TechSpot

[Closed] Logs for help with virus removal

By cableman
Jan 8, 2012
  1. It started when I got what most people call the Windows 7 2012 virus, but it can affect Windows XP also, I believe. Anyway, here are the logs. I hope you can help, and thank you for all your attention and effort. There are a lot of us who appreciate it. I am running Windows 7 on an HP Probook laptop, model 4525s. The virus disabled my Avast, so I installed Vipre before I started the 5 step process, but it seems to be operational. I also show a network connection but no connection to the internet.

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 911122308

    Windows 6.1.7601 Service Pack 1
    Internet Explorer 9.0.8112.16421

    1/8/2012 6:17:12 AM
    mbam-log-2012-01-08 (06-17-12).txt

    Scan type: Quick scan
    Objects scanned: 206956
    Time elapsed: 7 minute(s), 55 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-01-08 07:02:46
    Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK2561GSYN rev.MH000C
    Running: evensteven123.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\kwldapob.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKey + 13D1 83048369 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83081D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text C:\windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8E424000, 0x2F7634, 0xE8000020]

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\windows\system32\rpcnet.exe[1812] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7505FFF6] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\windows\system32\rpcnet.exe[1812] @ C:\windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7505FFF6] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\windows\system32\rpcnet.exe[1812] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7505FFF6] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\windows\system32\rpcnet.exe[1812] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7505FFF6] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\windows\system32\rpcnet.exe[1812] @ C:\windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [7505FFF6] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

    Device \Driver\BTHUSB \Device\00000090 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
    Device \Driver\BTHUSB \Device\00000092 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

    AttachedDevice \Driver\tdx \Device\Udp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)

    Device \Driver\ACPI_HAL \Device\0000005d halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\tdx \Device\RawIp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f3952a4dce
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f395796eb8
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\cc52af08cf2a
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\cc52af1518ac
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\cc52aff72f3f
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\cc52aff747fc
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e02a82f8005a
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f3952a4dce (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f395796eb8 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\cc52af08cf2a (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\cc52af1518ac (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\cc52aff72f3f (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\cc52aff747fc (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e02a82f8005a (not active ControlSet)

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\$NtUninstallKB30953$\1800766157 0 bytes
    File C:\Windows\$NtUninstallKB30953$\3316104526 0 bytes
    File C:\Windows\$NtUninstallKB30953$\3316104526\@ 2048 bytes
    File C:\Windows\$NtUninstallKB30953$\3316104526\bckfg.tmp 863 bytes
    File C:\Windows\$NtUninstallKB30953$\3316104526\cfg.ini 208 bytes
    File C:\Windows\$NtUninstallKB30953$\3316104526\Desktop.ini 4608 bytes
    File C:\Windows\$NtUninstallKB30953$\3316104526\keywords 10 bytes
    File C:\Windows\$NtUninstallKB30953$\3316104526\kwrd.dll 223744 bytes
    File C:\Windows\$NtUninstallKB30953$\3316104526\L 0 bytes
    File C:\Windows\$NtUninstallKB30953$\3316104526\L\xadqgnnk 338944 bytes
    File C:\Windows\$NtUninstallKB30953$\3316104526\lsflt7.ver 5176 bytes
    File C:\Windows\$NtUninstallKB30953$\3316104526\U 0 bytes
    File C:\Windows\$NtUninstallKB30953$\3316104526\U\00000001.@ 2048 bytes
    File C:\Windows\$NtUninstallKB30953$\3316104526\U\00000002.@ 224768 bytes
    File C:\Windows\$NtUninstallKB30953$\3316104526\U\00000004.@ 1024 bytes
    File C:\Windows\$NtUninstallKB30953$\3316104526\U\80000000.@ 11264 bytes
    File C:\Windows\$NtUninstallKB30953$\3316104526\U\80000004.@ 12800 bytes
    File C:\Windows\$NtUninstallKB30953$\3316104526\U\80000032.@ 77312 bytes

    ---- EOF - GMER 1.0.15 ----


    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
    Run by Administrator at 7:07:04 on 2012-01-08
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1782.834 [GMT -5:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\windows\system32\wininit.exe
    C:\windows\system32\lsm.exe
    C:\windows\system32\svchost.exe -k DcomLaunch
    C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
    C:\windows\system32\svchost.exe -k RPCSS
    C:\windows\system32\atiesrxx.exe
    C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\windows\system32\svchost.exe -k netsvcs
    C:\Program Files\IDT\WDM\STacSV.exe
    C:\windows\system32\svchost.exe -k LocalService
    C:\windows\system32\Hpservice.exe
    C:\windows\system32\atieclxx.exe
    C:\windows\system32\vcsFPService.exe
    C:\windows\system32\svchost.exe -k NetworkService
    C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\windows\system32\WLANExt.exe
    C:\windows\system32\conhost.exe
    C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
    C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\ActivIdentity\ActivClient\acevents.exe
    C:\Program Files\IDT\WDM\aestsrv.exe
    C:\Program Files\LSI SoftModem\agrsmsvc.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
    c:\Program Files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe
    C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
    C:\Program Files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\PDF Complete\pdfsvc.exe
    C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
    C:\Program Files\QUALCOMM\QDLService2k\QDLService2kHP.exe
    C:\ProgramData\Rpcnet\Bin\rpcld.exe
    C:\windows\system32\rpcnet.exe
    C:\windows\system32\Dwm.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
    C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
    C:\windows\system32\wbem\unsecapp.exe
    C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
    C:\windows\system32\wbem\wmiprvse.exe
    C:\windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe
    C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
    C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
    C:\windows\system32\SearchIndexer.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe
    C:\Program Files\Hewlett-Packard\HP Support Framework\hpsa_service.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    C:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\windows\system32\SearchProtocolHost.exe
    C:\windows\system32\SearchFilterHost.exe
    C:\windows\system32\conhost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: File Sanitizer for HP ProtectTools: {3134413b-49b4-425c-98a5-893c1f195601} - c:\program files\hewlett-packard\file sanitizer\IEBHO.dll
    BHO: RoboForm BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    uRun: [HPAdvisorDock] c:\program files\hewlett-packard\hp advisor\dock\HPAdvisorDock.exe
    uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
    mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [SBAMTray] "c:\program files\sunbelt software\vipre\SBAMTray.exe"
    uPolicies-explorer: HideSCAHealth = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
    Trusted Zone: //about.htm/
    Trusted Zone: //Exclude.htm/
    Trusted Zone: //FWEvent.htm/
    Trusted Zone: //LanguageSelection.htm/
    Trusted Zone: //Message.htm/
    Trusted Zone: //MyAgttryCmd.htm/
    Trusted Zone: //MyAgttryNag.htm/
    Trusted Zone: //MyNotification.htm/
    Trusted Zone: //NOCLessUpdate.htm/
    Trusted Zone: //quarantine.htm/
    Trusted Zone: //ScanNow.htm/
    Trusted Zone: //strings.vbs/
    Trusted Zone: //Template.htm/
    Trusted Zone: //Update.htm/
    Trusted Zone: //VirFound.htm/
    Trusted Zone: mcafee.com\*
    Trusted Zone: mcafeeasap.com\betavscan
    Trusted Zone: mcafeeasap.com\vs
    Trusted Zone: mcafeeasap.com\www
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{29A50975-73AB-4414-8C8B-AF094183C9D1} : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{386C4CDF-B88A-4FB1-9A4D-51A5E7F17435} : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{386C4CDF-B88A-4FB1-9A4D-51A5E7F17435}\D4963627F61476568435 : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\854414D275966696D23586162796E676 : DhcpNameServer = 192.168.1.1
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\xibtwus7.default\
    FF - prefs.js: network.proxy.type - 4
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-25 64288]
    R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2012-1-4 220760]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-13 98392]
    R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2011-12-13 78936]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
    R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\common files\actividentity\ac.sharedstore.exe [2009-6-3 207400]
    R2 AESTFilters;Andrea ST Filters Service;c:\program files\idt\wdm\AEstSrv.exe [2011-11-6 81920]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-4-8 172032]
    R2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\hewlett-packard\hp power assistant\HPPA_Service.exe [2011-6-2 133688]
    R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\hewlett-packard\hp support framework\HPSA_Service.exe [2011-6-21 85560]
    R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\hewlett-packard\hp wireless assistant\HPWA_Service.exe [2010-4-5 103992]
    R2 HPDayStarterService;HP DayStarter Service;c:\program files\hewlett-packard\hp quicklook\HPDayStarterService.exe [2010-3-25 90112]
    R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2011-5-21 103992]
    R2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\hewlett-packard\file sanitizer\HPFSService.exe [2010-1-19 297984]
    R2 hpHotkeyMonitor;HP Hotkey Monitor;c:\program files\hewlett-packard\hp hotkey support\hpHotkeyMonitor.exe [2010-3-1 264248]
    R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2010-6-15 26168]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-15 366152]
    R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2010-5-23 635416]
    R2 PdiService;Portrait Displays SDK Service;c:\program files\common files\portrait displays\drivers\pdisrvc.exe [2011-11-6 113264]
    R2 QDLService2kHP;Qualcomm Gobi 2000 Download Service (HP);c:\program files\qualcomm\qdlservice2k\QDLService2kHP.exe [2010-3-15 331000]
    R2 rpcld;Remote Procedure Call (RPC) LD;c:\programdata\rpcnet\bin\rpcld.exe --> c:\programdata\rpcnet\bin\rpcld.exe [?]
    R2 SBAMSvc;VIPRE Antivirus Premium;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2010-8-20 2763080]
    R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-6-14 69976]
    R2 SBPIMSvc;SB Recovery Service;c:\program files\sunbelt software\vipre\SBPIMSvc.exe [2010-8-20 181584]
    R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2009-10-30 1021256]
    R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2010-2-18 1664304]
    R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-4-8 5429760]
    R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-4-8 157184]
    R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-6-20 29472]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-15 22216]
    R3 SBFWIMCLMP;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2012-1-4 68696]
    R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-23 136176]
    S2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-6-20 48640]
    S2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-6-20 47616]
    S2 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2010-6-20 38912]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-23 136176]
    S3 qcfilterhp2k;Gobi 2000 USB Composite Device Filter Driver(03F0-251D);c:\windows\system32\drivers\qcfilterhp2k.sys [2010-3-15 5248]
    S3 qcusbnethp2k;Gobi 2000 USB-NDIS miniport(03F0-251D);c:\windows\system32\drivers\qcusbnethp2k.sys [2010-3-15 208384]
    S3 qcusbserhp2k;Gobi 2000 USB Device for Legacy Serial Communication(03F0-251D);c:\windows\system32\drivers\qcusbserhp2k.sys [2010-3-15 106880]
    S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2009-11-23 1120752]
    S3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxMediaDB12OEM.exe [2011-1-15 1116656]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-9-29 279656]
    S3 rtsuvc;HP Webcam [2 MP Fixed];c:\windows\system32\drivers\rtsuvc.sys [2010-6-20 73344]
    S3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [2012-1-4 68696]
    S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2011-12-13 94040]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-8-12 52224]
    S3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\drivers\vpcuxd.sys [2011-8-12 12800]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-25 1343400]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2010-1-8 316416]
    .
    =============== Created Last 30 ================
    .
    2012-01-04 18:44:46 -------- d-----w- c:\users\administrator\appdata\roaming\Sunbelt
    2012-01-04 18:43:00 68696 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
    2012-01-04 18:43:00 220760 ----a-w- c:\windows\system32\drivers\SbFw.sys
    2011-12-16 00:20:32 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-15 14:02:56 29512 ----a-w- c:\windows\system32\TURegOpt.exe
    2011-12-15 14:02:51 30024 ----a-w- c:\windows\system32\uxtuneup.dll
    2011-12-15 14:02:51 21320 ----a-w- c:\windows\system32\authuitu.dll
    2011-12-15 14:02:42 -------- d-----w- c:\users\administrator\appdata\roaming\TuneUp Software
    2011-12-15 14:02:36 -------- d-----w- c:\program files\TuneUp Utilities 2010
    2011-12-15 14:02:09 -------- d-----w- c:\programdata\TuneUp Software
    2011-12-15 14:01:59 -------- d-sh--w- c:\programdata\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
    2011-12-15 08:02:58 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-12-15 00:47:58 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-12-15 00:47:54 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-15 00:47:49 534528 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-15 00:47:48 38912 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-15 00:47:44 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-12-15 00:47:42 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-14 20:10:55 -------- d-----w- c:\program files\AVAST Software
    2011-12-13 20:02:29 -------- d-----w- c:\programdata\Sunbelt
    2011-12-13 20:00:08 94040 ----a-w- c:\windows\system32\drivers\sbhips.sys
    2011-12-13 20:00:05 78936 ----a-w- c:\windows\system32\drivers\sbtis.sys
    2011-12-13 19:59:49 -------- d-----w- c:\program files\Sunbelt Software
    2011-12-13 17:00:32 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{2aa5de23-5ed8-470a-9f0e-6367571ac127}\mpengine.dll
    2011-12-13 16:55:38 -------- d-----w- c:\windows\system32\wbem\repository
    2011-12-13 09:28:48 -------- d-----w- c:\users\administrator\appdata\roaming\Malwarebytes
    2011-12-12 08:09:37 -------- d-----w- c:\program files\W3i, LLC
    2011-12-12 08:09:11 -------- d-----w- c:\programdata\WeCareReminder
    2011-12-12 07:40:39 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
    .
    ==================== Find3M ====================
    .
    2012-01-04 23:14:19 17920 ----a-w- c:\windows\system32\rpcnetp.exe
    2012-01-04 23:14:16 58288 ----a-w- c:\windows\system32\rpcnet.dll
    2012-01-04 18:32:18 17920 ----a-w- c:\windows\system32\rpcnetp.dll
    2011-11-15 19:29:56 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-11-13 19:54:06 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-06 05:40:43 431616 ----a-w- c:\windows\system32\drivers\stwrt.sys
    2011-11-06 05:40:42 934912 ----a-w- c:\windows\system32\stapo.dll
    2011-11-06 05:40:42 531968 ------w- c:\windows\system32\stapi32.dll
    2011-11-06 05:40:42 495708 ----a-w- c:\windows\sttray.exe
    2011-11-06 05:40:42 405504 ----a-w- c:\windows\system32\stcplx.dll
    2011-11-06 05:40:42 1953792 ----a-w- c:\windows\system32\stlang.dll
    2011-11-06 05:40:42 179712 ----a-w- c:\windows\system32\staco.dll
    2011-11-06 05:40:41 86016 ----a-w- c:\windows\system32\AESTCom.dll
    2011-11-06 05:40:41 380928 ----a-w- c:\windows\system32\aestecap.dll
    2011-11-06 05:40:41 12705884 ----a-w- c:\windows\system32\idtcpl.cpl
    2011-11-06 05:40:40 61440 ----a-w- c:\windows\system32\aestaren.dll
    2011-11-06 05:40:40 140288 ----a-w- c:\windows\system32\aestacap.dll
    2011-11-03 22:47:42 1798144 ----a-w- c:\windows\system32\jscript9.dll
    2011-11-03 22:39:47 1127424 ----a-w- c:\windows\system32\wininet.dll
    2011-11-03 22:31:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    .
    ============= FINISH: 7:07:33.09 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/25/2011 10:40:56 AM
    System Uptime: 1/4/2012 6:13:53 PM (85 hours ago)
    .
    Motherboard: Hewlett-Packard | | 142C
    Processor: AMD Athlon(tm) II P360 Dual-Core Processor | Unknown | 2300/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 231 GiB total, 181.21 GiB free.
    D: is CDROM ()
    E: is Removable
    G: is FIXED (FAT32) - 2 GiB total, 1.986 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: Flash Drive
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_USB2.0&PROD_FLASH_DRIVE&REV_8.00#12345678&0#
    Manufacturer: USB2.0
    Name: E:\
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_USB2.0&PROD_FLASH_DRIVE&REV_8.00#12345678&0#
    Service: WUDFRd
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: HTTP
    Device ID: ROOT\LEGACY_HTTP\0000
    Manufacturer:
    Name: HTTP
    PNP Device ID: ROOT\LEGACY_HTTP\0000
    Service: HTTP
    .
    ==== System Restore Points ===================
    .
    RP120: 12/13/2011 2:50:59 PM - avast! Free Antivirus Setup
    RP121: 12/13/2011 2:59:27 PM - Installed VIPRE Antivirus Premium.
    RP122: 12/14/2011 3:00:15 AM - Windows Update
    RP123: 12/14/2011 3:10:40 PM - avast! Free Antivirus Setup
    RP124: 12/14/2011 3:26:21 PM - avast! Free Antivirus Setup
    RP125: 12/15/2011 3:00:22 AM - Windows Update
    RP126: 12/15/2011 9:02:16 AM - Installed TuneUp Utilities
    RP127: 12/23/2011 2:52:52 AM - Scheduled Checkpoint
    RP128: 12/31/2011 4:43:10 PM - Scheduled Checkpoint
    RP129: 1/4/2012 12:01:45 PM - Restore Operation
    RP130: 1/4/2012 1:41:48 PM - avast! Free Antivirus Setup
    RP131: 1/4/2012 1:42:42 PM - Installed VIPRE Antivirus Premium.
    RP132: 1/4/2012 6:08:43 PM - Restore Operation
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    µTorrent
    ActivClient x86
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 8.2.0
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Software Update
    ATI Catalyst Install Manager
    Broadcom 2070 Bluetooth 2.1 + EDR
    Broadcom 802.11 Wireless LAN Adapter
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    DirectX 9 Runtime
    File Sanitizer For HP ProtectTools
    Google Chrome
    Google Update Helper
    Hewlett-Packard ACLM.NET v1.1.1.0
    HP 3D DriveGuard
    HP Advisor
    HP Customer Experience Enhancements
    HP ESU for Microsoft Windows 7
    HP HotKey Support
    HP Power Assistant
    HP Power Data
    HP QuickLook
    HP QuickWeb
    HP Setup
    HP SoftPaq Download Manager
    HP Software Framework
    HP Software Setup
    HP Support Assistant
    HP User Guides 0185
    HP Web Camera
    HP Webcam
    HP Webcam Driver
    HP Wireless Assistant
    IDT Audio
    Java Auto Updater
    Java Card Security for HP ProtectTools
    Java(TM) 6 Update 26
    LightScribe System Software
    LiveUpdate 3.3 (Symantec Corporation)
    LSI HDA Modem
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Marvell Miniport Driver
    Microsoft .NET Framework 4 Client Profile
    Microsoft Choice Guard
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Suite Activation Assistant
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Mozilla Firefox 8.0.1 (x86 en-US)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Norton Online Backup
    PDF Complete Special Edition
    Qualcomm Gobi 2000 Package for HP
    QuickTime
    RealPlayer
    Realtek Ethernet Controller All-In-One Windows Driver
    RealUpgrade 1.0
    RICOH Media Driver
    RoboForm 7-4-2 (All Users)
    Roxio Activation Module
    Roxio CinePlayer Decoder Pack
    Roxio Creator Audio
    Roxio Creator Business
    Roxio Creator Business v10
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio MyDVD
    Roxio MyDVD Business 2010
    SDK
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office InfoPath 2007 (KB2510061)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Sonic CinePlayer Decoder Pack
    Synaptics Pointing Device Driver
    Theft Recovery
    TuneUp Utilities
    TuneUp Utilities Language Pack (en-US)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office Outlook 2007 (KB2583910)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2596560)
    Validity Fingerprint Driver
    VIPRE Antivirus Premium
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Windows 7 Default Setting
    Windows Driver Package - Broadcom Bluetooth (07/30/2009 6.2.0.9405)
    Windows Driver Package - Broadcom Bluetooth (12/16/2009 6.2.0.9414)
    Windows Driver Package - Broadcom HIDClass (07/28/2009 6.2.0.9800)
    Windows Live Essentials
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    WinRAR archiver
    WinZip 14.0
    Wisdom-soft Set up ScreenHunter 5.1 Free
    WSOP-USA.com
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/8/2012 7:07:24 AM, Error: Service Control Manager [7001] - The Workstation service depends on the SMB 2.0 MiniRedirector service which failed to start because of the following error: The dependency service or group failed to start.
    1/8/2012 7:07:24 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The device does not recognize the command.
    1/8/2012 7:07:24 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The device does not recognize the command.
    1/8/2012 7:07:24 AM, Error: Service Control Manager [7001] - The Remote Desktop Configuration service depends on the Workstation service which failed to start because of the following error: The dependency service or group failed to start.
    1/8/2012 7:07:24 AM, Error: Service Control Manager [7000] - The SMB MiniRedirector Wrapper and Engine service failed to start due to the following error: The device does not recognize the command.
    1/8/2012 6:28:03 AM, Error: Service Control Manager [7003] - The DHCP Client service depends the following service: Afd. This service might not be installed.
    1/8/2012 6:28:03 AM, Error: Service Control Manager [7001] - The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service does not exist or has been marked for deletion.
    1/8/2012 6:09:16 AM, Error: Service Control Manager [7000] - The MBAMSwissArmy service failed to start due to the following error: The system cannot find the file specified.
    1/7/2012 6:18:49 PM, Error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error %%-2147014846.
    1/7/2012 6:18:49 PM, Error: Microsoft-Windows-Bits-Client [16392] - The BITS service failed to start. Error 0x80072742.
    1/4/2012 6:27:47 PM, Error: Service Control Manager [7001] - The Function Discovery Provider Host service depends on the HTTP service which failed to start because of the following error: The device does not recognize the command.
    1/4/2012 6:27:47 PM, Error: Service Control Manager [7000] - The HTTP service failed to start due to the following error: The device does not recognize the command.
    1/4/2012 6:24:58 PM, Error: Service Control Manager [7001] - The SSDP Discovery service depends on the HTTP service which failed to start because of the following error: The device does not recognize the command.
    1/4/2012 6:24:58 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
    1/4/2012 6:24:58 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    1/4/2012 6:16:33 PM, Error: Service Control Manager [7023] - The Windows Update service terminated with the following error: %%-2147014846
    1/4/2012 6:14:26 PM, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.
    1/4/2012 6:14:15 PM, Error: Service Control Manager [7000] - The rixdpcie service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    1/4/2012 6:14:14 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    1/4/2012 6:14:14 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    1/4/2012 6:14:14 PM, Error: Service Control Manager [7000] - The risdpcie service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    1/4/2012 6:14:14 PM, Error: Service Control Manager [7000] - The rimspci service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    1/4/2012 6:14:12 PM, Error: Service Control Manager [7001] - The Server SMB 2.xxx Driver service depends on the srvnet service which failed to start because of the following error: The device does not recognize the command.
    1/4/2012 6:14:12 PM, Error: Service Control Manager [7001] - The Server SMB 1.xxx Driver service depends on the Server SMB 2.xxx Driver service which failed to start because of the following error: The dependency service or group failed to start.
    1/4/2012 6:14:12 PM, Error: Service Control Manager [7001] - The Server service depends on the Server SMB 1.xxx Driver service which failed to start because of the following error: The dependency service or group failed to start.
    1/4/2012 6:14:12 PM, Error: Service Control Manager [7001] - The Print Spooler service depends on the HTTP service which failed to start because of the following error: The device does not recognize the command.
    1/4/2012 6:14:12 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Workstation service which failed to start because of the following error: The dependency service or group failed to start.
    1/4/2012 6:14:12 PM, Error: Service Control Manager [7000] - The srvnet service failed to start due to the following error: The device does not recognize the command.
    1/4/2012 6:14:11 PM, Error: Service Control Manager [7003] - The TCP/IP NetBIOS Helper service depends the following service: Afd. This service might not be installed.
    1/4/2012 10:51:18 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the UmRdpService service.
    1/4/2012 10:04:43 AM, Error: Service Control Manager [7034] - The Remote Procedure Call (RPC) LD service terminated unexpectedly. It has done this 1 time(s).
    1/4/2012 1:32:18 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SBRE
    .
    ==== End Of File ===========================
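The Event Viewer section above shows a cascade of Service Control Manager errors. This added Python triage helper (not from the thread or any tool it mentions) follows each 7001 dependency chain back to the service that actually failed and separates services the SCM reports as "might not be installed" from those with an error of their own; the sample lines are copied from the log above.

```python
import re

# Lines copied from the "Event Viewer Messages From Past Week" section of the log above.
SAMPLE_EVENTS = """\
1/8/2012 7:07:24 AM, Error: Service Control Manager [7001] - The Workstation service depends on the SMB 2.0 MiniRedirector service which failed to start because of the following error: The dependency service or group failed to start.
1/8/2012 7:07:24 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The device does not recognize the command.
1/8/2012 7:07:24 AM, Error: Service Control Manager [7000] - The SMB MiniRedirector Wrapper and Engine service failed to start due to the following error: The device does not recognize the command.
1/8/2012 6:28:03 AM, Error: Service Control Manager [7003] - The DHCP Client service depends the following service: Afd. This service might not be installed.
1/8/2012 6:28:03 AM, Error: Service Control Manager [7001] - The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service does not exist or has been marked for deletion.
1/4/2012 6:14:14 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
1/4/2012 6:14:11 PM, Error: Service Control Manager [7003] - The TCP/IP NetBIOS Helper service depends the following service: Afd. This service might not be installed.
"""

# Event 7003: a dependency is not registered at all (its service key is gone).
RE_7003 = re.compile(r"\[7003\] - The (?P<svc>.+?) service depends the following service: "
                     r"(?P<dep>.+?)\. This service might not be installed\.")
# Event 7001: the service itself is fine, but a dependency failed to start.
RE_7001 = re.compile(r"\[7001\] - The (?P<svc>.+?) service depends on the (?P<dep>.+?) service "
                     r"which failed to start because of the following error: (?P<err>.+)")
# Event 7000: the service failed with an error of its own.
RE_7000 = re.compile(r"\[7000\] - The (?P<svc>.+?) service failed to start due to the following error: (?P<err>.+)")

MISSING_KEY = "reported as not installed (service registry key missing)"


def parse_events(text):
    """Return (edges, missing, own_error): dependency edges from 7001/7003 lines,
    the set of dependencies the SCM says may not be installed, and 7000 errors."""
    edges, missing, own_error = {}, set(), {}
    for line in text.splitlines():
        m = RE_7003.search(line)
        if m:
            edges[m["svc"]] = m["dep"]
            missing.add(m["dep"])
            continue
        m = RE_7001.search(line)
        if m:
            edges[m["svc"]] = m["dep"]
            continue
        m = RE_7000.search(line)
        if m:
            own_error[m["svc"]] = m["err"]
    return edges, missing, own_error


def root_cause(service, edges, missing, own_error):
    """Walk the dependency chain from `service` until a service with its own
    failure reason is reached. Returns (chain, reason)."""
    chain, seen, cur = [service], {service}, service
    while True:
        if cur in missing:
            return chain, MISSING_KEY
        if cur in own_error:
            return chain, own_error[cur]
        nxt = edges.get(cur)
        if nxt is None or nxt in seen:  # end of recorded chain, or a cycle
            return chain, "no further information in the log"
        seen.add(nxt)
        chain.append(nxt)
        cur = nxt


def summarize(text):
    """Group every failing service under (root service, reason) at the end of its chain."""
    edges, missing, own_error = parse_events(text)
    groups = {}
    for svc in edges:
        chain, reason = root_cause(svc, edges, missing, own_error)
        groups.setdefault((chain[-1], reason), []).append(svc)
    return groups


if __name__ == "__main__":
    for (root, reason), affected in summarize(SAMPLE_EVENTS).items():
        print(f"{root}: {reason}")
        for svc in affected:
            print(f"    blocks {svc}")
```

Afd and BFE come out as the roots that are not installed at all, which is the same symptom the later Farbar Service Scanner log in this thread reports as missing service keys.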
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! Yes, this rogue hit Vista, Win XP and Win 7! It's not particular. I will help you remove it but I'd like you to run the following first.

    The malware has added domains to the Trusted Zone. NONE of these domains need to be there. We need to get them out because the security settings are lower in this zone so it makes the system more vulnerable. The following have been set. The program you run will remove all:
    ----------------------------------------
    Please download DelDomains with .zip and unzip it to your desktop. Do not run it yet.
    • Close all open browsers
    • Right click on deldomains.inf and select Install
    Note: this will remove all entries in the Trusted Zone and Restricted Zone.
    =====================================
    Rogue Antispyware, Antivirus, Security, Home Security , Internet Security 2012
    1. Pretends to be a security update for Windows installed via Automatic Updates. It will then install itself as a single executable that has a random name consisting of three characters
    2. Clicking on any executable loads the malware
    3. Display fake security alerts on the infected computer.
    4. May not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer
    5. Changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program.

    To fix #5, you start here: Download a Registry file that will fix these changes.
    Please download FixNCR.reg and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.
    • Insert the removable device into the infected computer and open the folder for the drive letter associated with it. (Usually C)
    • Double click the FixNCR.reg file
    • You should now be able to run the .exe files.
    -------------------------------------
    To end the processes that belong to the rogue program:
    Please click on RKill
    • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
    • Double click on the iExplore.exe icon
    • Please be patient- it may take a bit.
    • The black Window will close when through and you can continue.
    Note: If you get a message that RKill is malware, ignore it> it's from the malware.
    =======================================
    Do not reboot your computer after running RKill as the malware programs will start again.
    ================================
    Update and rescan with Malwarebytes:
    • Select Perform Full Scan on the Scanner tab
    • Click on the Scan button.
    • When scan has finished, you will see this image:
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ==============================
    This should remove the major offender. Reboot the Computer into Normal Mode and run the following:
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =======================================
    FYI: regarding the network not functioning:
    C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
    We will be fixing this- you do not need to do anything with these entries. They are information only.
    =======================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =======================================
    Please leave the logs in your next reply. Advise me if you have a problem running the scans. It is important that you follow the order given.
    =====================================
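Item #5 above is the reason nothing runs until FixNCR.reg is applied: the rogue rewrites the registry keys Windows consults when a .exe is launched. As an added check (not from the thread or from FixNCR.reg), this Python script parses a .reg export of those keys and reports any deviation from the stock Windows values; the expected values are the Windows defaults as I know them, and both .reg samples and the ROGUE_PLACEHOLDER.exe path are constructed.

```python
import re

# Stock Windows values of the two keys that decide how a .exe is launched.
# FixNCR.reg puts these back; the values here are the Windows defaults, not
# copied from that file.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": {"@": "exefile"},
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"@": '"%1" %*'},
}

# Constructed .reg exports: one clean, one with the launch command redirected.
# ROGUE_PLACEHOLDER.exe is a stand-in for the rogue's random name, not a path
# from the thread.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"""

HIJACKED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\ProgramData\\ROGUE_PLACEHOLDER.exe\" \"%1\" %*"
"""


def _unescape(s):
    """.reg string values escape backslash and double quote with a backslash."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Minimal .reg parser: {key_path: {value_name: value}}; REG_SZ values are
    unescaped, other types (dword:, hex:) are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name != "@":                       # "@" is the key's default value
            name = _unescape(name.strip('"'))
        if value.startswith('"') and value.endswith('"'):
            value = _unescape(value[1:-1])
        keys[current][name] = value
    return keys


def check_exe_association(reg_text):
    """Compare an export with EXPECTED. Returns [(key, value_name, found)] for
    every deviation; found is None when the key is absent from the export."""
    keys = parse_reg(reg_text)
    problems = []
    for key, wanted in EXPECTED.items():
        exported = keys.get(key)
        if exported is None:
            problems.append((key, "@", None))
            continue
        for name, want in wanted.items():
            got = exported.get(name)
            if got != want:
                problems.append((key, name, got))
    return problems


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_REG), ("hijacked", HIJACKED_REG)):
        print(label, check_exe_association(sample) or "OK")
```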
     
  3. cableman

    cableman TS Enthusiast Topic Starter Posts: 178

    I performed your instructions to the letter up until I needed to run the ESET Smart Security Program. I still cannot get online. I show a connection but no internet service and I have no password configured on my network or router. All the other computers are connecting fine. Here is the log from Malware:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 911122308

    Windows 6.1.7601 Service Pack 1
    Internet Explorer 9.0.8112.16421

    1/9/2012 10:23:58 AM
    mbam-log-2012-01-09 (10-23-58).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 353806
    Time elapsed: 25 minute(s), 1 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    I have done nothing different from what you have instructed.
     
  4. cableman

    cableman TS Enthusiast Topic Starter Posts: 178

    I guess you gave up on helping me.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    No, I didn't and I extend my apology for the delay. I took some time off during the holidays to enjoy my 'other life..' The penalty for that enjoyment is being incredibly behind!

    However, in all fairness, your thread is more current than some others.
    ===============================
    Please download Farbar Service Scanner
    • Check Include all files option
    • Press the Scan button
    • Log named FSS.txt will be created in the same directory as the tool
    • Please paste the log into your next reply
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Expect these- they are normal:
    1. If asked to install or update the Recovery Console, allow. (you will need internet connection for this)
    2. Before you run the Combofix scan, please disable any security software you have running.
    3. Combofix may need to reboot your computer more than once to do its job; this is normal.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ======================================
    Questions/Comments:
    1. Did the DelDomains remove the sites from the Trusted Zone? Did you check?
    2. Other than not being able to access the internet, what malware related problems are you having?
    3. Did you have internet access before you got this malware?
    4. "The virus disabled my Avast so I installed Vipre">> it is strange that malware disabled one AV, but allowed you to install another one! It is possible that you downloaded Avast but didn't install it therefore it wasn't actually running.

    It appears that you downloaded the Avast setup 4 times> first time 12/13, last time 1/4. Did you ever double click on the Program to run/install? Avast shows running on 1/8. But it doesn't show as an installed program.

    You installed VIPRE twice> 12/13 and 1/4.> it shows as an installed program.

    Dates, downloads, installs and restores in Restore Points:
    RP120: 12/13/2011 2:50:59 PM - avast! Free Antivirus Setup> 1
    RP121: 12/13/2011 2:59:27 PM - Installed VIPRE Antivirus Premium.> 1
    RP123: 12/14/2011 3:10:40 PM - avast! Free Antivirus Setup> 2
    RP124: 12/14/2011 3:26:21 PM - avast! Free Antivirus Setup> 3

    RP129: 1/4/2012 12:01:45 PM - Restore Operation
    RP130: 1/4/2012 1:41:48 PM - avast! Free Antivirus Setup
    RP131: 1/4/2012 1:42:42 PM - Installed VIPRE Antivirus Premium.> 2
    RP132: 1/4/2012 6:08:43 PM - Restore Operation
    -----------------------------------------
    You did System Restore twice on 1/4.> how far back did you go?
    =======================================
    Please leave Combofix log and answers to Questions/Comments in next reply.
     
  6. cableman

    cableman TS Enthusiast Topic Starter Posts: 178

    I can't check anything or change any settings. I keep getting message "Illegal operation attempted on a registry key that has been marked for deletion."

    Here are the logs:

    Farbar Service Scanner
    Ran by Administrator (administrator) on 12-01-2012 at 11:35:32
    Microsoft Windows 7 Professional Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    afd Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open afd registry key. The service key does not exist.


    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============
    MpsSvc Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

    bfe Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.

    mpsdrv Service is not running. Checking service configuration:
    The start type of mpsdrv service is OK.
    The ImagePath of mpsdrv service is OK.


    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall"=DWORD:0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============
    VSS Service is not running. Checking service configuration:
    The start type of VSS service is OK.
    The ImagePath of VSS service is OK.


    System Restore Disabled Policy:
    ========================


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.


    Windows Update:
    ===========
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv service is OK.

    BITS Service is not running. Checking service configuration:
    The start type of BITS service is OK.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.


    File Check:
    ========
    C:\windows\system32\nsisvc.dll => MD5 is legit
    C:\windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\windows\system32\dhcpcore.dll => MD5 is legit
    C:\windows\system32\Drivers\afd.sys => MD5 is legit
    C:\windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\windows\system32\dnsrslvr.dll => MD5 is legit
    C:\windows\system32\mpssvc.dll => MD5 is legit
    C:\windows\system32\bfe.dll => MD5 is legit
    C:\windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\windows\system32\SDRSVC.dll => MD5 is legit
    C:\windows\system32\vssvc.exe => MD5 is legit
    C:\windows\system32\wscsvc.dll => MD5 is legit
    C:\windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\windows\system32\wuaueng.dll => MD5 is legit
    C:\windows\system32\qmgr.dll => MD5 is legit
    C:\windows\system32\es.dll => MD5 is legit
    C:\windows\system32\cryptsvc.dll => MD5 is legit
    C:\windows\system32\svchost.exe => MD5 is legit
    C:\windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****

    ComboFix 12-01-12.02 - Administrator 01/12/2012 15:56:50.1.2 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1782.1236 [GMT -5:00]
    Running from: c:\users\Administrator\Desktop\ComboFix.exe
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Thumbs.db
    c:\windows\$NtUninstallKB30953$
    c:\windows\$NtUninstallKB30953$\1800766157
    c:\windows\$NtUninstallKB30953$\3316104526\@
    c:\windows\$NtUninstallKB30953$\3316104526\bckfg.tmp
    c:\windows\$NtUninstallKB30953$\3316104526\cfg.ini
    c:\windows\$NtUninstallKB30953$\3316104526\Desktop.ini
    c:\windows\$NtUninstallKB30953$\3316104526\keywords
    c:\windows\$NtUninstallKB30953$\3316104526\kwrd.dll
    c:\windows\$NtUninstallKB30953$\3316104526\L\xadqgnnk
    c:\windows\$NtUninstallKB30953$\3316104526\lsflt7.ver
    c:\windows\$NtUninstallKB30953$\3316104526\U\00000001.@
    c:\windows\$NtUninstallKB30953$\3316104526\U\00000002.@
    c:\windows\$NtUninstallKB30953$\3316104526\U\00000004.@
    c:\windows\$NtUninstallKB30953$\3316104526\U\80000000.@
    c:\windows\$NtUninstallKB30953$\3316104526\U\80000004.@
    c:\windows\$NtUninstallKB30953$\3316104526\U\80000032.@
    .
    Infected copy of c:\windows\System32\autochk.exe was found and disinfected
    Restored copy from - c:\windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7600.20538_none_e28cf2983c0715a1\autochk.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-12 to 2012-01-12 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-12 21:15 . 2012-01-12 21:15 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-12 21:15 . 2012-01-12 21:15 -------- d-----w- c:\users\user\AppData\Local\temp
    2012-01-12 19:03 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2012-01-12 05:46 . 2012-01-12 05:46 -------- d-----w- c:\users\Administrator\AppData\Local\VirtualStore
    2012-01-12 04:22 . 2012-01-12 04:22 -------- d-----w- c:\windows\system32\drivers\ar-SA - Copy
    2012-01-09 16:23 . 2012-01-09 16:23 -------- d-----w- c:\program files\ESET
    2012-01-08 15:47 . 2012-01-08 15:38 338944 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-01-04 18:44 . 2012-01-04 18:44 -------- d-----w- c:\users\Administrator\AppData\Roaming\Sunbelt
    2012-01-04 18:43 . 2010-07-27 09:48 220760 ----a-w- c:\windows\system32\drivers\SbFw.sys
    2012-01-04 18:43 . 2010-04-15 23:35 68696 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
    2011-12-15 14:02 . 2009-10-30 20:08 29512 ----a-w- c:\windows\system32\TURegOpt.exe
    2011-12-15 14:02 . 2009-10-30 20:01 21320 ----a-w- c:\windows\system32\authuitu.dll
    2011-12-15 14:02 . 2009-10-30 20:01 30024 ----a-w- c:\windows\system32\uxtuneup.dll
    2011-12-15 14:02 . 2011-12-15 14:02 -------- d-----w- c:\users\Administrator\AppData\Roaming\TuneUp Software
    2011-12-15 14:02 . 2011-12-15 14:02 -------- d-----w- c:\program files\TuneUp Utilities 2010
    2011-12-15 14:02 . 2011-12-15 14:02 -------- d-----w- c:\programdata\TuneUp Software
    2011-12-15 14:01 . 2011-12-15 14:01 -------- d-sh--w- c:\programdata\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
    2011-12-15 08:02 . 2011-11-03 22:40 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-12-15 00:47 . 2011-11-24 04:25 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-12-15 00:47 . 2011-11-05 04:26 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-15 00:47 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-15 00:47 . 2011-10-26 04:28 38912 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-15 00:47 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-12-15 00:47 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-14 20:10 . 2011-12-14 20:10 -------- d-----w- c:\program files\AVAST Software
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-12 21:16 . 2010-10-07 00:01 17920 ----a-w- c:\windows\system32\rpcnetp.exe
    2012-01-12 21:16 . 2010-07-28 16:16 58288 ----a-w- c:\windows\system32\rpcnet.dll
    2012-01-04 18:32 . 2010-10-07 00:02 17920 ----a-w- c:\windows\system32\rpcnetp.dll
    2011-11-21 10:47 . 2011-12-13 17:00 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2AA5DE23-5ED8-470A-9F0E-6367571AC127}\mpengine.dll
    2011-11-15 19:29 . 2010-06-25 17:29 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-11-13 19:54 . 2011-08-16 14:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-06 05:40 . 2011-11-06 05:41 431616 ----a-w- c:\windows\system32\drivers\stwrt.sys
    2011-11-06 05:40 . 2011-11-06 05:43 531968 ------w- c:\windows\system32\stapi32.dll
    2011-11-06 05:40 . 2011-11-06 05:42 495708 ----a-w- c:\windows\sttray.exe
    2011-11-06 05:40 . 2011-11-06 05:42 1953792 ----a-w- c:\windows\system32\stlang.dll
    2011-11-06 05:40 . 2011-11-06 05:42 179712 ----a-w- c:\windows\system32\staco.dll
    2011-11-06 05:40 . 2011-11-06 05:41 934912 ----a-w- c:\windows\system32\stapo.dll
    2011-11-06 05:40 . 2011-11-06 05:41 405504 ----a-w- c:\windows\system32\stcplx.dll
    2011-11-06 05:40 . 2011-11-06 05:42 380928 ----a-w- c:\windows\system32\aestecap.dll
    2011-11-06 05:40 . 2011-11-06 05:42 86016 ----a-w- c:\windows\system32\AESTCom.dll
    2011-11-06 05:40 . 2011-11-06 05:42 12705884 ----a-w- c:\windows\system32\idtcpl.cpl
    2011-11-06 05:40 . 2011-11-06 05:42 61440 ----a-w- c:\windows\system32\aestaren.dll
    2011-11-06 05:40 . 2011-11-06 05:42 140288 ----a-w- c:\windows\system32\aestacap.dll
    2011-12-18 20:01 . 2011-09-14 23:51 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPAdvisorDock"="c:\program files\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe" [2010-02-10 1515576]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2011-09-29 107000]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-03 1791272]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2011-11-06 495708]
    "SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-08-20 1348944]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
    @="Service"
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "LightScribe Control Panel"=c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe"
    "acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe"
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    "estar"=c:\system.sav\Util\HideDOS.EXE c:\system.sav\util\estartwk\twk7.bat
    "NortonOnlineBackupReminder"="c:\program files\Symantec\Norton Online Backup\Activation\NOBuActivation.exe" UNATTENDED
    "PDF Complete"=c:\program files\PDF Complete\pdfsty.exe
    "QLBController"=c:\program files\Hewlett-Packard\HP HotKey Support\QLBController.exe /start
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
    "HPWirelessAssistant"=c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden
    "HPPowerAssistant"=c:\program files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe 120 c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe /hidden
    "File Sanitizer"=c:\program files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-09-23 136176]
    R2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-10-26 48640]
    R2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2009-10-29 47616]
    R2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2009-12-12 38912]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-09-23 136176]
    R3 qcfilterhp2k;Gobi 2000 USB Composite Device Filter Driver(03F0-251D);c:\windows\system32\DRIVERS\qcfilterhp2k.sys [2010-03-15 5248]
    R3 qcusbnethp2k;Gobi 2000 USB-NDIS miniport(03F0-251D);c:\windows\system32\DRIVERS\qcusbnethp2k.sys [2010-03-15 208384]
    R3 qcusbserhp2k;Gobi 2000 USB Device for Legacy Serial Communication(03F0-251D);c:\windows\system32\DRIVERS\qcusbserhp2k.sys [2010-03-15 106880]
    R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-11-23 1120752]
    R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2011-01-15 1116656]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-09-29 279656]
    R3 rtsuvc;HP Webcam [2 MP Fixed];c:\windows\system32\DRIVERS\rtsuvc.sys [2010-01-30 05:45 73344]
    R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Service;c:\windows\system32\DRIVERS\sbfwim.sys [2010-04-15 68696]
    R3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2010-07-27 94040]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\drivers\vpcuxd.sys [2010-11-20 12800]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-25 1343400]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2010-01-08 316416]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-06-25 64288]
    S1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2010-07-27 220760]
    S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2010-05-13 98392]
    S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2010-07-27 78936]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-06-03 207400]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2011-11-06 81920]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-04-08 172032]
    S2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [2011-06-02 133688]
    S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]
    S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-04-05 103992]
    S2 HPDayStarterService;HP DayStarter Service;c:\program files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe [2010-03-25 90112]
    S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-05-21 103992]
    S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\Hewlett-Packard\File Sanitizer\HPFSService.exe [2010-01-19 297984]
    S2 hpHotkeyMonitor;HP Hotkey Monitor;c:\program files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe [2010-03-01 264248]
    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2010-06-15 26168]
    S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2010-03-06 635416]
    S2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [2011-03-16 113264]
    S2 QDLService2kHP;Qualcomm Gobi 2000 Download Service (HP);c:\program files\QUALCOMM\QDLService2k\QDLService2kHP.exe [2010-03-15 331000]
    S2 rpcld;Remote Procedure Call (RPC) LD;c:\programdata\Rpcnet\Bin\rpcld.exe [x]
    S2 SBAMSvc;VIPRE Antivirus Premium;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [2010-08-20 2763080]
    S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [2010-06-14 69976]
    S2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe [2010-08-20 181584]
    S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2009-10-30 1021256]
    S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2010-02-18 1664304]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-04-08 5429760]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-04-08 157184]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-01-07 29472]
    S3 SBFWIMCLMP;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\DRIVERS\SBFWIM.sys [2010-04-15 68696]
    S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
    .
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-02-22 18:38 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-09-23 23:48]
    .
    2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-09-23 23:48]
    .
    2012-01-02 c:\windows\Tasks\HPCeeScheduleForAdministrator.job
    - c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-01-05 10:53]
    .
    2012-01-06 c:\windows\Tasks\TuneUpUtilities_Task_BkGndMaintenance.job
    - c:\program files\TuneUp Utilities 2010\OneClick.exe [2009-10-30 20:13]
    .
    2012-01-12 c:\windows\Tasks\User_Feed_Synchronization-{19480436-369E-4C2B-AD5E-B736E2BA19A1}.job
    - c:\windows\system32\msfeedssync.exe [2011-09-29 13:48]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = <local>
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\
    FF - prefs.js: network.proxy.type - 4
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    SafeBoot-wctsys
    AddRemove-LSI Soft Modem - c:\windows\agrsmdel
    AddRemove-{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226} - c:\program files\InstallShield Installation Information\{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226}\setup.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\pdfcDispatcher]
    "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (Administrator)
    "Timestamp"=hex:64,8b,c6,12,14,8d,cc,01
    .
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,48,24,5a,38,11,8c,bf,43,be,81,3d,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,48,24,5a,38,11,8c,bf,43,be,81,3d,\
    .
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="IE.AssocFile.MHT"
    .
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="IE.AssocFile.MHT"
    .
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.partial\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="IE.AssocFile.PARTIAL"
    .
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="IE.AssocFile.SVG"
    .
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="IE.AssocFile.URL"
    .
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.website\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="IE.AssocFile.WEBSITE"
    .
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(3960)
    c:\program files\Hewlett-Packard\HP Support Framework\Resources\HPSFMessenger\HPSFTaskbar.dll
    c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\IDT\WDM\STacSV.exe
    c:\windows\system32\atieclxx.exe
    c:\windows\system32\WLANExt.exe
    c:\windows\system32\conhost.exe
    c:\program files\LSI SoftModem\agrsmsvc.exe
    c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\windows\system32\rpcnet.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\system32\sppsvc.exe
    c:\windows\system32\taskhost.exe
    c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
    c:\windows\system32\conhost.exe
    c:\program files\Synaptics\SynTP\SynTPHelper.exe
    c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
    c:\program files\TuneUp Utilities 2010\TuneUpSystemStatusCheck.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-12 16:23:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-12 21:23
    .
    Pre-Run: 210,002,137,088 bytes free
    Post-Run: 210,442,407,936 bytes free
    .
    - - End Of File - - 4DDB77C7469246736A56F793D9B16602


    When I got the Windows 7 virus it turned off my Avast virus protection and the only virus software I could get to install was Vipre. I tried to restore to an earlier point so I could try and fix the problems but the restore option would not work. I tried to restore it to December 15, 2011, before the problems began, but no luck. I don't know what kind of virus or malware I have but it seems to be getting worse. It seems to be keeping essential Windows programs from running. I could not confirm if the trusted zones were deleted or not because I can't get access and I am running as administrator. If I have to re-install Windows 7 Professional I think I will lose my Microsoft Office 2007 that came installed with the computer. Does Windows 7 Professional come with that program?
     
  7. cableman

    cableman TS Enthusiast Topic Starter Posts: 178

    I did a system restart and so far all the programs I have tried are working. Is there anything else I need to do to make sure the virus is gone? I now have internet access also.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Entry in the Combofix instructions:

    Do you mean a reboot or a restore?
    --------------------------------------------------
    There are numerous Services that are not running. They will need to be set to either Manual or Automatic Startup.
    DHCP Service isn't running: Dynamic Host Configuration Protocol (DHCP) should be Automatic.
    Security Center Service isn't running. Should be Automatic.
    Windows Firewall Service isn't running.
    Windows Update isn't running.
    Restore Points Service isn't running. Should be Manual.

    Some needed Services are missing the registry entries
    ---------------------
    Basically, the Service to connect isn't running, none of the security for the OS is running, restore points are stopped. Your system will crash, you will lose the connection, you will not have any restore points to use because the system isn't making any.
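
    The services named in the post above can be checked from PowerShell. The script below is an added example, not from this thread or from either poster; the short service names (Dhcp, wscsvc, MpsSvc, wuauserv, VSS) and the expected startup types are Windows 7 defaults assumed here, since the post only gives display names. It reports any service whose startup type or state differs from what is expected and, with -Fix, resets the startup type; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): audit the Windows 7 services the post lists
# and report any whose startup type or running state differs from the expected value.
# Short names and expected startup types are assumed Windows 7 defaults.
$expected = @(
    @{ Name = 'Dhcp';     Display = 'DHCP Client';                         StartMode = 'Auto' },
    @{ Name = 'wscsvc';   Display = 'Security Center';                     StartMode = 'Auto' },
    @{ Name = 'MpsSvc';   Display = 'Windows Firewall';                    StartMode = 'Auto' },
    @{ Name = 'wuauserv'; Display = 'Windows Update';                      StartMode = 'Auto' },
    @{ Name = 'VSS';      Display = 'Volume Shadow Copy (restore points)'; StartMode = 'Manual' }
)

function Test-ExpectedServices {
    param([switch]$Fix)
    foreach ($svc in $expected) {
        # Win32_Service exposes StartMode ('Auto', 'Manual', 'Disabled') and State;
        # Get-Service on the PowerShell 2.0 that ships with Windows 7 does not.
        # 'Automatic (Delayed Start)' is also reported as 'Auto' here.
        $actual = Get-WmiObject Win32_Service -Filter "Name='$($svc.Name)'"
        if ($null -eq $actual) {
            # No registration at all matches the "missing the registry entries" case in the post.
            Write-Output ("MISSING  {0} ({1}): no service registered" -f $svc.Name, $svc.Display)
            continue
        }
        $modeOk  = ($actual.StartMode -eq $svc.StartMode)
        # A Manual service may legitimately be stopped; an Auto service should be running.
        $stateOk = ($svc.StartMode -ne 'Auto') -or ($actual.State -eq 'Running')
        if ($modeOk -and $stateOk) {
            Write-Output ("OK       {0}: {1}, {2}" -f $svc.Name, $actual.StartMode, $actual.State)
            continue
        }
        Write-Output ("MISMATCH {0} ({1}): StartMode={2} State={3}, expected {4}" -f `
            $svc.Name, $svc.Display, $actual.StartMode, $actual.State, $svc.StartMode)
        if ($Fix) {
            # Set-Service takes Automatic/Manual/Disabled, so map WMI's 'Auto' to 'Automatic'.
            $type = if ($svc.StartMode -eq 'Auto') { 'Automatic' } else { 'Manual' }
            Set-Service -Name $svc.Name -StartupType $type
            if ($type -eq 'Automatic') { Start-Service -Name $svc.Name }
        }
    }
}

Test-ExpectedServices          # report only
# Test-ExpectedServices -Fix   # also reset the startup type and start Auto services
```

    A MISSING line is the case the post describes as services with no registry entries; Set-Service cannot recreate those, so that state needs the repair script the helper says she is preparing rather than a startup-type change.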
     
  9. cableman

    cableman TS Enthusiast Topic Starter Posts: 178

    All I did was reboot the system. You told me not to do anything you didn't tell me to do and I haven't; I was just locked out of every program. I couldn't even open the device manager or any software program. The only thing I haven't run that you suggested was the ESET Online Scan because I just now got internet back. What should I do to finish fixing?
     
  10. cableman

    cableman TS Enthusiast Topic Starter Posts: 178

    I may not have thanked you yet but I do know that you have put a good deal of time in helping me and I appreciate it. I was not able to run the ESET Scanner until now because I did not have internet access but since I have access now here are the results.

    Edit: Duplicate Combofix log has been deleted by Bobbye. No Eset log was posted.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Cableman did you want to finish up? You still owe me the Eset log. I'm getting ready to close the thread so please let me know.
     
     
  12. cableman

    cableman TS Enthusiast Topic Starter Posts: 178

    I thought I posted the log and it looks like you deleted it. I don't know anything about a duplicate log. I would not do that. If I can't run a scan or something I'm not going to post a fake or duplicate.

    Everything is still running fine but yes, of course I want to make sure the virus is gone and the computer is thoroughly clean. Otherwise what is the use of doing anything?

    Where do I need to start now? Do I just need to go back to the beginning and start all over? And sorry about not getting back to you, I thought you gave up on me and also last week was my final week of the semester so it was crazy. I didn't even get any time off between semesters, I am already in a new semester now so I have been swamped.

    I still don't know what that last message means that you deleted a duplicate file. I would not post a duplicate and I was never able to run Eset log but once. Did I accidentally post the wrong file? Tell me where to start and I will be glad to do it. I am very grateful for your help. I would never do anything like that on purpose. If I posted the wrong thing then it was an accident.

    I just ran an ESET scan and here are the results:

    C:\Documents and Settings\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\1b0b81d-66b55316 multiple threats
    C:\Documents and Settings\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\64a5ca89-7edcc387 a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\Documents and Settings\Administrator\Downloads\[PC games]Mahjong 2006-Solsuite 2007i\SolSuite.2007.rar probably a variant of Win32/Agent.HKUDRIV trojan
    C:\Users\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\1b0b81d-66b55316 multiple threats
    C:\Users\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\64a5ca89-7edcc387 a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\Users\Administrator\Downloads\[PC games]Mahjong 2006-Solsuite 2007i\SolSuite.2007.rar probably a variant of Win32/Agent.HKUDRIV trojan
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    No, you left a duplicate log for one and no log for the other. I just fixed it.
    Edit: Duplicate Combofix log has been deleted by Bobbye. No Eset log was posted

    When I make an Edit to a post, I try to make it clear what I'm doing.

    In your case, instead of posting the log from the Eset scan, you pasted in another copy of the Combofix log. I did not place any blame on you; of course it was accidental. I knew you meant to leave the Eset log.

    Threads sometimes tend to get very long. When I review your thread, I usually go back to the beginning and review everything again. Having to go through duplicate logs takes time and that is a very precious commodity for malware helpers.
    =================================
    Thank you for the Eset log:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Documents and Settings\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\1b0b81d-66b55316
      C:\Documents and Settings\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\64a5ca89-7edcc387
      C:\Documents and Settings\Administrator\Downloads\[PC games]Mahjong 2006-Solsuite 2007i\SolSuite.2007.rar
      C:\Users\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\1b0b81d-66b55316
      C:\Users\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\64a5ca89-7edcc387
      C:\Users\Administrator\Downloads\[PC games]Mahjong 2006-Solsuite 2007i\SolSuite.2007.rar
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ======================================
    Most of the entries were in the Java cache. This usually happens if an outdated version of Java is still on the system.
    --------------------------------
    There was also malware on the 2 entries for [PC games]Mahjong 2006-Solsuite 2007i\SolSuite.2007.rar. These are torrent downloads and you will get malware whenever you download from torrent sites.
    ======================================
    Please consider that instead of closing the thread in 5 days, after a week, I posted instead and asked if you planned to continue. So we both have time issues. Let's get past that and go on.
    ========================================
    Some of the Services need to be reset. I'm working up a list for you to do that. I'm on a Win XP machine right now, so I'm using guidance from the Black Viper site for your Win 7.

    Go ahead with OTM. I'll be back as soon as I have the Services list and script to run in Combofix.

    Please disable TuneUp while I'm helping you. It has a registry optimizer running.
     
  14. cableman

    cableman TS Enthusiast Topic Starter Posts: 178

    Here are the results. They were hard to copy and paste:

    All processes killed
    ========== FILES ==========
    File/Folder C:\Documents and Settings\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\1b 0b81d-66b55316 not found.
    File/Folder C:\Documents and Settings\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\64a 5ca89-7edcc387 not found.
    C:\Documents and Settings\Administrator\Downloads\[PC games]Mahjong 2006-Solsuite 2007i\SolSuite.2007.rar moved successfully.
    File/Folder C:\Users\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\1b 0b81d-66b55316 not found.
    File/Folder C:\Users\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\64a 5ca89-7edcc387 not found.
    File/Folder C:\Users\Administrator\Downloads\[PC games]Mahjong 2006-Solsuite 2007i\SolSuite.2007.rar not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 56312625 bytes
    ->Temporary Internet Files folder emptied: 10747997 bytes
    ->Java cache emptied: 51360 bytes
    ->FireFox cache emptied: 802337298 bytes
    ->Google Chrome cache emptied: 21922573 bytes
    ->Flash cache emptied: 107564 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56504 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: user
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56504 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 726652 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 3837493 bytes

    Total Files Cleaned = 855.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Public

    User: user
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 02052012_075819

    Files moved on Reboot...
    C:\windows\temp\FXSAPIDebugLogFile.txt moved successfully.
    C:\windows\temp\FXSTIFFDebugLogFile.txt moved successfully.

    Registry entries deleted on Reboot...
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    It's been a month cableman. Please give me an update on the system.
     
  16. cableman

    cableman TS Enthusiast Topic Starter Posts: 178

    Well, when I restarted the computer it seemed to straighten out. I got control back over my programs and internet access and download abilities but I hold no misconceptions: there is still some malware lurking somewhere waiting to do more damage. How can I make sure to delete all bad malware etc.?

    I will stay on top of your instructions now, I was in the middle of a small crisis before.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, we'll check these 2 scans:

    If you still have Malwarebytes on the system, please uninstall it. Then download and run again:

    Malwarebytes' Anti-Malware
    • Please download Malwarebytes' Anti-Malware from HERE
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      [o] Update Malwarebytes' Anti-Malware
      [o] and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach this log with your reply.
      Note: on opening Notepad, click on Format> make sure Word Wrap is unchecked.
      [o] If you accidentally close it, the log file is saved here and will be named like this:
      [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    ========================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
     
  18. cableman

    cableman TS Enthusiast Topic Starter Posts: 178

    "Here are the two logs"

    Edit: Pasted logs and attached log are all copies of previous logs. There is no new Eset scan or Malwarebytes log per the following:
    • You ran the Eset scan 2 weeks ago.
    • A week later (1 week ago), you ran OTM and pasted the log. You made the comment "they were hard to copy and paste."
    • 5 days ago, I made this reply: " It's been a month cableman. Please give me an update on the system."
    • 1 day ago, I replied "Okay, we'll check these 2 scans:" The two scans I asked for were for a new Malwarebytes and a new Eset Online virus scan.
    • 9 hours ago, you replied "Here are the two logs"
    • Then you pasted in 5 copies of the original OTM log:
      Total Files Cleaned = 855.00 mb
      OTM by OldTimer - Version 3.1.19.0 log created on 02052012_075819
    • You added "I don't know if that last log copied right so I added it as an attachment", naming it 'malware log' > it was another copy of the original Eset scan log from 2 weeks ago.

    I have deleted all of the logs and the attachment as they are all multiple copies of the same logs.
    Perhaps you can undertake this at another time.

    The thread was started over a month ago. This thread is now closed.

    "I don't know if that last log copied right so I added it as an attachment"> attachment is old log.
     
Topic Status:
Not open for further replies.

