also @ TechSpot: AMD A4-5000 Review: Kabini, the affordable ultraportable APU

Sirefef got me

Discussion in 'Virus and Malware Removal' started by Vitharr, Jul 28, 2012.

Post New Reply
Page 2 of 2

  1. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Back to Normal Mode, if you can...

    ComboFix

    Please download ComboFix[IMG] by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
    Jay Pfoutz, Aug 1, 2012
    #21

  2. Vitharr Newcomer, in training Posts: 22

    It's nice to be back on my own computer, even if it's not yet entirely mine again. Thanks again for the help. Wish me luck with this... I've heard bad things about this program. XD I won't be on tomorrow, so I'm not bailing or anything. I'll let ya know how it goes in a bit. It just annoys me that people make these things...
    Vitharr, Aug 1, 2012
    #22

  3. Vitharr Newcomer, in training Posts: 22

    ComboFix 12-07-31.03 - cal 08/01/2012 12:58:52.1.2 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4094.2689 [GMT -4:00]
    Running from: c:\users\cal\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Install.exe
    c:\programdata\6IYqpdniL7Y909
    c:\users\cal\AppData\Roaming\condmt.dll
    c:\users\cal\AppData\Roaming\Microsoft\Windows\Cookies\index (1).dat
    c:\users\cal\AppData\Roaming\Microsoft\Windows\Recent\Desktop (1).ini
    c:\users\cal\Documents\~WRL0608.tmp
    c:\users\cal\Documents\~WRL1080.tmp
    c:\users\cal\Documents\~WRL2369.tmp
    c:\users\cal\Documents\~WRL3619.tmp
    c:\users\cal\WINDOWS
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-01 to 2012-08-01 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-01 17:07 . 2012-08-01 17:07 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BF1719D9-6B84-4653-805E-2F86211F2178}\offreg.dll
    2012-07-28 21:42 . 2012-07-28 21:42 -------- d-----w- C:\FRST
    2012-07-28 17:53 . 2012-07-28 17:53 328704 ----a-w- c:\windows\system32\services.exe.B4A9B7D8D1348223
    2012-07-28 04:31 . 2012-07-28 04:31 328704 ----a-w- c:\windows\system32\services.exe.8CCD3E78FA98C94F
    2012-07-28 04:27 . 2012-07-28 04:27 328704 ----a-w- c:\windows\system32\services.exe.8DA43F55A93E6778
    2012-07-28 04:23 . 2012-07-28 04:23 328704 ----a-w- c:\windows\system32\services.exe.E43C101B53DC252A
    2012-07-28 04:19 . 2012-07-28 04:19 328704 ----a-w- c:\windows\system32\services.exe.52BD5E387BA128FF
    2012-07-28 04:15 . 2012-07-28 04:15 328704 ----a-w- c:\windows\system32\services.exe.3DB948AC1CCBCA63
    2012-07-28 04:08 . 2012-07-28 04:08 328704 ----a-w- c:\windows\system32\services.exe.F6FB4C57B0E967DB
    2012-07-28 04:00 . 2012-07-28 04:00 328704 ----a-w- c:\windows\system32\services.exe.172582619AC913D0
    2012-07-28 03:56 . 2012-07-28 03:56 328704 ----a-w- c:\windows\system32\services.exe.6A5B2A4F40A08197
    2012-07-28 03:52 . 2012-07-28 03:52 328704 ----a-w- c:\windows\system32\services.exe.2DB9DB67B32946F3
    2012-07-28 03:49 . 2012-07-28 03:49 328704 ----a-w- c:\windows\system32\services.exe.087F909DA29B6998
    2012-07-28 03:41 . 2012-07-28 03:41 328704 ----a-w- c:\windows\system32\services.exe.9DEBCF7F21934A0E
    2012-07-28 03:33 . 2012-07-28 03:33 328704 ----a-w- c:\windows\system32\services.exe.54601271FD8226CF
    2012-07-28 03:22 . 2012-07-28 03:22 328704 ----a-w- c:\windows\system32\services.exe.1EEC17ED03A57CAB
    2012-07-28 03:18 . 2012-07-28 03:18 328704 ----a-w- c:\windows\system32\services.exe.E95369A8A87D1F6E
    2012-07-28 03:07 . 2012-07-28 03:07 328704 ----a-w- c:\windows\system32\services.exe.B6A597B8AAF6770A
    2012-07-28 03:03 . 2012-07-28 03:03 328704 ----a-w- c:\windows\system32\services.exe.65C9F1F2CD98556F
    2012-07-28 01:15 . 2012-07-28 01:15 328704 ----a-w- c:\windows\system32\services.exe.183FA52B3A5C0912
