[Inactive] Hard drive cluster is partly corrupted. Malware?

Bobbye · Feb 2, 2012

I have 5 email feedback notifications from you- all from within a few hours. All except the Combofix log are short sentences that could have all been put on 1 post. Please use the Edit feature in the future.
------------------------------------------
How did you get Combofix to run? If you read my guidelines posted you would have seen:

If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.

And per Combofix instructions:

2. Before you run the Combofix scan, please disable any security software you have running.

and again

[*].Close/disable all anti virus and anti malware programs
(If you need help with this, please see HERE)

Your Combofix heading:

AV: avast! Antivirus *Enabled/Updated*
SP: avast! Antivirus *Enabled/Updated*

There are reasons we ask you to do this.
==================================
This is a 'new' occasion: Please uninstall TDSSKiller if you already have it on the system. Then download from the link I left, follow the directions, and post the log. If you have a problem, let me know what it is.
==================================
Please run this Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
Code:
File::
DDS::
uURLSearchHooks: H - No File
uURLSearchHooks: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\prxtbDVDV.dll
mURLSearchHooks: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\prxtbDVDV.dll
mURLSearchHooks: H - No File
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll
BHO: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\prxtbDVDV.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\prxtbDVDV.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
BHO-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll
BHO-X64: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\prxtbDVDV.dll
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB-X64: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\prxtbDVDV.dll
TB-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}].
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{872b5b88-9db5-4310-bdd0-ac189557e5f5}"=-
"{30F9B915-B755-4826-820B-08FBA6BD249D}"=-
[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

Clearjavacache::
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
====================
Please update the following:
Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.
Adobe Reader:> Current is vX(10.xx)> Adobe Reader Update
Java:> Current is v6u30> Java Updates .
Uninstall any earlier versions in of both as they are vulnerabilities for the system.
=====================
Please uninstall the following:
Conduit Engine
DVD Video Soft Toolbar
Uninstall them in the Programs section. Then use Windows Explorer (Win key + E) tro access Computer> Local Drive (usually C)> Programs> find the program folder for each the right click> Delete on each.
========================
Please give me an update on how the system is doing.

