Another Sirefef infection, laptop keeps rebooting!!

Solved
By Slammy
Aug 11, 2012
  1. Ran FRST as ive read over and over but apparently someone has to write a file to stop the rebooting so here I am.

    Please help me guys! This is my work laptop so formatting is not an option!

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===========================================

    Please observe forum rules: http://www.techspot.com/community/topics/read-this-or-you-might-not-get-help.182638/
    5. All required logs have to be PASTED. Attached logs will NOT be reviewed.
    If a log or logs exceed the limit for one reply, you may use more than one reply. The above rule will be strictly enforced. Pasted logs can be handled easier and faster by malware helpers.
  3. Slammy

    Slammy Newcomer, in training Topic Starter Posts: 19

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 10-08-2012
    Ran by SYSTEM at 11-08-2012 13:25:26
    Running from D:\
    Windows Vista (TM) Home Premium Service Pack 1 (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [288040 2010-04-05] (Alps Electric Co., Ltd.)
    HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe [3810304 2008-11-17] (Dell Inc.)
    HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2009-01-16] (Intel Corporation)
    HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [173592 2009-01-16] (Intel Corporation)
    HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [150552 2009-01-16] (Intel Corporation)
    HKLM\...\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [1439496 2010-10-19] (Intuit Inc. All rights reserved.)
    HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [2960032 2010-06-09] (Dell Inc.)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe [495708 2010-02-25] (IDT, Inc.)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKU\slammy\...\Run: [VistaBatterySaver] C:\Program Files\SharpSoft\Vista Battery Saver\VistaBatterySaver.exe [481280 2009-04-14] (Tamir Khason)
    HKU\slammy\...\Run: [WLSync] "C:\Program Files\Windows Live\Mesh\WLSync.exe" /background [1449824 2012-03-08] (Microsoft Corporation)
    Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
    Tcpip\Parameters: [DhcpNameServer] 68.113.206.10 24.217.0.5 71.92.29.130
    Startup: C:\Users\slammy\Start Menu\Programs\Startup\Dell Dock.lnk
    ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

    ================================ Services (Whitelisted) ==================

    2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_0145da1d\aestsrv.exe [81920 2009-03-02] (Andrea Electronics Corporation)
    2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [155648 2010-01-11] (Stardock Corporation)
    2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-20] (Microsoft Corporation)
    2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_0145da1d\STacSV.exe [229458 2010-02-25] (IDT, Inc.)
    2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
    3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
    2 QBCFMonitorService; "c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe" [x]
    3 QBFCService; "c:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe" [x]
    2 yksvc; RUNDLL32.EXE ykx32coinst,serviceStartProc [x]