    2012-07-28 01:13 . 2012-07-16 06:40 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BF1719D9-6B84-4653-805E-2F86211F2178}\mpengine.dll
    2012-07-28 01:09 . 2012-07-28 01:09 328704 ----a-w- c:\windows\system32\services.exe.E02BD63384EBEFC3
    2012-07-28 01:05 . 2012-07-28 01:05 328704 ----a-w- c:\windows\system32\services.exe.4E1151B4E8C78FA3
    2012-07-28 01:01 . 2012-07-28 01:01 328704 ----a-w- c:\windows\system32\services.exe.8F0769342A623DAD
    2012-07-28 00:45 . 2012-07-28 00:45 328704 ----a-w- c:\windows\system32\services.exe.D030BC8E5374ED16
    2012-07-28 00:39 . 2012-07-28 00:39 328704 ----a-w- c:\windows\system32\services.exe.0E7575F09342F79F
    2012-07-28 00:35 . 2012-07-28 00:35 328704 ----a-w- c:\windows\system32\services.exe.8C6E621C39A9E46D
    2012-07-28 00:31 . 2012-07-28 00:31 328704 ----a-w- c:\windows\system32\services.exe.28DD07FDFA27BE06
    2012-07-28 00:27 . 2012-07-28 00:27 328704 ----a-w- c:\windows\system32\services.exe.A7F6501B8F6C1DAE
    2012-07-28 00:23 . 2012-07-28 00:23 328704 ----a-w- c:\windows\system32\services.exe.DE4C12491C5F496B
    2012-07-28 00:19 . 2012-07-28 00:19 328704 ----a-w- c:\windows\system32\services.exe.5F8F3497207FF759
    2012-07-28 00:15 . 2012-07-28 00:15 328704 ----a-w- c:\windows\system32\services.exe.46656B8CD5C97199
    2012-07-28 00:11 . 2012-07-28 00:11 328704 ----a-w- c:\windows\system32\services.exe.B4AFCCB56669F834
    2012-07-28 00:07 . 2012-07-28 00:07 328704 ----a-w- c:\windows\system32\services.exe.3AE9664CF1F1BA88
    2012-07-28 00:03 . 2012-07-28 00:03 328704 ----a-w- c:\windows\system32\services.exe.23DBB95DEBB5DFE5
    2012-07-27 23:59 . 2012-07-27 23:59 328704 ----a-w- c:\windows\system32\services.exe.9D34D7738608BCE2
    2012-07-27 23:55 . 2012-07-27 23:55 328704 ----a-w- c:\windows\system32\services.exe.006D7B19150FE90A
    2012-07-27 23:51 . 2012-07-27 23:51 328704 ----a-w- c:\windows\system32\services.exe.0FCEF6B3D10240A0
    2012-07-27 23:47 . 2012-07-27 23:47 328704 ----a-w- c:\windows\system32\services.exe.2FC8CFCACB986FDF
    2012-07-27 23:42 . 2012-07-27 23:42 328704 ----a-w- c:\windows\system32\services.exe.1C3C7BAD0C51867F
    2012-07-27 23:38 . 2012-07-27 23:38 328704 ----a-w- c:\windows\system32\services.exe.D5BB2AE0AD490D84
    2012-07-27 23:34 . 2012-07-27 23:34 328704 ----a-w- c:\windows\system32\services.exe.111861B8E64D1708
    2012-07-27 23:30 . 2012-07-27 23:30 328704 ----a-w- c:\windows\system32\services.exe.10156286EBCFC62C
    2012-07-27 23:26 . 2012-07-27 23:26 328704 ----a-w- c:\windows\system32\services.exe.41BBF73EAE0287E9
    2012-07-27 23:22 . 2012-07-27 23:22 328704 ----a-w- c:\windows\system32\services.exe.C6C2502E00EA8519
    2012-07-27 23:18 . 2012-07-27 23:18 328704 ----a-w- c:\windows\system32\services.exe.170A9607A1BFB923
    2012-07-27 23:12 . 2012-07-27 23:12 328704 ----a-w- c:\windows\system32\services.exe.3B1FB702AAF3475C
    2012-07-27 23:08 . 2012-07-27 23:08 328704 ----a-w- c:\windows\system32\services.exe.D961E3F22833B4E3
    2012-07-27 23:03 . 2012-07-27 23:03 328704 ----a-w- c:\windows\system32\services.exe.CCC50B6C5D566056
    2012-07-27 22:59 . 2012-07-27 22:59 328704 ----a-w- c:\windows\system32\services.exe.784C1F5459BCD752
    2012-07-27 22:55 . 2012-07-27 22:55 328704 ----a-w- c:\windows\system32\services.exe.2502682792C162C7
    2012-07-27 22:51 . 2012-07-27 22:51 328704 ----a-w- c:\windows\system32\services.exe.B192EAF2E46BF521
    2012-07-27 22:47 . 2012-07-27 22:47 328704 ----a-w- c:\windows\system32\services.exe.9AA3071B934410DF
    2012-07-27 22:41 . 2012-07-27 22:41 328704 ----a-w- c:\windows\system32\services.exe.40283D2C7A8708F7
    2012-07-27 22:37 . 2012-07-27 22:37 328704 ----a-w- c:\windows\system32\services.exe.E5BF994858A91B83
