
File recovery rogue scanner infection

Discussion in 'Virus and Malware Removal' started by CanHazTrojanz?, Sep 1, 2012.

  1. CanHazTrojanz? TechSpot Enthusiast Posts: 106

    ComboFix 12-09-03.07 - IdHusseys 09/03/2012 23:23:59.7.2 - x64 NETWORK
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2812.2087 [GMT -6:00]
    Running from: c:\users\IdHusseys\Desktop\ComboFix.exe
    AV: GFI Software VIPRE *Disabled/Updated* {E0D97DD4-42BA-B3F2-A5A7-22E9ACE81FC7}
    SP: GFI Software VIPRE *Disabled/Updated* {5BB89C30-6480-BC7C-9F17-199BD76F557A}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\data
    c:\data\ZORK1.DAT
    C:\Install.exe
    c:\program files (x86)\Netpeak\NP Checker\RnD.ICS.HelperServiceLibrary.dll
    c:\programdata\ntuser.dat
    c:\users\IdHusseys\AppData\Roaming\.#
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@1040@2102780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@1040@21027B0.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@1268@3F2780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@1268@3F27B0.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@1390@962780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@1390@9627B0.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@14C@672780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@14C@6727B0.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@1630@1FA2780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@1630@1FA27B0.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@604@292780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@604@2927B0.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@8C0@3D2780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@8C0@3D27B0.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@9EC@1FD2780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@9EC@1FD27B0.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@A50@20E2780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@A50@20E27B0.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@D5C@3E2780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@D5C@3E27B0.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@E9C@1F92780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@E9C@1F927B0.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@F28@1F02780.###
    c:\users\IdHusseys\AppData\Roaming\.#\MBX@F28@1F027B0.###
    c:\users\IdHusseys\AppData\Roaming\47f5ae1b-24d4-466b-a5db-c9e5ddf8e247.jpg
    c:\users\IdHusseys\AppData\Roaming\50589760-8184-4ca2-bbaa-cd8f71321bd1.jpg
    c:\users\IdHusseys\AppData\Roaming\7cc09f13-c726-4ba4-ab0c-6ee1c1ae3041.jpg
    c:\users\IdHusseys\AppData\Roaming\867ace52-bbbd-4d66-8b80-6fc6a75e6d09.jpg
    c:\users\IdHusseys\AppData\Roaming\af283af5-d03c-4303-aae4-e645209e6e1a.jpg
    c:\users\IdHusseys\AppData\Roaming\b3b29eab-1fe4-4a5c-91de-7d4947a97ded.jpg
    c:\users\IdHusseys\AppData\Roaming\cead7579-067e-42bf-b761-630e82ccc47f.jpg
    c:\users\IdHusseys\AppData\Roaming\d410ac74-5aad-4b67-8e1b-99eb43872416.jpg
    c:\users\IdHusseys\AppData\Roaming\df262f7d-e504-4498-9a99-65424493037f.jpg
    c:\users\IdHusseys\AppData\Roaming\fd9b4e5b-1383-4f1b-9646-bad6d0ea8428.jpg
    c:\users\IdHusseys\AppData\Roaming\Mozilla\Firefox\Profiles\d1hd1tuj.default\searchplugins\bing-zugo.xml
    c:\users\IdHusseys\AppData\Roaming\ubot
    c:\users\IdHusseys\g2mdlhlpx.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-04 to 2012-09-04 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-04 06:02 . 2012-09-04 06:02 -------- d-----w- c:\users\Public\AppData\Local\temp
    2012-09-04 06:02 . 2012-09-04 06:02 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-09-04 06:02 . 2012-09-04 06:02 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2012-09-01 12:26 . 2012-09-01 12:26 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-09-01 07:27 . 2010-05-21 20:13 6851408 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{75EE6CA2-C53E-4E4F-BADA-3E07FA354116}\mpengine.dll
    2012-09-01 00:19 . 2012-09-01 00:19 93 ----a-w- c:\users\IdHusseys\AppData\Roaming\netstat.bat
    2012-08-29 23:41 . 2012-08-29 23:41 47496 ----a-w- c:\windows\SysWow64\sbbd.exe
    2012-08-28 06:50 . 2012-08-28 06:50 -------- d-----w- c:\program files (x86)\Common Files\Java
    2012-08-27 01:25 . 2012-08-28 03:34 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-08-26 19:26 . 2012-08-26 19:26 86816 ----a-w- c:\windows\system32\drivers\sbwtis.sys
    2012-08-24 05:34 . 2012-08-24 05:34 14790243 ----a-w- c:\program files (x86)\SERPAttacks_Video.exe
    2012-08-24 05:22 . 2012-09-01 00:51 -------- d-----w- c:\program files (x86)\Market Samurai
    2012-08-24 05:22 . 2012-09-01 00:25 -------- d-----w- c:\program files (x86)\Common Files\Adobe AIR
    2012-08-24 03:32 . 2012-08-24 03:38 135933721 ----a-w- c:\program files (x86)\Apache_OpenOffice_incubating_3.4.1_Win_x86_install_en-US.exe
    2012-08-22 09:05 . 2012-08-22 09:05 73416 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-08-22 09:05 . 2012-08-22 09:05 696520 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-08-22 08:08 . 2012-09-01 00:51 -------- d-----w- C:\lynx_w32
    2012-08-20 22:28 . 2012-08-22 06:27 -------- d--h--w- c:\users\IdHusseys\AppData\Local\ElevatedDiagnostics
    2012-08-15 18:28 . 2012-05-05 08:36 503808 ----a-w- c:\windows\system32\srcore.dll
    2012-08-15 18:28 . 2012-05-05 07:46 43008 ----a-w- c:\windows\SysWow64\srclient.dll
    2012-08-15 18:28 . 2012-02-11 06:43 751104 ----a-w- c:\windows\system32\win32spl.dll
    2012-08-15 18:28 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe
    2012-08-15 18:28 . 2012-02-11 05:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
    2012-08-15 18:28 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe
    2012-08-15 18:28 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll
    2012-08-15 18:28 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll
    2012-08-15 18:28 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll
    2012-08-15 18:28 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll
    2012-08-15 18:28 . 2012-07-18 18:15 3148800 ----a-w- c:\windows\system32\win32k.sys
    2012-08-15 18:28 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll
    2012-08-14 22:24 . 2012-08-23 21:23 15428440 ----a-w- c:\program files (x86)\AdobeAIRInstaller.exe
    2012-08-11 21:18 . 2012-08-23 00:56 -------- d--h--w- c:\users\IdHusseys\AppData\Roaming\Microsys
    2012-08-11 21:17 . 2012-09-01 00:33 -------- d-----w- c:\program files\Microsys
    2012-08-09 21:04 . 2012-08-09 21:04 -------- d--h--w- c:\users\IdHusseys\temp
    2012-08-09 20:55 . 1997-06-06 21:52 11264 ----a-w- c:\windows\SysWow64\SPORDER.DLL
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-29 23:41 . 2010-04-17 16:15 47496 ----a-w- c:\windows\system32\sbbd.exe
    2012-08-28 03:34 . 2011-10-22 00:50 916456 ----a-w- c:\windows\system32\deployJava1.dll
    2012-08-24 09:02 . 2012-06-18 01:22 821736 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
    2012-08-24 09:02 . 2010-04-16 04:03 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-08-16 19:07 . 2010-04-11 22:46 62134624 ----a-w- c:\windows\system32\MRT.exe
    2012-08-01 20:36 . 2012-08-01 20:36 82872 ----a-w- c:\windows\system32\drivers\sbapifs.sys
    2012-06-09 05:43 . 2012-07-10 18:02 14172672 ----a-w- c:\windows\system32\shell32.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 94208 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 94208 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 94208 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 94208 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-03-19 2363392]
    "Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-02-15 17145992]
    "MP3 Skype Recorder"="c:\program files (x86)\MP3 Skype Recorder\MP3 Skype Recorder.exe" [2011-11-18 1975296]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-08-05 98304]
    "WirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2010-03-23 500792]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
    "HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
    "SBAMTray"="c:\program files (x86)\GFI Software\VIPRE\SBAMTray.exe" [2012-08-29 3149704]
    .
    c:\users\IdHusseys\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
    OpenOffice.org 3.4.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2012-8-13 1199104]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-08-07 113120]
    R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-06-24 216576]
    R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-05-10 51712]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-17 1255736]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [2009-03-02 89600]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-05 203264]
    S2 SBAMSvc;VIPRE Antivirus;c:\program files (x86)\GFI Software\VIPRE\SBAMSvc.exe [2012-08-29 3677000]
    S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [2012-08-01 82872]
    S2 SBPIMSvc;SB Recovery Service;c:\program files (x86)\GFI Software\VIPRE\SBPIMSvc.exe [2012-08-29 175496]
    S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-07-29 52584]
    S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-04-13 45432]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-05-23 215040]
    S3 sbwtis;sbwtis;c:\windows\system32\DRIVERS\sbwtis.sys [2012-08-26 86816]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2009-03-09 36408]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-03-19 17:15 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3455346300-1148100813-3106168065-1000Core.job
    - c:\users\IdHusseys\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-25 10:18]
    .
    2012-09-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3455346300-1148100813-3106168065-1000UA.job
    - c:\users\IdHusseys\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-25 10:18]
    .
    2012-08-12 c:\windows\Tasks\HPCeeScheduleForIdHusseys.job
    - c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 11:22]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 97792 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 97792 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 97792 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-12-05 19:17 97792 ----a-w- c:\users\IdHusseys\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-07-22 450048]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 2399632]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-04-13 1860496]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office12\EXCEL.EXE/3000
    IE: LastPass - file://c:\users\IdHusseys\AppData\LocalLow\LastPass\context.html?cmd=lastpass
    IE: LastPass Fill Forms - file://c:\users\IdHusseys\AppData\LocalLow\LastPass\context.html?cmd=fillforms
    TCP: DhcpNameServer = 24.116.2.50 24.116.2.34
    FF - ProfilePath - c:\users\IdHusseys\AppData\Roaming\Mozilla\Firefox\Profiles\d1hd1tuj.default\
    FF - prefs.js: browser.startup.homepage - about:home
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&q=
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-WinLiveSuite - c:\program files (x86)\Windows Live\Installer\wlarp.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10e.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10e.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker3"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
    .
    **************************************************************************
    .
    Completion time: 2012-09-04 01:10:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-09-04 07:09
    .
    Pre-Run: 160,869,343,232 bytes free
    Post-Run: 160,759,435,264 bytes free
    .
    - - End Of File - - 9C622B88A26383E89A9730C23EDF1EA8
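Most of the log above is benign (Windows Update files under system32, the Dropbox overlay handlers, the Flash COM registrations), and the items a removal helper actually reads by eye are the "Files Created" lines and the policy dump. The following is an added example, not ComboFix's code and not anything posted in this thread: a parser for those two line formats that applies a few triage checks. The heuristics (a script or executable under a user profile or ProgramData, a hidden folder under a user profile, an executable dropped straight into the Program Files root, and `EnableLUA` set to 0, which means UAC is switched off) are assumptions chosen for this example. They produce review candidates, not verdicts: on the excerpt below, taken from the log above, it flags `netstat.bat` in `AppData\Roaming` and `SERPAttacks_Video.exe`, but it also flags `ElevatedDiagnostics`, which is a hidden folder that Windows' own troubleshooting wizards create and that an analyst would dismiss on sight.

```python
"""Triage the 'Files Created' and REGEDIT4 policy lines of a ComboFix log.
Added example for this thread; heuristics are the author's assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Excerpt of the ComboFix log posted above. The lone '.' line is ComboFix's
# section filler and the parser has to tolerate it.
SAMPLE_LOG = r"""
2012-09-01 00:19 . 2012-09-01 00:19 93 ----a-w- c:\users\IdHusseys\AppData\Roaming\netstat.bat
2012-08-24 05:34 . 2012-08-24 05:34 14790243 ----a-w- c:\program files (x86)\SERPAttacks_Video.exe
2012-08-20 22:28 . 2012-08-22 06:27 -------- d--h--w- c:\users\IdHusseys\AppData\Local\ElevatedDiagnostics
2012-08-15 18:28 . 2012-07-18 18:15 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-08-09 21:04 . 2012-08-09 21:04 -------- d--h--w- c:\users\IdHusseys\temp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"""

# created . modified size attrs path   (size is '--------' for directories)
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$")
# "Name"= 0 (0x0)  as ComboFix prints policy values
POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"= (?P<value>\d+) \(0x[0-9a-f]+\)$')

EXEC_EXT = (".exe", ".dll", ".sys", ".bat", ".cmd", ".vbs", ".js", ".scr", ".ps1")
USER_WRITABLE = ("\\users\\", "\\programdata\\")          # assumption: locations any user can write
PROGRAM_FILES_ROOT = re.compile(r"c:\\program files( \(x86\))?\\[^\\]+")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]
    attrs: str       # ComboFix attribute string, e.g. 'd--h--w-' (d=dir, h=hidden)
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs


def parse_files(text: str) -> List[Entry]:
    """Return every 'Files Created' line as an Entry; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def triage(entry: Entry) -> List[str]:
    """Reasons an entry deserves a second look; empty list means nothing notable."""
    reasons = []
    p = entry.path.lower()
    if entry.hidden and "\\users\\" in p:
        reasons.append("hidden item under a user profile")
    if not entry.is_dir and p.endswith(EXEC_EXT):
        if any(marker in p for marker in USER_WRITABLE):
            reasons.append("executable or script in a user-writable location")
        if PROGRAM_FILES_ROOT.fullmatch(p):
            reasons.append("executable dropped directly in the Program Files root")
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """(path, reasons) for every flagged entry, in log order."""
    return [(e.path, r) for e in parse_files(text) if (r := triage(e))]


def weak_policies(text: str) -> List[str]:
    """Flag UAC policy values that remove the admin/user boundary."""
    findings = []
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m and m["name"] == "EnableLUA" and m["value"] == "0":
            findings.append("EnableLUA=0: UAC is disabled, admin-token processes run without prompts")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for path, reasons in triage_log(text):
        print(path, "->", "; ".join(reasons))
    for finding in weak_policies(text):
        print(finding)
```

Run it against a saved copy of the full log (`python triage.py ComboFix.txt`) to narrow the 35 "Files Created" lines to the handful worth asking about; the Windows Update files in system32, whose modified date is older than their created date because they are copied from a package, are not flagged.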
  2. CanHazTrojanz? TechSpot Enthusiast Posts: 106

    Broni -

    I can't connect to the internet on the infected PC. It states:

    Problem with wireless adapter or access point
    "Wireless Network Connection" doesn't have a valid IP configuration

    You mentioned to restart the PC if it can't connect to the internet after Combofix, but it won't reconnect.
  3. Broni Malware Annihilator Posts: 39,288   +175

    Combofix created restore point yesterday.
    Use it and see if it'll bring back internet connection.
  4. CanHazTrojanz? TechSpot Enthusiast Posts: 106

    OK will do that. Then what is the next step? I noticed a lot of hidden files still.
  5. CanHazTrojanz? TechSpot Enthusiast Posts: 106

    When I go to "Computer > System and Security > Find a Restore point (or whatever it says) > Open System Restore (however it's worded)"

    The last restore point is when I noticed the File Recovery rogue infection on August 31st. How do I access the Combofix restore?
  6. Broni Malware Annihilator Posts: 39,288   +175

    Hmm...we're getting really close to being stuck.
    The main obstacle is your lack of a CD/DVD drive because I'm afraid that with this type of infection we'll have to access your computer from an external source using FRST.
    We can easily create a Windows 7 DVD to access System Recovery Options and then run FRST.
    Surely without an optical drive we can't do this.
    I suspect your MBR may be infected as well.

    I think at this point getting an optical drive is crucial.
  7. CanHazTrojanz? TechSpot Enthusiast Posts: 106

    OK will do tomorrow, everything's closed right now. Can I do that from an external hard drive?
  8. Broni Malware Annihilator Posts: 39,288   +175

  9. CanHazTrojanz? TechSpot Enthusiast Posts: 106

    OK great! I'll get on that. Please don't close the thread, I'm doing this first thing, and I know you have other things to attend to, but I'm not earning anything with my clients until this gets solved. So for me it's critical to get it fixed. Thanks for hanging in there with me.
  10. CanHazTrojanz? TechSpot Enthusiast Posts: 106

    I'm looking at the titles of your pinned topics at smartestcomputing.us.com and I'm not sure to which one you're referring? (Sorry, I'm trying to follow - you mentioned making a Windows 7 DVD, there are several threads that seem to relate to the topic, and I'm not familiar with most of the jargon.)
  11. CanHazTrojanz? TechSpot Enthusiast Posts: 106

  12. Broni Malware Annihilator Posts: 39,288   +175

  13. CanHazTrojanz? TechSpot Enthusiast Posts: 106

    So I have an external optical drive with blank DVDs to burn to. The tutorial linked above at your site had an updated version of the Windows 7 ISO at:

    http://www.mydigitallife.info/windo...links-ultimate-professional-and-home-premium/

    It's an ISO image file, I downloaded it and burned it to the CDROM/DVD. Is that right so far? There was no point at which there were 3 files as the tutorial pointed out, just the one ISO file. Now going to the tutorial I'm confused:

    Did I just basically skip down to step 8 where you have the single file for Windows? I'm confused because there's no executable file, etc.
  14. CanHazTrojanz? TechSpot Enthusiast Posts: 106

    Broni -

    I went ahead and connected the USB drive with the FRST program on it and the DVD drive with the Windows 7 ISO as I mentioned above, but when I tried to click on the Windows 7 ISO I was told there was an error with the process (something to the effect of "Runtime error C++", and it's an error I recognize from the virus...).

    Also, the file on the DVD is apparently a zipped file, so the error happened when I tried to open that zipped file. What I did was to take the DVD and then extract the files (on an uninfected PC) onto the DVD...and I'm not sure if this is the right move or if I'm getting off track here.

    The DVD now lists:

    Folders:
    boot
    efi
    sources

    autorun (Setup Information)
    bootmgr (File)
    bootmgr.efi (EFI File)
    setup (Application)
    X15-65733.iso (ISO File)

    So before I make things any worse, I just want to be sure I didn't mess the DVD up at this point, or if I need to re-download the Windows 7 as a single ISO file as I did before and just leave it zipped?
  15. CanHazTrojanz? TechSpot Enthusiast Posts: 106

    Broni -

    Your tutorial starts with:

    "For many people who order Windows 7 through online store such as Digital River, the download of Windows 7 ESD installation files is not in a single ISO image format, but as electronic digital distribution files."

    I didn't order Windows 7 through a store, I have it on my PC already...so the rest of the tutorial doesn't really apply except the part about downloading the Windows 7 ISO directly, so that's what I did, and I have Windows 7 Premium Edition so I don't need to download the oscdimg file as you noted.

    When I went back to your former instructions of using the thumb drive with FRST and starting off in system recovery, the DVD doesn't auto-play. I hit "restart" with the thumb drive and the DVD drive hooked up, and it simply starts normally. Please tell me what I missed. It's getting on a week and I need to get back to work.
  16. CanHazTrojanz? TechSpot Enthusiast Posts: 106

    Just an update - I'm getting a Windows 7 DVD from my brother, he's had similar problems. Hopefully that works, we have the same OS I believe. Will let you know how it goes.
  17. CanHazTrojanz? TechSpot Enthusiast Posts: 106

    Was having a difficult time because I couldn't get the Windows 7 disc to boot at startup, so on my machine (HP Compaq CQ61-420US) I had to follow the tutorial here:

    http://h10025.www1.hp.com/ewfrf/wc/document?cc=us&lc=en&docname=c01867418#N696

    Basically hitting "Esc" at restart > Select Boot Device > External DVD Drive

    Your instructions were to:

    If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.

    That part about "check your BIOS settings" was where I was getting stuck, as there was no tutorial on it (and I've never heard of a BIOS). So the above link helped me, apparently it's different per manufacturer.

    New Problem:

    I got to the part about Repair Your Computer > Select Operating System and once I did, the following error message appeared:

    System Recovery Options

    This version of System Recovery Options is not compatible with the version of Windows you are trying to repair. Try using a recovery disc that is compatible with this version of Windows.
    I'm using a Windows 7 Home Premium disc, it's 64 bit just exactly like I have...
  18. Broni Malware Annihilator Posts: 39,288   +175

    I found this on MS page:
  19. CanHazTrojanz? TechSpot Enthusiast Posts: 106

    Thanks, that helped. I got so far as the CMD line, found the flash drive letter and did as asked. Then this error message appeared:
    This version of I:\FRST64.exe is not compatible with the version of Windows you're running. Check your computer's system information to see whether you need a x86 (32-bit) or x64 (64-bit) version of the program, and then contact the software publisher.
    But here again, I have the 64-bit version of FRST from the link you gave, and a 64-bit OS along with a 64-bit disc...I'll try redownloading the FRST program again.
  20. CanHazTrojanz? TechSpot Enthusiast Posts: 106

    Broni -

    Stupid question here - I was just informed the recovery disc of Windows 7 I've been using IS a 32-bit...but my machine is 64-bit...so my silly question is would it be best for me to simply buy the 64 bit Windows 7 and proceed? Or download the FRST 32 bit version and run that?

    Basically I'd like to keep the 64 bit OS when all is said and done, and I'm not sure if that's possible if I run the 32-bit disc at this point.
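The "not compatible with the version of Windows you're running" message in post 19 is what a 32-bit Windows environment reports when asked to run an x64 image. What executes FRST64.exe at that point is the WinRE on the recovery disc, not the 64-bit Windows installed on the hard drive, so a 32-bit disc can only run the 32-bit FRST; the installed OS stays untouched either way. The following is an added example, not FRST's or ComboFix's code and not from any post in this thread: it reads the Machine field of a PE file's COFF header to tell x86 from x64 before booting, and encodes the one rule that matters here (64-bit Windows runs x86 images through WOW64; 32-bit Windows cannot run x64 images at all). `minimal_pe()` builds a constructed header for the test and is not a loadable executable.

```python
"""Tell whether a PE image is x86 or x64 and whether a given Windows host
(or WinRE environment) can run it.  Added example; not part of FRST."""
import io
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINE_NAMES = {
    0x014C: "x86 (32-bit)",
    0x8664: "x64 (64-bit)",
    0x01C4: "ARM (Thumb-2)",
    0xAA64: "ARM64",
}


def pe_machine(fp) -> str:
    """Read the Machine field from a binary file object positioned at offset 0."""
    dos = fp.read(0x40)
    if len(dos) < 0x40 or dos[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]    # offset of "PE\0\0"
    fp.seek(e_lfanew)
    coff = fp.read(6)                                     # signature + Machine
    if coff[:4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine = struct.unpack_from("<H", coff, 4)[0]
    return MACHINE_NAMES.get(machine, f"unknown (0x{machine:04X})")


def pe_machine_of_bytes(data: bytes) -> str:
    return pe_machine(io.BytesIO(data))


def pe_machine_of_file(path: str) -> str:
    with open(path, "rb") as f:
        return pe_machine(f)


def can_run(machine: str, host_is_64bit: bool) -> bool:
    """64-bit Windows runs x86 images via WOW64; 32-bit Windows, including the
    WinRE on a 32-bit install disc, cannot load an x64 image."""
    if machine.startswith("x86"):
        return True
    if machine.startswith("x64"):
        return host_is_64bit
    return False


def minimal_pe(machine: int) -> bytes:
    """Constructed stand-in: DOS header plus a COFF header with the given
    Machine value.  Enough for the parser, not a runnable program."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)                 # 0x40 bytes
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> right after the stub
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + coff


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        m = pe_machine_of_file(path)
        print(f"{path}: {m}; runs on 32-bit WinRE: {can_run(m, host_is_64bit=False)}")
```

Checking `I:\FRST64.exe` and `I:\FRST.exe` with this from any working machine tells you, before rebooting, which one the recovery environment on the disc can actually execute; the bitness of the installed OS does not enter into it.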