Inactive Malware virus won't remove

Status
Not open for further replies.
1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code: 
File::
c:\users\bbailey\UserProfile\SystemBoot.lnk
c:\users\bbailey\SoftRecovery\RegWrite.lnk



Folder::

Driver::
SafeBoot
SbAlg
SbFsLock
RsvLock


Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemBootNQtdP6TDS6cn0vSDlYFgIHWxSydqQbiS"=-
"RegWriteNQtdP6TDS6cn0vSDlYFgIHWxSydqQbiS"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
Have a problem after running combofix my PC won't log on saying "windows failed to start up" and asking me to start up in repair mode. I'm using my iPhone to send this
 
I only get to options 1) start up normally which won't work or 2) start up repair. Running the repair it said windows cannot repair just fyi
 
Hi again managed to log on using F8 and using last known restore point. Logged on & the PC went straight to combofix & is preparing the log report :)
 
ok back to normal, was worried there :)

ComboFix 12-01-10.02 - bbailey 01/12/2012 8:46.7.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2991.1729 [GMT 9:00]
Running from: c:\combofix\ComboFix.exe
Command switches used :: \\rn-fs2\Users$\bbailey\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Symantec Endpoint Protection *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\bbailey\SoftRecovery\RegWrite.lnk"
"c:\users\bbailey\UserProfile\SystemBoot.lnk"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\bbailey\SoftRecovery\RegWrite.lnk
c:\users\bbailey\UserProfile\SystemBoot.lnk
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_RSVLOCK
-------\Legacy_SBALG
-------\Legacy_SBFSLOCK
-------\Service_RsvLock
-------\Service_SafeBoot
-------\Service_SbAlg
-------\Service_SbFsLock
.
.
((((((((((((((((((((((((( Files Created from 2011-12-12 to 2012-01-12 )))))))))))))))))))))))))))))))
.
.
2012-01-11 23:52 . 2012-01-11 23:52 -------- d-----w- c:\users\Radisson\AppData\Local\temp
2012-01-11 23:52 . 2012-01-11 23:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-11 23:52 . 2012-01-11 23:52 -------- d-----w- c:\users\administrator\AppData\Local\temp
2012-01-11 20:02 . 2012-01-12 00:29 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4A3E672D-BABD-445D-B812-5178A4EF8919}\offreg.dll
2012-01-11 17:17 . 2012-01-11 17:17 -------- d-----w- C:\HP_RECOVERY_mountHPSF
2012-01-10 19:43 . 2012-01-12 00:32 -------- d-----w- c:\users\bbailey\AppData\Local\temp
2012-01-06 23:50 . 2011-12-10 06:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-06 23:50 . 2012-01-06 23:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-06 21:58 . 2012-01-06 21:58 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-01-06 14:24 . 2012-01-06 14:24 -------- d-----w- c:\program files\iPod
2012-01-06 14:24 . 2012-01-06 14:25 -------- d-----w- c:\program files\iTunes
2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2012-01-06 14:20 . 2012-01-06 14:20 -------- d-----w- c:\program files\QuickTime
2012-01-06 09:28 . 2012-01-06 09:53 -------- d-----w- c:\programdata\AVAST Software
2012-01-06 09:28 . 2012-01-06 09:28 -------- d-----w- c:\program files\AVAST Software
2012-01-05 23:47 . 2012-01-05 23:47 -------- d-----w- c:\users\bbailey\AppData\Roaming\GlarySoft
2012-01-05 23:06 . 2012-01-05 23:06 -------- d-----w- c:\program files\WinASO
2012-01-05 19:56 . 2012-01-05 19:56 -------- d-----w- c:\users\bbailey\AppData\Local\Apps
2012-01-05 04:45 . 2012-01-05 04:45 -------- d-----w- c:\users\administrator\AppData\Local\Google
2012-01-05 04:40 . 2012-01-05 04:40 -------- d-----w- c:\users\administrator\AppData\Roaming\hpqlog
2012-01-05 04:39 . 2012-01-05 04:39 -------- d-----w- c:\users\administrator\AppData\Roaming\IObit
2012-01-05 04:38 . 2012-01-05 04:38 -------- d-----w- c:\users\administrator\AppData\Roaming\Synaptics
2012-01-05 04:30 . 2012-01-05 04:30 -------- d-----w- C:\a4a5b20479313b238579215fc2
2012-01-02 23:43 . 2012-01-03 03:04 -------- d-----w- c:\program files\PC Tools Security
2012-01-02 23:41 . 2012-01-02 23:52 -------- d-----w- c:\programdata\PC Tools
2012-01-02 03:59 . 2012-01-02 04:14 -------- d-----w- c:\users\bbailey\AppData\Roaming\IObit
2012-01-02 03:59 . 2012-01-02 03:59 -------- d-----w- c:\program files\IObit
2012-01-02 03:35 . 2010-01-10 09:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2012-01-02 03:34 . 2012-01-05 04:51 -------- d-----w- c:\program files\SpywareBlaster
2012-01-02 01:55 . 2012-01-02 01:55 -------- d-----w- c:\users\bbailey\AppData\Roaming\Malwarebytes
2012-01-02 01:55 . 2012-01-02 01:55 -------- d-----w- c:\programdata\Malwarebytes
2011-12-31 09:36 . 2011-12-31 09:36 -------- d-----w- c:\users\bbailey\AppData\Roaming\Synaptics
2011-12-30 23:39 . 2012-01-11 21:29 -------- d-----w- c:\users\bbailey\AppData\Local\PokerStars
