Malware virus won't remove

By stijpn2012
Jan 9, 2012
  1. Broni

    Broni Malware Annihilator Posts: 46,321   +252

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\users\bbailey\UserProfile\SystemBoot.lnk
    c:\users\bbailey\SoftRecovery\RegWrite.lnk
    
    
    
    Folder::
    
    Driver::
    SafeBoot
    SbAlg
    SbFsLock
    RsvLock
    
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SystemBootNQtdP6TDS6cn0vSDlYFgIHWxSydqQbiS"=-
    "RegWriteNQtdP6TDS6cn0vSDlYFgIHWxSydqQbiS"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000000
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: CFScript.txt dragged onto ComboFix.exe]


    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
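
    A read-only PowerShell audit of the same persistence points the CFScript above targets: Run values backed by .lnk files sitting in hidden profile folders, the four driver registrations it lists, and the Security Center monitoring flag it resets. This is an added example, not part of the thread and not ComboFix code; the function names are mine, and the hidden-folder test is a heuristic that deliberately skips the normally hidden AppData directory.

```powershell
# Added read-only audit (not from the thread, not ComboFix). Assumes Windows
# PowerShell 3+; run from an elevated prompt so the HKLM keys are readable.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Provider metadata that Get-ItemProperty returns next to the real values.
$PsMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-CommandPath {
    param([string]$Command)
    # Pull the file path out of a Run value: quoted path, bare path, or first token.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if (-not $cmd) { return $null }
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if (Test-Path -LiteralPath $cmd) { return $cmd }   # unquoted path with spaces, no arguments
    return ($cmd -split '\s+')[0]
}

function Resolve-ShortcutTarget {
    param([string]$LnkPath)
    # WScript.Shell reads the stored target of an existing .lnk without launching it.
    if (-not (Test-Path -LiteralPath $LnkPath)) { return $null }
    $shell = New-Object -ComObject WScript.Shell
    try     { $shell.CreateShortcut($LnkPath).TargetPath }
    finally { [void][Runtime.InteropServices.Marshal]::ReleaseComObject($shell) }
}

function Test-Hidden {
    param([IO.FileSystemInfo]$Info)
    ([int]$Info.Attributes -band [int][IO.FileAttributes]::Hidden) -ne 0
}

function Test-HiddenAncestor {
    param([string]$Path)
    # True when the file or a directory above it carries the Hidden attribute, as
    # c:\users\<user>\UserProfile and \SoftRecovery do in the log (d--h--w-).
    # Heuristic: the profile's AppData folder is hidden by default and is skipped.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return $false }
    if (Test-Hidden $item) { return $true }
    $dir = if ($item -is [IO.DirectoryInfo]) { $item } else { $item.Directory }
    while ($dir -and $dir.Parent) {                       # stop at the drive root
        if ($dir.Name -ne 'AppData' -and (Test-Hidden $dir)) { return $true }
        $dir = $dir.Parent
    }
    return $false
}

function Get-SuspiciousRunEntries {
    # Reports Run values that are .lnk-backed, live under a hidden folder, or point
    # at a file that no longer exists (an orphaned value left after a clean-up).
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($PsMeta -contains $prop.Name) { continue }
            $path = Get-CommandPath ([string]$prop.Value)
            if (-not $path) { continue }
            $target  = $null
            $reasons = @()
            if ($path -match '\.lnk$') {
                $reasons += 'lnk-backed'
                $target = Resolve-ShortcutTarget $path
            }
            foreach ($candidate in @($path, $target)) {
                if ($candidate -and (Test-HiddenAncestor $candidate)) {
                    $reasons += "hidden-folder:$candidate"
                }
            }
            if (-not (Test-Path -LiteralPath $path)) { $reasons += 'missing-file' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key = $key; Name = $prop.Name; Command = $prop.Value
                    Target = $target; Reasons = ($reasons -join ', ')
                }
            }
        }
    }
}

function Get-ServiceRegistration {
    param([string[]]$Names)
    # Shows whether each driver/service name is still registered and which binary
    # it points to; Present=False after the CFScript run confirms the removal.
    foreach ($n in $Names) {
        $k = "HKLM:\SYSTEM\CurrentControlSet\Services\$n"
        $present = Test-Path $k
        $image   = if ($present) { (Get-ItemProperty $k).ImagePath } else { $null }
        [pscustomobject]@{ Service = $n; Present = $present; ImagePath = $image }
    }
}

function Get-SecurityCenterMonitoring {
    # DisableMonitoring=1 under a product subkey silences Security Center alerts
    # for that product; the CFScript resets the SymantecAntiVirus entry to 0.
    $base = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'
    if (-not (Test-Path $base)) { return }
    Get-ChildItem $base | ForEach-Object {
        [pscustomobject]@{
            Product           = $_.PSChildName
            DisableMonitoring = (Get-ItemProperty $_.PSPath).DisableMonitoring
        }
    }
}

Get-SuspiciousRunEntries | Format-Table -AutoSize
Get-ServiceRegistration 'SafeBoot', 'SbAlg', 'SbFsLock', 'RsvLock' | Format-Table -AutoSize
Get-SecurityCenterMonitoring | Format-Table -AutoSize
```

    Run it once before and once after the CFScript to see the two .lnk-backed Run values and the four service registrations disappear from the output; anything it still flags afterwards is worth a second look.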
  2. stijpn2012

    stijpn2012 Newcomer, in training Topic Starter Posts: 40

    I have a problem: after running ComboFix my PC won't log on, saying "windows failed to start up" and asking me to start up in repair mode. I'm using my iPhone to send this.
  3. stijpn2012

    stijpn2012 Newcomer, in training Topic Starter Posts: 40

    I only get two options: 1) start up normally, which won't work, or 2) start-up repair. Running the repair, it said Windows cannot repair, just FYI.
  4. stijpn2012

    stijpn2012 Newcomer, in training Topic Starter Posts: 40

    Hi again, managed to log on using F8 and the last known restore point. Logged on & the PC went straight to ComboFix & is preparing the log report :)
  5. stijpn2012

    stijpn2012 Newcomer, in training Topic Starter Posts: 40

    OK, back to normal, was worried there :)

    ComboFix 12-01-10.02 - bbailey 01/12/2012 8:46.7.4 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2991.1729 [GMT 9:00]
    Running from: c:\combofix\ComboFix.exe
    Command switches used :: \\rn-fs2\Users$\bbailey\Desktop\CFScript.txt
    AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    FW: Symantec Endpoint Protection *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
    SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\users\bbailey\SoftRecovery\RegWrite.lnk"
    "c:\users\bbailey\UserProfile\SystemBoot.lnk"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\bbailey\SoftRecovery\RegWrite.lnk
    c:\users\bbailey\UserProfile\SystemBoot.lnk
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_RSVLOCK
    -------\Legacy_SBALG
    -------\Legacy_SBFSLOCK
    -------\Service_RsvLock
    -------\Service_SafeBoot
    -------\Service_SbAlg
    -------\Service_SbFsLock
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-12 to 2012-01-12 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-11 23:52 . 2012-01-11 23:52 -------- d-----w- c:\users\Radisson\AppData\Local\temp
    2012-01-11 23:52 . 2012-01-11 23:52 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-11 23:52 . 2012-01-11 23:52 -------- d-----w- c:\users\administrator\AppData\Local\temp
    2012-01-11 20:02 . 2012-01-12 00:29 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4A3E672D-BABD-445D-B812-5178A4EF8919}\offreg.dll
    2012-01-11 17:17 . 2012-01-11 17:17 -------- d-----w- C:\HP_RECOVERY_mountHPSF
    2012-01-10 19:43 . 2012-01-12 00:32 -------- d-----w- c:\users\bbailey\AppData\Local\temp
    2012-01-06 23:50 . 2011-12-10 06:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-06 23:50 . 2012-01-06 23:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-06 21:58 . 2012-01-06 21:58 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-01-06 14:24 . 2012-01-06 14:24 -------- d-----w- c:\program files\iPod
    2012-01-06 14:24 . 2012-01-06 14:25 -------- d-----w- c:\program files\iTunes
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
    2012-01-06 14:20 . 2012-01-06 14:20 -------- d-----w- c:\program files\QuickTime
    2012-01-06 09:28 . 2012-01-06 09:53 -------- d-----w- c:\programdata\AVAST Software
    2012-01-06 09:28 . 2012-01-06 09:28 -------- d-----w- c:\program files\AVAST Software
    2012-01-05 23:47 . 2012-01-05 23:47 -------- d-----w- c:\users\bbailey\AppData\Roaming\GlarySoft
    2012-01-05 23:06 . 2012-01-05 23:06 -------- d-----w- c:\program files\WinASO
    2012-01-05 19:56 . 2012-01-05 19:56 -------- d-----w- c:\users\bbailey\AppData\Local\Apps
    2012-01-05 04:45 . 2012-01-05 04:45 -------- d-----w- c:\users\administrator\AppData\Local\Google
    2012-01-05 04:40 . 2012-01-05 04:40 -------- d-----w- c:\users\administrator\AppData\Roaming\hpqlog
    2012-01-05 04:39 . 2012-01-05 04:39 -------- d-----w- c:\users\administrator\AppData\Roaming\IObit
    2012-01-05 04:38 . 2012-01-05 04:38 -------- d-----w- c:\users\administrator\AppData\Roaming\Synaptics
    2012-01-05 04:30 . 2012-01-05 04:30 -------- d-----w- C:\a4a5b20479313b238579215fc2
    2012-01-02 23:43 . 2012-01-03 03:04 -------- d-----w- c:\program files\PC Tools Security
    2012-01-02 23:41 . 2012-01-02 23:52 -------- d-----w- c:\programdata\PC Tools
    2012-01-02 03:59 . 2012-01-02 04:14 -------- d-----w- c:\users\bbailey\AppData\Roaming\IObit
    2012-01-02 03:59 . 2012-01-02 03:59 -------- d-----w- c:\program files\IObit
    2012-01-02 03:35 . 2010-01-10 09:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
    2012-01-02 03:34 . 2012-01-05 04:51 -------- d-----w- c:\program files\SpywareBlaster
    2012-01-02 01:55 . 2012-01-02 01:55 -------- d-----w- c:\users\bbailey\AppData\Roaming\Malwarebytes
    2012-01-02 01:55 . 2012-01-02 01:55 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-31 09:36 . 2011-12-31 09:36 -------- d-----w- c:\users\bbailey\AppData\Roaming\Synaptics
    2011-12-30 23:39 . 2012-01-11 21:29 -------- d-----w- c:\users\bbailey\AppData\Local\PokerStars
    2011-12-30 23:38 . 2012-01-09 13:58 -------- d-----w- c:\program files\PokerStars
    2011-12-30 23:02 . 2011-12-30 23:02 -------- d-----w- c:\programdata\Synaptics
    2011-12-30 23:02 . 2011-03-31 10:30 218408 ----a-w- c:\windows\system32\SynCtrl.dll
    2011-12-30 23:02 . 2011-03-31 10:32 1335472 ----a-w- c:\windows\system32\drivers\SynTP.sys
    2011-12-30 23:02 . 2011-03-31 10:30 173352 ----a-w- c:\windows\system32\SynTPAPI.dll
    2011-12-30 23:02 . 2011-03-31 10:30 120104 ----a-w- c:\windows\system32\SynTPCo9.dll
    2011-12-29 03:50 . 2011-12-29 03:50 -------- d-----w- c:\users\bbailey\AppData\Local\Roxio
    2011-12-28 20:05 . 2012-01-05 04:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-12-28 20:05 . 2012-01-05 04:50 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-12-28 19:41 . 2011-12-28 19:41 2560 ----a-w- c:\windows\_MSRSTRT.EXE
    2011-12-28 19:37 . 2011-12-28 19:37 -------- d-----w- c:\program files\Panicware
    2011-12-28 19:18 . 2011-11-29 17:21 6823496 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4A3E672D-BABD-445D-B812-5178A4EF8919}\mpengine.dll
    2011-12-28 19:18 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-12-28 16:24 . 2011-12-28 16:24 -------- d-----w- c:\users\bbailey\AppData\Local\Downloaded Installations
    2011-12-28 16:22 . 2011-12-28 16:22 -------- d-----w- c:\program files\Common Files\Portrait Displays
    2011-12-28 16:21 . 2011-12-28 16:21 -------- d-----w- c:\users\bbailey\AppData\Roaming\Hewlett-Packard Company
    2011-12-28 16:18 . 2011-12-28 16:18 7435264 ----a-w- c:\windows\system32\drivers\NETwNs32.sys
    2011-12-28 16:18 . 2011-12-28 16:18 684032 ----a-w- c:\windows\system32\NETwNc32.dll
    2011-12-28 16:18 . 2011-12-28 16:18 2760704 ----a-w- c:\windows\system32\NETwNr32.dll
    2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\users\bbailey\AppData\Roaming\InstallShield
    2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\program files\Common Files\Roxio Shared
    2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\programdata\Uninstall
    2011-12-28 14:31 . 2012-01-11 17:00 -------- d-----w- c:\users\bbailey\AppData\Local\ElevatedDiagnostics
    2011-12-27 23:23 . 2011-12-27 23:23 -------- d-----w- c:\users\bbailey\AppData\Roaming\SumatraPDF
    2011-12-27 23:22 . 2011-12-27 23:22 1490 ----a-w- C:\user.js
    2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\users\bbailey\AppData\Roaming\Babylon
    2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\users\bbailey\AppData\Local\Babylon
    2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\programdata\Babylon
    2011-12-27 23:04 . 2012-01-11 23:52 -------- d--h--w- c:\users\bbailey\UserProfile
    2011-12-27 23:04 . 2012-01-11 23:52 -------- d--h--w- c:\users\bbailey\SoftRecovery
    2011-12-15 06:11 . 2011-11-24 04:25 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-12-15 06:10 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-15 06:08 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-15 06:08 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-05 03:07 . 2011-12-05 03:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-11-24 09:28 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-11-16 13:32 . 2011-11-16 13:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-24 05:29 . 2011-10-24 05:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 05:29 . 2011-10-24 05:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-15 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2010-04-05 186904]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-03-31 2221352]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-06-03 136216]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-06-03 171032]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-06-03 170008]
    "IMSS"="c:\program files\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [2009-11-04 111640]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-04-21 115560]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-01 59240]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "HPPowerAssistant"="c:\program files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe" [2011-08-17 14904]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-07 421736]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2012-01-08 495708]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-9-5 795936]
    Scrybe.lnk - c:\windows\Installer\{147DFAD8-34C3-4DE1-9FCA-ACEFDE9EF810}\NewShortcut11_8ACB210B42E44145A8C31F8E3DD765A3.exe [2011-12-31 45056]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "SoftwareSASGeneration"= 3 (0x3)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ DPPassFilter scecli
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R1 MpKsl32e3c7cb;MpKsl32e3c7cb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6839C83D-EE69-41E2-8E4C-DC7FAF42A1F5}\MpKsl32e3c7cb.sys [x]
    R1 MpKsl3dcb8ff4;MpKsl3dcb8ff4;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{531D348C-33A2-48BA-9CCF-50D0BD38BBC9}\MpKsl3dcb8ff4.sys [x]
    R1 MpKsl5fad6417;MpKsl5fad6417;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A65FA436-245B-432A-A60E-5123D8B17809}\MpKsl5fad6417.sys [x]
    R1 MpKsl6a02d7a0;MpKsl6a02d7a0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6839C83D-EE69-41E2-8E4C-DC7FAF42A1F5}\MpKsl6a02d7a0.sys [x]
    R1 MpKsleba0c0bf;MpKsleba0c0bf;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{39DB4C9C-805A-4EAE-AA68-B09ABDA1B971}\MpKsleba0c0bf.sys [x]
    R1 MpKsledfc84ef;MpKsledfc84ef;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{972F4AEC-8798-434E-BA50-9C931C86E223}\MpKsledfc84ef.sys [x]
    R1 MpKsleee50011;MpKsleee50011;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9765E7B4-97F9-4B37-A695-C6A31DA655D1}\MpKsleee50011.sys [x]
    R1 MpKslf6bcd812;MpKslf6bcd812;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A65FA436-245B-432A-A60E-5123D8B17809}\MpKslf6bcd812.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 136176]
    R2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-10-26 48640]
    R2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2009-10-29 47616]
    R2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2009-09-28 38912]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 136176]
    R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2011-05-27 6758912]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2012-01-08 81920]
    S2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [2011-08-17 133176]
    S2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [2010-10-19 32768]
    S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]
    S2 Hp.Skyroom.Windows.Service;HP SkyRoom;c:\program files\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe [2009-11-20 124984]
    S2 HPDayStarterService;HP DayStarter Service;c:\program files\Hewlett-Packard\HP FastLook\HPDayStarterService.exe [2010-07-13 95800]
    S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-07-05 227384]
    S2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2009-11-11 277096]
    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-03-15 26168]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
    S2 rgsender;Remote Graphics Sender Service;c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe [2009-11-19 379904]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-09-17 29472]
    S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2010-04-05 224424]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-08 106104]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 132480]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-02-04 232960]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
    S3 NETwNs32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2011-12-28 7435264]
    S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\DRIVERS\rismc32.sys [2009-07-20 49152]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 05:39]
    .
    2012-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 05:39]
    .
    2011-12-29 c:\windows\Tasks\HPCeeScheduleForbbailey.job
    - c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 11:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ninemsn.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 4.2.2.1
    DPF: {4E1318B0-53F0-4274-99FB-F5621625340D} - hxxp://rdnariw2k302/installOperaPrintCtrl.exe
    DPF: {DAAC8ECF-DB09-4821-8126-E2C9499A20BA} - hxxp://rdnariw2k302/installregterm.exe
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(640)
    c:\windows\system32\DPFPApi.DLL
    .
    - - - - - - - > 'Explorer.exe'(5292)
    c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\IDT\WDM\STacSV.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
    c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe
    c:\program files\LSI SoftModem\agrsmsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
    c:\program files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    c:\program files\Synaptics\Scrybe\Service\ScrybeUpdater.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender.exe
    c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Authentication\Hp.SkyRoom.Windows.RgsPlugin.Authentication.exe
    c:\windows\system32\conhost.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Lens\Hp.SkyRoom.Windows.RgsPlugin.Lens.exe
    c:\windows\system32\conhost.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Licensing\Hp.SkyRoom.Windows.RgsPlugin.Licensing.exe
    c:\windows\system32\conhost.exe
    c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    c:\windows\system32\taskhost.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender_gui.exe
    c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    c:\windows\system32\conhost.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-12 09:37:09 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-12 00:37
    ComboFix2.txt 2012-01-11 22:57
    ComboFix3.txt 2012-01-11 19:00
    ComboFix4.txt 2012-01-10 19:43
    ComboFix5.txt 2012-01-11 23:43
    .
    Pre-Run: 167,649,124,352 bytes free
    Post-Run: 167,357,329,408 bytes free
    .
    - - End Of File - - E17AE34E0D90C10A59F16A7C29395433
  6. Broni

    Broni Malware Annihilator Posts: 46,321   +252

    Is pop-up still there?
  7. stijpn2012

    stijpn2012 Newcomer, in training Topic Starter Posts: 40

    Just rebooted and yes, the pop-up was there again. Also I had trouble with the start-up again, with an error message "windows failed to start up". I had to log in under F8 - Last Known Good Config to get back in. The repair failed to fix this issue before, and advanced settings said there was a "Root Causes - 1" and it was System Disk/device/hard disk, just FYI.
  8. Broni

    Broni Malware Annihilator Posts: 46,321   +252

    We'll reset your MBR...

    Please Boot to the System Recovery Options
    If you have a Windows 7 installation disc, just insert the DVD into the drive, restart the computer and it should load automatically (option two presented in the article).
    It's possible also that your computer has a pre-installed recovery partition instead - in such a case use method one (by pressing F8 before Windows starts loading)...

    On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt

    Choose Command Prompt
    You should see X:\SOURCES>...

    Execute the following commands in bold.
    Press Enter after every one of them.

    bootrec /fixmbr (<--- there is a "space" after "bootrec")

    bootrec /fixboot (<--- there is a "space" after "bootrec")

    exit

    Restart computer.

    Re-run Combofix.
  9. stijpn2012

    stijpn2012 Newcomer, in training Topic Starter Posts: 40

    I don't have the Windows 7 installation disk and it looks like I don't have a pre-installed recovery partition, as when I pressed F8 I didn't get those options. I have been able to reboot a number of times without any issues recently.

    Should I just re-run ComboFix?
  10. Broni

    Broni Malware Annihilator Posts: 46,321   +252

    Go ahead.
    We can try one more time.
  11. stijpn2012

    stijpn2012 Newcomer, in training Topic Starter Posts: 40

    ComboFix 12-01-11.01 - bbailey 01/12/2012 12:54:47.8.4 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2991.1707 [GMT 9:00]
    Running from: c:\combofix\ComboFix.exe
    AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
    SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    Infected copy of c:\windows\system32\userinit.exe was found and disinfected
    Restored copy from - c:\windows\ERDNT\cache\userinit.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-12 to 2012-01-12 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-12 04:01 . 2012-01-12 04:01 -------- d-----w- c:\users\Radisson\AppData\Local\temp
    2012-01-12 04:01 . 2012-01-12 04:01 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-12 04:01 . 2012-01-12 04:01 -------- d-----w- c:\users\administrator\AppData\Local\temp
    2012-01-12 03:19 . 2012-01-12 04:04 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4A3E672D-BABD-445D-B812-5178A4EF8919}\offreg.dll
    2012-01-11 17:17 . 2012-01-11 17:17 -------- d-----w- C:\HP_RECOVERY_mountHPSF
    2012-01-10 19:43 . 2012-01-12 04:04 -------- d-----w- c:\users\bbailey\AppData\Local\temp
    2012-01-06 23:50 . 2011-12-10 06:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-06 23:50 . 2012-01-06 23:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-06 21:58 . 2012-01-06 21:58 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-01-06 14:24 . 2012-01-06 14:24 -------- d-----w- c:\program files\iPod
    2012-01-06 14:24 . 2012-01-06 14:25 -------- d-----w- c:\program files\iTunes
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
    2012-01-06 14:20 . 2012-01-06 14:20 -------- d-----w- c:\program files\QuickTime
    2012-01-06 09:28 . 2012-01-06 09:53 -------- d-----w- c:\programdata\AVAST Software
    2012-01-06 09:28 . 2012-01-06 09:28 -------- d-----w- c:\program files\AVAST Software
    2012-01-05 23:47 . 2012-01-05 23:47 -------- d-----w- c:\users\bbailey\AppData\Roaming\GlarySoft
    2012-01-05 23:06 . 2012-01-05 23:06 -------- d-----w- c:\program files\WinASO
    2012-01-05 19:56 . 2012-01-05 19:56 -------- d-----w- c:\users\bbailey\AppData\Local\Apps
    2012-01-05 04:45 . 2012-01-05 04:45 -------- d-----w- c:\users\administrator\AppData\Local\Google
    2012-01-05 04:40 . 2012-01-05 04:40 -------- d-----w- c:\users\administrator\AppData\Roaming\hpqlog
    2012-01-05 04:39 . 2012-01-05 04:39 -------- d-----w- c:\users\administrator\AppData\Roaming\IObit
    2012-01-05 04:38 . 2012-01-05 04:38 -------- d-----w- c:\users\administrator\AppData\Roaming\Synaptics
    2012-01-05 04:30 . 2012-01-05 04:30 -------- d-----w- C:\a4a5b20479313b238579215fc2
    2012-01-02 23:43 . 2012-01-03 03:04 -------- d-----w- c:\program files\PC Tools Security
    2012-01-02 23:41 . 2012-01-02 23:52 -------- d-----w- c:\programdata\PC Tools
    2012-01-02 03:59 . 2012-01-02 04:14 -------- d-----w- c:\users\bbailey\AppData\Roaming\IObit
    2012-01-02 03:59 . 2012-01-02 03:59 -------- d-----w- c:\program files\IObit
    2012-01-02 03:35 . 2010-01-10 09:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
    2012-01-02 03:34 . 2012-01-05 04:51 -------- d-----w- c:\program files\SpywareBlaster
    2012-01-02 01:55 . 2012-01-02 01:55 -------- d-----w- c:\users\bbailey\AppData\Roaming\Malwarebytes
    2012-01-02 01:55 . 2012-01-02 01:55 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-31 09:36 . 2011-12-31 09:36 -------- d-----w- c:\users\bbailey\AppData\Roaming\Synaptics
    2011-12-30 23:39 . 2012-01-12 00:51 -------- d-----w- c:\users\bbailey\AppData\Local\PokerStars
    2011-12-30 23:38 . 2012-01-09 13:58 -------- d-----w- c:\program files\PokerStars
    2011-12-30 23:02 . 2011-12-30 23:02 -------- d-----w- c:\programdata\Synaptics
    2011-12-30 23:02 . 2011-03-31 10:30 218408 ----a-w- c:\windows\system32\SynCtrl.dll
    2011-12-30 23:02 . 2011-03-31 10:32 1335472 ----a-w- c:\windows\system32\drivers\SynTP.sys
    2011-12-30 23:02 . 2011-03-31 10:30 173352 ----a-w- c:\windows\system32\SynTPAPI.dll
    2011-12-30 23:02 . 2011-03-31 10:30 120104 ----a-w- c:\windows\system32\SynTPCo9.dll
    2011-12-29 03:50 . 2011-12-29 03:50 -------- d-----w- c:\users\bbailey\AppData\Local\Roxio
    2011-12-28 20:05 . 2012-01-05 04:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-12-28 20:05 . 2012-01-05 04:50 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-12-28 19:41 . 2011-12-28 19:41 2560 ----a-w- c:\windows\_MSRSTRT.EXE
    2011-12-28 19:37 . 2011-12-28 19:37 -------- d-----w- c:\program files\Panicware
    2011-12-28 19:18 . 2011-11-29 17:21 6823496 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4A3E672D-BABD-445D-B812-5178A4EF8919}\mpengine.dll
    2011-12-28 19:18 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-12-28 16:24 . 2011-12-28 16:24 -------- d-----w- c:\users\bbailey\AppData\Local\Downloaded Installations
    2011-12-28 16:22 . 2011-12-28 16:22 -------- d-----w- c:\program files\Common Files\Portrait Displays
    2011-12-28 16:21 . 2011-12-28 16:21 -------- d-----w- c:\users\bbailey\AppData\Roaming\Hewlett-Packard Company
    2011-12-28 16:18 . 2011-12-28 16:18 7435264 ----a-w- c:\windows\system32\drivers\NETwNs32.sys
    2011-12-28 16:18 . 2011-12-28 16:18 684032 ----a-w- c:\windows\system32\NETwNc32.dll
    2011-12-28 16:18 . 2011-12-28 16:18 2760704 ----a-w- c:\windows\system32\NETwNr32.dll
    2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\users\bbailey\AppData\Roaming\InstallShield
    2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\program files\Common Files\Roxio Shared
    2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\programdata\Uninstall
    2011-12-28 14:31 . 2012-01-11 17:00 -------- d-----w- c:\users\bbailey\AppData\Local\ElevatedDiagnostics
    2011-12-27 23:23 . 2011-12-27 23:23 -------- d-----w- c:\users\bbailey\AppData\Roaming\SumatraPDF
    2011-12-27 23:22 . 2011-12-27 23:22 1490 ----a-w- C:\user.js
    2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\users\bbailey\AppData\Roaming\Babylon
    2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\users\bbailey\AppData\Local\Babylon
    2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\programdata\Babylon
    2011-12-27 23:04 . 2012-01-12 00:53 -------- d--h--w- c:\users\bbailey\UserProfile
    2011-12-27 23:04 . 2012-01-12 00:53 -------- d--h--w- c:\users\bbailey\SoftRecovery
    2011-12-15 06:11 . 2011-11-24 04:25 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-12-15 06:10 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-15 06:08 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-15 06:08 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-05 03:07 . 2011-12-05 03:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-11-24 09:28 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-11-16 13:32 . 2011-11-16 13:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-24 05:29 . 2011-10-24 05:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 05:29 . 2011-10-24 05:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-15 39408]
    "SystemBootNQtdP6TDS6cn0vSDlYFgIHWxSydqQbiS"="c:\users\bbailey\UserProfile\SystemBoot.lnk" [2012-01-12 882]
    "RegWriteNQtdP6TDS6cn0vSDlYFgIHWxSydqQbiS"="c:\users\bbailey\SoftRecovery\RegWrite.lnk" [2012-01-12 990]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2010-04-05 186904]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-03-31 2221352]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-06-03 136216]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-06-03 171032]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-06-03 170008]
    "IMSS"="c:\program files\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [2009-11-04 111640]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-04-21 115560]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-01 59240]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "HPPowerAssistant"="c:\program files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe" [2011-08-17 14904]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-07 421736]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2012-01-08 495708]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-9-5 795936]
    Scrybe.lnk - c:\windows\Installer\{147DFAD8-34C3-4DE1-9FCA-ACEFDE9EF810}\NewShortcut11_8ACB210B42E44145A8C31F8E3DD765A3.exe [2011-12-31 45056]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "SoftwareSASGeneration"= 3 (0x3)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ DPPassFilter scecli
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    R1 MpKsl32e3c7cb;MpKsl32e3c7cb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6839C83D-EE69-41E2-8E4C-DC7FAF42A1F5}\MpKsl32e3c7cb.sys [x]
    R1 MpKsl3dcb8ff4;MpKsl3dcb8ff4;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{531D348C-33A2-48BA-9CCF-50D0BD38BBC9}\MpKsl3dcb8ff4.sys [x]
    R1 MpKsl5fad6417;MpKsl5fad6417;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A65FA436-245B-432A-A60E-5123D8B17809}\MpKsl5fad6417.sys [x]
    R1 MpKsl6a02d7a0;MpKsl6a02d7a0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6839C83D-EE69-41E2-8E4C-DC7FAF42A1F5}\MpKsl6a02d7a0.sys [x]
    R1 MpKsleba0c0bf;MpKsleba0c0bf;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{39DB4C9C-805A-4EAE-AA68-B09ABDA1B971}\MpKsleba0c0bf.sys [x]
    R1 MpKsledfc84ef;MpKsledfc84ef;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{972F4AEC-8798-434E-BA50-9C931C86E223}\MpKsledfc84ef.sys [x]
    R1 MpKsleee50011;MpKsleee50011;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9765E7B4-97F9-4B37-A695-C6A31DA655D1}\MpKsleee50011.sys [x]
    R1 MpKslf6bcd812;MpKslf6bcd812;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A65FA436-245B-432A-A60E-5123D8B17809}\MpKslf6bcd812.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 136176]
    R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]
    R2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-10-26 48640]
    R2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2009-10-29 47616]
    R2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2009-09-28 38912]
    R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2009-10-22 1639728]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 136176]
    R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2011-05-27 6758912]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-19 52224]
    S0 SafeBoot;SafeBoot; [x]
    S0 SbAlg;SbAlg; [x]
    S0 SbFsLock;SbFsLock; [x]
    S1 RsvLock;RsvLock; [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2012-01-08 81920]
    S2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [2011-08-17 133176]
    S2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [2010-10-19 32768]
    S2 Hp.Skyroom.Windows.Service;HP SkyRoom;c:\program files\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe [2009-11-20 124984]
    S2 HPDayStarterService;HP DayStarter Service;c:\program files\Hewlett-Packard\HP FastLook\HPDayStarterService.exe [2010-07-13 95800]
    S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-07-05 227384]
    S2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2009-11-11 277096]
    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-03-15 26168]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
    S2 rgsender;Remote Graphics Sender Service;c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe [2009-11-19 379904]
    S2 ScrybeUpdater;Scrybe Updater;c:\program files\Synaptics\Scrybe\Service\ScrybeUpdater.exe [2011-05-27 1300264]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-11-04 2320920]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-09-17 29472]
    S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2010-04-05 224424]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-08 106104]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 132480]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-02-04 232960]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
    S3 NETwNs32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2011-12-28 7435264]
    S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\DRIVERS\rismc32.sys [2009-07-20 49152]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 05:39]
    .
    2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 05:39]
    .
    2011-12-29 c:\windows\Tasks\HPCeeScheduleForbbailey.job
    - c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 11:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ninemsn.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 4.2.2.1
    DPF: {4E1318B0-53F0-4274-99FB-F5621625340D} - hxxp://rdnariw2k302/installOperaPrintCtrl.exe
    DPF: {DAAC8ECF-DB09-4821-8126-E2C9499A20BA} - hxxp://rdnariw2k302/installregterm.exe
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(640)
    c:\windows\system32\DPFPApi.DLL
    .
    - - - - - - - > 'Explorer.exe'(5124)
    c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\IDT\WDM\STacSV.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
    c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe
    c:\program files\LSI SoftModem\agrsmsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
    c:\program files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Authentication\Hp.SkyRoom.Windows.RgsPlugin.Authentication.exe
    c:\windows\system32\conhost.exe
    c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Lens\Hp.SkyRoom.Windows.RgsPlugin.Lens.exe
    c:\windows\system32\conhost.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Licensing\Hp.SkyRoom.Windows.RgsPlugin.Licensing.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\taskhost.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender_gui.exe
    c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-12 13:09:28 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-12 04:09
    ComboFix2.txt 2012-01-12 00:37
    ComboFix3.txt 2012-01-11 22:57
    ComboFix4.txt 2012-01-11 19:00
    ComboFix5.txt 2012-01-12 03:52
    .
    Pre-Run: 167,108,362,240 bytes free
    Post-Run: 167,092,195,328 bytes free
    .
    - - End Of File - - E0638203FE656A25F18B82CC55F622B4
     
  12. Broni

    Broni Malware Annihilator Posts: 46,321   +252

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\users\bbailey\UserProfile\SystemBoot.lnk
    
    
    Folder::
    c:\programdata\AVAST Software
    c:\program files\AVAST Software
    c:\users\bbailey\SoftRecovery
    c:\users\bbailey\UserProfile
    
    Driver::
    MpKslf6bcd812
    MpKsleee50011
    MpKsledfc84ef
    MpKsleba0c0bf
    MpKsl6a02d7a0
    MpKsl5fad6417
    MpKsl3dcb8ff4
    MpKsl32e3c7cb
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SystemBootNQtdP6TDS6cn0vSDlYFgIHWxSydqQbiS"=-
    "RegWriteNQtdP6TDS6cn0vSDlYFgIHWxSydqQbiS"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000000
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
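To show how the log entries map onto the script sections above, here is an added triage helper (example code of mine, not part of the thread or of ComboFix): it parses a few Run-key and service lines copied from the log earlier in this thread, flags the shortcut-based autostart values and the orphaned `[x]` drivers a helper would target, and renders the File::/Driver::/Registry:: sections in the CFScript format. The "random-looking suffix" check is a crude heuristic of my own, not a ComboFix rule.

```python
"""Triage helper for ComboFix 'Reg Loading Points' output (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the ComboFix log in this
# thread (trimmed; the real log has many more legitimate entries).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-15 39408]
"SystemBootNQtdP6TDS6cn0vSDlYFgIHWxSydqQbiS"="c:\users\bbailey\UserProfile\SystemBoot.lnk" [2012-01-12 882]
"RegWriteNQtdP6TDS6cn0vSDlYFgIHWxSydqQbiS"="c:\users\bbailey\SoftRecovery\RegWrite.lnk" [2012-01-12 990]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
.
R1 MpKsl32e3c7cb;MpKsl32e3c7cb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6839C83D-EE69-41E2-8E4C-DC7FAF42A1F5}\MpKsl32e3c7cb.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 136176]
S0 SafeBoot;SafeBoot; [x]
"""


@dataclass
class RunEntry:
    key: str     # registry key the value lives under
    name: str    # value name
    target: str  # path the value launches


@dataclass
class ServiceEntry:
    state: str     # ComboFix start-type code, e.g. R1 or S0
    name: str
    image: str     # image path, empty when ComboFix could not resolve it
    missing: bool  # True when ComboFix printed [x] (image file not found)


KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[[^\]]*\]$')
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$')
RANDOM_TAIL_RE = re.compile(r'[A-Za-z0-9]{20,}$')


def parse_log(text):
    """Collect Run-key values and service/driver lines from ComboFix output."""
    runs, services = [], []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key and current_key.lower().endswith('\\run'):
            runs.append(RunEntry(current_key, m.group(1), m.group(2)))
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(ServiceEntry(m.group(1), m.group(2), m.group(4),
                                         m.group(5) == 'x'))
    return runs, services


def looks_random(name):
    """Heuristic (mine): a 20+ character alphanumeric tail mixing letters and
    digits, like the NQtdP6TDS6... suffix on the values in this log."""
    m = RANDOM_TAIL_RE.search(name)
    if not m:
        return False
    tail = m.group()
    return any(c.isdigit() for c in tail) and any(c.isalpha() for c in tail)


def suspicious_run_entries(runs):
    """Run values worth a second look, each paired with the reasons."""
    hits = []
    for e in runs:
        target = e.target.lower()
        reasons = []
        if target.endswith('.lnk'):
            reasons.append('autostart target is a .lnk shortcut')
        if target.startswith('c:\\users\\'):
            reasons.append('target lives under a user profile')
        if looks_random(e.name):
            reasons.append('value name has a long random-looking suffix')
        if reasons:
            hits.append((e, reasons))
    return hits


def missing_image_drivers(services):
    """Service/driver names ComboFix marked [x]: registered, image missing."""
    return [s.name for s in services if s.missing]


def build_cfscript(run_hits, drivers):
    """Render the CFScript sections used in this thread: File:: for shortcut
    targets, Driver:: for orphaned drivers, Registry:: with "name"=- (REGEDIT4
    syntax) to delete the autostart values."""
    files = [e.target for e, _ in run_hits if e.target.lower().endswith('.lnk')]
    out = ['File::'] + files + ['', 'Driver::'] + list(drivers) + ['', 'Registry::']
    by_key = {}
    for e, _ in run_hits:
        by_key.setdefault(e.key, []).append(e.name)
    for key, names in by_key.items():
        out.append('[%s]' % key)
        out.extend('"%s"=-' % n for n in names)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    runs, services = parse_log(SAMPLE_LOG)
    hits = suspicious_run_entries(runs)
    for entry, reasons in hits:
        print('%s -> %s: %s' % (entry.name, entry.target, '; '.join(reasons)))
    print(build_cfscript(hits, missing_image_drivers(services)))
```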
  13. stijpn2012

    stijpn2012 Newcomer, in training Topic Starter Posts: 40

    ComboFix 12-01-11.01 - bbailey 01/12/2012 13:37:38.9.4 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2991.1576 [GMT 9:00]
    Running from: c:\combofix\ComboFix.exe
    Command switches used :: \\rn-fs2\Users$\bbailey\Desktop\CFScript.txt
    AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
    SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\users\bbailey\UserProfile\SystemBoot.lnk"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\AVAST Software
    c:\program files\AVAST Software\Avast\Setup\setup.ini
    c:\programdata\AVAST Software
    c:\users\bbailey\SoftRecovery
    c:\users\bbailey\SoftRecovery\RegWrite.lnk
    c:\users\bbailey\UserProfile
    c:\users\bbailey\UserProfile\htmlapp.exe
    c:\users\bbailey\UserProfile\SystemBoot.lnk
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_MPKSL32E3C7CB
    -------\Legacy_MPKSL3DCB8FF4
    -------\Legacy_MPKSL5FAD6417
    -------\Legacy_MPKSL6A02D7A0
    -------\Legacy_MPKSLEBA0C0BF
    -------\Legacy_MPKSLEDFC84EF
    -------\Legacy_MPKSLEEE50011
    -------\Legacy_MPKSLF6BCD812
    -------\Service_MpKsl32e3c7cb
    -------\Service_MpKsl3dcb8ff4
    -------\Service_MpKsl5fad6417
    -------\Service_MpKsl6a02d7a0
    -------\Service_MpKsleba0c0bf
    -------\Service_MpKsledfc84ef
    -------\Service_MpKsleee50011
    -------\Service_MpKslf6bcd812
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-12 to 2012-01-12 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-12 04:43 . 2012-01-12 04:46 -------- d-----w- c:\users\bbailey\AppData\Local\temp
    2012-01-12 04:43 . 2012-01-12 04:43 -------- d-----w- c:\users\Radisson\AppData\Local\temp
    2012-01-12 04:43 . 2012-01-12 04:43 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-12 04:43 . 2012-01-12 04:43 -------- d-----w- c:\users\administrator\AppData\Local\temp
    2012-01-12 03:19 . 2012-01-12 04:45 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4A3E672D-BABD-445D-B812-5178A4EF8919}\offreg.dll
    2012-01-11 17:17 . 2012-01-11 17:17 -------- d-----w- C:\HP_RECOVERY_mountHPSF
    2012-01-06 23:50 . 2011-12-10 06:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-06 23:50 . 2012-01-06 23:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-06 21:58 . 2012-01-06 21:58 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-01-06 14:24 . 2012-01-06 14:24 -------- d-----w- c:\program files\iPod
    2012-01-06 14:24 . 2012-01-06 14:25 -------- d-----w- c:\program files\iTunes
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
    2012-01-06 14:20 . 2012-01-06 14:20 -------- d-----w- c:\program files\QuickTime
    2012-01-05 23:47 . 2012-01-05 23:47 -------- d-----w- c:\users\bbailey\AppData\Roaming\GlarySoft
    2012-01-05 23:06 . 2012-01-05 23:06 -------- d-----w- c:\program files\WinASO
    2012-01-05 19:56 . 2012-01-05 19:56 -------- d-----w- c:\users\bbailey\AppData\Local\Apps
    2012-01-05 04:45 . 2012-01-05 04:45 -------- d-----w- c:\users\administrator\AppData\Local\Google
    2012-01-05 04:40 . 2012-01-05 04:40 -------- d-----w- c:\users\administrator\AppData\Roaming\hpqlog
    2012-01-05 04:39 . 2012-01-05 04:39 -------- d-----w- c:\users\administrator\AppData\Roaming\IObit
    2012-01-05 04:38 . 2012-01-05 04:38 -------- d-----w- c:\users\administrator\AppData\Roaming\Synaptics
    2012-01-05 04:30 . 2012-01-05 04:30 -------- d-----w- C:\a4a5b20479313b238579215fc2
    2012-01-02 23:43 . 2012-01-03 03:04 -------- d-----w- c:\program files\PC Tools Security
    2012-01-02 23:41 . 2012-01-02 23:52 -------- d-----w- c:\programdata\PC Tools
    2012-01-02 03:59 . 2012-01-02 04:14 -------- d-----w- c:\users\bbailey\AppData\Roaming\IObit
    2012-01-02 03:59 . 2012-01-02 03:59 -------- d-----w- c:\program files\IObit
    2012-01-02 03:35 . 2010-01-10 09:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
    2012-01-02 03:34 . 2012-01-05 04:51 -------- d-----w- c:\program files\SpywareBlaster
    2012-01-02 01:55 . 2012-01-02 01:55 -------- d-----w- c:\users\bbailey\AppData\Roaming\Malwarebytes
    2012-01-02 01:55 . 2012-01-02 01:55 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-31 09:36 . 2011-12-31 09:36 -------- d-----w- c:\users\bbailey\AppData\Roaming\Synaptics
    2011-12-30 23:39 . 2012-01-12 00:51 -------- d-----w- c:\users\bbailey\AppData\Local\PokerStars
    2011-12-30 23:38 . 2012-01-09 13:58 -------- d-----w- c:\program files\PokerStars
    2011-12-30 23:02 . 2011-12-30 23:02 -------- d-----w- c:\programdata\Synaptics
    2011-12-30 23:02 . 2011-03-31 10:30 218408 ----a-w- c:\windows\system32\SynCtrl.dll
    2011-12-30 23:02 . 2011-03-31 10:32 1335472 ----a-w- c:\windows\system32\drivers\SynTP.sys
    2011-12-30 23:02 . 2011-03-31 10:30 173352 ----a-w- c:\windows\system32\SynTPAPI.dll
    2011-12-30 23:02 . 2011-03-31 10:30 120104 ----a-w- c:\windows\system32\SynTPCo9.dll
    2011-12-29 03:50 . 2011-12-29 03:50 -------- d-----w- c:\users\bbailey\AppData\Local\Roxio
    2011-12-28 20:05 . 2012-01-05 04:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-12-28 20:05 . 2012-01-05 04:50 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-12-28 19:41 . 2011-12-28 19:41 2560 ----a-w- c:\windows\_MSRSTRT.EXE
    2011-12-28 19:37 . 2011-12-28 19:37 -------- d-----w- c:\program files\Panicware
    2011-12-28 19:18 . 2011-11-29 17:21 6823496 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4A3E672D-BABD-445D-B812-5178A4EF8919}\mpengine.dll
    2011-12-28 19:18 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-12-28 16:24 . 2011-12-28 16:24 -------- d-----w- c:\users\bbailey\AppData\Local\Downloaded Installations
    2011-12-28 16:22 . 2011-12-28 16:22 -------- d-----w- c:\program files\Common Files\Portrait Displays
    2011-12-28 16:21 . 2011-12-28 16:21 -------- d-----w- c:\users\bbailey\AppData\Roaming\Hewlett-Packard Company
    2011-12-28 16:18 . 2011-12-28 16:18 7435264 ----a-w- c:\windows\system32\drivers\NETwNs32.sys
    2011-12-28 16:18 . 2011-12-28 16:18 684032 ----a-w- c:\windows\system32\NETwNc32.dll
    2011-12-28 16:18 . 2011-12-28 16:18 2760704 ----a-w- c:\windows\system32\NETwNr32.dll
    2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\users\bbailey\AppData\Roaming\InstallShield
    2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\program files\Common Files\Roxio Shared
    2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\programdata\Uninstall
    2011-12-28 14:31 . 2012-01-11 17:00 -------- d-----w- c:\users\bbailey\AppData\Local\ElevatedDiagnostics
    2011-12-27 23:23 . 2011-12-27 23:23 -------- d-----w- c:\users\bbailey\AppData\Roaming\SumatraPDF
    2011-12-27 23:22 . 2011-12-27 23:22 1490 ----a-w- C:\user.js
    2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\users\bbailey\AppData\Roaming\Babylon
    2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\users\bbailey\AppData\Local\Babylon
    2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\programdata\Babylon
    2011-12-15 06:11 . 2011-11-24 04:25 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-12-15 06:10 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-15 06:08 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-15 06:08 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-05 03:07 . 2011-12-05 03:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-11-24 09:28 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-11-16 13:32 . 2011-11-16 13:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-24 05:29 . 2011-10-24 05:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 05:29 . 2011-10-24 05:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-15 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2010-04-05 186904]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-03-31 2221352]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-06-03 136216]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-06-03 171032]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-06-03 170008]
    "IMSS"="c:\program files\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [2009-11-04 111640]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-04-21 115560]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-01 59240]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "HPPowerAssistant"="c:\program files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe" [2011-08-17 14904]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-07 421736]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2012-01-08 495708]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-9-5 795936]
    Scrybe.lnk - c:\windows\Installer\{147DFAD8-34C3-4DE1-9FCA-ACEFDE9EF810}\NewShortcut11_8ACB210B42E44145A8C31F8E3DD765A3.exe [2011-12-31 45056]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "SoftwareSASGeneration"= 3 (0x3)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ DPPassFilter scecli
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 136176]
    R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]
    R2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-10-26 48640]
    R2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2009-10-29 47616]
    R2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2009-09-28 38912]
    R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2009-10-22 1639728]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 136176]
    R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2011-05-27 6758912]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-19 52224]
    S0 SafeBoot;SafeBoot; [x]
    S0 SbAlg;SbAlg; [x]
    S0 SbFsLock;SbFsLock; [x]
    S1 RsvLock;RsvLock; [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2012-01-08 81920]
    S2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [2011-08-17 133176]
    S2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [2010-10-19 32768]
    S2 Hp.Skyroom.Windows.Service;HP SkyRoom;c:\program files\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe [2009-11-20 124984]
    S2 HPDayStarterService;HP DayStarter Service;c:\program files\Hewlett-Packard\HP FastLook\HPDayStarterService.exe [2010-07-13 95800]
    S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-07-05 227384]
    S2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2009-11-11 277096]
    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-03-15 26168]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
    S2 rgsender;Remote Graphics Sender Service;c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe [2009-11-19 379904]
    S2 ScrybeUpdater;Scrybe Updater;c:\program files\Synaptics\Scrybe\Service\ScrybeUpdater.exe [2011-05-27 1300264]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-11-04 2320920]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-09-17 29472]
    S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2010-04-05 224424]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-08 106104]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 132480]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-02-04 232960]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
    S3 NETwNs32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2011-12-28 7435264]
    S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\DRIVERS\rismc32.sys [2009-07-20 49152]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 05:39]
    .
    2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 05:39]
    .
    2011-12-29 c:\windows\Tasks\HPCeeScheduleForbbailey.job
    - c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 11:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ninemsn.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 4.2.2.1
    DPF: {4E1318B0-53F0-4274-99FB-F5621625340D} - hxxp://rdnariw2k302/installOperaPrintCtrl.exe
    DPF: {DAAC8ECF-DB09-4821-8126-E2C9499A20BA} - hxxp://rdnariw2k302/installregterm.exe
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(700)
    c:\windows\system32\DPFPApi.DLL
    .
    - - - - - - - > 'Explorer.exe'(3836)
    c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\IDT\WDM\STacSV.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
    c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe
    c:\program files\LSI SoftModem\agrsmsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
    c:\program files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender.exe
    c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Authentication\Hp.SkyRoom.Windows.RgsPlugin.Authentication.exe
    c:\windows\system32\conhost.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Lens\Hp.SkyRoom.Windows.RgsPlugin.Lens.exe
    c:\windows\system32\conhost.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Licensing\Hp.SkyRoom.Windows.RgsPlugin.Licensing.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\taskhost.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender_gui.exe
    c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-12 13:50:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-12 04:50
    ComboFix2.txt 2012-01-12 04:09
    ComboFix3.txt 2012-01-12 00:37
    ComboFix4.txt 2012-01-11 22:57
    ComboFix5.txt 2012-01-12 04:36
    .
    Pre-Run: 167,174,021,120 bytes free
    Post-Run: 166,828,851,200 bytes free
    .
    - - End Of File - - 1F89E76BBD822241B92F5AB4E97FF8F6
  14. Broni

    Broni Malware Annihilator Posts: 46,321   +252

    How is the pop-up?
  15. stijpn2012

    stijpn2012 Newcomer, in training Topic Starter Posts: 40

    I just rebooted and the pop-up came back again :(
  16. Broni

    Broni Malware Annihilator Posts: 46,321   +252