    2012-07-27 22:33 . 2012-07-27 22:33 328704 ----a-w- c:\windows\system32\services.exe.61927ED55B06619A
    2012-07-27 22:16 . 2012-07-27 22:16 50392 ----a-w- c:\windows\system32\drivers\bxaknppc.sys
    2012-07-27 22:16 . 2012-07-27 22:16 328704 ----a-w- c:\windows\system32\services.exe.801A96E38371FA75
    2012-07-27 22:07 . 2012-07-27 22:07 328704 ----a-w- c:\windows\system32\services.exe.94263988E22B912F
    2012-07-27 21:59 . 2012-02-09 18:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F287D2A5-A0A7-4CEE-83C2-3F3696D59572}\gapaengine.dll
    2012-07-27 21:58 . 2012-07-27 21:58 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2012-07-27 21:58 . 2012-07-27 21:59 -------- d-----w- c:\program files\Microsoft Security Client
    2012-07-27 16:06 . 2012-07-27 16:06 -------- d-----w- c:\users\cal\AppData\Local\{0BBF6C3D-D805-11E1-8270-B8AC6F996F26}
    2012-07-27 16:05 . 2012-07-27 16:14 -------- d-----w- c:\users\cal\AppData\Roaming\xsecva
    2012-07-26 02:29 . 2012-07-26 02:30 -------- d-----w- c:\users\cal\AppData\Roaming\SPORE
    2012-07-26 02:22 . 2012-07-26 02:22 -------- d-----w- c:\program files (x86)\Electronic Arts
    2012-07-26 00:41 . 2012-07-26 00:48 -------- d-----w- c:\program files (x86)\Amnesia - The Dark Descent
    2012-07-26 00:35 . 2012-07-26 00:35 -------- d-----w- c:\program files (x86)\DAMN NFO Viewer
    2012-07-24 17:45 . 2012-07-24 17:45 -------- d-----w- c:\program files (x86)\R.G. Catalyst
    2012-07-24 17:13 . 2012-07-24 17:14 -------- d-----w- c:\program files\Perfect Uninstaller
    2012-07-23 23:15 . 2012-07-24 18:02 -------- d-----w- c:\users\cal\AppData\Local\Ubisoft Game Launcher
    2012-07-19 02:23 . 2012-07-19 02:23 -------- d-----w- c:\users\cal\AppData\Roaming\InstallShield
    2012-07-14 05:53 . 2012-07-14 05:53 189248 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
    2012-07-14 05:53 . 2012-07-14 05:53 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
    2012-07-14 05:53 . 2012-07-14 05:53 -------- d-----w- c:\users\cal\AppData\Roaming\PunkBuster
    2012-07-11 07:05 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
    2012-07-11 06:42 . 2012-06-06 06:06 2004480 ----a-w- c:\windows\system32\msxml6.dll
    2012-07-10 19:48 . 2012-07-24 18:02 -------- d-----w- c:\programdata\Ubisoft
    2012-07-10 19:48 . 2012-07-19 02:43 -------- d-----w- c:\users\cal\AppData\Roaming\Ubisoft
    2012-07-10 19:15 . 2012-07-24 17:14 -------- d-----w- c:\program files (x86)\Ubisoft
    2012-07-05 00:41 . 2012-07-05 00:41 -------- d-----w- c:\users\cal\AppData\Local\Electronic Arts
    2012-07-04 23:49 . 2012-07-04 23:49 -------- d-----w- c:\users\cal\AppData\Local\ArmA 2 Free
    2012-07-04 23:43 . 2012-07-04 23:43 -------- d-----w- c:\program files (x86)\Bohemia Interactive
    2012-07-03 01:16 . 2012-07-03 01:16 -------- d-----w- c:\users\cal\AppData\Local\EA Games
    2012-07-02 22:44 . 2012-07-05 00:37 -------- d--h--w- c:\windows\msdownld.tmp
    2012-07-02 22:08 . 2012-07-02 22:39 -------- d-----w- c:\program files (x86)\Dead Space 2
    2012-07-02 18:32 . 2012-07-02 18:32 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
    2012-07-02 18:32 . 2012-07-02 18:32 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
    2012-07-02 18:32 . 2012-07-02 18:32 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
    2012-07-02 18:32 . 2012-07-02 18:32 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
    2012-07-02 18:32 . 2012-07-02 18:32 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
    2012-07-02 18:32 . 2012-07-02 18:32 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
    2012-07-02 18:32 . 2012-07-02 18:32 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
    2012-07-02 18:31 . 2012-07-02 18:32 -------- d-----w- c:\program files (x86)\QuickTime