2011-12-30 23:38 . 2012-01-09 13:58 -------- d-----w- c:\program files\PokerStars
2011-12-30 23:02 . 2011-12-30 23:02 -------- d-----w- c:\programdata\Synaptics
2011-12-30 23:02 . 2011-03-31 10:30 218408 ----a-w- c:\windows\system32\SynCtrl.dll
2011-12-30 23:02 . 2011-03-31 10:32 1335472 ----a-w- c:\windows\system32\drivers\SynTP.sys
2011-12-30 23:02 . 2011-03-31 10:30 173352 ----a-w- c:\windows\system32\SynTPAPI.dll
2011-12-30 23:02 . 2011-03-31 10:30 120104 ----a-w- c:\windows\system32\SynTPCo9.dll
2011-12-29 03:50 . 2011-12-29 03:50 -------- d-----w- c:\users\bbailey\AppData\Local\Roxio
2011-12-28 20:05 . 2012-01-05 04:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-12-28 20:05 . 2012-01-05 04:50 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-28 19:41 . 2011-12-28 19:41 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2011-12-28 19:37 . 2011-12-28 19:37 -------- d-----w- c:\program files\Panicware
2011-12-28 19:18 . 2011-11-29 17:21 6823496 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4A3E672D-BABD-445D-B812-5178A4EF8919}\mpengine.dll
2011-12-28 19:18 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-12-28 16:24 . 2011-12-28 16:24 -------- d-----w- c:\users\bbailey\AppData\Local\Downloaded Installations
2011-12-28 16:22 . 2011-12-28 16:22 -------- d-----w- c:\program files\Common Files\Portrait Displays
2011-12-28 16:21 . 2011-12-28 16:21 -------- d-----w- c:\users\bbailey\AppData\Roaming\Hewlett-Packard Company
2011-12-28 16:18 . 2011-12-28 16:18 7435264 ----a-w- c:\windows\system32\drivers\NETwNs32.sys
2011-12-28 16:18 . 2011-12-28 16:18 684032 ----a-w- c:\windows\system32\NETwNc32.dll
2011-12-28 16:18 . 2011-12-28 16:18 2760704 ----a-w- c:\windows\system32\NETwNr32.dll
2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\users\bbailey\AppData\Roaming\InstallShield
2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\program files\Common Files\Roxio Shared
2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\programdata\Uninstall
2011-12-28 14:31 . 2012-01-11 17:00 -------- d-----w- c:\users\bbailey\AppData\Local\ElevatedDiagnostics
2011-12-27 23:23 . 2011-12-27 23:23 -------- d-----w- c:\users\bbailey\AppData\Roaming\SumatraPDF
2011-12-27 23:22 . 2011-12-27 23:22 1490 ----a-w- C:\user.js
2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\users\bbailey\AppData\Roaming\Babylon
2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\users\bbailey\AppData\Local\Babylon
2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\programdata\Babylon
2011-12-27 23:04 . 2012-01-11 23:52 -------- d--h--w- c:\users\bbailey\UserProfile
2011-12-27 23:04 . 2012-01-11 23:52 -------- d--h--w- c:\users\bbailey\SoftRecovery
2011-12-15 06:11 . 2011-11-24 04:25 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-12-15 06:10 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-15 06:08 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-15 06:08 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-05 03:07 . 2011-12-05 03:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-24 09:28 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-11-16 13:32 . 2011-11-16 13:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 05:29 . 2011-10-24 05:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 05:29 . 2011-10-24 05:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-15 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2010-04-05 186904]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-03-31 2221352]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-06-03 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-06-03 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-06-03 170008]
"IMSS"="c:\program files\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [2009-11-04 111640]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-04-21 115560]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-01 59240]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"HPPowerAssistant"="c:\program files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe" [2011-08-17 14904]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-07 421736]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2012-01-08 495708]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-9-5 795936]
Scrybe.lnk - c:\windows\Installer\{147DFAD8-34C3-4DE1-9FCA-ACEFDE9EF810}\NewShortcut11_8ACB210B42E44145A8C31F8E3DD765A3.exe [2011-12-31 45056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ DPPassFilter scecli
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 MpKsl32e3c7cb;MpKsl32e3c7cb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6839C83D-EE69-41E2-8E4C-DC7FAF42A1F5}\MpKsl32e3c7cb.sys [x]
