TechSpot

Please help. ZeroAccess virus now caught in restart loop

By NailBeater
Aug 7, 2012
  1. Hi all -
    Like so many others, I seem to have picked up the ZeroAccess trojan, and am now disabled due to the "Windows has encountered a critical error..." restart loop.

    I hadn't been paying any attention to my McAfee AV. Looking back - my updates had been failing since around July 9 of this year. My fault - I should know better. I had intended to move to MS Essentials anyway - so I took this as an opportunity to do just that. As soon as I installed MSE and began a scan - the restart loop commenced.

    The machine is an older HP laptop with a blown motherboard network adapter, using a very temperamental external NIC card. It's 32-bit running Vista Home Professional.

    I have been able to get onto the machine through the system repair option and have run the FRST tool scan - and have those results available if someone can offer help.

    Thanks!
    Steve
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.

    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    Download Farbar Recovery Scan Tool and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
    • Press Scan button.
    • Type exit and reboot the computer normally.
    • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.
  3. NailBeater

    NailBeater TS Rookie Topic Starter

    Hi. Thanks for taking the time to assist me. I really appreciate the guidance.

    Here's the log from the initial scan:

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 05-08-2012 01
    Ran by SYSTEM at 07-08-2012 12:14:46
    Running from F:\
    Windows Vista (TM) Home Premium (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [833072 2007-06-07] (Synaptics, Inc.)
    HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [138008 2007-02-26] (Intel Corporation)
    HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [154392 2007-02-26] (Intel Corporation)
    HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [133912 2007-02-26] (Intel Corporation)
    HKLM\...\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" [176128 2007-03-28] (CyberLink Corp.)
    HKLM\...\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [159744 2007-02-13] ( Hewlett-Packard Development Company, L.P.)
    HKLM\...\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [50696 2007-03-12] (Hewlett-Packard)
    HKLM\...\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [472776 2007-03-01] (Hewlett-Packard Development Company, L.P.)
    HKLM\...\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe [317128 2007-01-10] (Hewlett-Packard Development Company, L.P.)
    HKLM\...\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
    HKLM\...\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript [973488 2012-07-03] (Malwarebytes Corporation)
    HKLM\...\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe [176128 2006-11-02] (Microsoft Corporation)
    HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [40368 2011-08-30] (Adobe Systems Incorporated)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-03-29] (Adobe Systems Incorporated)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
    HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2011-08-18] (Apple Inc.)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKU\CAMILLE\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1773568 2007-03-20] (Hewlett-Packard)
    HKU\CAMILLE\...\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler [x]
    HKU\CAMILLE\...\Policies\system: [LogonHoursAction] 2
    HKU\CAMILLE\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
    HKU\Default\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1773568 2007-03-20] (Hewlett-Packard)
    HKU\Default User\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1773568 2007-03-20] (Hewlett-Packard)
    HKU\Hammers\...\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [4280184 2012-03-08] (Microsoft Corporation)
    HKU\Hammers\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
    HKU\Hammers\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [8704 2006-11-02] (Microsoft Corporation)
    HKU\Hammers\...\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
    HKU\Hammers\...\Run: [SansaDispatch] C:\Users\Hammers\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe [79872 2012-01-07] (SanDisk Corporation)
    HKU\Hammers\...\Policies\system: [LogonHoursAction] 2
    HKU\Hammers\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
    HKU\Steve\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1773568 2007-03-20] (Hewlett-Packard)
    HKU\Steve\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [4280184 2012-03-08] (Microsoft Corporation)
    HKU\Steve\...\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler [x]
    HKU\Steve\...\Policies\system: [LogonHoursAction] 2
    HKU\Steve\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
    HKLM\...\Runonce: [Launcher] %WINDIR%\SMINST\launcher.exe [x]
    Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
    Tcpip\Parameters: [DhcpNameServer] 74.81.99.1 74.81.99.2
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\NETGEAR WNA3100 Smart Wizard.lnk
    ShortcutTarget: NETGEAR WNA3100 Smart Wizard.lnk -> C:\Program Files\NETGEAR\WNA3100\WNA3100.exe ()

    ================================ Services (Whitelisted) ==================

    2 aawservice; "C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe" [611664 2008-07-07] (Lavasoft)
    2 CLCapSvc; "C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe" [270431 2007-03-28] ()
    2 CLSched; "C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe" [118877 2007-03-28] ()
    3 Com4Qlb; "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe" [110592 2007-01-09] (Hewlett-Packard Development Company, L.P.)
    2 dsNcService; C:\Program Files\Juniper Networks\Common Files\dsNcService.exe [683080 2012-04-12] (Juniper Networks)
    2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)
    2 HP Health Check Service; "C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [62984 2007-03-14] (Hewlett-Packard)
    2 hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [135168 2006-05-02] (Hewlett-Packard Development Company, L.P.)
    2 JuniperAccessService; C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [198520 2011-10-16] (Juniper Networks, Inc.)
    2 WSWNA3100; C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe [285152 2010-08-26] ()
    2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
    4 NetMsmqActivator; "c:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe" -NetMsmqActivator [x]
    4 NetPipeActivator; c:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [x]
    4 NetTcpActivator; c:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [x]
    4 NetTcpPortSharing; c:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [x]
    3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

    ========================== Drivers (Whitelisted) =============

    3 BCMH43XX; C:\Windows\System32\DRIVERS\bcmwlhigh6.sys [1082432 2010-09-29] (Broadcom Corporation)
    3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA.sys [5275 2007-01-18] (Cisco Systems, Inc.)
    3 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [125328 2008-03-29] (Deterministic Networks, Inc.)
    3 dsNcAdpt; C:\Windows\System32\DRIVERS\dsNcAdpt.sys [26624 2011-11-14] (Juniper Networks)
    1 eabfiltr; C:\Windows\System32\DRIVERS\eabfiltr.sys [8192 2006-11-30] (Hewlett-Packard Development Company, L.P.)
    3 HBtnKey; C:\Windows\System32\DRIVERS\cpqbttn.sys [9472 2006-06-28] (Hewlett-Packard Development Company, L.P.)
    3 HdAudAddService; C:\Windows\System32\drivers\CHDART.sys [148992 2006-12-12] (Conexant Systems Inc.)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    3 NPF; C:\Windows\System32\DRIVERS\npf.sys [50704 2010-02-03] (CACE Technologies, Inc.)
    0 SCMNdisP; C:\Windows\System32\DRIVERS\scmndisp.sys [21728 2007-01-19] (Windows (R) Codename Longhorn DDK provider)
    3 usbbus; C:\Windows\System32\DRIVERS\lgusbbus.sys [13056 2008-11-11] (LG Electronics Inc.)
    3 UsbDiag; C:\Windows\System32\DRIVERS\lgusbdiag.sys [19968 2008-11-11] (LG Electronics Inc.)
    3 USBModem; C:\Windows\System32\DRIVERS\lgusbmodem.sys [24832 2008-11-11] (LG Electronics Inc.)
    3 WEC600N; C:\Windows\System32\DRIVERS\WEC600N.SYS [1187320 2008-01-23] (Broadcom Corporation)
    4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
    1 ehxgpslq; \??\C:\Windows\system32\drivers\ehxgpslq.sys [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    1 mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
    3 UIUSys; C:\Windows\System32\DRIVERS\UIUSYS.SYS [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-07 08:54 - 2012-08-07 08:54 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\plgoiwsk.sys
    2012-08-06 19:50 - 2012-08-06 19:50 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-06 19:49 - 2012-08-06 19:49 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-08-06 19:38 - 2012-08-06 19:39 - 10288512 ____A (Microsoft Corporation) C:\Users\Hammers\Desktop\mseinstall.exe
    2012-08-06 15:23 - 2012-08-06 15:23 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{09352410-7C3E-494F-AC2F-35271A862F9B}
    2012-08-06 15:23 - 2012-08-06 15:23 - 00000000 ____D C:\Users\Hammers\Local Settings\{09352410-7C3E-494F-AC2F-35271A862F9B}
    2012-08-06 15:23 - 2012-08-06 15:23 - 00000000 ____D C:\Users\Hammers\AppData\Local\{09352410-7C3E-494F-AC2F-35271A862F9B}
    2012-08-06 15:22 - 2012-08-06 15:23 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{A5EACD77-0AC6-4AD4-BD08-4E46F8C17381}
    2012-08-06 15:22 - 2012-08-06 15:23 - 00000000 ____D C:\Users\Hammers\Local Settings\{A5EACD77-0AC6-4AD4-BD08-4E46F8C17381}
    2012-08-06 15:22 - 2012-08-06 15:23 - 00000000 ____D C:\Users\Hammers\AppData\Local\{A5EACD77-0AC6-4AD4-BD08-4E46F8C17381}
    2012-08-04 18:59 - 2012-08-04 19:00 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{FDAA18B6-3268-419B-88D3-4B65A353812E}
    2012-08-04 18:59 - 2012-08-04 19:00 - 00000000 ____D C:\Users\Hammers\Local Settings\{FDAA18B6-3268-419B-88D3-4B65A353812E}
    2012-08-04 18:59 - 2012-08-04 19:00 - 00000000 ____D C:\Users\Hammers\AppData\Local\{FDAA18B6-3268-419B-88D3-4B65A353812E}
    2012-08-04 18:59 - 2012-08-04 18:59 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{7B193C5F-C41D-44B6-9102-DE39989C52D0}
    2012-08-04 18:59 - 2012-08-04 18:59 - 00000000 ____D C:\Users\Hammers\Local Settings\{7B193C5F-C41D-44B6-9102-DE39989C52D0}
    2012-08-04 18:59 - 2012-08-04 18:59 - 00000000 ____D C:\Users\Hammers\AppData\Local\{7B193C5F-C41D-44B6-9102-DE39989C52D0}
    2012-08-04 12:38 - 2012-08-04 12:38 - 00142768 ____A C:\Windows\Minidump\Mini080412-01.dmp
    2012-08-04 06:58 - 2012-08-04 06:58 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{D0940DBD-F7F3-4F23-894B-E16B84E40544}
    2012-08-04 06:58 - 2012-08-04 06:58 - 00000000 ____D C:\Users\Hammers\Local Settings\{D0940DBD-F7F3-4F23-894B-E16B84E40544}
    2012-08-04 06:58 - 2012-08-04 06:58 - 00000000 ____D C:\Users\Hammers\AppData\Local\{D0940DBD-F7F3-4F23-894B-E16B84E40544}
    2012-08-03 15:13 - 2012-08-03 15:13 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{99FAC73A-CE82-47A0-A0B6-043947427E3A}
    2012-08-03 15:13 - 2012-08-03 15:13 - 00000000 ____D C:\Users\Hammers\Local Settings\{99FAC73A-CE82-47A0-A0B6-043947427E3A}
    2012-08-03 15:13 - 2012-08-03 15:13 - 00000000 ____D C:\Users\Hammers\AppData\Local\{99FAC73A-CE82-47A0-A0B6-043947427E3A}
    2012-08-03 15:12 - 2012-08-04 06:58 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{44C6204A-1F39-499B-A566-3A0101C66CC5}
    2012-08-03 15:12 - 2012-08-04 06:58 - 00000000 ____D C:\Users\Hammers\Local Settings\{44C6204A-1F39-499B-A566-3A0101C66CC5}
    2012-08-03 15:12 - 2012-08-04 06:58 - 00000000 ____D C:\Users\Hammers\AppData\Local\{44C6204A-1F39-499B-A566-3A0101C66CC5}
    2012-08-02 17:04 - 2012-08-02 17:04 - 00000000 ____D C:\Users\Hammers\Local Settings\Macromedia
    2012-08-02 17:04 - 2012-08-02 17:04 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\Macromedia
    2012-08-02 17:04 - 2012-08-02 17:04 - 00000000 ____D C:\Users\Hammers\AppData\Local\Macromedia
    2012-08-02 16:52 - 2012-08-02 16:52 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{5BFB8407-C9FB-403C-A7E9-ADF99D166C45}
    2012-08-02 16:52 - 2012-08-02 16:52 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{18FC2494-77CA-4189-8C52-C4769234A6C4}
    2012-08-02 16:52 - 2012-08-02 16:52 - 00000000 ____D C:\Users\Hammers\Local Settings\{5BFB8407-C9FB-403C-A7E9-ADF99D166C45}
    2012-08-02 16:52 - 2012-08-02 16:52 - 00000000 ____D C:\Users\Hammers\Local Settings\{18FC2494-77CA-4189-8C52-C4769234A6C4}
    2012-08-02 16:52 - 2012-08-02 16:52 - 00000000 ____D C:\Users\Hammers\AppData\Local\{5BFB8407-C9FB-403C-A7E9-ADF99D166C45}
    2012-08-02 16:52 - 2012-08-02 16:52 - 00000000 ____D C:\Users\Hammers\AppData\Local\{18FC2494-77CA-4189-8C52-C4769234A6C4}
    2012-08-02 06:02 - 2012-08-02 06:02 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{D8B235AE-71A3-4FD7-BD8D-610617055C1E}
    2012-08-02 06:02 - 2012-08-02 06:02 - 00000000 ____D C:\Users\Hammers\Local Settings\{D8B235AE-71A3-4FD7-BD8D-610617055C1E}
    2012-08-02 06:02 - 2012-08-02 06:02 - 00000000 ____D C:\Users\Hammers\AppData\Local\{D8B235AE-71A3-4FD7-BD8D-610617055C1E}
    2012-08-02 05:56 - 2012-08-02 06:02 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{14536B0F-E9F4-4B2C-95B1-4373CA5FBA00}
    2012-08-02 05:56 - 2012-08-02 06:02 - 00000000 ____D C:\Users\Hammers\Local Settings\{14536B0F-E9F4-4B2C-95B1-4373CA5FBA00}
    2012-08-02 05:56 - 2012-08-02 06:02 - 00000000 ____D C:\Users\Hammers\AppData\Local\{14536B0F-E9F4-4B2C-95B1-4373CA5FBA00}
    2012-08-01 20:15 - 2012-08-01 20:15 - 00000352 ____A C:\Users\Hammers\My Documents\wilco.txt
    2012-08-01 20:15 - 2012-08-01 20:15 - 00000352 ____A C:\Users\Hammers\Documents\wilco.txt
    2012-07-30 19:16 - 2012-07-30 19:16 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{F578EBCD-30AC-45AA-8C40-1E4A1EEB644F}
    2012-07-30 19:16 - 2012-07-30 19:16 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{0351C3F4-1569-4276-AB5D-0BB0FF7E943C}
    2012-07-30 19:16 - 2012-07-30 19:16 - 00000000 ____D C:\Users\Hammers\Local Settings\{F578EBCD-30AC-45AA-8C40-1E4A1EEB644F}
    2012-07-30 19:16 - 2012-07-30 19:16 - 00000000 ____D C:\Users\Hammers\Local Settings\{0351C3F4-1569-4276-AB5D-0BB0FF7E943C}
    2012-07-30 19:16 - 2012-07-30 19:16 - 00000000 ____D C:\Users\Hammers\AppData\Local\{F578EBCD-30AC-45AA-8C40-1E4A1EEB644F}
    2012-07-30 19:16 - 2012-07-30 19:16 - 00000000 ____D C:\Users\Hammers\AppData\Local\{0351C3F4-1569-4276-AB5D-0BB0FF7E943C}
    2012-07-30 13:53 - 2012-07-30 13:53 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{9176AEBF-A040-45C4-880C-0B533A318F79}
    2012-07-30 13:53 - 2012-07-30 13:53 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{4B27FC21-784F-47E5-A30D-83D1F8A33AB6}
    2012-07-30 13:53 - 2012-07-30 13:53 - 00000000 ____D C:\Users\Hammers\Local Settings\{9176AEBF-A040-45C4-880C-0B533A318F79}
    2012-07-30 13:53 - 2012-07-30 13:53 - 00000000 ____D C:\Users\Hammers\Local Settings\{4B27FC21-784F-47E5-A30D-83D1F8A33AB6}
    2012-07-30 13:53 - 2012-07-30 13:53 - 00000000 ____D C:\Users\Hammers\AppData\Local\{9176AEBF-A040-45C4-880C-0B533A318F79}
    2012-07-30 13:53 - 2012-07-30 13:53 - 00000000 ____D C:\Users\Hammers\AppData\Local\{4B27FC21-784F-47E5-A30D-83D1F8A33AB6}
    2012-07-30 13:29 - 2012-07-30 13:29 - 00000000 ____D C:\Users\Hammers\Local Settings\IsolatedStorage
    2012-07-30 13:29 - 2012-07-30 13:29 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\IsolatedStorage
    2012-07-30 13:29 - 2012-07-30 13:29 - 00000000 ____D C:\Users\Hammers\AppData\Local\IsolatedStorage
    2012-07-30 13:20 - 2012-07-30 13:20 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{18B472F9-FD1B-48E3-AAF6-6157F941913A}
    2012-07-30 13:20 - 2012-07-30 13:20 - 00000000 ____D C:\Users\Hammers\Local Settings\{18B472F9-FD1B-48E3-AAF6-6157F941913A}
    2012-07-30 13:20 - 2012-07-30 13:20 - 00000000 ____D C:\Users\Hammers\AppData\Local\{18B472F9-FD1B-48E3-AAF6-6157F941913A}
    2012-07-30 12:31 - 2012-07-30 12:31 - 00000000 ____D C:\Users\Steve\Local Settings\Windows Live
    2012-07-30 12:31 - 2012-07-30 12:31 - 00000000 ____D C:\Users\Steve\Local Settings\Application Data\Windows Live
    2012-07-30 12:31 - 2012-07-30 12:31 - 00000000 ____D C:\Users\Steve\Local Settings\Application Data\{25AF984C-6576-42FC-AD24-2F8D51BD4D67}
    2012-07-30 12:31 - 2012-07-30 12:31 - 00000000 ____D C:\Users\Steve\Local Settings\{25AF984C-6576-42FC-AD24-2F8D51BD4D67}
    2012-07-30 12:31 - 2012-07-30 12:31 - 00000000 ____D C:\Users\Steve\AppData\Local\Windows Live
    2012-07-30 12:31 - 2012-07-30 12:31 - 00000000 ____D C:\Users\Steve\AppData\Local\{25AF984C-6576-42FC-AD24-2F8D51BD4D67}
    2012-07-30 11:02 - 2012-07-30 11:02 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{88214784-3482-4F48-BE36-E6F45225844A}
    2012-07-30 11:02 - 2012-07-30 11:02 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{11C5A58A-8708-4E5A-8480-0AB796DEB23C}
    2012-07-30 11:02 - 2012-07-30 11:02 - 00000000 ____D C:\Users\Hammers\Local Settings\{88214784-3482-4F48-BE36-E6F45225844A}
    2012-07-30 11:02 - 2012-07-30 11:02 - 00000000 ____D C:\Users\Hammers\Local Settings\{11C5A58A-8708-4E5A-8480-0AB796DEB23C}
    2012-07-30 11:02 - 2012-07-30 11:02 - 00000000 ____D C:\Users\Hammers\AppData\Local\{88214784-3482-4F48-BE36-E6F45225844A}
    2012-07-30 11:02 - 2012-07-30 11:02 - 00000000 ____D C:\Users\Hammers\AppData\Local\{11C5A58A-8708-4E5A-8480-0AB796DEB23C}
    2012-07-30 09:37 - 2012-07-30 09:37 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{9FB26FC4-17AA-4AE6-B4BC-B28BA435CEBE}
    2012-07-30 09:37 - 2012-07-30 09:37 - 00000000 ____D C:\Users\Hammers\Local Settings\{9FB26FC4-17AA-4AE6-B4BC-B28BA435CEBE}
    2012-07-30 09:37 - 2012-07-30 09:37 - 00000000 ____D C:\Users\Hammers\AppData\Local\{9FB26FC4-17AA-4AE6-B4BC-B28BA435CEBE}
    2012-07-30 09:36 - 2012-07-30 09:37 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{A546534A-D4F2-423D-B913-866A370DD949}
    2012-07-30 09:36 - 2012-07-30 09:37 - 00000000 ____D C:\Users\Hammers\Local Settings\{A546534A-D4F2-423D-B913-866A370DD949}
    2012-07-30 09:36 - 2012-07-30 09:37 - 00000000 ____D C:\Users\Hammers\AppData\Local\{A546534A-D4F2-423D-B913-866A370DD949}
    2012-07-30 09:33 - 2012-07-30 13:40 - 04503728 ___AT C:\Users\All Users\ras_0oed.pad
    2012-07-30 09:33 - 2012-07-30 13:40 - 04503728 ___AT C:\Users\All Users\Application Data\ras_0oed.pad
    2012-07-25 10:51 - 2012-07-25 10:51 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{9A7FADE8-0CD9-481D-9E8B-75F75243BC30}
    2012-07-25 10:51 - 2012-07-25 10:51 - 00000000 ____D C:\Users\Hammers\Local Settings\{9A7FADE8-0CD9-481D-9E8B-75F75243BC30}
    2012-07-25 10:51 - 2012-07-25 10:51 - 00000000 ____D C:\Users\Hammers\AppData\Local\{9A7FADE8-0CD9-481D-9E8B-75F75243BC30}
    2012-07-25 10:50 - 2012-07-25 10:51 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{78C33939-B245-425B-97E8-13ED45D3E3DE}
    2012-07-25 10:50 - 2012-07-25 10:51 - 00000000 ____D C:\Users\Hammers\Local Settings\{78C33939-B245-425B-97E8-13ED45D3E3DE}
    2012-07-25 10:50 - 2012-07-25 10:51 - 00000000 ____D C:\Users\Hammers\AppData\Local\{78C33939-B245-425B-97E8-13ED45D3E3DE}
    2012-07-24 18:14 - 2012-07-24 18:14 - 00142768 ____A C:\Windows\Minidump\Mini072412-01.dmp
    2012-07-24 15:49 - 2012-07-24 15:49 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{EB179074-2751-45C1-BD5E-B80F777A5D5D}
    2012-07-24 15:49 - 2012-07-24 15:49 - 00000000 ____D C:\Users\Hammers\Local Settings\{EB179074-2751-45C1-BD5E-B80F777A5D5D}
    2012-07-24 15:49 - 2012-07-24 15:49 - 00000000 ____D C:\Users\Hammers\AppData\Local\{EB179074-2751-45C1-BD5E-B80F777A5D5D}
    2012-07-22 18:12 - 2012-07-22 18:14 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{E5A82100-6E1F-4528-86AF-8DF2860CC9B0}
    2012-07-22 18:12 - 2012-07-22 18:14 - 00000000 ____D C:\Users\Hammers\Local Settings\{E5A82100-6E1F-4528-86AF-8DF2860CC9B0}
    2012-07-22 18:12 - 2012-07-22 18:14 - 00000000 ____D C:\Users\Hammers\AppData\Local\{E5A82100-6E1F-4528-86AF-8DF2860CC9B0}
    2012-07-21 11:42 - 2012-07-24 15:49 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{7A268A90-2D4B-45C2-A2A0-3E7D817E9ADD}
    2012-07-21 11:42 - 2012-07-24 15:49 - 00000000 ____D C:\Users\Hammers\Local Settings\{7A268A90-2D4B-45C2-A2A0-3E7D817E9ADD}
    2012-07-21 11:42 - 2012-07-24 15:49 - 00000000 ____D C:\Users\Hammers\AppData\Local\{7A268A90-2D4B-45C2-A2A0-3E7D817E9ADD}
    2012-07-21 11:10 - 2012-07-21 11:12 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{99584119-A38C-4FF8-9DBC-CF26348566E6}
    2012-07-21 11:10 - 2012-07-21 11:12 - 00000000 ____D C:\Users\Hammers\Local Settings\{99584119-A38C-4FF8-9DBC-CF26348566E6}
    2012-07-21 11:10 - 2012-07-21 11:12 - 00000000 ____D C:\Users\Hammers\AppData\Local\{99584119-A38C-4FF8-9DBC-CF26348566E6}
    2012-07-21 04:20 - 2012-07-21 04:20 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{B75C9F62-BDE7-4D73-896A-341F38D600D7}
    2012-07-21 04:20 - 2012-07-21 04:20 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{942E738E-DC9F-43A9-9BE1-88CC03D8EEAA}
    2012-07-21 04:20 - 2012-07-21 04:20 - 00000000 ____D C:\Users\Hammers\Local Settings\{B75C9F62-BDE7-4D73-896A-341F38D600D7}
    2012-07-21 04:20 - 2012-07-21 04:20 - 00000000 ____D C:\Users\Hammers\Local Settings\{942E738E-DC9F-43A9-9BE1-88CC03D8EEAA}
    2012-07-21 04:20 - 2012-07-21 04:20 - 00000000 ____D C:\Users\Hammers\AppData\Local\{B75C9F62-BDE7-4D73-896A-341F38D600D7}
    2012-07-21 04:20 - 2012-07-21 04:20 - 00000000 ____D C:\Users\Hammers\AppData\Local\{942E738E-DC9F-43A9-9BE1-88CC03D8EEAA}
    2012-07-19 17:56 - 2012-07-19 17:56 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{DC3E1F99-C41F-42E9-B3F6-305436BB4D9D}
    2012-07-19 17:56 - 2012-07-19 17:56 - 00000000 ____D C:\Users\Hammers\Local Settings\{DC3E1F99-C41F-42E9-B3F6-305436BB4D9D}
    2012-07-19 17:56 - 2012-07-19 17:56 - 00000000 ____D C:\Users\Hammers\AppData\Local\{DC3E1F99-C41F-42E9-B3F6-305436BB4D9D}
    2012-07-19 17:55 - 2012-07-19 17:55 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{7021BBF7-06CD-4BE7-89BF-08FB2EA6A0BB}
    2012-07-19 17:55 - 2012-07-19 17:55 - 00000000 ____D C:\Users\Hammers\Local Settings\{7021BBF7-06CD-4BE7-89BF-08FB2EA6A0BB}
    2012-07-19 17:55 - 2012-07-19 17:55 - 00000000 ____D C:\Users\Hammers\AppData\Local\{7021BBF7-06CD-4BE7-89BF-08FB2EA6A0BB}
    2012-07-14 18:43 - 2012-07-14 18:48 - 00000000 ____D C:\Users\Hammers\Desktop\grad pix
    2012-07-13 08:41 - 2012-07-13 08:41 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{1FAACF95-38FD-40E3-870B-195E0C3937A9}
    2012-07-13 08:41 - 2012-07-13 08:41 - 00000000 ____D C:\Users\Hammers\Local Settings\{1FAACF95-38FD-40E3-870B-195E0C3937A9}
    2012-07-13 08:41 - 2012-07-13 08:41 - 00000000 ____D C:\Users\Hammers\AppData\Local\{1FAACF95-38FD-40E3-870B-195E0C3937A9}
    2012-07-13 08:40 - 2012-07-13 08:41 - 00000000 ____D C:\Users\Hammers\Local Settings\Application Data\{565A8C6B-EBCA-477E-9E7E-2D31D715676E}
    2012-07-13 08:40 - 2012-07-13 08:41 - 00000000 ____D C:\Users\Hammers\Local Settings\{565A8C6B-EBCA-477E-9E7E-2D31D715676E}
    2012-07-13 08:40 - 2012-07-13 08:41 - 00000000 ____D C:\Users\Hammers\AppData\Local\{565A8C6B-EBCA-477E-9E7E-2D31D715676E}
    2012-07-13 01:00 - 2012-06-13 05:40 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-07-13 00:06 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-07-13 00:06 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-07-13 00:06 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-07-13 00:06 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-07-13 00:06 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-07-13 00:06 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-07-13 00:06 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-07-13 00:06 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-07-13 00:06 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-07-13 00:06 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-07-13 00:06 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-07-13 00:06 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-07-13 00:06 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-07-13 00:06 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-07-10 17:12 - 2012-06-08 09:47 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-07-10 17:10 - 2012-06-05 08:47 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-07-10 17:10 - 2012-06-05 08:47 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-07-10 17:10 - 2012-06-04 07:26 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-07-10 17:10 - 2012-06-01 16:04 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-07-10 17:10 - 2012-06-01 16:03 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll


    ============ 3 Months Modified Files ========================

    2012-08-07 08:54 - 2012-08-07 08:54 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\plgoiwsk.sys
    2012-08-07 08:54 - 2011-01-19 17:36 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-08-07 08:45 - 2012-04-11 01:21 - 00042672 ____A C:\Windows\PFRO.log
    2012-08-06 20:34 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-06 20:34 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-06 20:34 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-06 20:32 - 2007-04-19 10:52 - 00000149 ____A C:\Users\Public\Documents\hpqp.ini
    2012-08-06 20:32 - 2007-04-19 10:52 - 00000149 ____A C:\Users\All Users\Documents\hpqp.ini
    2012-08-06 19:50 - 2012-08-06 19:50 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-06 19:50 - 2007-07-20 12:14 - 01205994 ____A C:\Windows\WindowsUpdate.log
    2012-08-06 19:49 - 2006-11-02 02:33 - 00774508 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-06 19:39 - 2012-08-06 19:38 - 10288512 ____A (Microsoft Corporation) C:\Users\Hammers\Desktop\mseinstall.exe
    2012-08-06 18:40 - 2006-11-02 05:01 - 00032550 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-08-05 10:53 - 2008-08-24 04:43 - 00001738 ___AH C:\Users\Hammers\My Documents\Default.rdp
    2012-08-05 10:53 - 2008-08-24 04:43 - 00001738 ___AH C:\Users\Hammers\Documents\Default.rdp
    2012-08-04 12:38 - 2012-08-04 12:38 - 00142768 ____A C:\Windows\Minidump\Mini080412-01.dmp
    2012-08-04 12:38 - 2012-06-16 14:21 - 201321065 ____A C:\Windows\MEMORY.DMP
    2012-08-02 17:01 - 2012-04-12 13:23 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-08-02 17:01 - 2011-06-25 13:01 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-08-01 20:15 - 2012-08-01 20:15 - 00000352 ____A C:\Users\Hammers\My Documents\wilco.txt
    2012-08-01 20:15 - 2012-08-01 20:15 - 00000352 ____A C:\Users\Hammers\Documents\wilco.txt
    2012-07-30 13:40 - 2012-07-30 09:33 - 04503728 ___AT C:\Users\All Users\ras_0oed.pad
    2012-07-30 13:40 - 2012-07-30 09:33 - 04503728 ___AT C:\Users\All Users\Application Data\ras_0oed.pad
    2012-07-30 09:39 - 2008-04-20 19:13 - 00126448 ____A C:\Users\Steve\Local Settings\GDIPFONTCACHEV1.DAT
    2012-07-30 09:39 - 2008-04-20 19:13 - 00126448 ____A C:\Users\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2012-07-30 09:39 - 2008-04-20 19:13 - 00126448 ____A C:\Users\Steve\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-07-30 09:36 - 2011-12-27 17:55 - 00000680 ____A C:\Users\Hammers\Local Settings\d3d9caps.dat
    2012-07-30 09:36 - 2011-12-27 17:55 - 00000680 ____A C:\Users\Hammers\Local Settings\Application Data\d3d9caps.dat
    2012-07-30 09:36 - 2011-12-27 17:55 - 00000680 ____A C:\Users\Hammers\AppData\Local\d3d9caps.dat
    2012-07-29 18:18 - 2012-04-01 16:53 - 00002730 ____A C:\Windows\setupact.log
    2012-07-24 18:14 - 2012-07-24 18:14 - 00142768 ____A C:\Windows\Minidump\Mini072412-01.dmp
    2012-07-21 09:56 - 2006-11-02 04:47 - 01781856 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-21 04:31 - 2012-02-23 08:46 - 00000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-21 04:31 - 2012-02-23 08:46 - 00000906 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-13 00:59 - 2006-11-02 02:23 - 00000219 ____A C:\Windows\win.ini
    2012-07-13 00:08 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-07-03 10:46 - 2010-06-15 08:43 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-06-13 05:40 - 2012-07-13 01:00 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-09 12:08 - 2012-06-09 12:08 - 00062198 ____A C:\Users\Hammers\Desktop\photo-6.jpeg
    2012-06-08 09:47 - 2012-07-10 17:12 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-05 08:47 - 2012-07-10 17:10 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-05 08:47 - 2012-07-10 17:10 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-04 07:26 - 2012-07-10 17:10 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-02 14:19 - 2012-06-21 10:44 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-21 10:44 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-21 10:44 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-21 10:43 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-21 10:43 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:12 - 2012-06-21 10:44 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:12 - 2012-06-21 10:43 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 12:19 - 2012-06-21 10:41 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 12:12 - 2012-06-21 10:41 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 01:07 - 2012-07-13 00:06 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-02 00:43 - 2012-07-13 00:06 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-02 00:33 - 2012-07-13 00:06 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-02 00:26 - 2012-07-13 00:06 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-02 00:25 - 2012-07-13 00:06 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-02 00:25 - 2012-07-13 00:06 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-02 00:23 - 2012-07-13 00:06 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-02 00:21 - 2012-07-13 00:06 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-02 00:20 - 2012-07-13 00:06 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-02 00:19 - 2012-07-13 00:06 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-02 00:19 - 2012-07-13 00:06 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-02 00:17 - 2012-07-13 00:06 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-02 00:16 - 2012-07-13 00:06 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-02 00:14 - 2012-07-13 00:06 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-01 16:04 - 2012-07-10 17:10 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 16:03 - 2012-07-10 17:10 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-06-01 11:11 - 2012-05-30 12:37 - 00012099 ____A C:\Users\Hammers\My Documents\master.xlsx
    2012-06-01 11:11 - 2012-05-30 12:37 - 00012099 ____A C:\Users\Hammers\Documents\master.xlsx
    2012-05-16 13:47 - 2012-05-16 12:25 - 00010206 ____A C:\Users\Hammers\My Documents\Crush Lineup 20120516.xlsx
    2012-05-16 13:47 - 2012-05-16 12:25 - 00010206 ____A C:\Users\Hammers\Documents\Crush Lineup 20120516.xlsx


    ZeroAccess:
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L\00000004.@
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L\201d3dde

    ZeroAccess:
    C:\Users\Hammers\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
    C:\Users\Hammers\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
    C:\Users\Hammers\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
    C:\Users\Hammers\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U

    ZeroAccess:
    C:\Windows\assembly\GAC\Desktop.ini

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 24%
    Total physical RAM: 2037.44 MB
    Available physical RAM: 1532.2 MB
    Total Pagefile: 1767.5 MB
    Available Pagefile: 1615.44 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1983.55 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:103.66 GB) (Free:17 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (HP_RECOVERY) (Fixed) (Total:8.13 GB) (Free:1.77 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    4 Drive f: () (Removable) (Total:0.95 GB) (Free:0.31 GB) FAT
    5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 112 GB 1528 KB
    Disk 1 Online 977 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 104 GB 32 KB
    Partition 2 Primary 8 GB 104 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 104 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 D HP_RECOVERY NTFS Partition 8 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 976 MB 123 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 06
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 0 F FAT Removable 976 MB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-08-06 18:56

    ======================= End Of Log ==========================

    Any hope? Please advise on how to proceed.
     
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    [√] Hope. Definitely will get this fixed up. :)

    Additional FRST Scan

    Once again, please boot to the System Recovery Options and run FRST, as done previously.

    Type the following text in the blank box after Search:

    services.exe

    Click: Search file(s)


    When done searching, FRST makes a log, Search.txt, on the C:\ drive.

    Please provide the Search.txt in your reply.
     
  5. NailBeater

    NailBeater TS Rookie Topic Starter

    Ok - Here's the result of the 'services.exe' search .....

    Farbar Recovery Scan Tool Version: 05-08-2012 01
    Ran by SYSTEM at 2012-08-08 13:07:02
    Running from F:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
    [2011-01-19 17:36] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
    [2008-09-19 13:45] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
    [2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

    C:\Windows\System32\services.exe
    [2011-01-19 17:36] - [2012-08-07 08:54] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843

    === End Of Search ===

    Thanks for your time and help,
    steve
     
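As an added example (not part of the thread, and not FRST's own code), the following Python script automates the comparison the helper makes from this Search.txt: it parses the entries, treats the WinSxS component-store copies as known-good references, and flags any other copy of the same file whose MD5 matches none of them. The field names and the creation/modification order of the two bracketed timestamps are my reading of the log format, not FRST documentation.

```python
import re
from collections import defaultdict

# Search.txt entries copied verbatim from the post above (the surrounding
# text block is constructed; the paths, dates, sizes and MD5s are the thread's).
SEARCH_TXT = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2011-01-19 17:36] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-09-19 13:45] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

C:\Windows\System32\services.exe
[2011-01-19 17:36] - [2012-08-07 08:54] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843

=== End Of Search ===
"""

# Detail line: [first timestamp] - [second timestamp] - size attrs (company) MD5.
# Assumption from the log: the second timestamp is the modification time (the
# System32 copy's 2012-08-07 08:54 matches the "Modified Files" listing above).
ENTRY_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_search(text):
    """Return one dict per (path line, detail line) pair found in Search.txt."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            pending = line          # remember the path; details follow on the next line
            continue
        m = ENTRY_RE.match(line)
        if m and pending:
            d = m.groupdict()
            d["path"] = pending
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
            pending = None
    return entries


def is_component_store(path):
    """WinSxS holds the servicing copies that a fix can restore from."""
    return "\\winsxs\\" in path.lower()


def find_mismatches(entries):
    """Flag copies outside WinSxS whose MD5 matches no WinSxS copy of the same file name."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    findings = []
    for group in by_name.values():
        reference = {e["md5"] for e in group if is_component_store(e["path"])}
        if not reference:
            continue                # no known-good copy to compare against
        for e in group:
            if not is_component_store(e["path"]) and e["md5"] not in reference:
                findings.append({
                    "path": e["path"], "md5": e["md5"], "size": e["size"],
                    "modified": e["modified"], "known_good": sorted(reference),
                })
    return findings


if __name__ == "__main__":
    for f in find_mismatches(parse_search(SEARCH_TXT)):
        print(f"{f['path']}  MD5 {f['md5']}  modified {f['modified']}")
        print("  matches none of the WinSxS copies:", ", ".join(f["known_good"]))
```

A hash that matches no servicing copy is a lead, not proof by itself; the restore step in the thread then replaces the file from one of the WinSxS copies.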
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    You're welcome...next step...

    FRST Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
     
  7. NailBeater

    NailBeater TS Rookie Topic Starter

    Hi!
    Ran the fix file as instructed. Here are the contents of the log from that....


    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 05-08-2012 01
    Ran by SYSTEM at 2012-08-09 06:59:13 Run:1
    Running from F:\

    ==============================================

    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe copied successfully to C:\Windows\System32\services.exe
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} moved successfully.
    C:\Users\Hammers\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} moved successfully.
    C:\Windows\assembly\GAC\Desktop.ini moved successfully.

    ====


    It took quite a while to start, but after a while came up normally. I've not yet encountered the 1 minute until restart issue - however, I've not really used the machine. I did start a MS Essentials full scan. At this time, it's still chugging, but has presented a message in the scan window saying...

    "Preliminary scan results show that malicious or potentially unwanted software might exist on your system. You can review detected items when the scan has completed."

    Hope it was alright to go ahead and scan.

    Thanks,
    Steve
     
  8. NailBeater

    NailBeater TS Rookie Topic Starter

    Hi. Things are looking much better on the machine. Applications are functioning, not getting the restart notice. However, I'm noticing that neither Windows Defender nor Firewall are running, and I'm not able to turn them on. Also, I get an error immediately when I try to check for a definitions update in MS Essentials. Could this still be part of this issue - or another? Not touching anything until I hear back. Thanks!
     
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
     
  10. NailBeater

    NailBeater TS Rookie Topic Starter

    Hi,
    ComboFix appears to have run successfully. Here are the log contents.....

    ComboFix 12-08-09.01 - Hammers 08/10/2012 6:46.1.2 - x86
    Running from: c:\users\Hammers\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\Packet.dll
    c:\windows\system32\pthreadVC.dll
    c:\windows\system32\wpcap.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_NPF
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-10 to 2012-08-10 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-10 11:59 . 2012-08-10 11:59 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{408AB380-0A21-4238-8FE4-A5EC882C1AC5}\offreg.dll
    2012-08-10 02:06 . 2012-07-16 07:41 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{408AB380-0A21-4238-8FE4-A5EC882C1AC5}\mpengine.dll
    2012-08-07 20:14 . 2012-08-07 20:14 -------- dc----w- C:\FRST
    2012-08-07 04:04 . 2012-02-09 19:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2012-08-07 04:04 . 2012-02-09 19:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{098D40F7-D3B2-4D48-9083-1D7F39FB7418}\gapaengine.dll
    2012-08-07 04:03 . 2012-07-16 07:41 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-08-07 03:49 . 2012-08-07 03:49 -------- d-----w- c:\program files\Microsoft Security Client
    2012-08-03 01:04 . 2012-08-03 01:04 -------- d-----w- c:\users\Hammers\AppData\Local\Macromedia
    2012-08-02 23:50 . 2012-08-02 23:50 19720 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2012-07-30 21:29 . 2012-07-30 21:29 -------- d-----w- c:\users\Hammers\AppData\Local\IsolatedStorage
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-03 01:01 . 2012-04-12 21:23 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-08-03 01:01 . 2011-06-25 21:01 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-03 18:46 . 2010-06-15 16:43 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-13 13:40 . 2012-07-13 09:00 2047488 ----a-w- c:\windows\system32\win32k.sys
    2012-06-05 16:47 . 2012-07-11 01:10 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2012-06-05 16:47 . 2012-07-11 01:10 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-04 15:26 . 2012-07-11 01:10 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-06-02 22:19 . 2012-06-21 18:44 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 18:44 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 18:43 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 18:43 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-21 18:44 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-21 18:44 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-21 18:43 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 20:19 . 2012-06-21 18:41 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 20:12 . 2012-06-21 18:41 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-02 08:25 . 2012-07-13 08:06 1129472 ----a-w- c:\windows\system32\wininet.dll
    2012-06-02 00:04 . 2012-07-11 01:10 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-06-02 00:03 . 2012-07-11 01:10 204288 ----a-w- c:\windows\system32\ncrypt.dll
    2012-05-31 03:41 . 2012-07-06 22:13 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{35D7C0BD-4902-4931-927B-6B70A9E8B90B}\mpengine.dll
    2012-05-22 02:02 . 2012-05-22 02:02 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "SansaDispatch"="c:\users\Hammers\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe" [2012-01-07 79872]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-08 833072]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 138008]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 154392]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 133912]
    "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-03-29 176128]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
    "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-07-03 973488]
    "WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
    2007-03-12 18:54 50696 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    2007-03-01 20:18 472776 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-08-19 06:07 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    2012-03-08 23:50 4280184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-02-12 c:\windows\Tasks\HPCeeScheduleForCAMILLE.job
    - c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-04-19 21:23]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    LSP: c:\windows\system32\wpclsp.dll
    Trusted Zone: institution.edu\mapserver
    Trusted Zone: siu.edu\bloodstone.rocks
    TCP: DhcpNameServer = 74.81.99.1 74.81.99.2
    FF - ProfilePath - c:\users\Hammers\AppData\Roaming\Mozilla\Firefox\Profiles\75rjp6xy.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z192&form=ZGAADF&install_date=20111122&q=
    .
    .
    **************************************************************************
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    SansaDispatch = c:\users\Hammers\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe????:????m???n???m???n???????????????????????????????????????????????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files:
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Security Client\MsMpEng.exe
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
    c:\program files\Juniper Networks\Common Files\dsNcService.exe
    c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\DRIVERS\xaudio.exe
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\program files\NETGEAR\WNA3100\WNA3100.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\ehome\ehmsas.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-10 07:11:33 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-10 12:11
    .
    Pre-Run: 14,647,447,552 bytes free
    Post-Run: 17,119,109,120 bytes free
    .
    - - End Of File - - 4988FD231A9FD1CE8C4BF59AAC1496A9


    Will wait to hear from you on how to proceed.

    Thanks,
    Steve
     
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Scan for malware

    Please download Malwarebytes Anti-Malware from HERE.


    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Copy and paste the entire report in your next reply.
     
     
  12. NailBeater

    NailBeater TS Rookie Topic Starter

    Hi. Ran the malware scan. Looks like nothing detected. Log follows...


    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.08.11.03

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Hammers :: AUDI_TT [administrator]

    8/11/2012 10:49:59 AM
    mbam-log-2012-08-11 (10-49-59).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 220332
    Time elapsed: 11 minute(s), 36 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    The machine does appear operational - but still unable to update the MS Essentials definitions. I've not really released this machine for use by the family - and am only connecting to the web when attempting to update AV, or when I pulled down MBAM for this step. Any more we can do to deem it clean? Any suggestions on the MSE update issue?

    Thanks for all your help,
    steve
     
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please perform a clean boot of Windows Vista by following this article: http://support.microsoft.com/kb/929135

    Then, let me know what happens with Updates.

    For MSE, it is usually best to reinstall it, so it can fix its services.
     
  14. NailBeater

    NailBeater TS Rookie Topic Starter

    Hi DMJ,

    I went through the clean boot process. When I disabled all non-Windows services, I still got the error on the Essentials update. I wasn't sure if I was supposed to go through disabling the Windows services the way they described to find any non-Windows services that might affect the problem. Let me know whether I was supposed to try that or not - seemed kinda dangerous.

    I did go ahead and uninstall/re-install MS Essentials. The install went fine until it went to do the initial update - then flopped with the following error:

    Error code: 0x80240022
    Error description: Security Essentials couldn't download the
    definition updates. This might be caused by a missing system file,
    an incorrect system setting, or a problem with a registry file.

    Any idea?
     
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    I know this sounds silly, but check your system time and date.

    See if that's correct. We have other options to do troubleshooting.
     
  16. NailBeater

    NailBeater TS Rookie Topic Starter

    No suggestion is silly if it may lead to a solution. However - my system time and date looks to be correct. Let me know how else we might isolate the issue. It looks like MS Essentials is listed in my firewall exceptions. Not sure if that's the only place it should be, or if there are other places to verify it's set up properly.

    Thanks again for your time and patience.
     
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Click Start > type in CMD and right-click on it and select Run as administrator...

    Type this in Command Prompt and hit enter:

    sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto

    Let me know if you can update after this...
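
    An added check, not part of this thread and not something the helper posted: once BITS has been recreated with the sc create command above, this script confirms that the two services Windows Update and Security Essentials definition downloads depend on (BITS and wuauserv) still exist, are not disabled, and are hosted by the genuine svchost.exe from System32 in the netsvcs group. It assumes the stock Vista x86 layout (the same "svchost.exe -k netsvcs" binpath the sc create command writes for BITS, which I also assume for wuauserv) and is run from an elevated PowerShell prompt. A MISSING or SUSPECT line means the service table is still damaged and the update error is likely to return.

```powershell
# Added example (not from the TechSpot thread). Verifies the service entries
# that Windows Update / MSE updates rely on after "sc create BITS ...".
# Assumptions: stock Vista layout, both services hosted by svchost.exe in the
# netsvcs group; run in an elevated PowerShell prompt.

$system32 = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\system32

# Service name -> expected svchost group. The stock binpath for both is
# "%SystemRoot%\system32\svchost.exe -k netsvcs" (assumed for wuauserv; for
# BITS it is exactly what the sc create command in the post sets).
$expected = @{
    'BITS'     = 'netsvcs'
    'wuauserv' = 'netsvcs'
}

foreach ($name in $expected.Keys) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) {
        # No registry entry for the service at all: this is what produced the
        # update failure in the thread until BITS was recreated.
        Write-Output ("{0,-9} MISSING   service entry deleted; recreate it with sc create" -f $name)
        continue
    }

    # PathName may come back with %SystemRoot% unexpanded; normalise it first.
    $path      = [Environment]::ExpandEnvironmentVariables($svc.PathName)
    $goodHost  = $path -like "$system32\svchost.exe*"
    $goodGroup = $path -match ('-k\s+' + [regex]::Escape($expected[$name]) + '(\s|$)')

    # SUSPECT means the service exists but points somewhere other than the
    # real svchost.exe / expected group, which is worth a closer look.
    $verdict = if ($goodHost -and $goodGroup) { 'OK' } else { 'SUSPECT' }
    Write-Output ("{0,-9} {1,-8} state={2} start={3} path={4}" -f `
        $name, $verdict, $svc.State, $svc.StartMode, $path)

    if ($svc.StartMode -eq 'Disabled') {
        Write-Output "          start type is Disabled; updates cannot download until it is re-enabled"
    }
}
```

    Each line reports the service name, a verdict, the current state and start mode, and the resolved binary path, so the output can be pasted into a reply alongside the other logs.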
     
  18. NailBeater

    NailBeater TS Rookie Topic Starter

    Things are looking much better. The BITS service was created and started. The first attempt at an Essentials update worked great. Also a single Windows update worked fine. Did a reboot, then it started getting picky again. BITS was still intact. Rebooted and tried again, Windows Updates worked well - had several out there to pick up, so did them one or a couple at a time. Sometimes they seemed to take a very long time, but leaving them alone, they finally finished up. As of now, I'm cautiously optimistic. Anything else you'd like to see done, or do you think we can consider it a clean machine?
     
  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Remnants to check for...

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and Scan unwanted applications are checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
     
  20. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello. Are you still with us?

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.
     

