Files\Cursors\size1_rl.cur
    c:\windows\Downloaded Program Files\Cursors\size1_rm.cur
    c:\windows\Downloaded Program Files\Cursors\size2_i.cur
    c:\windows\Downloaded Program Files\Cursors\size2_il.cur
    c:\windows\Downloaded Program Files\Cursors\size2_im.cur
    c:\windows\Downloaded Program Files\Cursors\size2_l.cur
    c:\windows\Downloaded Program Files\Cursors\size2_m.cur
    c:\windows\Downloaded Program Files\Cursors\size2_r.cur
    c:\windows\Downloaded Program Files\Cursors\size2_rl.cur
    c:\windows\Downloaded Program Files\Cursors\size2_rm.cur
    c:\windows\Downloaded Program Files\Cursors\size3_i.cur
    c:\windows\Downloaded Program Files\Cursors\size3_il.cur
    c:\windows\Downloaded Program Files\Cursors\size3_im.cur
    c:\windows\Downloaded Program Files\Cursors\size3_l.cur
    c:\windows\Downloaded Program Files\Cursors\size3_m.cur
    c:\windows\Downloaded Program Files\Cursors\size3_r.cur
    c:\windows\Downloaded Program Files\Cursors\size3_rl.cur
    c:\windows\Downloaded Program Files\Cursors\size3_rm.cur
    c:\windows\Downloaded Program Files\Cursors\size4_i.cur
    c:\windows\Downloaded Program Files\Cursors\size4_il.cur
    c:\windows\Downloaded Program Files\Cursors\size4_im.cur
    c:\windows\Downloaded Program Files\Cursors\size4_l.cur
    c:\windows\Downloaded Program Files\Cursors\size4_m.cur
    c:\windows\Downloaded Program Files\Cursors\size4_r.cur
    c:\windows\Downloaded Program Files\Cursors\size4_rl.cur
    c:\windows\Downloaded Program Files\Cursors\size4_rm.cur
    c:\windows\Downloaded Program Files\Cursors\up_i.cur
    c:\windows\Downloaded Program Files\Cursors\up_il.cur
    c:\windows\Downloaded Program Files\Cursors\up_im.cur
    c:\windows\Downloaded Program Files\Cursors\up_l.cur
    c:\windows\Downloaded Program Files\Cursors\up_m.cur
    c:\windows\Downloaded Program Files\Cursors\up_r.cur
    c:\windows\Downloaded Program Files\Cursors\up_rl.cur
    c:\windows\Downloaded Program Files\Cursors\up_rm.cur
    c:\windows\Downloaded Program Files\Cursors\wait_i.cur
    c:\windows\Downloaded Program Files\Cursors\wait_il.cur
    c:\windows\Downloaded Program Files\Cursors\wait_im.cur
    c:\windows\Downloaded Program Files\Cursors\wait_l.cur
    c:\windows\Downloaded Program Files\Cursors\wait_m.cur
    c:\windows\Downloaded Program Files\Cursors\wait_r.cur
    c:\windows\Downloaded Program Files\Cursors\wait_rl.cur
    c:\windows\Downloaded Program Files\Cursors\wait_rm.cur
    c:\windows\Fonts\TI89FAKE.ttf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-20 to 2012-07-20 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-20 02:28 . 2012-07-20 02:28 -------- d-----w- c:\users\Test\AppData\Local\temp
    2012-07-20 02:28 . 2012-07-20 02:28 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-07-19 10:37 . 2012-07-19 10:37 -------- d-----w- c:\program files\HitmanPro
    2012-07-18 10:25 . 2012-07-20 02:05 -------- d-----w- C:\FRST
    2012-07-11 06:07 . 2012-07-13 23:26 -------- d-----w- c:\windows\Cursors
    2012-07-11 02:45 . 2012-07-11 06:18 -------- d-----w- c:\programdata\HitmanPro
    2012-07-08 04:55 . 2012-07-08 04:56 -------- d-----w- C:\Malwarebytes' Anti-Malware
    2012-07-04 05:54 . 2012-07-03 16:21 355856 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-07-04 05:54 . 2012-07-03 16:21 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-07-04 05:53 . 2012-07-03 16:21 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2012-07-04 05:53 . 2012-07-03 16:21 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-07-04 05:53 . 2012-07-03 16:21 958400 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-07-04 05:53 . 2012-07-03 16:21 71064 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-07-04 05:53 . 2012-07-03 16:21 285328 ----a-w- c:\windows\system32\aswBoot.exe
    2012-07-04 05:52 . 2012-07-03 16:21 41224 ----a-w- c:\windows\avastSS.scr
    2012-07-04 05:52 . 2012-07-03 16:21 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2012-07-04 05:52 . 2012-07-04 05:52 -------- d-----w- c:\programdata\AVAST Software
    2012-07-04 05:52 . 2012-07-04 05:52 -------- d-----w- c:\program files\AVAST Software
    2012-06-27 06:45 . 2012-06-27 06:45 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
    2012-06-27 06:45 . 2012-06-27 06:45 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
    2012-06-25 08:19 . 2010-10-24 05:56 49664 ----a-w- c:\windows\system32\CamCodec.dll
    2012-06-22 06:24 . 2012-06-22 06:24 -------- d-----w- c:\windows\SysWow64\CSIDL_PERSONAL
    2012-06-22 06:23 . 2012-06-22 06:25 -------- d-----w- c:\users\Bobby\AppData\Local\uTIPu
    2012-06-22 06:22 . 2012-06-22 06:41 -------- d-----w- c:\program files (x86)\uTIPu
    2012-06-22 06:17 . 2012-06-22 06:46 -------- d-----w- c:\program files (x86)\UltraVNC Addons
    2012-06-22 06:01 . 2012-06-25 08:19 -------- d-----w- c:\program files (x86)\CamStudio 2.6b
    2012-06-21 16:13 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-21 16:13 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-21 16:13 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-21 16:13 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-21 16:13 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-21 16:13 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-21 16:13 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-21 16:12 . 2012-06-02 20:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-21 16:12 . 2012-06-02 20:15 36864 ----a-w- c:\windows\system32\wuapp.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-29 06:11 . 2012-01-17 21:55 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2012-05-17 22:36 . 2012-06-07 01:17 2468520 ----a-w- c:\windows\SysWow64\BootMan.exe
    2012-05-15 16:13 . 2012-06-07 01:17 3316736 ----a-w- c:\windows\system32\BootMan.exe
    2012-04-27 01:03 . 2010-08-31 04:11 57848688 ----a-w- c:\windows\system32\MRT.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2009-12-24 284696]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
    .
    c:\users\Bobby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    RocketDock.lnk - c:\program files (x86)\RocketDock\RocketDock.exe [2010-8-21 495616]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\prwntdrv]
    @=""
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-21 135664]
    R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-12-24 13336]
    R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-07-28 52584]
    R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-07-29 16776]
    R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-07-29 9096]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-21 135664]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-27 113120]
    R3 prwntdrv;prwntdrv;c:\windows\system32\prwntdrv.sys [2010-08-26 16776]
    R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2012-01-18 19936]
    R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2012-01-18 13280]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-09-02 225280]
    R3 TS_AR5416;[CommView] Atheros AR5008 Wireless Network Adapter Service 7.7;c:\windows\system32\DRIVERS\ts_athwx.sys [2011-01-06 18:45 2156968]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-26 1255736]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 23040]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2011-11-03 69376]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-07-03 71064]
    S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe [2010-03-03 325200]
    S2 ePowerSvc;Acer ePower Service;c:\program files\eMachines\eMachines Power Management\ePowerSvc.exe [2010-02-06 865824]
    S2 GREGService;GREGService;c:\program files (x86)\eMachines\Registration\GREGsvc.exe [2010-01-08 23584]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2012-05-29 2152720]
    S2 Updater Service;Updater Service;c:\program files\eMachines\eMachines Updater\UpdaterService.exe [2010-01-28 243232]
    S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2010-02-22 75304]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [2012-01-17 17152]
    S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2009-12-16 1084448]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - LAVASOFT_KERNEXPLORER
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-11-03 06:11]
    .
    2012-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-21 11:42]
    .
    2012-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-21 11:42]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-07-03 16:21 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-03-23 10134560]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-15 165912]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-15 387608]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-03-15 365592]
    "Acer ePower Management"="c:\program files\eMachines\eMachines Power Management\ePowerTray.exe" [2010-02-06 860192]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e527&r=27360810l225l0454z1j5r4582r21r
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\users\Bobby\AppData\Roaming\Mozilla\Firefox\Profiles\9dnwcabq.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - google.com
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Toolbar-Locked - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{207A1422-7CE2-3F0D-CB0619EAC3E5A348}\{36711064-4D57-673B-128E50084FEF4668}\{C13F5A8B-0B9D-FCC2-F6ECFF62882D3E51}*]
    "XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
    12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-19 21:40:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-20 02:40
    .
    Pre-Run: 19,524,304,896 bytes free
    Post-Run: 19,892,490,240 bytes free
    .
    - - End Of File - - A70B2ED97C5C815C7E5C0A7AE8153254
     
  9. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    You're running two AV programs, Lavasoft Ad-Watch Live! Anti-Virus and Avast.
    You must uninstall one of them.
    I suggest Lavasoft goes.

    Next...

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    RegNull::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{207A1422-7CE2-3F0D-CB0619EAC3E5A348}\{36711064-4D57-673B-128E50084FEF4668}\{C13F5A8B-0B9D-FCC2-F6ECFF62882D3E51}*]
    
    Folder::
    C:\Users\Bobby\AppData\Local\11e30dbc
    C:\FRST
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
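    Two things in the ComboFix log above can be checked mechanically rather than by eye, and the script below is an added example of doing so. It is editor-written code, not Broni's, TechSpot's or ComboFix's, and its two heuristics are the editor's own: (1) the key targeted by the `RegNull::` line has three brace-delimited path components, none of which has the 8-4-4-4-12 hex shape of a real COM CLSID, which is an objective reason to single it out among the other locked keys (the FlashBroker and Shockwave Flash entries all carry well-formed GUIDs); (2) the `policies\system` block shows `EnableLUA`, `ConsentPromptBehaviorAdmin` and `PromptOnSecureDesktop` all set to 0, meaning UAC is switched off entirely, which is worth re-enabling once the machine is clean. `SAMPLE_LOG` is a constructed excerpt assembled from lines of the log posted in this thread so the script runs offline.

```python
"""Triage helper for a ComboFix log (added example; not code from the thread or from ComboFix).

Two checks a reviewer normally does by eye:
  1. values under the policies\\system key that disable or weaken UAC;
  2. keys under LOCKED REGISTRY KEYS whose {...} path components are not
     well-formed GUIDs (a real COM CLSID is 8-4-4-4-12 hex digits).
"""
import re

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
BRACE_RE = re.compile(r"\{[^{}]*\}")
# ComboFix marks a locked key with a trailing '*' inside the brackets; strip it.
KEY_RE = re.compile(r"^\[(HKEY_[^\]*]+)\*?\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(\S+)')

# Value name -> predicate meaning "UAC weakened" (editor's thresholds, not ComboFix's).
UAC_WEAK = {
    "EnableLUA": lambda v: v == 0,                   # 0: UAC off entirely
    "ConsentPromptBehaviorAdmin": lambda v: v == 0,  # 0: admins elevate without any prompt
    "PromptOnSecureDesktop": lambda v: v == 0,       # 0: prompt not shown on the secure desktop
}


def parse_int(token):
    """Accept both 'dword:00000001' and the '0 (0x0)' style ComboFix prints."""
    if token.lower().startswith("dword:"):
        return int(token[6:], 16)
    try:
        return int(token, 0)
    except ValueError:
        return None


def uac_findings(log_text):
    """Return [(value_name, int_value)] for weakened UAC settings found in the log."""
    findings, current = [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        if current and current.endswith(r"\policies\system"):
            v = VALUE_RE.match(line)
            if v and v.group(1) in UAC_WEAK:
                n = parse_int(v.group(2))
                if n is not None and UAC_WEAK[v.group(1)](n):
                    findings.append((v.group(1), n))
    return findings


def malformed_locked_keys(log_text):
    """Return locked-key paths containing a brace group that is not a well-formed GUID."""
    bad, in_locked = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if "LOCKED REGISTRY KEYS" in line:
            in_locked = True
            continue
        if in_locked and "Other Running Processes" in line:
            break
        m = KEY_RE.match(line) if in_locked else None
        if m and any(not GUID_RE.fullmatch(g) for g in BRACE_RE.findall(m.group(1))):
            bad.append(m.group(1))
    return bad


def report(log_text):
    lines = [f"UAC weakened: {name}={val}" for name, val in uac_findings(log_text)]
    lines += [f"Locked key with malformed GUID: {p}" for p in malformed_locked_keys(log_text)]
    return lines


# Constructed excerpt: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{207A1422-7CE2-3F0D-CB0619EAC3E5A348}\{36711064-4D57-673B-128E50084FEF4668}\{C13F5A8B-0B9D-FCC2-F6ECFF62882D3E51}*]
"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
"""

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

    Run against the full log, the script prints three UAC lines and exactly one locked-key line, the same key Broni's `RegNull::` directive targets. The GUID-shape test is a triage aid, not proof of malice; a hit still needs the usual checks (what loads the key, whether the referenced binary is signed, whether the value survives a reboot) before it is nulled.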
     
  10. bbbbbb

    bbbbbb TS Rookie Topic Starter

    Done and done.

    ComboFix 12-07-19.02 - Bobby 07/19/2012 23:22:49.3.1 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1978.995 [GMT -5:00]
    Running from: c:\users\Bobby\Downloads\ComboFix.exe
    Command switches used :: c:\users\Bobby\Downloads\cfscript.txt
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\FRST
    c:\frst\Hives\default
    c:\frst\Hives\sam
    c:\frst\Hives\security
    c:\frst\Hives\software
    c:\frst\Hives\system
    c:\frst\Logs\ct
    c:\frst\Logs\Fixlog_19-07-2012_01-27-49.txt
    c:\frst\Logs\Fixlog_19-07-2012_05-14-08.txt
    c:\frst\Logs\FRST_18-07-2012_02-26-38.txt
    c:\frst\Logs\FRST_19-07-2012_21-06-39.txt
    c:\frst\softdebug
    c:\users\Bobby\AppData\Local\11e30dbc
    c:\users\Bobby\AppData\Local\11e30dbc\@
    c:\users\Bobby\AppData\Local\11e30dbc\loader.tlb
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-20 to 2012-07-20 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-20 04:33 . 2012-07-20 04:33 -------- d-----w- c:\users\Test\AppData\Local\temp
    2012-07-20 04:33 . 2012-07-20 04:33 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-07-19 10:37 . 2012-07-19 10:37 -------- d-----w- c:\program files\HitmanPro
    2012-07-11 06:07 . 2012-07-13 23:26 -------- d-----w- c:\windows\Cursors
    2012-07-11 02:45 . 2012-07-11 06:18 -------- d-----w- c:\programdata\HitmanPro
    2012-07-08 04:55 . 2012-07-08 04:56 -------- d-----w- C:\Malwarebytes' Anti-Malware
    2012-07-04 05:54 . 2012-07-03 16:21 355856 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-07-04 05:54 . 2012-07-03 16:21 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-07-04 05:53 . 2012-07-03 16:21 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2012-07-04 05:53 . 2012-07-03 16:21 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-07-04 05:53 . 2012-07-03 16:21 958400 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-07-04 05:53 . 2012-07-03 16:21 71064 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-07-04 05:53 . 2012-07-03 16:21 285328 ----a-w- c:\windows\system32\aswBoot.exe
    2012-07-04 05:52 . 2012-07-03 16:21 41224 ----a-w- c:\windows\avastSS.scr
    2012-07-04 05:52 . 2012-07-03 16:21 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2012-07-04 05:52 . 2012-07-04 05:52 -------- d-----w- c:\programdata\AVAST Software
    2012-07-04 05:52 . 2012-07-04 05:52 -------- d-----w- c:\program files\AVAST Software
    2012-06-27 06:45 . 2012-06-27 06:45 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
    2012-06-27 06:45 . 2012-06-27 06:45 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
    2012-06-25 08:19 . 2010-10-24 05:56 49664 ----a-w- c:\windows\system32\CamCodec.dll
    2012-06-22 06:24 . 2012-06-22 06:24 -------- d-----w- c:\windows\SysWow64\CSIDL_PERSONAL
    2012-06-22 06:23 . 2012-06-22 06:25 -------- d-----w- c:\users\Bobby\AppData\Local\uTIPu
    2012-06-22 06:22 . 2012-06-22 06:41 -------- d-----w- c:\program files (x86)\uTIPu
    2012-06-22 06:17 . 2012-06-22 06:46 -------- d-----w- c:\program files (x86)\UltraVNC Addons
    2012-06-22 06:01 . 2012-06-25 08:19 -------- d-----w- c:\program files (x86)\CamStudio 2.6b
    2012-06-21 16:13 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-21 16:13 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-21 16:13 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-21 16:13 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-21 16:13 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-21 16:13 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-21 16:13 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-21 16:12 . 2012-06-02 20:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-21 16:12 . 2012-06-02 20:15 36864 ----a-w- c:\windows\system32\wuapp.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-17 22:36 . 2012-06-07 01:17 2468520 ----a-w- c:\windows\SysWow64\BootMan.exe
    2012-05-15 16:13 . 2012-06-07 01:17 3316736 ----a-w- c:\windows\system32\BootMan.exe
    2012-04-27 01:03 . 2010-08-31 04:11 57848688 ----a-w- c:\windows\system32\MRT.exe
    2006-05-03 16:06 163328 --sha-r- c:\windows\SysWOW64\flvDX.dll
    2007-02-21 17:47 31232 --sha-r- c:\windows\SysWOW64\msfDX.dll
    2008-03-16 19:30 216064 --sha-r- c:\windows\SysWOW64\nbDX.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-07-20_02.32.38 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-07-14 04:54 . 2012-07-20 02:30 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:54 . 2012-07-20 04:36 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-07-14 04:54 . 2012-07-20 02:30 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2012-07-20 04:36 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2012-07-20 02:30 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2012-07-20 04:36 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-04-02 06:02 . 2012-07-20 02:34 41104 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-07-20 02:34 42330 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2010-08-21 11:23 . 2012-07-20 02:34 10904 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2574007798-2293190819-3817904843-1000_UserData.bin
    - 2010-08-21 11:30 . 2012-07-20 01:27 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-08-21 11:30 . 2012-07-20 02:35 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-08-21 11:30 . 2012-07-20 02:35 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2010-08-21 11:30 . 2012-07-20 01:27 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2010-08-21 11:30 . 2012-07-20 01:27 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-08-21 11:30 . 2012-07-20 02:35 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-08-21 11:25 . 2012-07-20 02:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-08-21 11:25 . 2012-07-20 04:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-08-21 11:25 . 2012-07-20 02:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-08-21 11:25 . 2012-07-20 04:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2012-07-20 02:30 . 2012-07-20 02:30 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-07-20 04:34 . 2012-07-20 04:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-07-20 04:34 . 2012-07-20 04:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-07-20 02:30 . 2012-07-20 02:30 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2009-07-14 05:01 . 2012-07-20 02:29 411128 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2012-07-20 04:33 411128 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-10-31 09:02 . 2012-07-20 04:33 1227688 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2574007798-2293190819-3817904843-1000-12288.dat
    - 2011-10-31 09:02 . 2012-07-20 02:29 1227688 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2574007798-2293190819-3817904843-1000-12288.dat
    - 2009-07-14 02:34 . 2012-07-19 10:43 10485760 c:\windows\system32\SMI\Store\Machine\schema.dat
    + 2009-07-14 02:34 . 2012-07-20 04:06 10485760 c:\windows\system32\SMI\Store\Machine\schema.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2009-12-24 284696]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
    .
    c:\users\Bobby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    RocketDock.lnk - c:\program files (x86)\RocketDock\RocketDock.exe [2010-8-21 495616]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\prwntdrv]
    @=""
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-21 135664]
    R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-07-28 52584]
    R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-07-29 16776]
    R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-07-29 9096]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-21 135664]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-27 113120]
    R3 prwntdrv;prwntdrv;c:\windows\system32\prwntdrv.sys [2010-08-26 16776]
    R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2012-01-18 19936]
    R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2012-01-18 13280]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-09-02 225280]
    R3 TS_AR5416;[CommView] Atheros AR5008 Wireless Network Adapter Service 7.7;c:\windows\system32\DRIVERS\ts_athwx.sys [2011-01-06 18:45 2156968]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-26 1255736]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 23040]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-07-03 71064]
    S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe [2010-03-03 325200]
    S2 ePowerSvc;Acer ePower Service;c:\program files\eMachines\eMachines Power Management\ePowerSvc.exe [2010-02-06 865824]
    S2 GREGService;GREGService;c:\program files (x86)\eMachines\Registration\GREGsvc.exe [2010-01-08 23584]
    S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-12-24 13336]
    S2 Updater Service;Updater Service;c:\program files\eMachines\eMachines Updater\UpdaterService.exe [2010-01-28 243232]
    S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2010-02-22 75304]
    S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2009-12-16 1084448]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-21 11:42]
    .
    2012-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-21 11:42]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-07-03 16:21 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-03-23 10134560]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-15 165912]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-15 387608]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-03-15 365592]
    "Acer ePower Management"="c:\program files\eMachines\eMachines Power Management\ePowerTray.exe" [2010-02-06 860192]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e527&r=27360810l225l0454z1j5r4582r21r
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\users\Bobby\AppData\Roaming\Mozilla\Firefox\Profiles\9dnwcabq.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - google.com
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-19 23:43:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-20 04:43
    ComboFix2.txt 2012-07-20 02:40
    .
    Pre-Run: 20,225,941,504 bytes free
    Post-Run: 19,706,200,064 bytes free
    .
    - - End Of File - - 6C9141501BAA54748BF73000B56D43D9
     
  11. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Looks good :)

    Any current issues?

    ==================================

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer IF MBAM asks you to do so.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    =======================================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  12. bbbbbb

    bbbbbb TS Rookie Topic Starter

    Computer runs great! Thank you.

    Ran malwarebytes. No detections. Left out OTL.

    Thank you so much for your help!

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.07.20.03

    Windows 7 x64 NTFS
    Internet Explorer 8.0.7600.16385
    Bobby :: BOBBY-LAPTOP [administrator]

    7/19/2012 11:59:20 PM
    mbam-log-2012-07-19 (23-59-20).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 211470
    Time elapsed: 5 minute(s), 14 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
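    Broni's instructions above ask for the MBAM log to be posted back, and bbbbbb's reply shows what a clean one looks like. When you triage these logs regularly it is worth having a small parser that pulls out the database version, the object count and the per-category detection counts, and that flags a "Delete on reboot" entry or a paste whose item lines do not match the reported counts. The following Python is an added example written for this page, not code from the thread or from Malwarebytes. The first sample is condensed from the clean log posted above; the second sample, with its CLSID, paths and family names, is constructed for illustration. The item-line format `<object> (<family>) -> <action>.` is assumed from MBAM 1.x logs.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample, condensed from the clean log posted in the thread.
CLEAN_LOG = r"""Malwarebytes Anti-Malware 1.62.0.1300
Database version: v2012.07.20.03
Objects scanned: 211470

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
"""

# Constructed sample with findings; the CLSID, paths and names are invented placeholders.
DIRTY_LOG = r"""Malwarebytes Anti-Malware 1.62.0.1300
Database version: v2012.07.20.03
Objects scanned: 198201

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCR\CLSID\{00000000-0000-0000-0000-EXAMPLE00000} (Trojan.Agent) -> Quarantined and deleted successfully.

Files Detected: 2
C:\Users\example\AppData\Local\Temp\example.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\example\AppData\Roaming\example.dll (Rogue.FakeHDD) -> Delete on reboot.

(end)
"""

# "<Category> Detected: <n>" opens a section. Item lines inside it are assumed to read
# "<object> (<family>) -> <action>." as they do in MBAM 1.x logs.
COUNT_RE = re.compile(r"^(?P<category>[A-Za-z ]+?) Detected: (?P<n>\d+)$")
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class MbamSummary:
    database: str = ""
    objects_scanned: int = 0
    counts: dict = field(default_factory=dict)    # category -> count the tool reported
    findings: list = field(default_factory=list)  # dicts: category, obj, family, action

    def total(self):
        return sum(self.counts.values())

    def clean(self):
        return self.total() == 0

    def needs_reboot(self):
        # "Delete on reboot" means removal is not finished until the machine restarts.
        return any("reboot" in f["action"].lower() for f in self.findings)

    def unparsed(self):
        # Categories whose reported count differs from the item lines actually present:
        # a sign of a truncated or hand-edited paste.
        seen = Counter(f["category"] for f in self.findings)
        return {c: n for c, n in self.counts.items() if n != seen.get(c, 0)}


def parse_mbam_log(text):
    s = MbamSummary()
    section = None  # category of the "Detected:" block we are inside, if any
    for raw in text.splitlines():
        ln = raw.strip()
        m = COUNT_RE.match(ln)
        if m:
            section = m.group("category")
            s.counts[section] = int(m.group("n"))
        elif not ln or ln.startswith("("):
            section = None  # blank line, "(No malicious items detected)" or "(end)"
        elif section is not None:
            im = ITEM_RE.match(ln)
            if im:
                s.findings.append({"category": section, **im.groupdict()})
        elif ln.startswith("Database version: "):
            s.database = ln.split(": ", 1)[1]
        elif ln.startswith("Objects scanned: "):
            s.objects_scanned = int(ln.split(": ", 1)[1])
    return s
```

    `parse_mbam_log(CLEAN_LOG).clean()` is true for the posted log, while the constructed dirty log yields three findings and `needs_reboot()` true, which is exactly the case where Broni's "restart the computer IF MBAM asks you to do so" matters. `unparsed()` returning a non-empty dict tells the helper that the poster trimmed or mangled the paste and the full log should be requested again.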
     
  13. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Good :)

    Go on....
     
Topic Status:
Not open for further replies.