R1 MpKsl3dcb8ff4;MpKsl3dcb8ff4;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{531D348C-33A2-48BA-9CCF-50D0BD38BBC9}\MpKsl3dcb8ff4.sys [x]
R1 MpKsl5fad6417;MpKsl5fad6417;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A65FA436-245B-432A-A60E-5123D8B17809}\MpKsl5fad6417.sys [x]
R1 MpKsl6a02d7a0;MpKsl6a02d7a0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6839C83D-EE69-41E2-8E4C-DC7FAF42A1F5}\MpKsl6a02d7a0.sys [x]
R1 MpKsleba0c0bf;MpKsleba0c0bf;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{39DB4C9C-805A-4EAE-AA68-B09ABDA1B971}\MpKsleba0c0bf.sys [x]
R1 MpKsledfc84ef;MpKsledfc84ef;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{972F4AEC-8798-434E-BA50-9C931C86E223}\MpKsledfc84ef.sys [x]
R1 MpKsleee50011;MpKsleee50011;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9765E7B4-97F9-4B37-A695-C6A31DA655D1}\MpKsleee50011.sys [x]
R1 MpKslf6bcd812;MpKslf6bcd812;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A65FA436-245B-432A-A60E-5123D8B17809}\MpKslf6bcd812.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 136176]
R2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-10-26 48640]
R2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2009-10-29 47616]
R2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2009-09-28 38912]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 136176]
R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2011-05-27 6758912]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2012-01-08 81920]
S2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [2011-08-17 133176]
S2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [2010-10-19 32768]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]
S2 Hp.Skyroom.Windows.Service;HP SkyRoom;c:\program files\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe [2009-11-20 124984]
S2 HPDayStarterService;HP DayStarter Service;c:\program files\Hewlett-Packard\HP FastLook\HPDayStarterService.exe [2010-07-13 95800]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-07-05 227384]
S2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2009-11-11 277096]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-03-15 26168]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
S2 rgsender;Remote Graphics Sender Service;c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe [2009-11-19 379904]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-09-17 29472]
S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2010-04-05 224424]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-08 106104]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 132480]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-02-04 232960]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 NETwNs32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2011-12-28 7435264]
S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\DRIVERS\rismc32.sys [2009-07-20 49152]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 05:39]
.
2012-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 05:39]
.
2011-12-29 c:\windows\Tasks\HPCeeScheduleForbbailey.job
- c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 11:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ninemsn.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 4.2.2.1
DPF: {4E1318B0-53F0-4274-99FB-F5621625340D} - hxxp://rdnariw2k302/installOperaPrintCtrl.exe
DPF: {DAAC8ECF-DB09-4821-8126-E2C9499A20BA} - hxxp://rdnariw2k302/installregterm.exe
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(640)
c:\windows\system32\DPFPApi.DLL
.
- - - - - - - > 'Explorer.exe'(5292)
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\IDT\WDM\STacSV.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\program files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
c:\program files\Synaptics\Scrybe\Service\ScrybeUpdater.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Authentication\Hp.SkyRoom.Windows.RgsPlugin.Authentication.exe
c:\windows\system32\conhost.exe
c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Lens\Hp.SkyRoom.Windows.RgsPlugin.Lens.exe
c:\windows\system32\conhost.exe
c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Licensing\Hp.SkyRoom.Windows.RgsPlugin.Licensing.exe
c:\windows\system32\conhost.exe
c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
c:\windows\system32\taskhost.exe
c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender_gui.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-01-12 09:37:09 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-12 00:37
ComboFix2.txt 2012-01-11 22:57
ComboFix3.txt 2012-01-11 19:00
ComboFix4.txt 2012-01-10 19:43
ComboFix5.txt 2012-01-11 23:43
.
Pre-Run: 167,649,124,352 bytes free
Post-Run: 167,357,329,408 bytes free
.
- - End Of File - - E17AE34E0D90C10A59F16A7C29395433
 
