Malware virus won't remove

Discussion in 'Virus and Malware Removal' started by stijpn2012, Jan 9, 2012.

  1. stijpn2012 Newcomer, in training Posts: 40

    ComboFix 12-01-11.01 - bbailey 01/12/2012 12:54:47.8.4 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2991.1707 [GMT 9:00]
    Running from: c:\combofix\ComboFix.exe
    AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
    SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    Infected copy of c:\windows\system32\userinit.exe was found and disinfected
    Restored copy from - c:\windows\ERDNT\cache\userinit.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-12 to 2012-01-12 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-12 04:01 . 2012-01-12 04:01 -------- d-----w- c:\users\Radisson\AppData\Local\temp
    2012-01-12 04:01 . 2012-01-12 04:01 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-12 04:01 . 2012-01-12 04:01 -------- d-----w- c:\users\administrator\AppData\Local\temp
    2012-01-12 03:19 . 2012-01-12 04:04 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4A3E672D-BABD-445D-B812-5178A4EF8919}\offreg.dll
    2012-01-11 17:17 . 2012-01-11 17:17 -------- d-----w- C:\HP_RECOVERY_mountHPSF
    2012-01-10 19:43 . 2012-01-12 04:04 -------- d-----w- c:\users\bbailey\AppData\Local\temp
    2012-01-06 23:50 . 2011-12-10 06:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-06 23:50 . 2012-01-06 23:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-06 21:58 . 2012-01-06 21:58 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-01-06 14:24 . 2012-01-06 14:24 -------- d-----w- c:\program files\iPod
    2012-01-06 14:24 . 2012-01-06 14:25 -------- d-----w- c:\program files\iTunes
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
    2012-01-06 14:20 . 2012-01-06 14:20 -------- d-----w- c:\program files\QuickTime
    2012-01-06 09:28 . 2012-01-06 09:53 -------- d-----w- c:\programdata\AVAST Software
    2012-01-06 09:28 . 2012-01-06 09:28 -------- d-----w- c:\program files\AVAST Software
    2012-01-05 23:47 . 2012-01-05 23:47 -------- d-----w- c:\users\bbailey\AppData\Roaming\GlarySoft
    2012-01-05 23:06 . 2012-01-05 23:06 -------- d-----w- c:\program files\WinASO
    2012-01-05 19:56 . 2012-01-05 19:56 -------- d-----w- c:\users\bbailey\AppData\Local\Apps
    2012-01-05 04:45 . 2012-01-05 04:45 -------- d-----w- c:\users\administrator\AppData\Local\Google
    2012-01-05 04:40 . 2012-01-05 04:40 -------- d-----w- c:\users\administrator\AppData\Roaming\hpqlog
    2012-01-05 04:39 . 2012-01-05 04:39 -------- d-----w- c:\users\administrator\AppData\Roaming\IObit
    2012-01-05 04:38 . 2012-01-05 04:38 -------- d-----w- c:\users\administrator\AppData\Roaming\Synaptics
    2012-01-05 04:30 . 2012-01-05 04:30 -------- d-----w- C:\a4a5b20479313b238579215fc2
    2012-01-02 23:43 . 2012-01-03 03:04 -------- d-----w- c:\program files\PC Tools Security
    2012-01-02 23:41 . 2012-01-02 23:52 -------- d-----w- c:\programdata\PC Tools
    2012-01-02 03:59 . 2012-01-02 04:14 -------- d-----w- c:\users\bbailey\AppData\Roaming\IObit
    2012-01-02 03:59 . 2012-01-02 03:59 -------- d-----w- c:\program files\IObit
    2012-01-02 03:35 . 2010-01-10 09:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
    2012-01-02 03:34 . 2012-01-05 04:51 -------- d-----w- c:\program files\SpywareBlaster
    2012-01-02 01:55 . 2012-01-02 01:55 -------- d-----w- c:\users\bbailey\AppData\Roaming\Malwarebytes
    2012-01-02 01:55 . 2012-01-02 01:55 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-31 09:36 . 2011-12-31 09:36 -------- d-----w- c:\users\bbailey\AppData\Roaming\Synaptics
    2011-12-30 23:39 . 2012-01-12 00:51 -------- d-----w- c:\users\bbailey\AppData\Local\PokerStars
    2011-12-30 23:38 . 2012-01-09 13:58 -------- d-----w- c:\program files\PokerStars
    2011-12-30 23:02 . 2011-12-30 23:02 -------- d-----w- c:\programdata\Synaptics
    2011-12-30 23:02 . 2011-03-31 10:30 218408 ----a-w- c:\windows\system32\SynCtrl.dll
    2011-12-30 23:02 . 2011-03-31 10:32 1335472 ----a-w- c:\windows\system32\drivers\SynTP.sys