    ========================== Drivers (Whitelisted) =============

    4 adpu160m; C:\Windows\system32\drivers\adpu160m.sys [101432 2008-01-20] (Adaptec, Inc.)
    3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18424 2008-11-17] (Broadcom Corporation)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    3 pneteth; C:\Windows\System32\DRIVERS\pneteth.sys [13312 2010-09-02] (June Fabrics Technology Inc.)
    3 pnetmdm; C:\Windows\System32\DRIVERS\pnetmdm.sys [9472 2006-09-28] (June Fabrics Technology)
    3 RDPDISPM; C:\Windows\System32\DRIVERS\rdpdispm.sys [15488 2010-09-22] (Microsoft Corporation)
    3 USB_RNDIS; C:\Windows\System32\DRIVERS\usb8023.sys [15872 2009-04-10] (Microsoft Corporation)
    3 usb_rndisx; C:\Windows\System32\DRIVERS\usb8023x.sys [15872 2009-04-10] (Microsoft Corporation)
    3 DFSR; [x]
    0 iaStor; C:\Windows\System32\drivers\iastor.sys [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
    4 UmRdpService; [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-11 12:12 - 2012-08-11 12:12 - 00000000 ____D C:\FRST
    2012-08-11 09:22 - 2012-08-11 09:22 - 00000000 ____D C:\Users\Public\Desktop\CC Support
    2012-08-11 09:02 - 2012-08-11 08:56 - 04731392 ____A (AVAST Software) C:\Users\slammy\Desktop\aswMBR.exe
    2012-08-11 08:23 - 2012-08-11 08:23 - 00000680 ____A C:\Users\slammy\AppData\Local\d3d9caps.dat
    2012-08-10 23:20 - 2012-08-10 23:20 - 00001974 ____A C:\Windows\PFRO.log
    2012-08-10 23:10 - 2012-08-11 08:25 - 00005079 ____A C:\Windows\WindowsUpdate.log
    2012-08-10 23:10 - 2012-08-10 23:10 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-08-10 19:37 - 2012-08-10 19:37 - 10288512 ____A (Microsoft Corporation) C:\Users\slammy\Desktop\mseinstall.exe
    2012-08-10 19:35 - 2012-08-10 19:35 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-08-10 19:01 - 2012-08-10 19:01 - 00000000 ____D C:\Users\slammy\AppData\Local\{AE77CC3B-94CF-44A9-B073-B12554291EC5}
    2012-08-10 19:01 - 2012-08-10 19:01 - 00000000 ____D C:\Users\slammy\AppData\Local\{A0AD0FDA-1BA1-450C-A6ED-CE4805D6AD00}
    2012-08-05 16:31 - 2012-08-05 16:31 - 00000000 ____D C:\Users\slammy\AppData\Local\{DEFAEDA8-605F-4D8F-84D8-45A0435C0B35}
    2012-08-05 16:31 - 2012-08-05 16:31 - 00000000 ____D C:\Users\slammy\AppData\Local\{C2E83932-F32F-4D1D-8928-FB7F04A468EA}
    2012-08-03 13:03 - 2012-08-03 13:04 - 00000374 ____A C:\Users\slammy\Desktop\Cover Page.txt
    2012-08-03 12:49 - 2012-08-03 12:50 - 00000000 ____D C:\Users\slammy\AppData\Local\{96828AE6-655C-4111-A54B-FC7DC45E6BBD}
    2012-08-03 12:49 - 2012-08-03 12:49 - 00000000 ____D C:\Users\slammy\AppData\Local\{9407B296-49A1-436A-99A3-BE9BA2333014}
    2012-08-02 16:49 - 2012-08-02 16:49 - 00000000 ____D C:\Users\slammy\AppData\Local\{9CFC2084-F7AF-4FEF-8CED-030AE3F80C1A}
    2012-08-02 16:48 - 2012-08-02 16:49 - 00000000 ____D C:\Users\slammy\AppData\Local\{77650C92-F427-412E-8FE6-DE3E2AE65BA8}
    2012-08-02 04:48 - 2012-08-02 04:48 - 00000000 ____D C:\Users\slammy\AppData\Local\{FE600656-1544-42E5-B3C1-024058755D38}
    2012-08-02 04:48 - 2012-08-02 04:48 - 00000000 ____D C:\Users\slammy\AppData\Local\{B2A4DD7D-C50B-4803-B5F7-4BE819C0D894}
    2012-08-01 08:57 - 2012-08-01 08:57 - 00000000 ____D C:\Users\slammy\AppData\Local\{EC76A203-D0C3-4A77-BC8E-DC422D680B94}
    2012-08-01 08:57 - 2012-08-01 08:57 - 00000000 ____D C:\Users\slammy\AppData\Local\{B419E3A5-6A20-4FD3-B44B-542F95F34964}
    2012-07-31 20:37 - 2012-07-31 20:37 - 00000000 ____D C:\Users\slammy\AppData\Local\{AA5DBF74-24FF-4004-A865-C1626B1BF298}
    2012-07-31 08:36 - 2012-07-31 20:37 - 00000000 ____D C:\Users\slammy\AppData\Local\{159331AE-3643-4079-8A19-02DED5A94E4F}
    2012-07-31 08:36 - 2012-07-31 08:36 - 00000000 ____D C:\Users\slammy\AppData\Local\{8E6433A0-686F-46E6-A6C3-19065DD24005}
    2012-07-30 19:20 - 2012-07-30 19:21 - 00000000 ____D C:\Users\slammy\AppData\Local\{29D5ABC8-33EE-4A4B-B484-01DF5F6B4FB8}
    2012-07-30 07:20 - 2012-07-30 19:20 - 00000000 ____D C:\Users\slammy\AppData\Local\{F22B3001-BC05-4B32-A065-1B7355CDD5FC}
    2012-07-30 07:20 - 2012-07-30 07:20 - 00000000 ____D C:\Users\slammy\AppData\Local\{F05A302C-BCF1-4D43-B050-AB3A30A540D0}
    2012-07-29 09:07 - 2012-07-29 09:08 - 00000000 ____D C:\Users\slammy\AppData\Local\{AC3BD8B3-4A82-42BE-8AD4-68FF1FAAC685}
    2012-07-29 09:07 - 2012-07-29 09:07 - 00000000 ____D C:\Users\slammy\AppData\Local\{641DDA37-4C01-46F5-BEED-D90298353001}
    2012-07-20 05:16 - 2012-07-20 05:16 - 00000000 ____D C:\Users\slammy\AppData\Local\{C37CEB8B-E731-4F68-880B-B9EEDAAA6FFA}
    2012-07-20 05:15 - 2012-07-20 05:16 - 00000000 ____D C:\Users\slammy\AppData\Local\{27A67F9A-6834-416F-BE87-99983D76650D}
    2012-07-19 11:52 - 2012-07-19 11:52 - 00000000 ____D C:\Users\slammy\AppData\Local\{F6E7BCD4-D596-47E2-9AC4-14E01938F730}
    2012-07-19 11:52 - 2012-07-19 11:52 - 00000000 ____D C:\Users\slammy\AppData\Local\{5ECF5A32-0EBF-4A07-99A4-8718FBF2D762}
    2012-07-18 20:43 - 2012-07-18 20:43 - 00000000 ____D C:\Users\slammy\AppData\Local\{F15880ED-D9C1-48E2-8AB9-AD18DA26E324}
    2012-07-18 20:43 - 2012-07-18 20:43 - 00000000 ____D C:\Users\slammy\AppData\Local\{ACA9FF47-C8F3-4D1D-9BA3-E495CA42CAA3}
    2012-07-18 08:42 - 2012-07-18 08:42 - 00000000 ____D C:\Users\slammy\AppData\Local\{3AE6CB12-ED06-4B73-9800-51BFFDB79A3B}
    2012-07-18 08:42 - 2012-07-18 08:42 - 00000000 ____D C:\Users\slammy\AppData\Local\{299EEC4D-98CC-4A91-910D-134992D3EA9B}
    2012-07-17 08:17 - 2012-07-17 08:17 - 00000000 ____D C:\Users\slammy\AppData\Local\{F9236600-E5A1-45D9-9EDA-129D55FEF9C4}
    2012-07-17 08:17 - 2012-07-17 08:17 - 00000000 ____D C:\Users\slammy\AppData\Local\{6B370060-A394-4E2D-B55A-B08BA38F05BD}
    2012-07-16 20:16 - 2012-07-16 20:17 - 00000000 ____D C:\Users\slammy\AppData\Local\{783DF1A1-E3E9-4B8B-B7C9-4E510240C3F0}
    2012-07-16 08:16 - 2012-07-16 08:16 - 00000000 ____D C:\Users\slammy\AppData\Local\{3ED17D7F-8BBE-46A8-9F35-684BF854E353}
    2012-07-16 08:15 - 2012-07-16 20:16 - 00000000 ____D C:\Users\slammy\AppData\Local\{39941FAA-1ABA-4837-B566-BF024A27C78F}
    2012-07-15 17:56 - 2012-07-15 17:56 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-07-15 09:04 - 2012-07-15 09:04 - 00000000 ____D C:\Users\slammy\AppData\Local\{B98E6E5D-6F91-4EAE-9AD2-9891C0646FEA}
    2012-07-15 09:03 - 2012-07-15 09:04 - 00000000 ____D C:\Users\slammy\AppData\Local\{F69B395B-82A4-456A-9ACE-D2CDF386D817}
    2012-07-14 20:21 - 2012-06-13 05:40 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-07-14 20:19 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-07-14 20:19 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-07-14 20:19 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-07-14 20:19 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-07-14 20:19 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-07-14 20:19 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-07-14 20:19 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-07-14 20:19 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-07-14 20:19 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-07-14 20:19 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-07-14 20:19 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-07-14 20:19 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-07-14 20:19 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-07-14 20:19 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-07-14 20:18 - 2012-06-08 09:47 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-07-14 20:18 - 2012-06-05 08:47 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-07-14 20:18 - 2012-06-05 08:47 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-07-14 20:17 - 2012-06-04 07:26 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-07-14 20:17 - 2012-06-01 16:04 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-07-14 20:17 - 2012-06-01 16:03 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-07-14 19:19 - 2012-07-14 19:19 - 06660096 ____A C:\Users\slammy\Documents\Slammys Garage2 (Backup Jul 14,2012 10 19 PM).QBB
    2012-07-14 14:06 - 2012-07-14 14:06 - 00000000 ____D C:\Users\slammy\AppData\Local\{47F020FB-FEE8-45E5-ACBD-A5150059AE18}
    2012-07-14 14:05 - 2012-07-14 14:06 - 00000000 ____D C:\Users\slammy\AppData\Local\{DCE94A03-CF5B-4C37-8CB3-95DA47DA6339}
    2012-07-13 19:06 - 2012-07-13 19:06 - 00000000 ____D C:\Users\slammy\AppData\Local\{DDEEE0F7-F798-4D10-BFD2-3DB56B91EE05}
    2012-07-13 19:06 - 2012-07-13 19:06 - 00000000 ____D C:\Users\slammy\AppData\Local\{8A1B7B34-BB5D-456D-A61C-89D4516050CA}
    2012-07-13 06:38 - 2012-07-13 06:39 - 00000000 ____D C:\Users\slammy\AppData\Local\{D2155C7D-D45C-415B-910D-23F12B81333D}
    2012-07-13 06:38 - 2012-07-13 06:38 - 00000000 ____D C:\Users\slammy\AppData\Local\{3700BD2C-6B66-4D16-BCDD-2B593134351A}
    2012-07-12 11:23 - 2012-07-12 11:23 - 00000000 ____D C:\Users\slammy\AppData\Local\{CD50EBFD-96EE-4E77-9C75-63E6A4C31516}
    2012-07-12 11:23 - 2012-07-12 11:23 - 00000000 ____D C:\Users\slammy\AppData\Local\{7278598E-F5BE-47B6-A298-1401A340DD6E}