Just rebooted and yes the pop up was there again. Also i had trouble with the start up again with a error message "windows failed to start up". I had to log in under F8 - Last know good config to get back in. The repair failed to fix this issue before and advance settings said there was a "Root Causes - 1" and it was System Disk/device/hard disk just FYI
 
We'll reset your MBR...

Please Boot to the System Recovery Options
If you have Windows 7 installation disc, just insert a DVD to the drive, restart computer and it should load automatically (option two presented in the article).
It's possible also that your computer has a pre-installed recovery partition instead - in such a case use a method one (by pressing F8 before Windows starts loading)...

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Choose Command Prompt
You should see X:\SOURCES>...

Execute the following commands in bold.
Press Enter after every one of them.

bootrec /fixmbr (<--- there is a "space" after "bootrec")

bootrec /fixboot (<--- there is a "space" after "bootrec")

exit

Restart computer.

Re-run Combofix.
 
I don't have the Windows 7 installation disk and looks like i don't have a pre-installed recovery partition as when i pressed F8 i didn't get those options. I have been able to reboot a number of times without any issues recently.

Should i just re-run combofix?
 
ComboFix 12-01-11.01 - bbailey 01/12/2012 12:54:47.8.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2991.1707 [GMT 9:00]
Running from: c:\combofix\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-12 to 2012-01-12 )))))))))))))))))))))))))))))))
.
.
2012-01-12 04:01 . 2012-01-12 04:01 -------- d-----w- c:\users\Radisson\AppData\Local\temp
2012-01-12 04:01 . 2012-01-12 04:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-12 04:01 . 2012-01-12 04:01 -------- d-----w- c:\users\administrator\AppData\Local\temp
2012-01-12 03:19 . 2012-01-12 04:04 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4A3E672D-BABD-445D-B812-5178A4EF8919}\offreg.dll
2012-01-11 17:17 . 2012-01-11 17:17 -------- d-----w- C:\HP_RECOVERY_mountHPSF
2012-01-10 19:43 . 2012-01-12 04:04 -------- d-----w- c:\users\bbailey\AppData\Local\temp
2012-01-06 23:50 . 2011-12-10 06:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-06 23:50 . 2012-01-06 23:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-06 21:58 . 2012-01-06 21:58 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-01-06 14:24 . 2012-01-06 14:24 -------- d-----w- c:\program files\iPod
2012-01-06 14:24 . 2012-01-06 14:25 -------- d-----w- c:\program files\iTunes
2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2012-01-06 14:20 . 2012-01-06 14:20 -------- d-----w- c:\program files\QuickTime
2012-01-06 09:28 . 2012-01-06 09:53 -------- d-----w- c:\programdata\AVAST Software
2012-01-06 09:28 . 2012-01-06 09:28 -------- d-----w- c:\program files\AVAST Software
2012-01-05 23:47 . 2012-01-05 23:47 -------- d-----w- c:\users\bbailey\AppData\Roaming\GlarySoft
2012-01-05 23:06 . 2012-01-05 23:06 -------- d-----w- c:\program files\WinASO
2012-01-05 19:56 . 2012-01-05 19:56 -------- d-----w- c:\users\bbailey\AppData\Local\Apps
2012-01-05 04:45 . 2012-01-05 04:45 -------- d-----w- c:\users\administrator\AppData\Local\Google
2012-01-05 04:40 . 2012-01-05 04:40 -------- d-----w- c:\users\administrator\AppData\Roaming\hpqlog
2012-01-05 04:39 . 2012-01-05 04:39 -------- d-----w- c:\users\administrator\AppData\Roaming\IObit
2012-01-05 04:38 . 2012-01-05 04:38 -------- d-----w- c:\users\administrator\AppData\Roaming\Synaptics
2012-01-05 04:30 . 2012-01-05 04:30 -------- d-----w- C:\a4a5b20479313b238579215fc2
2012-01-02 23:43 . 2012-01-03 03:04 -------- d-----w- c:\program files\PC Tools Security
2012-01-02 23:41 . 2012-01-02 23:52 -------- d-----w- c:\programdata\PC Tools
2012-01-02 03:59 . 2012-01-02 04:14 -------- d-----w- c:\users\bbailey\AppData\Roaming\IObit
2012-01-02 03:59 . 2012-01-02 03:59 -------- d-----w- c:\program files\IObit
2012-01-02 03:35 . 2010-01-10 09:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2012-01-02 03:34 . 2012-01-05 04:51 -------- d-----w- c:\program files\SpywareBlaster
2012-01-02 01:55 . 2012-01-02 01:55 -------- d-----w- c:\users\bbailey\AppData\Roaming\Malwarebytes
2012-01-02 01:55 . 2012-01-02 01:55 -------- d-----w- c:\programdata\Malwarebytes
2011-12-31 09:36 . 2011-12-31 09:36 -------- d-----w- c:\users\bbailey\AppData\Roaming\Synaptics
2011-12-30 23:39 . 2012-01-12 00:51 -------- d-----w- c:\users\bbailey\AppData\Local\PokerStars
2011-12-30 23:38 . 2012-01-09 13:58 -------- d-----w- c:\program files\PokerStars
2011-12-30 23:02 . 2011-12-30 23:02 -------- d-----w- c:\programdata\Synaptics
2011-12-30 23:02 . 2011-03-31 10:30 218408 ----a-w- c:\windows\system32\SynCtrl.dll
2011-12-30 23:02 . 2011-03-31 10:32 1335472 ----a-w- c:\windows\system32\drivers\SynTP.sys