    2011-12-30 23:02 . 2011-03-31 10:30 173352 ----a-w- c:\windows\system32\SynTPAPI.dll
    2011-12-30 23:02 . 2011-03-31 10:30 120104 ----a-w- c:\windows\system32\SynTPCo9.dll
    2011-12-29 03:50 . 2011-12-29 03:50 -------- d-----w- c:\users\bbailey\AppData\Local\Roxio
    2011-12-28 20:05 . 2012-01-05 04:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-12-28 20:05 . 2012-01-05 04:50 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-12-28 19:41 . 2011-12-28 19:41 2560 ----a-w- c:\windows\_MSRSTRT.EXE
    2011-12-28 19:37 . 2011-12-28 19:37 -------- d-----w- c:\program files\Panicware
    2011-12-28 19:18 . 2011-11-29 17:21 6823496 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4A3E672D-BABD-445D-B812-5178A4EF8919}\mpengine.dll
    2011-12-28 19:18 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-12-28 16:24 . 2011-12-28 16:24 -------- d-----w- c:\users\bbailey\AppData\Local\Downloaded Installations
    2011-12-28 16:22 . 2011-12-28 16:22 -------- d-----w- c:\program files\Common Files\Portrait Displays
    2011-12-28 16:21 . 2011-12-28 16:21 -------- d-----w- c:\users\bbailey\AppData\Roaming\Hewlett-Packard Company
    2011-12-28 16:18 . 2011-12-28 16:18 7435264 ----a-w- c:\windows\system32\drivers\NETwNs32.sys
    2011-12-28 16:18 . 2011-12-28 16:18 684032 ----a-w- c:\windows\system32\NETwNc32.dll
    2011-12-28 16:18 . 2011-12-28 16:18 2760704 ----a-w- c:\windows\system32\NETwNr32.dll
    2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\users\bbailey\AppData\Roaming\InstallShield
    2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\program files\Common Files\Roxio Shared
    2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\programdata\Uninstall
    2011-12-28 14:31 . 2012-01-11 17:00 -------- d-----w- c:\users\bbailey\AppData\Local\ElevatedDiagnostics
    2011-12-27 23:23 . 2011-12-27 23:23 -------- d-----w- c:\users\bbailey\AppData\Roaming\SumatraPDF
    2011-12-27 23:22 . 2011-12-27 23:22 1490 ----a-w- C:\user.js
    2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\users\bbailey\AppData\Roaming\Babylon
    2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\users\bbailey\AppData\Local\Babylon
    2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\programdata\Babylon
    2011-12-27 23:04 . 2012-01-12 00:53 -------- d--h--w- c:\users\bbailey\UserProfile
    2011-12-27 23:04 . 2012-01-12 00:53 -------- d--h--w- c:\users\bbailey\SoftRecovery
    2011-12-15 06:11 . 2011-11-24 04:25 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-12-15 06:10 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-15 06:08 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-15 06:08 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-05 03:07 . 2011-12-05 03:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-11-24 09:28 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-11-16 13:32 . 2011-11-16 13:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-24 05:29 . 2011-10-24 05:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 05:29 . 2011-10-24 05:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-15 39408]
    "SystemBootNQtdP6TDS6cn0vSDlYFgIHWxSydqQbiS"="c:\users\bbailey\UserProfile\SystemBoot.lnk" [2012-01-12 882]
    "RegWriteNQtdP6TDS6cn0vSDlYFgIHWxSydqQbiS"="c:\users\bbailey\SoftRecovery\RegWrite.lnk" [2012-01-12 990]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2010-04-05 186904]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-03-31 2221352]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-06-03 136216]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-06-03 171032]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-06-03 170008]
    "IMSS"="c:\program files\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [2009-11-04 111640]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-04-21 115560]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-01 59240]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "HPPowerAssistant"="c:\program files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe" [2011-08-17 14904]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-07 421736]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2012-01-08 495708]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-9-5 795936]
