TechSpot

[Closed] Another hard drive clusters partly damaged

By jeff12345
Feb 28, 2012
  1. I just received a laptop from a family member for a trip to Spain, however it is completely infected with viruses. After doing a little research it seems to be the same problem that many here have had. I am COMPLETELY not computer savvy at all and was hoping for some help.

    Thanks!!
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot, Jeff. About this:
    I will be glad to help and I promise that if you read the instructions carefully and pay close attention to any directions I give you, you will come away much more 'computer savvy' than you are now!
    ==============================================
    The 'hard drive cluster' message you are getting has been generated by a fake (Rogue) computer analysis and optimization program.

    You may be experiencing some of the following:
    • The 'alerts' tell you the problems have led to corrupt and missing data
    • It will display false error messages and security warnings.
    • It "hides" Icons, desktop, programs and files so that they appear to be missing and some programs can't be run
    • This can be installed through hacked sites that exploit vulnerabilities on the system or through fake online scanner pages
    • The malware is configured to automatically start when you logon to Windows.
    • It can also be started if you click on any of these alerts.
    The scam of the malware is for you to think you have multiple problems and need to pay for their program to fix them.
    Note: You may not experience all of the above, but it is important to tell me what problems you do have.

    It's important that you do not click on any of these, nor try to act on any.
    It is also possible that the malware won't allow you to download the programs directly to the infected computer- a flash drive may be needed.
    =============================================
    Please follow these steps: Preliminary Virus and Malware Removal.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    ========================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.

    If I haven't replied back to you within 48 hours, you can send a PM with your thread link in it as a reminder. Do not include technical problems from your thread. Support is given only in the forum.
    Threads are closed after 5 days if there is no reply.
     
  3. jeff12345

    jeff12345 TS Rookie Topic Starter

    Thank you so much for your help! GMER did not find any modifications and thus did not produce a log. Here are the other three logs:


    Malwarebytes Anti-Malware (Trial) 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.28.04

    Windows Vista Service Pack 2 x64 NTFS
    Internet Explorer 7.0.6002.18005
    Ryan :: RYAN-PC [administrator]

    Protection: Enabled

    2/28/2012 5:59:30 PM
    mbam-log-2012-02-28 (17-59-30).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 199684
    Time elapsed: 23 minute(s), 48 second(s)

    Memory Processes Detected: 1
    C:\Users\Ryan\AppData\Local\SanctionedMedia\Smad\Smad.exe (Trojan.Agent) -> 2452 -> Delete on reboot.

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 8
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smad (Trojan.Agent) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKCU\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
    HKCU\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    HKCU\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
    HKCU\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully.
    HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

    Registry Values Detected: 5
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Smad (Trojan.Agent) -> Data: "C:\Users\Ryan\AppData\Local\SanctionedMedia\Smad\Smad.exe" -> Quarantined and deleted successfully.
    HKCU\SOFTWARE|7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Data: -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer|WINID (Malware.Trace) -> Data: 1CAE5C76D214530 -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ujaupuig (Rogue.AntivirusSuite.Gen) -> Data: C:\Users\Ryan\AppData\Local\gntmsruib\lmiyarrtssd.exe -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Regedit32 (Trojan.Agent) -> Data: C:\Windows\system32\regedit.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 11
    C:\Users\Ryan\AppData\Local\SanctionedMedia\Smad\Smad.exe (Trojan.Agent) -> Delete on reboot.
    C:\ProgramData\3iuAwOhA4fislu.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Users\Ryan\AppData\Local\Temp\Du1nkNBbkHLjEv.exe.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Users\Ryan\AppData\Local\Temp\zatT1QVuW8zQiM.exe.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Windows\Temp\coldnx\setup.exe (Trojan.Agent.PE5) -> Quarantined and deleted successfully.
    C:\Users\Ryan\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Users\Ryan\Local Settings\Application Data\SanctionedMedia\Smad\Smad.exe (Trojan.Agent) -> Delete on reboot.
    C:\Users\Ryan\AppData\Local\Temp\ms0cfg32.exe (Exploit.Drop.CFG) -> Quarantined and deleted successfully.
    C:\Windows\System32\regedit.exe (Trojan.Agent) -> Quarantined and deleted successfully.

    (end)




    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 7.0.6002.18005
    Run by Ryan at 19:56:35 on 2012-02-28
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3998.2689 [GMT 1:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_8aadd48d\STacSV64.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\Hpservice.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_8aadd48d\AESTSr64.exe
    C:\Windows\system32\agr64svc.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Windows\System32\igfxtray.exe
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files (x86)\SMINST\BLService.exe
    C:\Windows\System32\hkcmd.exe
    C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
    C:\Program Files\IDT\WDM\sttray64.exe
    C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
    C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
    C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
    C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\Hp\HP Software Update\hpwuSchd2.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
    C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
    C:\Windows\system32\taskeng.exe
    c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\Core\mchost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.comcast.net/
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: H - No File
    mWinlogon: Userinit=userinit.exe,
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120228125454.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    uRun: [HPAdvisor] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
    uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
    uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
    uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
    uRun: [79bjm5me7g] C:\Users\Ryan\79bjm5me7g.exe
    uRun: [hhBUqpMjwRyef.exe] C:\ProgramData\hhBUqpMjwRyef.exe
    mRun: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
    mRun: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
    mRun: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
    mRun: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe"
    mRun: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
    mRun: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
    mRun: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
    mRun: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
    mRun: [UpdatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
    mRun: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [Nikon Message Center 2] C:\Program Files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe -s
    mRun: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
    mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    dRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10v_ActiveX.exe -update activex
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
    LSP: mswsock.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    TCP: DhcpNameServer = 80.58.61.250 80.58.61.254
    TCP: Interfaces\{367DC0B2-5AEC-4CF4-A9A4-8B0C4560A6D2} : DhcpNameServer = 80.58.61.250 80.58.61.254
    TCP: Interfaces\{C2370A83-364F-4105-905A-275EB21DFC24} : DhcpNameServer = 68.87.69.150 68.87.85.102 192.168.1.1
    Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\McAfee\MSC\McSnIePl.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
    BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO-X64: 0x1 - No File
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120228125454.dll
    BHO-X64: scriptproxy - No File
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    mRun-x64: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
    mRun-x64: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
    mRun-x64: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
    mRun-x64: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe"
    mRun-x64: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
    mRun-x64: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
    mRun-x64: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
    mRun-x64: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
    mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun-x64: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
    mRun-x64: [UpdatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
    mRun-x64: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun-x64: [Nikon Message Center 2] C:\Program Files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe -s
    mRun-x64: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
    mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    Hosts: 93.115.241.28 www.google-analytics.com.
    Hosts: 93.115.241.28 ad-emea.doubleclick.net.
    Hosts: 93.115.241.28 www.statcounter.com.
    Hosts: 69.72.252.254 www.google-analytics.com.
    Hosts: 69.72.252.254 ad-emea.doubleclick.net.
    .
    Note: multiple HOSTS entries found. Please refer to Attach.txt
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
    R1 mfenlfk;McAfee NDIS Light Filter;C:\Windows\system32\DRIVERS\mfenlfk.sys --> C:\Windows\system32\DRIVERS\mfenlfk.sys [?]
    R1 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\system32\drivers\mfewfpk.sys --> C:\Windows\system32\drivers\mfewfpk.sys [?]
    R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/07/20 03:25:39];C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2008-11-29 146928]
    R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_8aadd48d\AESTSr64.exe --> C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_8aadd48d\AESTSr64.exe [?]
    R2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
    R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-2-28 652360]
    R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-8-15 249936]
    R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-8-15 249936]
    R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-8-15 249936]
    R2 McShield;McAfee McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2010-8-15 199272]
    R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2010-8-15 208536]
    R2 mfevtp;McAfee Validation Trust Protection Service;C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-8-15 161168]
    R2 Recovery Service for Windows;Recovery Service for Windows;C:\Program Files (x86)\SMINST\BLService.exe [2009-1-13 365952]
    R2 TVCapSvc;TV Background Capture Service (TVBCS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe [2008-11-27 296320]
    R2 TVSched;TV Task Scheduler (TVTS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe [2008-11-27 116096]
    R3 cfwids;McAfee Inc. cfwids;C:\Windows\system32\drivers\cfwids.sys --> C:\Windows\system32\drivers\cfwids.sys [?]
    R3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-1-13 222512]
    R3 enecir;ENE CIR Receiver;C:\Windows\system32\DRIVERS\enecir.sys --> C:\Windows\system32\DRIVERS\enecir.sys [?]
    R3 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
    R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
    R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
    R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\system32\drivers\mfefirek.sys --> C:\Windows\system32\drivers\mfefirek.sys [?]
    S2 Norton Internet Security;Norton Internet Security;"C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]
    S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2010-3-18 89920]
    S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
    S3 NETw3v64;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw3v64.sys --> C:\Windows\system32\DRIVERS\NETw3v64.sys [?]
    S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-21 19968]
    S3 ssrangdr;ssrangdr;C:\Windows\system32\DRIVERS\ssrangdr.sys --> C:\Windows\system32\DRIVERS\ssrangdr.sys [?]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
    S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x64.sys --> C:\Windows\system32\DRIVERS\yk60x64.sys [?]
    .
    =============== Created Last 30 ================
    .
    2012-02-28 16:57:17 -------- d-----w- C:\Users\Ryan\AppData\Roaming\Malwarebytes
    2012-02-28 16:56:14 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-02-28 16:56:11 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-02-28 16:56:11 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-02-28 10:55:31 -------- d-----w- C:\Users\Ryan\AppData\Local\{80806DB6-0B61-4D04-9DE3-5009EAC84700}
    2012-02-28 10:55:11 -------- d-----w- C:\Users\Ryan\AppData\Local\{9108106B-4EEE-44C7-8939-B1FF2BB8FCDC}
    2012-02-27 22:54:34 -------- d-----w- C:\Users\Ryan\AppData\Local\{C6AE0565-6C6A-439B-807A-9C7582C41BE0}
    2012-02-27 22:54:08 -------- d-----w- C:\Users\Ryan\AppData\Local\{3663558B-E936-4C3D-947A-1B6547DC00A0}
    2012-02-20 13:29:48 -------- d-----w- C:\Users\Ryan\AppData\Local\{74FC797F-ACE0-4771-92B8-9FC670E96452}
    2012-02-20 13:28:53 -------- d-----w- C:\Users\Ryan\AppData\Local\{60F7777E-C56A-4D38-9920-F8A8126BEA11}
    2012-02-19 10:53:59 -------- d-----w- C:\Users\Ryan\AppData\Local\{4679E03F-2F7C-4F6E-B10C-A402E393338A}
    2012-02-19 10:53:39 -------- d-----w- C:\Users\Ryan\AppData\Local\{2317C15A-E2E2-46AC-9A14-0EC36D518403}
    2012-02-18 09:14:16 -------- d-----w- C:\Users\Ryan\AppData\Local\{6AAE1291-0081-4E1A-BFD0-6DDE7A5357F9}
    2012-02-17 13:07:56 -------- d-----w- C:\Users\Ryan\AppData\Local\{15EB5A8F-9ECE-4DE5-9A98-4B71F6EC7B03}
    2012-02-17 13:07:30 -------- d-----w- C:\Users\Ryan\AppData\Local\{57605270-8A41-401D-8831-E60400756468}
    2012-02-16 14:01:47 -------- d-----w- C:\Users\Ryan\AppData\Local\{0BE2ACB7-52B2-4903-AE35-C0EA1C5EE60E}
    2012-02-16 14:01:27 -------- d-----w- C:\Users\Ryan\AppData\Local\{640BC5EC-4D92-42B3-8DE6-AE6E7486F8E2}
    2012-02-16 02:00:50 -------- d-----w- C:\Users\Ryan\AppData\Local\{5CB289F5-E8BD-4203-AE27-6B3976322E81}
    2012-02-16 02:00:28 -------- d-----w- C:\Users\Ryan\AppData\Local\{9CC7CAED-5DC4-473A-BBDB-C4DEF69C64FB}
    2012-02-15 11:18:20 -------- d-----w- C:\Users\Ryan\AppData\Local\{32BE97B8-263C-4DFD-BD69-65A076DD0C2F}
    2012-02-15 11:17:59 -------- d-----w- C:\Users\Ryan\AppData\Local\{DE0DAD8C-8BCD-4CE0-BD25-3AB2BD849C32}
    2012-02-14 17:29:59 -------- d-----w- C:\Users\Ryan\AppData\Local\{54A459DA-8A9E-4718-822B-87C2426A3380}
    2012-02-14 17:29:38 -------- d-----w- C:\Users\Ryan\AppData\Local\{7E82CA83-5E70-4D1D-BA32-2ABE8476EABF}
    2012-02-14 00:25:29 -------- d-----w- C:\Users\Ryan\AppData\Local\{6E0FD7A3-BD97-46B3-86C8-D03C87D74EB7}
    2012-02-14 00:25:09 -------- d-----w- C:\Users\Ryan\AppData\Local\{C4EB6A71-55DC-4622-B1BC-CA48FD119B29}
    2012-02-12 13:37:28 -------- d-----w- C:\Users\Ryan\AppData\Local\{46F5407B-592F-4AD5-B5E6-F202969385F7}
    2012-02-12 01:36:45 -------- d-----w- C:\Users\Ryan\AppData\Local\{2AFDC2ED-73B0-426E-BCD9-69FFA60AE66B}
    2012-02-12 01:36:24 -------- d-----w- C:\Users\Ryan\AppData\Local\{7FC6E8C9-E22C-4554-A41D-67B7E7D7A72D}
    2012-02-11 10:44:31 -------- d-----w- C:\Users\Ryan\AppData\Local\{EBFC3746-FA12-42F8-8792-09B7D546673A}
    2012-02-10 22:12:14 -------- d-----w- C:\Users\Ryan\AppData\Local\{B8C47ED2-7D13-4434-89B7-D33FCE22BFCB}
    2012-02-10 22:11:53 -------- d-----w- C:\Users\Ryan\AppData\Local\{FF97AECE-70A5-4B99-B92F-CF5906F5335A}
    2012-02-10 10:11:05 -------- d-----w- C:\Users\Ryan\AppData\Local\{BEB101C9-6069-4B61-A13D-F8EA71F59DE3}
    2012-02-10 10:09:33 -------- d-----w- C:\Users\Ryan\AppData\Local\{A06E9723-497A-4C81-AF4D-1ED6317D11DA}
    2012-02-10 01:48:53 -------- d-----w- C:\Users\Ryan\AppData\Local\{0E39E607-D8F7-422B-950D-1979DAD53287}
    2012-02-09 12:03:02 -------- d-----w- C:\Users\Ryan\AppData\Local\{165D6A25-61B3-4011-8EEE-146A5EDA529A}
    2012-02-09 12:02:35 -------- d-----w- C:\Users\Ryan\AppData\Local\{8E66F33E-C614-4B42-B191-99BE0D77A52E}
    2012-02-08 13:13:20 -------- d-----w- C:\Users\Ryan\AppData\Local\{CA663667-5509-4785-952F-09AB94FF8264}
    2012-02-08 13:12:15 -------- d-----w- C:\Users\Ryan\AppData\Local\{6B51E0D2-7042-4217-A85D-1AF9FCBECE8E}
    2012-02-07 20:20:49 -------- d-----w- C:\Users\Ryan\AppData\Local\{154124FD-148B-4405-B2F2-A899A9BD0C17}
    2012-02-07 20:20:27 -------- d-----w- C:\Users\Ryan\AppData\Local\{BA5B5503-FED2-48EE-B6EF-2B5FA50F20D0}
    2012-02-07 08:19:40 -------- d-----w- C:\Users\Ryan\AppData\Local\{EBC8AE4C-78EC-4943-A7A3-B48EFD2C79AD}
    2012-02-06 13:08:05 -------- d-----w- C:\Users\Ryan\AppData\Local\{69736DBF-DE53-4627-A243-D6693165E6EA}
    2012-02-06 13:07:42 -------- d-----w- C:\Users\Ryan\AppData\Local\{44DFDFA6-7E1D-4A14-9FD3-3F3BE4E93421}
    2012-02-05 21:54:12 -------- d-----w- C:\Users\Ryan\AppData\Local\{A81238FA-8298-41E2-A8DA-FA9E4859A809}
    2012-02-05 21:52:34 -------- d-----w- C:\Users\Ryan\AppData\Local\{DC37FECD-4FF6-4C2E-B0C3-54CB202B8D1C}
    2012-02-05 21:50:40 0 --sha-w- C:\Windows\System32\dds_trash_log.cmd
    2012-02-03 08:12:08 -------- d-----w- C:\Users\Ryan\AppData\Local\{597A9F80-CF2C-4054-BACF-EDF093475264}
    2012-02-03 08:11:45 -------- d-----w- C:\Users\Ryan\AppData\Local\{13EC93F5-DF23-4FE0-A35E-55D55398B85F}
    2012-02-02 12:36:00 -------- d-----w- C:\Users\Ryan\AppData\Local\{8EE17CE3-4395-4A42-A283-EC9D1A432888}
    2012-02-02 12:35:38 -------- d-----w- C:\Users\Ryan\AppData\Local\{1BC7E13F-E5F0-45C5-A823-064F3E01C107}
    2012-02-01 12:58:57 -------- d-----w- C:\Users\Ryan\AppData\Local\{E956FA40-052A-45A5-8C7D-109A455C40CD}
    2012-02-01 12:58:23 -------- d-----w- C:\Users\Ryan\AppData\Local\{514CC86C-7D17-4EC2-A14A-5140C548E478}
    2012-01-30 22:45:37 -------- d-----w- C:\Users\Ryan\AppData\Local\{AED9D9AF-BA2F-491C-8096-223EE589143C}
    2012-01-30 22:45:15 -------- d-----w- C:\Users\Ryan\AppData\Local\{EEFB8D92-79EB-4904-957A-E08E31112C38}
    .
    ==================== Find3M ====================
    .
    2012-01-13 05:34:10 106496 ----a-w- C:\Windows\SysWow64\ATL71.DLL
    2012-01-12 20:16:28 2765824 ----a-w- C:\Windows\System32\win32k.sys
    2012-01-03 14:25:21 404992 ----a-w- C:\Windows\System32\drivers\afd.sys
    2011-12-16 16:10:36 1032192 ----a-w- C:\Windows\System32\wininet.dll
    2011-12-16 15:59:20 834048 ----a-w- C:\Windows\SysWow64\wininet.dll
    2011-12-16 14:43:45 485376 ----a-w- C:\Windows\System32\html.iec
    2011-12-16 14:11:42 389632 ----a-w- C:\Windows\SysWow64\html.iec
    2011-12-16 14:08:31 1383424 ----a-w- C:\Windows\System32\mshtml.tlb
    2011-12-16 13:46:35 1383424 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2011-12-14 16:38:07 621056 ----a-w- C:\Windows\System32\msvcrt.dll
    2011-12-14 16:17:47 680448 ----a-w- C:\Windows\SysWow64\msvcrt.dll
    .
    ============= FINISH: 19:57:19.05 ===============



    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/20/2009 11:41:15 AM
    System Uptime: 2/28/2012 6:36:21 PM (1 hours ago)
    .
    Motherboard: Quanta | | 3627
    Processor: Intel(R) Core(TM)2 Duo CPU T6500 @ 2.10GHz | CPU | 2100/800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 285 GiB total, 177.726 GiB free.
    D: is FIXED (NTFS) - 13 GiB total, 2.033 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Hosts File Hijack ======================
    .
    Hosts: 93.115.241.28 www.google-analytics.com.
    Hosts: 93.115.241.28 ad-emea.doubleclick.net.
    Hosts: 93.115.241.28 www.statcounter.com.
    Hosts: 69.72.252.254 www.google-analytics.com.
    Hosts: 69.72.252.254 ad-emea.doubleclick.net.
    Hosts: 69.72.252.254 www.statcounter.com.
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    Acrobat.com
    Activation Assistant for the 2007 Microsoft Office suites
    ActiveCheck component for HP Active Support Library
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9
    Apple Application Support
    Apple Software Update
    ArcSoft Panorama Maker 5
    Compatibility Pack for the 2007 Office system
    CyberLink DVD Suite
    D3DX10
    Download Updater (AOL LLC)
    ESU for Microsoft Vista
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Active Support Library
    HP Common Access Service Library
    HP Customer Experience Enhancements
    HP Help and Support
    HP MediaSmart DVD
    HP MediaSmart Music/Photo/Video
    HP MediaSmart TV
    HP MediaSmart Webcam
    HP Quick Launch Buttons 6.40 L1
    HP Total Care Advisor
    HP Total Care Setup
    HP Update
    HP User Guides 0126
    HP Wireless Assistant
    HPAsset component for HP Active Support Library
    IDT Audio
    Java Auto Updater
    Java(TM) 6 Update 24
    Java(TM) 6 Update 7
    LabelPrint
    LightScribe System Software 1.14.17.1
    Malwarebytes Anti-Malware version 1.60.1.1000
    McAfee AntiVirus Plus
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Works
    Move Media Player
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nikon Message Center 2
    Picture Control Utility
    Power2Go
    PowerDirector
    QuickTime
    Realtek 8169 8168 8101E 8102E Ethernet Driver
    Realtek USB 2.0 Card Reader
    Rosetta Stone Version 3
    Safari
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Segoe UI
    Skype™ 5.1
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    ViewNX 2
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Installer
    Windows Live Messenger
    Windows Live Photo Common
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    .
    ==== Event Viewer Messages From Past Week ========
    .
    2/28/2012 6:46:16 PM, Error: Service Control Manager [7031] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    2/28/2012 6:39:25 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SRTSP SRTSPX
    2/28/2012 6:38:48 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    2/28/2012 6:38:48 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    2/28/2012 6:38:48 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    2/28/2012 6:38:48 PM, Error: Service Control Manager [7000] - The Norton Internet Security service failed to start due to the following error: The system cannot find the path specified.
    2/28/2012 6:35:34 PM, Error: Service Control Manager [7043] - The Windows Update service did not shut down properly after receiving a preshutdown control.
    2/28/2012 5:47:36 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    2/28/2012 5:43:51 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the McAfee Scanner service to connect.
    2/28/2012 5:43:51 PM, Error: Service Control Manager [7000] - The McAfee Scanner service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    2/28/2012 5:43:51 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service MCODS with arguments "" in order to run the server: {C98F04D7-CD30-4BB0-B7D7-8DD7448520F2}
    2/28/2012 5:43:00 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Media Player Network Sharing Service service to connect.
    2/28/2012 5:43:00 PM, Error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    2/28/2012 5:37:51 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the netprofm service.
    2/28/2012 5:37:21 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the fdPHost service.
    2/28/2012 5:25:19 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LanmanWorkstation service.
    2/28/2012 5:24:49 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the W32Time service.
    2/28/2012 5:24:19 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the FDResPub service.
    .
    ==== End Of File ===========================
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, I see the Rogue.Antivirus Suite, among other malware. Funny thing about malware: if one malware finds its way into the system, others will follow! So we'll hopefully remove what's on the system now, then check the security to make sure it's current and adequate.

    Note: If you have a problem running Combofix first, run the second part that begins with The Specifics, then run Combofix after.

    We'll start with Combofix as it will help remove some of the entries, then go into more specific scans for the rogues:
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all antivirus and anti-malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated; it will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =========================================================================
    Now to the specifics
    Description of the malware:
    1. Pretends to be a security update for Windows installed via Automatic Updates. It will then install itself as a single executable that has a random name consisting of three characters.
    2. Clicking on any executable loads the malware.
    3. Displays fake security alerts on the infected computer.
    4. May not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer
    5. Changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program.

    To fix #5, you start here: Download a Registry file that will fix these changes.
    Please download FixNCR.reg and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.
    • Insert the removable device into the infected computer and open the folder for the drive letter associated with it (usually C).
    • Double click the FixNCR.reg file
    • You should now be able to run the .exe files.
    -------------------------------------
    To end the processes that belong to the rogue program:
    Please click on RKill
    • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
    • Double click on the iExplore.exe icon
    • Please be patient- it may take a bit.
    • The black Window will close when through and you can continue.
    Note: If you get a message that RKill is malware, ignore it; it's from the malware.
    =======================================
    Do not reboot your computer after running RKill as the malware programs will start again.
    ================================
    Update and rescan with Malwarebytes:
    • Select Perform Full Scan on the Scanner tab
    • Click on the Scan button.
    • When scan has finished, you will see this image:
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At the end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ==============================
    This should remove the major offender. Reboot the Computer into Normal Mode and run the following:
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =======================
    Please leave the logs for Combofix, Mbam full scan and Eset online scan in your next reply.
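    As an added example (not part of this thread and not code from any of the tools named in it), the following Python script shows how a defender can check for the two hijacks discussed here without relying on a scanner: the hosts-file redirection that the DDS log reported under "Hosts File Hijack", and the .exe association change described in item 5 above. The sample hosts text is constructed, reusing the two addresses and three domain names from the DDS log; `EXAMPLE_ROGUE.exe` is a placeholder path, not a real indicator; `"%1" %*` is the standard default for the .exe open command on Windows. Reading the live registry value only works on Windows, so that part is skipped elsewhere.

```python
import ipaddress

# Constructed sample of a Windows hosts file. The six redirect lines reuse the
# addresses and domains the DDS log listed; the rest is constructed.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
93.115.241.28   www.google-analytics.com
93.115.241.28   ad-emea.doubleclick.net
93.115.241.28   www.statcounter.com
69.72.252.254   www.google-analytics.com
69.72.252.254   ad-emea.doubleclick.net
69.72.252.254   www.statcounter.com
0.0.0.0         ads.example.invalid   # blocklist-style sinkhole entry, constructed
"""

# Default data of HKEY_CLASSES_ROOT\exefile\shell\open\command on a clean install.
CLEAN_EXE_COMMAND = '"%1" %*'


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; a fuller audit would report it
        for name in parts[1:]:
            yield ip, name.lower().rstrip(".")


def find_hosts_hijacks(text):
    """Return (ip, name) entries that send a name to a routable address.

    A normal hosts file only maps names to loopback (127.0.0.1 / ::1) or to an
    unspecified sinkhole (0.0.0.0 / ::). Anything else redirects traffic for
    that name to an address the user did not choose, which is exactly what the
    DDS 'Hosts File Hijack' section flagged.
    """
    return [(str(ip), name) for ip, name in parse_hosts(text)
            if not (ip.is_loopback or ip.is_unspecified)]


def exe_association_hijacked(command_value):
    """True if the .exe open command does anything other than run the file itself.

    The rogue described above rewrites this value so every .exe launch runs the
    malware first; FixNCR.reg restores the default.
    """
    normalized = " ".join(command_value.split())
    return normalized != CLEAN_EXE_COMMAND


def read_exe_association():
    """Read the live value on Windows; return None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value


if __name__ == "__main__":
    for ip, name in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"hosts hijack: {name} -> {ip}")
    # Placeholder hijacked value (constructed), to show the check's output shape.
    print("sample hijacked:", exe_association_hijacked(
        r'"c:\programdata\EXAMPLE_ROGUE.exe" -a "%1" %*'))
    live = read_exe_association()
    if live is not None:
        print("live .exe association hijacked:", exe_association_hijacked(live))
```

    On a real machine, point `find_hosts_hijacks` at the contents of `C:\Windows\System32\drivers\etc\hosts`; the whitespace normalisation in `exe_association_hijacked` is there so a value with extra spacing is not falsely flagged, while any added executable path is.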
     
  5. jeff12345

    jeff12345 TS Rookie Topic Starter

    ComboFix 12-02-29.01 - Ryan 02/29/2012 19:10:25.1.2 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3998.2309 [GMT 1:00]
    Running from: c:\users\Ryan\Desktop\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Ryan\79bjm5me7g.exe
    c:\users\Ryan\AppData\Local\{E75CD9D8-3476-4574-9C55-6119BE05B405}
    c:\users\Ryan\AppData\Local\{E75CD9D8-3476-4574-9C55-6119BE05B405}\chrome.manifest
    c:\users\Ryan\AppData\Local\{E75CD9D8-3476-4574-9C55-6119BE05B405}\chrome\content\_cfg.js
    c:\users\Ryan\AppData\Local\{E75CD9D8-3476-4574-9C55-6119BE05B405}\chrome\content\overlay.xul
    c:\users\Ryan\AppData\Local\{E75CD9D8-3476-4574-9C55-6119BE05B405}\install.rdf
    c:\users\Ryan\AppData\Local\Windows Server
    c:\users\Ryan\AppData\Roaming\Adobe\plugs
    c:\users\Ryan\AppData\Roaming\Adobe\shed
    c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
    c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk
    c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\Uninstall System Check.lnk
    c:\users\Ryan\Desktop\System Check.lnk
    c:\windows\assembly\GAC_32\Desktop.ini
    c:\windows\assembly\GAC_64\Desktop.ini
    c:\windows\assembly\temp\@
    c:\windows\system32\consrv.dll
    c:\windows\System64
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-28 to 2012-02-29 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-29 18:36 . 2012-02-29 18:36 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-28 16:57 . 2012-02-28 16:57 -------- d-----w- c:\users\Ryan\AppData\Roaming\Malwarebytes
    2012-02-28 16:56 . 2012-02-28 16:56 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-28 16:56 . 2012-02-28 16:56 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-02-28 16:56 . 2011-12-10 14:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-05 21:50 . 2012-02-29 18:44 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-21 11:07 . 2011-04-11 21:36 0 ----a-w- c:\users\Ryan\AppData\Local\Qjaliwekes.bin
    2012-01-13 05:37 . 2012-01-13 05:37 57344 ----a-r- c:\users\Ryan\AppData\Roaming\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
    2012-01-13 05:34 . 2008-11-29 01:04 106496 ----a-w- c:\windows\SysWow64\ATL71.DLL
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
    "HPAdvisor"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-11-18 966656]
    "Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-01-03 15028104]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2008-11-29 1148200]
    "TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-12-25 1316136]
    "CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-12-25 189736]
    "TVAgent"="c:\program files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe" [2009-05-09 206120]
    "UCam_Menu"="c:\program files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
    "UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "UpdatePSTShortCut"="c:\program files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-11-26 210216]
    "QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-10-10 206128]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-10-30 210216]
    "UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
    "HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
    "WirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-12-08 432432]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1675160]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-06-08 421160]
    "Nikon Message Center 2"="c:\program files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-26 619008]
    "ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\SysWOW64\Macromed\Flash\FlashUtil10v_ActiveX.exe" [2011-09-17 243360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_8aadd48d\AESTSr64.exe [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    *Deregistered* - mfeavfk01
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-06-09 17:14 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-02-06 c:\windows\Tasks\HPCeeScheduleForRyan.job
    - c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-01-13 19:34]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-11 153624]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-11 225816]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-11 200216]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-24 1560872]
    "MRT"="c:\windows\system32\MRT.exe" [2012-02-16 54585368]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    adaptecstoragemanageragent
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.comcast.net/
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    mLocal Page = %SystemRoot%\system32\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
    LSP: mswsock.dll
    TCP: DhcpNameServer = 80.58.61.250 80.58.61.254
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
    Wow6432Node-HKCU-Run-Messenger (Yahoo!) - c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe
    Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
    Wow6432Node-HKCU-Run-79bjm5me7g - c:\users\Ryan\79bjm5me7g.exe
    Wow6432Node-HKCU-Run-hhBUqpMjwRyef.exe - c:\programdata\hhBUqpMjwRyef.exe
    HKLM-Run-SmartMenu - c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
    HKLM-Run-SysTrayApp - c:\program files (x86)\IDT\WDM\sttray64.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton Internet Security]
    "ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
    "ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\software\McAfee]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
    c:\program files (x86)\SMINST\BLService.exe
    c:\program files (x86)\CyberLink\Shared files\RichVideo.exe
    c:\program files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
    c:\program files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
    c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    c:\program files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
    c:\windows\SysWOW64\ping.exe
    .
    **************************************************************************
    .
    Completion time: 2012-02-29 19:54:20 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-02-29 18:54
    .
    Pre-Run: 191,563,935,744 bytes free
    Post-Run: 194,336,518,144 bytes free
    .
    - - End Of File - - 432A54E59081CF602A3EB9C8932F78A6




    Malwarebytes Anti-Malware (Trial) 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.29.03

    Windows Vista Service Pack 2 x64 NTFS
    Internet Explorer 7.0.6002.18005
    Ryan :: RYAN-PC [administrator]

    Protection: Disabled

    2/29/2012 8:06:55 PM
    mbam-log-2012-02-29 (20-06-55).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 444678
    Time elapsed: 1 hour(s), 48 minute(s), 3 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Ryan\Desktop\null0.8805230546209267.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    (end)




    C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir Win32/Sirefef.DN trojan
    C:\Qoobox\Quarantine\C\Windows\assembly\GAC_64\Desktop.ini.vir Win64/Sirefef.G trojan
    C:\Users\Ryan\AppData\Roaming\C9EF9997AF2F19B06B5AF1C7244D545C\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application
    C:\Users\Ryan\AppData\Roaming\C9EF9997AF2F19B06B5AF1C7244D545C\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application
    C:\Windows\system64\consrv.dll Win64/Sirefef.G trojan
    C:\Windows\system64\drivers\etc\hosts Win32/Qhost trojan
    Operating memory a variant of Win32/Sirefef.DN trojan
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, we have some work cut out for us! It appears that you had Norton Internet Security at one time, but now use McAfee.
    Step 1:
    There are still files loading for Norton, so please uninstall it using
    Norton Removal Tool
    Please reboot the computer when finished
    =========================================
    Step 2: For the Eset entries:
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Users\Ryan\AppData\Roaming\C9EF9997AF2F19B06B5AF1C7244D545C\enemies-names.txt 
      C:\Users\Ryan\AppData\Roaming\C9EF9997AF2F19B06B5AF1C7244D545C\local.ini 
      C:\Windows\system64\consrv.dll 
      C:\Windows\system64\drivers\etc\hosts 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ==================================
    Step 3: ZeroAccess and Sirefef
    • Download AntiZeroAccess and save to the Desktop
      ---------------------
    • Also download and save ESETSirefefRemover and save to the Desktop
      --------------------
    • Now double click on AntiZeroAccess to run it (If running Vista or Windows 7, right click on it and select "Run as an Administrator")
      o Type y and press enter to run the scan
      o Please paste the AntiZeroAccess_Log.txt log to your next message. (This file is saved in the same location as AntiZeroAccess program.)
    • Now run the Win32/Sirefef tool while in Normal Mode and follow the prompts as directed.
    ===================================
    Step 4: TDSSKiller
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ==============================================
    Step 5: OTL
    • Download OTL from one of the links below and save it to your desktop.
      OTL.exe
      OTL.com
      OTL.scr
      You just need one. Sometimes the file extension gets blocked.

      Note: When using these links, use Internet Explorer to download. If using Firefox, you should right-click and use "Save link As". Otherwise, on some systems, FF attempts to open the file as a script and just a bunch of gibberish is displayed.
    • Double click the OTL icon to run it.
    • The opened console will resemble this: (screenshot not reproduced)
    • Set Output at the top to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the entries in the Codebox below> Paste in the Custom Scan box.
      Code:
      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      explorer.exe
      winlogon.exe
      userinit.exe
      /md5stop
      %systemroot%\*. /mp /s
      CREATERESTOREPOINT
      
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
      Make sure all other windows are closed and to let it run uninterrupted.
    • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
    =====================================
    All logs in your next reply please. You can use more than one post if needed.
     
  7. jeff12345

    jeff12345 TS Rookie Topic Starter

    I tried the first two steps and they both required me to restart my computer. When I restarted, the system could not begin and I was forced to restore to a previous time. Both times I restored took me to right before I did the steps.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Are these the 2 steps you did?
    Step 1> Run Norton Removal Tool
    Step 2> Run OTM for the Eset processes

    No, you chose to restore and you picked the restore point.

    You have now removed everything we've done between the restore date and the present.
    -------------------------
    I don't know what "the system could not begin" means. You should have used some device to access the internet and let me know so I could try to help.

    Start over please. You will have to download everything again
     
  9. jeff12345

    jeff12345 TS Rookie Topic Starter

    All of the tools prior to the Norton Removal Tool remain on my desktop with the logs still available. When the Norton Removal Tool restarted the computer, the computer could not start without a restore. The restore screen came up without giving me the option to pick the restore date and eventually started my computer with everything intact except for the Norton Removal Tool. Seeing as I still have all of the other tools and logs, should I remove them, redownload them and run them again or do something else? Thanks
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Up until you mentioned a date, it sounded more like a reboot rather than a restore. And you would have had a reboot to finish the Norton Removal. If you still have the program and logs, it must have been a funky Norton restore of some kind, not a System Restore! Weird.

    No, you don't have to download and run again if everything is still on the system. I hope I got back to you in time.
     
  11. jeff12345

    jeff12345 TS Rookie Topic Starter

    So where should I go from here? Where I currently stand: from what I can see it appears everything that had previously been done remains on the computer with the exception of the Norton Removal step. This step appears to have been lost when I was forced to restore while the computer rebooted after the Norton step. So I do not know how to make that step happen now.
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, so far you ran the preliminary scans, Eset Online scan and Combofix.

    But you were not able to complete OTM for the Eset entries.

    If you want to continue, go back to my Reply #8 and pick up Step 2, 3, 4 and 5 and see what you can run.
    Please follow the directions as best you can. If you can't do something, don't try to work around it> come back and let me know- I may be able to help without losing anything.

    The Host files have been hijacked and are in OTM to be removed so we have to replace them. If you can run OTL, I can do it through that program. The other option is to do it manually which involves several steps.

    Please leave the logs from the scans.
     
  13. jeff12345

    jeff12345 TS Rookie Topic Starter

    Ok, the same problem remains. I downloaded OTMoveIt and carried out the step as instructed; it did ask me to reboot the machine so I did click yes. As it was rebooting, once again a message came up saying that the computer could not be started and Startup Repair automatically started, at which point a system restore was needed. I still have all of the old programs and logs but OTMoveIt is no longer here. I haven't gone past step two because it did not work. Thanks!
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, the program is gone because the system was restored to a state that didn't have OTM yet. I'm not sure what this restore message is about, but let's see if the following will help:

    Replace Hosts files

    The malware also changes your Windows HOSTS file. We will need to replace the default version for your operating system. (Note: if you or your company has added custom entries to your HOSTS file then you will need to add them again after restoring the default HOSTS file.)

    The malware, in order to protect itself, may change the permissions of the HOSTS file so you can't edit or delete it. To fix these permissions please download the following batch file and save it to your desktop:

    Step 1: Restoring Permissions
    • Please download Hostsperm.bat and save it to your desktop.
    • Double-click on the hostsperm.bat file that is now on your desktop. If Windows asks you if you are sure you want to run it, please allow it to run.
    • Once it starts you will see a small black window that opens, then goes away. This is normal.
    You should now be able to access your HOSTS file.

    Step 2: Show Hidden Files and Folders in Windows Vista:
    • Click on the Start button and select Computer
    • Select Folder Options> View tab
    • Check Show hidden files and folders
    • Uncheck Hide protected operating system files(Recommended)> Confirm Yes
    • Then, uncheck the box next to Hide extensions for known file types
    • Click Apply then click OK

    Step 3: Delete the hosts file
    • Using Windows Explorer> navigate to C:\Windows\System32\drivers\etc and do a right click> Delete and delete the hosts file.
    • Once it is deleted, go to next Step.

    Step 4: Replacing the Hosts file for your operating system:
    • Download the following HOSTS file that corresponds to Vista HERE
    • Save it in the C:\Windows\System32\Drivers\etc folder.

    Note: If the contents of the HOSTS file opens in your browser when you click on a link, then right-click on the link and select Save Target As if in Internet Explorer, or Save Link As if in Firefox, to download the file.

    Important: Go back to Folder Options> View tab> recheck 'don't show hidden files and folders'> recheck 'hide protected system files and folders (Recommended)
    Now reboot your computer.
    ===========================================
    Please explain exactly what happens here:
    1. How could the system not begin? What happens or doesn't happen?
    2. Why did you think you needed to restore?

    After the Host files have been replaced and you explain the 'forced to restore', I will decide what needs to be done.

    Do not do another System restore!
    As far as I know, you're not aware that there are options for starting up in a different mode.

    I'd like to prepare you for the possibility that you may need to do a reformat and reinstall due to all the corrupted files from the badly infected system.
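The HOSTS hijack described in this post (the log flagged it as Win32/Qhost) can be checked before the file is deleted and replaced. The following is an added example, not part of the thread or any of the tools it names: it parses HOSTS file text, treats only the two mappings a default Vista HOSTS file contains as expected, and reports every other active mapping with its line number, since hijacked entries are frequently pushed below a run of blank lines so they are out of sight in Notepad. The sample file content, the TEST-NET address and the function names are constructed for the example.

```python
"""Audit Windows HOSTS file text for non-default mappings (added example)."""
import ipaddress
from typing import NamedTuple

# The only mappings a default Windows Vista HOSTS file contains.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample: Vista-style header, default entries, a run of blank
# lines, then the kind of entries a hosts hijack adds (203.0.113.5 is a
# TEST-NET documentation address, not a real server).
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2006 Microsoft Corp.\n"
    "#\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    + "\n" * 40
    + "127.0.0.1 www.malwarebytes.org  # vendor site forced to loopback\n"
    "203.0.113.5 www.google.com www.bing.com  # search sites redirected\n"
    "not-an-ip example.com\n"
)


class HostsFinding(NamedTuple):
    line_no: int
    address: str
    names: tuple
    reason: str


def parse_hosts(text: str):
    """Yield (line_no, address, names) for every active mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue                          # blank or comment-only line
        parts = line.split()
        if len(parts) < 2:
            continue                          # no hostnames on this line
        yield line_no, parts[0], tuple(name.lower() for name in parts[1:])


def audit_hosts(text: str):
    """Return a HostsFinding for every mapping that is not a default entry."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append(HostsFinding(line_no, address, names,
                                         "unparseable address"))
            continue
        for name in names:
            if (address, name) in DEFAULT_ENTRIES:
                continue
            if addr.is_loopback or addr.is_unspecified:
                reason = "name forced to loopback (site blocked)"
            else:
                reason = "name redirected to non-loopback address"
            findings.append(HostsFinding(line_no, address, (name,), reason))
    return findings


def is_default_hosts(text: str) -> bool:
    """True when the file carries nothing beyond the default mappings."""
    return not audit_hosts(text)


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.address} -> {', '.join(f.names)}: {f.reason}")
    print("default hosts file:", is_default_hosts(SAMPLE_HOSTS))
```

On a real machine, read `C:\Windows\System32\drivers\etc\hosts` (after the permission fix in Step 1) and pass its text to `audit_hosts`; any finding is an entry the default file for Vista does not have.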
     
  15. jeff12345

    jeff12345 TS Rookie Topic Starter

    Was I supposed to search for the C:\Windows\System32\drivers\etc in the computer section? Because I have done that and nothing came up. In regards to the restore, here is exactly what happens: I turn on the computer; before starting it takes me to a screen saying something along the lines of Windows could not start. It then takes me to a Startup Repair screen at which point it says once again Windows cannot be started. I then have the option to click restore, at that point the computer starts, or I can click do not restore. When I do not restore the computer turns off and if I turn it on again the same process is repeated. Sorry I am being so difficult, I told you I was not very computer savvy
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm sorry for the delay- I've been sick.

    I'm leaving you a description of what the rogue program will do>> please read it and understand that the messages you are getting are being created by the rogue malware. The trick is NOT to click on any of these messages, nor do the option being suggested.

    When you have read the information, please go through the sequence of scan following, taking care to use the specific order in which they are given.
    Courtesy Bleepingcomputer
    Sound familiar?
    • The malware is configured to automatically start when you logon to Windows.
    • It can also be started if you click on any of these alerts.
    .
    ============================================
    Note: If #1, #2, or #3 do not apply, skip those steps and begin with #4.

    1. If your task manager is disabled:
    Press Windows+R key> type cmd>copy and run this command
    Code:
    Echo y | reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr
    Press Enter

    2. If your desktop is blank and you are unable to right click on it:
    Press Windows+R key> type cmd> copy and run this command
    Code:
    Echo y | reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop
    Press Enter

    3. If programs, icons, files, desktop are 'missing': Download Unhide.exe and save to the desktop.
    • Double-click on Unhide.exe icon to run the program.
    • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
    Note: This does not remove the malware- only the attribute that hides icons and programs. It is important that you continue.
    ==============================
    Please print out the following instructions. It is important that the order of the scan below be followed exactly. Please read through all of the instructions before you begin.
    ================================
    4. Boot into Safe Mode with Networking
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, using your up/down arrows to reach it and then press ENTER.
    =======================================
    5. To end the processes that belong to the rogue program:
    Please click on RKill
    • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
    • Double click on the iExplore.exe icon
    • Please be patient- it may take a bit.
    • The black Window will close when through and you can continue.
    Note: If you get a message that RKill is malware, ignore it> it's from the malware.
    =======================================
    Do not reboot your computer after running RKill as the malware programs will start again.
    ================================
    6. This malware frequently comes with the TDSS rootkit, so do the following:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43 Save log and post in next reply.
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ====================================
    If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again
    ====================================
    7. Update and rescan with Malwarebytes:
    • Select Perform Full Scan on the Scanner tab
    • Click on the Scan button.
    • When scan has finished, you will see this image:
      (screenshot not reproduced)
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format>Uncheck Word Wrap before copying the log to paste in your next reply.
    ==============================
    Note: If #8 and/or #9 don't apply, you can skip those steps.
    8. Correct Display Changes if needed:
    If the desktop background is black or if the theme has been removed:
    • Click on Start> Control Panel> Appearance & Personalization
    • Select Change Theme or Change Desktop Background
    =====================================
    10. Some items may not show on the Start menu. To add them back:
    • Right click on Start> Properties
    • Taskbar and Start Menu Properties screen appears
    • choose Start Menu tab> Click on Customize
    • For Windows XP> Choose Advanced tab
    • Check the items you want back on the Start Menu
    • When finished> click on OK> Apply and close.
    =====================================
    You can now reboot back into Normal Mode.
     
  17. jeff12345

    jeff12345 TS Rookie Topic Starter

    I have done everything in the order that you requested. I did exactly what you said but cannot seem to locate the log of the quarantined item. Here is the other log. Thanks!

    Malwarebytes Anti-Malware (Trial) 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.28.07

    Windows Vista Service Pack 2 x64 NTFS (Safe Mode/Networking)
    Internet Explorer 9.0.8112.16421
    Ryan :: RYAN-PC [administrator]

    Protection: Disabled

    3/29/2012 6:20:59 PM
    mbam-log-2012-03-29 (18-20-59).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 452416
    Time elapsed: 1 hour(s), 25 minute(s), 25 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|GrpConv (Trojan.Agent.Gen) -> Data: grpconv -o -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 3
    C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Ryan\Desktop\null0.8805230546209267.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Users\Ryan\AppData\Local\Temp\cgs8h0.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Windows\System32\grpconv.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

    (end)
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The system is still infected. Are you referring to the log from the TDSSKiller?

    If you cannot find the log, please run the program again.

    Give me an update on how the system is doing.
     
  19. jeff12345

    jeff12345 TS Rookie Topic Starter

    Thank you very much for your help.

    I just ran TDSSKiller again and no threats were detected.

    The system is running much better, I have not been getting pop-ups telling me anything is wrong.
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please update and run the Eset Online Virus scan again.
     
  21. jeff12345

    jeff12345 TS Rookie Topic Starter

    I have the scan started but am leaving on business for the week so I will not be able to respond until next week. Sorry!
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Jeff, stop the scan for now. I'm going to close the thread. Please send me a PM when you return and I'll re-open the thread.

    If the computer is offline and unused while you're gone, we can pick up where we left off. But if connected and/or used, we will need to repeat some scans- especially since the system is still infected.
     
Topic Status:
Not open for further replies.