    ============ 3 Months Modified Files ========================

    2012-08-11 10:20 - 2006-11-02 04:47 - 00003744 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-11 10:20 - 2006-11-02 04:47 - 00003744 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-11 10:19 - 2011-11-05 13:32 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cc9c027b1db267.job
    2012-08-11 10:19 - 2009-05-26 09:31 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-08-11 10:18 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-11 10:13 - 2012-01-01 12:11 - 00002243 ____A C:\Windows\epplauncher.mif
    2012-08-11 09:22 - 2006-11-02 02:33 - 00706654 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-11 08:56 - 2012-08-11 09:02 - 04731392 ____A (AVAST Software) C:\Users\slammy\Desktop\aswMBR.exe
    2012-08-11 08:25 - 2012-08-10 23:10 - 00005079 ____A C:\Windows\WindowsUpdate.log
    2012-08-11 08:23 - 2012-08-11 08:23 - 00000680 ____A C:\Users\slammy\AppData\Local\d3d9caps.dat
    2012-08-10 23:20 - 2012-08-10 23:20 - 00001974 ____A C:\Windows\PFRO.log
    2012-08-10 23:18 - 2011-11-05 13:27 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-08-10 22:44 - 2006-11-02 05:01 - 00032632 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-08-10 19:40 - 2009-03-03 02:59 - 00000516 ____A C:\Users\slammy\AppData\Roaming\wklnhst.dat
    2012-08-10 19:37 - 2012-08-10 19:37 - 10288512 ____A (Microsoft Corporation) C:\Users\slammy\Desktop\mseinstall.exe
    2012-08-10 19:35 - 2012-08-10 19:35 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-08-10 19:35 - 2011-06-16 15:01 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-08-03 13:04 - 2012-08-03 13:03 - 00000374 ____A C:\Users\slammy\Desktop\Cover Page.txt
    2012-07-14 22:37 - 2006-11-02 02:23 - 00443459 ___RA C:\Windows\System32\Drivers\etc\hosts.20120810-223925.backup
    2012-07-14 21:56 - 2006-11-02 04:47 - 00288264 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-14 20:20 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-07-14 19:19 - 2012-07-14 19:19 - 06660096 ____A C:\Users\slammy\Documents\Slammys Garage2 (Backup Jul 14,2012 10 19 PM).QBB
    2012-06-17 20:16 - 2006-11-02 02:23 - 00442859 ___RA C:\Windows\System32\Drivers\etc\hosts.20120715-013738.backup
    2012-06-13 05:40 - 2012-07-14 20:21 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-11 18:32 - 2012-06-11 18:32 - 06664192 ____A C:\Users\slammy\Documents\Slammys Garage2 (Backup Jun 11,2012 09 32 PM).QBB
    2012-06-08 09:47 - 2012-07-14 20:18 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-05 08:47 - 2012-07-14 20:18 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-05 08:47 - 2012-07-14 20:18 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-04 07:26 - 2012-07-14 20:17 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-02 14:19 - 2012-06-24 09:10 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-24 09:10 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-24 09:10 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-24 09:09 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-24 09:09 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:12 - 2012-06-24 09:10 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:12 - 2012-06-24 09:09 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 12:19 - 2012-06-24 09:09 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 12:12 - 2012-06-24 09:09 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 01:07 - 2012-07-14 20:19 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-02 00:43 - 2012-07-14 20:19 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-02 00:33 - 2012-07-14 20:19 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-02 00:26 - 2012-07-14 20:19 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-02 00:25 - 2012-07-14 20:19 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-02 00:25 - 2012-07-14 20:19 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-02 00:23 - 2012-07-14 20:19 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-02 00:21 - 2012-07-14 20:19 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-02 00:20 - 2012-07-14 20:19 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-02 00:19 - 2012-07-14 20:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-02 00:19 - 2012-07-14 20:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-02 00:17 - 2012-07-14 20:19 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-02 00:16 - 2012-07-14 20:19 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-02 00:14 - 2012-07-14 20:19 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-01 16:04 - 2012-07-14 20:17 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 16:03 - 2012-07-14 20:17 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

    ZeroAccess:
    C:\Windows\Installer\{20a3a2df-46fb-b1a8-904f-0d447c9082db}
    C:\Windows\Installer\{20a3a2df-46fb-b1a8-904f-0d447c9082db}\@
    C:\Windows\Installer\{20a3a2df-46fb-b1a8-904f-0d447c9082db}\L
    C:\Windows\Installer\{20a3a2df-46fb-b1a8-904f-0d447c9082db}\n
    C:\Windows\Installer\{20a3a2df-46fb-b1a8-904f-0d447c9082db}\U

    ZeroAccess:
    C:\Users\slammy\AppData\Local\{20a3a2df-46fb-b1a8-904f-0d447c9082db}
    C:\Users\slammy\AppData\Local\{20a3a2df-46fb-b1a8-904f-0d447c9082db}\@
    C:\Users\slammy\AppData\Local\{20a3a2df-46fb-b1a8-904f-0d447c9082db}\L
    C:\Users\slammy\AppData\Local\{20a3a2df-46fb-b1a8-904f-0d447c9082db}\U
    C:\Users\slammy\AppData\Local\{20a3a2df-46fb-b1a8-904f-0d447c9082db}\U\00000001.@

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 9%
    Total physical RAM: 3031.63 MB
    Available physical RAM: 2734.35 MB
    Total Pagefile: 2932.28 MB
    Available Pagefile: 2802.96 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1980.93 MB

    ======================= Partitions =========================

    1 Drive c: (OS) (Fixed) (Total:139.24 GB) (Free:84.51 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: () (Removable) (Total:1.92 GB) (Free:1.84 GB) FAT
    5 Drive x: (RECOVERY) (Fixed) (Total:9.77 GB) (Free:4.54 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 149 GB 0 B
    Disk 1 No Media 0 B 0 B
    Disk 2 Online 1968 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 39 MB 32 KB
    Partition 2 Primary 10 GB 40 MB
    Partition 3 Primary 139 GB 10 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 5 FAT Partition 39 MB Healthy Hidden

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 X RECOVERY NTFS Partition 10 GB Healthy Boot

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C OS NTFS Partition 139 GB Healthy

    ==================================================================================

    Partitions of Disk 2:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 1968 MB 32 KB

    ==================================================================================

    Disk: 2
    Partition 1
    Type : 06
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 D FAT Removable 1968 MB Healthy

    ==================================================================================

    Last Boot: 2012-08-10 23:05

    ======================= End Of Log ==========================
  4. Slammy

    Slammy Newcomer, in training Topic Starter Posts: 19

    Farbar Recovery Scan Tool Version: 10-08-2012
    Ran by SYSTEM at 2012-08-11 13:39:45
    Running from D:\
    ================== Search: "services.exe" ===================
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
    [2009-05-26 09:31] - [2009-04-10 20:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
    C:\Windows\System32\services.exe
    [2009-05-26 09:31] - [2012-08-11 10:19] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843
    === End Of Search ===
  5. Slammy

    Slammy Newcomer, in training Topic Starter Posts: 19

  6. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Next...

