TechSpot

Live Security Platinum + sirefef.y + sirefef.x

By SignoreJoe
Aug 3, 2012
  1. Hello all,

    I have a similar problem from the looks of it on this forum, from a hard try at a removal of Live Security Platinum. Long story short, I changed the name of the files that it had planted on the computer using the advice of others and deleted such files and for the most part, it worked. But it was a crude and dirty removal. I uninstalled-reinstalled my copy of MSE to find the following trojans: Sirefef.y/Sirefef.x. After detecting the trojan, I get a notification that my computer has encountered a critical error and is shutting down in 60 seconds. Using the CMD to perform "shutdown -a" does absolutely nothing. This happens in all modes and is not nearly enough time for me to do anything about this problem properly, or to install software such as Malwarebytes, other than trying to mess around with my MSconfig in safe mode which hasn't given me any avail.

    I am new to these forums and I am in dire need of a solution to this issue. I see many coders giving out fixlist, but I am completely new here so I'm not sure how I should go about this.

    I have a working USB disk drive, so this is a start.

    Specs: HP Laptop Pavilion dx4
    Windows Vista Home Edition x64

    Where should I start? I can follow instructions thoroughly and hope I can fix these problems.
     
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    Download Farbar Recovery Scan Tool and save it to a flash drive.


    Depending on your type of system, you will have to select 32-bit or 64-bit accordingly. How do I tell?

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
    • Press Scan button.
    • Type exit and reboot the computer normally.
    • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.
     
  3. SignoreJoe

    SignoreJoe TS Rookie Topic Starter Posts: 21

    Hello! Thank you for your patience with me, clear instruction, courtesy, and last but not least, the quick reply :)

    Posted will be the log that the FRST64.exe has recovered:
    Scan result of Farbar Recovery Scan Tool Version: 04-08-2012
    Ran by SYSTEM at 03-08-2012 20:21:24
    Running from F:\
    Windows Vista (TM) Home Premium Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
    HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [442368 2009-06-03] (IDT, Inc.)
    HKLM\...\Run: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [914224 2008-11-18] (Hewlett-Packard)
    HKLM\...\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe [246784 2008-03-31] (Alps Electric Co., Ltd.)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
    HKLM-x32\...\Run: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter" [210216 2008-11-26] (CyberLink Corp.)
    HKLM-x32\...\Run: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam" [218408 2008-11-14] (CyberLink Corp.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)
    HKLM-x32\...\Run: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start [323640 2009-11-24] ( Hewlett-Packard Development Company, L.P.)
    HKLM-x32\...\Run: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe" [202024 2009-05-11] (CyberLink Corp.)
    HKLM-x32\...\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75008 2008-10-09] (Hewlett-Packard)
    HKLM-x32\...\Run: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [1148200 2008-11-28] (CyberLink Corp.)
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
    HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Default\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [x]
    HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Default User\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [x]
    HKU\Joe Rapp\...\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent [1242448 2011-09-24] (Valve Corporation)
    HKU\Joe Rapp\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
    HKU\Joe Rapp\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
    HKU\Joe Rapp\...\Run: [Google Update] "C:\Users\Joe Rapp\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-01-12] (Google Inc.)
    HKU\Joe Rapp\...\Run: [Akamai NetSession Interface] "C:\Users\Joe Rapp\AppData\Local\Akamai\netsession_win.exe" [4327744 2012-05-26] (Akamai Technologies, Inc)
    Tcpip\Parameters: [DhcpNameServer] 208.59.247.45 208.59.247.46

    ==================== Services (Whitelisted) ======

    2 Akamai; C:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll [4419392 2012-07-10] (Akamai Technologies, Inc)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
    4 Recovery Service for Windows; C:\Program Files (x86)\SMINST\BLService.exe [365952 2008-12-02] ()
    4 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_6ef279c8\STacSV64.exe [239104 2009-06-03] (IDT, Inc.)
    4 TVCapSvc; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe" [296320 2008-11-26] ()
    4 TVSched; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe" [116096 2008-11-26] ()
    4 Viewpoint Manager Service; "C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe" [24652 2007-01-04] (Viewpoint Corporation)

    ========================== Drivers (Whitelisted) =============

    1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [270912 2011-08-18] (DT Soft Ltd)
    3 hamachi; C:\Windows\System32\Drivers\hamachi.sys [21832 2010-08-31] (LogMeIn, Inc.)
    2 {55662437-DA8C-40c0-AADA-2C816A897A49}; \??\C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [146928 2008-11-28] (CyberLink Corp.)
    4 eabfiltr; [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\ENG64.SYS [x]
    3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\EX64.SYS [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
    1 SRTSP; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSP64.SYS [x]
    1 SRTSPX; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSPX64.SYS [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-03 20:20 - 2012-08-03 20:20 - 00000000 ____D C:\FRST
    2012-08-02 17:21 - 2012-08-02 17:21 - 00266144 ____A C:\Windows\Minidump\Mini080212-01.dmp
    2012-08-02 17:20 - 2012-08-02 17:56 - 289041449 ____A C:\Windows\MEMORY.DMP
    2012-08-02 12:21 - 2012-08-02 12:21 - 09827016 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
    2012-08-02 12:17 - 2012-08-02 12:18 - 00000726 ____A C:\Users\Joe Rapp\Desktop\shutdown.exe.lnk
    2012-08-02 04:53 - 2012-08-02 05:00 - 00384512 ____A (Microsoft Corporation) C:\services.exe
    2012-08-01 19:43 - 2012-08-01 19:44 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-08-01 19:43 - 2012-08-01 19:43 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-08-01 04:15 - 2012-08-01 04:15 - 00000000 ____D C:\Windows\pss
    2012-08-01 03:22 - 2012-08-01 03:22 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-07-31 19:09 - 2012-08-01 11:09 - 00000000 ____D C:\Users\All Users\Application Data\0C1D1A01E0DC8EA1FE0241162F3B707C
    2012-07-31 19:09 - 2012-08-01 11:09 - 00000000 ____D C:\Users\All Users\0C1D1A01E0DC8EA1FE0241162F3B707C
    2012-07-31 19:09 - 2012-07-31 19:09 - 00450048 ____A (Andrew Zhezherun) C:\Users\Joe Rapp\Application Data\ntshcs.dll
    2012-07-31 19:09 - 2012-07-31 19:09 - 00450048 ____A (Andrew Zhezherun) C:\Users\Joe Rapp\AppData\Roaming\ntshcs.dll
    2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Local Settings\Application Data\{41F71C6E-DB86-11E1-8270-B8AC6F996F26}
    2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Local Settings\Application Data\{41F6EAF3-DB86-11E1-8270-B8AC6F996F26}
    2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Local Settings\{41F71C6E-DB86-11E1-8270-B8AC6F996F26}
    2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Local Settings\{41F6EAF3-DB86-11E1-8270-B8AC6F996F26}
    2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Application Data\TeamViewer
    2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Application Data\Sun
    2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\TeamViewer
    2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\Sun
    2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\AppData\Local\{41F71C6E-DB86-11E1-8270-B8AC6F996F26}
    2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\AppData\Local\{41F6EAF3-DB86-11E1-8270-B8AC6F996F26}
    2012-07-31 19:07 - 2012-07-31 19:08 - 00000000 ____D C:\Users\Joe Rapp\Application Data\Pefeoq
    2012-07-31 19:07 - 2012-07-31 19:08 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\Pefeoq
    2012-07-31 19:07 - 2012-07-31 19:07 - 00128512 __ASH (Crytek) C:\Users\Joe Rapp\Application Data\apshux.dll
    2012-07-31 19:07 - 2012-07-31 19:07 - 00128512 __ASH (Crytek) C:\Users\Joe Rapp\AppData\Roaming\apshux.dll
    2012-07-31 19:07 - 2012-07-31 19:07 - 00000000 ____D C:\Users\Joe Rapp\Application Data\Opymbo
    2012-07-31 19:07 - 2012-07-31 19:07 - 00000000 ____D C:\Users\Joe Rapp\Application Data\Adedn
    2012-07-31 19:07 - 2012-07-31 19:07 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\Opymbo
    2012-07-31 19:07 - 2012-07-31 19:07 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\Adedn
    2012-07-25 21:11 - 2012-07-25 21:11 - 00010404 ____A C:\Users\Joe Rapp\Desktop\Untitled 1.ods
    2012-07-15 14:40 - 2012-07-16 08:56 - 00023638 ____A C:\Users\Joe Rapp\My Documents\Untitled 1.odt
    2012-07-15 14:40 - 2012-07-16 08:56 - 00023638 ____A C:\Users\Joe Rapp\Documents\Untitled 1.odt
    2012-07-10 20:30 - 2012-07-10 20:30 - 00000000 ____D C:\Users\Joe Rapp\Desktop\GAI Logos
    2012-07-10 20:29 - 2012-07-23 11:17 - 00000000 ____D C:\Users\Joe Rapp\Desktop\Customer 1
    2012-07-10 20:29 - 2012-07-18 06:45 - 00000000 ____D C:\Users\Joe Rapp\Desktop\Machine Mayhem
    2012-07-10 18:19 - 2012-07-10 18:18 - 00017896 ____A C:\paola.ttf
    2012-07-05 16:00 - 2012-07-23 08:46 - 00000000 ____D C:\Users\Joe Rapp\Application Data\Ventrilo
    2012-07-05 16:00 - 2012-07-23 08:46 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\Ventrilo
    2012-07-05 15:59 - 2012-07-05 15:59 - 00000752 ____A C:\Users\Joe Rapp\Desktop\Ventrilo.lnk
    2012-07-05 15:59 - 2012-07-05 15:59 - 00000262 ____A C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
    2012-07-05 15:59 - 2012-07-05 15:59 - 00000000 ____D C:\Program Files\Ventrilo
    2012-07-04 06:34 - 2012-07-04 06:34 - 00000528 ____A C:\Users\Joe Rapp\Desktop\Rules.txt

    ============ 3 Months Modified Files ========================

    2012-08-03 02:53 - 2009-09-23 23:56 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-08-03 02:51 - 2011-07-09 17:50 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-08-03 02:51 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-03 02:51 - 2006-11-02 07:22 - 00003344 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-03 02:51 - 2006-11-02 07:22 - 00003344 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-02 17:56 - 2012-08-02 17:20 - 289041449 ____A C:\Windows\MEMORY.DMP
    2012-08-02 17:21 - 2012-08-02 17:21 - 00266144 ____A C:\Windows\Minidump\Mini080212-01.dmp
    2012-08-02 12:21 - 2012-08-02 12:21 - 09827016 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
    2012-08-02 12:20 - 2012-04-10 08:14 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-02 12:18 - 2012-08-02 12:17 - 00000726 ____A C:\Users\Joe Rapp\Desktop\shutdown.exe.lnk
    2012-08-02 05:00 - 2012-08-02 04:53 - 00384512 ____A (Microsoft Corporation) C:\services.exe
    2012-08-01 19:44 - 2011-01-31 12:27 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-01 19:44 - 2009-06-12 14:02 - 00129288 ____A C:\Users\Joe Rapp\Local Settings\GDIPFONTCACHEV1.DAT
    2012-08-01 19:44 - 2009-06-12 14:02 - 00129288 ____A C:\Users\Joe Rapp\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2012-08-01 19:44 - 2009-06-12 14:02 - 00129288 ____A C:\Users\Joe Rapp\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-08-01 19:43 - 2011-01-31 12:26 - 00709162 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-08-01 19:39 - 2011-07-09 17:50 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-08-01 19:39 - 2011-01-12 16:23 - 00000920 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2448708025-4140109235-615150339-1000UA.job
    2012-08-01 11:59 - 2006-11-02 07:42 - 00032564 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-08-01 11:59 - 2006-11-02 07:21 - 05048416 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-08-01 11:58 - 2009-03-07 00:41 - 00000012 ____A C:\Windows\bthservsdp.dat
    2012-07-31 19:09 - 2012-07-31 19:09 - 00450048 ____A (Andrew Zhezherun) C:\Users\Joe Rapp\Application Data\ntshcs.dll
    2012-07-31 19:09 - 2012-07-31 19:09 - 00450048 ____A (Andrew Zhezherun) C:\Users\Joe Rapp\AppData\Roaming\ntshcs.dll
    2012-07-31 19:07 - 2012-07-31 19:07 - 00128512 __ASH (Crytek) C:\Users\Joe Rapp\Application Data\apshux.dll
    2012-07-31 19:07 - 2012-07-31 19:07 - 00128512 __ASH (Crytek) C:\Users\Joe Rapp\AppData\Roaming\apshux.dll
    2012-07-31 07:39 - 2011-01-12 16:23 - 00000868 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2448708025-4140109235-615150339-1000Core.job
    2012-07-29 19:44 - 2012-01-21 10:45 - 00000346 ____A C:\Windows\Tasks\HPCeeScheduleForJoe Rapp.job
    2012-07-28 17:00 - 2009-06-13 09:19 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
    2012-07-27 07:04 - 2012-04-10 08:14 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-07-27 07:04 - 2011-08-30 13:45 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-07-25 21:11 - 2012-07-25 21:11 - 00010404 ____A C:\Users\Joe Rapp\Desktop\Untitled 1.ods
    2012-07-20 03:39 - 2009-06-15 10:10 - 00146432 ____A C:\Users\Joe Rapp\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-07-20 03:39 - 2009-06-15 10:10 - 00146432 ____A C:\Users\Joe Rapp\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-07-20 03:39 - 2009-06-15 10:10 - 00146432 ____A C:\Users\Joe Rapp\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-07-16 08:56 - 2012-07-15 14:40 - 00023638 ____A C:\Users\Joe Rapp\My Documents\Untitled 1.odt
    2012-07-16 08:56 - 2012-07-15 14:40 - 00023638 ____A C:\Users\Joe Rapp\Documents\Untitled 1.odt
    2012-07-15 16:16 - 2009-06-13 08:24 - 00007052 ____A C:\Users\Joe Rapp\Local Settings\d3d9caps.dat
    2012-07-15 16:16 - 2009-06-13 08:24 - 00007052 ____A C:\Users\Joe Rapp\Local Settings\Application Data\d3d9caps.dat
    2012-07-15 16:16 - 2009-06-13 08:24 - 00007052 ____A C:\Users\Joe Rapp\AppData\Local\d3d9caps.dat
    2012-07-10 18:18 - 2012-07-10 18:19 - 00017896 ____A C:\paola.ttf
    2012-07-05 15:59 - 2012-07-05 15:59 - 00000752 ____A C:\Users\Joe Rapp\Desktop\Ventrilo.lnk
    2012-07-05 15:59 - 2012-07-05 15:59 - 00000262 ____A C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
    2012-07-04 06:34 - 2012-07-04 06:34 - 00000528 ____A C:\Users\Joe Rapp\Desktop\Rules.txt
    2012-06-29 07:02 - 2012-06-29 07:02 - 00368820 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI0320.txt
    2012-06-29 07:02 - 2012-06-29 07:02 - 00368820 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI0320.txt
    2012-06-29 07:02 - 2012-06-29 07:02 - 00368820 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI0320.txt
    2012-06-29 07:02 - 2012-06-29 07:02 - 00011418 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI0320.txt
    2012-06-29 07:02 - 2012-06-29 07:02 - 00011418 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI0320.txt
    2012-06-29 07:02 - 2012-06-29 07:02 - 00011418 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI0320.txt
    2012-06-29 07:00 - 2012-06-29 07:00 - 00370702 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI0126.txt
    2012-06-29 07:00 - 2012-06-29 07:00 - 00370702 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI0126.txt
    2012-06-29 07:00 - 2012-06-29 07:00 - 00370702 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI0126.txt
    2012-06-29 07:00 - 2012-06-29 07:00 - 00011386 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI0126.txt
    2012-06-29 07:00 - 2012-06-29 07:00 - 00011386 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI0126.txt
    2012-06-29 07:00 - 2012-06-29 07:00 - 00011386 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI0126.txt
    2012-06-29 03:04 - 2010-08-13 19:36 - 00466456 ____A (Creative Labs) C:\Windows\System32\wrap_oal.dll
    2012-06-29 03:04 - 2010-08-13 19:36 - 00444952 ____A (Creative Labs) C:\Windows\SysWOW64\wrap_oal.dll
    2012-06-29 03:04 - 2010-08-13 19:36 - 00122904 ____A (Portions (C) Creative Labs Inc. and NVIDIA Corp.) C:\Windows\System32\OpenAL32.dll
    2012-06-29 03:04 - 2010-08-13 19:36 - 00109080 ____A (Portions (C) Creative Labs Inc. and NVIDIA Corp.) C:\Windows\SysWOW64\OpenAL32.dll
    2012-06-25 11:40 - 2012-06-25 11:40 - 00000902 ____A C:\Users\Public\Desktop\Adobe Download Assistant.lnk
    2012-06-25 11:40 - 2012-06-25 11:40 - 00000902 ____A C:\Users\All Users\Desktop\Adobe Download Assistant.lnk
    2012-06-23 14:33 - 2006-11-02 04:33 - 67895296 ____A C:\Windows\System32\config\software_previous
    2012-06-23 14:33 - 2006-11-02 04:33 - 56623104 ____A C:\Windows\System32\config\components_previous
    2012-06-23 14:33 - 2006-11-02 04:33 - 23855104 ____A C:\Windows\System32\config\system_previous
    2012-06-23 14:33 - 2006-11-02 04:33 - 00262144 ____A C:\Windows\System32\config\security_previous
    2012-06-23 14:33 - 2006-11-02 04:33 - 00262144 ____A C:\Windows\System32\config\sam_previous
    2012-06-23 14:33 - 2006-11-02 04:33 - 00262144 ____A C:\Windows\System32\config\default_previous
    2012-06-23 09:22 - 2012-06-23 09:22 - 00369184 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI1902.txt
    2012-06-23 09:22 - 2012-06-23 09:22 - 00369184 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI1902.txt
    2012-06-23 09:22 - 2012-06-23 09:22 - 00369184 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI1902.txt
    2012-06-23 09:22 - 2012-06-23 09:22 - 00011434 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI1902.txt
    2012-06-23 09:22 - 2012-06-23 09:22 - 00011434 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI1902.txt
    2012-06-23 09:22 - 2012-06-23 09:22 - 00011434 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI1902.txt
    2012-06-23 09:20 - 2012-06-23 09:20 - 00370318 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI1766.txt
    2012-06-23 09:20 - 2012-06-23 09:20 - 00370318 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI1766.txt
    2012-06-23 09:20 - 2012-06-23 09:20 - 00370318 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI1766.txt
    2012-06-23 09:20 - 2012-06-23 09:20 - 00011370 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI1766.txt
    2012-06-23 09:20 - 2012-06-23 09:20 - 00011370 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI1766.txt
    2012-06-23 09:20 - 2012-06-23 09:20 - 00011370 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI1766.txt
    2012-06-20 09:22 - 2012-06-20 09:22 - 00000770 ____A C:\Users\Public\Desktop\CCleaner.lnk
    2012-06-20 09:22 - 2012-06-20 09:22 - 00000770 ____A C:\Users\All Users\Desktop\CCleaner.lnk
    2012-06-15 07:33 - 2012-06-15 07:32 - 06877439 ____A C:\Users\Joe Rapp\ROBLOX.zip
    2012-06-11 10:48 - 2012-06-11 10:48 - 00001684 ____A C:\Users\Joe Rapp\Desktop\HydraIRC.lnk
    2012-06-11 10:05 - 2012-06-11 10:05 - 00001702 ____A C:\Users\Joe Rapp\DesktopGods and Idols.lnk
    2012-06-02 14:19 - 2012-06-23 14:47 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-23 14:47 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-23 14:47 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
    2012-06-02 14:19 - 2012-06-23 14:47 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-23 14:47 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-23 14:47 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:19 - 2012-06-23 14:47 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
    2012-06-02 14:15 - 2012-06-23 14:47 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-23 14:47 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 14:12 - 2012-06-23 14:47 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
    2012-06-02 11:19 - 2012-06-23 14:46 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 11:19 - 2012-06-23 14:46 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2012-06-02 11:15 - 2012-06-23 14:46 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 11:12 - 2012-06-23 14:46 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
    2012-05-31 02:41 - 2012-05-30 18:57 - 00118905 ____A C:\Users\Joe Rapp\PaperDraft.odt
    2012-05-22 16:58 - 2012-05-22 16:57 - 00369912 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI318B.txt
    2012-05-22 16:58 - 2012-05-22 16:57 - 00369912 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI318B.txt
    2012-05-22 16:58 - 2012-05-22 16:57 - 00369912 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI318B.txt
    2012-05-22 16:58 - 2012-05-22 16:57 - 00011466 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI318B.txt
    2012-05-22 16:58 - 2012-05-22 16:57 - 00011466 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI318B.txt
    2012-05-22 16:58 - 2012-05-22 16:57 - 00011466 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI318B.txt
    2012-05-22 16:56 - 2012-05-22 16:56 - 00373006 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI3041.txt
    2012-05-22 16:56 - 2012-05-22 16:56 - 00373006 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI3041.txt
    2012-05-22 16:56 - 2012-05-22 16:56 - 00373006 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI3041.txt
    2012-05-22 16:56 - 2012-05-22 16:56 - 00011482 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI3041.txt
    2012-05-22 16:56 - 2012-05-22 16:56 - 00011482 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI3041.txt
    2012-05-22 16:56 - 2012-05-22 16:56 - 00011482 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI3041.txt
    2012-05-22 11:25 - 2012-05-22 11:25 - 02500792 ____A C:\Users\Joe Rapp\Downloads\AdobeDownloadAssistant.exe
    2012-05-19 19:16 - 2012-05-19 19:15 - 00438054 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI3051.txt
    2012-05-19 19:16 - 2012-05-19 19:15 - 00438054 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI3051.txt
    2012-05-19 19:16 - 2012-05-19 19:15 - 00438054 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI3051.txt
    2012-05-19 19:16 - 2012-05-19 19:15 - 00013988 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI3051.txt
    2012-05-19 19:16 - 2012-05-19 19:15 - 00013988 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI3051.txt
    2012-05-19 19:16 - 2012-05-19 19:15 - 00013988 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI3051.txt
    2012-05-12 13:16 - 2006-11-02 04:46 - 00694396 ____A C:\Windows\System32\PerfStringBackup.INI


    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe BC81150939BD52DBC7A08C245F1FB229 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 17%
    Total physical RAM: 3836.89 MB
    Available physical RAM: 3178.53 MB
    Total Pagefile: 3523.62 MB
    Available Pagefile: 3162.99 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:219.77 GB) (Free:43.2 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (RECOVERY) (Fixed) (Total:13.11 GB) (Free:2.03 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    3 Drive e: (SC4DELUXE2) (CDROM) (Total:0.63 GB) (Free:0 GB) CDFS
    4 Drive f: (FD) (Removable) (Total:1.89 GB) (Free:0.49 GB) FAT32
    5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 233 GB 1024 KB
    Disk 1 Online 1936 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 220 GB 1024 KB
    Partition 2 Primary 13 GB 220 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 220 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D RECOVERY NTFS Partition 13 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 1936 MB 16 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0C
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F FD FAT32 Removable 1936 MB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-08-01 12:59

    ======================= End Of Log ==========================

    Thanks for your help so far :D
     
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    You're welcome. :)

    Additional FRST Scan

    Once again, please boot to the System Recovery Options and run FRST, as done previously.

    Type the following text in the blank box after Search:

    services.exe

    Click: Search file(s)


    When done searching, FRST makes a log, Search.txt, on the C:\ drive.

    Please provide the Search.txt in your reply.
     
  5. SignoreJoe

    SignoreJoe TS Rookie Topic Starter Posts: 21

    Hello again!

    Is there something the matter with my Services.exe file? I heard the virus can corrupt it.

    Below is the search.txt that has been created. Thanks again for reviewing!

    Farbar Recovery Scan Tool Version: 04-08-2012
    Ran by SYSTEM at 2012-08-04 11:35:57
    Running from F:\

    ================== Search: "services.exe" ===================

    C:\services.exe
    [2012-08-02 04:53] - [2012-08-02 05:00] - 0384512 ____A (Microsoft Corporation) BC81150939BD52DBC7A08C245F1FB229

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
    [2009-09-23 23:56] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
    [2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
    [2009-09-23 23:56] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
    [2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

    C:\Windows\SysWOW64\services.exe
    [2009-09-23 23:56] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    C:\Windows\System32\services.exe
    [2009-09-23 23:56] - [2012-08-03 02:53] - 0384512 ____A (Microsoft Corporation) BC81150939BD52DBC7A08C245F1FB229

    ====== End Of Search ======
     
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    It is indeed corrupted. Now, time to fix it!

    FRST64 Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Now restart, let it boot normally and tell me how it went.
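    The check the helper makes in this reply, written out as an added example that is not part of the thread and not FRST's own code: it parses the Search.txt format shown above and flags any copy of services.exe whose MD5 matches none of the winsxs component-store copies, that sits outside the expected directories, or that was modified after every reference copy. The sample input is constructed from the values in the Search.txt posted above; the regex and directory list are assumptions about the log format, not FRST documentation.

```python
"""Flag suspicious copies of services.exe in an FRST Search.txt log.

Added example, not code from the thread, from FRST or from its author. The
copies in the winsxs component store are the reference binaries, so a
services.exe whose MD5 matches none of them, that sits outside
System32/SysWOW64/winsxs, or that was modified after every reference copy
is a candidate for replacement, not a file to trust.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed from the Search.txt posted above (same format and values).
SAMPLE_SEARCH_TXT = r"""
C:\services.exe
[2012-08-02 04:53] - [2012-08-02 05:00] - 0384512 ____A (Microsoft Corporation) BC81150939BD52DBC7A08C245F1FB229
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-09-23 23:56] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-09-23 23:56] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719
C:\Windows\SysWOW64\services.exe
[2009-09-23 23:56] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\System32\services.exe
[2009-09-23 23:56] - [2012-08-03 02:53] - 0384512 ____A (Microsoft Corporation) BC81150939BD52DBC7A08C245F1FB229
"""

# Assumed detail-line layout: "[created] - [modified] - size attrs (company) MD5"
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
# Where a legitimate services.exe may live on Vista x64 (assumption).
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


@dataclass
class FileEntry:
    path: str
    created: datetime
    modified: datetime
    size: int
    md5: str

    @property
    def is_reference(self) -> bool:
        # Component-store copies are what the live file should match.
        return "\\winsxs\\" in self.path.lower()


def parse_search_log(text: str) -> list[FileEntry]:
    """Pair each path line with the detail line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    for path, detail in zip(lines, lines[1:]):
        m = DETAIL_RE.match(detail)
        if m and path.lower().endswith("\\services.exe"):
            entries.append(FileEntry(
                path=path,
                created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
                modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
                size=int(m["size"]),
                md5=m["md5"].upper(),
            ))
    return entries


def find_suspicious(entries: list[FileEntry]) -> list[tuple[str, list[str]]]:
    """Return (path, reasons) for every non-reference copy that fails a check."""
    reference = [e for e in entries if e.is_reference]
    known_md5 = {e.md5 for e in reference}
    newest_reference = max((e.modified for e in reference), default=datetime.min)
    findings = []
    for e in entries:
        if e.is_reference:
            continue
        reasons = []
        if e.md5 not in known_md5:
            reasons.append("MD5 matches no component-store copy")
        if not e.path.lower().startswith(EXPECTED_DIRS):
            reasons.append("unexpected location")
        if e.modified > newest_reference:
            reasons.append("modified after every component-store copy")
        if reasons:
            findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in find_suspicious(parse_search_log(SAMPLE_SEARCH_TXT)):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

    On the log above this flags C:\services.exe and C:\Windows\System32\services.exe and leaves the SysWOW64 copy alone, which is the same conclusion the helper reached before replacing System32\services.exe from a winsxs copy.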
     
  7. SignoreJoe

    SignoreJoe TS Rookie Topic Starter Posts: 21

    I am not on a Windows PC, however I have used the Mac program "Text Edit" to paste the information. I had to save as an .rtf, would it be OK if I just changed the file extension to .txt?

    Forget about it, I found a workaround :)
     
  8. SignoreJoe

    SignoreJoe TS Rookie Topic Starter Posts: 21

    Ok, the boot seemed normal, however I haven't had the time to babysit it yet so I will boot it up later and tell you how it looks. So far, I haven't received the 1 minute error, which is good. It still seems to run slowly. I have my PC sound turned off, but that's an issue with MSconfig after I tried to fiddle around with the services/bootups before coming here.

    Posted is the Fixlog:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 04-08-2012
    Ran by SYSTEM at 2012-08-04 12:25:04 Run:1
    Running from F:\

    ==============================================

    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====

    Thanks!
     
  9. SignoreJoe

    SignoreJoe TS Rookie Topic Starter Posts: 21

    Ok, so after rebooting and moving to a new location, the computer ran a CHKDSK it seems on startup, but I didn't see any results. Running a full MSE scan now. Things seem to be working, except my sound device is disabled in MSconfig; I haven't changed anything since I've been told not to xD Will do if I have permission.
    Anything I should do now that I have control of my computer back? Sorry for the consecutive posts, it seems I can't edit them when they're strung out.
     
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
     
  11. SignoreJoe

    SignoreJoe TS Rookie Topic Starter Posts: 21

    Hello DragonMaster. Please bear with me, as I am a bit dazed on some heavy painkillers. I managed to break my arm in a nasty sport accident. I won't be able to write very prompt replies, I apologize.
    The ComboFix seems not to be working, no logs are left. I tried different names to no avail. Maybe it's something wrong on my end.
    I've taken three screenshots of shady activity. I've run a full MSE scan before the ComboFix and found/removed the dozens of Sirefefs the scan found.
    One of the issues is that MSE can't update its dictionaries.
    Another is that I can't view my firewall options.
    The final, even more strange, is that there are several "iexplorer.exe"s running when I look at the task manager...but I use Firefox.

    Screenshots to come when I get some rest. Until then, ciao
     
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    That's okay, and sorry to hear that.

    Please post a new log from FRST when you can.
     
  13. SignoreJoe

    SignoreJoe TS Rookie Topic Starter Posts: 21

    Ok, here are the pictures and the FRST log. My computer is running extremely slow, I had to upload from another.

    Combofix renamed itself after its attempt to work. I also don't recall it disconnecting me from the internet...


    Scan result of Farbar Recovery Scan Tool Version: 04-08-2012
    Ran by SYSTEM at 06-08-2012 11:33:33
    Running from F:\
    Windows Vista (TM) Home Premium Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
    HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [442368 2009-06-03] (IDT, Inc.)
    HKLM\...\Run: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [914224 2008-11-18] (Hewlett-Packard)
    HKLM\...\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe [246784 2008-03-31] (Alps Electric Co., Ltd.)
    HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [x]
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
    HKLM-x32\...\Run: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter" [210216 2008-11-26] (CyberLink Corp.)
    HKLM-x32\...\Run: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam" [218408 2008-11-14] (CyberLink Corp.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)
    HKLM-x32\...\Run: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start [323640 2009-11-24] ( Hewlett-Packard Development Company, L.P.)
    HKLM-x32\...\Run: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe" [202024 2009-05-11] (CyberLink Corp.)
    HKLM-x32\...\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75008 2008-10-09] (Hewlett-Packard)
    HKLM-x32\...\Run: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [1148200 2008-11-28] (CyberLink Corp.)
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
    HKLM-x32\...\Run: [SwitchBoard] "C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [x]
    HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [61440 2008-08-29] (Advanced Micro Devices, Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
    HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
    HKLM-x32\...\Run: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin [x]
    HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [x]
    HKLM-x32\...\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [x]
    HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Default\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [x]
    HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Default User\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [x]
    HKU\Joe Rapp\...\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent [1353080 2012-08-04] (Valve Corporation)
    HKU\Joe Rapp\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
    HKU\Joe Rapp\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
    HKU\Joe Rapp\...\Run: [Google Update] "C:\Users\Joe Rapp\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-01-12] (Google Inc.)
    HKU\Joe Rapp\...\Run: [Akamai NetSession Interface] "C:\Users\Joe Rapp\AppData\Local\Akamai\netsession_win.exe" [4327744 2012-05-26] (Akamai Technologies, Inc)
    HKU\Joe Rapp\...\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED [880496 2012-05-19] (BitTorrent, Inc.)
    HKU\Joe Rapp\...\Run: [Urozaghyp] "C:\Users\Joe Rapp\AppData\Roaming\Opymbo\uxixb.exe" [186880 2010-06-16] ()
    HKU\Joe Rapp\...\Run: [renovator] C:\Users\Joe Rapp\AppData\Roaming\Sun\{0B3CB77C-A41B-4C99-B89A-B4BF948DAB9F}\renovator.exe [383488 2012-07-31] ()
    HKU\Joe Rapp\...\Run: [ntshcs] "C:\Users\Joe Rapp\AppData\Roaming\ntshcs.dll",List_SetSlice [x]
    HKU\Joe Rapp\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [4910912 2011-08-01] (DT Soft Ltd)
    HKU\Joe Rapp\...\Run: [apshux] rundll32.exe "C:\Users\Joe Rapp\AppData\Roaming\apshux.dll",RetrieveColumn [128512 2012-07-31] (Crytek)
    HKU\Joe Rapp\...\Run: [owudtx] "C:\Users\Joe Rapp\AppData\Roaming\owudtx.dll",SetInterrupt [458752 2012-08-05] (Andrew Zhezherun)
    Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
    Startup: C:\Users\Joe Rapp\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
    ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

    ==================== Services (Whitelisted) ======

    2 Akamai; C:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll [4419392 2012-07-10] (Akamai Technologies, Inc)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
    2 Recovery Service for Windows; C:\Program Files (x86)\SMINST\BLService.exe [365952 2008-12-02] ()
    2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_6ef279c8\STacSV64.exe [239104 2009-06-03] (IDT, Inc.)
    2 TVCapSvc; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe" [296320 2008-11-26] ()
    2 TVSched; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe" [116096 2008-11-26] ()
    2 Viewpoint Manager Service; "C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe" [24652 2007-01-04] (Viewpoint Corporation)

    ========================== Drivers (Whitelisted) =============

    1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [270912 2011-08-18] (DT Soft Ltd)
    3 hamachi; C:\Windows\System32\Drivers\hamachi.sys [21832 2010-08-31] (LogMeIn, Inc.)
    2 {55662437-DA8C-40c0-AADA-2C816A897A49}; \??\C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [146928 2008-11-28] (CyberLink Corp.)
    4 eabfiltr; [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\ENG64.SYS [x]
    3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\EX64.SYS [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
    1 SRTSP; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSP64.SYS [x]
    1 SRTSPX; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSPX64.SYS [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-05 18:32 - 2012-08-05 18:32 - 00000398 ____A C:\Windows\PFRO.log
    2012-08-05 17:08 - 2012-08-05 17:08 - 04725168 ____R (Swearware) C:\Users\Joe Rapp\Desktop\explorer.exe
    2012-08-05 16:56 - 2012-08-05 16:57 - 00000000 ____D C:\Qoobox
    2012-08-05 16:51 - 2012-08-05 17:10 - 00000000 ___SD C:\32788R22FWJFW
    2012-08-05 16:51 - 2012-08-05 16:51 - 00000000 ____D C:\Windows\erdnt
    2012-08-05 16:16 - 2012-08-05 16:16 - 00000000 ____D C:\Users\Joe Rapp\Application Data\Help
    2012-08-05 16:16 - 2012-08-05 16:16 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\Help
    2012-08-05 10:04 - 2012-08-05 10:04 - 00458752 ____A (Andrew Zhezherun) C:\Users\Joe Rapp\Application Data\owudtx.dll
    2012-08-05 10:04 - 2012-08-05 10:04 - 00458752 ____A (Andrew Zhezherun) C:\Users\Joe Rapp\AppData\Roaming\owudtx.dll
    2012-08-04 09:35 - 2012-08-05 18:44 - 00044834 ____A C:\Windows\WindowsUpdate.log
    2012-08-03 20:20 - 2012-08-03 20:20 - 00000000 ____D C:\FRST
    2012-08-02 17:21 - 2012-08-02 17:21 - 00266144 ____A C:\Windows\Minidump\Mini080212-01.dmp
    2012-08-02 17:20 - 2012-08-02 17:56 - 289041449 ____A C:\Windows\MEMORY.DMP
    2012-08-02 12:21 - 2012-08-05 10:20 - 09827016 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
    2012-08-02 12:17 - 2012-08-02 12:18 - 00000726 ____A C:\Users\Joe Rapp\Desktop\shutdown.exe.lnk
    2012-08-01 19:43 - 2012-08-01 19:44 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-08-01 19:43 - 2012-08-01 19:43 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-08-01 04:15 - 2012-08-05 10:00 - 00000000 ____D C:\Windows\pss
    2012-08-01 03:22 - 2012-08-01 03:22 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-07-31 19:09 - 2012-08-01 11:09 - 00000000 ____D C:\Users\All Users\Application Data\0C1D1A01E0DC8EA1FE0241162F3B707C
    2012-07-31 19:09 - 2012-08-01 11:09 - 00000000 ____D C:\Users\All Users\0C1D1A01E0DC8EA1FE0241162F3B707C
    2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Local Settings\Application Data\{41F71C6E-DB86-11E1-8270-B8AC6F996F26}
    2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Local Settings\Application Data\{41F6EAF3-DB86-11E1-8270-B8AC6F996F26}
    2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Local Settings\{41F71C6E-DB86-11E1-8270-B8AC6F996F26}
    2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Local Settings\{41F6EAF3-DB86-11E1-8270-B8AC6F996F26}
    2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Application Data\TeamViewer
    2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Application Data\Sun
    2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\TeamViewer
    2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\Sun
    2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\AppData\Local\{41F71C6E-DB86-11E1-8270-B8AC6F996F26}
    2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\AppData\Local\{41F6EAF3-DB86-11E1-8270-B8AC6F996F26}
    2012-07-31 19:07 - 2012-08-05 18:45 - 00000000 ____D C:\Users\Joe Rapp\Application Data\Pefeoq
    2012-07-31 19:07 - 2012-08-05 18:45 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\Pefeoq
    2012-07-31 19:07 - 2012-07-31 19:07 - 00128512 __ASH (Crytek) C:\Users\Joe Rapp\Application Data\apshux.dll
    2012-07-31 19:07 - 2012-07-31 19:07 - 00128512 __ASH (Crytek) C:\Users\Joe Rapp\AppData\Roaming\apshux.dll
    2012-07-31 19:07 - 2012-07-31 19:07 - 00000000 ____D C:\Users\Joe Rapp\Application Data\Opymbo
    2012-07-31 19:07 - 2012-07-31 19:07 - 00000000 ____D C:\Users\Joe Rapp\Application Data\Adedn
    2012-07-31 19:07 - 2012-07-31 19:07 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\Opymbo
    2012-07-31 19:07 - 2012-07-31 19:07 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\Adedn
    2012-07-25 21:11 - 2012-07-25 21:11 - 00010404 ____A C:\Users\Joe Rapp\Desktop\Untitled 1.ods
    2012-07-15 14:40 - 2012-07-16 08:56 - 00023638 ____A C:\Users\Joe Rapp\My Documents\Untitled 1.odt
    2012-07-15 14:40 - 2012-07-16 08:56 - 00023638 ____A C:\Users\Joe Rapp\Documents\Untitled 1.odt
    2012-07-10 20:30 - 2012-07-10 20:30 - 00000000 ____D C:\Users\Joe Rapp\Desktop\GAI Logos
    2012-07-10 20:29 - 2012-07-23 11:17 - 00000000 ____D C:\Users\Joe Rapp\Desktop\Customer 1
    2012-07-10 20:29 - 2012-07-18 06:45 - 00000000 ____D C:\Users\Joe Rapp\Desktop\Machine Mayhem
    2012-07-10 18:19 - 2012-07-10 18:18 - 00017896 ____A C:\paola.ttf

    ============ 3 Months Modified Files ========================

    2012-08-05 18:44 - 2012-08-04 09:35 - 00044834 ____A C:\Windows\WindowsUpdate.log
    2012-08-05 18:39 - 2011-01-12 16:23 - 00000920 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2448708025-4140109235-615150339-1000UA.job
    2012-08-05 18:33 - 2006-11-02 07:22 - 00003344 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-05 18:33 - 2006-11-02 07:22 - 00003344 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-05 18:32 - 2012-08-05 18:32 - 00000398 ____A C:\Windows\PFRO.log
    2012-08-05 18:32 - 2011-07-09 17:50 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-08-05 18:32 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-05 17:08 - 2012-08-05 17:08 - 04725168 ____R (Swearware) C:\Users\Joe Rapp\Desktop\explorer.exe
    2012-08-05 16:20 - 2012-04-10 08:14 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-05 16:14 - 2011-07-09 17:50 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-08-05 16:13 - 2012-04-10 08:14 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-08-05 16:13 - 2011-08-30 13:45 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-08-05 10:20 - 2012-08-02 12:21 - 09827016 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
    2012-08-05 10:04 - 2012-08-05 10:04 - 00458752 ____A (Andrew Zhezherun) C:\Users\Joe Rapp\Application Data\owudtx.dll
    2012-08-05 10:04 - 2012-08-05 10:04 - 00458752 ____A (Andrew Zhezherun) C:\Users\Joe Rapp\AppData\Roaming\owudtx.dll
    2012-08-05 10:00 - 2009-03-07 00:41 - 00000012 ____A C:\Windows\bthservsdp.dat
    2012-08-05 10:00 - 2006-11-02 07:42 - 00032564 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-08-05 07:39 - 2011-01-12 16:23 - 00000868 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2448708025-4140109235-615150339-1000Core.job
    2012-08-02 17:56 - 2012-08-02 17:20 - 289041449 ____A C:\Windows\MEMORY.DMP
    2012-08-02 17:21 - 2012-08-02 17:21 - 00266144 ____A C:\Windows\Minidump\Mini080212-01.dmp
    2012-08-02 12:18 - 2012-08-02 12:17 - 00000726 ____A C:\Users\Joe Rapp\Desktop\shutdown.exe.lnk
    2012-08-01 19:44 - 2011-01-31 12:27 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-01 19:44 - 2009-06-12 14:02 - 00129288 ____A C:\Users\Joe Rapp\Local Settings\GDIPFONTCACHEV1.DAT
    2012-08-01 19:44 - 2009-06-12 14:02 - 00129288 ____A C:\Users\Joe Rapp\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2012-08-01 19:44 - 2009-06-12 14:02 - 00129288 ____A C:\Users\Joe Rapp\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-08-01 19:43 - 2011-01-31 12:26 - 00709162 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-08-01 11:59 - 2006-11-02 07:21 - 05048416 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-31 19:07 - 2012-07-31 19:07 - 00128512 __ASH (Crytek) C:\Users\Joe Rapp\Application Data\apshux.dll
    2012-07-31 19:07 - 2012-07-31 19:07 - 00128512 __ASH (Crytek) C:\Users\Joe Rapp\AppData\Roaming\apshux.dll
    2012-07-29 19:44 - 2012-01-21 10:45 - 00000346 ____A C:\Windows\Tasks\HPCeeScheduleForJoe Rapp.job
    2012-07-28 17:00 - 2009-06-13 09:19 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
    2012-07-25 21:11 - 2012-07-25 21:11 - 00010404 ____A C:\Users\Joe Rapp\Desktop\Untitled 1.ods
    2012-07-20 03:39 - 2009-06-15 10:10 - 00146432 ____A C:\Users\Joe Rapp\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-07-20 03:39 - 2009-06-15 10:10 - 00146432 ____A C:\Users\Joe Rapp\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-07-20 03:39 - 2009-06-15 10:10 - 00146432 ____A C:\Users\Joe Rapp\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-07-16 08:56 - 2012-07-15 14:40 - 00023638 ____A C:\Users\Joe Rapp\My Documents\Untitled 1.odt
    2012-07-16 08:56 - 2012-07-15 14:40 - 00023638 ____A C:\Users\Joe Rapp\Documents\Untitled 1.odt
    2012-07-15 16:16 - 2009-06-13 08:24 - 00007052 ____A C:\Users\Joe Rapp\Local Settings\d3d9caps.dat
    2012-07-15 16:16 - 2009-06-13 08:24 - 00007052 ____A C:\Users\Joe Rapp\Local Settings\Application Data\d3d9caps.dat
    2012-07-15 16:16 - 2009-06-13 08:24 - 00007052 ____A C:\Users\Joe Rapp\AppData\Local\d3d9caps.dat
    2012-07-10 18:18 - 2012-07-10 18:19 - 00017896 ____A C:\paola.ttf
    2012-07-05 15:59 - 2012-07-05 15:59 - 00000752 ____A C:\Users\Joe Rapp\Desktop\Ventrilo.lnk
    2012-07-05 15:59 - 2012-07-05 15:59 - 00000262 ____A C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
    2012-07-04 06:34 - 2012-07-04 06:34 - 00000528 ____A C:\Users\Joe Rapp\Desktop\Rules.txt
    2012-06-29 07:02 - 2012-06-29 07:02 - 00368820 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI0320.txt
    2012-06-29 07:02 - 2012-06-29 07:02 - 00368820 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI0320.txt
    2012-06-29 07:02 - 2012-06-29 07:02 - 00368820 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI0320.txt
    2012-06-29 07:02 - 2012-06-29 07:02 - 00011418 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI0320.txt
    2012-06-29 07:02 - 2012-06-29 07:02 - 00011418 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI0320.txt
    2012-06-29 07:02 - 2012-06-29 07:02 - 00011418 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI0320.txt
    2012-06-29 07:00 - 2012-06-29 07:00 - 00370702 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI0126.txt
    2012-06-29 07:00 - 2012-06-29 07:00 - 00370702 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI0126.txt
    2012-06-29 07:00 - 2012-06-29 07:00 - 00370702 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI0126.txt
    2012-06-29 07:00 - 2012-06-29 07:00 - 00011386 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI0126.txt
    2012-06-29 07:00 - 2012-06-29 07:00 - 00011386 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI0126.txt
    2012-06-29 07:00 - 2012-06-29 07:00 - 00011386 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI0126.txt
    2012-06-29 03:04 - 2010-08-13 19:36 - 00466456 ____A (Creative Labs) C:\Windows\System32\wrap_oal.dll
    2012-06-29 03:04 - 2010-08-13 19:36 - 00444952 ____A (Creative Labs) C:\Windows\SysWOW64\wrap_oal.dll
    2012-06-29 03:04 - 2010-08-13 19:36 - 00122904 ____A (Portions (C) Creative Labs Inc. and NVIDIA Corp.) C:\Windows\System32\OpenAL32.dll
    2012-06-29 03:04 - 2010-08-13 19:36 - 00109080 ____A (Portions (C) Creative Labs Inc. and NVIDIA Corp.) C:\Windows\SysWOW64\OpenAL32.dll
    2012-06-25 11:40 - 2012-06-25 11:40 - 00000902 ____A C:\Users\Public\Desktop\Adobe Download Assistant.lnk
    2012-06-25 11:40 - 2012-06-25 11:40 - 00000902 ____A C:\Users\All Users\Desktop\Adobe Download Assistant.lnk
    2012-06-23 14:33 - 2006-11-02 04:33 - 67895296 ____A C:\Windows\System32\config\software_previous
    2012-06-23 14:33 - 2006-11-02 04:33 - 56623104 ____A C:\Windows\System32\config\components_previous
    2012-06-23 14:33 - 2006-11-02 04:33 - 23855104 ____A C:\Windows\System32\config\system_previous
    2012-06-23 14:33 - 2006-11-02 04:33 - 00262144 ____A C:\Windows\System32\config\security_previous
    2012-06-23 14:33 - 2006-11-02 04:33 - 00262144 ____A C:\Windows\System32\config\sam_previous
    2012-06-23 14:33 - 2006-11-02 04:33 - 00262144 ____A C:\Windows\System32\config\default_previous
    2012-06-23 09:22 - 2012-06-23 09:22 - 00369184 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI1902.txt
    2012-06-23 09:22 - 2012-06-23 09:22 - 00369184 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI1902.txt
    2012-06-23 09:22 - 2012-06-23 09:22 - 00369184 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI1902.txt
    2012-06-23 09:22 - 2012-06-23 09:22 - 00011434 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI1902.txt
    2012-06-23 09:22 - 2012-06-23 09:22 - 00011434 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI1902.txt
    2012-06-23 09:22 - 2012-06-23 09:22 - 00011434 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI1902.txt
    2012-06-23 09:20 - 2012-06-23 09:20 - 00370318 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI1766.txt
    2012-06-23 09:20 - 2012-06-23 09:20 - 00370318 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI1766.txt
    2012-06-23 09:20 - 2012-06-23 09:20 - 00370318 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI1766.txt
    2012-06-23 09:20 - 2012-06-23 09:20 - 00011370 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI1766.txt
    2012-06-23 09:20 - 2012-06-23 09:20 - 00011370 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI1766.txt
    2012-06-23 09:20 - 2012-06-23 09:20 - 00011370 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI1766.txt
    2012-06-20 09:22 - 2012-06-20 09:22 - 00000770 ____A C:\Users\Public\Desktop\CCleaner.lnk
    2012-06-20 09:22 - 2012-06-20 09:22 - 00000770 ____A C:\Users\All Users\Desktop\CCleaner.lnk
    2012-06-15 07:33 - 2012-06-15 07:32 - 06877439 ____A C:\Users\Joe Rapp\ROBLOX.zip
    2012-06-11 10:48 - 2012-06-11 10:48 - 00001684 ____A C:\Users\Joe Rapp\Desktop\HydraIRC.lnk
    2012-06-11 10:05 - 2012-06-11 10:05 - 00001702 ____A C:\Users\Joe Rapp\DesktopGods and Idols.lnk
    2012-06-02 14:19 - 2012-06-23 14:47 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-23 14:47 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-23 14:47 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
    2012-06-02 14:19 - 2012-06-23 14:47 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-23 14:47 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-23 14:47 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:19 - 2012-06-23 14:47 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
    2012-06-02 14:15 - 2012-06-23 14:47 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-23 14:47 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 14:12 - 2012-06-23 14:47 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
    2012-06-02 11:19 - 2012-06-23 14:46 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 11:19 - 2012-06-23 14:46 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2012-06-02 11:15 - 2012-06-23 14:46 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 11:12 - 2012-06-23 14:46 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
    2012-05-31 02:41 - 2012-05-30 18:57 - 00118905 ____A C:\Users\Joe Rapp\PaperDraft.odt
    2012-05-22 16:58 - 2012-05-22 16:57 - 00369912 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI318B.txt
    2012-05-22 16:58 - 2012-05-22 16:57 - 00369912 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI318B.txt
    2012-05-22 16:58 - 2012-05-22 16:57 - 00369912 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI318B.txt
    2012-05-22 16:58 - 2012-05-22 16:57 - 00011466 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI318B.txt
    2012-05-22 16:58 - 2012-05-22 16:57 - 00011466 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI318B.txt
    2012-05-22 16:58 - 2012-05-22 16:57 - 00011466 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI318B.txt
    2012-05-22 16:56 - 2012-05-22 16:56 - 00373006 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI3041.txt
    2012-05-22 16:56 - 2012-05-22 16:56 - 00373006 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI3041.txt
    2012-05-22 16:56 - 2012-05-22 16:56 - 00373006 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI3041.txt
    2012-05-22 16:56 - 2012-05-22 16:56 - 00011482 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI3041.txt
    2012-05-22 16:56 - 2012-05-22 16:56 - 00011482 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI3041.txt
    2012-05-22 16:56 - 2012-05-22 16:56 - 00011482 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI3041.txt
    2012-05-22 11:25 - 2012-05-22 11:25 - 02500792 ____A C:\Users\Joe Rapp\Downloads\AdobeDownloadAssistant.exe
    2012-05-19 19:16 - 2012-05-19 19:15 - 00438054 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI3051.txt
    2012-05-19 19:16 - 2012-05-19 19:15 - 00438054 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI3051.txt
    2012-05-19 19:16 - 2012-05-19 19:15 - 00438054 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI3051.txt
    2012-05-19 19:16 - 2012-05-19 19:15 - 00013988 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI3051.txt
    2012-05-19 19:16 - 2012-05-19 19:15 - 00013988 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI3051.txt
    2012-05-19 19:16 - 2012-05-19 19:15 - 00013988 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI3051.txt
    2012-05-12 13:16 - 2006-11-02 04:46 - 00694396 ____A C:\Windows\System32\PerfStringBackup.INI


    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 17%
    Total physical RAM: 3836.89 MB
    Available physical RAM: 3177.88 MB
    Total Pagefile: 3523.62 MB
    Available Pagefile: 3162.84 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:219.77 GB) (Free:40.13 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (RECOVERY) (Fixed) (Total:13.11 GB) (Free:2.03 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    3 Drive e: (SC4DELUXE2) (CDROM) (Total:0.63 GB) (Free:0 GB) CDFS
    4 Drive f: (FD) (Removable) (Total:1.89 GB) (Free:0.49 GB) FAT32
    5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ###  Status      Size     Free     Dyn  Gpt
    --------  ----------  -------  -------  ---  ---
    Disk 0    Online       233 GB  1024 KB
    Disk 1    Online      1936 MB     0 B

    Partitions of Disk 0:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary            220 GB  1024 KB
    Partition 2    Primary             13 GB   220 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

      Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
      ----------  ---  -----------  -----  ----------  -------  -------  --------
    * Volume 1    C                 NTFS   Partition    220 GB  Healthy

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

      Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
      ----------  ---  -----------  -----  ----------  -------  -------  --------
    * Volume 2    D    RECOVERY     NTFS   Partition     13 GB  Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary           1936 MB    16 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0C
    Hidden: No
    Active: Yes

      Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
      ----------  ---  -----------  -----  ----------  -------  -------  --------
    * Volume 3    F    FD           FAT32  Removable   1936 MB  Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-08-05 18:38

    ======================= End Of Log ==========================

    Thanks!!!
     
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    We'll take care of that...

    FRST64 Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
     
  15. SignoreJoe

    SignoreJoe TS Rookie Topic Starter Posts: 21

    OK, going to boot in a couple minutes.
    Here's the fixlog:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 04-08-2012
    Ran by SYSTEM at 2012-08-06 16:36:44 Run:2
    Running from F:\

    ==============================================

    HKEY_USERS\Joe Rapp\Software\Microsoft\Windows\CurrentVersion\Run\\Urozaghyp Value deleted successfully.
    HKEY_USERS\Joe Rapp\Software\Microsoft\Windows\CurrentVersion\Run\\renovator Value deleted successfully.
    HKEY_USERS\Joe Rapp\Software\Microsoft\Windows\CurrentVersion\Run\\ntshcs Value deleted successfully.
    HKEY_USERS\Joe Rapp\Software\Microsoft\Windows\CurrentVersion\Run\\apshux Value deleted successfully.
    HKEY_USERS\Joe Rapp\Software\Microsoft\Windows\CurrentVersion\Run\\owudtx Value deleted successfully.
    Viewpoint Manager Service service deleted successfully.
    C:\Users\Joe Rapp\Application Data\owudtx.dll moved successfully.
    C:\Users\Joe Rapp\AppData\Roaming\owudtx.dll not found.
    C:\Users\Joe Rapp\AppData\Roaming\apshux.dll moved successfully.
    C:\Users\Joe Rapp\AppData\Roaming\ntshcs.dll not found.
    C:\Users\Joe Rapp\AppData\Roaming\Sun\{0B3CB77C-A41B-4C99-B89A-B4BF948DAB9F}\renovator.exe moved successfully.
    C:\Users\Joe Rapp\AppData\Roaming\Opymbo moved successfully.

    ==== End of Fixlog ====

    Things seem to be smoother. MSE can't update and the firewall is still funny. ComboFix is the next step?
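    The Fixlog above shows the kind of entries a helper pulls out of the FRST file listing by hand: random-named DLLs under AppData\Roaming and Run values pointing at them. The following Python is an added example, not FRST's code and not anything the helper posted: it parses lines in the FRST listing format pasted earlier in this thread and flags review candidates with two defender-side heuristics. The sample lines are constructed from entries in this thread, and the field order (creation time, then last-write time) and the attribute codes are assumptions about the FRST format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One line of an FRST "Files" listing as pasted in this thread, e.g.
#   2012-06-02 14:19 - 2012-06-23 14:47 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
# Assumed layout: <created> - <last write> - <size> <attrs> [(<version-info company>)] <path>
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>\S{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>\S.*?)\s*$"
)

# Extensions that load as code; .txt, .lnk, .odt and the like are skipped by the binary rule.
BINARY_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx")


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str
    company: Optional[str]  # None when FRST printed no version-info company
    path: str


def parse_frst_line(line: str) -> Optional[Entry]:
    """Return an Entry for a well-formed listing line, or None for anything else."""
    m = FRST_LINE.match(line.strip())
    if not m:
        return None
    return Entry(
        created=m["created"],
        modified=m["modified"],
        size=int(m["size"]),
        attrs=m["attrs"],
        company=m["company"] or None,
        path=m["path"],
    )


def triage(entry: Entry) -> List[str]:
    """Reasons an entry deserves a human look; an empty list means no rule fired."""
    reasons: List[str] = []
    low = entry.path.lower()
    parts = low.split("\\")
    name = parts[-1]
    is_binary = name.endswith(BINARY_EXT)
    # Vista keeps per-user data under \Users\<name>\AppData\ (and the legacy
    # \Local Settings\ junction); malware dropped per-user lands there too.
    in_profile = "\\users\\" in low and ("\\appdata\\" in low or "\\local settings\\" in low)

    # Rule 1: Windows itself does not create directories literally named like an
    # environment variable (e.g. %APPDATA%); an unexpanded name on disk comes
    # from a dropper bug or deliberate camouflage, not a normal install.
    if any(p.startswith("%") and p.endswith("%") for p in parts[1:]):
        reasons.append("literal environment-variable name used as a path component")

    # Rule 2: a code file in the user profile with no version-info company.
    # Legitimate per-user installers usually stamp their binaries; the dropped
    # DLLs removed by the Fixlog in this thread would not be.
    if is_binary and in_profile and not entry.company:
        reasons.append("executable in user profile without version-info company")

    return reasons


def triage_listing(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Parse every line, skip non-listing text, return (path, reasons) for flagged entries."""
    flagged: List[Tuple[str, List[str]]] = []
    for line in lines:
        entry = parse_frst_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            flagged.append((entry.path, reasons))
    return flagged


# Constructed sample: the first two lines are copied from the listing in this
# thread; the dropped DLL and the %APPDATA% directory are modelled on entries the
# Fixlog and ComboFix output in this thread mention, with invented sizes.
SAMPLE_LISTING = [
    r"2012-06-02 14:19 - 2012-06-23 14:47 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll",
    r"2012-06-20 09:22 - 2012-06-20 09:22 - 00000770 ____A C:\Users\Public\Desktop\CCleaner.lnk",
    r"2012-08-01 03:07 - 2012-08-01 03:07 - 00049152 ____A C:\Users\Joe Rapp\AppData\Roaming\apshux.dll",
    r"2012-08-01 11:22 - 2012-08-01 11:22 - 00000000 ____D C:\Windows\System32\%APPDATA%",
    "========================= Known DLLs (Whitelisted) ============",
]

if __name__ == "__main__":
    for path, reasons in triage_listing(SAMPLE_LISTING):
        print(path)
        for r in reasons:
            print("   -", r)
```

A flag is a prompt to look, not a verdict: the helper still checks the file against the rest of the log before it goes into a fixlist.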
     
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    We will take care of that stuff. It happens all the time.

    Actually, there is evidence of rogue software, so we're going to use RogueKiller, please:

    • Download RogueKiller and save it on your desktop.
    • Quit all programs
    • Start RogueKiller.exe.
    • Wait until Prescan has finished ...
    • Click on Scan

    • Wait for the end of the scan.
    • The report has been created on the desktop.
    • Click on the Delete button.

    • The report has been created on the desktop.
    • Next click on the ShortcutsFix
    • The report has been created on the desktop.
    Please post:

    All RKreport.txt text files located on your desktop.
     
  17. SignoreJoe

    SignoreJoe TS Rookie Topic Starter Posts: 21

    Done. Here are the 3 reports:

    Report 1:
    RogueKiller V7.6.5 [08/03/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version
    Started in : Normal mode
    User: Joe Rapp [Admin rights]
    Mode: Scan -- Date: 08/07/2012 15:49:40

    ¤¤¤ Bad processes: 0 ¤¤¤

    ¤¤¤ Registry Entries: 4 ¤¤¤
    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver: [NOT LOADED] ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    127.0.0.1 localhost
    ::1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: Hitachi HTS543225L9A300 ATA Device +++++
    --- User ---
    [MBR] 45b10501e7e6151d070f775a69dd1dcf
    [BSP] f4c7988f8bb01accb63c005743f441fe : Toshiba tatooed MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 225045 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 460894208 | Size: 13426 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt


    Report2:

    RogueKiller V7.6.5 [08/03/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version
    Started in : Normal mode
    User: Joe Rapp [Admin rights]
    Mode: Remove -- Date: 08/07/2012 15:52:01

    ¤¤¤ Bad processes: 0 ¤¤¤

    ¤¤¤ Registry Entries: 4 ¤¤¤
    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    [HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    [HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver: [NOT LOADED] ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    127.0.0.1 localhost
    ::1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: Hitachi HTS543225L9A300 ATA Device +++++
    --- User ---
    [MBR] 45b10501e7e6151d070f775a69dd1dcf
    [BSP] f4c7988f8bb01accb63c005743f441fe : Toshiba tatooed MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 225045 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 460894208 | Size: 13426 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[2].txt >>
    RKreport[1].txt ; RKreport[2].txt

    Report3:

    RogueKiller V7.6.5 [08/03/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version
    Started in : Normal mode
    User: Joe Rapp [Admin rights]
    Mode: Shortcuts HJfix -- Date: 08/07/2012 16:01:30

    ¤¤¤ Bad processes: 0 ¤¤¤

    ¤¤¤ Driver: [NOT LOADED] ¤¤¤

    ¤¤¤ File attributes restored: ¤¤¤
    Desktop: Success 1 / Fail 0
    Quick launch: Success 0 / Fail 0
    Programs: Success 33 / Fail 0
    Start menu: Success 1 / Fail 0
    User folder: Success 144 / Fail 0
    My documents: Success 1 / Fail 0
    My favorites: Success 5 / Fail 0
    My pictures: Success 0 / Fail 0
    My music: Success 122 / Fail 0
    My videos: Success 0 / Fail 0
    Local drives: Success 343 / Fail 0
    Backup: [NOT FOUND]

    Drives:
    [C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
    [D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
    [E:] \Device\CdRom0 -- 0x5 --> Skipped
    [F:] \Device\CdRom1 -- 0x5 --> Skipped

    ¤¤¤ Infection : ¤¤¤

    Finished : << RKreport[3].txt >>
    RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

    Thanks again!
     
  18. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    ComboFix

    Please download ComboFix by sUBs from BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to reconnect your machine to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, restart your computer to restore your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method as above, but download it again and this time rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for those on its whitelist of important system processes such as iexplore.exe, explorer.exe and winlogon.exe.
     
  19. SignoreJoe

    SignoreJoe TS Rookie Topic Starter Posts: 21

    Here's the combofix log!

    ComboFix 12-08-07.05 - Joe Rapp 08/08/2012 8:51.1.2 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3837.2206 [GMT -4:00]
    Running from: c:\users\Joe Rapp\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Joe Rapp\AppData\Roaming\Help\coredb\storage
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-08 to 2012-08-08 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-08 13:13 . 2012-08-08 13:13 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{865823A5-1A84-46F5-B68F-5197725D1428}\offreg.dll
    2012-08-08 13:11 . 2012-08-08 13:11 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-08-08 00:35 . 2012-07-16 06:40 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{865823A5-1A84-46F5-B68F-5197725D1428}\mpengine.dll
    2012-08-07 16:34 . 2012-08-07 16:34 -------- d-----w- c:\program files\iPod
    2012-08-07 16:34 . 2012-08-07 16:36 -------- d-----w- c:\program files\iTunes
    2012-08-06 20:56 . 2012-08-06 20:56 476976 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
    2012-08-04 04:20 . 2012-08-04 04:20 -------- d-----w- C:\FRST
    2012-08-02 20:21 . 2012-08-05 18:20 9827016 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
    2012-08-02 03:50 . 2012-02-09 18:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2012-08-02 03:49 . 2012-07-16 06:40 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-08-02 03:43 . 2012-08-02 03:43 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2012-08-02 03:43 . 2012-08-02 03:44 -------- d-----w- c:\program files\Microsoft Security Client
    2012-08-01 11:22 . 2012-08-01 11:22 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-08-01 03:09 . 2012-08-01 03:09 -------- d-----w- c:\users\Joe Rapp\AppData\Roaming\TeamViewer
    2012-08-01 03:09 . 2012-08-01 19:09 -------- d-----w- c:\programdata\0C1D1A01E0DC8EA1FE0241162F3B707C
    2012-08-01 03:09 . 2012-08-01 03:09 -------- d-----w- c:\users\Joe Rapp\AppData\Local\{41F71C6E-DB86-11E1-8270-B8AC6F996F26}
    2012-08-01 03:09 . 2012-08-01 03:09 -------- d-----w- c:\users\Joe Rapp\AppData\Local\{41F6EAF3-DB86-11E1-8270-B8AC6F996F26}
    2012-08-01 03:07 . 2012-08-06 02:45 -------- d-----w- c:\users\Joe Rapp\AppData\Roaming\Pefeoq
    2012-08-01 03:07 . 2012-08-01 03:07 -------- d-----w- c:\users\Joe Rapp\AppData\Roaming\Adedn
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-06 20:56 . 2010-06-10 12:28 472880 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-08-06 00:13 . 2012-04-10 16:14 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-08-06 00:13 . 2011-08-30 21:45 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-29 11:04 . 2010-08-14 03:36 466456 ----a-w- c:\windows\system32\wrap_oal.dll
    2012-06-29 11:04 . 2010-08-14 03:36 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
    2012-06-29 11:04 . 2010-08-14 03:36 122904 ----a-w- c:\windows\system32\OpenAL32.dll
    2012-06-29 11:04 . 2010-08-14 03:36 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
    2012-06-02 22:19 . 2012-06-23 22:47 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-23 22:47 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:19 . 2012-06-23 22:47 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-23 22:47 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-23 22:47 35864 ----a-w- c:\windows\SysWow64\wups.dll
    2012-06-02 22:19 . 2012-06-23 22:47 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-23 22:47 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
    2012-06-02 22:15 . 2012-06-23 22:47 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:15 . 2012-06-23 22:47 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 22:12 . 2012-06-23 22:47 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
    2012-06-02 19:19 . 2012-06-23 22:46 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 19:19 . 2012-06-23 22:46 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
    2012-06-02 19:15 . 2012-06-23 22:46 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-02 19:12 . 2012-06-23 22:46 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2011-10-30 . 66CFDF478939DD6388858DE06F2CE14C . 302080 . . [6.0.6000.16386] .. c:\windows\system32\shsvcs.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files (x86)\Steam\steam.exe" [2012-08-04 1353080]
    "MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
    "Akamai NetSession Interface"="c:\users\Joe Rapp\AppData\Local\Akamai\netsession_win.exe" [2012-05-26 4327744]
    "uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-05-20 880496]
    "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-08-02 4910912]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "UpdatePSTShortCut"="c:\program files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-11-26 210216]
    "UCam_Menu"="c:\program files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
    "WirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]
    "QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-24 323640]
    "TVAgent"="c:\program files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe" [2009-05-12 202024]
    "HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
    "DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2008-11-29 1148200]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
    "HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
    .
    c:\users\Joe Rapp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-27 250056]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-06-09 17:14 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-08 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 15:04]
    .
    2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-10 01:49]
    .
    2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-10 01:49]
    .
    2012-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2448708025-4140109235-615150339-1000Core.job
    - c:\users\Joe Rapp\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-13 00:23]
    .
    2012-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2448708025-4140109235-615150339-1000UA.job
    - c:\users\Joe Rapp\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-13 00:23]
    .
    2012-07-30 c:\windows\Tasks\HPCeeScheduleForJoe Rapp.job
    - c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-03-07 19:34]
    .
    2010-12-16 c:\windows\Tasks\User_Feed_Synchronization-{E1B66EBE-ED5D-44FC-A4E2-B5CBD124692C}.job
    - c:\windows\system32\msfeedssync.exe [2012-02-29 08:04]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
    @="{C5994560-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
    @="{C5994561-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
    @="{C5994562-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
    @="{C5994563-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
    @="{C5994564-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
    @="{C5994565-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
    @="{C5994566-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
    @="{C5994567-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
    @="{C5994568-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-06-04 442368]
    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-03-31 246784]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x1
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2929250
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\Joe Rapp\AppData\Roaming\Mozilla\Firefox\Profiles\zy9j3avr.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2929250&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.startup.homepage - about:home
    FF - prefs.js: keyword.URL - hxxp://serp.freecause.com/?ourmark=3&sid=100275&q=
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{ce7499e7-af3c-4662-ac92-454212345ddb} - (no file)
    Wow6432Node-HKLM-Run-SwitchBoard - c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    Wow6432Node-HKLM-Run-AdobeCS6ServiceManager - c:\program files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe
    Wow6432Node-HKLM-Run-Adobe Acrobat Speed Launcher - c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe
    Wow6432Node-HKLM-Run-Acrobat Assistant 8.0 - c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe
    WebBrowser-{CE7499E7-AF3C-4662-AC92-454212345DDB} - (no file)
    HKLM-Run-SmartMenu - c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
    HKLM-Run-AdobeAAMUpdater-1.0 - c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-Acid-Base Solutions - c:\windows\system32\javaws.exe
    AddRemove-RealHighway Mod - c:\users\Joe Rapp\Documents\SimCity 4\Plugins\Network Addon Mod\Real Highway Mod\uninst.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Akamai]
    "ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
    "ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10a.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
    @SACL=
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10a.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
    @SACL=
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]
    @SACL=
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]
    @SACL=
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]
    @SACL=
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @SACL=
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @SACL=
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]
    @SACL=
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @SACL=
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @SACL=
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @SACL=
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]
    @SACL=
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @SACL=
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
    @SACL=
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @SACL=
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @SACL=
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @SACL=
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @="IFlashBroker2"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid]
    @Denied: (A 2) (Everyone)
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
    @SACL=
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
    @SACL=
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @SACL=
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @SACL=
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @SACL=
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
    c:\program files (x86)\SMINST\BLService.exe
    c:\program files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
    c:\program files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
    c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-08 09:28:06 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-08 13:28
    .
    Pre-Run: 46,386,720,768 bytes free
    Post-Run: 46,338,605,056 bytes free
    .
    - - End Of File - - 0239311E05DB297733B4A722745A18B5
     
  20. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    ComboFix Script

    • Close any open browsers.
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

      [​IMG]
    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
     
  21. SignoreJoe

    SignoreJoe TS Rookie Topic Starter Posts: 21

    Here you are, thanks!

    ComboFix 12-08-07.05 - Joe Rapp 08/09/2012 18:02:48.2.2 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3837.2312 [GMT -4:00]
    Running from: c:\users\Joe Rapp\Desktop\ComboFix.exe
    Command switches used :: c:\users\Joe Rapp\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Joe Rapp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum
    c:\users\Joe Rapp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-09 to 2012-08-09 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-09 22:21 . 2012-08-09 22:21 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-08-09 21:39 . 2012-08-09 21:39 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9BBAD2D4-3ED1-4F45-9BB5-707490528C36}\offreg.dll
    2012-08-08 13:34 . 2012-07-16 06:40 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9BBAD2D4-3ED1-4F45-9BB5-707490528C36}\mpengine.dll
    2012-08-07 16:34 . 2012-08-07 16:34 -------- d-----w- c:\program files\iPod
    2012-08-07 16:34 . 2012-08-07 16:36 -------- d-----w- c:\program files\iTunes
    2012-08-06 20:56 . 2012-08-06 20:56 476976 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
    2012-08-04 04:20 . 2012-08-04 04:20 -------- d-----w- C:\FRST
    2012-08-02 20:21 . 2012-08-05 18:20 9827016 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
    2012-08-02 03:50 . 2012-02-09 18:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2012-08-02 03:49 . 2012-07-16 06:40 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-08-02 03:43 . 2012-08-02 03:43 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2012-08-02 03:43 . 2012-08-02 03:44 -------- d-----w- c:\program files\Microsoft Security Client
    2012-08-01 11:22 . 2012-08-01 11:22 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-08-01 03:09 . 2012-08-01 03:09 -------- d-----w- c:\users\Joe Rapp\AppData\Roaming\TeamViewer
    2012-08-01 03:09 . 2012-08-01 19:09 -------- d-----w- c:\programdata\0C1D1A01E0DC8EA1FE0241162F3B707C
    2012-08-01 03:09 . 2012-08-01 03:09 -------- d-----w- c:\users\Joe Rapp\AppData\Local\{41F71C6E-DB86-11E1-8270-B8AC6F996F26}
    2012-08-01 03:09 . 2012-08-01 03:09 -------- d-----w- c:\users\Joe Rapp\AppData\Local\{41F6EAF3-DB86-11E1-8270-B8AC6F996F26}
    2012-08-01 03:07 . 2012-08-06 02:45 -------- d-----w- c:\users\Joe Rapp\AppData\Roaming\Pefeoq
    2012-08-01 03:07 . 2012-08-01 03:07 -------- d-----w- c:\users\Joe Rapp\AppData\Roaming\Adedn
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-06 20:56 . 2010-06-10 12:28 472880 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-08-06 00:13 . 2012-04-10 16:14 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-08-06 00:13 . 2011-08-30 21:45 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-29 11:04 . 2010-08-14 03:36 466456 ----a-w- c:\windows\system32\wrap_oal.dll
    2012-06-29 11:04 . 2010-08-14 03:36 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
    2012-06-29 11:04 . 2010-08-14 03:36 122904 ----a-w- c:\windows\system32\OpenAL32.dll
    2012-06-29 11:04 . 2010-08-14 03:36 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
    2012-06-02 22:19 . 2012-06-23 22:47 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-23 22:47 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:19 . 2012-06-23 22:47 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-23 22:47 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-23 22:47 35864 ----a-w- c:\windows\SysWow64\wups.dll
    2012-06-02 22:19 . 2012-06-23 22:47 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-23 22:47 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
    2012-06-02 22:15 . 2012-06-23 22:47 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:15 . 2012-06-23 22:47 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 22:12 . 2012-06-23 22:47 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
    2012-06-02 19:19 . 2012-06-23 22:46 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 19:19 . 2012-06-23 22:46 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
    2012-06-02 19:15 . 2012-06-23 22:46 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-02 19:12 . 2012-06-23 22:46 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [7] 2009-07-10 . 9235EC680D3DB17464B39C7C7DECB4DD . 301568 . . [6.0.6001.18287] .. c:\windows\winsxs\amd64_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6001.18287_none_28ff7f1fd585934f\shsvcs.dll
    [7] 2009-07-10 . 3F6101365E6319171054ADD75788516C . 300032 . . [6.0.6000.21081] .. c:\windows\winsxs\amd64_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6000.21081_none_279cb3aaf1823d60\shsvcs.dll
    [7] 2009-07-10 . C2409C9B7C7E422E7680AE4E1738BFC8 . 302080 . . [6.0.6001.22467] .. c:\windows\winsxs\amd64_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6001.22467_none_299ebda8ee92f85e\shsvcs.dll
    [7] 2009-07-10 . F33C4D0B9EEFCDE346F8753DC4D6867F . 299520 . . [6.0.6000.16883] .. c:\windows\winsxs\amd64_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6000.16883_none_27153f51d8629d02\shsvcs.dll
    [7] 2009-07-10 . 00DD742B99B278429714DEE859A73DD0 . 302080 . . [6.0.6002.22169] .. c:\windows\winsxs\amd64_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6002.22169_none_2b873024ebb78030\shsvcs.dll
    [7] 2009-07-10 . 56793271ECDEDD350C5ADD305603E963 . 302080 . . [6.0.6002.18063] .. c:\windows\winsxs\amd64_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6002.18063_none_2af7919dd29f485c\shsvcs.dll
    [7] 2009-04-11 . 2AD15758174DCC7993FF3C00A955DD66 . 301568 . . [6.0.6002.18005] .. c:\windows\winsxs\amd64_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6002.18005_none_2b3a71b9d26cd364\shsvcs.dll
    [7] 2008-01-21 . EB3114330236CF030E8EDF62881BAF67 . 301568 . . [6.0.6001.18000] .. c:\windows\winsxs\amd64_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6001.18000_none_294ef8add54b0818\shsvcs.dll
    [-] 2011-10-30 . 66CFDF478939DD6388858DE06F2CE14C . 302080 . . [6.0.6000.16386] .. c:\windows\system32\shsvcs.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-08-08_13.20.23 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-21 02:23 . 2012-08-08 13:21 62780 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 15:45 . 2012-08-09 21:46 98928 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2009-06-12 21:57 . 2012-08-09 21:46 25024 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2448708025-4140109235-615150339-1000_UserData.bin
    - 2012-08-08 13:12 . 2012-08-08 13:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-08-08 13:12 . 2012-08-09 21:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-08-08 13:12 . 2012-08-09 21:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-08-08 13:12 . 2012-08-08 13:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files (x86)\Steam\steam.exe" [2012-08-04 1353080]
    "MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
    "Akamai NetSession Interface"="c:\users\Joe Rapp\AppData\Local\Akamai\netsession_win.exe" [2012-05-26 4327744]
    "uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-05-20 880496]
    "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-08-02 4910912]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "UpdatePSTShortCut"="c:\program files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-11-26 210216]
    "UCam_Menu"="c:\program files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
    "WirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]
    "QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-24 323640]
    "TVAgent"="c:\program files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe" [2009-05-12 202024]
    "HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
    "DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2008-11-29 1148200]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
    "HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
    .
    c:\users\Joe Rapp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-27 250056]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-06-09 17:14 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-09 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 15:04]
    .
    2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-10 01:49]
    .
    2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-10 01:49]
    .
    2012-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2448708025-4140109235-615150339-1000Core.job
    - c:\users\Joe Rapp\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-13 00:23]
    .
    2012-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2448708025-4140109235-615150339-1000UA.job
    - c:\users\Joe Rapp\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-13 00:23]
    .
    2012-07-30 c:\windows\Tasks\HPCeeScheduleForJoe Rapp.job
    - c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-03-07 19:34]
    .
    2010-12-16 c:\windows\Tasks\User_Feed_Synchronization-{E1B66EBE-ED5D-44FC-A4E2-B5CBD124692C}.job
    - c:\windows\system32\msfeedssync.exe [2012-02-29 08:04]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
    @="{C5994560-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
    @="{C5994561-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
    @="{C5994562-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
    @="{C5994563-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
    @="{C5994564-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
    @="{C5994565-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
    @="{C5994566-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
    @="{C5994567-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
    @="{C5994568-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-06-04 442368]
    "SmartMenu"="c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [BU]
    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-03-31 246784]
    "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [BU]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\Joe Rapp\AppData\Roaming\Mozilla\Firefox\Profiles\zy9j3avr.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2929250&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.startup.homepage - about:home
    FF - prefs.js: keyword.URL - hxxp://serp.freecause.com/?ourmark=3&sid=100275&q=
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Akamai]
    "ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
    "ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10a.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
    @SACL=
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10a.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
    @SACL=
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]
    @SACL=
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]
    @SACL=
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]
    @SACL=
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @SACL=
    @="0"
    .
    Completion time: 2012-08-09 18:27:24
    ComboFix-quarantined-files.txt 2012-08-09 22:27
    ComboFix2.txt 2012-08-08 13:28
    .
    Pre-Run: 46,188,060,672 bytes free
    Post-Run: 46,150,266,880 bytes free
    .
    - - End Of File - - 1952EAE90D79784248D099EFE1A0FA92
     
  22. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and Scan unwanted applications are checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
     
  23. SignoreJoe

    SignoreJoe TS Rookie Topic Starter Posts: 21

    Here you go!

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=7108aa31bd02494cb854bc344db1bbdd
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2012-08-10 04:16:34
    # local_time=2012-08-10 12:16:34 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=6.0.6002 NT Service Pack 2
    # compatibility_mode=1024 16777215 100 0 0 0 0 0
    # compatibility_mode=5892 16776574 100 56 54124841 181203832 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=338481
    # found=7
    # cleaned=7
    # scan_time=10268
    C:\FRST\Quarantine\apshux.dll a variant of Win32/Medfos.CE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\FRST\Quarantine\owudtx.dll a variant of Win32/Kryptik.AJLB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\FRST\Quarantine\renovator.exe Win32/Gataka.B trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\FRST\Quarantine\Opymbo\uxixb.exe a variant of Win32/Kryptik.AJFL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Program Files (x86)\Yontoo Layers\YontooIEClient.dll Win32/Adware.Yontoo.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Users\Joe Rapp\AppData\Local\{41F6EAF3-DB86-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
     
  24. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Hi! Your logs appear to be clean. If there are no more issues, then we shall clean up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name, e.g. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop-down box select your main drive, e.g. C
    • For a few moments the system will make some calculations
    • Select the More Options tab
    • In the System Restore and Shadow Backups section select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete
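The same two procedures (create a fresh restore point, then purge the older ones so only the clean one remains) as an added PowerShell example; this is not part of the thread or the helper's instructions. It assumes an elevated Windows PowerShell session, System Protection enabled on C:, and the restore point name "Clean" from the steps above.

```powershell
# Added example, not from the thread: scripted equivalent of the manual
# "create a restore point" and "clean up old restore points" steps.
# Assumptions: run as Administrator, System Protection is on for C:,
# Windows PowerShell (Checkpoint-Computer is not available in PowerShell Core).

$driveSpec = 'C:'      # assumption: the system drive
$label     = 'Clean'   # assumption: same name used in the manual step

# 1. Create the fresh restore point. Checkpoint-Computer fails when not
#    elevated, so a failure here stops the script before anything is purged.
Checkpoint-Computer -Description $label -RestorePointType MODIFY_SETTINGS -ErrorAction Stop

# 2. Confirm the newest restore point is ours before deleting anything.
$newest = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
if ($newest.Description -ne $label) {
    throw "Restore point '$label' was not created; refusing to purge old points."
}

# 3. Restore points on Vista and later are shadow copies, and vssadmin only
#    removes the oldest one per call, so loop until a single point remains.
#    The iteration guard prevents spinning forever if vssadmin cannot delete.
$guard = 0
while (((Get-ComputerRestorePoint | Measure-Object).Count -gt 1) -and ($guard -lt 100)) {
    vssadmin delete shadows /for=$driveSpec /oldest /quiet | Out-Null
    $guard++
}

# 4. Show what is left; only the "Clean" point should be listed.
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, CreationTime -AutoSize
```

Disk Cleanup's "Clean up" button does the same thing (keeps only the most recent restore point), so use whichever the helper has asked for; the script is mainly useful when the GUI is unavailable.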

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    • Double-click the CCleaner shortcut on the desktop to start the program.
    • Click on the Options block on the left, then choose Cookies.
    • Under Cookies to Delete, highlight any cookies you would like to retain permanently.
    • Click the right arrow > to move them to the Cookies to Keep window.
    • Go into Options > Advanced and uncheck Only delete files in Windows Temp folders older than 48 hours.
    • Click Cleaner on the left, then Run Cleaner on the right to run the program.
    • Important: Make sure that ALL browser windows are closed before selecting Run Cleaner.

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Tell me in your next reply, if you have completed these tasks:
    • Cleaned System Restore
    • Ran OTC
    • Ran CCleaner
    • Ran Security Check
    Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
     
  25. SignoreJoe

    SignoreJoe TS Rookie Topic Starter Posts: 21

    I've completed a system restore and ran OTC, however I already have CCleaner on my computer, should I still install it from the links given?

    Also, MSE still can't update, not sure what's the matter with it.
     
Topic Status:
Not open for further replies.
