TechSpot

Sirefef... darn you!!!

Inactive
By Kendra89
Jul 30, 2012
  1. Help! My Compaq Presario has fallen victim to the Sirefef bug and shuts down immediately (with a 60 sec warning) every time it boots. I am operating Windows 7, 64 bit I think. I'm such a rookie at these things but I managed to manually remove Smart HDD a few months ago myself after some research. This Sirefef though has proven nearly impossible since it shuts down constantly. I really need my laptop for my school work. Can you help me please? I noticed you helped several others with the same issue.
    It seems that the types of sirefef my comp has encountered include AA, AB, AN, B, P, W, and "regular" sirefef.
     
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
    Download Farbar Recovery Scan Tool and save it to a flash drive.

    Please make sure to download the 64-bit version.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst64 and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there
    • Press Scan button.
    • Type exit and reboot the computer normally.
    • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.
    Additional FRST Scan

    Once again, please boot to the System Recovery Options and run FRST, as done previously.

    Type the following text in the blank box after Search:

    services.exe

    Click: Search file(s)


    When done searching, FRST makes a log, Search.txt, on the C:\ drive.

    Please provide the Search.txt in your reply along with the first log from FRST.
     
  3. Kendra89

    Kendra89 TS Rookie Topic Starter Posts: 24

    DMJ,
    Thank you for your response! I started to complete the steps you outlined but when I went to the "repair your computer" menu option it went to a screen saying "windows failed to start. A recent hardware or software change might be the cause...." however I do not have the Windows installation disk. It says the boot selection failed because a required device is inaccessible. This is the first time this has happened.
     
  4. Kendra89

    Kendra89 TS Rookie Topic Starter Posts: 24

    Update: I removed the USB and selected safe mode with command prompt and it seemed to start. I am going to let the laptop charge a bit then try again with the flash in.
     
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Let me know the result of trying again please.
     
  6. Kendra89

    Kendra89 TS Rookie Topic Starter Posts: 24

    DMJ,
    I tried again and the boot manager seems to not be working properly. It is telling me the boot selection failed because a required device is inaccessible. However when I exit and continue the computer starts normally. What should I do?
     
  7. Kendra89

    Kendra89 TS Rookie Topic Starter Posts: 24

    I have also noticed the computer restarts whether I sign in to my account or not after about 60 seconds post-boot.
     
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay...was that the OS giving the error or FRST?
     
  9. Kendra89

    Kendra89 TS Rookie Topic Starter Posts: 24

    I'm no expert, but I'm pretty sure it's the OS giving the error because it happens whether the flash drive is in or not. At first I was nervous because I thought my whole OS was shot but it still starts normally. I'm just not able to get the boot manager to allow me to choose "repair my computer" because the next screen won't show those options.
     
  10. Kendra89

    Kendra89 TS Rookie Topic Starter Posts: 24

    To clarify, the option to repair the computer is there, but when I select it, the screen saying that one of the required devices is inaccessible appears.
     
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Let's work with this tool...

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
     
     
  12. Kendra89

    Kendra89 TS Rookie Topic Starter Posts: 24

    Since I only have a minute to work before the computer shuts down, I have been breaking the steps up. But it seems that ComboFix slows down when the progress bar is a little past half way. It keeps staying at the "output folder:C:\..." too long and the computer forces shut down before it is finished. This is soooo frustrating!!!
     
  13. Kendra89

    Kendra89 TS Rookie Topic Starter Posts: 24

    Trying to find the log that combo fix produced but I do not see it... I'm looking in C but I don't know where to look thereafter.
     
  14. Kendra89

    Kendra89 TS Rookie Topic Starter Posts: 24

    Okay so apparently combo fix never finished its run. It seemed to have shut my computer down but actually logged me off and shut it down properly for the first time since the virus came and ruined everything. I'm excited!! It's scanning at the moment.
     
  15. Kendra89

    Kendra89 TS Rookie Topic Starter Posts: 24

    ComboFix 12-07-31.02 - Key 08/01/2012 8:13:44.1.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1643.561 [GMT -4:00]
    Running from: C:\Users\Key\Desktop\ComboFix.exe
    Command switches used :: C:\Users\Key\Desktop\svchost.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    C:\Windows\Installer\{80b04fcf-ecef-70ab-cf5c-291b2945d109}\@
    C:\Windows\Installer\{80b04fcf-ecef-70ab-cf5c-291b2945d109}\L\00000004.@
    C:\Windows\Installer\{80b04fcf-ecef-70ab-cf5c-291b2945d109}\L\201d3dde
    C:\Windows\Installer\{80b04fcf-ecef-70ab-cf5c-291b2945d109}\n
    C:\Windows\Installer\{80b04fcf-ecef-70ab-cf5c-291b2945d109}\U\00000008.@
    C:\Windows\svchost.exe
    Infected copy of C:\Windows\system32\services.exe was found and disinfected
    Restored copy from - C:\32788R22FWJFW\HarddiskVolumeShadowCopy6_!Windows!System32!services.exe

    ((((((((((((((((((((((((( Files Created from 2012-07-01 to 2012-08-01 )))))))))))))))))))))))))))))))

    2012-08-01 12:34:43 . 2012-08-01 12:34:43 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A8AC37E4-F8A9-48E4-8203-D43CEB191C54}\offreg.dll
    2012-08-01 12:28:58 . 2012-08-01 12:28:58 -------- d-----w- C:\Users\Default\AppData\Local\temp
    2012-07-30 03:20:58 . 2012-07-16 06:40:12 9133488 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A8AC37E4-F8A9-48E4-8203-D43CEB191C54}\mpengine.dll
    2012-07-30 03:18:50 . 2012-07-30 03:18:50 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-07-30 02:16:17 . 2012-07-30 02:16:17 50392 ----a-w- C:\Windows\system32\drivers\faslozju.sys
    2012-07-30 02:15:25 . 2012-07-30 02:15:34 50392 ----a-w- C:\Windows\system32\drivers\vhqmcfzw.sys
    2012-07-30 00:43:03 . 2012-02-09 18:17:24 927800 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{BAA9A428-A79B-499A-83F5-B18CB89443D9}\gapaengine.dll
    2012-07-30 00:40:32 . 2012-07-30 00:40:33 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
    2012-07-30 00:40:19 . 2012-07-30 00:40:48 -------- d-----w- C:\Program Files\Microsoft Security Client
    2012-07-28 00:30:40 . 2012-07-28 00:30:40 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
    2012-07-12 11:43:09 . 2012-06-12 03:02:52 3147264 ----a-w- C:\Windows\system32\win32k.sys
    2012-07-12 07:03:59 . 2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\system32\jscript9.dll
    2012-07-11 13:16:28 . 2012-06-06 05:50:50 1880064 ----a-w- C:\Windows\system32\msxml3.dll
    2012-07-11 13:16:27 . 2012-06-06 05:50:50 2003968 ----a-w- C:\Windows\system32\msxml6.dll
    2012-07-11 13:16:24 . 2012-06-06 05:09:46 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll
    2012-07-11 13:16:22 . 2012-06-06 05:09:46 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
    2012-07-11 13:16:02 . 2012-06-09 05:30:56 14165504 ----a-w- C:\Windows\system32\shell32.dll
    2012-07-11 13:15:50 . 2012-06-02 05:37:45 459216 ----a-w- C:\Windows\system32\drivers\cng.sys
    2012-07-11 13:15:50 . 2012-06-02 05:27:02 340992 ----a-w- C:\Windows\system32\schannel.dll
    2012-07-11 13:15:49 . 2012-06-02 05:38:24 152432 ----a-w- C:\Windows\system32\drivers\ksecpkg.sys
    2012-07-11 13:15:49 . 2012-06-02 05:27:00 307200 ----a-w- C:\Windows\system32\ncrypt.dll
    2012-07-11 13:15:48 . 2012-06-02 05:38:26 95088 ----a-w- C:\Windows\system32\drivers\ksecdd.sys
    2012-07-11 13:15:48 . 2012-06-02 04:47:31 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
    2012-07-11 13:15:47 . 2012-06-02 04:48:35 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
    2012-07-11 13:15:45 . 2012-06-02 04:48:39 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
    2012-07-11 13:15:44 . 2012-06-02 04:42:51 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
    2012-07-11 13:15:39 . 2012-06-06 05:50:28 1425408 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll
    2012-07-11 13:15:33 . 2012-06-06 05:09:25 987136 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll
    2012-07-08 00:11:38 . 2012-07-08 00:11:38 -------- d-----w- C:\Users\Key\AppData\Roaming\Malwarebytes
    2012-07-08 00:10:06 . 2012-07-08 00:10:06 -------- d-----w- C:\ProgramData\Malwarebytes
    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    2012-07-30 00:04:18 . 2012-07-30 00:04:18 5120 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\6403.tmp
    2012-07-30 00:04:18 . 2012-07-30 00:04:18 5120 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\63C3.tmp
    2012-07-20 12:10:01 . 2012-05-09 01:38:09 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-07-20 12:10:01 . 2011-09-06 00:16:47 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-12 07:07:08 . 2011-09-06 17:54:03 59701280 ----a-w- C:\Windows\system32\MRT.exe
    2012-06-24 16:02:00 . 2012-06-24 16:02:14 113152 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\5753.tmp.dat
    2012-06-02 22:19:46 . 2012-06-19 14:01:20 38424 ----a-w- C:\Windows\system32\wups.dll
    2012-06-02 22:19:43 . 2012-06-19 14:01:55 2428952 ----a-w- C:\Windows\system32\wuaueng.dll
    2012-06-02 22:19:42 . 2012-06-19 14:01:57 44056 ----a-w- C:\Windows\system32\wups2.dll
    2012-06-02 22:19:42 . 2012-06-19 14:01:56 57880 ----a-w- C:\Windows\system32\wuauclt.exe
    2012-06-02 22:19:23 . 2012-06-19 14:01:19 701976 ----a-w- C:\Windows\system32\wuapi.dll
    2012-06-02 22:15:31 . 2012-06-19 14:01:55 2622464 ----a-w- C:\Windows\system32\wucltux.dll
    2012-06-02 22:15:08 . 2012-06-19 14:01:20 99840 ----a-w- C:\Windows\system32\wudriver.dll
    2012-06-02 19:19:42 . 2012-06-19 14:00:48 186752 ----a-w- C:\Windows\system32\wuwebv.dll
    2012-06-02 19:15:12 . 2012-06-19 14:00:47 36864 ----a-w- C:\Windows\system32\wuapp.exe
    2012-05-28 11:53:54 . 2012-05-28 11:54:07 19736 ----a-w- C:\ProgramData\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2012-05-04 10:52:22 . 2012-06-14 11:01:06 5505392 ----a-w- C:\Windows\system32\ntoskrnl.exe
    2012-05-04 10:08:16 . 2012-06-14 11:01:02 3958128 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2012-05-04 10:08:15 . 2012-06-14 11:01:03 3902320 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-11-22 21:20:48 2736128]
    "MobileDocuments"="C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 16:30:40 59240]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-02-12 07:15:46 336384]
    "HP Quick Launch"="C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 23:20:36 586296]
    "Adobe Reader Speed Launcher"="C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-04-04 05:53:56 35736]
    "Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 07:37:53 843712]
    "HPOSD"="C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2010-12-13 20:48:18 318520]
    "APSDaemon"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 01:28:32 59240]
    "iTunesHelper"="C:\Program Files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 09:09:24 421736]
    "QuickTime Task"="C:\Program Files (x86)\QuickTime\QTTask.exe" [2012-04-19 00:56:22 421888]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 21:27:14 138576]
    R2 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-07-21 22:33:00 103992]
    R3 80729929;80729929; [x]
    R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys [2009-06-10 20:35:28 5434368]
    R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 00:44:12 98688]
    R3 NisSrv;Microsoft Network Inspection;c:\Program Files\Microsoft Security Client\NisSrv.exe [2012-03-26 22:49:56 291696]
    R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 04:34:24 4925184]
    R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 21:01:11 292864]
    R3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 21:01:11 1485312]
    R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 21:01:11 740864]
    R3 ssmirrdr;ssmirrdr;C:\Windows\system32\DRIVERS\ssmirrdr.sys [2011-03-15 05:11:10 10112]
    R3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys [2012-02-15 15:01:50 52736]
    R3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe [2011-07-18 06:42:52 1255736]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys [2009-06-10 20:35:33 389120]
    R4 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-07-11 21:37:34 116648]
    R4 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-07-11 21:37:34 116648]
    R4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 02:10:10 57184]
    S0 amd_sata;amd_sata;C:\Windows\system32\DRIVERS\amd_sata.sys [2010-11-12 01:15:58 77952]
    S0 amd_xata;amd_xata;C:\Windows\system32\DRIVERS\amd_xata.sys [2010-11-12 01:16:00 37504]
    S1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys [2009-07-14 00:07:22 59904]
    S2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 10:10:42 63928]
    S2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 02:14:26 98208]
    S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe [2011-07-05 20:08:28 204288]
    S2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-02-12 07:31:26 354304]
    S2 AMD Reservation Manager;AMD Reservation Manager;C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 12:23:36 194496]
    S2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 19:22:40 822624]
    S2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-08-06 03:51:08 291896]
    S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2010-12-16 22:53:58 92216]
    S2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 23:20:34 26680]
    S2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-09-11 09:02:22 399344]
    S2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 13:30:18 508776]
    S3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys [2010-02-18 16:18:24 46136]
    S3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2011-07-05 20:50:30 9359872]
    S3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys [2011-07-05 19:32:22 309760]
    S3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\system32\DRIVERS\clwvd.sys [2011-03-23 13:17:06 31088]
    S3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\system32\DRIVERS\RtsPStor.sys [2010-12-22 04:10:00 333416]
    S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 11:34:52 539240]
    S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\system32\DRIVERS\rtl8192Ce.sys [2011-01-05 09:08:58 1109096]
    S3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 13:30:10 764264]
    S3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 13:30:18 268648]
    S3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 13:30:18 25960]
    S3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 13:30:22 22376]
    S3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 13:30:22 219496]
    S3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys [2010-11-29 11:50:38 44672]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys [2009-07-14 00:07:28 17920]

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-11-22 21:18:50 451872 ----a-w- C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe
    Contents of the 'Scheduled Tasks' folder
    2012-08-01 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-07-11 21:37:43 . 2012-07-11 21:37:34]
    2012-08-01 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-07-11 21:37:43 . 2012-07-11 21:37:34]

    --------- X64 Entries -----------

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
    @="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
    [HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
    2010-12-11 02:32:56 2240000 ----a-w- C:\Program Files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
    @="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
    [HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
    2010-12-11 02:32:56 2240000 ----a-w- C:\Program Files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
    @="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
    [HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
    2010-12-11 02:32:56 2240000 ----a-w- C:\Program Files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
    @="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
    [HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
    2010-12-11 02:32:56 2240000 ----a-w- C:\Program Files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
    @="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
    [HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
    2010-12-11 02:32:56 2240000 ----a-w- C:\Program Files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDVCPL"="C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" [2011-01-11 22:10:58 6602856]
    "HPWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-07-21 22:33:00 8192]
    "MSC"="c:\Program Files\Microsoft Security Client\msseces.exe" [2012-03-26 22:54:34 1271168]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    ------- Supplementary Scan -------
    uStart Page = hxxp://www.google.com/
    uLocal Page = C:\Windows\system32\blank.htm
    mLocal Page = C:\Windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
    Trusted Zone: phoenix.edu\classroom
    TCP: DhcpNameServer = 192.168.1.1
    - - - - ORPHANS REMOVED - - - -
    URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
    Wow6432Node-HKCU-Run-uUvtuwLOevUVX.exe - C:\ProgramData\uUvtuwLOevUVX.exe
    Wow6432Node-HKCU-Run-Norton - C:\Users\Key\AppData\Roaming\54D91C.exe
    Wow6432Node-HKU-Default-RunOnce-FlashPlayerUpdate - C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10l_ActiveX.exe
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKLM-Run-SynTPEnh - C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
    AddRemove-{9FEFA8C2-80EB-4B7A-BDE0-E077D94C36C4} - C:\Program Files (x86)\InstallShield Installation Information\{9FEFA8C2-80EB-4B7A-BDE0-E077D94C36C4}\setup.exe
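A log-triage helper written for this thread (added example, not ComboFix's or TechSpot's code): it splits a ComboFix log on the "(((( Section ))))" banners and the ORPHANS REMOVED block, then flags the Sirefef/ZeroAccess artifacts the log above records: the GUID folder under C:\Windows\Installer, the patched services.exe, and orphaned Run values pointing at loose executables. The sample lines are copied from the log above; the "misplaced system binary" and "loose Run target" checks are heuristics of my own, not ComboFix output.

```python
"""Triage a ComboFix log for Sirefef/ZeroAccess artifacts (added example,
not ComboFix's or TechSpot's code): split the log on its "(((( Section ))))"
banners and ORPHANS block, then flag the indicators the log above records."""
import re
from dataclasses import dataclass

BANNER = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")
ORPHANS = re.compile(r"^- - - - ORPHANS REMOVED - - - -$")
ORPHAN_ENTRY = re.compile(r"^(?P<key>\S+) - (?P<target>.+)$")
# ZeroAccess payload folder: C:\Windows\Installer\{GUID}\ holding "@", "L\", "U\".
ZA_INSTALLER_DIR = re.compile(
    r"\\Windows\\Installer\\\{[0-9a-f-]{36}\}\\(?:@$|[LU]\\)", re.I)
# ComboFix's own wording when it replaces a patched system binary.
INFECTED_BINARY = re.compile(
    r"^Infected copy of (?P<path>.+?) was found and disinfected", re.I)
# Heuristic (my assumption): a System32 binary name sitting directly in
# C:\Windows; explorer.exe is left out because it legitimately lives there.
MISPLACED_SYSTEM_BINARY = re.compile(
    r"^[a-z]:\\Windows\\(?:svchost|services|lsass|csrss|winlogon|smss)\.exe$", re.I)
# Heuristic (my assumption): a Run value whose target is an .exe dropped
# straight into ProgramData or a user's AppData, with no vendor folder.
LOOSE_RUN_TARGET = re.compile(
    r"^[a-z]:\\(?:ProgramData|Users\\[^\\]+\\AppData\\(?:Roaming|Local))"
    r"\\[^\\]+\.exe$", re.I)


@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    reason: str


def parse_sections(log_text: str) -> dict[str, list[str]]:
    """Return {section name: non-empty lines} for a ComboFix log."""
    sections: dict[str, list[str]] = {}
    current = "Header"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = BANNER.match(line)
        if banner:
            current = banner.group("name")
        elif ORPHANS.match(line):
            current = "ORPHANS REMOVED"
        else:
            sections.setdefault(current, []).append(line)
    return sections


def triage(log_text: str) -> list[Finding]:
    """Flag every log line matching one of the indicators above."""
    found: list[Finding] = []
    for section, lines in parse_sections(log_text).items():
        for line in lines:
            if ZA_INSTALLER_DIR.search(line):
                found.append(Finding(section, line, "ZeroAccess payload folder under Windows\\Installer"))
            infected = INFECTED_BINARY.match(line)
            if infected:
                found.append(Finding(section, line, "patched system binary replaced: " + infected.group("path")))
            if MISPLACED_SYSTEM_BINARY.match(line):
                found.append(Finding(section, line, "System32 binary name directly in C:\\Windows"))
            orphan = ORPHAN_ENTRY.match(line) if section == "ORPHANS REMOVED" else None
            if orphan and "-Run-" in orphan.group("key") and LOOSE_RUN_TARGET.match(orphan.group("target")):
                found.append(Finding(section, line, "Run value pointing at a loose executable in ProgramData/AppData"))
    return found


# Constructed sample: lines copied from the log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Windows\Installer\{80b04fcf-ecef-70ab-cf5c-291b2945d109}\@
C:\Windows\Installer\{80b04fcf-ecef-70ab-cf5c-291b2945d109}\L\00000004.@
C:\Windows\Installer\{80b04fcf-ecef-70ab-cf5c-291b2945d109}\U\00000008.@
C:\Windows\svchost.exe
Infected copy of C:\Windows\system32\services.exe was found and disinfected
Restored copy from - C:\32788R22FWJFW\HarddiskVolumeShadowCopy6_!Windows!System32!services.exe
.
((((((((((((((((((((((((( Files Created from 2012-07-01 to 2012-08-01 )))))))))))))))))))))))))))))))
2012-07-08 00:10:06 . 2012-07-08 00:10:06 -------- d-----w- C:\ProgramData\Malwarebytes
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
Wow6432Node-HKCU-Run-uUvtuwLOevUVX.exe - C:\ProgramData\uUvtuwLOevUVX.exe
Wow6432Node-HKCU-Run-Norton - C:\Users\Key\AppData\Roaming\54D91C.exe
HKLM-Run-SynTPEnh - C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it against a full ComboFix.txt by passing the file's contents to triage(); the legitimate HKLM-Run-SynTPEnh orphan in the sample is left unflagged because its target sits under Program Files.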
     
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    At this time, your computer should start on its own and keep on without shutting down.

    Let me know if this works out...

    ComboFix Script

    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
     
  17. Kendra89

    Kendra89 TS Rookie Topic Starter Posts: 24

    ComboFix 12-07-31.03 - Key 08/02/2012 12:37:27.2.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1643.546 [GMT -4:00]
    Running from: C:\Users\Key\Desktop\ComboFix.exe
    Command switches used :: C:\Users\Key\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    2012-05-28 11:53:54 . 2012-05-28 11:54:07 19736 ----a-w- C:\ProgramData\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

    ((((((((((((((((((((((((((((( SnapShot@2012-08-01_12.35.33 )))))))))))))))))))))))))))))))))))))))))
    + 2011-03-05 19:05:34 . 2012-08-02 16:29:07 53700 C:\Windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10:35 . 2012-08-02 16:29:07 52838 C:\Windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2011-07-17 05:26:44 . 2012-08-02 16:29:09 17064 C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1983032248-2406907208-74079150-1001_UserData.bin
    - 2012-08-01 12:33:13 . 2012-08-01 12:33:14 1820 C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
    + 2012-08-02 16:53:28 . 2012-08-02 16:53:28 1820 C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
    - 2012-08-01 12:34:29 . 2012-08-01 12:34:29 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-08-02 16:54:39 . 2012-08-02 16:54:39 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-08-02 16:54:39 . 2012-08-02 16:54:39 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-08-01 12:34:29 . 2012-08-01 12:34:29 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2009-07-14 05:01:48 . 2012-08-01 12:33:07 433800 C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01:48 . 2012-08-02 16:53:16 433800 C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2009-07-14 02:34:08 . 2012-08-01 12:20:16 10485760 C:\Windows\system32\SMI\Store\Machine\SCHEMA.DAT
    + 2009-07-14 02:34:08 . 2012-08-02 16:39:19 10485760 C:\Windows\system32\SMI\Store\Machine\SCHEMA.DAT
    + 2011-07-17 06:18:23 . 2012-08-02 16:53:19 20483376 C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1983032248-2406907208-74079150-1001-8192.dat
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-11-22 21:20:48 2736128]
    "MobileDocuments"="C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 16:30:40 59240]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-02-12 07:15:46 336384]
    "HP Quick Launch"="C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 23:20:36 586296]
    "Adobe Reader Speed Launcher"="C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-04-04 05:53:56 35736]
    "Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 07:37:53 843712]
    "HPOSD"="C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2010-12-13 20:48:18 318520]
    "APSDaemon"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 01:28:32 59240]
    "iTunesHelper"="C:\Program Files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 09:09:24 421736]
    "QuickTime Task"="C:\Program Files (x86)\QuickTime\QTTask.exe" [2012-04-19 00:56:22 421888]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 21:27:14 138576]
    R3 80729929;80729929; [x]
    R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys [2009-06-10 20:35:28 5434368]
    R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 00:44:12 98688]
    R3 NisSrv;Microsoft Network Inspection;c:\Program Files\Microsoft Security Client\NisSrv.exe [2012-03-26 22:49:56 291696]
    R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 04:34:24 4925184]
    R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 21:01:11 292864]
    R3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 21:01:11 1485312]
    R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 21:01:11 740864]
    R3 ssmirrdr;ssmirrdr;C:\Windows\system32\DRIVERS\ssmirrdr.sys [2011-03-15 05:11:10 10112]
    R3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys [2012-02-15 15:01:50 52736]
    R3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe [2011-07-18 06:42:52 1255736]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys [2009-06-10 20:35:33 389120]
    R4 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-07-11 21:37:34 116648]
    R4 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-07-11 21:37:34 116648]
    R4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 02:10:10 57184]
    S0 amd_sata;amd_sata;C:\Windows\system32\DRIVERS\amd_sata.sys [2010-11-12 01:15:58 77952]
    S0 amd_xata;amd_xata;C:\Windows\system32\DRIVERS\amd_xata.sys [2010-11-12 01:16:00 37504]
    S1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys [2009-07-14 00:07:22 59904]
    S2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 10:10:42 63928]
    S2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 02:14:26 98208]
    S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe [2011-07-05 20:08:28 204288]
    S2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-02-12 07:31:26 354304]
    S2 AMD Reservation Manager;AMD Reservation Manager;C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 12:23:36 194496]
    S2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 19:22:40 822624]
    S2 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-07-21 22:33:00 103992]
    S2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-08-06 03:51:08 291896]
    S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2010-12-16 22:53:58 92216]
    S2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 23:20:34 26680]
    S2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-09-11 09:02:22 399344]
    S2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 13:30:18 508776]
    S3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys [2010-02-18 16:18:24 46136]
    S3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2011-07-05 20:50:30 9359872]
    S3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys [2011-07-05 19:32:22 309760]
    S3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\system32\DRIVERS\clwvd.sys [2011-03-23 13:17:06 31088]
    S3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\system32\DRIVERS\RtsPStor.sys [2010-12-22 04:10:00 333416]
    S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 11:34:52 539240]
    S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\system32\DRIVERS\rtl8192Ce.sys [2011-01-05 09:08:58 1109096]
    S3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 13:30:10 764264]
    S3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 13:30:18 268648]
    S3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 13:30:18 25960]
    S3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 13:30:22 22376]
    S3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 13:30:22 219496]
    S3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys [2010-11-29 11:50:38 44672]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys [2009-07-14 00:07:28 17920]

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-11-22 21:18:50 451872 ----a-w- C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe
    Contents of the 'Scheduled Tasks' folder
    2012-08-02 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-07-11 21:37:43 . 2012-07-11 21:37:34]
    2012-08-02 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-07-11 21:37:43 . 2012-07-11 21:37:34]

    --------- X64 Entries -----------

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
    @="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
    [HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
    2010-12-11 02:32:56 2240000 ----a-w- C:\Program Files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
    @="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
    [HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
    2010-12-11 02:32:56 2240000 ----a-w- C:\Program Files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
    @="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
    [HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
    2010-12-11 02:32:56 2240000 ----a-w- C:\Program Files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
    @="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
    [HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
    2010-12-11 02:32:56 2240000 ----a-w- C:\Program Files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
    @="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
    [HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
    2010-12-11 02:32:56 2240000 ----a-w- C:\Program Files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
    "RTHDVCPL"="C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" [2011-01-11 22:10:58 6602856]
    "HPWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-07-21 22:33:00 8192]
    "MSC"="c:\Program Files\Microsoft Security Client\msseces.exe" [2012-03-26 22:54:34 1271168]
    ------- Supplementary Scan -------
    uStart Page = hxxp://www.google.com/
    uLocal Page = C:\Windows\system32\blank.htm
    mLocal Page = C:\Windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
    Trusted Zone: phoenix.edu\classroom
    TCP: DhcpNameServer = 192.168.1.1
    - - - - ORPHANS REMOVED - - - -
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
     
  18. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix Script

    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Open Notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

      [​IMG]
    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
     
  19. Kendra89

    Kendra89 TS Rookie Topic Starter Posts: 24

    ComboFix 12-07-31.06 - Key 08/03/2012 18:41:47.3.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1643.687 [GMT -4:00]
    Running from: c:\users\Key\Desktop\ComboFix.exe
    Command switches used :: c:\users\Key\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\programdata\Microsoft\Windows\DRM\5753.tmp.dat"
    "c:\programdata\Microsoft\Windows\DRM\63C3.tmp"
    "c:\programdata\Microsoft\Windows\DRM\6403.tmp"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\Microsoft\Windows\DRM\5753.tmp.dat
    c:\programdata\Microsoft\Windows\DRM\63C3.tmp
    c:\programdata\Microsoft\Windows\DRM\6403.tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-04 to 2012-08-04 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-03 22:59 . 2012-08-03 22:59 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A8AC37E4-F8A9-48E4-8203-D43CEB191C54}\offreg.dll
    2012-08-03 22:56 . 2012-08-03 22:56 -------- d-----w- c:\users\Temp\AppData\Local\temp
    2012-08-03 22:56 . 2012-08-03 22:56 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-08-03 22:56 . 2012-08-03 22:56 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2012-07-30 03:20 . 2012-07-16 06:40 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A8AC37E4-F8A9-48E4-8203-D43CEB191C54}\mpengine.dll
    2012-07-30 03:18 . 2012-07-30 03:18 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-07-30 02:16 . 2012-07-30 02:16 50392 ----a-w- c:\windows\system32\drivers\faslozju.sys
    2012-07-30 02:15 . 2012-07-30 02:15 50392 ----a-w- c:\windows\system32\drivers\vhqmcfzw.sys
    2012-07-30 00:43 . 2012-02-09 18:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BAA9A428-A79B-499A-83F5-B18CB89443D9}\gapaengine.dll
    2012-07-30 00:40 . 2012-07-30 00:40 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2012-07-30 00:40 . 2012-07-30 00:40 -------- d-----w- c:\program files\Microsoft Security Client
    2012-07-28 00:30 . 2012-07-28 00:30 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
    2012-07-12 11:43 . 2012-06-12 03:02 3147264 ----a-w- c:\windows\system32\win32k.sys
    2012-07-12 07:03 . 2012-06-02 12:12 2311680 ----a-w- c:\windows\system32\jscript9.dll
    2012-07-11 13:16 . 2012-06-06 05:50 1880064 ----a-w- c:\windows\system32\msxml3.dll
    2012-07-11 13:16 . 2012-06-06 05:50 2003968 ----a-w- c:\windows\system32\msxml6.dll
    2012-07-11 13:16 . 2012-06-06 05:09 1389568 ----a-w- c:\windows\SysWow64\msxml6.dll
    2012-07-11 13:16 . 2012-06-06 05:09 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
    2012-07-11 13:16 . 2012-06-09 05:30 14165504 ----a-w- c:\windows\system32\shell32.dll
    2012-07-11 13:15 . 2012-06-02 05:37 459216 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-07-11 13:15 . 2012-06-02 05:27 340992 ----a-w- c:\windows\system32\schannel.dll
    2012-07-11 13:15 . 2012-06-02 05:38 152432 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-07-11 13:15 . 2012-06-02 05:27 307200 ----a-w- c:\windows\system32\ncrypt.dll
    2012-07-11 13:15 . 2012-06-02 05:38 95088 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-07-11 13:15 . 2012-06-02 04:47 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
    2012-07-11 13:15 . 2012-06-02 04:48 225280 ----a-w- c:\windows\SysWow64\schannel.dll
    2012-07-11 13:15 . 2012-06-02 04:48 22016 ----a-w- c:\windows\SysWow64\secur32.dll
    2012-07-11 13:15 . 2012-06-02 04:42 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
    2012-07-11 13:15 . 2012-06-06 05:50 1425408 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2012-07-11 13:15 . 2012-06-06 05:09 987136 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll
    2012-07-08 00:11 . 2012-07-08 00:11 -------- d-----w- c:\users\Key\AppData\Roaming\Malwarebytes
    2012-07-08 00:10 . 2012-07-08 00:10 -------- d-----w- c:\programdata\Malwarebytes
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-20 12:10 . 2012-05-09 01:38 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-07-20 12:10 . 2011-09-06 00:16 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-12 07:07 . 2011-09-06 17:54 59701280 ----a-w- c:\windows\system32\MRT.exe
    2012-06-02 22:19 . 2012-06-19 14:01 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-19 14:01 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:19 . 2012-06-19 14:01 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-19 14:01 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-19 14:01 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:15 . 2012-06-19 14:01 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:15 . 2012-06-19 14:01 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 19:19 . 2012-06-19 14:00 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 19:15 . 2012-06-19 14:00 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-05-28 11:53 . 2012-05-28 11:54 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-08-01_12.35.33 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-03-05 19:05 . 2012-08-03 22:31 53898 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-08-03 22:31 52838 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2011-07-17 05:26 . 2012-08-03 22:31 17364 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1983032248-2406907208-74079150-1001_UserData.bin
    + 2011-07-16 09:02 . 2012-08-03 23:31 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2011-07-16 09:02 . 2012-08-01 12:04 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2011-07-16 09:02 . 2012-08-01 12:04 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2011-07-16 09:02 . 2012-08-03 23:31 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2012-08-03 23:31 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:54 . 2012-08-01 12:04 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2012-08-01 12:33 . 2012-08-01 12:33 1820 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
    + 2012-08-03 22:58 . 2012-08-03 22:58 1820 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
    + 2011-07-19 06:00 . 2012-08-02 17:22 8612 c:\windows\system32\wdi\ERCQueuedResolutions.dat
    - 2012-08-01 12:34 . 2012-08-01 12:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-08-03 22:59 . 2012-08-03 22:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-08-01 12:34 . 2012-08-01 12:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-08-03 22:59 . 2012-08-03 22:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2009-07-14 05:01 . 2012-08-01 12:33 433800 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2012-08-03 22:57 433800 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 02:34 . 2012-08-03 23:20 10485760 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
    - 2009-07-14 02:34 . 2012-08-01 12:20 10485760 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
    + 2011-07-17 06:18 . 2012-08-03 22:57 20528312 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1983032248-2406907208-74079150-1001-8192.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-11-22 2736128]
    "MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-02-12 336384]
    "HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-04-04 35736]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2010-12-13 318520]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 80729929;80729929; [x]
    R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
    R3 ssmirrdr;ssmirrdr;c:\windows\system32\DRIVERS\ssmirrdr.sys [2011-03-15 10112]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-07-18 1255736]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
    R4 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-11 116648]
    R4 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-11 116648]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
    S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [2010-11-12 77952]
    S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [2010-11-12 37504]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-07-05 204288]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-02-12 354304]
    S2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 194496]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
    S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-07-21 103992]
    S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-08-06 291896]
    S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2010-12-16 92216]
    S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 26680]
    S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-09-11 399344]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
    S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [2010-02-18 46136]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-07-05 9359872]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-07-05 309760]
    S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [2011-03-23 31088]
    S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [2010-12-22 333416]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]
    S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2011-01-05 1109096]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2010-11-29 44672]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-11-22 21:18 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-11 21:37]
    .
    2012-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-11 21:37]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
    @="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
    [HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
    2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
    @="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
    [HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
    2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
    @="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
    [HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
    2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
    @="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
    [HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
    2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
    @="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
    [HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
    2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
    "RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2011-01-11 6602856]
    "HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-07-21 8192]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    Trusted Zone: phoenix.edu\classroom
    TCP: DhcpNameServer = 192.168.1.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (LocalSystem)
    "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
    1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
    "{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
    94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
    "{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
    df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (LocalSystem)
    "Timestamp"=hex:f3,30,1d,4d,f6,79,cc,01
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cd,14,76,11,c2,ce,d1,45,8c,28,ef,\
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7a,6a,30,15,4d,ca,5a,45,a2,8f,d5,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7a,6a,30,15,4d,ca,5a,45,a2,8f,d5,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
    c:\program files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
    c:\program files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
    c:\program files (x86)\CyberLink\YouCam\YCMMirage.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-03 20:08:21 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-04 00:08
    ComboFix2.txt 2012-08-01 12:47
    .
    Pre-Run: 171,077,976,064 bytes free
    Post-Run: 171,015,630,848 bytes free
    .
    - - End Of File - - EC8060790BAED82AA7204FFA84E1F7F2
     
  20. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and Scan unwanted applications are checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
     
  21. Kendra89

    Kendra89 TS Rookie Topic Starter Posts: 24

    I'm not sure if this is the right file, but I ran the scan before leaving for work and this is the only thing that is on my computer right now.
     
  22. Kendra89

    Kendra89 TS Rookie Topic Starter Posts: 24

  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Last one, hopefully :)

    Please run the F-Secure Online Scanner
    • Accept the License Agreement and check the box. Then click on Run Check.
    • It will ask you to Run the Java plugin. Please confirm.
    • Once the download completes, the window for the scanner will launch.
    • Please confirm any more prompts, and then select Full Scan.
    • The scan will take some time to finish, so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • It will run its cleaning.
    • Click the Full report button and Copy & Paste the entire report (except the bold text at the foot of the page) in your next reply. Once that's done, click the Close button on the scan window.
     
  24. Kendra89

    Kendra89 TS Rookie Topic Starter Posts: 24

    I didn't see the full report option, but it said the scan was completed and nothing was found. Should I run it again and look for the option?
     
  25. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    That's okay.

    Your logs appear to be clean. If there are no more issues, then we shall clean up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name, i.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop-down box select your main drive, i.e. C
    • For a few moments the system will make some calculations:
    • Select the More Options tab
    • In the System Restore and Shadow Backups select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Tell me in your next reply, if you have completed these tasks:
    • Cleaned System Restore
    • Ran OTC
    • Ran CCleaner
    • Ran Security Check
    Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
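    The restore-point cleanup from the post above, written out for an elevated PowerShell session as an added example (it is not part of the thread or of any tool named in it): it creates the "Clean" point, then deletes every older shadow copy on the system drive, which is what the Disk Cleanup "Clean up" button does, since Windows 7 keeps restore points inside shadow copies. The drive letter and the assumption that System Protection is enabled on it are mine.

```powershell
# Added example, not from the thread: scripted equivalent of the helper's
# "create a Restore Point named Clean, then purge the old ones" steps.
# Assumptions: Windows 7, elevated PowerShell, System Protection enabled on $Drive.
$Drive = 'C:'

# 1. Create the new restore point (System Protection > Create > "Clean").
Checkpoint-Computer -Description 'Clean' -RestorePointType 'MODIFY_SETTINGS'

# 2. Resolve the drive letter to the volume device path that shadow copies record.
$volume = Get-WmiObject Win32_Volume -Filter "DriveLetter='$Drive'"
if (-not $volume) { throw "Volume $Drive not found" }

# 3. List this volume's shadow copies, oldest first. Restore points on Vista/7 are
#    stored in shadow copies, so deleting a shadow copy deletes its restore point
#    (and any "Previous Versions" data it held, as Disk Cleanup also does).
$shadows = @(Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object { [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) })

# 4. Keep only the newest copy (the "Clean" point just created); delete the rest.
#    Same effect as Disk Cleanup > More Options > System Restore and Shadow Copies > Clean up.
if ($shadows.Count -gt 1) {
    $shadows[0..($shadows.Count - 2)] | ForEach-Object {
        $created = [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
        Write-Host "Deleting shadow copy created $created"
        [void]$_.Delete()
    }
}

# 5. Show what is left; only the "Clean" point should remain.
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime
```

Run it only after the logs have been declared clean, as the post says, because the point of purging is to drop restore points that may still carry the infected files.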
     