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-03 17:46 . 2012-04-05 01:19 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-02 22:19 . 2012-06-19 09:19 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-19 09:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:19 . 2012-06-19 09:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-19 09:19 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-19 09:19 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:15 . 2012-06-19 09:19 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:15 . 2012-06-19 09:19 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 19:19 . 2012-06-19 09:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 19:15 . 2012-06-19 09:19 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-05-10 07:16 . 2012-04-04 01:40 57848688 ----a-w- c:\windows\system32\MRT.exe
    2012-05-04 11:06 . 2012-06-13 15:18 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-04 10:03 . 2012-06-13 15:18 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-05-04 10:03 . 2012-06-13 15:18 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-04-05 1242448]
    "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-04-17 3671872]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-03-09 636032]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-06 421736]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
    .
    c:\users\cal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    desktop (1).ini [2004-6-6 84]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-29 253088]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 51740536]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
    R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960]
    R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-04 1255736]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-04-21 283200]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-03-09 235520]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-03-09 361984]
    S2 AntUpdaterService;Ant Toolbar updater service;c:\program files (x86)\Ant.com\IE add-on\AntUpdaterService.exe [2011-06-29 520216]
    S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [2010-02-18 46136]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2012-03-09 10857984]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2012-03-09 328704]
    S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2011-12-05 95248]
    S3 VST64_DPV;VST64_DPV;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
    S3 VST64HWBS2;VST64HWBS2;c:\windows\system32\DRIVERS\VSTBS26.SYS [2009-06-10 411136]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-01 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 16:37]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 112512]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.facebook.com/
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
    Trusted Zone: kongregate.com\www
    Trusted Zone: newgrounds.com\www
    TCP: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.3.1
    FF - ProfilePath - c:\users\cal\AppData\Roaming\Mozilla\Firefox\Profiles\yemr2qba.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKCU-Run-condmt - c:\users\cal\AppData\Roaming\condmt.dll
    AddRemove-BattlEye A2 Free - c:\program files (x86)\Bohemia Interactive\ArmA 2 FreeBattlEye\UnInstallBE.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\windows\SysWOW64\PnkBstrA.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-01 13:16:28 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-01 17:16
    .
    Pre-Run: 21,405,380,608 bytes free
    Post-Run: 22,538,944,512 bytes free
    .
    - - End Of File - - 0C696F7E0CE3DF6714AB9782D9B2700A
    Vitharr, Aug 1, 2012
    #23

