Another Win64 sirefef victim - constant auto reboot of PC

Solved
By MagsL
Jul 16, 2012
  1. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    It will not wipe anything. It is a Windows Recovery Environment used only to look at your PC's files through a different lens, so to speak.

    Now, for that Update new data...no clue. Is it preventing you from moving forward past the boot screen?
  2. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    Hi
    Yes, it is stopping me doing anything else. Is it potentially OK to run off a USB stick, or do I need to find a way to copy it to CD for this to work?
  3. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    If you cannot boot the computer at all because of the error, you'll have to talk to your manufacturer's tech support agents.
  4. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    No, I can boot it if I let it boot as normal, but not if I follow your instructions to make it boot from CD (as that file won't download; it just sits at 0% extracting to CD), or it does as above if I reboot to the removable disk drive.
    If I boot to the hard drive it's fine, but your instructions said to change to boot from another drive with the OTLPEN programme?
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Indeed. That's weird.

    Can you still not run any programs as suggested earlier in this topic?
  6. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    PC status is as it was before the instructions to download and reboot from CD.
    If you can let me know how to get the download file onto CD any other way, I can try it? As I said, I can copy the download onto USB but can't get it onto a CD from my laptop.
    I haven't used anything on disc for years! I will see if someone else can download it onto CD for me in the meantime.

    Also, as noted, when I followed the instructions sent to reboot from the CD drive, the option on my PC was DVD drive, not CD.
    It does run CDs, but should I save to a DVD instead?
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Definitely check in to getting that CD/DVD done please. Let me know what you find out.
  8. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    OK, managed to get the programme onto disc. Went to the Packard Bell website to see if the boot-to-disc details were correct, as PB is not listed on our link; it gave new instructions to press F12 and I was given 4 drive reboot options, so I selected the DVD drive.
    NVIDIA Boot Agent screen came up.
    After a few minutes I get a "No boot filename received"
    then
    PXE-M0F: Exiting NVIDIA Boot Agent
    DISK BOOT FAILURE, INSERT SYSTEM DISK AND PRESS ENTER

    Concerned it's wanting me to put total system restore into action, so have I found the wrong menu?
    File is definitely on the disk... but it's not opening at all.
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Arrgh.

    You're trying same method as was for FRST...? Are you able to run FRST and produce a new log?
  10. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    Sorry - this is like Groundhog Day!!
    FRST below. Just a thought though, about the NVIDIA message: when I set up to boot from disc I set CD/DVD to 1st boot, then what should I set for 2nd? I think 2nd was NVIDIA something or other. Should I have that set to hard drive?

    Scan result of Farbar Recovery Scan Tool Version: 16-07-2012 01
    Ran by SYSTEM at 24-07-2012 21:45:50
    Running from K:\
    Windows Vista (TM) Home Premium Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
    HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
    HKU\Rob\...\Policies\system: [DisableLockWorkstation] 0
    HKU\Rob\...\Policies\system: [DisableChangePassword] 0
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

    ==================== Services (Whitelisted) ======

    2 BcmSqlStartupSvc; "C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [30312 2009-02-20] (Microsoft Corporation)
    2 ForceWare Intelligent Application Manager (IAM); C:\Program Files\bin32\nSvcAppFlt.exe [920064 2008-01-29] ()
    2 GenericHidService; HidService.exe [83264 2008-05-29] (Packard Bell Services)
    2 GenericHidService; HidService.exe [83264 2008-05-29] (Packard Bell Services)
    2 HsdService; "C:\Program Files (x86)\Virgin Media\Digital Home Support\HsdService.exe" [1406264 2011-03-23] (Virgin Media)
    2 lxduCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\lxduserv.exe [33960 2009-08-19] (Lexmark International, Inc.)
    2 lxdu_device; C:\Windows\system32\lxducoms.exe -service [1044136 2009-08-19] ( )
    2 lxdu_device; C:\Windows\SysWow64\lxducoms.exe -service [1040552 2008-05-23] ( )
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
    3 MSSQL$MSSMLBIZ; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [29293408 2010-12-10] (Microsoft Corporation)
    4 Nero BackItUp Scheduler 3; C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe [877864 2008-02-18] (Nero AG)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
    4 NMIndexingService; "C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe" [529704 2008-04-28] (Nero AG)
    2 nSvcIp; C:\Program Files\bin32\nSvcIp.exe [193024 2008-01-29] ()
    2 PLFlash DeviceIoControl Service; C:\Windows\SysWOW64\IoctlSvc.exe [81920 2006-12-19] (Prolific Technology Inc.)
    2 ServicepointService; "C:\Program Files (x86)\Virgin Media\Service Manager\ServicepointService.exe" [689464 2011-03-25] (Radialpoint Inc.)
    2 TomTomHOMEService; C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [92592 2011-04-22] (TomTom)

    ========================== Drivers (Whitelisted) =============

    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-07-16 11:08 - 2012-07-16 11:08 - 00000000 ____D C:\FRST
    2012-07-16 07:19 - 2012-07-16 07:19 - 00000036 ____A C:\Users\Rob\AppData\Local\housecall.guid.cache
    2012-07-16 07:19 - 2011-05-16 02:15 - 02433672 ____A (Trend Micro Inc.) C:\Users\Rob\Desktop\FakeAVRemover.exe
    2012-07-16 07:05 - 2012-07-16 06:42 - 03875048 ____A (AVG Technologies) C:\Users\Rob\Desktop\avg_avct_stb_all_2012_2195_ppc2.exe
    2012-07-16 06:49 - 2012-07-16 07:26 - 00000000 ____D C:\Users\All Users\MFAData
    2012-07-08 03:30 - 2012-07-08 03:30 - 00000000 ____D C:\Users\Rob\AppData\Roaming\SpeedMaxPc
    2012-07-08 03:30 - 2012-07-08 03:30 - 00000000 ____D C:\Users\Rob\AppData\Roaming\DriverCure
    2012-07-08 03:30 - 2012-07-08 03:30 - 00000000 ____D C:\Users\All Users\SpeedMaxPc
    2012-07-08 03:30 - 2012-07-08 03:30 - 00000000 ____D C:\Program Files (x86)\SpeedMaxPc
    2012-07-07 14:08 - 2012-07-07 14:08 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-07-07 14:08 - 2012-07-07 14:08 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-07-06 14:00 - 2012-07-06 14:00 - 00000012 ____A C:\Windows\srun.log
    2012-06-24 10:13 - 2012-06-24 10:13 - 00538624 ____A C:\Users\Rob\Downloads\rent statement (1).xls
    2012-06-24 10:11 - 2012-06-24 10:11 - 00538624 ____A C:\Users\Rob\Downloads\rent statement.xls
    2012-06-24 10:11 - 2012-06-24 10:11 - 00445687 ____A C:\Users\Rob\Downloads\fwdfff40st_loenardsavenuehove.zip
    2012-06-24 02:10 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-24 02:10 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-24 02:10 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
    2012-06-24 02:10 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-24 02:10 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-24 02:10 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
    2012-06-24 02:10 - 2012-06-02 06:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-24 02:10 - 2012-06-02 06:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2012-06-24 02:10 - 2012-06-02 06:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-24 02:10 - 2012-06-02 06:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe

    ============ 3 Months Modified Files ========================

    2012-07-16 08:24 - 2010-10-23 02:56 - 00034709 ____A C:\Users\All Users\nvModes.dat
    2012-07-16 08:24 - 2010-10-23 02:56 - 00034709 ____A C:\Users\All Users\nvModes.001
    2012-07-16 08:24 - 2010-01-31 02:35 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-07-16 08:24 - 2006-11-02 07:42 - 00032602 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-07-16 08:24 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-16 08:24 - 2006-11-02 07:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-16 08:24 - 2006-11-02 07:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-16 07:40 - 2010-01-31 02:35 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-07-16 07:19 - 2012-07-16 07:19 - 00000036 ____A C:\Users\Rob\AppData\Local\housecall.guid.cache
    2012-07-16 06:42 - 2012-07-16 07:05 - 03875048 ____A (AVG Technologies) C:\Users\Rob\Desktop\avg_avct_stb_all_2012_2195_ppc2.exe
    2012-07-07 14:41 - 2009-07-09 15:35 - 01534265 ____A C:\Windows\WindowsUpdate.log
    2012-07-07 14:08 - 2011-05-15 09:11 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-07-07 14:08 - 2010-05-03 09:32 - 00778976 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-07-07 13:59 - 2011-04-15 03:14 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1198968773-186493069-1406013737-1000UA.job
    2012-07-07 12:53 - 2006-11-02 04:46 - 00772686 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-06 14:16 - 2012-05-05 01:02 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-07-06 14:16 - 2011-11-20 03:53 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-07-06 14:00 - 2012-07-06 14:00 - 00000012 ____A C:\Windows\srun.log
    2012-07-03 14:59 - 2011-04-15 03:14 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1198968773-186493069-1406013737-1000Core.job
    2012-07-03 13:04 - 2011-04-15 03:14 - 00002034 ____A C:\Users\Rob\Desktop\Google Chrome.lnk
    2012-06-24 10:13 - 2012-06-24 10:13 - 00538624 ____A C:\Users\Rob\Downloads\rent statement (1).xls
    2012-06-24 10:11 - 2012-06-24 10:11 - 00538624 ____A C:\Users\Rob\Downloads\rent statement.xls
    2012-06-24 10:11 - 2012-06-24 10:11 - 00445687 ____A C:\Users\Rob\Downloads\fwdfff40st_loenardsavenuehove.zip
    2012-06-24 06:17 - 2006-11-02 07:27 - 00025630 ____A C:\Windows\setupact.log
    2012-06-15 10:22 - 2006-11-02 07:21 - 00408992 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-06-15 09:47 - 2006-11-02 04:35 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-06-13 12:51 - 2012-06-13 12:51 - 00001696 ____A C:\Users\Public\Desktop\iTunes.lnk
    2012-06-04 05:52 - 2012-06-04 05:39 - 00022362 ____A C:\Users\Rob\Downloads\Saint Lucia stats - Tropical Sky 2012 at 31 May 2012.xlsx
    2012-06-04 05:39 - 2012-06-04 05:39 - 00022157 ____A C:\Users\Rob\Downloads\Saint Lucia stats - Tropical Sky 2012 at 30Apr2012.xlsx
    2012-06-04 04:40 - 2012-06-04 04:40 - 02586352 ____A C:\Users\Rob\Downloads\IMG_0971 (1).MOV
    2012-06-04 04:39 - 2012-06-04 04:39 - 05228241 ____A C:\Users\Rob\Downloads\IMG_0971.MOV
    2012-06-04 04:26 - 2009-11-16 00:07 - 00000069 ____A C:\Windows\NeroDigital.ini
    2012-06-04 03:42 - 2012-06-04 03:42 - 00000126 ____A C:\Users\Rob\Desktop\Download.url
    2012-06-04 03:41 - 2012-06-04 03:40 - 13583705 ____A C:\Users\Rob\Downloads\Charlotte playing and singing.wmv
    2012-06-02 14:19 - 2012-06-24 02:10 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-24 02:10 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:19 - 2012-06-24 02:10 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
    2012-06-02 14:15 - 2012-06-24 02:10 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-24 02:10 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 14:12 - 2012-06-24 02:10 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
    2012-06-02 06:19 - 2012-06-24 02:10 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 06:19 - 2012-06-24 02:10 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2012-06-02 06:15 - 2012-06-24 02:10 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 06:12 - 2012-06-24 02:10 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
    2012-05-31 14:39 - 2012-05-31 14:39 - 00001758 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
    2012-05-31 03:25 - 2009-12-11 10:57 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2012-05-17 18:47 - 2012-06-15 09:54 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-05-17 18:16 - 2012-06-15 09:54 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-05-17 18:06 - 2012-06-15 09:54 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-05-17 17:59 - 2012-06-15 09:54 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-05-17 17:59 - 2012-06-15 09:54 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-05-17 17:58 - 2012-06-15 09:54 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-05-17 17:58 - 2012-06-15 09:54 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-05-17 17:56 - 2012-06-15 09:54 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-05-17 17:55 - 2012-06-15 09:54 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-05-17 17:55 - 2012-06-15 09:54 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-05-17 17:54 - 2012-06-15 09:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-05-17 17:51 - 2012-06-15 09:54 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-05-17 17:51 - 2012-06-15 09:54 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-05-17 17:47 - 2012-06-15 09:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-05-17 15:11 - 2012-06-15 09:54 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-05-17 14:48 - 2012-06-15 09:54 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-05-17 14:45 - 2012-06-15 09:54 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-05-17 14:36 - 2012-06-15 09:54 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-05-17 14:35 - 2012-06-15 09:54 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-05-17 14:35 - 2012-06-15 09:54 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-05-17 14:33 - 2012-06-15 09:54 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-05-17 14:31 - 2012-06-15 09:54 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-05-17 14:29 - 2012-06-15 09:54 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-05-17 14:29 - 2012-06-15 09:54 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-05-17 14:27 - 2012-06-15 09:54 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-05-17 14:25 - 2012-06-15 09:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-05-17 14:24 - 2012-06-15 09:54 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-05-17 14:20 - 2012-06-15 09:54 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-05-15 12:15 - 2012-06-13 11:54 - 02767360 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-05-12 22:45 - 2008-01-20 19:26 - 00377380 ____A C:\Windows\PFRO.log
    2012-05-10 14:25 - 2009-11-17 14:59 - 00007680 ____A C:\Users\Rob\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-05-01 06:29 - 2012-06-13 11:54 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys


    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe
    [2009-10-20 12:05] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 13%
    Total physical RAM: 4093.62 MB
    Available physical RAM: 3543.96 MB
    Total Pagefile: 3970.49 MB
    Available Pagefile: 3530.35 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ======================= Partitions =========================

    1 Drive c: (OS) (Fixed) (Total:342.02 GB) (Free:193.01 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    7 Drive I: (DATA) (Fixed) (Total:341.97 GB) (Free:341.65 GB) NTFS
    9 Drive k: () (Removable) (Total:0.97 GB) (Free:0.97 GB) FAT
    10 Drive x: (PQSERVICE) (Fixed) (Total:14.65 GB) (Free:4.16 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 699 GB 0 B
    Disk 1 No Media 0 B 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B
    Disk 5 No Media 0 B 0 B
    Disk 6 Online 992 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 15 GB 1024 KB
    Partition 2 Primary 342 GB 15 GB
    Partition 3 Primary 342 GB 357 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 9 X PQSERVICE NTFS Partition 15 GB Healthy Hidden

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C OS NTFS Partition 342 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 I DATA NTFS Partition 342 GB Healthy

    ==================================================================================

    Partitions of Disk 6:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 992 MB 16 KB

    ==================================================================================

    Disk: 6
    Partition 1
    Type : 06
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 8 K FAT Removable 992 MB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-07 12:57

    ======================= End Of Log ==========================
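    A small parser for the "Bamital & volsnap Check" section of the FRST log above, added here as an example (it is not part of the thread and not FRST's own code). FRST prints "=> MD5 is legit" for files whose hash it recognises and a bare path plus a detail line for the ones it cannot vouch for; the parser pulls those out with the size and MD5 a helper would compare against a known-good copy, which in this log is services.exe, the file the fix later replaces from WinSxS. The sample section is constructed from the lines posted above.

```python
"""Parse the 'Bamital & volsnap Check' section of a Farbar Recovery Scan Tool
(FRST) log and list the protected Windows files FRST could not vouch for.

FRST prints '<path> => MD5 is legit' when a file's hash matches its whitelist
of known-good binaries. A file it cannot vouch for is printed as a bare path
followed by a detail line of the form
    [created] - [modified] - size attributes (company) MD5
and that entry is the first thing a helper examines.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SECTION_RE = re.compile(r"^=+\s*Bamital & volsnap Check\s*=+$")
LEGIT_SUFFIX = " => MD5 is legit"
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) "
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)

# Constructed sample: the check section as it appears in the FRST log posted
# above, trimmed to a few entries (the hash is the one from that log).
SAMPLE_LOG = """\
========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\\Windows\\System32\\winlogon.exe => MD5 is legit
C:\\Windows\\System32\\wininit.exe => MD5 is legit
C:\\Windows\\System32\\svchost.exe => MD5 is legit
C:\\Windows\\System32\\services.exe
[2009-10-20 12:05] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\\Windows\\System32\\User32.dll => MD5 is legit
C:\\Windows\\System32\\Drivers\\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\\...\\.exe: exefile => OK
"""


@dataclass
class CheckedFile:
    """One entry from the check: a file FRST hashed and its verdict."""
    path: str
    md5_legit: bool
    created: Optional[str] = None
    modified: Optional[str] = None
    size: Optional[int] = None
    attributes: Optional[str] = None
    company: Optional[str] = None
    md5: Optional[str] = None


def _section_lines(log_text: str) -> List[str]:
    """Return the non-empty lines between the section header and the next one."""
    collected: List[str] = []
    inside = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not inside:
            inside = bool(SECTION_RE.match(line))
            continue
        if line.startswith("===="):  # next section header ends ours
            break
        if line:
            collected.append(line)
    return collected


def parse_bamital_section(log_text: str) -> List[CheckedFile]:
    """Turn the section into records, attaching detail lines to flagged paths."""
    lines = _section_lines(log_text)
    records: List[CheckedFile] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line.endswith(LEGIT_SUFFIX):
            records.append(CheckedFile(line[: -len(LEGIT_SUFFIX)], md5_legit=True))
            continue
        rec = CheckedFile(line, md5_legit=False)
        if i < len(lines):
            m = DETAIL_RE.match(lines[i])
            if m:  # a flagged path is normally followed by its detail line
                rec.created, rec.modified = m["created"], m["modified"]
                rec.size = int(m["size"])
                rec.attributes = m["attrs"]
                rec.company = m["company"].strip() or None
                rec.md5 = m["md5"].upper()
                i += 1
        records.append(rec)
    return records


def flagged_files(records: List[CheckedFile]) -> List[CheckedFile]:
    """Files whose MD5 FRST did not recognise; these get compared against a
    known-good copy (the fix in this thread took one from C:\\Windows\\winsxs)."""
    return [r for r in records if not r.md5_legit]


def summarize(records: List[CheckedFile]) -> List[str]:
    """Human-readable lines for the flagged entries only."""
    out = []
    for r in flagged_files(records):
        if r.md5 is None:
            out.append(f"CHECK {r.path}: no detail line in log")
        else:
            out.append(f"CHECK {r.path}: size={r.size} md5={r.md5} "
                       f"company={r.company} modified={r.modified}")
    return out


if __name__ == "__main__":
    for line in summarize(parse_bamital_section(SAMPLE_LOG)):
        print(line)
```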
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    nVidia option should be network card, right?

    Let's try a couple of things over again. I looked a lot closer and am trying a couple of things...

    FRST64 Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Now restart, let it boot normally and tell me how it went.
     
  12. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    Here you go:
    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 16-07-2012 01
    Ran by SYSTEM at 2012-07-25 21:52:19 Run:4
    Running from H:\

    ==============================================

    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    HKEY_USERS\Rob\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableLockWorkstation Value deleted successfully.
    HKEY_USERS\Rob\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableChangePassword Value deleted successfully.
    C:\windows\system32\services.exe moved successfully.
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe copied successfully to C:\windows\system32\services.exe

    ==== End of Fixlog ====


    I don't know if it's relevant, but on running FRST I noted the USB ports have been assigned different letters. I was using K and this is now the CD/DVD drive?? What was K is now H, as you can see above.

    I AM PAST THE BLACK SCREEN!!
    Windows welcome screen up and logged in OK.
    No messages coming up.
    Internet up OK.
    I think I must have managed to disable some of the start-up apps, so possibly no protection of any kind running. Do I run a malware programme of some kind now?!

    This is fantastic!! See a light at the end of the tunnel. :) Thank you.

    Await next move....
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Excellent news!

    ComboFix

    Please download ComboFix by sUBs from BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method as above, but download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
  14. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    All looking good.... still have virus protection etc. switched off as per above, so let me know if I should reinstate?
    :)

    ComboFix 12-07-27.03 - Rob 27/07/2012 19:43:05.1.3 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.4094.2716 [GMT 1:00]
    Running from: c:\users\Rob\Desktop\svchost.exe.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\SPL6CA7.tmp
    c:\users\Rob\AppData\Local\{9E77D259-A81E-4160-850E-26E1A90DE62E}
    c:\users\Rob\AppData\Local\{9E77D259-A81E-4160-850E-26E1A90DE62E}\chrome.manifest
    c:\users\Rob\AppData\Local\{9E77D259-A81E-4160-850E-26E1A90DE62E}\chrome\content\_cfg.js
    c:\users\Rob\AppData\Local\{9E77D259-A81E-4160-850E-26E1A90DE62E}\chrome\content\overlay.xul
    c:\users\Rob\AppData\Local\{9E77D259-A81E-4160-850E-26E1A90DE62E}\install.rdf
    c:\users\Rob\AppData\Roaming\Adobe\plugs
    c:\users\Rob\AppData\Roaming\Adobe\plugs\mmc106.exe
    c:\users\Rob\AppData\Roaming\Adobe\plugs\mmc146.exe
    c:\users\Rob\AppData\Roaming\Adobe\plugs\mmc163.exe
    c:\users\Rob\AppData\Roaming\Adobe\plugs\mmc238.exe
    c:\users\Rob\AppData\Roaming\Adobe\shed
    c:\users\Rob\AppData\Roaming\Adobe\shed\thr1.chm
    c:\users\Rob\Taskmgr.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-27 to 2012-07-27 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-25 21:06 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{696BC3A1-BA6E-464C-B7EC-49F8A3E862FA}\mpengine.dll
    2012-07-16 19:08 . 2012-07-16 19:08 -------- d-----w- C:\FRST
    2012-07-16 14:49 . 2012-07-16 15:26 -------- d-----w- c:\programdata\MFAData
    2012-07-16 14:49 . 2012-07-16 14:49 -------- d--h--w- c:\programdata\Common Files
    2012-07-08 11:30 . 2012-07-08 11:30 -------- d-----w- c:\users\Rob\AppData\Roaming\DriverCure
    2012-07-08 11:30 . 2012-07-08 11:30 -------- d-----w- c:\users\Rob\AppData\Roaming\SpeedMaxPc
    2012-07-08 11:30 . 2012-07-08 11:30 -------- d-----w- c:\program files (x86)\Common Files\SpeedMaxPc
    2012-07-08 11:30 . 2012-07-08 11:30 -------- d-----w- c:\programdata\SpeedMaxPc
    2012-07-08 11:30 . 2012-07-08 11:30 -------- d-----w- c:\program files (x86)\SpeedMaxPc
    2012-07-07 22:10 . 2012-02-09 13:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{09A9BD8A-9120-471F-AB78-5000EF23E417}\gapaengine.dll
    2012-07-07 22:09 . 2012-06-18 02:12 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-07-07 22:08 . 2012-07-07 22:08 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2012-07-07 22:08 . 2012-07-07 22:08 -------- d-----w- c:\program files\Microsoft Security Client
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-06 22:16 . 2012-05-05 09:02 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-07-06 22:16 . 2011-11-20 11:53 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-15 17:47 . 2006-11-02 12:35 58957832 ----a-w- c:\windows\system32\mrt.exe
    2012-06-02 22:19 . 2012-06-24 10:10 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-24 10:10 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:19 . 2012-06-24 10:10 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-24 10:10 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-24 10:10 35864 ----a-w- c:\windows\SysWow64\wups.dll
    2012-06-02 22:19 . 2012-06-24 10:10 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-24 10:10 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
    2012-06-02 22:15 . 2012-06-24 10:10 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:15 . 2012-06-24 10:10 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 22:12 . 2012-06-24 10:10 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
    2012-06-02 14:19 . 2012-06-24 10:10 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 14:19 . 2012-06-24 10:10 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
    2012-06-02 14:15 . 2012-06-24 10:10 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-02 14:12 . 2012-06-24 10:10 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
    2012-05-31 11:25 . 2009-12-11 18:57 279656 ------w- c:\windows\system32\MpSigStub.exe
    2012-05-18 02:47 . 2012-06-15 17:54 17807360 ----a-w- c:\windows\system32\mshtml.dll
    2012-05-18 02:16 . 2012-06-15 17:54 10924032 ----a-w- c:\windows\system32\ieframe.dll
    2012-05-18 02:06 . 2012-06-15 17:54 2311680 ----a-w- c:\windows\system32\jscript9.dll
    2012-05-18 01:59 . 2012-06-15 17:54 1346048 ----a-w- c:\windows\system32\urlmon.dll
    2012-05-18 01:59 . 2012-06-15 17:54 1392128 ----a-w- c:\windows\system32\wininet.dll
    2012-05-18 01:58 . 2012-06-15 17:54 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-05-18 01:58 . 2012-06-15 17:54 237056 ----a-w- c:\windows\system32\url.dll
    2012-05-18 01:56 . 2012-06-15 17:54 85504 ----a-w- c:\windows\system32\jsproxy.dll
    2012-05-18 01:55 . 2012-06-15 17:54 173056 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-05-18 01:55 . 2012-06-15 17:54 818688 ----a-w- c:\windows\system32\jscript.dll
    2012-05-18 01:54 . 2012-06-15 17:54 2144768 ----a-w- c:\windows\system32\iertutil.dll
    2012-05-18 01:51 . 2012-06-15 17:54 96768 ----a-w- c:\windows\system32\mshtmled.dll
    2012-05-18 01:51 . 2012-06-15 17:54 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-05-18 01:47 . 2012-06-15 17:54 248320 ----a-w- c:\windows\system32\ieui.dll
    2012-05-17 22:45 . 2012-06-15 17:54 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll
    2012-05-17 22:35 . 2012-06-15 17:54 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
    2012-05-17 22:35 . 2012-06-15 17:54 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
    2012-05-17 22:29 . 2012-06-15 17:54 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
    2012-05-17 22:24 . 2012-06-15 17:54 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
    2012-05-15 20:15 . 2012-06-13 19:54 2767360 ----a-w- c:\windows\system32\win32k.sys
    2012-05-01 14:29 . 2012-06-13 19:54 209920 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    "HideFastUserSwitching"= 0 (0x0)
    .
    [hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HsdService]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
    @="Service"
    .
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    .
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    ezSharedSvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 10:34]
    .
    2012-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 10:34]
    .
    2012-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1198968773-186493069-1406013737-1000Core.job
    - c:\users\Rob\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-15 18:53]
    .
    2012-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1198968773-186493069-1406013737-1000UA.job
    - c:\users\Rob\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-15 18:53]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&m=imedia_s3210&r=1v3607091106p03e5vq35y46219303
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 192.168.0.1
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-mcmscsvc
    SafeBoot-MCODS
    AddRemove-EasyBits Magic Desktop - c:\windows\system32\ezMDUninstall.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    c:\windows\system32\HidService.exe
    c:\program files (x86)\Virgin Media\Digital Home Support\HsdService.exe
    c:\windows\SysWOW64\IoctlSvc.exe
    c:\program files (x86)\Virgin Media\Service Manager\ServicepointService.exe
    c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-27 19:58:17 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-27 18:58
    .
    Pre-Run: 206,397,480,960 bytes free
    Post-Run: 207,322,128,384 bytes free
    .
    - - End Of File - - 7D2E4BD84DECEF2733DC26C8850551CF
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Might as well get rid of these while we're at it...

    ComboFix Script

    • Close any open browsers.
    • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

      [IMG]
    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and Scan unwanted applications are checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
  16. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    Great

    1st text file for you, now scanning so will update further in a few hours:


    ComboFix 12-07-27.03 - Rob 28/07/2012 20:56:18.2.3 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.4094.2262 [GMT 1:00]
    Running from: c:\users\Rob\Desktop\svchost.exe.exe
    Command switches used :: c:\users\Rob\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files (x86)\Common Files\SpeedMaxPc
    c:\program files (x86)\Common Files\SpeedMaxPc\UUS3\Images\close.png
    c:\program files (x86)\Common Files\SpeedMaxPc\UUS3\Images\close_md.png
    c:\program files (x86)\Common Files\SpeedMaxPc\UUS3\Images\close_mo.png
    c:\program files (x86)\Common Files\SpeedMaxPc\UUS3\Images\close_pu.png
    c:\program files (x86)\Common Files\SpeedMaxPc\UUS3\Images\close_pu_md.png
    c:\program files (x86)\Common Files\SpeedMaxPc\UUS3\Images\close_pu_mo.png
    c:\program files (x86)\Common Files\SpeedMaxPc\UUS3\Images\Logo.png
    c:\program files (x86)\Common Files\SpeedMaxPc\UUS3\Images\min.png
    c:\program files (x86)\Common Files\SpeedMaxPc\UUS3\Images\min_md.png
    c:\program files (x86)\Common Files\SpeedMaxPc\UUS3\Images\min_mo.png
    c:\program files (x86)\Common Files\SpeedMaxPc\UUS3\Images\topbar_gradient.png
    c:\program files (x86)\Common Files\SpeedMaxPc\UUS3\LiteUnzip.dll
    c:\program files (x86)\Common Files\SpeedMaxPc\UUS3\settings.xml
    c:\program files (x86)\Common Files\SpeedMaxPc\UUS3\Update3.exe
    c:\program files (x86)\Common Files\SpeedMaxPc\UUS3\UUS3.dll
    c:\program files (x86)\SpeedMaxPc
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\7ZipDLL.dll
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\colors.xml
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\CommonLoggingExtension.pxt
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\CommonSpecialist.pxt
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\ExtensionManager.dll
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HandleUpdate.dll
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\0_days.htm
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\1_days.htm
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\15_days.htm
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\2_days.htm
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\30_days.htm
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\5_days.htm
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\container_content_bkimg.gif
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\container_content_leftimg.gif
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\container_content_rightimg.gif
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\error_connect.html
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\images\10x10.gif
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\images\10x10tile.gif
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\images\contentwrapper.gif
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\images\error_internet.jpg
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\images\footerbarfill.gif
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\images\info_bubble.jpg
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\images\pcha_background.jpg
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\images\tile_footerbarbase.jpg
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\images\tile_subheadbarbase.jpg
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\images\tile_titlebarbase.jpg
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\main.css
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\main_error.css
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\package_titlebar_bkimg.jpg
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\uninstall\box_screen.jpg
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\uninstall\default_button.gif
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\uninstall\default_button_over.gif
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\uninstall\header_background.jpg
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\HTML\uninstall\index.html
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Audio\cancel.wav
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Audio\complete.wav
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\buttons\btn.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\buttons\btn_over.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\buttons\button_bho.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\buttons\button_defrag.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\buttons\button_file.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\buttons\button_generalsettings.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\buttons\button_ignore.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\buttons\button_junk.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\buttons\button_privacy.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\buttons\button_process.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\buttons\button_registry.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\buttons\button_schedule.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\buttons\button_startup.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\buttons\register.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\buttons\register_over.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\buttons\register_over_small.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\buttons\register_small.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\buttons\renew.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\buttons\renew_over.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\buttons\settings_button.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\buttons\settings_button_over.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\buttons\start.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\buttons\start_over.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\defrag\c_empty.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\defrag\c_frag.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\defrag\c_unfrag.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\defrag\c_unknown.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\defrag\c_unmove.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Frame\close.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Frame\dlg_title.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Frame\logo.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Frame\max.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Frame\min.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Frame\register.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Frame\register_close.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Frame\register_close_over.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Frame\register_over.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Frame\renew.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Frame\renew_over.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Frame\restore.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Frame\tab_bg.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Frame\tabactive_bg.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Frame\tabover_bg.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Frame\tfn_bg.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Frame\tfn_logo.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Frame\title_bar.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Frame\upper_divider.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\general\collapse.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\general\delete.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\general\expand.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\general\progress_glow.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\bho.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\dup_audio.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\dup_doc.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\dup_image.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\dup_other.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\dup_video.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\ig_drivers.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\ig_proc.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\ig_reg.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\junk.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\priv_3rd.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\priv_browser.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\priv_email.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\priv_fs.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\priv_im.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\priv_multi.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\priv_office.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\priv_other.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\priv_windows.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\reg_apppath.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\reg_com.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\reg_dll.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\reg_empty.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\reg_extensions.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\reg_filepath.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\reg_font.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\reg_help.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\reg_shortcut.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\reg_startup.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\reg_uninstall.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\group\startup.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\headers\header_about.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\headers\header_bho.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\headers\header_clean.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\headers\header_defrag.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\headers\header_file.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\headers\header_junk.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\headers\header_junk_settings.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\headers\header_malware.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\headers\header_performance.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\headers\header_privacy.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\headers\header_process.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\headers\header_registry.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\headers\header_restore.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\headers\header_settings.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\headers\header_startup.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\headers\header_tools.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\headers\settings_general.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\headers\settings_ignore.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\headers\settings_privacy.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\headers\settings_registry.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\headers\settings_schedule.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Icons\info.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Icons\warning.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\list\other.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\list\process\bho.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\list\process\process.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\list\process\startup.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\list\recommendations\rec_malware16.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\list\recommendations\rec_malware24.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\list\recommendations\rec_malware32.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\list\recommendations\rec_system16.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\list\recommendations\rec_system24.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\list\recommendations\rec_system32.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\list\recommendations\rec_unknown16.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\list\recommendations\rec_unknown24.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\list\recommendations\rec_unknown32.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\list\recommendations\rec_unwanted16.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\list\recommendations\rec_unwanted24.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\list\recommendations\rec_unwanted32.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\list\recommendations\rec_userapp16.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\list\recommendations\rec_userapp24.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\list\recommendations\rec_userapp32.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\011.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\012.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\animation\01.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\animation\02.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\animation\03.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\animation\04.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\animation\05.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\animation\06.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\animation\07.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\animation\08.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\animation\09.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\check.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\damage1.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\damage2.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\damage3.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\damage4.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\damage5.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\damage6.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\error.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\error_large.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\Fix.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\Fix_over.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\junk.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\malware.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\md5.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\privacy.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\process-animation.gif
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\rating_h.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\rating_h_scan.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\rating_l.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\rating_l_scan.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\rating_m.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\rating_m_scan.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\rating_mh.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\rating_mh_scan.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\rating_ml.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\rating_ml_scan.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\registry.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\security_high.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\security_low.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Scan\warning.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Tabs\overview.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Tabs\restore.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Tabs\scan.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Tabs\settings.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Images\Tabs\tools.png
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\LiteUnzip.dll
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\LiteZip.dll
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\LogSettings.xml
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\MyResources.dll
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\privacy.db
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\RegHookSpecialist.pxt
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\SandBoxer.dll
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\settings.xml
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\SpeedMaxPc.exe
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\sqlite3.dll
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\uninstall.exe
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\UNS.xml
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\Utility.pxt
    c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\whitelist.dat
    c:\programdata\MFAData
    c:\programdata\MFAData\logs\mfa-20120716-150558.log
    c:\programdata\MFAData\logs\mfa-20120716-152251.log
    c:\programdata\MFAData\logs\mfa-20120716-152614.log
    c:\programdata\MFAData\logs\msi-20120716-150058.log
    c:\programdata\MFAData\logs\msi-20120716-152251.log
    c:\programdata\MFAData\logs\msi-20120716-152614.log
    c:\programdata\MFAData\mfaurlconf.ini
    c:\programdata\MFAData\msistorg.dat
    c:\programdata\MFAData\msistorg.dat.bkp
    c:\programdata\MFAData\pack\AlertMga.cab
    c:\programdata\MFAData\pack\AntiRka.cab
    c:\programdata\MFAData\pack\Antivira.cab
    c:\programdata\MFAData\pack\avg12infoavi.ctf
    c:\programdata\MFAData\pack\avg12infooi.ctf
    c:\programdata\MFAData\pack\avg12infowin.ctf
    c:\programdata\MFAData\pack\Avgx64.msi
    c:\programdata\MFAData\pack\AVIsa.cab
    c:\programdata\MFAData\pack\basea.cab
    c:\programdata\MFAData\pack\bins\poi12ppc2_dtc26dv.bin
    c:\programdata\MFAData\pack\bins\poi12ppc2_lic15ih.bin
    c:\programdata\MFAData\pack\bins\w12alertmga2195sv.bin
    c:\programdata\MFAData\pack\bins\w12antirka2195bp.bin
    c:\programdata\MFAData\pack\bins\w12antivira2195tq.bin
    c:\programdata\MFAData\pack\bins\w12avga2195gi.bin
    c:\programdata\MFAData\pack\bins\w12avisa2195ef.bin
    c:\programdata\MFAData\pack\bins\w12basa2195ph.bin
    c:\programdata\MFAData\pack\bins\w12corea2437iv.bin
    c:\programdata\MFAData\pack\bins\w12emailsa2195in.bin
    c:\programdata\MFAData\pack\bins\w12guia2195wk.bin
    c:\programdata\MFAData\pack\bins\w12idata2195rz.bin
    c:\programdata\MFAData\pack\bins\w12idpa2195fy.bin
    c:\programdata\MFAData\pack\bins\w12lng_usa2195jj.bin
    c:\programdata\MFAData\pack\bins\w12onlnsca2195oc.bin
    c:\programdata\MFAData\pack\bins\w12rdsta2195ez.bin
    c:\programdata\MFAData\pack\bins\w12rdstx2195dv.bin
    c:\programdata\MFAData\pack\bins\w12resshlda2195ug.bin
    c:\programdata\MFAData\pack\bins\w12srchsrfa2195qa.bin
    c:\programdata\MFAData\pack\bins\w12sshttpba2195sx.bin
    c:\programdata\MFAData\pack\bins\w12tdidrva2195qb.bin
    c:\programdata\MFAData\pack\bins\w12tuneupa2195mm.bin
    c:\programdata\MFAData\pack\bins\w12update2a2195ol.bin
    c:\programdata\MFAData\pack\bins\w12updatea2195fn.bin
    c:\programdata\MFAData\pack\bins\w12xpla2195mt.bin
    c:\programdata\MFAData\pack\COREa.cab
    c:\programdata\MFAData\pack\COREx64.msi
    c:\programdata\MFAData\pack\crt_x64.msi
    c:\programdata\MFAData\pack\Emailsa.cab
    c:\programdata\MFAData\pack\GUIa.cab
    c:\programdata\MFAData\pack\idata.cab
    c:\programdata\MFAData\pack\IDPa.cab
    c:\programdata\MFAData\pack\lic.mdf
    c:\programdata\MFAData\pack\lng_usa.cab
    c:\programdata\MFAData\pack\OnlnSca.cab
    c:\programdata\MFAData\pack\ppc2_dtc.mdf
    c:\programdata\MFAData\pack\ResShlda.cab
    c:\programdata\MFAData\pack\SrchSrfa.cab
    c:\programdata\MFAData\pack\SSHttpBa.cab
    c:\programdata\MFAData\pack\TDIDrva.cab
    c:\programdata\MFAData\pack\TuneUpa.cab
    c:\programdata\MFAData\pack\Update2a.cab
    c:\programdata\MFAData\pack\Updatea.cab
    c:\programdata\MFAData\pack\vc_red.cab
    c:\programdata\MFAData\pack\vc_red.msi
    c:\programdata\MFAData\pack\xpla.cab
    c:\programdata\MFAData\public_installation_log.xml
    c:\programdata\SpeedMaxPc
    c:\programdata\SpeedMaxPc\SpeedMaxPc\dc_db.db
    c:\programdata\SpeedMaxPc\UUS3\Master.xml
    c:\programdata\SpeedMaxPc\UUS3\Patch.xml
    c:\programdata\SpeedMaxPc\UUS3\speedmaxpc\Database.xml
    c:\programdata\SpeedMaxPc\UUS3\speedmaxpc\Master.xml
    c:\programdata\SpeedMaxPc\UUS3\speedmaxpc\Patch.xml
    c:\programdata\SpeedMaxPc\UUS3\speedmaxpc\Update.xml
    c:\programdata\SpeedMaxPc\UUS3\Update.xml
    c:\users\Rob\AppData\Roaming\DriverCure
    c:\users\Rob\AppData\Roaming\DriverCure\LogFile.txt
    c:\users\Rob\AppData\Roaming\SpeedMaxPc
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-28 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-28 20:06 . 2012-07-28 20:06  69000  ----a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{696BC3A1-BA6E-464C-B7EC-49F8A3E862FA}\offreg.dll
    2012-07-28 20:05 . 2012-07-28 20:08  --------  d-----w-  c:\users\Rob\AppData\Local\temp
    2012-07-28 20:05 . 2012-07-28 20:05  --------  d-----w-  c:\users\Default\AppData\Local\temp
    2012-07-25 21:06 . 2012-06-29 10:04  9133488  ----a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{696BC3A1-BA6E-464C-B7EC-49F8A3E862FA}\mpengine.dll
    2012-07-16 19:08 . 2012-07-16 19:08  --------  d-----w-  C:\FRST
    2012-07-16 14:49 . 2012-07-16 14:49  --------  d--h--w-  c:\programdata\Common Files
    2012-07-07 22:10 . 2012-02-09 13:17  927800  ----a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{09A9BD8A-9120-471F-AB78-5000EF23E417}\gapaengine.dll
    2012-07-07 22:09 . 2012-06-18 02:12  9013136  ----a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-07-07 22:08 . 2012-07-07 22:08  --------  d-----w-  c:\program files (x86)\Microsoft Security Client
    2012-07-07 22:08 . 2012-07-07 22:08  --------  d-----w-  c:\program files\Microsoft Security Client
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-06 22:16 . 2012-05-05 09:02  426184  ----a-w-  c:\windows\SysWow64\FlashPlayerApp.exe
    2012-07-06 22:16 . 2011-11-20 11:53  70344  ----a-w-  c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-15 17:47 . 2006-11-02 12:35  58957832  ----a-w-  c:\windows\system32\mrt.exe
    2012-06-02 22:19 . 2012-06-24 10:10  38424  ----a-w-  c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-24 10:10  2428952  ----a-w-  c:\windows\system32\wuaueng.dll
    2012-06-02 22:19 . 2012-06-24 10:10  44056  ----a-w-  c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-24 10:10  57880  ----a-w-  c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-24 10:10  35864  ----a-w-  c:\windows\SysWow64\wups.dll
    2012-06-02 22:19 . 2012-06-24 10:10  701976  ----a-w-  c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-24 10:10  577048  ----a-w-  c:\windows\SysWow64\wuapi.dll
    2012-06-02 22:15 . 2012-06-24 10:10  2622464  ----a-w-  c:\windows\system32\wucltux.dll
    2012-06-02 22:15 . 2012-06-24 10:10  99840  ----a-w-  c:\windows\system32\wudriver.dll
    2012-06-02 22:12 . 2012-06-24 10:10  88576  ----a-w-  c:\windows\SysWow64\wudriver.dll
    2012-06-02 14:19 . 2012-06-24 10:10  186752  ----a-w-  c:\windows\system32\wuwebv.dll
    2012-06-02 14:19 . 2012-06-24 10:10  171904  ----a-w-  c:\windows\SysWow64\wuwebv.dll
    2012-06-02 14:15 . 2012-06-24 10:10  36864  ----a-w-  c:\windows\system32\wuapp.exe
    2012-06-02 14:12 . 2012-06-24 10:10  33792  ----a-w-  c:\windows\SysWow64\wuapp.exe
    2012-05-31 11:25 . 2009-12-11 18:57  279656  ------w-  c:\windows\system32\MpSigStub.exe
    2012-05-18 02:47 . 2012-06-15 17:54  17807360  ----a-w-  c:\windows\system32\mshtml.dll
    2012-05-18 02:16 . 2012-06-15 17:54  10924032  ----a-w-  c:\windows\system32\ieframe.dll
    2012-05-18 02:06 . 2012-06-15 17:54  2311680  ----a-w-  c:\windows\system32\jscript9.dll
    2012-05-18 01:59 . 2012-06-15 17:54  1346048  ----a-w-  c:\windows\system32\urlmon.dll
    2012-05-18 01:59 . 2012-06-15 17:54  1392128  ----a-w-  c:\windows\system32\wininet.dll
    2012-05-18 01:58 . 2012-06-15 17:54  1494528  ----a-w-  c:\windows\system32\inetcpl.cpl
    2012-05-18 01:58 . 2012-06-15 17:54  237056  ----a-w-  c:\windows\system32\url.dll
    2012-05-18 01:56 . 2012-06-15 17:54  85504  ----a-w-  c:\windows\system32\jsproxy.dll
    2012-05-18 01:55 . 2012-06-15 17:54  173056  ----a-w-  c:\windows\system32\ieUnatt.exe
    2012-05-18 01:55 . 2012-06-15 17:54  818688  ----a-w-  c:\windows\system32\jscript.dll
    2012-05-18 01:54 . 2012-06-15 17:54  2144768  ----a-w-  c:\windows\system32\iertutil.dll
    2012-05-18 01:51 . 2012-06-15 17:54  96768  ----a-w-  c:\windows\system32\mshtmled.dll
    2012-05-18 01:51 . 2012-06-15 17:54  2382848  ----a-w-  c:\windows\system32\mshtml.tlb
    2012-05-18 01:47 . 2012-06-15 17:54  248320  ----a-w-  c:\windows\system32\ieui.dll
    2012-05-17 22:45 . 2012-06-15 17:54  1800192  ----a-w-  c:\windows\SysWow64\jscript9.dll
    2012-05-17 22:35 . 2012-06-15 17:54  1129472  ----a-w-  c:\windows\SysWow64\wininet.dll
    2012-05-17 22:35 . 2012-06-15 17:54  1427968  ----a-w-  c:\windows\SysWow64\inetcpl.cpl
    2012-05-17 22:29 . 2012-06-15 17:54  142848  ----a-w-  c:\windows\SysWow64\ieUnatt.exe
    2012-05-17 22:24 . 2012-06-15 17:54  2382848  ----a-w-  c:\windows\SysWow64\mshtml.tlb
    2012-05-15 20:15 . 2012-06-13 19:54  2767360  ----a-w-  c:\windows\system32\win32k.sys
    2012-05-01 14:29 . 2012-06-13 19:54  209920  ----a-w-  c:\windows\system32\drivers\rdpwd.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-07-27_18.53.39 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-21 02:23 . 2012-07-28 20:09  79052  c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 15:45 . 2012-07-28 19:49  97478  c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2009-09-12 12:25 . 2012-07-28 19:49  19562  c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1198968773-186493069-1406013737-1000_UserData.bin
    + 2012-07-28 19:52 . 2012-07-28 19:52  11442  c:\windows\SoftwareDistribution\EventCache\{AF9B929C-A957-476B-880A-39F3BD7026D2}.bin
    + 2009-10-14 21:53 . 2012-07-27 19:07  2246  c:\windows\system32\WDI\ERCQueuedResolutions.dat
    - 2012-07-27 18:53 . 2012-07-27 18:53  2048  c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-07-28 20:06 . 2012-07-28 20:06  2048  c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-07-27 18:53 . 2012-07-27 18:53  2048  c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-07-28 20:06 . 2012-07-28 20:06  2048  c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2006-11-02 12:46 . 2012-07-27 18:37  658124  c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2012-07-28 19:53  658124  c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2012-07-28 19:53  127346  c:\windows\system32\perfc009.dat
    - 2006-11-02 12:46 . 2012-07-27 18:37  127346  c:\windows\system32\perfc009.dat
    - 2011-02-10 08:37 . 2012-07-27 18:52  410332  c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-02-10 08:37 . 2012-07-28 20:05  410332  c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2011-04-30 03:34 . 2012-07-06 22:21  2467004  c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1198968773-186493069-1406013737-1000-8192.dat
    + 2011-04-30 03:34 . 2012-07-27 19:07  2467004  c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1198968773-186493069-1406013737-1000-8192.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    "HideFastUserSwitching"= 0 (0x0)
    .
    [hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HsdService]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
    @="Service"
    .
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    .
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    ezSharedSvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 10:34]
    .
    2012-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 10:34]
    .
    2012-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1198968773-186493069-1406013737-1000Core.job
    - c:\users\Rob\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-15 18:53]
    .
    2012-07-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1198968773-186493069-1406013737-1000UA.job
    - c:\users\Rob\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-15 18:53]
    .
    .
    --------- X64 Entries -----------
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&m=imedia_s3210&r=1v3607091106p03e5vq35y46219303
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 192.168.0.1
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-{EF4F8650-7710-4CA0-831D-4AA9C1CF6D87} - c:\program files (x86)\SpeedMaxPc\SpeedMaxPc\uninstall.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    c:\windows\system32\HidService.exe
    c:\program files (x86)\Virgin Media\Digital Home Support\HsdService.exe
    c:\windows\SysWOW64\IoctlSvc.exe
    c:\program files (x86)\Virgin Media\Service Manager\ServicepointService.exe
    c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-28 21:12:51 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-28 20:12
    ComboFix2.txt 2012-07-27 18:58
    .
    Pre-Run: 207,189,356,544 bytes free
    Post-Run: 207,114,833,920 bytes free
    .
    - - End Of File - - B7BABA362BBEE261656609F5119848A6
  17. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner64.ocx - registred OK
    OnlineScanner.ocx - registred OK
  18. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    (y) Not sure if you want this one too ... list of scan results:

    C:\FRST\Quarantine\xsecva\xsecva.exe | a variant of Win32/Vcaredrix.A trojan | cleaned by deleting - quarantined
    C:\FRST\Quarantine\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\n | Win64/Sirefef.W trojan | cleaned by deleting - quarantined
    C:\FRST\Quarantine\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\U\80000000.@ | Win64/Sirefef.AL trojan | cleaned by deleting - quarantined
    C:\FRST\Quarantine\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\U\00000008.@ | Win64/Agent.BA trojan | cleaned by deleting - quarantined
    C:\FRST\Quarantine\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\U\000000cb.@ | Win64/Conedex.B trojan | cleaned by deleting - quarantined
    C:\FRST\Quarantine\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\U\80000000.@ | Win64/Sirefef.AE trojan | cleaned by deleting - quarantined
    C:\FRST\Quarantine\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\U\80000032.@ | a variant of Win32/Sirefef.FD trojan | cleaned by deleting - quarantined
    C:\FRST\Quarantine\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\{86fe38bd-e6ce-2fa3-84c1-225639a4b68b}\U\80000064.@ | Win64/Sirefef.AN trojan | cleaned by deleting - quarantined
    C:\Users\Rob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7YRXO72W\I[1].htm | JS/Kryptik.NX trojan | cleaned by deleting - quarantined
    C:\Users\Rob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8250MDMI\jelly-in-shirt-sponsorship-with-crystal-palace[1].htm | HTML/Iframe.B.Gen virus | deleted - quarantined
    C:\Users\Rob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GBSJ5AV5\jelly-in-shirt-sponsorship-with-crystal-palace[1].htm | HTML/Iframe.B.Gen virus | deleted - quarantined
    C:\Users\Rob\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\3e060fc1-1affdcb8 | a variant of Java/TrojanDownloader.OpenStream.NCM trojan | cleaned by deleting - quarantined
    C:\Users\Rob\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\5cfe6714-74c7a6d9 | a variant of Win32/Kryptik.QXK trojan | cleaned by deleting - quarantined
  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi! Your logs appear to be clean. If there are no more issues, then we shall clean up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name, e.g. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive, e.g. C
    • For a few moments the system will make some calculations
    • Select the More Options tab
    • In the System Restore and Shadow Backups select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Please download TFC by OldTimer to your desktop
    • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • It will close all programs when run, so make sure you have saved all your work before you begin.
    • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
    • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Tell me in your next reply, if you have completed these tasks:
    • Cleaned System Restore
    • Ran OTC
    • Ran TFC
    • Ran Security Check
    Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
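    The restore-point part of the clean-up above, as an added PowerShell example that is not from Jay's post or from any of the tools it names. It assumes Vista or 7 (where restore points are kept as VSS shadow copies), System Protection enabled on the drive, and an elevated PowerShell session; the drive letter and the point name are parameters.

    ```powershell
    # Added example: script the two manual System Restore steps from the post above.
    # Step 1 creates a new restore point named "Clean"; step 2 purges every older
    # restore point on the chosen drive, like Disk Cleanup's "System Restore and
    # Shadow Copies > Clean up", which keeps only the most recent point.
    # Assumptions: Windows Vista/7, System Protection on for $Drive, run as Administrator.
    param(
        [string]$Drive = 'C:',      # drive whose old restore points are purged
        [string]$Name  = 'Clean'    # description of the new, known-clean point
    )

    # Step 1: create the restore point (same as System Protection > Create).
    Checkpoint-Computer -Description $Name -RestorePointType MODIFY_SETTINGS

    # Step 2: locate the volume. Win32_Volume.DeviceID is the \\?\Volume{GUID}\ form
    # that Win32_ShadowCopy.VolumeName uses, so it is the key for matching shadow copies.
    $volume = Get-WmiObject -Class Win32_Volume -Filter "DriveLetter='$Drive'"
    if (-not $volume) { throw "No volume with drive letter $Drive" }

    # InstallDate is a DMTF string (yyyymmddHHMMSS...), so sorting it as text is
    # chronological: oldest first, the point just created last. @() keeps .Count
    # valid on PowerShell 2.0 even when zero or one copy is returned.
    $shadows = @(Get-WmiObject -Class Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID } |
        Sort-Object -Property InstallDate)

    # Keep the newest shadow copy (the "Clean" point) and delete the rest.
    # Note: on Vista/7 this also discards the "Previous Versions" file history
    # those shadow copies carried, exactly as Disk Cleanup's button does.
    if ($shadows.Count -gt 1) {
        $shadows | Select-Object -First ($shadows.Count - 1) | ForEach-Object {
            Write-Host ("Deleting shadow copy {0} created {1}" -f $_.ID, $_.InstallDate)
            [void]$_.Delete()
        }
    }

    # Show what remains so the result can be checked against System Protection.
    Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, CreationTime -AutoSize
    ```

    Run it once after the malware removal is confirmed, not before: the point it creates is only as clean as the system at that moment.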
  20. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    Hi DMJ
    I didn't receive an email to alert me to your reply - sorry!
    I'll run this tomorrow - please don't close the case down ... I was thinking it had taken a long time. Should have checked the forum!!
    Thanks
  21. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    Hi
    Partially done. I got up to running OTC, but I get the following message (tried to download it from a Google search and got the same message):

    Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request.
    Please contact the server administrator, webmaster@oldtimer.geekstogo.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
    More information about this error may be available in the server error log.
    Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

    Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at oldtimer.geekstogo.com Port 80
  22. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

  23. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    I'd like to complete it all before you show it as solved - give me a few hours ... thanks
  24. MagsL

    MagsL Newcomer, in training Topic Starter Posts: 35

    I need a username and password to use that link ...
  25. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Goodness. Sorry that happened. Try again the first link that I gave you (the one hosted at GeeksToGo).