    Scrybe.lnk - c:\windows\Installer\{147DFAD8-34C3-4DE1-9FCA-ACEFDE9EF810}\NewShortcut11_8ACB210B42E44145A8C31F8E3DD765A3.exe [2011-12-31 45056]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "SoftwareSASGeneration"= 3 (0x3)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ DPPassFilter scecli
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    R1 MpKsl32e3c7cb;MpKsl32e3c7cb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6839C83D-EE69-41E2-8E4C-DC7FAF42A1F5}\MpKsl32e3c7cb.sys [x]
    R1 MpKsl3dcb8ff4;MpKsl3dcb8ff4;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{531D348C-33A2-48BA-9CCF-50D0BD38BBC9}\MpKsl3dcb8ff4.sys [x]
    R1 MpKsl5fad6417;MpKsl5fad6417;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A65FA436-245B-432A-A60E-5123D8B17809}\MpKsl5fad6417.sys [x]
    R1 MpKsl6a02d7a0;MpKsl6a02d7a0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6839C83D-EE69-41E2-8E4C-DC7FAF42A1F5}\MpKsl6a02d7a0.sys [x]
    R1 MpKsleba0c0bf;MpKsleba0c0bf;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{39DB4C9C-805A-4EAE-AA68-B09ABDA1B971}\MpKsleba0c0bf.sys [x]
    R1 MpKsledfc84ef;MpKsledfc84ef;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{972F4AEC-8798-434E-BA50-9C931C86E223}\MpKsledfc84ef.sys [x]
    R1 MpKsleee50011;MpKsleee50011;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9765E7B4-97F9-4B37-A695-C6A31DA655D1}\MpKsleee50011.sys [x]
    R1 MpKslf6bcd812;MpKslf6bcd812;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A65FA436-245B-432A-A60E-5123D8B17809}\MpKslf6bcd812.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 136176]
    R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]
    R2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-10-26 48640]
    R2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2009-10-29 47616]
    R2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2009-09-28 38912]
    R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2009-10-22 1639728]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 136176]
    R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2011-05-27 6758912]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-19 52224]
    S0 SafeBoot;SafeBoot; [x]
    S0 SbAlg;SbAlg; [x]
    S0 SbFsLock;SbFsLock; [x]
    S1 RsvLock;RsvLock; [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2012-01-08 81920]
    S2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [2011-08-17 133176]
    S2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [2010-10-19 32768]
    S2 Hp.Skyroom.Windows.Service;HP SkyRoom;c:\program files\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe [2009-11-20 124984]
    S2 HPDayStarterService;HP DayStarter Service;c:\program files\Hewlett-Packard\HP FastLook\HPDayStarterService.exe [2010-07-13 95800]
    S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-07-05 227384]
    S2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2009-11-11 277096]
    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-03-15 26168]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
    S2 rgsender;Remote Graphics Sender Service;c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe [2009-11-19 379904]
    S2 ScrybeUpdater;Scrybe Updater;c:\program files\Synaptics\Scrybe\Service\ScrybeUpdater.exe [2011-05-27 1300264]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-11-04 2320920]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-09-17 29472]
    S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2010-04-05 224424]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-08 106104]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 132480]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-02-04 232960]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
    S3 NETwNs32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2011-12-28 7435264]
    S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\DRIVERS\rismc32.sys [2009-07-20 49152]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 05:39]
    .