2011-12-30 23:02 . 2011-03-31 10:30 173352 ----a-w- c:\windows\system32\SynTPAPI.dll
2011-12-30 23:02 . 2011-03-31 10:30 120104 ----a-w- c:\windows\system32\SynTPCo9.dll
2011-12-29 03:50 . 2011-12-29 03:50 -------- d-----w- c:\users\bbailey\AppData\Local\Roxio
2011-12-28 20:05 . 2012-01-05 04:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-12-28 20:05 . 2012-01-05 04:50 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-28 19:41 . 2011-12-28 19:41 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2011-12-28 19:37 . 2011-12-28 19:37 -------- d-----w- c:\program files\Panicware
2011-12-28 19:18 . 2011-11-29 17:21 6823496 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4A3E672D-BABD-445D-B812-5178A4EF8919}\mpengine.dll
2011-12-28 19:18 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-12-28 16:24 . 2011-12-28 16:24 -------- d-----w- c:\users\bbailey\AppData\Local\Downloaded Installations
2011-12-28 16:22 . 2011-12-28 16:22 -------- d-----w- c:\program files\Common Files\Portrait Displays
2011-12-28 16:21 . 2011-12-28 16:21 -------- d-----w- c:\users\bbailey\AppData\Roaming\Hewlett-Packard Company
2011-12-28 16:18 . 2011-12-28 16:18 7435264 ----a-w- c:\windows\system32\drivers\NETwNs32.sys
2011-12-28 16:18 . 2011-12-28 16:18 684032 ----a-w- c:\windows\system32\NETwNc32.dll
2011-12-28 16:18 . 2011-12-28 16:18 2760704 ----a-w- c:\windows\system32\NETwNr32.dll
2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\users\bbailey\AppData\Roaming\InstallShield
2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\program files\Common Files\Roxio Shared
2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\programdata\Uninstall
2011-12-28 14:31 . 2012-01-11 17:00 -------- d-----w- c:\users\bbailey\AppData\Local\ElevatedDiagnostics
2011-12-27 23:23 . 2011-12-27 23:23 -------- d-----w- c:\users\bbailey\AppData\Roaming\SumatraPDF
2011-12-27 23:22 . 2011-12-27 23:22 1490 ----a-w- C:\user.js
2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\users\bbailey\AppData\Roaming\Babylon
2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\users\bbailey\AppData\Local\Babylon
2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\programdata\Babylon
2011-12-27 23:04 . 2012-01-12 00:53 -------- d--h--w- c:\users\bbailey\UserProfile
2011-12-27 23:04 . 2012-01-12 00:53 -------- d--h--w- c:\users\bbailey\SoftRecovery
2011-12-15 06:11 . 2011-11-24 04:25 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-12-15 06:10 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-15 06:08 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-15 06:08 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-05 03:07 . 2011-12-05 03:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-24 09:28 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-11-16 13:32 . 2011-11-16 13:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 05:29 . 2011-10-24 05:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 05:29 . 2011-10-24 05:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-15 39408]
"SystemBootNQtdP6TDS6cn0vSDlYFgIHWxSydqQbiS"="c:\users\bbailey\UserProfile\SystemBoot.lnk" [2012-01-12 882]
"RegWriteNQtdP6TDS6cn0vSDlYFgIHWxSydqQbiS"="c:\users\bbailey\SoftRecovery\RegWrite.lnk" [2012-01-12 990]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2010-04-05 186904]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-03-31 2221352]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-06-03 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-06-03 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-06-03 170008]
"IMSS"="c:\program files\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [2009-11-04 111640]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-04-21 115560]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-01 59240]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"HPPowerAssistant"="c:\program files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe" [2011-08-17 14904]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-07 421736]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2012-01-08 495708]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-9-5 795936]
Scrybe.lnk - c:\windows\Installer\{147DFAD8-34C3-4DE1-9FCA-ACEFDE9EF810}\NewShortcut11_8ACB210B42E44145A8C31F8E3DD765A3.exe [2011-12-31 45056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ DPPassFilter scecli
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R1 MpKsl32e3c7cb;MpKsl32e3c7cb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6839C83D-EE69-41E2-8E4C-DC7FAF42A1F5}\MpKsl32e3c7cb.sys [x]
R1 MpKsl3dcb8ff4;MpKsl3dcb8ff4;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{531D348C-33A2-48BA-9CCF-50D0BD38BBC9}\MpKsl3dcb8ff4.sys [x]
R1 MpKsl5fad6417;MpKsl5fad6417;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A65FA436-245B-432A-A60E-5123D8B17809}\MpKsl5fad6417.sys [x]