    Restart normally.

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    http://download.bleepingcomputer.com/grinler/beta/rkill.exe
    http://download.bleepingcomputer.com/grinler/beta/iExplore.exe

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    Please post BOTH logs, rKillt.xt and Combofix.txt.

    Attached Files:

  7. Slammy

    Slammy Newcomer, in training Topic Starter Posts: 19

    ComboFix 12-08-10.02 - slammy 08/11/2012 14:28:04.1.2 - x86
    Running from: F:\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-11 to 2012-08-11 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-11 20:12 . 2012-08-11 20:12--------d-----w-C:\FRST
    2012-08-11 07:14 . 2012-02-09 19:17713784----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2012-08-11 07:14 . 2012-02-09 19:17713784----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1B2841D3-9EE5-405A-8A89-342C215ABD62}\gapaengine.dll
    2012-08-11 07:13 . 2012-07-16 07:416891424------w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{20F1389F-EA2B-4CE4-94CC-EF200C87DD27}\mpengine.dll
    2012-08-11 07:10 . 2012-08-11 07:10--------d-----w-c:\program files\Microsoft Security Client
    2012-08-11 03:35 . 2012-08-11 03:35426184----a-w-c:\windows\system32\FlashPlayerApp.exe
    2012-07-16 01:56 . 2012-07-16 01:56--------d-sh--w-c:\windows\system32\%APPDATA%
    2012-07-15 04:21 . 2012-06-13 13:402047488----a-w-c:\windows\system32\win32k.sys
    2012-07-15 04:18 . 2012-06-05 16:47708608----a-w-c:\program files\Common Files\System\ado\msado15.dll
    2012-07-15 04:18 . 2012-06-05 16:471401856----a-w-c:\windows\system32\msxml6.dll
    2012-07-15 04:18 . 2012-06-05 16:471248768----a-w-c:\windows\system32\msxml3.dll
    2012-07-15 04:17 . 2012-06-04 15:26440704----a-w-c:\windows\system32\drivers\ksecdd.sys
    2012-07-15 04:17 . 2012-06-02 00:04278528----a-w-c:\windows\system32\schannel.dll
    2012-07-15 04:17 . 2012-06-02 00:03204288----a-w-c:\windows\system32\ncrypt.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-11 03:35 . 2011-06-16 23:0170344----a-w-c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-02 22:19 . 2012-06-24 17:1045080----a-w-c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-24 17:1053784----a-w-c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-24 17:0935864----a-w-c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-24 17:09577048----a-w-c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-24 17:101933848----a-w-c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-24 17:102422272----a-w-c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-24 17:0988576----a-w-c:\windows\system32\wudriver.dll
    2012-06-02 20:19 . 2012-06-24 17:09171904----a-w-c:\windows\system32\wuwebv.dll
    2012-06-02 20:12 . 2012-06-24 17:0933792----a-w-c:\windows\system32\wuapp.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "VistaBatterySaver"="c:\program files\SharpSoft\Vista Battery Saver\VistaBatterySaver.exe" [2009-04-15 481280]
    "WLSync"="c:\program files\Windows Live\Mesh\WLSync.exe" [2012-03-08 1449824]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-04-05 288040]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-11-17 3810304]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-16 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-16 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-16 150552]
    "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-10-19 1439496]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-02-26 495708]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Intuit SyncManager"=c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-846782583-1659375038-321502968-1000]
    "EnableNotificationsRef"=dword:00000002
    .
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_0145da1d\aestsrv.exe [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    LocalServiceAndNoImpersonationREG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc9c027b1db267.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-11-05 21:26]
    .
    2012-08-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-11-05 21:26]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    TCP: DhcpNameServer = 68.113.206.10 24.217.0.5 71.92.29.130
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-Client Server Runtime Process - c:\users\slammy\AppData\Roaming\csrss.exe
    MSConfigStartUp-Service Host Process for Windows - c:\users\slammy\AppData\Roaming\System32\svchost.exe
    .
    .
    .
    **************************************************************************
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files:
    .
    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Security Client\MsMpEng.exe
    c:\windows\System32\DriverStore\FileRepository\stwrt.inf_0145da1d\STacSV.exe
    c:\program files\Dell\DellDock\DockLogin.exe
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\System32\bcmwltry.exe
    c:\windows\system32\WLANExt.exe
    c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    c:\program files\Windows Live\Mesh\wlcrasvc.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\WUDFHost.exe
    c:\program files\Dell\DellDock\DellDock.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Windows Live\Mesh\MOE.exe
    c:\program files\Windows Live\Contacts\wlcomm.exe
    c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
    c:\windows\servicing\TrustedInstaller.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-11 14:43:41 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-11 19:43
    .
    Pre-Run: 90,248,564,736 bytes free
    Post-Run: 90,268,585,984 bytes free
    .
    - - End Of File - - AEA39B419695E2809F65D49F73754205
  8. Slammy

    Slammy Newcomer, in training Topic Starter Posts: 19

    Rkill 2.1.0 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2012 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html
    Program started at: 08/11/2012 02:50:15 PM in x86 mode.
    Windows Version: Windows Vista
    Checking for Windows services to stop.
    * No malware services found to stop.
    Checking for processes to terminate.
    * No malware processes found to kill.
    Checking Registry for malware related settings.
    * No issues found in the Registry.
    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
    * HKLM\Software\Classes\.com "@" has been changed to ComFile!
    * HKLM\Software\Classes\.com "@" was reset to comfile!
    Performing miscellaneous checks.
    * No issues found.
    Searching for Missing Digital Signatures:
    * No issues found.
    Restarting Explorer.exe in order to apply changes.
    Program finished at: 08/11/2012 02:50:37 PM
    Execution time: 0 hours(s), 0 minute(s), and 22 seconds(s)
  9. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    Looks good :)

    Any current issues?

    ================================

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer IF MBAM asks you to do so.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    ===============================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  10. Slammy

    Slammy Newcomer, in training Topic Starter Posts: 19

    Seems to be ok . Tried to update MSE but it failed for some reason but it did let me run a scan. Ill run these two programs now.
  11. Broni

    Broni Malware Annihilator Posts: 45,175   +242

  12. Slammy

    Slammy Newcomer, in training Topic Starter Posts: 19

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.08.11.04

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 9.0.8112.16421
    slammy :: SAMMYLAPTOP [administrator]

    8/11/2012 3:50:18 PM
    mbam-log-2012-08-11 (15-50-18).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 200017
    Time elapsed: 12 minute(s), 48 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  13. Slammy

    Slammy Newcomer, in training Topic Starter Posts: 19

    OTL logfile created on: 8/11/2012 4:04:05 PM - Run 1
    OTL by OldTimer - Version 3.2.56.0 Folder = C:\Users\slammy\Desktop
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.96 Gb Total Physical Memory | 1.71 Gb Available Physical Memory | 57.61% Memory free
    7.36 Gb Paging File | 6.12 Gb Available in Paging File | 83.26% Paging File free
    Paging file location(s): c:\pagefile.sys 4546 4546 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 139.24 Gb Total Space | 83.99 Gb Free Space | 60.32% Space Free | Partition Type: NTFS
    Drive E: | 9.77 Gb Total Space | 4.54 Gb Free Space | 46.47% Space Free | Partition Type: NTFS

