[Closed] Another hard drive clusters partly damaged


jeff12345

I just received a laptop from a family member for a trip to Spain, however it is completely infected with viruses. After doing a little research it seems to be the same problem that many here have had. I am COMPLETELY not computer savvy at all and was hoping for some help.

Thanks!!
 
Welcome to TechSpot, Jeff. About this:
I am COMPLETELY not computer savvy at all and was hoping for some help.
I will be glad to help, and I promise that if you read the instructions carefully and pay close attention to any directions I give you, you will come away much more 'computer savvy' than you are now!
==============================================
The 'hard drive cluster' message you are getting has been generated by a fake (Rogue) computer analysis and optimization program.

You may be experiencing some of the following:
  • The 'alerts' tell you the problems have led to corrupt and missing data
  • It will display false error messages and security warnings.
  • It "hides" icons, desktop, programs and files so that they appear to be missing and some programs can't be run
  • This can be installed through hacked sites that exploit vulnerabilities on the system or through fake online scanner pages
  • The malware is configured to automatically start when you logon to Windows.
  • It can also be started if you click on any of these alerts.
The scam is to make you think you have multiple problems and need to pay for their program to fix them.
Note: You may not experience all of the above, but it is important to tell me what problems you do have.

It's important that you do not click on any of these, nor try to act on any.
It is also possible that the malware won't allow you to download the programs directly to the infected computer- a flash drive may be needed.
=============================================
Please follow these steps: Preliminary Virus and Malware Removal.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
========================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't follow directions given to someone else
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.

If I haven't replied back to you within 48 hours, you can send a PM with your thread link in it as a reminder. Do not include technical problems from your thread. Support is given only in the forum.
Threads are closed after 5 days if there is no reply.
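As an added example (not part of this thread, and not a tool the helper asked for), the script below shows the two things a reviewer looks for first in logs like the ones posted later in this thread: Run-key autostarts that point at executables in user-writable folders (the persistence the helper describes, "configured to automatically start when you logon to Windows"), and HOSTS entries that redirect well-known hostnames to a non-loopback address (the "Hosts File Hijack" section of the DDS log). The sample lines are constructed, modelled on the DDS "Pseudo HJT Report" format; the heuristics (user-writable location, random-looking file name, non-loopback HOSTS target) are triage assumptions of mine, not vendor signatures, and will surface legitimate per-user software for review as well.

```python
import ipaddress
import re

# Constructed sample in DDS "Pseudo HJT Report" style (not a verbatim copy of the log).
SAMPLE_DDS_LINES = r'''
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
uRun: [79bjm5me7g] C:\Users\Ryan\79bjm5me7g.exe
uRun: [hhBUqpMjwRyef.exe] C:\ProgramData\hhBUqpMjwRyef.exe
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
Hosts: 93.115.241.28 www.google-analytics.com.
Hosts: 69.72.252.254 ad-emea.doubleclick.net.
Hosts: 127.0.0.1 localhost
mWinlogon: Userinit=userinit.exe,
'''

# DDS prefixes: u = HKCU, m = HKLM, d = HKU\.DEFAULT; "-x64" marks the 64-bit view.
RUN_RE = re.compile(r'^([umd])Run(?:Once)?(?:-x64)?: \[([^\]]+)\] (.+)$')
HOSTS_RE = re.compile(r'^Hosts: (\S+) (\S+)$')
HIVES = {'u': 'HKCU', 'm': 'HKLM', 'd': 'HKU\\.DEFAULT'}
# Locations a standard user can write to; autostarts from here deserve a look.
WRITABLE_DIRS = ('\\users\\', '\\programdata\\', '\\windows\\temp\\')


def extract_target(cmd):
    """Return the executable path from a Run value: the quoted part if quoted,
    otherwise everything up to and including the first '.exe' (DDS prints
    unquoted paths containing spaces, like the HP Software Update entry)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.+?\.exe)\b', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def looks_random(stem):
    """Heuristic for generated names such as 79bjm5me7g or hhBUqpMjwRyef:
    letters mixed with digits, or four or more consonants in a row."""
    mixed = bool(re.search(r'\d', stem)) and bool(re.search(r'[a-z]', stem, re.I))
    consonant_run = bool(re.search(r'[b-df-hj-np-tv-z]{4}', stem, re.I))
    return len(stem) >= 8 and (mixed or consonant_run)


def classify_run(target):
    """Reasons to review an autostart target, or None if it lives outside
    user-writable locations (e.g. under Program Files)."""
    low = target.lower()
    if not any(d in low for d in WRITABLE_DIRS):
        return None
    reasons = ['autostart from user-writable location']
    stem = re.sub(r'\.exe$', '', low.rsplit('\\', 1)[-1])
    if looks_random(stem):
        reasons.append('random-looking file name')
    return reasons


def classify_hosts(ip, host):
    """A HOSTS entry is benign only when it points at loopback or is a
    null-route (0.0.0.0); anything else redirects the name elsewhere."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return 'unparseable address'
    if addr.is_loopback or addr.is_unspecified:
        return None
    return '%s redirected to %s' % (host, ip)


def triage(text):
    """Scan DDS-style lines and return a list of findings (dicts)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            target = extract_target(cmd)
            reasons = classify_run(target)
            if reasons:
                findings.append({'kind': 'run', 'hive': HIVES[hive], 'name': name,
                                 'target': target, 'reasons': reasons})
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.group(1), m.group(2).rstrip('.')  # DDS appends a trailing dot
            reason = classify_hosts(ip, host)
            if reason:
                findings.append({'kind': 'hosts', 'hive': '-', 'name': host,
                                 'target': ip, 'reasons': [reason]})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_DDS_LINES):
        print('[%s] %s %s -> %s: %s' % (f['kind'], f['hive'], f['name'],
                                        f['target'], '; '.join(f['reasons'])))
```

On the sample, only the two profile-root autostarts and the two redirected hostnames are reported; the Skype, HP and McAfee entries and the localhost line are not. Paste the "Pseudo HJT Report" section of a real DDS log into `SAMPLE_DDS_LINES` (or read it from a file) to get the same first-pass list a helper would build by eye.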
 
Thank you so much for your help! GMER did not find any modifications and thus did not produce a log. Here are the other three logs:


Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.28.04

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 7.0.6002.18005
Ryan :: RYAN-PC [administrator]

Protection: Enabled

2/28/2012 5:59:30 PM
mbam-log-2012-02-28 (17-59-30).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 199684
Time elapsed: 23 minute(s), 48 second(s)

Memory Processes Detected: 1
C:\Users\Ryan\AppData\Local\SanctionedMedia\Smad\Smad.exe (Trojan.Agent) -> 2452 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 8
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smad (Trojan.Agent) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKCU\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKCU\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKCU\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKCU\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

Registry Values Detected: 5
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Smad (Trojan.Agent) -> Data: "C:\Users\Ryan\AppData\Local\SanctionedMedia\Smad\Smad.exe" -> Quarantined and deleted successfully.
HKCU\SOFTWARE|7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Data: -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer|WINID (Malware.Trace) -> Data: 1CAE5C76D214530 -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ujaupuig (Rogue.AntivirusSuite.Gen) -> Data: C:\Users\Ryan\AppData\Local\gntmsruib\lmiyarrtssd.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Regedit32 (Trojan.Agent) -> Data: C:\Windows\system32\regedit.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 11
C:\Users\Ryan\AppData\Local\SanctionedMedia\Smad\Smad.exe (Trojan.Agent) -> Delete on reboot.
C:\ProgramData\3iuAwOhA4fislu.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Ryan\AppData\Local\Temp\Du1nkNBbkHLjEv.exe.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Ryan\AppData\Local\Temp\zatT1QVuW8zQiM.exe.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\coldnx\setup.exe (Trojan.Agent.PE5) -> Quarantined and deleted successfully.
C:\Users\Ryan\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Ryan\Local Settings\Application Data\SanctionedMedia\Smad\Smad.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\Ryan\AppData\Local\Temp\ms0cfg32.exe (Exploit.Drop.CFG) -> Quarantined and deleted successfully.
C:\Windows\System32\regedit.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)




.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 7.0.6002.18005
Run by Ryan at 19:56:35 on 2012-02-28
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3998.2689 [GMT 1:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_8aadd48d\STacSV64.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_8aadd48d\AESTSr64.exe
C:\Windows\system32\agr64svc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\SMINST\BLService.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
C:\Windows\system32\taskeng.exe
c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\Core\mchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.comcast.net/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120228125454.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
uRun: [HPAdvisor] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet
uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
uRun: [79bjm5me7g] C:\Users\Ryan\79bjm5me7g.exe
uRun: [hhBUqpMjwRyef.exe] C:\ProgramData\hhBUqpMjwRyef.exe
mRun: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
mRun: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
mRun: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
mRun: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe"
mRun: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
mRun: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
mRun: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
mRun: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun: [UpdatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Nikon Message Center 2] C:\Program Files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe -s
mRun: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
dRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10v_ActiveX.exe -update activex
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 80.58.61.250 80.58.61.254
TCP: Interfaces\{367DC0B2-5AEC-4CF4-A9A4-8B0C4560A6D2} : DhcpNameServer = 80.58.61.250 80.58.61.254
TCP: Interfaces\{C2370A83-364F-4105-905A-275EB21DFC24} : DhcpNameServer = 68.87.69.150 68.87.85.102 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\McAfee\MSC\McSnIePl.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120228125454.dll
BHO-X64: scriptproxy - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun-x64: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
mRun-x64: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
mRun-x64: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
mRun-x64: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe"
mRun-x64: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
mRun-x64: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
mRun-x64: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
mRun-x64: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun-x64: [UpdatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun-x64: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [Nikon Message Center 2] C:\Program Files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe -s
mRun-x64: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
Hosts: 93.115.241.28 www.google-analytics.com.
Hosts: 93.115.241.28 ad-emea.doubleclick.net.
Hosts: 93.115.241.28 www.statcounter.com.
Hosts: 69.72.252.254 www.google-analytics.com.
Hosts: 69.72.252.254 ad-emea.doubleclick.net.
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
R1 mfenlfk;McAfee NDIS Light Filter;C:\Windows\system32\DRIVERS\mfenlfk.sys --> C:\Windows\system32\DRIVERS\mfenlfk.sys [?]
R1 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\system32\drivers\mfewfpk.sys --> C:\Windows\system32\drivers\mfewfpk.sys [?]
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/07/20 03:25:39];C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2008-11-29 146928]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_8aadd48d\AESTSr64.exe --> C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_8aadd48d\AESTSr64.exe [?]
R2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-2-28 652360]
R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-8-15 249936]
R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-8-15 249936]
R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-8-15 249936]
R2 McShield;McAfee McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2010-8-15 199272]
R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2010-8-15 208536]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-8-15 161168]
R2 Recovery Service for Windows;Recovery Service for Windows;C:\Program Files (x86)\SMINST\BLService.exe [2009-1-13 365952]
R2 TVCapSvc;TV Background Capture Service (TVBCS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe [2008-11-27 296320]
R2 TVSched;TV Task Scheduler (TVTS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe [2008-11-27 116096]
R3 cfwids;McAfee Inc. cfwids;C:\Windows\system32\drivers\cfwids.sys --> C:\Windows\system32\drivers\cfwids.sys [?]
R3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-1-13 222512]
R3 enecir;ENE CIR Receiver;C:\Windows\system32\DRIVERS\enecir.sys --> C:\Windows\system32\DRIVERS\enecir.sys [?]
R3 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\system32\drivers\mfefirek.sys --> C:\Windows\system32\drivers\mfefirek.sys [?]
S2 Norton Internet Security;Norton Internet Security;"C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2010-3-18 89920]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
S3 NETw3v64;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw3v64.sys --> C:\Windows\system32\DRIVERS\NETw3v64.sys [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-21 19968]
S3 ssrangdr;ssrangdr;C:\Windows\system32\DRIVERS\ssrangdr.sys --> C:\Windows\system32\DRIVERS\ssrangdr.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x64.sys --> C:\Windows\system32\DRIVERS\yk60x64.sys [?]
.
=============== Created Last 30 ================
.
2012-02-28 16:57:17 -------- d-----w- C:\Users\Ryan\AppData\Roaming\Malwarebytes
2012-02-28 16:56:14 -------- d-----w- C:\ProgramData\Malwarebytes
2012-02-28 16:56:11 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-02-28 16:56:11 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-02-28 10:55:31 -------- d-----w- C:\Users\Ryan\AppData\Local\{80806DB6-0B61-4D04-9DE3-5009EAC84700}
2012-02-28 10:55:11 -------- d-----w- C:\Users\Ryan\AppData\Local\{9108106B-4EEE-44C7-8939-B1FF2BB8FCDC}
2012-02-27 22:54:34 -------- d-----w- C:\Users\Ryan\AppData\Local\{C6AE0565-6C6A-439B-807A-9C7582C41BE0}
2012-02-27 22:54:08 -------- d-----w- C:\Users\Ryan\AppData\Local\{3663558B-E936-4C3D-947A-1B6547DC00A0}
2012-02-20 13:29:48 -------- d-----w- C:\Users\Ryan\AppData\Local\{74FC797F-ACE0-4771-92B8-9FC670E96452}
2012-02-20 13:28:53 -------- d-----w- C:\Users\Ryan\AppData\Local\{60F7777E-C56A-4D38-9920-F8A8126BEA11}
2012-02-19 10:53:59 -------- d-----w- C:\Users\Ryan\AppData\Local\{4679E03F-2F7C-4F6E-B10C-A402E393338A}
2012-02-19 10:53:39 -------- d-----w- C:\Users\Ryan\AppData\Local\{2317C15A-E2E2-46AC-9A14-0EC36D518403}
2012-02-18 09:14:16 -------- d-----w- C:\Users\Ryan\AppData\Local\{6AAE1291-0081-4E1A-BFD0-6DDE7A5357F9}
2012-02-17 13:07:56 -------- d-----w- C:\Users\Ryan\AppData\Local\{15EB5A8F-9ECE-4DE5-9A98-4B71F6EC7B03}
2012-02-17 13:07:30 -------- d-----w- C:\Users\Ryan\AppData\Local\{57605270-8A41-401D-8831-E60400756468}
2012-02-16 14:01:47 -------- d-----w- C:\Users\Ryan\AppData\Local\{0BE2ACB7-52B2-4903-AE35-C0EA1C5EE60E}
2012-02-16 14:01:27 -------- d-----w- C:\Users\Ryan\AppData\Local\{640BC5EC-4D92-42B3-8DE6-AE6E7486F8E2}
2012-02-16 02:00:50 -------- d-----w- C:\Users\Ryan\AppData\Local\{5CB289F5-E8BD-4203-AE27-6B3976322E81}
2012-02-16 02:00:28 -------- d-----w- C:\Users\Ryan\AppData\Local\{9CC7CAED-5DC4-473A-BBDB-C4DEF69C64FB}
2012-02-15 11:18:20 -------- d-----w- C:\Users\Ryan\AppData\Local\{32BE97B8-263C-4DFD-BD69-65A076DD0C2F}
2012-02-15 11:17:59 -------- d-----w- C:\Users\Ryan\AppData\Local\{DE0DAD8C-8BCD-4CE0-BD25-3AB2BD849C32}
2012-02-14 17:29:59 -------- d-----w- C:\Users\Ryan\AppData\Local\{54A459DA-8A9E-4718-822B-87C2426A3380}
2012-02-14 17:29:38 -------- d-----w- C:\Users\Ryan\AppData\Local\{7E82CA83-5E70-4D1D-BA32-2ABE8476EABF}
2012-02-14 00:25:29 -------- d-----w- C:\Users\Ryan\AppData\Local\{6E0FD7A3-BD97-46B3-86C8-D03C87D74EB7}
2012-02-14 00:25:09 -------- d-----w- C:\Users\Ryan\AppData\Local\{C4EB6A71-55DC-4622-B1BC-CA48FD119B29}
2012-02-12 13:37:28 -------- d-----w- C:\Users\Ryan\AppData\Local\{46F5407B-592F-4AD5-B5E6-F202969385F7}
2012-02-12 01:36:45 -------- d-----w- C:\Users\Ryan\AppData\Local\{2AFDC2ED-73B0-426E-BCD9-69FFA60AE66B}
2012-02-12 01:36:24 -------- d-----w- C:\Users\Ryan\AppData\Local\{7FC6E8C9-E22C-4554-A41D-67B7E7D7A72D}
2012-02-11 10:44:31 -------- d-----w- C:\Users\Ryan\AppData\Local\{EBFC3746-FA12-42F8-8792-09B7D546673A}
2012-02-10 22:12:14 -------- d-----w- C:\Users\Ryan\AppData\Local\{B8C47ED2-7D13-4434-89B7-D33FCE22BFCB}
2012-02-10 22:11:53 -------- d-----w- C:\Users\Ryan\AppData\Local\{FF97AECE-70A5-4B99-B92F-CF5906F5335A}
2012-02-10 10:11:05 -------- d-----w- C:\Users\Ryan\AppData\Local\{BEB101C9-6069-4B61-A13D-F8EA71F59DE3}
2012-02-10 10:09:33 -------- d-----w- C:\Users\Ryan\AppData\Local\{A06E9723-497A-4C81-AF4D-1ED6317D11DA}
2012-02-10 01:48:53 -------- d-----w- C:\Users\Ryan\AppData\Local\{0E39E607-D8F7-422B-950D-1979DAD53287}
2012-02-09 12:03:02 -------- d-----w- C:\Users\Ryan\AppData\Local\{165D6A25-61B3-4011-8EEE-146A5EDA529A}
2012-02-09 12:02:35 -------- d-----w- C:\Users\Ryan\AppData\Local\{8E66F33E-C614-4B42-B191-99BE0D77A52E}
2012-02-08 13:13:20 -------- d-----w- C:\Users\Ryan\AppData\Local\{CA663667-5509-4785-952F-09AB94FF8264}
2012-02-08 13:12:15 -------- d-----w- C:\Users\Ryan\AppData\Local\{6B51E0D2-7042-4217-A85D-1AF9FCBECE8E}
2012-02-07 20:20:49 -------- d-----w- C:\Users\Ryan\AppData\Local\{154124FD-148B-4405-B2F2-A899A9BD0C17}
2012-02-07 20:20:27 -------- d-----w- C:\Users\Ryan\AppData\Local\{BA5B5503-FED2-48EE-B6EF-2B5FA50F20D0}
2012-02-07 08:19:40 -------- d-----w- C:\Users\Ryan\AppData\Local\{EBC8AE4C-78EC-4943-A7A3-B48EFD2C79AD}
2012-02-06 13:08:05 -------- d-----w- C:\Users\Ryan\AppData\Local\{69736DBF-DE53-4627-A243-D6693165E6EA}
2012-02-06 13:07:42 -------- d-----w- C:\Users\Ryan\AppData\Local\{44DFDFA6-7E1D-4A14-9FD3-3F3BE4E93421}
2012-02-05 21:54:12 -------- d-----w- C:\Users\Ryan\AppData\Local\{A81238FA-8298-41E2-A8DA-FA9E4859A809}
2012-02-05 21:52:34 -------- d-----w- C:\Users\Ryan\AppData\Local\{DC37FECD-4FF6-4C2E-B0C3-54CB202B8D1C}
2012-02-05 21:50:40 0 --sha-w- C:\Windows\System32\dds_trash_log.cmd
2012-02-03 08:12:08 -------- d-----w- C:\Users\Ryan\AppData\Local\{597A9F80-CF2C-4054-BACF-EDF093475264}
2012-02-03 08:11:45 -------- d-----w- C:\Users\Ryan\AppData\Local\{13EC93F5-DF23-4FE0-A35E-55D55398B85F}
2012-02-02 12:36:00 -------- d-----w- C:\Users\Ryan\AppData\Local\{8EE17CE3-4395-4A42-A283-EC9D1A432888}
2012-02-02 12:35:38 -------- d-----w- C:\Users\Ryan\AppData\Local\{1BC7E13F-E5F0-45C5-A823-064F3E01C107}
2012-02-01 12:58:57 -------- d-----w- C:\Users\Ryan\AppData\Local\{E956FA40-052A-45A5-8C7D-109A455C40CD}
2012-02-01 12:58:23 -------- d-----w- C:\Users\Ryan\AppData\Local\{514CC86C-7D17-4EC2-A14A-5140C548E478}
2012-01-30 22:45:37 -------- d-----w- C:\Users\Ryan\AppData\Local\{AED9D9AF-BA2F-491C-8096-223EE589143C}
2012-01-30 22:45:15 -------- d-----w- C:\Users\Ryan\AppData\Local\{EEFB8D92-79EB-4904-957A-E08E31112C38}
.
==================== Find3M ====================
.
2012-01-13 05:34:10 106496 ----a-w- C:\Windows\SysWow64\ATL71.DLL
2012-01-12 20:16:28 2765824 ----a-w- C:\Windows\System32\win32k.sys
2012-01-03 14:25:21 404992 ----a-w- C:\Windows\System32\drivers\afd.sys
2011-12-16 16:10:36 1032192 ----a-w- C:\Windows\System32\wininet.dll
2011-12-16 15:59:20 834048 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-12-16 14:43:45 485376 ----a-w- C:\Windows\System32\html.iec
2011-12-16 14:11:42 389632 ----a-w- C:\Windows\SysWow64\html.iec
2011-12-16 14:08:31 1383424 ----a-w- C:\Windows\System32\mshtml.tlb
2011-12-16 13:46:35 1383424 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-12-14 16:38:07 621056 ----a-w- C:\Windows\System32\msvcrt.dll
2011-12-14 16:17:47 680448 ----a-w- C:\Windows\SysWow64\msvcrt.dll
.
============= FINISH: 19:57:19.05 ===============



.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 7/20/2009 11:41:15 AM
System Uptime: 2/28/2012 6:36:21 PM (1 hours ago)
.
Motherboard: Quanta | | 3627
Processor: Intel(R) Core(TM)2 Duo CPU T6500 @ 2.10GHz | CPU | 2100/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 285 GiB total, 177.726 GiB free.
D: is FIXED (NTFS) - 13 GiB total, 2.033 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Hosts File Hijack ======================
.
Hosts: 93.115.241.28 www.google-analytics.com.
Hosts: 93.115.241.28 ad-emea.doubleclick.net.
Hosts: 93.115.241.28 www.statcounter.com.
Hosts: 69.72.252.254 www.google-analytics.com.
Hosts: 69.72.252.254 ad-emea.doubleclick.net.
Hosts: 69.72.252.254 www.statcounter.com.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
ActiveCheck component for HP Active Support Library
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Apple Application Support
Apple Software Update
ArcSoft Panorama Maker 5
Compatibility Pack for the 2007 Office system
CyberLink DVD Suite
D3DX10
Download Updater (AOL LLC)
ESU for Microsoft Vista
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Common Access Service Library
HP Customer Experience Enhancements
HP Help and Support
HP MediaSmart DVD
HP MediaSmart Music/Photo/Video
HP MediaSmart TV
HP MediaSmart Webcam
HP Quick Launch Buttons 6.40 L1
HP Total Care Advisor
HP Total Care Setup
HP Update
HP User Guides 0126
HP Wireless Assistant
HPAsset component for HP Active Support Library
IDT Audio
Java Auto Updater
Java(TM) 6 Update 24
Java(TM) 6 Update 7
LabelPrint
LightScribe System Software 1.14.17.1
Malwarebytes Anti-Malware version 1.60.1.1000
McAfee AntiVirus Plus
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Move Media Player
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nikon Message Center 2
Picture Control Utility
Power2Go
PowerDirector
QuickTime
Realtek 8169 8168 8101E 8102E Ethernet Driver
Realtek USB 2.0 Card Reader
Rosetta Stone Version 3
Safari
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Segoe UI
Skype™ 5.1
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
ViewNX 2
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Messenger
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
.
==== Event Viewer Messages From Past Week ========
.
2/28/2012 6:46:16 PM, Error: Service Control Manager [7031] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
2/28/2012 6:39:25 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SRTSP SRTSPX
2/28/2012 6:38:48 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
2/28/2012 6:38:48 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
2/28/2012 6:38:48 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
2/28/2012 6:38:48 PM, Error: Service Control Manager [7000] - The Norton Internet Security service failed to start due to the following error: The system cannot find the path specified.
2/28/2012 6:35:34 PM, Error: Service Control Manager [7043] - The Windows Update service did not shut down properly after receiving a preshutdown control.
2/28/2012 5:47:36 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
2/28/2012 5:43:51 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the McAfee Scanner service to connect.
2/28/2012 5:43:51 PM, Error: Service Control Manager [7000] - The McAfee Scanner service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/28/2012 5:43:51 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service MCODS with arguments "" in order to run the server: {C98F04D7-CD30-4BB0-B7D7-8DD7448520F2}
2/28/2012 5:43:00 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Media Player Network Sharing Service service to connect.
2/28/2012 5:43:00 PM, Error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/28/2012 5:37:51 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the netprofm service.
2/28/2012 5:37:21 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the fdPHost service.
2/28/2012 5:25:19 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LanmanWorkstation service.
2/28/2012 5:24:49 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the W32Time service.
2/28/2012 5:24:19 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the FDResPub service.
.
==== End Of File ===========================
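As an added illustration (not from this thread, and not code from DDS, ComboFix or any other tool named here), a small Python check that parses a hosts file, or the "Hosts:" lines DDS prints, and flags names pinned to a routable public address, which is exactly the pattern in the Hosts File Hijack section above. The sample file is constructed: its six redirect lines copy the DDS entries, the comment and localhost lines are what a clean Windows hosts file normally holds, and the handling of the "Hosts:" prefix is an assumption about that log format.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample hosts file (not the infected machine's actual file):
# the six redirect lines mirror the DDS "Hosts File Hijack" section above;
# the comment and localhost lines are what a clean Windows hosts file
# normally contains.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
93.115.241.28 www.google-analytics.com
93.115.241.28 ad-emea.doubleclick.net
93.115.241.28 www.statcounter.com
69.72.252.254 www.google-analytics.com
69.72.252.254 ad-emea.doubleclick.net
69.72.252.254 www.statcounter.com
"""


@dataclass(frozen=True)
class HostsEntry:
    line_no: int
    address: str
    hostname: str


def parse_hosts(text: str) -> list[HostsEntry]:
    """Parse hosts-file text into (line, address, hostname) entries.

    Accepts the raw file format (one address followed by one or more names,
    '#' comments) and, as an assumption about the DDS output shown above,
    lines of the form 'Hosts: <address> <name>.' with a trailing dot.
    """
    entries: list[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("Hosts:"):
            line = line[len("Hosts:"):].strip()
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # not an address-to-name mapping; ignore the line
        for name in names:
            entries.append(HostsEntry(line_no, address, name.lower().rstrip(".")))
    return entries


def is_suspicious(entry: HostsEntry) -> bool:
    """A name pinned to a routable public address is the hijack pattern.

    Legitimate local overrides point at loopback (127.0.0.1, ::1), the
    unspecified address 0.0.0.0 (ad blackholing) or a LAN address; none of
    those count as 'global' in the ipaddress module's sense.
    """
    return ipaddress.ip_address(entry.address).is_global


def find_hijacks(text: str) -> list[HostsEntry]:
    """Return every entry that redirects a name to a public address."""
    return [entry for entry in parse_hosts(text) if is_suspicious(entry)]


def group_by_address(entries: list[HostsEntry]) -> dict[str, list[str]]:
    """Cluster flagged names by the address they were redirected to, which
    makes a coordinated hijack (one IP, many tracking domains) obvious."""
    groups: dict[str, list[str]] = defaultdict(list)
    for entry in entries:
        groups[entry.address].append(entry.hostname)
    return dict(groups)


if __name__ == "__main__":
    hijacks = find_hijacks(SAMPLE_HOSTS)
    for address, names in group_by_address(hijacks).items():
        print(f"{address} pins {len(names)} name(s): {', '.join(names)}")
```

To check a live machine, read C:\Windows\System32\drivers\etc\hosts and pass its text to find_hijacks(); any hit for a third-party domain means that traffic was going to the redirect target rather than the real host, and the file should be restored from a known-good copy after the infection is cleaned.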
 
Okay, I see the Rogue.Antivirus Suite, among other malware. Funny thing about malware: if one malware finds its way into the system, others will follow! So we'll hopefully remove what's on the system now, then check the security to make sure it's current and adequate.

Note: If you have a problem running Combofix first, run the second part, which begins with The Specifics, then run Combofix after.

We'll start with Combofix as it will help remove some of the entries, then go into more specific scans for the rogues:
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • If prompted for Recovery Console, please allow.
  • Once installed, you should see a blue screen prompt that says:
    • The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close/disable all anti virus and anti malware programs
    (If you need help with this, please see HERE)
  • Close any open browsers.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated and will open in a text window. Please paste the contents of C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=========================================================================
Now to the specifics
Description of the malware:
  1. Pretends to be a security update for Windows installed via Automatic Updates. It will then install itself as a single executable that has a random name consisting of three characters
  2. Clicking on any executable loads the malware
  3. Displays fake security alerts on the infected computer.
  4. May not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer
  5. Changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program.

To fix #5, you start here: Download a Registry file that will fix these changes.
Please download FixNCR.reg and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.
  • Insert the removable device into the infected computer and open the folder for the drive letter associated with it (usually C).
  • Double click the FixNCR.reg file
  • You should now be able to run the .exe files.
-------------------------------------
To end the processes that belong to the rogue program:
Please click on RKill
  • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
  • Double click on the iExplore.exe icon
  • Please be patient- it may take a bit.
  • The black Window will close when through and you can continue.
Note: If you get a message that RKill is malware, ignore it; it's from the malware.
=======================================
Do not reboot your computer after running RKill as the malware programs will start again.
================================
Update and rescan with Malwarebytes:
  • Select Perform Full Scan on the Scanner tab
  • Click on the Scan button.
  • When the scan has finished, you will see this image:
    [image: scan-finished.jpg]
  • Click on OK to close box and continue.
  • Click on the Show Results button.
  • Click on the Remove Selected button to remove all the listed malware.
  • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
==============================
This should remove the major offender. Reboot the Computer into Normal Mode and run the following:
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
    [image: esetonlinescannersettings_thumb.jpg]
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
=======================
Please leave the logs for Combofix, Mbam full scan and Eset online scan in your next reply.
 
ComboFix 12-02-29.01 - Ryan 02/29/2012 19:10:25.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3998.2309 [GMT 1:00]
Running from: c:\users\Ryan\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Ryan\79bjm5me7g.exe
c:\users\Ryan\AppData\Local\{E75CD9D8-3476-4574-9C55-6119BE05B405}
c:\users\Ryan\AppData\Local\{E75CD9D8-3476-4574-9C55-6119BE05B405}\chrome.manifest
c:\users\Ryan\AppData\Local\{E75CD9D8-3476-4574-9C55-6119BE05B405}\chrome\content\_cfg.js
c:\users\Ryan\AppData\Local\{E75CD9D8-3476-4574-9C55-6119BE05B405}\chrome\content\overlay.xul
c:\users\Ryan\AppData\Local\{E75CD9D8-3476-4574-9C55-6119BE05B405}\install.rdf
c:\users\Ryan\AppData\Local\Windows Server
c:\users\Ryan\AppData\Roaming\Adobe\plugs
c:\users\Ryan\AppData\Roaming\Adobe\shed
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\users\Ryan\Desktop\System Check.lnk
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\assembly\temp\@
c:\windows\system32\consrv.dll
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2012-01-28 to 2012-02-29 )))))))))))))))))))))))))))))))
.
.
2012-02-29 18:36 . 2012-02-29 18:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-28 16:57 . 2012-02-28 16:57 -------- d-----w- c:\users\Ryan\AppData\Roaming\Malwarebytes
2012-02-28 16:56 . 2012-02-28 16:56 -------- d-----w- c:\programdata\Malwarebytes
2012-02-28 16:56 . 2012-02-28 16:56 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-02-28 16:56 . 2011-12-10 14:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-05 21:50 . 2012-02-29 18:44 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-21 11:07 . 2011-04-11 21:36 0 ----a-w- c:\users\Ryan\AppData\Local\Qjaliwekes.bin
2012-01-13 05:37 . 2012-01-13 05:37 57344 ----a-r- c:\users\Ryan\AppData\Roaming\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
2012-01-13 05:34 . 2008-11-29 01:04 106496 ----a-w- c:\windows\SysWow64\ATL71.DLL
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"HPAdvisor"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-11-18 966656]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-01-03 15028104]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2008-11-29 1148200]
"TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-12-25 1316136]
"CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-12-25 189736]
"TVAgent"="c:\program files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe" [2009-05-09 206120]
"UCam_Menu"="c:\program files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-11-26 210216]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-10-10 206128]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-10-30 210216]
"UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"WirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-12-08 432432]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1675160]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-06-08 421160]
"Nikon Message Center 2"="c:\program files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-26 619008]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\SysWOW64\Macromed\Flash\FlashUtil10v_ActiveX.exe" [2011-09-17 243360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_8aadd48d\AESTSr64.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-06 c:\windows\Tasks\HPCeeScheduleForRyan.job
- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-01-13 19:34]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-11 153624]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-11 225816]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-11 200216]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-24 1560872]
"MRT"="c:\windows\system32\MRT.exe" [2012-02-16 54585368]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
adaptecstoragemanageragent
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mLocal Page = %SystemRoot%\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
LSP: mswsock.dll
TCP: DhcpNameServer = 80.58.61.250 80.58.61.254
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
Wow6432Node-HKCU-Run-Messenger (Yahoo!) - c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe
Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
Wow6432Node-HKCU-Run-79bjm5me7g - c:\users\Ryan\79bjm5me7g.exe
Wow6432Node-HKCU-Run-hhBUqpMjwRyef.exe - c:\programdata\hhBUqpMjwRyef.exe
HKLM-Run-SmartMenu - c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
HKLM-Run-SysTrayApp - c:\program files (x86)\IDT\WDM\sttray64.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\SMINST\BLService.exe
c:\program files (x86)\CyberLink\Shared files\RichVideo.exe
c:\program files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
c:\program files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
c:\windows\SysWOW64\ping.exe
.
**************************************************************************
.
Completion time: 2012-02-29 19:54:20 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-29 18:54
.
Pre-Run: 191,563,935,744 bytes free
Post-Run: 194,336,518,144 bytes free
.
- - End Of File - - 432A54E59081CF602A3EB9C8932F78A6




Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.29.03

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 7.0.6002.18005
Ryan :: RYAN-PC [administrator]

Protection: Disabled

2/29/2012 8:06:55 PM
mbam-log-2012-02-29 (20-06-55).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 444678
Time elapsed: 1 hour(s), 48 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Ryan\Desktop\null0.8805230546209267.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

(end)




C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir Win32/Sirefef.DN trojan
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_64\Desktop.ini.vir Win64/Sirefef.G trojan
C:\Users\Ryan\AppData\Roaming\C9EF9997AF2F19B06B5AF1C7244D545C\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Users\Ryan\AppData\Roaming\C9EF9997AF2F19B06B5AF1C7244D545C\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Windows\system64\consrv.dll Win64/Sirefef.G trojan
C:\Windows\system64\drivers\etc\hosts Win32/Qhost trojan
Operating memory a variant of Win32/Sirefef.DN trojan
 
Okay, we have some work cut out for us! It appears that you had Norton Internet Security at one time, but now use McAfee.
Step 1:
There are still files loading for Norton, so please uninstall it using
Norton Removal Tool
Please reboot the computer when finished
=========================================
Step 2: For the Eset entries:
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files 
    C:\Users\Ryan\AppData\Roaming\C9EF9997AF2F19B06B5AF1C7244D545C\enemies-names.txt 
    C:\Users\Ryan\AppData\Roaming\C9EF9997AF2F19B06B5AF1C7244D545C\local.ini 
    C:\Windows\system64\consrv.dll 
    C:\Windows\system64\drivers\etc\hosts 
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==================================
Step 3: ZeroAccess and Sirefef
  • Download AntiZeroAccess and save to the Desktop
    ---------------------
  • Also download and save ESETSirefefRemover and save to the Desktop
    --------------------
  • Now double click on AntiZeroAccess to run it (If running Vista or Windows 7, right click on it and select "Run as an Administrator")
    o Type y and press enter to run the scan
    o Please paste the AntiZeroAccess_Log.txt log to your next message. (This file is saved in the same location as AntiZeroAccess program.)
  • Now run the Win32/Sirefef tool while in Normal Mode and follow the prompts as directed.
===================================
Step 4: TDSSKiller
  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe to run the scan
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result.
  • A reboot is required after disinfection.
==============================================
Step 5: OTL
  • Download OTL from one of the links below and save it to your desktop.
    OTL.exe
    OTL.com
    OTL.scr
    You just need one. Sometimes the file extension gets blocked.

    Note: When using these links, use Internet Explorer to download. If using Firefox, you should right-click and use "Save link As". Otherwise, on some systems, FF attempts to open the file as a script and just a bunch of gibberish is displayed.
  • Double click the OTL icon to run it.
  • The opened console will resemble this:
    OTLv3.1.5.0.gif
  • Set Output at the top to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Copy the entries in the Codebox below> Paste in the Custom Scan box.
    Code:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    userinit.exe
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    Make sure all other windows are closed and to let it run uninterrupted.
  • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
=====================================
All logs in your next reply please. You can use more than one post if needed.
 
I tried the first two steps and they both required me to restart my computer. When I restarted the system could not begin and I was forced to restore to a previous time. Both times I restored took me to right before I did the steps.
 
Are these the 2 steps you did?
Step 1> Run Norton Removal Tool
Step 2> Run OTM for the Eset processes

I was forced to restore to a previous time. Both times I restored took me to right before I did the steps.
No, you choose to restore and you pick the restore point.

You have now removed everything we've done between the restore date and the present.
-------------------------
I don't know what "the system could not begin" means. You should have used some device to access the internet and let me know so I could try to help.

Start over please. You will have to download everything again
 
All of the tools prior to the Norton Removal Tool remain on my desktop with the logs still available. When the Norton Removal Tool restarted the computer, the computer could not start without a restore. The restore screen came up without giving me the option to pick the restore date and eventually started my computer with everything intact except for the Norton Removal Tool. Seeing as I still have all of the other tools and logs, should I remove them, redownload them and run them again, or do something else? Thanks
 
Up until you mentioned a date, it sounded more like a reboot rather than a restore. And you would have had a reboot to finish the Norton Removal. If you still have the program and logs, it must have been a funky Norton restore of some kind, not a System Restore! Weird.

No, you don't have to download and run again if everything is still on the system. I hope I got back to you in time.
 
So where should I go from here? Where I currently stand: from what I can see it appears everything that had previously been done remains on the computer with the exception of the Norton Removal step. This step appears to have been lost when I was forced to restore while the computer rebooted after the Norton step. So I do not know how to make that step happen now.
 
Okay, so far you ran the preliminary scans, Eset Online scan and Combofix.

But you were not able to complete OTM for the Eset entries.

If you want to continue, go back to my Reply #8 and pick up Step 2, 3, 4 and 5 and see what you can run.
Please follow the directions as best you can. If you can't do something, don't try to work around it> come back and let me know- I may be able to help without losing anything.

The HOSTS file has been hijacked and is in OTM to be removed, so we have to replace it. If you can run OTL, I can do it through that program. The other option is to do it manually, which involves several steps.

Please leave the logs from the scans.
 
Ok, the same problem remains. I downloaded OTMoveIt and carried out the step as instructed; it did ask me to reboot the machine, so I did click yes. As it was rebooting, once again a message came up saying that the computer could not be started and startup repair automatically started, at which point a system restore was needed. I still have all of the old programs and logs but OTMoveIt is no longer here. I haven't gone past step two because it did not work. Thanks!
 
Okay, the program is gone because the system was restored to a state that didn't have OTM yet. I'm not sure what this restore message is about, but let's see if the following will help:

Replace Hosts files

The malware also changes your Windows HOSTS file. We will need to replace the default version for your operating system. (Note:if you or your company has added custom entries to your HOSTS file then you will need to add them again after restoring the default HOSTS file.)

The malware, in order to protect itself, may change the permissions of the HOSTS file so you can't edit or delete it. To fix these permissions please download the following batch file and save it to your desktop:

Step 1: Restoring Permissions
  • Please download Hostsperm.bat and save it to your desktop.
  • Double-click on the hostsperm.bat file that is now on your desktop. If Windows asks if you are sure you want to run it, please allow it to run.
  • Once it starts you will see a small black window that opens, then goes away. This is normal.
You should now be able to access your HOSTS file.

Step 2: Show Hidden Files and Folders in Windows Vista:
  • Click on the Start button and select Computer
  • Select Folder Options> View tab
  • Check Show hidden files and folders
  • Uncheck Hide protected operating system files (Recommended)> Confirm Yes
  • Then, uncheck the box next to Hide extensions for known file types
  • Click Apply then click OK

Step 3: Delete the hosts file
  • Using Windows Explorer> navigate to C:\Windows\System32\drivers\etc and do a right click> Delete and delete the hosts file.
  • Once it is deleted, go to next Step.

Step 4: Replacing the Hosts file for your operating system:
  • Download the following HOSTS file that corresponds to Vista HERE
  • Save it in the C:\Windows\System32\Drivers\etc folder.

Note: If the contents of the HOSTS file opens in your browser when you click on a link, then right-click on the link and select Save Target As if in Internet Explorer, or Save Link As if in Firefox, to download the file.

Important: Go back to Folder Options> View tab> recheck 'don't show hidden files and folders'> recheck 'hide protected system files and folders (Recommended)
Now reboot your computer.
===========================================
Please explain exactly what happens here:
When I restarted the system could not begin and I was forced to restore to a previous time. Both times I restored took me to right before I did the steps.
1. How could the system not begin? What happens or doesn't happen?
2. Why did you think you needed to restore?

After the Host files have been replaced and you explain the 'forced to restore', I will decide what needs to be done.

Do not do another System restore!
As far as I know, you're not aware that there are options for starting up in a different mode.

I'd like to prepare you for the possibility that you may need to do a reformat and reinstall due to all the corrupted files from the badly infected system.
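The HOSTS check that the steps above do by hand, as an added example that is not part of the original thread or of any tool it names: a Python script that parses a HOSTS file, flags Qhost-style entries (security-vendor or update names blackholed to 127.0.0.1 / 0.0.0.0, or any name redirected to a non-loopback address), and carries the Vista default content to write back once permissions are restored. The sample hijacked file, the 203.0.113.7 address (TEST-NET-3 documentation range) and the vendor name list are constructed for the example.

```python
"""Spot Qhost-style HOSTS hijacks and keep the default file to restore.
Added example; not code from the thread or from any removal tool."""
import ipaddress

# Active entries Microsoft ships in the Vista HOSTS file (Windows 7 and later
# comment both lines out).  Header abbreviated; this is the "known good" text
# to write back after the permissions fix.
DEFAULT_HOSTS = (
    "# Copyright (c) 1993-2006 Microsoft Corp.\n"
    "#\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
)

# Name fragments of vendors/update services that hijacks commonly blackhole so
# the victim cannot fetch or update cleaning tools.  Constructed for this
# example from the tools the thread uses; extend for your environment.
SECURITY_VENDORS = (
    "malwarebytes", "symantec", "norton", "mcafee", "eset", "kaspersky",
    "microsoft", "windowsupdate", "bleepingcomputer", "techspot",
)

# Constructed sample of a hijacked file (203.0.113.7 is a documentation
# address, not a real attacker host).
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2006 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    "127.0.0.1       www.malwarebytes.org\n"
    "127.0.0.1       liveupdate.symantec.com\n"
    "203.0.113.7     www.google.com www.bing.com\n"
)


def parse_hosts(text):
    """Yield (line_number, ip, [names]) for every active entry, skipping
    blank lines, comments and lines that do not start with an IP address."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed; resolver ignores it
        yield lineno, str(ip), [n.lower() for n in fields[1:]]


def classify(ip, name):
    """Return None for the benign default entry, otherwise a finding kind."""
    addr = ipaddress.ip_address(ip)
    sink = addr.is_loopback or addr.is_unspecified   # 127.x, ::1, 0.0.0.0
    if name == "localhost" and sink:
        return None                      # shipped default, nothing to do
    if not sink:
        return "redirect"                # name sent to another host: verify,
                                         # a company's custom entry looks the same
    if any(v in name for v in SECURITY_VENDORS):
        return "block-security"          # AV / update site blackholed
    return "block"                       # other blackholed name; review


def find_hijacks(text):
    """All suspicious entries in the file text, in file order."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            kind = classify(ip, name)
            if kind:
                findings.append({"line": lineno, "ip": ip, "name": name, "kind": kind})
    return findings


def is_default(text):
    """True when nothing beyond the localhost pair is active."""
    return find_hijacks(text) == []


def scan_file(path):
    """Scan a copy of %SystemRoot%\\System32\\drivers\\etc\\hosts."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read())


if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['ip']:<15} {f['name']:<26} {f['kind']}")
    # Restore on the real machine only after permissions are fixed, from an
    # elevated prompt:  open(path, "w", newline="\r\n").write(DEFAULT_HOSTS)
```

Run scan_file against a copy pulled from the real etc folder first, treat every "redirect" as needing a human decision (custom intranet entries are indistinguishable from a hijack), and only then overwrite the file with DEFAULT_HOSTS from an elevated prompt; adjust the constant for Windows 7 or later, where both localhost lines ship commented out.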
 
Was I supposed to search for the C:\Windows\System32\drivers\etc in the computer section? Because I have done that and nothing came up. In regards to the restore, here is exactly what happens: I turn on the computer, before starting it takes me to a screen saying something along the lines of windows could not start. It then takes me to a startup repair screen at which point it says once again windows can not be started. I then have the option to click restore, at that point the computer starts or I can click do not restore. When I do not restore the computer turns off and if I turn it on again the same process is repeated. Sorry I am being so difficult, I told you I was not very computer savvy
 
I'm sorry for the delay- I've been sick.

I'm leaving you a description of what the rogue program will do>> please read it and understand that the messages you are getting are being created by the rogue malware. The trick is NOT to click on any of these messages, nor take the option being suggested.

When you have read the information, please go through the sequence of scans that follows, taking care to use the specific order in which they are given.
System Check will be configured to start automatically when you login to Windows. Once started, it will display numerous error messages when you attempt to launch programs or delete files. System Check will then prompt you to scan your computer, which will then find a variety of errors that it states it cannot fix until you purchase the program. It will then prompt you to repair your PC, where it will pretend to fix fake problems on your computer and state that it was unable to repair some of them in order to make you feel there is a problem with your computer:

Examples of malware 'created fake errors'
Hard drive clusters are partly damaged. Segment load failure.

Critical Error
Hard drive critical error. Start a system diagnostics application to scan your hard disk for errors and performance problems.

These are just further alerts trying to make you think your computer has a serious hard drive problem. It should be noted that if you attempt to run a program enough times it will eventually work.

While System Check is running it will also display fake alerts from your Windows taskbar. These alerts are designed to further scare you into thinking that your computer has an imminent hardware failure. The text of some of the alerts you may see include:
Critical Error!
Damaged hard drive clusters detected. Private data is at risk.
Critical Error
Hard Drive not found. Missing hard drive.
Critical Error
RAM memory usage is critically high. RAM memory failure.
Critical Error
Windows can't find hard disk space. Hard drive error
Critical Error
Windows OS can't detect a free hard drive space. hard drive error.
Critical Error
A critical error has occurred while indexing data stored on hard drive. System restart required.
System Check
The system has been restored after a critical error. Data integrity and hard drive integrity verification required.

To make matters worse, recent variants of this family have been known to install the TDSS or ZeroAccess rootkits as well. These rootkits will attempt to stop you from using security programs that may help you to remove this infection. If you are infected with System Check and are unable to update your Malwarebytes' Anti-Malware definitions then you most likely have this rootkit installed.
Courtesy Bleepingcomputer
Sound familiar?
  • The malware is configured to automatically start when you logon to Windows.
  • It can also be started if you click on any of these alerts.
============================================
Note: If #1, #2, or #3 do not apply, skip those steps and begin with #4.

1. If your task manager is disabled:
Press Windows+R key> type cmd>copy and run this command
Code:
Echo y | reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr
Press Enter

2. If your desktop is blank and you are unable to right click on it:
Press Windows+R key> type cmd> copy and run this command
Code:
Echo y | reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop
Press Enter

3. If programs, icons, files, desktop are 'missing': Download Unhide.exe and save to the desktop.
  • Double-click on Unhide.exe icon to run the program.
  • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
Note: This does not remove the malware- only the attribute that hides icons and programs. It is important that you continue.
==============================
Please print out the following instructions. It is important that the order of the scan below be followed exactly. Please read through all of the instructions before you begin.
================================
4. Boot into Safe Mode with Networking
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, using your up/down arrows to reach it and then press ENTER.
=======================================
5. To end the processes that belong to the rogue program:
Please click on RKill
  • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
  • Double click on the iExplore.exe icon
  • Please be patient- it may take a bit.
  • The black Window will close when through and you can continue.
Note: If you get a message that RKill is malware, ignore it> it's from the malware.
=======================================
Do not reboot your computer after running RKill as the malware programs will start again.
================================
6. This malware frequently comes with the TDSS rootkit, so do the following:
  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe to run the scan
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43 Save log and post in next reply.
  • After clicking Next, the utility applies selected actions and outputs the result.
  • A reboot is required after disinfection.
====================================
If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again
====================================
7. Update and rescan with Malwarebytes:
  • Select Perform Full Scan on the Scanner tab
  • Click on the Scan button.
  • When scan has finished, you will see this image:
    scan-finished.jpg
  • Click on OK to close box and continue.
  • Click on the Show Results button.
  • Click on the Remove Selected button to remove all the listed malware.
  • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format>Uncheck Word Wrap before copying the log to paste in your next reply.
==============================
Note: If #8 and/or #9 don't apply, you can skip those steps.
8. Correct Display Changes if needed:
If the desktop background is black or if the theme has been removed:
  • Click on Start> Control Panel> Appearance & Personalization
  • Select Change Theme or Change Desktop Background
=====================================
9. Some items may not show on the Start menu. To add them back:
  • Right click on Start> Properties
  • Taskbar and Start Menu Properties screen appears
  • choose Start Menu tab> Click on Customize
  • For Windows XP> Choose Advanced tab
  • Check the items you want back on the Start Menu
  • When finished> click on OK> Apply and close.
=====================================
You can now reboot back into Normal Mode.
 
I have done everything in the order that you requested. I did exactly what you said but cannot seem to locate the log of the quarantined item. Here is the other log. Thanks!

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.28.07

Windows Vista Service Pack 2 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Ryan :: RYAN-PC [administrator]

Protection: Disabled

3/29/2012 6:20:59 PM
mbam-log-2012-03-29 (18-20-59).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 452416
Time elapsed: 1 hour(s), 25 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|GrpConv (Trojan.Agent.Gen) -> Data: grpconv -o -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Ryan\Desktop\null0.8805230546209267.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Ryan\AppData\Local\Temp\cgs8h0.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\grpconv.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

(end)
 
The system is still infected. Are you referring to the log from the TDSSKiller?

# The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43 Save log and post in next reply.
# After clicking Next, the utility applies selected actions and outputs the result.

If you cannot find the log, please run the program again.

Give me an update on how the system is doing.
 
Thank you very much for your help.

I just ran TDSSKiller again and no threats were detected.

The system is running much better, I have not been getting pop-ups telling me anything is wrong.
 
I have the scan started but am leaving on business for the week, so I will not be able to respond until next week. Sorry!
 
Jeff, stop the scan for now. I'm going to close the thread. Please send me a PM when you return and I'll re-open the thread.

If the computer is offline and unused while you're gone, we can pick up where we left off. But if connected and/or used, we will need to repeat some scans- especially since the system is still infected.
 