    2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 05:39]
    .
    2011-12-29 c:\windows\Tasks\HPCeeScheduleForbbailey.job
    - c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 11:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ninemsn.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 4.2.2.1
    DPF: {4E1318B0-53F0-4274-99FB-F5621625340D} - hxxp://rdnariw2k302/installOperaPrintCtrl.exe
    DPF: {DAAC8ECF-DB09-4821-8126-E2C9499A20BA} - hxxp://rdnariw2k302/installregterm.exe
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(640)
    c:\windows\system32\DPFPApi.DLL
    .
    - - - - - - - > 'Explorer.exe'(5124)
    c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\IDT\WDM\STacSV.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
    c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe
    c:\program files\LSI SoftModem\agrsmsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
    c:\program files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Authentication\Hp.SkyRoom.Windows.RgsPlugin.Authentication.exe
    c:\windows\system32\conhost.exe
    c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Lens\Hp.SkyRoom.Windows.RgsPlugin.Lens.exe
    c:\windows\system32\conhost.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Licensing\Hp.SkyRoom.Windows.RgsPlugin.Licensing.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\taskhost.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender_gui.exe
    c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-12 13:09:28 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-12 04:09
    ComboFix2.txt 2012-01-12 00:37
    ComboFix3.txt 2012-01-11 22:57
    ComboFix4.txt 2012-01-11 19:00
    ComboFix5.txt 2012-01-12 03:52
    .
    Pre-Run: 167,108,362,240 bytes free
    Post-Run: 167,092,195,328 bytes free
    .
    - - End Of File - - E0638203FE656A25F18B82CC55F622B4
  2. Broni Malware Annihilator Posts: 39,324   +175

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\users\bbailey\UserProfile\SystemBoot.lnk
    
    
    Folder::
    c:\programdata\AVAST Software
    c:\program files\AVAST Software
    c:\users\bbailey\SoftRecovery
    c:\users\bbailey\UserProfile
    
    Driver::
    MpKslf6bcd812
    MpKsleee50011
    MpKsledfc84ef
    MpKsleba0c0bf
    MpKsl6a02d7a0
    MpKsl5fad6417
    MpKsl3dcb8ff4
    MpKsl32e3c7cb
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SystemBootNQtdP6TDS6cn0vSDlYFgIHWxSydqQbiS"=-
    "RegWriteNQtdP6TDS6cn0vSDlYFgIHWxSydqQbiS"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000000
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: dragging CFScript.txt onto ComboFix.exe]


    6. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
    • Combofix.txt
  3. stijpn2012 Newcomer, in training Posts: 40

    ComboFix 12-01-11.01 - bbailey 01/12/2012 13:37:38.9.4 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2991.1576 [GMT 9:00]
    Running from: c:\combofix\ComboFix.exe
    Command switches used :: \\rn-fs2\Users$\bbailey\Desktop\CFScript.txt
    AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
    SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\users\bbailey\UserProfile\SystemBoot.lnk"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\AVAST Software
    c:\program files\AVAST Software\Avast\Setup\setup.ini
    c:\programdata\AVAST Software
    c:\users\bbailey\SoftRecovery
    c:\users\bbailey\SoftRecovery\RegWrite.lnk
    c:\users\bbailey\UserProfile
    c:\users\bbailey\UserProfile\htmlapp.exe
    c:\users\bbailey\UserProfile\SystemBoot.lnk
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_MPKSL32E3C7CB
    -------\Legacy_MPKSL3DCB8FF4
    -------\Legacy_MPKSL5FAD6417
    -------\Legacy_MPKSL6A02D7A0
    -------\Legacy_MPKSLEBA0C0BF
    -------\Legacy_MPKSLEDFC84EF
    -------\Legacy_MPKSLEEE50011
    -------\Legacy_MPKSLF6BCD812
    -------\Service_MpKsl32e3c7cb
    -------\Service_MpKsl3dcb8ff4
    -------\Service_MpKsl5fad6417
    -------\Service_MpKsl6a02d7a0
    -------\Service_MpKsleba0c0bf
    -------\Service_MpKsledfc84ef
    -------\Service_MpKsleee50011
