TechSpot

Computer rebooting every 10-30 minutes, corrupt/unreadable .exe files

Inactive
By CoreyBZE
Dec 4, 2012
  1. Hello, new to the forum and new to troubleshooting virus/malware complications.

    I have an HP dv6000 Pavilion computer running Vista Home Premium on win32 with 4 GB RAM.

    When I start up the computer a couple of notifications pop up on the right side of my menu bar stating that networx.exe, jusched.exe, and a couple of other .exe files are corrupt and unreadable and to please run the Microsoft chkdsk scanner. I tried running this scanner but the program doesn't even launch. The folder for the jusched.exe file is located under C:\Program files\Common files\Roxio\Shared Files, but when I navigate here the folder is empty, and when I run a search, locate the jusched.exe file and press 'delete' it says I am unable to do so. I have tried running scans with both AVG and Malwarebytes on the Common Files folder but neither detects an error.

    I've tried running AVG anti-virus on the entire C drive but it doesn't find anything. I ran Malwarebytes on the entire C drive but it is unable to complete the scan before the computer shuts down. I have read on other forums of running Farbar Recovery Scan but I am unfamiliar with this. Any help would be greatly appreciated. I do not have a full backup of my laptop's contents so I would really like to avoid wiping my computer clean if possible.

    Thank you for any assistance in advance.
    Corey
     
  2. Broni

    Broni Malware Annihilator Posts: 47,066   +257

    Welcome aboard

    Do you have any reason to believe your computer is actually infected?
     
  3. CoreyBZE

    CoreyBZE TS Rookie Topic Starter

    Yes, I believe I may have accidentally run a program masked as a "Java" update. That is the only thing I can think of, given that the computer rebooting and corruption errors began popping up shortly after, e.g., the following morning.
     
  4. Broni

    Broni Malware Annihilator Posts: 47,066   +257

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  5. CoreyBZE

    CoreyBZE TS Rookie Topic Starter

    Thanks Broni. Running the MBAM scan now. For the DDS scan I have a question about disabling my antivirus protection. In the directions for the DDS tool it states: "After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet." By disabling do I just have to "exit" the MBAM or AVG programs or does this mean to uninstall the program?

    Thank you for the clarification.
     
  6. Broni

    Broni Malware Annihilator Posts: 47,066   +257

    The free version of MBAM doesn't run in real time, so you don't have to worry about it.
    Disable AVG though.
     
  7. CoreyBZE

    CoreyBZE TS Rookie Topic Starter

    Contents of the MBAM Scan:

    Malwarebytes Anti-Malware (Trial) 1.65.1.1000
    www.malwarebytes.org

    Database version: v2012.12.05.07

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 7.0.6002.18005
    Cory :: COREY-PC [administrator]

    Protection: Enabled

    12/5/2012 11:22:16 AM
    mbam-log-2012-12-05 (11-22-16).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 225228
    Time elapsed: 9 minute(s), 11 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\ProgramData\ADDICT-THING\bhoclass.dll (PUP.DownloadnSave) -> Quarantined and deleted successfully.

    (end)


    ---------------------

    Running the DDS Scan now after computer restart
     
  8. CoreyBZE

    CoreyBZE TS Rookie Topic Starter

    Contents of DDS.txt File:

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 10.7.2
    Run by Cory at 11:39:56 on 2012-12-05
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3061.1564 [GMT -6:00]
    .
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\SLsvc.exe
    C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Windows\system32\rpcnet.exe
    C:\Program Files\Vongo\VongoService.exe
    C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\igfxpers.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\HP\HP Software Update\hpwuschd2.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\AVG Secure Search\vprot.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\WINDOWS\RtHDVCpl.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\NetWorx\networx.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    C:\Users\Cory\AppData\Local\Google\Update\GoogleUpdate.exe
    C:\Windows\system32\msiexec.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files\AVG\AVG2012\avgcfgex.exe
    C:\Program Files\Hewlett-Packard\HP Advisor\SSDK04.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/ig?hl=en&tab=vw
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
    dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
    BHO: Yahoo! Toolbar Helper: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg2012\avgssie.dll
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
    BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\13.2.0.5\AVG Secure Search_toolbar.dll
    BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
    TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
    TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\13.2.0.5\AVG Secure Search_toolbar.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun
    uRun: [Google Update] "c:\users\cory\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [Facebook Update] "c:\users\cory\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
    mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
    mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [QlbCtrl] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
    mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
    mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
    mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
    mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
    mRun: [IAStorIcon] c:\program files\intel\intel(r) rapid storage technology\IAStorIcon.exe
    mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
    mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [HF_G_Jul] "c:\program files\avg secure search\HF_G_Jul.exe" /DoAction
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [NetWorx] "c:\program files\networx\networx.exe" /auto
    mRunOnce: [Launcher] c:\windows\sminst\launcher.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vongot~1.lnk - c:\windows\installer\{8c3ae2d1-854d-4650-a73d-c7cc7ee36b80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:149
    uPolicies-Explorer: NoDriveAutoRun = dword:0
    mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-System: HideFastUserSwitching = dword:1
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
    IE: Free YouTube to MP3 Converter - c:\users\cory\appdata\roaming\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
    IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {AC3FC1E2-26B3-46E5-8EC2-B1D5E4C90331} - hxxp://www.microseven.com/software/M7IE.cab
    DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    TCP: NameServer = 68.94.156.1 68.94.157.1
    TCP: Interfaces\{630707CE-97FE-4D65-A6A0-7A2598704B1D} : DHCPNameServer = 68.94.156.1 68.94.157.1
    TCP: Interfaces\{EC302945-AED3-4D1F-96C8-3D97C28F4FC1} : DHCPNameServer = 192.168.1.254
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\13.2.0\ViProtocol.dll
    Notify: igfxcui - igfxdev.dll
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
    LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-7-26 237408]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-8-24 301920]
    R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-11-8 26984]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-9-7 21504]
    R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\intel\intel(r) rapid storage technology\IAStorDataMgrSvc.exe [2010-12-21 13336]
    R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-12-4 399432]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-12-4 676936]
    R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2010-5-5 583360]
    R2 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\13.2.0\ToolbarUpdater.exe [2012-11-8 711112]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-4 22856]
    R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-8-13 5167736]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-12 167264]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2012-12-04 20:01:03 -------- d-----w- c:\users\cory\appdata\roaming\Malwarebytes
    2012-12-04 20:00:54 -------- d-----w- c:\programdata\Malwarebytes
    2012-12-04 20:00:51 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-12-04 20:00:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-11-14 19:33:28 75776 ----a-w- c:\windows\system32\synceng.dll
    2012-11-14 19:32:55 2047488 ----a-w- c:\windows\system32\win32k.sys
    2012-11-09 04:24:04 26984 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
    .
    ==================== Find3M ====================
    .
    2012-12-05 17:34:44 17408 ----a-w- c:\windows\system32\rpcnetp.exe
    2012-12-05 17:34:42 58288 ----a-w- c:\windows\system32\rpcnet.dll
    2012-10-20 17:25:55 58288 ------w- c:\windows\system32\rpcnet.exe
    2012-10-09 03:49:17 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-10-09 03:49:17 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-09-26 17:41:31 17408 ----a-w- c:\windows\system32\rpcnetp.dll
    2012-09-13 13:28:08 2048 ----a-w- c:\windows\system32\tzres.dll
    2012-09-09 01:39:39 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2012-09-09 01:39:36 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-09-09 01:39:36 746984 ----a-w- c:\windows\system32\deployJava1.dll
    .
    ============= FINISH: 11:42:00.89 ===============
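A small triage helper for the DDS log layout shown above, added here as an example; it is not part of the thread and not the DDS tool's own code. It splits the log at its banner lines, parses the "Created Last 30" / "Find3M" entries, and lists system32 binaries modified within a few days of the scan date plus processes whose image runs from a user profile or ProgramData. The sample log is a constructed excerpt in the same layout as the posted DDS.txt; the names, regexes and the 7-day window are the example's own choices.

```python
import re
from datetime import date
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: a trimmed excerpt laid out like the DDS.txt posted above
# (section banners, "." separators, one entry per line).
SAMPLE_LOG = """\
Run by Cory at 11:39:56 on 2012-12-05
.
============== Running Processes ================
C:\\Users\\Cory\\AppData\\Local\\Google\\Update\\GoogleUpdate.exe
\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE
C:\\Windows\\system32\\svchost.exe -k netsvcs
============== Created Last 30 ================
2012-12-04 20:00:54 -------- d-----w- c:\\programdata\\Malwarebytes
2012-12-04 20:00:51 22856 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2012-11-14 19:32:55 2047488 ----a-w- c:\\windows\\system32\\win32k.sys
.
==================== Find3M ====================
2012-12-05 17:34:44 17408 ----a-w- c:\\windows\\system32\\rpcnetp.exe
2012-12-05 17:34:42 58288 ----a-w- c:\\windows\\system32\\rpcnet.dll
2012-10-20 17:25:55 58288 ------w- c:\\windows\\system32\\rpcnet.exe
============= FINISH: 11:42:00.89 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
SCAN_DATE_RE = re.compile(r"^\s*Run by .+ at \d\d:\d\d:\d\d on (\d{4}-\d\d-\d\d)$", re.M)
# "<date> <time> <size, or dashes for a directory> <attribute flags> <path>"
FILE_ENTRY_RE = re.compile(r"^(\d{4}-\d\d-\d\d) (\d\d:\d\d:\d\d) (\d+|-+) (\S+) (.+)$")
# image path, then optional arguments such as svchost's "-k netsvcs"
PROCESS_RE = re.compile(r"^(?P<path>.*?\.exe)(?:\s+(?P<args>.*))?$", re.I)


class FileEntry(NamedTuple):
    modified: date
    size: Optional[int]  # None for directories
    attrs: str           # e.g. "----a-w-"; a leading "d" marks a directory
    path: str


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the log's lines under their '==== Name ====' banners."""
    sections: Dict[str, List[str]] = {}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def parse_scan_date(text: str) -> date:
    m = SCAN_DATE_RE.search(text)
    if not m:
        raise ValueError("no 'Run by ... on YYYY-MM-DD' line in log")
    return date.fromisoformat(m.group(1))


def parse_file_entries(lines: List[str]) -> List[FileEntry]:
    entries = []
    for line in lines:
        m = FILE_ENTRY_RE.match(line)
        if not m:  # tolerate wrapped or otherwise damaged lines
            continue
        d, _time, size, attrs, path = m.groups()
        entries.append(FileEntry(date.fromisoformat(d),
                                 None if size.startswith("-") else int(size),
                                 attrs, path))
    return entries


def recent_system_binaries(entries: List[FileEntry], scan_date: date,
                           days: int) -> List[FileEntry]:
    """system32 binaries modified within `days` of the scan: leads to correlate
    with known installs or updates (mbam.sys here), not verdicts of infection."""
    return [e for e in entries
            if not e.attrs.startswith("d")
            and e.path.lower().startswith("c:\\windows\\system32")
            and e.path.lower().endswith((".exe", ".dll", ".sys"))
            and 0 <= (scan_date - e.modified).days <= days]


def user_profile_processes(lines: List[str]) -> List[str]:
    """Processes whose image lives under a user profile or ProgramData."""
    hits = []
    for line in lines:
        m = PROCESS_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        path = path[4:] if path.startswith("\\\\?\\") else path  # drop DDS's \\?\ prefix
        if re.search(r"\\(users|programdata)\\", path, re.I):
            hits.append(path)
    return hits


def triage(text: str, days: int = 7) -> dict:
    sections = split_sections(text)
    scan_date = parse_scan_date(text)
    entries = parse_file_entries(sections.get("Created Last 30", [])
                                 + sections.get("Find3M", []))
    return {"scan_date": scan_date,
            "recent_system_files": recent_system_binaries(entries, scan_date, days),
            "user_profile_processes": user_profile_processes(sections.get("Running Processes", []))}
```

Run `triage(SAMPLE_LOG)` to see the flagged entries; on the real log, widen `days` or point the same functions at the full pasted text, since the parser strips the forum indentation itself.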
     
  9. CoreyBZE

    CoreyBZE TS Rookie Topic Starter

    Contents of Attach.txt File:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 8/31/2007 1:10:59 PM
    System Uptime: 12/5/2012 11:33:13 AM (0 hours ago)
    .
    Motherboard: Quanta | | 30CC
    Processor: Intel(R) Core(TM)2 Duo CPU T5250 @ 1.50GHz | U2E1 | 1000/667mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 141 GiB total, 3.091 GiB free.
    D: is FIXED (NTFS) - 7 GiB total, 0.422 GiB free.
    E: is FIXED (NTFS) - 1 GiB total, 0.877 GiB free.
    F: is CDROM ()
    G: is Removable
    H: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
    Device ID: ROOT\NET\0000
    Manufacturer: Cisco Systems
    Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
    PNP Device ID: ROOT\NET\0000
    Service: vpnva
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    µTorrent
    7-Zip 9.20
    ACDSee Pro 3
    Activation Assistant for the 2007 Microsoft Office suites
    ActiveCheck component for HP Active Support Library
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Reader 8.3.1
    Apple Application Support
    Apple Software Update
    AVG 2012
    AVG Security Toolbar
    Baldur's Gate(TM) II - Throne of Bhaal (TM)
    CCleaner
    Cisco AnyConnect VPN Client
    Cisco AnyConnect VPN Client Start Before Login Components
    Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    Diablo II
    Download Manager 2.3.10
    Dropbox
    ESU for Microsoft Vista
    Facebook Video Calling 1.2.0.287
    Free YouTube Downloader 3.5.126
    Free YouTube to MP3 Converter version 3.11.17.319
    Google Chrome
    Google Earth
    Google Talk Plugin
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Active Support Library
    HP Active Support Library 32 bit components
    HP Customer Experience Enhancements
    HP Doc Viewer
    HP Easy Setup - Frontend
    HP Help and Support
    HP Photosmart Essential 2.0
    HP Photosmart Essential2.5
    HP Quick Launch Buttons 6.20 B1
    HP QuickPlay 3.6
    HP Total Care Advisor
    HP Update
    HP User Guides 0057
    HP Wireless Assistant
    HPAsset component for HP Active Support Library
    HPNetworkAssistant
    Icewind Dale II
    Intel(R) Control Center
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Rapid Storage Technology
    iTunes
    Java 7 Update 7
    Java Auto Updater
    Java(TM) SE Runtime Environment 6
    LightScribe 1.4.136.1
    LiveUpdate 3.2 (Symantec Corporation)
    LiveUpdate Notice (Symantec Corporation)
    Malwarebytes Anti-Malware version 1.65.1.1000
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Office 2010 Service Pack 1 (SP1)
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Works
    Motorola SM56 Data Fax Modem
    MSCU for Microsoft Vista
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    muvee autoProducer 6.0
    My HP Games
    NetWorx 5.2.4
    OGA Notifier 2.0.0048.0
    PowerISO
    PSSWCORE
    QuickPlay SlingPlayer 0.4.6
    QuickTime
    R for Windows 2.11.1
    Realtek 8169, 8168, 8101E and 8102E Ethernet Network Card Driver for Windows Vista
    Realtek High Definition Audio Driver
    Rhapsody
    Rhapsody Player Engine
    Rosetta Stone V3
    Roxio Activation Module
    Roxio Creator Audio
    Roxio Creator Basic v9
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator EasyArchive
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio MyDVD Basic v9
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit Edition
    Security Update for Microsoft InfoPath 2010 (KB2687417) 32-Bit Edition
    Security Update for Microsoft InfoPath 2010 (KB2687436) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2553091)
    Security Update for Microsoft Office 2010 (KB2553096)
    Security Update for Microsoft Office 2010 (KB2553260) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2589322) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2597986) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
    Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
    Security Update for Microsoft Visio Viewer 2010 (KB2598287) 32-Bit Edition
    Security Update for Microsoft Word 2010 (KB2553488) 32-Bit Edition
    Skype Click to Call
    Skype™ 5.10
    Synaptics Pointing Device Driver
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2600217)
    Update for Microsoft Office 2010 (KB2494150)
    Update for Microsoft Office 2010 (KB2553065)
    Update for Microsoft Office 2010 (KB2553092)
    Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553272) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2566458)
    Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition
    Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
    Update for Microsoft OneNote 2010 (KB2687277) 32-Bit Edition
    Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
    Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
    Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition
    VLC media player 2.0.1
    Vongo
    Windows Mobile Device Updater Component
    Yahoo! Messenger
    Yahoo! Toolbar
    Yahoo! Toolbar for Internet Explorer
    Zune
    Zune Language Pack (CHS)
    Zune Language Pack (CHT)
    Zune Language Pack (CSY)
    Zune Language Pack (DAN)
    Zune Language Pack (DEU)
    Zune Language Pack (ELL)
    Zune Language Pack (ESP)
    Zune Language Pack (FIN)
    Zune Language Pack (FRA)
    Zune Language Pack (HUN)
    Zune Language Pack (IND)
    Zune Language Pack (ITA)
    Zune Language Pack (JPN)
    Zune Language Pack (KOR)
    Zune Language Pack (MSL)
    Zune Language Pack (NLD)
    Zune Language Pack (NOR)
    Zune Language Pack (PLK)
    Zune Language Pack (PTB)
    Zune Language Pack (PTG)
    Zune Language Pack (RUS)
    Zune Language Pack (SVE)
    .
    ==== End Of File ===========================
     
  10. CoreyBZE

    CoreyBZE TS Rookie Topic Starter

    Computer still automatically restarting itself every so often despite the successful quarantine / removal following the MBAM scan.
     
  11. Broni

    Broni Malware Annihilator Posts: 47,066   +257

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

    ============================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
     
     
  12. CoreyBZE

    CoreyBZE TS Rookie Topic Starter

    Errors came up upon running the roguekiller.exe and aswMBR.exe programs stating they are "corrupt." Likely the virus or malware falsely labeling them as such but just thought I should mention it. Here are the results:

    RogueKiller V8.3.1 [Dec 2 2012] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
    Started in : Normal mode
    User : Cory [Admin rights]
    Mode : Remove -- Date : 12/05/2012 12:02:31

    ¤¤¤ Bad processes : 1 ¤¤¤
    [SUSP PATH] RtHDVCpl.exe -- C:\WINDOWS\RtHDVCpl.exe -> KILLED [TermProc]

    ¤¤¤ Registry Entries : 5 ¤¤¤
    [HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
    [HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
    [HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    127.0.0.1 localhost
    ::1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST9160821AS +++++
    --- User ---
    [MBR] 9f39aa781f315766724b9a0327af36cd
    [BSP] c39d26b2944779cb28c982f13ef7cac7 : HP tatooed MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 144145 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 295210440 | Size: 7346 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 310257664 | Size: 1133 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: FLASH Drive SM_USB20 USB Device +++++
    --- User ---
    [MBR] 9ce65dd10b564194fc9c920b30411fe1
    [BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 3863 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[2]_D_12052012_02d1202.txt >>
    RKreport[1]_S_12052012_02d1202.txt ; RKreport[2]_D_12052012_02d1202.txt
     
  13. CoreyBZE

    CoreyBZE TS Rookie Topic Starter

    And the other:

    aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
    Run date: 2012-12-05 12:03:20
    -----------------------------
    12:03:20.603 OS Version: Windows 6.0.6002 Service Pack 2
    12:03:20.603 Number of processors: 2 586 0xF0D
    12:03:20.607 ComputerName: COREY-PC UserName: Cory
    12:03:22.018 Initialize success
    12:03:26.534 AVAST engine download error: 0
    12:03:32.870 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    12:03:32.874 Disk 0 Vendor: ST916082 3.BH Size: 152627MB BusType: 3
    12:03:32.886 Disk 0 MBR read successfully
    12:03:32.890 Disk 0 MBR scan
    12:03:32.895 Disk 0 unknown MBR code
    12:03:32.900 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 144145 MB offset 63
    12:03:32.929 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 7346 MB offset 295210440
    12:03:32.943 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 1133 MB offset 310257664
    12:03:32.975 Disk 0 scanning sectors +312578048
    12:03:33.051 Disk 0 scanning C:\Windows\system32\drivers
    12:03:42.536 Service scanning
    12:04:04.218 Modules scanning
    12:04:10.761 Disk 0 trace - called modules:
    12:04:10.794 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
    12:04:10.803 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x877c0458]
    12:04:10.812 3 CLASSPNP.SYS[8a99e8b3] -> nt!IofCallDriver -> [0x84b6f298]
    12:04:10.821 5 acpi.sys[8268c6bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x85520028]
    12:04:10.830 Scan finished successfully
    12:04:31.539 Disk 0 MBR has been saved successfully to "G:\MBR.dat"
    12:04:31.567 The log file has been saved successfully to "G:\aswMBR.txt"
     
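    As an added illustration of what the "MBR Check" section of the RogueKiller log and the "MBR scan" lines of the aswMBR log above are reading (example code, not part of either tool or of this thread): a parser for a saved 512-byte MBR sector such as the MBR.dat that aswMBR writes. It verifies the 0x55AA boot signature, hashes the sector, decodes the four partition-table entries and flags layouts that need a closer look. The sample sector is constructed: its partition offsets and sizes match the logs, but its boot code is zero filler rather than the HP code, and hashing the whole sector and the first 440 bytes is this example's choice, not a documented RogueKiller behaviour.

```python
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 446              # partition table: 4 entries x 16 bytes
BOOT_SIG = b"\x55\xAA"       # last two bytes of a valid MBR
PART_TYPES = {0x00: "Empty", 0x05: "Extended", 0x07: "NTFS",
              0x0B: "FAT32", 0x0C: "FAT32-LBA", 0x0F: "Extended-LBA"}


def parse_mbr(sector: bytes) -> dict:
    """Decode a 512-byte MBR: signature check, hashes and partition table."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, num_sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0x00:
            continue                      # unused slot
        parts.append({
            "index": i,
            "active": status == 0x80,
            "type": PART_TYPES.get(ptype, f"0x{ptype:02x}"),
            "type_id": ptype,
            "offset_sectors": lba_start,
            "size_mb": num_sectors * SECTOR // (1024 * 1024),
            "end_sector": lba_start + num_sectors,
        })
    return {
        # Assumption for this example: hash the full sector and the 440-byte
        # boot-code area; tools differ in exactly what they hash.
        "mbr_md5": hashlib.md5(sector).hexdigest(),
        "bootcode_md5": hashlib.md5(sector[:440]).hexdigest(),
        "partitions": parts,
    }


def check_partitions(parsed: dict, disk_sectors: int) -> list:
    """Sanity checks a reviewer applies to the decoded table."""
    findings = []
    parts = parsed["partitions"]
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    spans = sorted((p["offset_sectors"], p["end_sector"]) for p in parts)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append(f"partitions overlap at sector {start_b}")
    for p in parts:
        if p["end_sector"] > disk_sectors:
            findings.append(f"partition {p['index']} runs past the end of the disk")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample matching the layout in the logs above
    (offsets 63 / 295210440 / 310257664, sizes 144145 / 7346 / 1133 MB).
    Boot code and disk signature are zero filler, not real MBR code."""
    layout = [  # (status, type, lba_start, sectors); sectors = MB * 2048
        (0x80, 0x07, 63, 144145 * 2048),
        (0x00, 0x07, 295210440, 7346 * 2048),
        (0x00, 0x07, 310257664, 1133 * 2048),
        (0x00, 0x00, 0, 0),
    ]
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in layout)
    return bytes(440) + bytes(6) + table + BOOT_SIG


if __name__ == "__main__":
    import sys
    # Pass a path to an MBR.dat to parse it; otherwise use the constructed sample.
    data = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(data)
    print("[MBR]", info["mbr_md5"])
    print("[BSP]", info["bootcode_md5"])
    for p in info["partitions"]:
        flag = "ACTIVE" if p["active"] else "XXXXXX"
        print(f"{p['index']} - [{flag}] {p['type']} (0x{p['type_id']:02x}) "
              f"Offset (sectors): {p['offset_sectors']} | Size: {p['size_mb']} Mo")
    for finding in check_partitions(info, 152627 * 2048):   # 152627 MB disk per aswMBR
        print("WARNING:", finding)
```

    On the constructed sample the third partition ends at sector 312578048, the same figure aswMBR reports in its "scanning sectors" line.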
  14. Broni

    Broni Malware Annihilator Posts: 47,066   +257

    Create a new restore point before proceeding with the next step...
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    ==============================

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
     
  15. CoreyBZE

    CoreyBZE TS Rookie Topic Starter

    Computer restarted itself during the scanning process of combofix. Will attempt to rerun program upon start up.
     
  16. CoreyBZE

    CoreyBZE TS Rookie Topic Starter

    Computer restarts are getting worse - quicker than before. Made it to Stage 3_Completed with Combofix then computer restarted again. Will try it a 3rd time.
     
  17. CoreyBZE

    CoreyBZE TS Rookie Topic Starter

    Unable to run combofix without computer restarting. Restarted within 5 minutes. Please advise.
     
  18. Broni

    Broni Malware Annihilator Posts: 47,066   +257

    Let's try something else...

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flash drive into the infected PC.

    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
     
  19. CoreyBZE

    CoreyBZE TS Rookie Topic Starter

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02-12-2012
    Ran by SYSTEM at 05-12-2012 14:01:45
    Running from G:\
    Windows Vista (TM) Home Premium (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [x]
    HKLM\...\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe [634880 2007-01-16] (Motorola Inc.)
    HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [827392 2007-01-12] (Synaptics, Inc.)
    HKLM\...\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [x]
    HKLM\...\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75008 2008-10-09] (Hewlett-Packard)
    HKLM\...\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" [398728 2008-01-29] (Symantec Corporation)
    HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
    HKLM\...\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe" [2596984 2012-07-31] (AVG Technologies CZ, s.r.o.)
    HKLM\...\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
    HKLM\...\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [480560 2007-10-03] (Hewlett-Packard Development Company, L.P.)
    HKLM\...\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" [468264 2007-12-19] (CyberLink Corp.)
    HKLM\...\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-02-18] (Hewlett-Packard)
    HKLM\...\Run: [] [x]
    HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [40368 2011-08-30] (Adobe Systems Incorporated)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-03-29] (Adobe Systems Incorporated)
    HKLM\...\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe" [997320 2012-11-08] ()
    HKLM\...\Run: [ROC_roc_dec12] "C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12 [x]
    HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
    HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-03-06] (Apple Inc.)
    HKLM\...\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe" [159456 2011-08-05] (Microsoft Corporation)
    HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
    HKLM\...\Run: [HF_G_Jul] "C:\Program Files\AVG Secure Search\HF_G_Jul.exe" /DoAction [36960 2012-07-18] ()
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
    HKLM\...\Run: [NetWorx] "C:\Program Files\NetWorx\networx.exe" /auto [3246992 2012-09-18] (SoftPerfect Research)
    HKU\Cory\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2153472 2009-04-10] (Microsoft Corporation)
    HKU\Cory\...\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1773568 2007-03-20] (Hewlett-Packard)
    HKU\Cory\...\Run: [Google Update] "C:\Users\Cory\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-10-17] (Google Inc.)
    HKU\Cory\...\Run: [Facebook Update] "C:\Users\Cory\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-07-11] (Facebook Inc.)
    HKU\Default\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1773568 2007-03-20] (Hewlett-Packard)
    HKU\Default User\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1773568 2007-03-20] (Hewlett-Packard)
    HKLM\...\Runonce: [Launcher] %WINDIR%\SMINST\launcher.exe [x]
    Tcpip\Parameters: [DhcpNameServer] 68.94.156.1 68.94.157.1
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Vongo Tray.lnk
    ShortcutTarget: Vongo Tray.lnk -> C:\Windows\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe (Macrovision Corporation)

    ==================== Services (Whitelisted) ===================

    2 Automatic LiveUpdate Scheduler; "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [554352 2007-09-12] (Symantec Corporation)
    3 AVG Security Toolbar Service; C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe [167264 2011-11-10] ()
    2 AVGIDSAgent; "C:\Program Files\AVG\AVG2012\avgidsagent.exe" [5167736 2012-08-13] (AVG Technologies CZ, s.r.o.)
    2 avgwd; "C:\Program Files\AVG\AVG2012\avgwdsvc.exe" [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
    3 LiveUpdate; "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" [2999664 2007-09-12] (Symantec Corporation)
    2 LiveUpdate Notice Service; "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll" [537992 2008-04-10] (Symantec Corporation)
    2 MBAMScheduler; "C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-29] (Malwarebytes Corporation)
    2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-29] (Malwarebytes Corporation)
    2 QPCapSvc; "C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe" [271760 2007-12-19] ()
    2 QPSched; "C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe" [112016 2007-12-19] ()
    2 rpcnet; C:\Windows\system32\rpcnet.exe [58288 2012-10-20] (Absolute Software Corp.)
    2 vToolbarUpdater13.2.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [711112 2012-11-08] ()
    2 HP Health Check Service; "c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [x]
    2 LiveUpdate Notice Ex; "c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]
    3 RoxMediaDB9; "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe" [x]

    ==================== Drivers (Whitelisted) ====================

    3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [139856 2011-12-23] (AVG Technologies CZ, s.r.o. )
    3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfilterx.sys [24144 2011-12-23] (AVG Technologies CZ, s.r.o. )
    0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [24896 2012-04-19] (AVG Technologies CZ, s.r.o. )
    3 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [17232 2011-12-23] (AVG Technologies CZ, s.r.o. )
    1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [237408 2012-07-26] (AVG Technologies CZ, s.r.o.)
    1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [41040 2011-12-23] (AVG Technologies CZ, s.r.o.)
    0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [31952 2012-01-31] (AVG Technologies CZ, s.r.o.)
    1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [301920 2012-08-24] (AVG Technologies CZ, s.r.o.)
    1 avgtp; \??\C:\Windows\system32\drivers\avgtpx86.sys [26984 2012-11-08] (AVG Technologies)
    1 eabfiltr; C:\Windows\System32\DRIVERS\eabfiltr.sys [8192 2006-11-30] (Hewlett-Packard Development Company, L.P.)
    3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22856 2012-09-29] (Malwarebytes Corporation)
    4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
    3 catchme; \??\C:\Users\Cory\AppData\Local\Temp\catchme.sys [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2012-12-05 14:01 - 2012-12-05 14:01 - 00000000 ____D C:\FRST
    2012-12-05 11:46 - 2012-12-05 11:47 - 00000000 ___SD C:\32788R22FWJFW
    2012-12-05 11:00 - 2012-12-05 11:00 - 00000000 ____D C:\Qoobox
    2012-12-05 11:00 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
    2012-12-05 11:00 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
    2012-12-05 11:00 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2012-12-05 11:00 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2012-12-05 11:00 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2012-12-05 11:00 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
    2012-12-05 11:00 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
    2012-12-05 11:00 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
    2012-12-05 10:59 - 2012-12-05 10:59 - 00000000 ____D C:\Windows\erdnt
    2012-12-05 10:59 - 2012-12-05 10:30 - 05009321 ____R (Swearware) C:\Users\Cory\Desktop\ComboFix.exe
    2012-12-05 10:14 - 2012-12-05 10:15 - 00000000 ____D C:\Users\Cory\Desktop\Malware Protection Stuff
    2012-12-04 13:29 - 2012-12-05 11:40 - 00002964 ____A C:\Windows\PFRO.log
    2012-12-04 12:01 - 2012-12-04 12:01 - 00000000 ____D C:\Users\Cory\Application Data\Malwarebytes
    2012-12-04 12:01 - 2012-12-04 12:01 - 00000000 ____D C:\Users\Cory\AppData\Roaming\Malwarebytes
    2012-12-04 12:00 - 2012-12-04 12:00 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-12-04 12:00 - 2012-12-04 12:00 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
    2012-12-04 12:00 - 2012-12-04 12:00 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2012-12-04 12:00 - 2012-09-29 17:54 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-12-02 23:56 - 2012-12-02 23:56 - 00000000 ____D C:\Users\Cory\Desktop\Belize Work Cam
    2012-11-21 18:00 - 2012-11-23 18:16 - 00000000 ____D C:\Users\Cory\Desktop\November Photos
    2012-11-20 09:04 - 2012-04-08 12:04 - 673695744 ____A C:\Users\Cory\Desktop\Scarface 4 minutes.mts
    2012-11-19 18:21 - 2012-11-19 18:21 - 00000000 ____D C:\Users\Cory\Application Data\GTek
    2012-11-19 18:21 - 2012-11-19 18:21 - 00000000 ____D C:\Users\Cory\AppData\Roaming\GTek
    2012-11-14 11:33 - 2012-09-25 08:19 - 00075776 ____A (Microsoft Corporation) C:\Windows\System32\synceng.dll
    2012-11-14 11:32 - 2012-10-12 06:29 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-11-13 09:33 - 2012-11-13 09:33 - 00104779 ____A C:\Users\Cory\Downloads\Camera Check protocol documents VB.zip
    2012-11-08 20:24 - 2012-11-08 20:23 - 00026984 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx86.sys

    ==================== One Month Modified Files and Folders ========

    2012-12-05 11:56 - 2007-05-14 03:50 - 00000279 ____A C:\Users\Public\Documents\hpqp.ini
    2012-12-05 11:56 - 2007-05-14 03:50 - 00000279 ____A C:\Users\All Users\Documents\hpqp.ini
    2012-12-05 11:56 - 2006-11-02 05:01 - 00032578 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-12-05 11:56 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-12-05 11:55 - 2007-05-14 04:17 - 00000000 ____D C:\Windows\SMINST
    2012-12-05 11:53 - 2010-09-18 16:13 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-12-05 11:53 - 2010-08-26 12:32 - 00058288 ____A (Absolute Software Corp.) C:\Windows\System32\rpcnet.dll
    2012-12-05 11:53 - 2010-06-11 20:50 - 00017408 ____A C:\Windows\System32\rpcnetp.exe
    2012-12-05 11:53 - 2006-11-02 04:47 - 00003168 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-12-05 11:53 - 2006-11-02 04:47 - 00003168 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-12-05 11:48 - 2012-06-27 04:44 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-12-05 11:47 - 2012-12-05 11:46 - 00000000 ___SD C:\32788R22FWJFW
    2012-12-05 11:40 - 2012-12-04 13:29 - 00002964 ____A C:\Windows\PFRO.log
    2012-12-05 11:34 - 2006-11-02 02:33 - 00755906 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-12-05 11:33 - 2007-08-31 11:10 - 01612258 ____A C:\Windows\WindowsUpdate.log
    2012-12-05 11:13 - 2012-03-10 14:26 - 00000924 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4025681765-3106409962-2676753595-1000UA.job
    2012-12-05 11:00 - 2012-12-05 11:00 - 00000000 ____D C:\Qoobox
    2012-12-05 10:59 - 2012-12-05 10:59 - 00000000 ____D C:\Windows\erdnt
    2012-12-05 10:30 - 2012-12-05 10:59 - 05009321 ____R (Swearware) C:\Users\Cory\Desktop\ComboFix.exe
    2012-12-05 10:15 - 2012-12-05 10:14 - 00000000 ____D C:\Users\Cory\Desktop\Malware Protection Stuff
    2012-12-05 09:31 - 2012-05-12 17:37 - 00000000 ____D C:\Users\All Users\Application Data\ADDICT-THING
    2012-12-05 09:31 - 2012-05-12 17:37 - 00000000 ____D C:\Users\All Users\ADDICT-THING
    2012-12-05 09:19 - 2010-10-14 21:22 - 00000000 ____D C:\Windows\System32\Drivers\AVG
    2012-12-05 09:19 - 2010-10-14 17:52 - 00000000 ____D C:\Users\All Users\MFAData
    2012-12-05 09:19 - 2010-10-14 17:52 - 00000000 ____D C:\Users\All Users\Application Data\MFAData
    2012-12-04 12:06 - 2011-03-27 12:33 - 00000000 ____D C:\Users\Cory\Application Data\HpUpdate
    2012-12-04 12:06 - 2011-03-27 12:33 - 00000000 ____D C:\Users\Cory\AppData\Roaming\HpUpdate
    2012-12-04 12:01 - 2012-12-04 12:01 - 00000000 ____D C:\Users\Cory\Application Data\Malwarebytes
    2012-12-04 12:01 - 2012-12-04 12:01 - 00000000 ____D C:\Users\Cory\AppData\Roaming\Malwarebytes
    2012-12-04 12:00 - 2012-12-04 12:00 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-12-04 12:00 - 2012-12-04 12:00 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
    2012-12-04 12:00 - 2012-12-04 12:00 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2012-12-04 12:00 - 2010-09-22 13:54 - 00000680 ____A C:\Users\Cory\Local Settings\d3d9caps.dat
    2012-12-04 12:00 - 2010-09-22 13:54 - 00000680 ____A C:\Users\Cory\Local Settings\Application Data\d3d9caps.dat
    2012-12-04 12:00 - 2010-09-22 13:54 - 00000680 ____A C:\Users\Cory\AppData\Local\d3d9caps.dat
    2012-12-02 23:56 - 2012-12-02 23:56 - 00000000 ____D C:\Users\Cory\Desktop\Belize Work Cam
    2012-12-01 18:20 - 2010-09-18 16:28 - 00001971 ____A C:\Users\Public\Desktop\Google Chrome.lnk
    2012-12-01 18:20 - 2010-09-18 16:28 - 00001971 ____A C:\Users\All Users\Desktop\Google Chrome.lnk
    2012-11-29 11:47 - 2010-08-22 13:46 - 00090112 ____A C:\Users\Cory\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-11-29 11:47 - 2010-08-22 13:46 - 00090112 ____A C:\Users\Cory\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-11-29 11:47 - 2010-08-22 13:46 - 00090112 ____A C:\Users\Cory\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-11-29 10:31 - 2010-12-16 20:58 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4025681765-3106409962-2676753595-1000UA.job
    2012-11-29 10:31 - 2010-09-18 16:13 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-11-28 18:41 - 2012-03-10 14:26 - 00000902 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4025681765-3106409962-2676753595-1000Core.job
    2012-11-28 07:46 - 2012-04-24 09:02 - 00000318 ____A C:\Windows\Tasks\HPCeeScheduleForCory.job
    2012-11-27 16:03 - 2010-12-16 20:58 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4025681765-3106409962-2676753595-1000Core.job
    2012-11-23 21:48 - 2012-05-14 15:10 - 00000000 ____D C:\Users\Cory\Application Data\vlc
    2012-11-23 21:48 - 2012-05-14 15:10 - 00000000 ____D C:\Users\Cory\AppData\Roaming\vlc
    2012-11-23 18:16 - 2012-11-21 18:00 - 00000000 ____D C:\Users\Cory\Desktop\November Photos
    2012-11-20 20:52 - 2012-02-20 17:22 - 00000000 ____D C:\Users\Cory\My Documents\Lamanai
    2012-11-20 20:52 - 2012-02-20 17:22 - 00000000 ____D C:\Users\Cory\Documents\Lamanai
    2012-11-20 10:10 - 2010-06-11 19:57 - 00000000 ____D C:\users\Cory
    2012-11-20 10:09 - 2010-12-15 12:59 - 00000052 ____A C:\Windows\System32\DOErrors.log
    2012-11-19 18:21 - 2012-11-19 18:21 - 00000000 ____D C:\Users\Cory\Application Data\GTek
    2012-11-19 18:21 - 2012-11-19 18:21 - 00000000 ____D C:\Users\Cory\AppData\Roaming\GTek
    2012-11-15 02:37 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\Microsoft.NET
    2012-11-15 02:15 - 2006-11-02 04:47 - 00437200 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-11-15 01:55 - 2007-05-14 03:45 - 00000000 ____D C:\Users\All Users\Microsoft Help
    2012-11-15 01:55 - 2007-05-14 03:45 - 00000000 ____D C:\Users\All Users\Application Data\Microsoft Help
    2012-11-15 01:07 - 2006-11-02 02:24 - 64010424 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-11-15 01:04 - 2006-11-02 03:18 - 00000000 ____D C:\Program Files\Common Files\System
    2012-11-15 01:04 - 2006-11-02 02:23 - 00000219 ____A C:\Windows\win.ini
    2012-11-14 15:02 - 2010-11-30 12:56 - 00000000 ____D C:\Users\Cory\Application Data\Skype
    2012-11-14 15:02 - 2010-11-30 12:56 - 00000000 ____D C:\Users\Cory\AppData\Roaming\Skype
    2012-11-13 15:22 - 2010-10-03 11:16 - 00000000 ____D C:\Users\Cory\My Documents\Resumes
    2012-11-13 15:22 - 2010-10-03 11:16 - 00000000 ____D C:\Users\Cory\Documents\Resumes
    2012-11-13 09:33 - 2012-11-13 09:33 - 00104779 ____A C:\Users\Cory\Downloads\Camera Check protocol documents VB.zip
    2012-11-11 14:34 - 2010-10-05 09:33 - 00002613 ____A C:\Users\Cory\Desktop\Microsoft Word 2010.lnk
    2012-11-11 10:22 - 2012-01-02 21:13 - 00000000 ____D C:\Users\Cory\My Documents\System_Restore_Docs
    2012-11-11 10:22 - 2012-01-02 21:13 - 00000000 ____D C:\Users\Cory\Documents\System_Restore_Docs
    2012-11-10 09:07 - 2012-09-01 14:39 - 26079592 ____A C:\Users\Cory\Desktop\LFRC_Wildcat_Presentation_2012_Anco.pptx
    2012-11-08 20:24 - 2012-04-30 17:06 - 00000000 ____D C:\Users\Cory\Local Settings\AVG Secure Search
    2012-11-08 20:24 - 2012-04-30 17:06 - 00000000 ____D C:\Users\Cory\Local Settings\Application Data\AVG Secure Search
    2012-11-08 20:24 - 2012-04-30 17:06 - 00000000 ____D C:\Users\Cory\AppData\Local\AVG Secure Search
    2012-11-08 20:24 - 2012-02-14 17:18 - 00000000 ____D C:\Users\All Users\AVG Secure Search
    2012-11-08 20:24 - 2012-02-14 17:18 - 00000000 ____D C:\Users\All Users\Application Data\AVG Secure Search
    2012-11-08 20:24 - 2012-02-14 17:18 - 00000000 ____D C:\Program Files\Common Files\AVG Secure Search
    2012-11-08 20:24 - 2012-02-14 17:18 - 00000000 ____D C:\Program Files\AVG Secure Search
    2012-11-08 20:23 - 2012-11-08 20:24 - 00026984 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx86.sys
    2012-11-08 09:09 - 2012-10-13 12:17 - 00784176 ____A C:\Users\Cory\Desktop\LFRC_PhotoData.xlsx


    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2012-11-03 19:27:52
    Restore point made on: 2012-11-05 10:21:03
    Restore point made on: 2012-11-06 08:13:22
    Restore point made on: 2012-11-07 13:58:40
    Restore point made on: 2012-11-08 20:10:23
    Restore point made on: 2012-11-11 08:54:58
    Restore point made on: 2012-11-15 01:01:15
    Restore point made on: 2012-11-18 10:56:33
    Restore point made on: 2012-11-23 07:58:36
    Restore point made on: 2012-11-27 21:51:27
    Restore point made on: 2012-11-28 11:28:11
    Restore point made on: 2012-12-05 10:42:37

    ==================== Memory info ===========================

    Percentage of memory in use: 14%
    Total physical RAM: 4085.63 MB
    Available physical RAM: 3505.3 MB
    Total Pagefile: 3751.53 MB
    Available Pagefile: 3579.06 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1975.54 MB

    ==================== Partitions =============================

    1 Drive c: () (Fixed) (Total:140.77 GB) (Free:3.01 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (HP_RECOVERY) (Fixed) (Total:7.17 GB) (Free:0.52 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    3 Drive e: () (Fixed) (Total:1.11 GB) (Free:0.78 GB) NTFS
    5 Drive g: (CA_BLUGOOSE) (Removable) (Total:3.77 GB) (Free:2.45 GB) FAT32
    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 149 GB 1532 KB
    Disk 1 Online 3864 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 141 GB 32 KB
    Partition 2 Primary 7347 MB 141 GB
    Partition 3 Primary 1133 MB 148 GB

    =========================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 141 GB Healthy

    =========================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 D HP_RECOVERY NTFS Partition 7347 MB Healthy

    =========================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 E NTFS Partition 1133 MB Healthy

    =========================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 3864 MB 32 KB

    =========================================================

    Disk: 1
    Partition 1
    Type : 0C
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 G CA_BLUGOOSE FAT32 Removable 3864 MB Healthy

    =========================================================

    Last Boot: 2012-12-05 11:39

    ==================== End Of Log ============================
     
  20. CoreyBZE

    CoreyBZE TS Rookie Topic Starter

    I am curious, could I have run the Combofix tool from the command line the same way I had just run Farbar scan?
     
  21. Broni

    Broni Malware Annihilator Posts: 47,066   +257

    No but it doesn't matter at this point.
    I don't see anything malicious there.
    The other scans were not finding anything either.

    At this point...

    In this forum, we make sure your computer is free of malware and your computer is clean :)
    Because access to the malware forum is very limited, your best option is to create a new topic about your current issue in the Windows section.
    You'll get more attention.

    Good luck :)
     