  4. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Scan for malware

    [IMG] Please download Malwarebytes Anti-Malware from HERE.


    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this, will cause the infection to still be active on the computer.
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Copy and paste the entire report in your next reply.
    Jay Pfoutz, Aug 2, 2012
    #24

  5. Vitharr Newcomer, in training Posts: 22

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org
    Database version: v2012.08.03.02
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    cal :: CAL_DELL531S [administrator]
    8/2/2012 11:17:55 PM
    mbam-log-2012-08-02 (23-17-55).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 208258
    Time elapsed: 4 minute(s), 6 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)

    I ran malwarebytes before my computer really hit the wall and died on me. I removed some stuff back then, which may be why it didn't find anything this time. I'll see if I can find those logs.
    Vitharr, Aug 2, 2012
    #25

  6. Vitharr Newcomer, in training Posts: 22

    This is an old log, from before I even came to this site. Not sure if it will be of any use to you.
    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org
    Database version: v2012.07.27.08
    Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
    Internet Explorer 9.0.8112.16421
    cal :: CAL_DELL531S [administrator]
    7/27/2012 12:49:19 PM
    mbam-log-2012-07-27 (12-49-19).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 201796
    Time elapsed: 7 minute(s), 57 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 4
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|tTAXlNdYqeIHN.exe (Trojan.FakeAlert.3CH) -> Data: C:\ProgramData\tTAXlNdYqeIHN.exe -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|XSECVA (Trojan.Agent) -> Data: "C:\Users\cal\AppData\Roaming\xsecva\xsecva.exe" -s -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|lsaco (Trojan.Midhos) -> Data: rundll32.exe "C:\Users\cal\AppData\Roaming\lsaco.dll",HrGetStreamPos -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|6IYqpdniL7Y909 (Backdoor.Agent.RC2Gen) -> Data: C:\ProgramData\6IYqpdniL7Y909.exe -> Quarantined and deleted successfully.
    Registry Data Items Detected: 2
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 7
    C:\ProgramData\tTAXlNdYqeIHN.exe (Trojan.FakeAlert.3CH) -> Quarantined and deleted successfully.
    C:\Users\cal\AppData\Roaming\xsecva\xsecva.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Users\cal\AppData\Roaming\lsaco.dll (Trojan.Midhos) -> Quarantined and deleted successfully.
    C:\ProgramData\6IYqpdniL7Y909.exe (Backdoor.Agent.RC2Gen) -> Quarantined and deleted successfully.
    C:\Users\cal\AppData\Local\Temp\4B68.tmp (Trojan.Agent.EXPD1) -> Quarantined and deleted successfully.
    C:\Users\cal\AppData\Local\Temp\Av8IspC2tLCJcJ.exe.tmp (Trojan.FakeAlert.3CH) -> Quarantined and deleted successfully.
    C:\Windows\Installer\{c87bc561-eefd-ed9f-5262-78af73b1c897}\n (Trojan.Sirefef) -> Quarantined and deleted successfully.
    (end)
    Vitharr, Aug 2, 2012
    #26
     