    -------\Service_MpKslf6bcd812
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-12 to 2012-01-12 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-12 04:43 . 2012-01-12 04:46 -------- d-----w- c:\users\bbailey\AppData\Local\temp
    2012-01-12 04:43 . 2012-01-12 04:43 -------- d-----w- c:\users\Radisson\AppData\Local\temp
    2012-01-12 04:43 . 2012-01-12 04:43 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-12 04:43 . 2012-01-12 04:43 -------- d-----w- c:\users\administrator\AppData\Local\temp
    2012-01-12 03:19 . 2012-01-12 04:45 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4A3E672D-BABD-445D-B812-5178A4EF8919}\offreg.dll
    2012-01-11 17:17 . 2012-01-11 17:17 -------- d-----w- C:\HP_RECOVERY_mountHPSF
    2012-01-06 23:50 . 2011-12-10 06:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-06 23:50 . 2012-01-06 23:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-06 21:58 . 2012-01-06 21:58 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-01-06 14:24 . 2012-01-06 14:24 -------- d-----w- c:\program files\iPod
    2012-01-06 14:24 . 2012-01-06 14:25 -------- d-----w- c:\program files\iTunes
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
    2012-01-06 14:20 . 2012-01-06 14:20 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
    2012-01-06 14:20 . 2012-01-06 14:20 -------- d-----w- c:\program files\QuickTime
    2012-01-05 23:47 . 2012-01-05 23:47 -------- d-----w- c:\users\bbailey\AppData\Roaming\GlarySoft
    2012-01-05 23:06 . 2012-01-05 23:06 -------- d-----w- c:\program files\WinASO
    2012-01-05 19:56 . 2012-01-05 19:56 -------- d-----w- c:\users\bbailey\AppData\Local\Apps
    2012-01-05 04:45 . 2012-01-05 04:45 -------- d-----w- c:\users\administrator\AppData\Local\Google
    2012-01-05 04:40 . 2012-01-05 04:40 -------- d-----w- c:\users\administrator\AppData\Roaming\hpqlog
    2012-01-05 04:39 . 2012-01-05 04:39 -------- d-----w- c:\users\administrator\AppData\Roaming\IObit
    2012-01-05 04:38 . 2012-01-05 04:38 -------- d-----w- c:\users\administrator\AppData\Roaming\Synaptics
    2012-01-05 04:30 . 2012-01-05 04:30 -------- d-----w- C:\a4a5b20479313b238579215fc2
    2012-01-02 23:43 . 2012-01-03 03:04 -------- d-----w- c:\program files\PC Tools Security
    2012-01-02 23:41 . 2012-01-02 23:52 -------- d-----w- c:\programdata\PC Tools
    2012-01-02 03:59 . 2012-01-02 04:14 -------- d-----w- c:\users\bbailey\AppData\Roaming\IObit
    2012-01-02 03:59 . 2012-01-02 03:59 -------- d-----w- c:\program files\IObit
    2012-01-02 03:35 . 2010-01-10 09:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
    2012-01-02 03:34 . 2012-01-05 04:51 -------- d-----w- c:\program files\SpywareBlaster
    2012-01-02 01:55 . 2012-01-02 01:55 -------- d-----w- c:\users\bbailey\AppData\Roaming\Malwarebytes
    2012-01-02 01:55 . 2012-01-02 01:55 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-31 09:36 . 2011-12-31 09:36 -------- d-----w- c:\users\bbailey\AppData\Roaming\Synaptics
    2011-12-30 23:39 . 2012-01-12 00:51 -------- d-----w- c:\users\bbailey\AppData\Local\PokerStars
    2011-12-30 23:38 . 2012-01-09 13:58 -------- d-----w- c:\program files\PokerStars
    2011-12-30 23:02 . 2011-12-30 23:02 -------- d-----w- c:\programdata\Synaptics
    2011-12-30 23:02 . 2011-03-31 10:30 218408 ----a-w- c:\windows\system32\SynCtrl.dll
    2011-12-30 23:02 . 2011-03-31 10:32 1335472 ----a-w- c:\windows\system32\drivers\SynTP.sys
    2011-12-30 23:02 . 2011-03-31 10:30 173352 ----a-w- c:\windows\system32\SynTPAPI.dll
    2011-12-30 23:02 . 2011-03-31 10:30 120104 ----a-w- c:\windows\system32\SynTPCo9.dll
    2011-12-29 03:50 . 2011-12-29 03:50 -------- d-----w- c:\users\bbailey\AppData\Local\Roxio
    2011-12-28 20:05 . 2012-01-05 04:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-12-28 20:05 . 2012-01-05 04:50 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-12-28 19:41 . 2011-12-28 19:41 2560 ----a-w- c:\windows\_MSRSTRT.EXE
    2011-12-28 19:37 . 2011-12-28 19:37 -------- d-----w- c:\program files\Panicware