easty26977 · Feb 3, 2012

CF Script Combofix Log

ComboFix 12-02-02.01 - Dawn McGuire 03/02/2012 12:10:08.4.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3893.2027 [GMT 0:00]
Running from: c:\users\Dawn McGuire\Desktop\ComboFix.exe
Command switches used :: c:\users\Dawn McGuire\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\ConduitEngine\prxConduitEngine.dll
c:\program files (x86)\DVDVideoSoftTB\prxtbDVDV.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-01-03 to 2012-02-03 )))))))))))))))))))))))))))))))
.
.
2012-02-03 12:58 . 2012-02-03 12:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-02 09:24 . 2011-11-28 17:53 304472 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-02-02 09:24 . 2011-11-28 17:51 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-02-02 09:23 . 2011-11-28 17:52 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-02-02 09:23 . 2011-11-28 17:52 58712 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-02-02 09:23 . 2011-11-28 17:54 591192 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-02-02 09:23 . 2011-11-28 18:01 256960 ----a-w- c:\windows\system32\aswBoot.exe
2012-02-02 09:23 . 2011-11-28 17:52 66904 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-02-02 09:22 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2012-02-02 09:22 . 2011-11-28 18:01 199816 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-02-02 09:22 . 2012-02-02 09:22 -------- d-----w- c:\programdata\AVAST Software
2012-02-02 09:22 . 2012-02-02 09:22 -------- d-----w- c:\program files\AVAST Software
2012-01-31 16:33 . 2012-01-31 16:33 -------- d-----w- c:\users\Dawn McGuire\AppData\Roaming\Malwarebytes
2012-01-31 16:33 . 2012-01-31 16:33 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-01-31 16:33 . 2012-01-31 16:33 -------- d-----w- c:\programdata\Malwarebytes
2012-01-11 18:39 . 2011-10-26 04:28 1328640 ----a-w- c:\windows\SysWow64\quartz.dll
2012-01-11 18:39 . 2011-10-26 05:33 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 18:39 . 2011-10-26 05:22 1572864 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 18:39 . 2011-10-26 04:33 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-01-11 18:39 . 2011-11-17 07:14 1739160 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 18:39 . 2011-11-17 05:41 1292592 ----a-w- c:\windows\SysWow64\ntdll.dll
2012-01-11 18:38 . 2011-11-19 15:07 77312 ----a-w- c:\windows\system32\packager.dll
2012-01-11 18:38 . 2011-11-19 14:06 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-01-10 17:14 . 2011-11-30 02:21 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7FA66A1C-81FC-4C95-A61E-602B27608E2A}\mpengine.dll
2012-01-06 00:06 . 2012-01-06 00:06 -------- d-----w- c:\users\Dawn McGuire\AppData\Local\Diagnostics
2012-01-06 00:04 . 2011-11-15 14:29 270720 ------w- c:\windows\system32\MpSigStub.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-03 23:04 . 2012-01-03 23:10 10752 ----a-w- c:\windows\system32\E_GCINST.DLL
2012-01-03 23:04 . 2012-01-03 23:10 88064 ----a-w- c:\windows\system32\E_IBCBGCE.DLL
2012-01-03 23:04 . 2012-01-03 23:10 118784 ----a-w- c:\windows\system32\E_ILMGCE.DLL
2011-11-24 05:00 . 2011-12-17 23:33 3141632 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-02_12.40.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:54 . 2012-02-03 13:02 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-02-02 12:40 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-02-02 12:40 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-02-03 13:02 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-02-02 12:40 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-02-03 13:02 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-11-21 04:42 . 2012-02-02 16:04 57650 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-02-02 16:04 36874 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-07-10 18:52 . 2012-02-02 16:04 17258 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-866497572-3271223047-4075824328-1001_UserData.bin
- 2011-07-10 21:11 . 2012-02-02 12:37 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-07-10 21:11 . 2012-02-03 13:01 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-01-29 16:15 . 2012-02-03 13:03 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2012-01-29 16:15 . 2012-02-02 12:39 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2012-01-29 16:15 . 2012-02-03 13:03 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
- 2012-01-29 16:15 . 2012-02-02 12:39 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
- 2012-01-29 16:15 . 2012-02-02 12:39 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
+ 2012-01-29 16:15 . 2012-02-03 13:03 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
+ 2011-07-10 21:11 . 2012-02-03 13:03 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-07-10 21:11 . 2012-02-02 12:39 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-07-10 21:11 . 2012-02-03 13:01 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-07-10 21:11 . 2012-02-02 12:37 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-07-10 18:55 . 2012-02-02 12:39 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-07-10 18:55 . 2012-02-03 13:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-07-10 18:55 . 2012-02-03 13:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-07-10 18:55 . 2012-02-02 12:39 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-02-02 12:37 . 2012-02-02 12:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-03 13:01 . 2012-02-03 13:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-03 13:01 . 2012-02-03 13:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-02-02 12:37 . 2012-02-02 12:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-07-10 21:07 . 2012-02-03 12:57 230204 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 02:36 . 2012-02-03 11:37 628808 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-02-02 11:52 628808 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-02-02 11:52 110960 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-02-03 11:37 110960 c:\windows\system32\perfc009.dat
+ 2009-07-14 05:01 . 2012-02-03 12:59 392256 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-02-02 12:36 392256 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-01-16 20:07 1811296 ----a-w- c:\program files (x86)\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll" [2012-01-16 1811296]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-11 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2010-08-20 487562]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-01-16 939872]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"ROC_roc_dec12"="c:\program files (x86)\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-16 928096]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-11 559616]
.
c:\users\Dawn McGuire\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG10\avgchsva.exe /sync\0c:\progra~2\AVG\AVG10\avgrsa.exe /sync /restart\0aswBoot.exe /A:* /L:1033 /KBD:2 /wow /dir:C:\Program
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-11 136176]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-11 136176]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms [2010-07-31 25072]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [2012-01-03 166400]
S2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2012-01-03 128512]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-08-18 1692480]
S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-06-01 2337144]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-07-01 2533400]
S2 vToolbarUpdater;vToolbarUpdater;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe [2012-01-16 909152]
S3 BcmVWL;Broadcom Virtual Wireless;c:\windows\system32\DRIVERS\bcmvwl64.sys [x]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-11 18:47]
.
2012-02-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-11 18:47]
.
2011-07-10 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-08-06 12:47]
.
2012-02-02 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-08-06 12:47]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-04-14 10144288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-29 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-29 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-29 415256]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.co.uk/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: Free YouTube to MP3 Converter - c:\users\Dawn McGuire\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
TCP: DhcpNameServer = 192.168.1.254
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\10.0.6\ViProtocol.dll
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1]
@="131473"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
c:\program files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
c:\program files (x86)\TeamViewer\Version6\TeamViewer.exe
c:\program files (x86)\Common Files\Java\Java Update\jusched.exe
.
**************************************************************************
.
Completion time: 2012-02-03 13:26:41 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-03 13:26
ComboFix2.txt 2012-02-02 15:39
.
Pre-Run: 254,653,149,184 bytes free
Post-Run: 254,670,036,992 bytes free
.
- - End Of File - - C4964B6B1DF12FA798ED94AF0B099C36

System appears to be doing a lot better, all of the original problems and errors seem to have gone and it has pretty much returned to its original state.