  7. Vitharr Newcomer, in training Posts: 22

    Another log, from a full scan. Felt it might be important because it has a Sirefef file listed. This was done right after the first scan back before I came here.
    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org
    Database version: v2012.07.27.08
    Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
    Internet Explorer 9.0.8112.16421
    cal :: CAL_DELL531S [administrator]
    7/27/2012 1:02:07 PM
    mbam-log-2012-07-27 (13-02-07).txt
    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 440102
    Time elapsed: 1 hour(s), 3 minute(s), 23 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 4
    C:\Program Files (x86)\Ubisoft\Assassin's Creed II\ubiorbitapi_r2.dll (Trojan.Agent.CK) -> No action taken.
    C:\Users\cal\Downloads\Assassin's Creed II + Patch 1.01 [PC ~ ENG GER FRA SPA ITA DEN NOR SWE][SKIDROW][Colombo-BT.i2p]\Assassin's Creed II + Patch 1.01 [PC ~ ENG GER FRA SPA ITA DEN NOR SWE][SKIDROW]\Patch 1.01 + Crack\Crack\ubiorbitapi_r2.dll (Trojan.Agent.CK) -> No action taken.
    C:\ProgramData\Microsoft\Windows\DRM\3F73.tmp.dat (Trojan.Agent.EXPD1) -> Quarantined and deleted successfully.
    C:\Users\cal\AppData\Local\{c87bc561-eefd-ed9f-5262-78af73b1c897}\n (Trojan.Sirefef) -> Delete on reboot.
    (end)
    Vitharr, Aug 2, 2012
    #27

  8. Jay Pfoutz Malware Helper Posts: 4,286   +49

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
    Jay Pfoutz, Aug 3, 2012
    #28

  9. Vitharr Newcomer, in training Posts: 22

    [IMG]As I was scanning with ESET, MSE, which I had turned off before starting the scan, suddenly popped up with this about halfway through. I'm not sure what I should do.
    Vitharr, Aug 3, 2012
    #29

  10. Vitharr Newcomer, in training Posts: 22

    I removed it, and then checked the MSE Quarantine. There was a whole bunch of files, including files like Sirefef and Sirefef.Y, which I removed as well. Here is the ESET scan log.

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner64.ocx - registred OK
    OnlineScanner.ocx - registred OK
    ESETSmartInstaller@High as downloader log:
    all ok
    Vitharr, Aug 3, 2012
    #30

  11. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Was most likely Sirefef in Quarantine, which is a reliably designated place to securely prevent those threats from starting again.

    Let's get one more opinion...

    Please run the F-Secure Online Scanner
    • Accept the License Agreement and check the box. Then click on Run Check.
    • [IMG]
    • It will ask you to Run the Java plugin. Please confirm.
    • Once the download completes, the window for the scanner will launch.
    • Please confirm anymore prompts, and then select Full Scan.
    • The scan will take some time to finish, so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • It will run its cleaning.
    • Click the Full report button and Copy & Paste the entire report (except the bold text at the foot of the page) in your next reply. Once that's done, click the Close button on the scan window.
    Jay Pfoutz, Aug 4, 2012
    #31

  12. Vitharr Newcomer, in training Posts: 22

    Scanning Report

    Sunday, August 5, 2012 13:44:47 - 14:46:40

    Computer name: CAL_DELL531S
    Scanning type: Scan system for malware, spyware and rootkits
    Target: C:\
    20 malware found

    TrackingCookie.Questionmarket (spyware)
    • System (Disinfected)
    TrackingCookie.Adinterax (spyware)
    • System (Disinfected)
    TrackingCookie.Research-int (spyware)
    • System (Disinfected)
    TrackingCookie.2o7 (spyware)
    • System (Disinfected)
    TrackingCookie.Advertising (spyware)
    • System (Disinfected)
    TrackingCookie.Atdmt (spyware)
    • System (Disinfected)
    TrackingCookie.Adtech (spyware)
    • System (Disinfected)
    TrackingCookie.Adform (spyware)
    • System (Disinfected)
    TrackingCookie.Revsci (spyware)
    • System (Disinfected)
    TrackingCookie.WebTrendsLive (spyware)
    • System (Disinfected)
    TrackingCookie.Zanox (spyware)
    • System (Disinfected)
    TrackingCookie.Fastclick (spyware)
    • System (Disinfected)
    TrackingCookie.Adbrite (spyware)
    • System (Disinfected)
    TrackingCookie.Xiti (spyware)
    • System (Disinfected)
    TrackingCookie.Webtrends (spyware)
    • System (Disinfected)
    TrackingCookie.Mediaplex (spyware)
    • System (Disinfected)
    TrackingCookie.Liveperson (spyware)
    • System (Disinfected)
    TrackingCookie.Statistik-Gallup (spyware)
    • System (Disinfected)
    TrackingCookie.Atwola (spyware)
    • System (Disinfected)
    TrackingCookie.Yieldmanager (spyware)
    • System (Disinfected)
    Statistics