    Computer Name: SAMMYLAPTOP | User Name: slammy | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/08/11 15:27:30 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Slammy\Desktop\OTL.exe
    PRC - [2012/03/26 17:08:12 | 000,931,200 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
    PRC - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
    PRC - [2012/02/04 07:40:44 | 000,045,056 | ---- | M] (Intuit) -- c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    PRC - [2012/01/03 08:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    PRC - [2010/10/12 09:45:37 | 001,324,384 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DellDock.exe
    PRC - [2010/04/05 16:46:08 | 000,288,040 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
    PRC - [2010/03/23 13:22:26 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
    PRC - [2010/02/26 02:03:00 | 000,495,708 | ---- | M] (IDT, Inc.) -- C:\Program Files\IDT\WDM\sttray.exe
    PRC - [2010/02/26 02:03:00 | 000,229,458 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_0145da1d\stacsv.exe
    PRC - [2010/02/17 15:34:40 | 000,054,568 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
    PRC - [2010/01/11 13:20:48 | 000,155,648 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe
    PRC - [2009/04/15 01:46:04 | 000,481,280 | ---- | M] (Tamir Khason) -- C:\Program Files\SharpSoft\Vista Battery Saver\VistaBatterySaver.exe
    PRC - [2009/04/10 23:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2009/03/03 02:43:08 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_0145da1d\AEstSrv.exe
    PRC - [2009/01/31 22:43:30 | 000,049,250 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/06/18 00:30:50 | 015,881,728 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\MenuSkinning\3b5151bbd0e6de9d28585589bda695cd\MenuSkinning.ni.dll
    MOD - [2012/06/18 00:30:41 | 001,711,616 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\2467a133aee73396c830b9b0a9c7ec0d\Microsoft.VisualBasic.ni.dll
    MOD - [2012/06/18 00:30:32 | 000,284,160 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\VistaBridgeLibrary\4665c10b713844b5a2e77e5ed50f9cfe\VistaBridgeLibrary.ni.dll
    MOD - [2012/06/18 00:30:31 | 002,584,064 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\DellDock\b46f17d6b131711060172ef5b72c71df\DellDock.ni.exe
    MOD - [2012/06/18 00:30:29 | 000,291,840 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\MyDock.Util\8607754d59549e501cd716c679fd03ff\MyDock.Util.ni.dll
    MOD - [2012/06/18 00:30:27 | 011,820,032 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\508b444db523c5cf20ff12c7f440837b\System.Web.ni.dll
    MOD - [2012/06/18 00:17:18 | 012,433,920 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\f2691cfa7671cdc58179e56ba9227591\System.Windows.Forms.ni.dll
    MOD - [2012/06/18 00:17:03 | 001,592,320 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\18f9789aa214c657113e676b3a9015aa\System.Drawing.ni.dll
    MOD - [2012/06/01 18:15:28 | 000,998,400 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\f3d4d5fe5ab848fbfcf91a49960dc8ae\System.Management.ni.dll
    MOD - [2012/06/01 18:15:20 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\846b9cf2756fdd15f704c9bab9c70b6f\System.Runtime.Remoting.ni.dll
    MOD - [2012/06/01 18:15:00 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\bd76aaaa03ddc15d1840207b5a480644\System.Configuration.ni.dll
    MOD - [2012/06/01 18:14:58 | 000,025,600 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\1b337cf9a031145849bc48c11b2cfe58\Accessibility.ni.dll
    MOD - [2012/06/01 18:11:19 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\d2630342a066a7cb9056d9eb6157687a\System.Xml.ni.dll
    MOD - [2012/06/01 01:50:46 | 007,953,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\28d633338fc8d29f8af31935ef7d001b\System.ni.dll
    MOD - [2012/06/01 01:50:32 | 011,492,352 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\af9c9e9d7e0523cd444f8b551baa9cbf\mscorlib.ni.dll
    MOD - [2011/03/02 12:40:51 | 000,140,288 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
    MOD - [2008/11/17 08:29:10 | 000,054,784 | ---- | M] () -- C:\Windows\System32\bcmwlrmt.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2012/03/26 17:03:40 | 000,214,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
    SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
    SRV - [2012/02/04 07:40:44 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
    SRV - [2012/01/03 08:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2010/02/26 02:03:00 | 000,229,458 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_0145da1d\stacsv.exe -- (STacSV)
    SRV - [2010/01/11 13:20:48 | 000,155,648 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
    SRV - [2009/07/23 22:10:38 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- c:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
    SRV - [2009/03/03 02:43:08 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_0145da1d\AEstSrv.exe -- (AESTFilters)
    SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
    DRV - File not found [Kernel | Boot | Stopped] -- system32\drivers\iastor.sys -- (iaStor)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
    DRV - [2012/08/11 15:44:01 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3E0F4FA0-1783-459E-BDD0-F85D05E86899}\MpKslab090886.sys -- (MpKslab090886)
    DRV - [2012/03/20 20:44:12 | 000,074,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
    DRV - [2010/09/22 16:17:32 | 000,015,488 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rdpdispm.sys -- (RDPDISPM)
    DRV - [2010/09/02 17:49:06 | 000,013,312 | ---- | M] (June Fabrics Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pneteth.sys -- (pneteth)
    DRV - [2010/04/15 13:36:40 | 000,252,536 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
    DRV - [2010/02/26 02:03:00 | 000,423,424 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
    DRV - [2009/04/10 21:46:10 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usb8023.sys -- (USB_RNDIS)
    DRV - [2009/04/10 21:42:54 | 000,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUSB)
    DRV - [2008/11/17 08:29:08 | 000,018,424 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\bcm42rly.sys -- (BCM42RLY)
    DRV - [2008/01/20 21:23:25 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express)
    DRV - [2008/01/20 21:23:21 | 000,016,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
    DRV - [2006/11/02 02:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
    DRV - [2006/09/28 15:32:14 | 000,009,472 | ---- | M] (June Fabrics Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pnetmdm.sys -- (pnetmdm)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...&oe={outputEncoding}&sourceid=ie7&rlz=1I7DKUS


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-846782583-1659375038-321502968-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default Download Directory = C:\Users\slammy\Desktop
    IE - HKU\S-1-5-21-846782583-1659375038-321502968-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-21-846782583-1659375038-321502968-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKU\S-1-5-21-846782583-1659375038-321502968-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    IE - HKU\S-1-5-21-846782583-1659375038-321502968-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7
    IE - HKU\S-1-5-21-846782583-1659375038-321502968-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    ========== FireFox ==========

    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3555.0308: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