R1 MpKsl6a02d7a0;MpKsl6a02d7a0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6839C83D-EE69-41E2-8E4C-DC7FAF42A1F5}\MpKsl6a02d7a0.sys [x]
R1 MpKsleba0c0bf;MpKsleba0c0bf;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{39DB4C9C-805A-4EAE-AA68-B09ABDA1B971}\MpKsleba0c0bf.sys [x]
R1 MpKsledfc84ef;MpKsledfc84ef;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{972F4AEC-8798-434E-BA50-9C931C86E223}\MpKsledfc84ef.sys [x]
R1 MpKsleee50011;MpKsleee50011;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9765E7B4-97F9-4B37-A695-C6A31DA655D1}\MpKsleee50011.sys [x]
R1 MpKslf6bcd812;MpKslf6bcd812;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A65FA436-245B-432A-A60E-5123D8B17809}\MpKslf6bcd812.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 136176]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]
R2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-10-26 48640]
R2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2009-10-29 47616]
R2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2009-09-28 38912]
R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2009-10-22 1639728]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 136176]
R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2011-05-27 6758912]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-19 52224]
S0 SafeBoot;SafeBoot; [x]
S0 SbAlg;SbAlg; [x]
S0 SbFsLock;SbFsLock; [x]
S1 RsvLock;RsvLock; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2012-01-08 81920]
S2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [2011-08-17 133176]
S2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [2010-10-19 32768]
S2 Hp.Skyroom.Windows.Service;HP SkyRoom;c:\program files\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe [2009-11-20 124984]
S2 HPDayStarterService;HP DayStarter Service;c:\program files\Hewlett-Packard\HP FastLook\HPDayStarterService.exe [2010-07-13 95800]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-07-05 227384]
S2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2009-11-11 277096]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-03-15 26168]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
S2 rgsender;Remote Graphics Sender Service;c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe [2009-11-19 379904]
S2 ScrybeUpdater;Scrybe Updater;c:\program files\Synaptics\Scrybe\Service\ScrybeUpdater.exe [2011-05-27 1300264]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-11-04 2320920]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-09-17 29472]
S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2010-04-05 224424]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-08 106104]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 132480]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-02-04 232960]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 NETwNs32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2011-12-28 7435264]
S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\DRIVERS\rismc32.sys [2009-07-20 49152]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 05:39]
.
2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 05:39]
.
2011-12-29 c:\windows\Tasks\HPCeeScheduleForbbailey.job
- c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 11:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ninemsn.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 4.2.2.1
DPF: {4E1318B0-53F0-4274-99FB-F5621625340D} - hxxp://rdnariw2k302/installOperaPrintCtrl.exe
DPF: {DAAC8ECF-DB09-4821-8126-E2C9499A20BA} - hxxp://rdnariw2k302/installregterm.exe
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(640)
c:\windows\system32\DPFPApi.DLL
.
- - - - - - - > 'Explorer.exe'(5124)
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\IDT\WDM\STacSV.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\program files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender.exe
c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Authentication\Hp.SkyRoom.Windows.RgsPlugin.Authentication.exe
c:\windows\system32\conhost.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Lens\Hp.SkyRoom.Windows.RgsPlugin.Lens.exe
c:\windows\system32\conhost.exe
c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Licensing\Hp.SkyRoom.Windows.RgsPlugin.Licensing.exe
c:\windows\system32\conhost.exe
c:\windows\system32\taskhost.exe
c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender_gui.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-01-12 13:09:28 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-12 04:09
ComboFix2.txt 2012-01-12 00:37
ComboFix3.txt 2012-01-11 22:57
ComboFix4.txt 2012-01-11 19:00
ComboFix5.txt 2012-01-12 03:52
.
Pre-Run: 167,108,362,240 bytes free
Post-Run: 167,092,195,328 bytes free
.
- - End Of File - - E0638203FE656A25F18B82CC55F622B4
 