    2011-12-28 19:18 . 2011-11-29 17:21 6823496 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4A3E672D-BABD-445D-B812-5178A4EF8919}\mpengine.dll
    2011-12-28 19:18 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-12-28 16:24 . 2011-12-28 16:24 -------- d-----w- c:\users\bbailey\AppData\Local\Downloaded Installations
    2011-12-28 16:22 . 2011-12-28 16:22 -------- d-----w- c:\program files\Common Files\Portrait Displays
    2011-12-28 16:21 . 2011-12-28 16:21 -------- d-----w- c:\users\bbailey\AppData\Roaming\Hewlett-Packard Company
    2011-12-28 16:18 . 2011-12-28 16:18 7435264 ----a-w- c:\windows\system32\drivers\NETwNs32.sys
    2011-12-28 16:18 . 2011-12-28 16:18 684032 ----a-w- c:\windows\system32\NETwNc32.dll
    2011-12-28 16:18 . 2011-12-28 16:18 2760704 ----a-w- c:\windows\system32\NETwNr32.dll
    2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\users\bbailey\AppData\Roaming\InstallShield
    2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\program files\Common Files\Roxio Shared
    2011-12-28 16:17 . 2011-12-28 16:17 -------- d-----w- c:\programdata\Uninstall
    2011-12-28 14:31 . 2012-01-11 17:00 -------- d-----w- c:\users\bbailey\AppData\Local\ElevatedDiagnostics
    2011-12-27 23:23 . 2011-12-27 23:23 -------- d-----w- c:\users\bbailey\AppData\Roaming\SumatraPDF
    2011-12-27 23:22 . 2011-12-27 23:22 1490 ----a-w- C:\user.js
    2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\users\bbailey\AppData\Roaming\Babylon
    2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\users\bbailey\AppData\Local\Babylon
    2011-12-27 23:22 . 2011-12-27 23:22 -------- d-----w- c:\programdata\Babylon
    2011-12-15 06:11 . 2011-11-24 04:25 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-12-15 06:10 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-15 06:08 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-15 06:08 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-05 03:07 . 2011-12-05 03:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-11-24 09:28 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-11-16 13:32 . 2011-11-16 13:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-24 05:29 . 2011-10-24 05:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 05:29 . 2011-10-24 05:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-15 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2010-04-05 186904]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-03-31 2221352]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-06-03 136216]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-06-03 171032]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-06-03 170008]
    "IMSS"="c:\program files\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [2009-11-04 111640]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-04-21 115560]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-01 59240]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "HPPowerAssistant"="c:\program files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe" [2011-08-17 14904]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-07 421736]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2012-01-08 495708]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-9-5 795936]
    Scrybe.lnk - c:\windows\Installer\{147DFAD8-34C3-4DE1-9FCA-ACEFDE9EF810}\NewShortcut11_8ACB210B42E44145A8C31F8E3DD765A3.exe [2011-12-31 45056]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "SoftwareSASGeneration"= 3 (0x3)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ DPPassFilter scecli
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 136176]
    R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]
    R2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-10-26 48640]
    R2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2009-10-29 47616]
    R2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2009-09-28 38912]
    R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2009-10-22 1639728]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 136176]