    O1 HOSTS File: ([2012/08/11 14:36:56 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
    O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
    O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
    O4 - HKU\S-1-5-21-846782583-1659375038-321502968-1000..\Run: [VistaBatterySaver] C:\Program Files\SharpSoft\Vista Battery Saver\VistaBatterySaver.exe (Tamir Khason)
    O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O4 - Startup: C:\Users\slammy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-846782583-1659375038-321502968-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-846782583-1659375038-321502968-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.113.206.10 24.217.0.5 71.92.29.130
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2665BFDB-6A12-4B64-B31B-FFB73BB8D960}: DhcpNameServer = 68.113.206.10 24.217.0.5 71.92.29.130
    O18 - Protocol\Handler\intu-help-qb3 {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\boombox_1920x1200.jpg
    O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\boombox_1920x1200.jpg
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/08/11 15:48:34 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Roaming\Malwarebytes
    [2012/08/11 15:48:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/08/11 15:48:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/08/11 15:48:17 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2012/08/11 15:48:17 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/08/11 15:47:59 | 010,652,120 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\slammy\Desktop\mbam-setup-1.62.0.1300.exe
    [2012/08/11 15:47:52 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\slammy\Desktop\OTL.exe
    [2012/08/11 15:12:38 | 000,000,000 | ---D | C] -- C:\FRST
    [2012/08/11 14:43:44 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/08/11 14:43:43 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\temp
    [2012/08/11 14:38:24 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/08/11 14:27:03 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/08/11 14:27:03 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/08/11 14:27:03 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/08/11 14:27:00 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2012/08/11 14:26:57 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/08/11 14:26:30 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
    [2012/08/11 14:23:19 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{D3219952-47EC-4F34-B34F-9E4BD5A52CE6}
    [2012/08/11 14:23:06 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{07BF56E4-0461-47C5-B32A-C85EA9A619F2}
    [2012/08/11 02:10:04 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
    [2012/08/10 22:01:22 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{A0AD0FDA-1BA1-450C-A6ED-CE4805D6AD00}
    [2012/08/10 22:01:08 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{AE77CC3B-94CF-44A9-B073-B12554291EC5}
    [2012/08/05 19:31:23 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{DEFAEDA8-605F-4D8F-84D8-45A0435C0B35}
    [2012/08/05 19:31:09 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{C2E83932-F32F-4D1D-8928-FB7F04A468EA}
    [2012/08/03 15:49:52 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{96828AE6-655C-4111-A54B-FC7DC45E6BBD}
    [2012/08/03 15:49:40 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{9407B296-49A1-436A-99A3-BE9BA2333014}
    [2012/08/02 19:49:08 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{9CFC2084-F7AF-4FEF-8CED-030AE3F80C1A}
    [2012/08/02 19:48:46 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{77650C92-F427-412E-8FE6-DE3E2AE65BA8}
    [2012/08/02 07:48:19 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{FE600656-1544-42E5-B3C1-024058755D38}
    [2012/08/02 07:48:03 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{B2A4DD7D-C50B-4803-B5F7-4BE819C0D894}
    [2012/08/01 11:57:25 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{B419E3A5-6A20-4FD3-B44B-542F95F34964}
    [2012/08/01 11:57:07 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{EC76A203-D0C3-4A77-BC8E-DC422D680B94}
    [2012/07/31 23:37:20 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{AA5DBF74-24FF-4004-A865-C1626B1BF298}
    [2012/07/31 11:36:41 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{8E6433A0-686F-46E6-A6C3-19065DD24005}
    [2012/07/31 11:36:27 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{159331AE-3643-4079-8A19-02DED5A94E4F}
    [2012/07/30 22:20:54 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{29D5ABC8-33EE-4A4B-B484-01DF5F6B4FB8}
    [2012/07/30 10:20:17 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{F05A302C-BCF1-4D43-B050-AB3A30A540D0}
    [2012/07/30 10:20:00 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{F22B3001-BC05-4B32-A065-1B7355CDD5FC}
    [2012/07/29 12:07:57 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{AC3BD8B3-4A82-42BE-8AD4-68FF1FAAC685}
    [2012/07/29 12:07:43 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{641DDA37-4C01-46F5-BEED-D90298353001}
    [2012/07/20 08:16:06 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{C37CEB8B-E731-4F68-880B-B9EEDAAA6FFA}
    [2012/07/20 08:15:51 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{27A67F9A-6834-416F-BE87-99983D76650D}
    [2012/07/19 14:52:20 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{F6E7BCD4-D596-47E2-9AC4-14E01938F730}
    [2012/07/19 14:52:07 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{5ECF5A32-0EBF-4A07-99A4-8718FBF2D762}
    [2012/07/18 23:43:37 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{ACA9FF47-C8F3-4D1D-9BA3-E495CA42CAA3}
    [2012/07/18 23:43:17 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{F15880ED-D9C1-48E2-8AB9-AD18DA26E324}
    [2012/07/18 11:42:49 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{299EEC4D-98CC-4A91-910D-134992D3EA9B}
    [2012/07/18 11:42:33 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{3AE6CB12-ED06-4B73-9800-51BFFDB79A3B}
    [2012/07/17 11:17:38 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{6B370060-A394-4E2D-B55A-B08BA38F05BD}
    [2012/07/17 11:17:16 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{F9236600-E5A1-45D9-9EDA-129D55FEF9C4}
    [2012/07/16 23:16:51 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{783DF1A1-E3E9-4B8B-B7C9-4E510240C3F0}
    [2012/07/16 11:16:04 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{3ED17D7F-8BBE-46A8-9F35-684BF854E353}
    [2012/07/16 11:15:53 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{39941FAA-1ABA-4837-B566-BF024A27C78F}
    [2012/07/15 20:56:28 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
    [2012/07/15 12:04:26 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{B98E6E5D-6F91-4EAE-9AD2-9891C0646FEA}
    [2012/07/15 12:03:50 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{F69B395B-82A4-456A-9ACE-D2CDF386D817}
    [2012/07/14 17:06:25 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{47F020FB-FEE8-45E5-ACBD-A5150059AE18}
    [2012/07/14 17:05:57 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{DCE94A03-CF5B-4C37-8CB3-95DA47DA6339}
    [2012/07/13 22:06:43 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{DDEEE0F7-F798-4D10-BFD2-3DB56B91EE05}
    [2012/07/13 22:06:07 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{8A1B7B34-BB5D-456D-A61C-89D4516050CA}
    [2012/07/13 09:38:44 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{D2155C7D-D45C-415B-910D-23F12B81333D}
    [2012/07/13 09:38:10 | 000,000,000 | ---D | C] -- C:\Users\slammy\AppData\Local\{3700BD2C-6B66-4D16-BCDD-2B593134351A}
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/08/11 15:49:24 | 000,606,826 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/08/11 15:49:24 | 000,105,394 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/08/11 15:48:26 | 000,000,908 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/08/11 15:27:46 | 010,652,120 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\slammy\Desktop\mbam-setup-1.62.0.1300.exe
    [2012/08/11 15:27:30 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\slammy\Desktop\OTL.exe
    [2012/08/11 15:18:01 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/08/11 15:05:29 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/08/11 15:05:29 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/08/11 15:05:05 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore1cc9c027b1db267.job
    [2012/08/11 15:04:47 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/08/11 14:36:56 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2012/08/11 13:13:46 | 000,002,243 | ---- | M] () -- C:\Windows\epplauncher.mif
    [2012/08/11 11:23:50 | 000,000,680 | ---- | M] () -- C:\Users\slammy\AppData\Local\d3d9caps.dat
    [2012/08/10 22:40:15 | 000,000,516 | ---- | M] () -- C:\Users\slammy\AppData\Roaming\wklnhst.dat
    [2012/08/01 20:44:20 | 000,069,792 | ---- | M] () -- C:\Users\slammy\Desktop\Pic.jpg
    [2012/07/15 01:37:38 | 000,443,459 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20120810-223925.backup
    [2012/07/15 00:56:39 | 000,288,264 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2012/07/14 22:19:19 | 006,660,096 | ---- | M] () -- C:\Users\slammy\Documents\Slammys Garage2 (Backup Jul 14,2012 10 19 PM).QBB
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/08/11 15:48:26 | 000,000,908 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/08/11 14:27:03 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/08/11 14:27:03 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/08/11 14:27:03 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/08/11 14:27:03 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/08/11 14:27:03 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/08/11 11:23:50 | 000,000,680 | ---- | C] () -- C:\Users\slammy\AppData\Local\d3d9caps.dat
    [2012/08/11 02:10:36 | 000,001,828 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
    [2012/08/01 20:44:48 | 000,069,792 | ---- | C] () -- C:\Users\slammy\Desktop\Pic.jpg
    [2012/07/14 22:19:13 | 006,660,096 | ---- | C] () -- C:\Users\slammy\Documents\Slammys Garage2 (Backup Jul 14,2012 10 19 PM).QBB
    [2009/03/03 05:59:28 | 000,000,516 | ---- | C] () -- C:\Users\slammy\AppData\Roaming\wklnhst.dat
    [2009/03/03 03:30:57 | 000,019,456 | ---- | C] () -- C:\Users\slammy\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    ========== LOP Check ==========