1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code: 
File::
c:\users\bbailey\UserProfile\SystemBoot.lnk


Folder::
c:\programdata\AVAST Software
c:\program files\AVAST Software
c:\users\bbailey\SoftRecovery
c:\users\bbailey\UserProfile

Driver::
MpKslf6bcd812
MpKsleee50011
MpKsledfc84ef
MpKsleba0c0bf
MpKsl6a02d7a0
MpKsl5fad6417
MpKsl3dcb8ff4
MpKsl32e3c7cb

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemBootNQtdP6TDS6cn0vSDlYFgIHWxSydqQbiS"=-
"RegWriteNQtdP6TDS6cn0vSDlYFgIHWxSydqQbiS"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
ComboFix 12-01-11.01 - bbailey 01/12/2012 13:37:38.9.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2991.1576 [GMT 9:00]
Running from: c:\combofix\ComboFix.exe
Command switches used :: \\rn-fs2\Users$\bbailey\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\bbailey\UserProfile\SystemBoot.lnk"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\AVAST Software
c:\program files\AVAST Software\Avast\Setup\setup.ini
c:\programdata\AVAST Software
c:\users\bbailey\SoftRecovery
c:\users\bbailey\SoftRecovery\RegWrite.lnk
c:\users\bbailey\UserProfile
c:\users\bbailey\UserProfile\htmlapp.exe
c:\users\bbailey\UserProfile\SystemBoot.lnk
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MPKSL32E3C7CB
-------\Legacy_MPKSL3DCB8FF4
-------\Legacy_MPKSL5FAD6417
-------\Legacy_MPKSL6A02D7A0
-------\Legacy_MPKSLEBA0C0BF
-------\Legacy_MPKSLEDFC84EF
-------\Legacy_MPKSLEEE50011
-------\Legacy_MPKSLF6BCD812
-------\Service_MpKsl32e3c7cb
-------\Service_MpKsl3dcb8ff4
-------\Service_MpKsl5fad6417
-------\Service_MpKsl6a02d7a0
-------\Service_MpKsleba0c0bf
-------\Service_MpKsledfc84ef
-------\Service_MpKsleee50011
-------\Service_MpKslf6bcd812
.
.
((((((((((((((((((((((((( Files Created from 2011-12-12 to 2012-01-12 )))))))))))))))))))))))))))))))
.
.
2012-01-12 04:43 . 2012-01-12 04:46 -------- d-----w- c:\users\bbailey\AppData\Local\temp
2012-01-12 04:43 . 2012-01-12 04:43 -------- d-----w- c:\users\Radisson\AppData\Local\temp
2012-01-12 04:43 . 2012-01-12 04:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-12 04:43 . 2012-01-12 04:43 -------- d-----w- c:\users\administrator\AppData\Local\temp
2012-01-12 03:19 . 2012-01-12 04:45 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4A3E672D-BABD-445D-B812-5178A4EF8919}\offreg.dll
2012-01-11 17:17 . 2012-01-11 17:17 -------- d-----w- C:\HP_RECOVERY_mountHPSF
2012-01-06 23:50 . 2011-12-10 06:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-06 23:50 . 2012-01-06 23:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-06 21:58 . 2012-01-06 21:58 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-01-06 14:24 . 2012-01-06 14:24 -------- d-----w- c:\program files\iPod
2012-01-06 14:24 . 2012-01-06 14:25 -------- d-----w- c:\program files\iTunes
2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2012-01-06 14:20 . 2012-01-06 14:20 -------- d-----w- c:\program files\QuickTime
2012-01-05 23:47 . 2012-01-05 23:47 -------- d-----w- c:\users\bbailey\AppData\Roaming\GlarySoft
2012-01-05 23:06 . 2012-01-05 23:06 -------- d-----w- c:\program files\WinASO
2012-01-05 19:56 . 2012-01-05 19:56 -------- d-----w- c:\users\bbailey\AppData\Local\Apps
2012-01-05 04:45 . 2012-01-05 04:45 -------- d-----w- c:\users\administrator\AppData\Local\Google
2012-01-05 04:40 . 2012-01-05 04:40 -------- d-----w- c:\users\administrator\AppData\Roaming\hpqlog
2012-01-05 04:39 . 2012-01-05 04:39 -------- d-----w- c:\users\administrator\AppData\Roaming\IObit
2012-01-05 04:38 . 2012-01-05 04:38 -------- d-----w- c:\users\administrator\AppData\Roaming\Synaptics
2012-01-05 04:30 . 2012-01-05 04:30 -------- d-----w- C:\a4a5b20479313b238579215fc2
2012-01-02 23:43 . 2012-01-03 03:04 -------- d-----w- c:\program files\PC Tools Security
2012-01-02 23:41 . 2012-01-02 23:52 -------- d-----w- c:\programdata\PC Tools
2012-01-02 03:59 . 2012-01-02 04:14 -------- d-----w- c:\users\bbailey\AppData\Roaming\IObit
2012-01-02 03:59 . 2012-01-02 03:59 -------- d-----w- c:\program files\IObit
2012-01-02 03:35 . 2010-01-10 09:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2012-01-02 03:34 . 2012-01-05 04:51 -------- d-----w- c:\program files\SpywareBlaster
2012-01-02 01:55 . 2012-01-02 01:55 -------- d-----w- c:\users\bbailey\AppData\Roaming\Malwarebytes
2012-01-02 01:55 . 2012-01-02 01:55 -------- d-----w- c:\programdata\Malwarebytes
2011-12-31 09:36 . 2011-12-31 09:36 -------- d-----w- c:\users\bbailey\AppData\Roaming\Synaptics
2011-12-30 23:39 . 2012-01-12 00:51 -------- d-----w- c:\users\bbailey\AppData\Local\PokerStars
2011-12-30 23:38 . 2012-01-09 13:58 -------- d-----w- c:\program files\PokerStars
2011-12-30 23:02 . 2011-12-30 23:02 -------- d-----w- c:\programdata\Synaptics
2011-12-30 23:02 . 2011-03-31 10:30 218408 ----a-w- c:\windows\system32\SynCtrl.dll
2011-12-30 23:02 . 2011-03-31 10:32 1335472 ----a-w- c:\windows\system32\drivers\SynTP.sys
2011-12-30 23:02 . 2011-03-31 10:30 173352 ----a-w- c:\windows\system32\SynTPAPI.dll
2011-12-30 23:02 . 2011-03-31 10:30 120104 ----a-w- c:\windows\system32\SynTPCo9.dll
2011-12-29 03:50 . 2011-12-29 03:50 -------- d-----w- c:\users\bbailey\AppData\Local\Roxio
2011-12-28 20:05 . 2012-01-05 04:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-12-28 20:05 . 2012-01-05 04:50 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-28 19:41 . 2011-12-28 19:41 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2011-12-28 19:37 . 2011-12-28 19:37 -------- d-----w- c:\program files\Panicware
2011-12-28 19:18 . 2011-11-29 17:21 6823496 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4A3E672D-BABD-445D-B812-5178A4EF8919}\mpengine.dll
2011-12-28 19:18 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-12-28 16:24 . 2011-12-28 16:24 -------- d-----w- c:\users\bbailey\AppData\Local\Downloaded Installations
2011-12-28 16:22 . 2011-12-28 16:22 -------- d-----w- c:\program files\Common Files\Portrait Displays
2011-12-28 16:21 . 2011-12-28 16:21 -------- d-----w- c:\users\bbailey\AppData\Roaming\Hewlett-Packard Company
2011-12-28 16:18 . 2011-12-28 16:18 7435264 ----a-w- c:\windows\system32\drivers\NETwNs32.sys
2011-12-28 16:18 . 2011-12-28 16:18 684032 ----a-w- c:\windows\system32\NETwNc32.dll
2011-12-28 16:18 . 2011-12-28 16:18 2760704 ----a-w- c:\windows\system32\NETwNr32.dll
2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\users\bbailey\AppData\Roaming\InstallShield
2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\program files\Common Files\Roxio Shared
2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\programdata\Uninstall
2011-12-28 14:31 . 2012-01-11 17:00 -------- d-----w- c:\users\bbailey\AppData\Local\ElevatedDiagnostics