    Scanned:
    • Files: 150308
    • System: 7450
    • Not scanned: 38
    Actions:
    • Disinfected: 20
    • Renamed: 0
    • Deleted: 0
    • Not cleaned: 0
    • Submitted: 0
    Files not scanned:
    • C:\HIBERFIL.SYS
    • C:\PAGEFILE.SYS
    • C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
    • C:\WINDOWS\SYSTEM32\CONFIG\SAM
    • C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
    • C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
    • C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
    • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
    • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
    • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
    • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
    • C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
    • C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
    • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
    • C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{C96A8F57-3899-4428-9FEC-335CE50DB161}.BIN
    • C:\WINDOWS\CSC\V2.0.6\PQ
    • C:\WINDOWS\CSC\V2.0.6\TEMP\EA-{EF4C292B-7D49-11E1-BF91-93CF50724A96}
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\ETILQS_IVR94C48RBVYKC297CGM
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\ETILQS_IVR94C48RBVYKC297CGM-JOURNAL
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DF19D9DF16E7942EC9.TMP
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DF1B61D5A331006E65.TMP
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DF2A066595CC9260EB.TMP
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DF336B7D9B7E715A81.TMP
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DFA19984095D540469.TMP
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DFEAD02CFAC0F4B63C.TMP
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DF7B309C01DB9EC705.TMP
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DF671BB0D8A91E150B.TMP
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\HSPERFDATA_CAL\3884
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\HSPERFDATA_CAL\5520
    • C:\QOOBOX\BACKENV\SETPATH.BAT
    • C:\QOOBOX\BACKENV\VIKPEV00
    • C:\PROGRAMDATA\MICROSOFT\MICROSOFT ANTIMALWARE\SCANS\MPDIAG.BIN
    • C:\PROGRAMDATA\MICROSOFT\MICROSOFT ANTIMALWARE\SCANS\HISTORY\CACHEMANAGER\MPSCANCACHE-0.BIN
    • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\7CA61CCE377099FCF171318B3E5E5ABB_3582A102-8769-4482-8E93-EF7C0892B5CD
    • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\D98F3DEA7E6AD066A1F5EB01BAB57BE5_3582A102-8769-4482-8E93-EF7C0892B5CD
    • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\56E810489351C1C3F26DD316DC76AF50_3582A102-8769-4482-8E93-EF7C0892B5CD
    • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\B7673D716DBEF4F840EC8BA3DDA3DEBF_3582A102-8769-4482-8E93-EF7C0892B5CD
    • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FE7D329E9E87B1C11D35ED04A2276267_3582A102-8769-4482-8E93-EF7C0892B5CD
    Options

    Scanning engines:
    Scanning options:
    • Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR TMP
    • Use advanced heuristics
    Vitharr, Aug 5, 2012
    #32

  13. Jay Pfoutz Malware Helper Posts: 4,286   +49

    :DOooh COOOOKIES!!! For us!!! :D Just kidding.

    Your logs appear to be clean. If there are no more issues, then we shall clean up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advance System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name I.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive I.e. C
    • For a few moments the system will make some calculations:
      [IMG]
    • Select the More Options tab
      [IMG]
    • In the System Restore and Shadow Backups select Clean up
      [IMG]
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Tell me in your next reply, if you have completed these tasks:
    • Cleaned System Restore
    • Ran OTC
    • Ran TFC
    • Ran Security Check
    Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
    Jay Pfoutz, Aug 5, 2012
    #33

  14. Vitharr Newcomer, in training Posts: 22

    I apologize. Been super busy lately. Will get right on that.
    Vitharr, Aug 8, 2012
    #34

  15. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay. No problem.
    Jay Pfoutz, Aug 9, 2012
    #35

  16. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello. Are you still with us?

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.
    Jay Pfoutz, Aug 14, 2012
    #36
Page 2 of 2

Add New Comment

Social Login & Guest Posting

TechSpot Members
Login here or sign up for free,
it takes about a minute.
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.