    [2010/01/14 15:08:06 | 000,000,000 | ---D | M] -- C:\Users\slammy\AppData\Roaming\acccore
    [2009/08/13 15:22:21 | 000,000,000 | ---D | M] -- C:\Users\slammy\AppData\Roaming\Image Zone Express
    [2009/08/13 15:22:20 | 000,000,000 | ---D | M] -- C:\Users\slammy\AppData\Roaming\Printer Info Cache
    [2009/03/03 06:04:05 | 000,000,000 | ---D | M] -- C:\Users\slammy\AppData\Roaming\Template
    [2012/08/11 14:47:12 | 000,032,632 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========


    < End of report >
     
  14. Slammy

    Slammy Newcomer, in training Topic Starter Posts: 19

    OTL Extras logfile created on: 8/11/2012 4:04:05 PM - Run 1
    OTL by OldTimer - Version 3.2.56.0 Folder = C:\Users\slammy\Desktop
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.96 Gb Total Physical Memory | 1.71 Gb Available Physical Memory | 57.61% Memory free
    7.36 Gb Paging File | 6.12 Gb Available in Paging File | 83.26% Paging File free
    Paging file location(s): c:\pagefile.sys 4546 4546 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 139.24 Gb Total Space | 83.99 Gb Free Space | 60.32% Space Free | Partition Type: NTFS
    Drive E: | 9.77 Gb Total Space | 4.54 Gb Free Space | 46.47% Space Free | Partition Type: NTFS

    Computer Name: SAMMYLAPTOP | User Name: slammy | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    htmlfile [edit] -- Reg Error: Key error.
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "VistaSp2" = Reg Error: Unknown registry data type -- File not found

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-846782583-1659375038-321502968-1000]
    "EnableNotifications" = 0
    "EnableNotificationsRef" = 2

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "Host-process Windows (Rundll32.exe)" = C:\Users\slammy\AppData\Roaming\System32\csrss.exe
    "Client Server Runtime Process" = C:\Users\slammy\AppData\Roaming\csrss.exe
    "Service Host Process for Windows" = C:\Users\slammy\AppData\Roaming\System32\svchost.exe


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system |
    "{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system |
    "{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system |
    "{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system |
    "{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
    "{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
    "{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system |
    "{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system |
    "{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system |
    "{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system |
    "{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system |
    "{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system |
    "{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
    "{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
    "{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
    "{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
    "{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system |
    "{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
    "{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "TCP Query User{6EAEE391-33F3-4B2F-B518-1EEC87647133}C:\program files\windows live\mesh\moe.exe" = protocol=6 | dir=in | app=c:\program files\windows live\mesh\moe.exe |
    "UDP Query User{641F36DA-5AEF-44BE-963C-45D06E0CFABA}C:\program files\windows live\mesh\moe.exe" = protocol=17 | dir=in | app=c:\program files\windows live\mesh\moe.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    "{06A9E630-DBA6-4D92-9DE7-A235AA6496C7}" = QuickBooks
    "{0700E22B-A419-40A5-BD20-04BF618CA0F9}" = QuickBooks Simple Start 2010 Free Edition
    "{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
    "{0F842B77-56EA-4AAF-8295-81A022350B5E}" = Microsoft Security Client
    "{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
    "{17504ED4-DB08-40A8-81C2-27D8C01581DA}" = Windows Live Remote Service Resources
    "{19A4A990-5343-4FF7-B3B5-6F046C091EDF}" = Windows Live Remote Client
    "{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
    "{227E8782-B2F4-4E97-B0EE-49DE9CC1C0C0}" = Windows Live Remote Service
    "{2614F54E-A828-49FA-93BA-45A3F756BFAA}" = 32 Bit HP CIO Components Installer
    "{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
    "{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
    "{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
    "{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
    "{36E78769-56BE-483C-9E27-EDE73E6ECC78}" = Bend-Tech PRO
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{415B2719-AD3A-4944-B404-C472DB6085B3}" = Cisco EAP-FAST Module
    "{464B3406-A4D0-4914-910F-7CA4380DCC13}" = Windows Live Remote Client Resources
    "{47BBA5AA-CA6F-4A41-858D-A7A776F29A8B}" = Google SketchUp 8
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
    "{5DD4FCBD-A3C1-4155-9E17-4161C70AAABA}" = Segoe UI
    "{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}" = Cisco PEAP Module
    "{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
    "{6D6664A9-3342-4948-9B7E-034EFE366F0F}" = HTC Driver Installer
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{83770D14-21B9-44B3-8689-F7B523F94560}" = Cisco LEAP Module
    "{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
    "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    "{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
    "{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
    "{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
    "{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
    "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
    "{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{C4972073-2BFE-475D-8441-564EA97DA161}" = QuickSet32
    "{C6150D8A-86ED-41D3-87BB-F3BB51B0B77F}" = Windows Live ID Sign-in Assistant
    "{C73A3942-84C8-4597-9F9B-EE227DCBA758}" = Dell Dock
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
    "{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
    "{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
    "{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
    "{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
    "{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
    "{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Broadcom 802.11 Application" = Dell Wireless WLAN Card Utility
    "CCleaner" = CCleaner
    "Dell Dock" = Dell Dock
    "Fallout" = Fallout
    "HDMI" = Intel(R) Graphics Media Accelerator Driver
    "KLiteCodecPack_is1" = K-Lite Codec Pack 6.0.4 (Basic)
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft Security Client" = Microsoft Security Essentials
    "TVWiz" = Intel(R) TV Wizard
    "WinLiveSuite" = Windows Live Essentials
    "WinRAR archiver" = WinRAR 4.00 (32-bit)

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 8/11/2012 3:29:30 AM | Computer Name = SammyLaptop | Source = EventSystem | ID = 4609
    Description =