2011-12-27 23:23 . 2011-12-27 23:23 -------- d-----w- c:\users\bbailey\AppData\Roaming\SumatraPDF
2011-12-27 23:22 . 2011-12-27 23:22 1490 ----a-w- C:\user.js
2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\users\bbailey\AppData\Roaming\Babylon
2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\users\bbailey\AppData\Local\Babylon
2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\programdata\Babylon
2011-12-15 06:11 . 2011-11-24 04:25 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-12-15 06:10 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-15 06:08 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-15 06:08 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-05 03:07 . 2011-12-05 03:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-24 09:28 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-11-16 13:32 . 2011-11-16 13:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 05:29 . 2011-10-24 05:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 05:29 . 2011-10-24 05:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-15 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2010-04-05 186904]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-03-31 2221352]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-06-03 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-06-03 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-06-03 170008]
"IMSS"="c:\program files\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [2009-11-04 111640]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-04-21 115560]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-01 59240]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"HPPowerAssistant"="c:\program files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe" [2011-08-17 14904]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-07 421736]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2012-01-08 495708]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-9-5 795936]
Scrybe.lnk - c:\windows\Installer\{147DFAD8-34C3-4DE1-9FCA-ACEFDE9EF810}\NewShortcut11_8ACB210B42E44145A8C31F8E3DD765A3.exe [2011-12-31 45056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ DPPassFilter scecli
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 136176]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]
R2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-10-26 48640]
R2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2009-10-29 47616]
R2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2009-09-28 38912]
R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2009-10-22 1639728]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 136176]
R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2011-05-27 6758912]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-19 52224]
S0 SafeBoot;SafeBoot; [x]
S0 SbAlg;SbAlg; [x]
S0 SbFsLock;SbFsLock; [x]
S1 RsvLock;RsvLock; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2012-01-08 81920]
S2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [2011-08-17 133176]
S2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [2010-10-19 32768]
S2 Hp.Skyroom.Windows.Service;HP SkyRoom;c:\program files\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe [2009-11-20 124984]
S2 HPDayStarterService;HP DayStarter Service;c:\program files\Hewlett-Packard\HP FastLook\HPDayStarterService.exe [2010-07-13 95800]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-07-05 227384]
S2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2009-11-11 277096]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-03-15 26168]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
S2 rgsender;Remote Graphics Sender Service;c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe [2009-11-19 379904]
S2 ScrybeUpdater;Scrybe Updater;c:\program files\Synaptics\Scrybe\Service\ScrybeUpdater.exe [2011-05-27 1300264]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-11-04 2320920]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-09-17 29472]
S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2010-04-05 224424]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-08 106104]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 132480]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-02-04 232960]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 NETwNs32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2011-12-28 7435264]
S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\DRIVERS\rismc32.sys [2009-07-20 49152]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 05:39]
.
2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 05:39]
.
2011-12-29 c:\windows\Tasks\HPCeeScheduleForbbailey.job
- c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 11:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ninemsn.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 4.2.2.1
DPF: {4E1318B0-53F0-4274-99FB-F5621625340D} - hxxp://rdnariw2k302/installOperaPrintCtrl.exe
DPF: {DAAC8ECF-DB09-4821-8126-E2C9499A20BA} - hxxp://rdnariw2k302/installregterm.exe
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(700)
c:\windows\system32\DPFPApi.DLL
.
- - - - - - - > 'Explorer.exe'(3836)
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\IDT\WDM\STacSV.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\program files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Authentication\Hp.SkyRoom.Windows.RgsPlugin.Authentication.exe
c:\windows\system32\conhost.exe
c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Lens\Hp.SkyRoom.Windows.RgsPlugin.Lens.exe
c:\windows\system32\conhost.exe
c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Licensing\Hp.SkyRoom.Windows.RgsPlugin.Licensing.exe
c:\windows\system32\conhost.exe
c:\windows\system32\taskhost.exe
c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender_gui.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-01-12 13:50:46 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-12 04:50
ComboFix2.txt 2012-01-12 04:09
ComboFix3.txt 2012-01-12 00:37
ComboFix4.txt 2012-01-11 22:57
ComboFix5.txt 2012-01-12 04:36
.
Pre-Run: 167,174,021,120 bytes free
Post-Run: 166,828,851,200 bytes free
.
- - End Of File - - 1F89E76BBD822241B92F5AB4E97FF8F6
 
Status
Not open for further replies.

Similar threads

uber_beetle
Infected with fake ad pop-ups - posting FRST and Addition
Replies
12
Views
796
uber_beetle
uber_beetle
A
Infected: Antivirus says it's Trojan:Script/Wacatac.H!ml
Replies
12
Views
2K
adidaman27
A
wshknwntlprtmn
  • Locked
Inactive Not sure what's going on here....
Replies
12
Views
2K
Broni
Broni

Latest posts

Back