Thanks Dave

Bobbye · Feb 5, 2012

A question: I noticed the following entries in Combofix. I couldn't find either an English site or a safe site to identify them, nor could I find any related entries. Will you please check these files? You should be able to do a right click> Properties to get some info:

2012-01-03 23:10 10752 ----a-w- c:\windows\system32\E_GCINST.DLL
2012-01-03 23:04 . 2012-01-03 23:10 88064 ----a-w- c:\windows\system32\E_IBCBGCE.DLL
2012-01-03 23:04 . 2012-01-03 23:10 118784 ----a-w- c:\windows\system32\E_ILMGCE.DL

I recommend you stop these Scheduled Tasks:

2011-07-10 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-08-06 12:47]
.
2012-02-02 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-08-06 12:47]

Dell has kindly set them for you- neither is necessary: But stopping them is optional
Opening scheduled tasks to modify or delete them:
Access Scheduled Tasks with Click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.

To delete a task> right-click the task> click Delete.
[o]c:\windows\Tasks\PCDoctorBackgroundMonitorTask
[o]c:\windows\Tasks\SystemToolsDailyTest

Both were pre-set through Dell Support.
======================================
Did you plan to do this?

This is a 'new' occasion: Please uninstall TDSSKiller if you already have it on the system. Then download from the link I left, follow the directions, and post the log. If you have a problem, let me know what it is.

======================================
I don't see that I've had you do an online virus scan, so please do this now:
To run the Eset Online Virus Scan:
If you use Internet Explorer:

Open the ESETOnlineScan

Skip to #4 to "Continue with the directions"

If you are using a browser other than Internet Explorer

Open Eset Smart Installer
[o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
[o] Double click on the desktop icon to run.
[o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window

Continue with the directions.

Check 'Yes I accept terms of use.'

Click Start button

Accept any security warnings from your browser.

Uncheck 'Remove found threats'

Check 'Scan archives/

Leave remaining settings as is.

Press the Start button.

ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.

When the scan completes, press List of found threats

Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.

Push the Back button, then Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
=====================================
If either of the following remains an issue for you, this should help:
Correct Display Changes if needed:

If the desktop background is black or if the theme has been removed:

Click on Start> Control Panel> Appearance & Personalization

Select Change Theme or Change Desktop Background

=====================================
Some items may not show on the Start menu. To add them back:

Right click on Start> Properties

Taskbar and Start Menu Properties screen appears

choose Start Menu tab> Click on Customize

For Windows XP> Choose Advanced tab

Check the items you want back on the Start Menu

When finished> click on OK> Apply and close.

easty26977 · Feb 7, 2012

Update

dll files that you mentioned are all related to Seiko Epson Corporation and seem to Bi Directional Support for my printer ? I could be wrong ?

I have deleted the scheduled tasks that you recommended.

The Eset scan returned no infected files and did not generate a report.

The TDSS Killer will still not run ! I have tried uninstalling it and re-installing it from the link you have given and this will still not run. It merely pops up the egg timer when you double click and then nothing else ? Any Help ?

Bobbye · Feb 7, 2012

Please note: I will be Offline on Wednesday, 2/8 and Thursday, 2/9. When I return on Friday, 2/10, I will pick up the oldest threads first.

easty26977 · Feb 8, 2012

Hi,

I seem to be having problems with my Internet Explorer.

I am randomly being redirected to different sites that i have never visited before ?

Any Help ?

Bobbye · Feb 11, 2012

Catching up! Thanks for your patience.

Did the Display, Startup and Desktop problems get resolved?
====================================
The redirect you describe>> this is a new problem isn't it? Is it just IE? When you do a search, then choose one of the sites, are you being redirected to a different site?

Please download MBRCheck and save to your desktop

Double click on MBRCheck.exeto run.(Vista and Windows 7 users will have to confirm the UAC prompt)

It will show a Black screen with some information that will contain either the below line if no problem is found:
[o] Done! Press ENTER to exit...

Or you will see more information like below if a problem is found:
[o] Found non-standard or infected MBR.
[o] Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.

MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.

Paste this log to your next message.

=========================================
Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the the Perform Full Scan option is selected and then click on the Scan button.
When scan has finished, you will see this image:

Click on OK to close box and continue.

Click on the Show Results button.

Click on the Remove Selected button to remove all the listed malware.

At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.

-------------------------
Note: if you have a problem updating and running Malwarebytes again, please uninstall it, then reinstall new to run the scan.

Please leave log for MBR Check and Mbam Full Scan in next reply.

TechSpot

[Inactive] Hard drive cluster is partly corrupted. Malware?

Bobbye Helper on the Fringe

easty26977 Newcomer, in training

Bobbye Helper on the Fringe

easty26977 Newcomer, in training

Bobbye Helper on the Fringe

easty26977 Newcomer, in training

Bobbye Helper on the Fringe