    Error - 8/11/2012 3:30:08 AM | Computer Name = SammyLaptop | Source = WinMgmt | ID = 10
    Description =

    Error - 8/11/2012 3:31:18 AM | Computer Name = SammyLaptop | Source = Microsoft-Windows-CAPI2 | ID = 131584
    Description =

    Error - 8/11/2012 3:35:57 AM | Computer Name = SammyLaptop | Source = EventSystem | ID = 4609
    Description =

    Error - 8/11/2012 3:36:07 AM | Computer Name = SammyLaptop | Source = WinMgmt | ID = 10
    Description =

    Error - 8/11/2012 3:37:57 AM | Computer Name = SammyLaptop | Source = Microsoft-Windows-CAPI2 | ID = 131584
    Description =

    Error - 8/11/2012 3:41:18 AM | Computer Name = SammyLaptop | Source = WinMgmt | ID = 10
    Description =

    Error - 8/11/2012 12:18:12 PM | Computer Name = SammyLaptop | Source = EventSystem | ID = 4609
    Description =

    Error - 8/11/2012 12:18:32 PM | Computer Name = SammyLaptop | Source = WinMgmt | ID = 10
    Description =

    Error - 8/11/2012 12:20:04 PM | Computer Name = SammyLaptop | Source = Microsoft-Windows-CAPI2 | ID = 131584
    Description =

    [ System Events ]
    Error - 8/11/2012 4:11:44 PM | Computer Name = SammyLaptop | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 has encountered an error trying to update signatures. New Signature
    Version: Previous Signature Version: 1.131.1793.0 Update Source: %%859 Update Stage:
    %%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803
    User:
    NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error
    code: 0x80240022 Error description: The program can't check for definition updates.


    Error - 8/11/2012 4:11:44 PM | Computer Name = SammyLaptop | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 has encountered an error trying to update signatures. New Signature
    Version: Previous Signature Version: 1.131.1793.0 Update Source: %%859 Update Stage:
    %%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803
    User:
    NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error
    code: 0x80240022 Error description: The program can't check for definition updates.


    Error - 8/11/2012 4:12:19 PM | Computer Name = SammyLaptop | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 has encountered an error trying to update signatures. New Signature
    Version: Previous Signature Version: 1.131.1793.0 Update Source: %%859 Update Stage:
    %%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803
    User:
    NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error
    code: 0x80240022 Error description: The program can't check for definition updates.


    Error - 8/11/2012 4:12:19 PM | Computer Name = SammyLaptop | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 has encountered an error trying to update signatures. New Signature
    Version: Previous Signature Version: 1.131.1793.0 Update Source: %%859 Update Stage:
    %%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803
    User:
    NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error
    code: 0x80240022 Error description: The program can't check for definition updates.


    Error - 8/11/2012 4:15:58 PM | Computer Name = SammyLaptop | Source = DCOM | ID = 10016
    Description =

    Error - 8/11/2012 4:25:58 PM | Computer Name = SammyLaptop | Source = DCOM | ID = 10016
    Description =

    Error - 8/11/2012 4:35:58 PM | Computer Name = SammyLaptop | Source = DCOM | ID = 10016
    Description =

    Error - 8/11/2012 4:45:58 PM | Computer Name = SammyLaptop | Source = DCOM | ID = 10016
    Description =

    Error - 8/11/2012 4:55:58 PM | Computer Name = SammyLaptop | Source = DCOM | ID = 10016
    Description =

    Error - 8/11/2012 5:05:58 PM | Computer Name = SammyLaptop | Source = DCOM | ID = 10016
    Description =


    < End of report >
  15. Slammy

    Slammy Newcomer, in training Topic Starter Posts: 19

    Running Spybot and CCleaner now
  16. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      [2012/08/11 15:12:38 | 000,000,000 | ---D | C] -- C:\FRST
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    NOTE. If for any reason OTL stalls (most likely at "killing processes..." step) run the fix from safe mode.

    ==========================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
  17. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    WHY???

    Please observe my rules:
  18. Slammy

    Slammy Newcomer, in training Topic Starter Posts: 19

    did everything you asked, running ESET now and seems to have found one problem so far but its taking awhile. Ill post those logs files also once its done. Thanks again!
  19. Slammy

    Slammy Newcomer, in training Topic Starter Posts: 19

    Results of screen317's Security Check version 0.99.43
    Windows Vista Service Pack 2 x86 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    WMI entry may not exist for antivirus; attempting automatic update.
    `````````Anti-malware/Other Utilities Check:`````````
    Spybot - Search & Destroy
    Malwarebytes Anti-Malware version 1.62.0.1300
    CCleaner
    Java(TM) 6 Update 31
    Java version out of Date!
    Adobe Reader X (10.1.3)
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0 %
    ````````````````````End of Log``````````````````````
  20. Slammy

    Slammy Newcomer, in training Topic Starter Posts: 19

    Farbar Service Scanner Version: 06-08-2012
    Ran by slammy (administrator) on 11-08-2012 at 16:59:09
    Running from "C:\Users\slammy\Desktop"
    Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Attempt to access Google.com returned error: Google.com is offline
    Yahoo IP is accessible.
    Yahoo.com is accessible.
    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================
    System Restore:
    ============
    System Restore Disabled Policy:
    ========================
    Security Center:
    ============
    Windows Update:
    ============
    BITS Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.
    Windows Autoupdate Disabled Policy:
    ============================
    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.
    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1
    Other Services:
    ==============
    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit
    **** End of log ****
  21. Slammy

    Slammy Newcomer, in training Topic Starter Posts: 19

    C:\ProgramData\Spybot - Search & Destroy\Recovery\WinBifrost.zipWin32/Bagle.gen.zip wormcleaned by deleting - quarantined
    C:\_OTL\MovedFiles\08112012_165009\C_FRST\Quarantine\services.exeWin32/Sirefef.FB.Gen trojandeleted - quarantined
    C:\_OTL\MovedFiles\08112012_165009\C_FRST\Quarantine\{20a3a2df-46fb-b1a8-904f-0d447c9082db}\nWin32/Sirefef.EV trojancleaned by deleting - quarantined
  22. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    ===================================

    We have one corrupted registry key affecting Windows updates.

    Following steps involve registry editing. Please create new restore point before proceeding!!!
    How to:
    XP - http://support.microsoft.com/kb/948247
    Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/


    Download Vista.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
    Unzip the file.
    You'll find several files inside.
    Double click on bits.reg file and confirm the prompt.
    Restart computer.
    Post new FSS log.
  23. Slammy

    Slammy Newcomer, in training Topic Starter Posts: 19

    Farbar Service Scanner Version: 06-08-2012
    Ran by slammy (administrator) on 11-08-2012 at 20:25:02
    Running from "C:\Users\slammy\Desktop"
    Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    System Restore Disabled a
    ========================

    Security Center:
    ============
    Windows Update:
    ============
    Windows Autoupdate Disabled Policy:
    ============================

    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.

    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1

    Other Services:
    ==============

    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit

    **** End of log ****
  24. Slammy

    Slammy Newcomer, in training Topic Starter Posts: 19

  25. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    See here: http://support.microsoft.com/kb/330132

    ================================

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please, let me know, how your computer is doing.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.