    R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2011-05-27 6758912]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-19 52224]
    S0 SafeBoot;SafeBoot; [x]
    S0 SbAlg;SbAlg; [x]
    S0 SbFsLock;SbFsLock; [x]
    S1 RsvLock;RsvLock; [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2012-01-08 81920]
    S2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [2011-08-17 133176]
    S2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [2010-10-19 32768]
    S2 Hp.Skyroom.Windows.Service;HP SkyRoom;c:\program files\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe [2009-11-20 124984]
    S2 HPDayStarterService;HP DayStarter Service;c:\program files\Hewlett-Packard\HP FastLook\HPDayStarterService.exe [2010-07-13 95800]
    S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-07-05 227384]
    S2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2009-11-11 277096]
    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-03-15 26168]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
    S2 rgsender;Remote Graphics Sender Service;c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe [2009-11-19 379904]
    S2 ScrybeUpdater;Scrybe Updater;c:\program files\Synaptics\Scrybe\Service\ScrybeUpdater.exe [2011-05-27 1300264]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-11-04 2320920]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-09-17 29472]
    S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2010-04-05 224424]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-08 106104]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 132480]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-02-04 232960]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
    S3 NETwNs32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2011-12-28 7435264]
    S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\DRIVERS\rismc32.sys [2009-07-20 49152]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 05:39]
    .
    2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-15 05:39]
    .
    2011-12-29 c:\windows\Tasks\HPCeeScheduleForbbailey.job
    - c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 11:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ninemsn.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 4.2.2.1
    DPF: {4E1318B0-53F0-4274-99FB-F5621625340D} - hxxp://rdnariw2k302/installOperaPrintCtrl.exe
    DPF: {DAAC8ECF-DB09-4821-8126-E2C9499A20BA} - hxxp://rdnariw2k302/installregterm.exe
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(700)
    c:\windows\system32\DPFPApi.DLL
    .
    - - - - - - - > 'Explorer.exe'(3836)
    c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\IDT\WDM\STacSV.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
    c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe
    c:\program files\LSI SoftModem\agrsmsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
    c:\program files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender.exe
    c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Authentication\Hp.SkyRoom.Windows.RgsPlugin.Authentication.exe
    c:\windows\system32\conhost.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Lens\Hp.SkyRoom.Windows.RgsPlugin.Lens.exe
    c:\windows\system32\conhost.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Licensing\Hp.SkyRoom.Windows.RgsPlugin.Licensing.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\taskhost.exe
    c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender_gui.exe
    c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-12 13:50:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-12 04:50
    ComboFix2.txt 2012-01-12 04:09
    ComboFix3.txt 2012-01-12 00:37
    ComboFix4.txt 2012-01-11 22:57
    ComboFix5.txt 2012-01-12 04:36
    .
    Pre-Run: 167,174,021,120 bytes free
    Post-Run: 166,828,851,200 bytes free
    .
    - - End Of File - - 1F89E76BBD822241B92F5AB4E97FF8F6
  4. Broni Malware Annihilator Posts: 39,324   +175

    How is the pop-up?
  5. stijpn2012 Newcomer, in training Posts: 40

    I just rebooted and the pop-up came back again :(
  6. Broni Malware Annihilator Posts: 39,324   +175