TechSpot

Sirefef.R and Sirefef.AH infection

By SNuIX89
Aug 7, 2012
  1. MSE reports these infections but cannot clean them. The PC reboots every minute. I have the FRST and Search logs posted below.

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 05-08-2012 01
    Ran by SYSTEM at 06-08-2012 22:09:57
    Running from G:\
    Windows 7 Ultimate (X86) OS Language: English(US)
    The current controlset is ControlSet003

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1049896 2008-04-24] (Synaptics, Inc.)
    HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
    HKLM\...\Run: [Acer Assist Launcher] C:\Program Files\Acer\Acer Assist\launcher.exe [1261568 2007-11-19] ()
    HKLM\...\Run: [Acer Product Registration] "C:\Program Files\Acer\Acer Registration\ACE1.exe" /startup [3387392 2007-11-26] (Leader Technologies)
    HKLM\...\Run: [ArcadeDeluxeAgent] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [147456 2008-10-08] (CyberLink Corp.)
    HKLM\...\Run: [CLMLServer] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [167936 2008-10-08] (CyberLink)
    HKLM\...\Run: [eAudio] "C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe" [544768 2008-09-11] (Acer Incorporated)
    HKLM\...\Run: [eDataSecurity Loader] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe [526896 2008-07-29] (Egis Incorporated)
    HKLM\...\Run: [ePower_DMC] C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe [417792 2008-11-28] (Acer Inc.)
    HKLM\...\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun [122368 2009-08-18] (Google Inc.)
    HKLM\...\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [167936 2008-10-17] (Acer Corp.)
    HKLM\...\Run: [PLFSetI] C:\Windows\PLFSetI.exe [200704 2008-06-30] ()
    HKLM\...\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE [817672 2008-06-16] (Dritek System Inc.)
    HKLM\...\Run: [lxdxmon.exe] "C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe" [672424 2009-08-31] ()
    HKLM\...\Run: [EzPrint] "C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe" [107176 2008-06-13] (Lexmark International Inc.)
    HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-10-05] (Apple Inc.)
    HKLM\...\Run: [Belkin Storage Manager] "C:\Program Files\Belkin Storage Manager\StorageManager.exe" [858624 2009-02-03] (Belkin International, Inc.)
    HKLM\...\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe" [295304 2012-07-05] (LeapFrog Enterprises, Inc.)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
    HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
    HKLM\...\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
    HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
    HKLM\...\Run: [Anti-phishing Domain Advisor] "C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [217256 2012-05-03] (Visicom Media Inc. (Powered by Panda Security))
    HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKLM\...\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe" -osboot [296096 2012-06-28] (RealNetworks, Inc.)
    HKU\Andrea\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [68856 2009-08-17] (Google Inc.)
    HKU\Andrea\...\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [x]
    HKU\Andrea\...\Run: [EasyTether] "C:\Program Files\Mobile Stream\EasyTether\easytthr.exe" [x]
    HKU\Andrea\...\Run: [InstallIQUpdater] "C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe" /silent /autorun [1179648 2011-10-11] (W3i, LLC)
    HKU\Boyce\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [68856 2009-08-17] (Google Inc.)
    HKU\Boyce\...\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [x]
    HKU\Boyce\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet [5252408 2010-06-01] (Yahoo! Inc.)
    HKU\Boyce\...\Run: [Setpoint] C:\Users\Boyce\AppData\Roaming\Cryptedwithouticon.exe [x]
    HKU\Boyce\...\Run: [DW7] "C:\Program Files\The Weather Channel\The Weather Channel App\TWCApp.exe" [13003448 2012-08-06] (The Weather Channel)
    HKLM\...\Winlogon: [Userinit] userinit.exe, [x]
    Tcpip\Parameters: [DhcpNameServer] 192.168.2.1 192.168.2.1
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
    ShortcutTarget: WinZip Quick Pick.lnk -> C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
    Startup: C:\Users\Boyce\Start Menu\Programs\Startup\Disney Vacation Connection.lnk
    ShortcutTarget: Disney Vacation Connection.lnk -> C:\Program Files\Disney Vacation Connection\Disney Vacation Connection.exe (No File)
    Startup: C:\Users\Boyce\Start Menu\Programs\Startup\Dropbox.lnk
    ShortcutTarget: Dropbox.lnk -> (No File)

    ================================ Services (Whitelisted) ==================

    2 atashost; "C:\Windows\system32\atashost.exe" [20360 2010-01-20] (WebEx Communications, Inc.)
    2 CLHNService; C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [69632 2008-10-04] ()
    2 DisplayLinkService; "C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe" [4752744 2010-01-27] (DisplayLink Corp.)
    2 ETService; C:\Program Files\Acer\Empowering Technology\Service\ETService.exe [24576 2008-11-28] ()
    2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
    2 gupdate1ca4d8344bb7341; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [133104 2009-10-15] (Google Inc.)
    2 hasplms; C:\Windows\system32\hasplms.exe -run [3750400 2009-12-16] (SafeNet Inc.)
    2 lxdx_device; C:\Windows\system32\lxdxcoms.exe -service [594600 2008-02-27] ( )
    2 MDM; "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" [322120 2003-06-19] (Microsoft Corporation)
    4 MobilityService; C:\Acer\Mobility Center\MobilityService.exe -p [110592 2007-12-06] ()
    2 MsDepSvc; "C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe" -runService:MsDepSvc [67400 2011-04-01] (Microsoft Corporation)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [11552 2012-03-26] (Microsoft Corporation)
    4 MSSQL$SQLEXPRESS; "C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [43028328 2011-09-22] (Microsoft Corporation)
    4 MSSQLServerADHelper100; "C:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [47128 2009-07-22] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [214952 2012-03-26] (Microsoft Corporation)
    2 NTISchedulerSvc; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [144632 2008-09-23] (NewTech Infosystems, Inc.)
    4 OpcEnum; C:\Windows\system32\opcenum.exe [139488 2009-02-04] (OPC Foundation)
    2 RichVideo; "C:\Program Files\Cyberlink\Shared files\RichVideo.exe" [272024 2007-01-08] ()
    2 Skype C2C Service; "C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe" [3048136 2012-05-30] (Skype Technologies S.A.)
    2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [160944 2012-06-07] (Skype Technologies)
    4 SQLAgent$SQLEXPRESS; "C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -I SQLEXPRESS [370024 2011-09-22] (Microsoft Corporation)

    ========================== Drivers (Whitelisted) =============

    3 AgereSoftModem; C:\Windows\System32\DRIVERS\AGRSM.sys [1035776 2009-07-13] (LSI Corp)
    2 aksfridge; \??\C:\Windows\system32\drivers\aksfridge.sys [358400 2010-04-13] (SafeNet Inc.)
    3 DisplayLinkUsbPort; C:\Windows\System32\DRIVERS\DisplayLinkUsbPort_5.2.23219.0.sys [21888 2010-01-27] (http://libusb-win32.sourceforge.net)
    3 dlkmd; C:\Windows\system32\drivers\dlkmd.sys [165488 2010-01-27] (DisplayLink Corp.)
    0 dlkmdldr; C:\Windows\System32\drivers\dlkmdldr.sys [13936 2010-01-27] (DisplayLink Corp.)
    3 FlyUsb; C:\Windows\System32\DRIVERS\FlyUsb.sys [19456 2008-04-01] (LeapFrog)
    2 hardlock; \??\C:\Windows\system32\drivers\hardlock.sys [588800 2009-12-09] (SafeNet Inc.)
    3 L1E; C:\Windows\System32\DRIVERS\L1E62x86.sys [48640 2009-08-23] (Atheros Communications, Inc.)
    3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2012-07-31] (Malwarebytes Corporation)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    3 PalmUSBD; C:\Windows\System32\drivers\PalmUSBD.sys [16640 2007-12-04] (PalmSource, Inc.)
    3 pneteth; C:\Windows\System32\DRIVERS\pneteth.sys [13440 2011-11-24] (June Fabrics Technology Inc.)
    3 PTAPCBUS; C:\Windows\System32\DRIVERS\PTAPCBUS.sys [84608 2011-06-23] (DEVGURU Co., LTD.)
    3 PTAPCMDM; C:\Windows\System32\DRIVERS\PTAPCMDM.sys [168704 2011-06-23] (DEVGURU Co., LTD.(www.devguru.co.kr))
    3 PTAPCVSP; C:\Windows\System32\DRIVERS\PTAPCVSP.sys [168704 2011-06-23] (DEVGURU Co., LTD.(www.devguru.co.kr))
    4 RsFx0105; C:\Windows\System32\DRIVERS\RsFx0105.sys [238696 2011-09-22] (Microsoft Corporation)
    3 RTHDMIAzAudService; C:\Windows\System32\drivers\RtHDMIV.sys [155808 2008-12-25] (Realtek Semiconductor Corp.)
    3 SMSIVZAM5; \??\C:\PROGRA~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [32408 2009-05-25] (Smith Micro Inc.)
    3 usbkey; C:\Windows\System32\DRIVERS\USBKey.sys [33852 2009-05-06] ()
    3 usb_rndisx; C:\Windows\System32\DRIVERS\usb8023x.sys [15872 2009-07-13] (Microsoft Corporation)
    3 vpcbus; C:\Windows\System32\DRIVERS\vpchbus.sys [172416 2010-11-20] (Microsoft Corporation)
    1 vpcnfltr; C:\Windows\System32\DRIVERS\vpcnfltr.sys [48128 2010-11-20] (Microsoft Corporation)
    3 vpcusb; C:\Windows\System32\DRIVERS\vpcusb.sys [78336 2010-11-20] (Microsoft Corporation)
    1 vpcvmm; C:\Windows\System32\drivers\vpcvmm.sys [296064 2010-11-20] (Microsoft Corporation)
    3 winbondcir; C:\Windows\System32\DRIVERS\winbondcir.sys [43008 2007-03-28] (Winbond Electronics Corporation)
    3 easytether; C:\Windows\System32\DRIVERS\easytthr.sys [x]
    4 MySql; C:\mysql\bin\mysqld-nt [x]
    3 RimUsb; C:\Windows\System32\Drivers\RimUsb.sys [x]
    3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
    3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
    3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-06 22:09 - 2012-08-06 22:09 - 00000000 ____D C:\FRST
    2012-08-06 13:53 - 2012-08-06 13:53 - 00000000 ____D C:\Program Files\ESET
    2012-08-06 07:35 - 2012-08-06 06:12 - 00607260 ____R (Swearware) C:\Users\Boyce\Desktop\dds.com
    2012-08-06 07:35 - 2011-07-16 18:21 - 00302592 ____A C:\Users\Boyce\Desktop\gmer.exe
    2012-08-06 07:31 - 2012-08-06 07:31 - 00001270 ____A C:\Users\Public\Desktop\The Weather Channel App.lnk
    2012-07-31 04:18 - 2012-07-31 04:18 - 00000000 ____D C:\Users\Andrea\AppData\Roaming\Malwarebytes
    2012-07-31 04:03 - 2012-07-31 15:44 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
    2012-07-29 05:13 - 2012-07-29 05:13 - 00000000 ____D C:\Users\Boyce\AppData\Local\{54DFEE3D-F430-4C8D-8D6A-ABC38EA0E626}
    2012-07-29 05:13 - 2012-07-29 05:13 - 00000000 ____D C:\Users\Boyce\AppData\Local\{4F6D0E9A-23CA-41D7-8627-4E16BE48F020}
    2012-07-28 10:27 - 2012-07-28 10:27 - 00000000 ____D C:\Users\Boyce\AppData\Local\{66D40EB2-6617-4EE4-B255-8FC26D0286CD}
    2012-07-28 10:26 - 2012-07-28 10:27 - 00000000 ____D C:\Users\Boyce\AppData\Local\{1652FF50-4D57-4A50-8A29-2C886FCB9341}
    2012-07-27 23:23 - 2012-07-27 23:23 - 00424448 ____A (Stardock Systems, Inc) C:\Users\Boyce\Application Data\wuisht.dll
    2012-07-27 23:23 - 2012-07-27 23:23 - 00424448 ____A (Stardock Systems, Inc) C:\Users\Boyce\AppData\Roaming\wuisht.dll
    2012-07-27 23:23 - 2012-07-27 23:23 - 00000000 ____D C:\Users\Boyce\AppData\Local\{1D16C45F-D885-11E1-8270-B8AC6F996F26}
    2012-07-27 22:56 - 2012-07-27 22:56 - 00056832 ___AH (FRISK Software International) C:\Windows\System32\DFDWetup.dll
    2012-07-27 22:03 - 2012-07-27 22:03 - 00000000 ____D C:\Users\Boyce\AppData\Local\{F1DE1626-8C49-467B-A427-2657E52C2148}
    2012-07-27 22:03 - 2012-07-27 22:03 - 00000000 ____D C:\Users\Boyce\AppData\Local\{F005AEEF-5C7E-4D79-A277-472523D66DB2}
    2012-07-22 20:04 - 2012-07-22 20:04 - 00000000 ____D C:\Users\Boyce\AppData\Local\{87415C22-87A5-4F84-9B03-99A4ACB430D8}
    2012-07-22 20:03 - 2012-07-22 20:03 - 00000000 ____D C:\Users\Boyce\AppData\Local\{139C18D9-CF16-483F-8542-147AF4A1BF92}
    2012-07-22 18:38 - 2012-07-22 18:38 - 00000000 ____D C:\Users\Boyce\AppData\Local\LogMeIn
    2012-07-22 18:38 - 2012-07-22 18:38 - 00000000 ____D C:\Users\All Users\LogMeIn
    2012-07-21 17:12 - 2012-07-21 17:12 - 00007609 ____A C:\Users\Boyce\AppData\Local\Resmon.ResmonCfg
    2012-07-16 21:48 - 2012-07-16 21:48 - 00000000 ____D C:\Users\Boyce\AppData\Local\{D79A5797-F7FB-46ED-8C87-B6C183B913E6}
    2012-07-16 21:48 - 2012-07-16 21:48 - 00000000 ____D C:\Users\Boyce\AppData\Local\{7D61F582-3AD4-4180-B69B-78B572BCEA2B}
    2012-07-16 18:38 - 2012-07-16 20:21 - 00000000 ____D C:\Bin
    2012-07-16 03:58 - 2012-07-30 14:13 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-07-13 17:09 - 2012-07-13 17:10 - 00749832 ____A C:\Users\Andrea\Downloads\The-Virgin-s-Daughters-In-the-Court-of-Elizabeth-I.azw
    2012-07-12 20:03 - 2012-07-12 20:03 - 00000000 ____D C:\Users\Boyce\AppData\Local\{9D23C051-6455-4E1C-9AD8-0CAC171232EB}
    2012-07-12 20:03 - 2012-07-12 20:03 - 00000000 ____D C:\Users\Boyce\AppData\Local\{4FCD3611-6904-41A0-88DF-BDE737D00E14}
    2012-07-12 05:24 - 2012-07-12 05:24 - 00000000 ____D C:\Windows\0A94AE0C677C491D8A72A5AB2DAA68C1.TMP
    2012-07-12 05:23 - 2012-07-12 05:23 - 00000000 ____D C:\Windows\60431C725C624BD0A248E839C2FC0950.TMP
    2012-07-11 18:27 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-07-11 18:27 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-07-11 18:27 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-07-11 18:27 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-07-11 18:27 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-07-11 18:27 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-07-11 18:27 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-07-11 18:27 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-07-11 18:27 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-07-11 18:27 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-07-11 18:27 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-07-11 18:27 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-07-11 18:27 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-07-11 18:27 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-07-11 18:13 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-07-11 17:15 - 2012-07-11 17:16 - 00000000 ____D C:\Users\Boyce\AppData\Local\{825510F5-FA49-48B8-A406-B8B240E52EA9}
    2012-07-11 17:15 - 2012-07-11 17:15 - 00000000 ____D C:\Users\Boyce\AppData\Local\{48A703D0-A2EE-4AF8-8014-0678DFA40EB1}
    2012-07-11 02:23 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-07-11 02:23 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-07-11 02:23 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-07-11 02:23 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-07-11 02:23 - 2012-06-01 20:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-07-11 02:23 - 2012-06-01 20:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-07-11 02:23 - 2012-06-01 20:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-07-11 02:23 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-07-11 02:23 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-07-11 02:23 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
    2012-07-09 15:56 - 2012-07-30 03:50 - 00030720 ____A C:\Users\Boyce\Documents\RosterMASL.xls
    2012-07-08 12:49 - 2012-07-08 13:07 - 00000000 ____D C:\Windows\System32\Adobe

    ============ 3 Months Modified Files ========================

    2012-08-06 18:04 - 2011-07-30 03:56 - 03721278 ____A C:\Windows\setupact.log
    2012-08-06 13:50 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-06 13:46 - 2009-11-12 21:37 - 01568289 ____A C:\Windows\WindowsUpdate.log
    2012-08-06 13:46 - 2009-10-15 02:47 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-08-06 08:09 - 2009-06-17 20:07 - 00000000 ____A C:\Windows\System32\LogConfigTemp.xml
    2012-08-06 08:02 - 2009-10-15 02:47 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-08-06 07:31 - 2012-08-06 07:31 - 00001270 ____A C:\Users\Public\Desktop\The Weather Channel App.lnk
    2012-08-06 06:12 - 2012-08-06 07:35 - 00607260 ____R (Swearware) C:\Users\Boyce\Desktop\dds.com
    2012-07-31 15:46 - 2009-07-13 20:34 - 00012288 _____ C:\Windows\System32\umstartup.etl
    2012-07-31 15:44 - 2012-07-31 04:03 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
    2012-07-31 15:41 - 2009-07-13 15:11 - 00259072 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-07-30 14:17 - 2009-11-12 20:59 - 00011104 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-30 14:17 - 2009-11-12 20:59 - 00011104 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-30 14:13 - 2012-07-16 03:58 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-07-30 03:50 - 2012-07-09 15:56 - 00030720 ____A C:\Users\Boyce\Documents\RosterMASL.xls
    2012-07-28 04:26 - 2009-11-12 21:27 - 00760992 ____A C:\Windows\PFRO.log
    2012-07-27 23:36 - 2012-02-05 15:15 - 00001071 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-27 23:23 - 2012-07-27 23:23 - 00424448 ____A (Stardock Systems, Inc) C:\Users\Boyce\Application Data\wuisht.dll
    2012-07-27 23:23 - 2012-07-27 23:23 - 00424448 ____A (Stardock Systems, Inc) C:\Users\Boyce\AppData\Roaming\wuisht.dll
    2012-07-27 22:56 - 2012-07-27 22:56 - 00056832 ___AH (FRISK Software International) C:\Windows\System32\DFDWetup.dll
    2012-07-26 16:13 - 2012-04-04 17:16 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-07-26 16:13 - 2011-05-20 02:45 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-07-21 17:12 - 2012-07-21 17:12 - 00007609 ____A C:\Users\Boyce\AppData\Local\Resmon.ResmonCfg
    2012-07-16 18:21 - 2009-07-13 20:53 - 00032572 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-07-13 17:15 - 2009-11-12 21:47 - 00945640 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-13 17:10 - 2012-07-13 17:09 - 00749832 ____A C:\Users\Andrea\Downloads\The-Virgin-s-Daughters-In-the-Court-of-Elizabeth-I.azw
    2012-07-12 05:24 - 2009-01-20 22:44 - 00121120 ____A C:\Windows\DPINST.LOG
    2012-07-12 03:42 - 2009-07-13 20:33 - 00420744 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-11 18:13 - 2009-12-09 16:01 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-07-11 18:12 - 2006-11-02 02:23 - 00000240 ____A C:\Windows\win.ini
    2012-07-03 09:46 - 2012-02-05 15:14 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-06-30 09:05 - 2012-06-27 18:04 - 00015360 ___RA C:\Users\Boyce\Documents\9F1F5600
    2012-06-30 04:08 - 2012-06-27 18:04 - 00015360 ___RA C:\Users\Boyce\Documents\roster.xls
    2012-06-28 15:00 - 2011-11-28 15:27 - 00198864 ____A (RealNetworks, Inc.) C:\Windows\System32\rmoc3260.dll
    2012-06-28 14:59 - 2011-11-28 15:26 - 00272896 ____A (Progressive Networks) C:\Windows\System32\pncrt.dll
    2012-06-28 14:59 - 2011-11-28 15:26 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\System32\pndx5016.dll
    2012-06-28 14:59 - 2011-11-28 15:26 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\System32\pndx5032.dll
    2012-06-25 19:44 - 2012-06-25 19:44 - 00000094 ____A C:\Windows\family.ini
    2012-06-25 18:25 - 2011-01-31 18:48 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-06-25 18:20 - 2012-06-25 18:19 - 10288512 ____A (Microsoft Corporation) C:\Users\Boyce\Downloads\mseinstall.exe
    2012-06-22 11:47 - 2012-06-22 11:47 - 00005879 ____A C:\Users\Andrea\Downloads\Fall Registration Open- (1)
    2012-06-22 11:47 - 2012-06-22 11:47 - 00005879 ____A C:\Users\Andrea\Downloads\Fall Registration Open-
    2012-06-21 10:42 - 2012-06-21 10:42 - 00000196 ____A C:\cca.lic.sfold
    2012-06-21 10:42 - 2012-06-21 10:42 - 00000196 ____A C:\cca.lic
    2012-06-19 18:06 - 2012-06-19 18:04 - 83541290 ____A C:\Users\Boyce\Downloads\Punching Bag.zip
    2012-06-17 18:36 - 2012-06-17 18:36 - 00000218 ____A C:\Users\Boyce\.recently-used.xbel
    2012-06-13 12:57 - 2012-06-13 12:57 - 00001970 ____A C:\Users\Andrea\Desktop\Disney for Frame - Shortcut.lnk
    2012-06-13 12:56 - 2012-06-13 12:56 - 00001259 ____A C:\Users\Andrea\Desktop\IMG_0177 - Shortcut.lnk
    2012-06-11 18:40 - 2012-07-11 18:13 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-09 04:48 - 2012-06-09 05:06 - 00002831 ____A C:\msgbox.log
    2012-06-09 02:32 - 2012-06-09 04:42 - 00008452 ____A C:\OldKPServReg5.log
    2012-06-08 20:41 - 2012-07-11 02:23 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-08 14:26 - 2012-06-09 04:53 - 00000374 ____A C:\FATAL.LOG
    2012-06-05 21:05 - 2012-07-11 02:23 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-05 21:05 - 2012-07-11 02:23 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-05 21:03 - 2012-07-11 02:23 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-06-02 14:19 - 2012-06-21 02:54 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-21 02:54 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-21 02:54 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-21 02:53 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-21 02:53 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:12 - 2012-06-21 02:54 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:12 - 2012-06-21 02:53 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 11:19 - 2012-06-21 02:53 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 11:12 - 2012-06-21 02:53 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 01:07 - 2012-07-11 18:27 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-02 00:43 - 2012-07-11 18:27 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-02 00:33 - 2012-07-11 18:27 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-02 00:26 - 2012-07-11 18:27 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-02 00:25 - 2012-07-11 18:27 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-02 00:25 - 2012-07-11 18:27 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-02 00:23 - 2012-07-11 18:27 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-02 00:21 - 2012-07-11 18:27 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-02 00:20 - 2012-07-11 18:27 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-02 00:19 - 2012-07-11 18:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-02 00:19 - 2012-07-11 18:27 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-02 00:17 - 2012-07-11 18:27 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-02 00:16 - 2012-07-11 18:27 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-02 00:14 - 2012-07-11 18:27 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-01 20:45 - 2012-07-11 02:23 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-06-01 20:45 - 2012-07-11 02:23 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-01 20:40 - 2012-07-11 02:23 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-06-01 20:40 - 2012-07-11 02:23 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 20:39 - 2012-07-11 02:23 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-05-31 08:25 - 2010-08-09 19:22 - 00237072 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2012-05-27 04:27 - 2012-05-27 04:27 - 00001053 ____A C:\Users\Public\Desktop\CardRecoveryPro.lnk
    2012-05-27 03:57 - 2012-05-27 03:57 - 00001819 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
    2012-05-09 15:46 - 2012-05-09 15:46 - 00174024 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
    2012-05-09 15:46 - 2012-05-09 15:46 - 00174024 ____A (Oracle Corporation) C:\Windows\System32\java.exe


    ZeroAccess:
    C:\Windows\Installer\{29705fd8-db4a-7a33-8362-eac4941e9aa3}
    C:\Windows\Installer\{29705fd8-db4a-7a33-8362-eac4941e9aa3}\@
    C:\Windows\Installer\{29705fd8-db4a-7a33-8362-eac4941e9aa3}\L
    C:\Windows\Installer\{29705fd8-db4a-7a33-8362-eac4941e9aa3}\U
    C:\Windows\Installer\{29705fd8-db4a-7a33-8362-eac4941e9aa3}\U\00000001.@
    C:\Windows\Installer\{29705fd8-db4a-7a33-8362-eac4941e9aa3}\U\80000000.@
    C:\Windows\Installer\{29705fd8-db4a-7a33-8362-eac4941e9aa3}\U\800000cb.@

    ZeroAccess:
    C:\Users\Boyce\AppData\Local\{29705fd8-db4a-7a33-8362-eac4941e9aa3}
    C:\Users\Boyce\AppData\Local\{29705fd8-db4a-7a33-8362-eac4941e9aa3}\@
    C:\Users\Boyce\AppData\Local\{29705fd8-db4a-7a33-8362-eac4941e9aa3}\L
    C:\Users\Boyce\AppData\Local\{29705fd8-db4a-7a33-8362-eac4941e9aa3}\U

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 16%
    Total physical RAM: 2814.36 MB
    Available physical RAM: 2336.5 MB
    Total Pagefile: 2812.64 MB
    Available Pagefile: 2340.43 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1968.7 MB

    ======================= Partitions =========================

    1 Drive c: (ACER) (Fixed) (Total:110.44 GB) (Free:16.1 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (DATA) (Fixed) (Total:106.9 GB) (Free:73.74 GB) NTFS
    3 Drive e: (PQSERVICE) (Fixed) (Total:12 GB) (Free:1.12 GB) NTFS
    5 Drive g: (PENDRIVE) (Removable) (Total:1.92 GB) (Free:1.91 GB) FAT
    7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 232 GB 0 B
    Disk 1 Online 1967 MB 0 B
    Disk 2 No Media 0 B 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Recovery 12 GB 1024 KB
    Partition 2 Primary 110 GB 12 GB
    Partition 3 Primary 106 GB 122 GB
    Partition 4 OEM 3628 MB 229 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 E PQSERVICE NTFS Partition 12 GB Healthy Hidden

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C ACER NTFS Partition 110 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D DATA NTFS Partition 106 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 4
    Type : 12
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 6 NTFS Partition 3628 MB Healthy Hidden

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 1966 MB 16 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0E
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 G PENDRIVE FAT Removable 1966 MB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-28 03:26

    ======================= End Of Log ==========================
  2. SNuIX89

    SNuIX89 TS Rookie Topic Starter

    Farbar Recovery Scan Tool Version: 05-08-2012 01
    Ran by SYSTEM at 2012-08-07 07:49:43
    Running from G:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

    C:\Windows\System32\services.exe
    [2009-07-13 15:11] - [2012-07-31 15:41] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

    === End Of Search ===
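The two entries in the search above are the point of the whole thread: the WinSxS component-store copy of services.exe and the live System32 copy have the same size and the same signer string, but different MD5 hashes, and the live copy's modified time (2012-07-31) is years after its created time. That is the footprint of a binary patched in place rather than replaced by a servicing update. The following Python is an added example, not part of the original thread and not FRST's own code; it parses FRST "Search:" output (the two entries are embedded as a constructed sample copied from the post), groups entries by file name, and flags live copies whose hash disagrees with the WinSxS reference. The `Replace:` line it emits uses FRST's documented fixlist directive (source path, then destination path); the fixlist the helper actually attached is not on the page, so that line is the editor's assumption, not the helper's script.

```python
"""Flag an in-place patched system binary from FRST 'Search:' output.

Added example (not from the thread or from FRST): parses the search log,
groups entries by file name, and compares each live copy with the WinSxS
component-store copy of the same file.
"""
import re
from collections import defaultdict

# Constructed sample: the two entries from the FRST Search: "services.exe"
# log posted above, copied verbatim.
SAMPLE_LOG = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2012-07-31 15:41] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===
"""

# One FRST detail line: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) \S+ \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_frst_search(text):
    """Return one dict per file found: path, created, modified, size, company, md5."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries = []
    for path, detail in zip(lines, lines[1:]):
        m = DETAIL_RE.match(detail)
        # A path line is any non-empty line that is neither a banner nor a detail line
        if path and not path.startswith(("=", "[")) and m:
            entry = m.groupdict()
            entry["path"] = path
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def find_patched(entries):
    """Compare live copies against WinSxS reference copies of the same file name.

    Same size but a different MD5 is what an in-place patch looks like, so it is
    reported at high confidence. A different size usually means a genuine
    servicing update (different file version), so it is reported at low confidence.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)

    findings = []
    for name, group in by_name.items():
        reference = [e for e in group if "\\winsxs\\" in e["path"].lower()]
        live = [e for e in group if e not in reference]
        for l in live:
            for r in reference:
                if l["md5"] == r["md5"]:
                    continue
                same_size = l["size"] == r["size"]
                findings.append({
                    "file": name,
                    "live": l["path"],
                    "reference": r["path"],
                    "live_md5": l["md5"],
                    "reference_md5": r["md5"],
                    "same_size": same_size,
                    "confidence": "high" if same_size else "low",
                    # FRST's Replace: directive (source, then destination). This is
                    # the editor's assumption about the fix, not the helper's fixlist.
                    "fixlist": "Replace: %s %s" % (r["path"], l["path"]),
                })
    return findings


if __name__ == "__main__":
    for f in find_patched(parse_frst_search(SAMPLE_LOG)):
        print("%s: %s confidence" % (f["file"], f["confidence"]))
        print("  live      %s  %s" % (f["live_md5"], f["live"]))
        print("  reference %s  %s" % (f["reference_md5"], f["reference"]))
        print("  fixlist   %s" % f["fixlist"])
```

A hash mismatch by itself is a lead, not proof: a Windows update also changes the hash, but it changes the file version and normally the size as well, and the modified time lines up with update activity. Check the Authenticode signature of the live copy (a patched file fails it) before replacing anything, and do the replacement offline from the recovery environment, as the helper did, because services.exe is in use whenever Windows is running.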
  3. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    FRST Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Now restart, let it boot normally and tell me how it went.
  4. SNuIX89

    SNuIX89 TS Rookie Topic Starter

    No joy with that one.

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 05-08-2012 01
    Ran by SYSTEM at 2012-08-07 16:30:42 Run:2
    Running from G:\

    ==============================================

    Could not find C:\Windows\System32\services.exe.
    Could not find C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe.

    ==== End of Fixlog ====
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    FRST Fixlist

    Download the fixlist.txt and put it on your flashdrive to replace the current fixlist.txt.


    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Now restart, let it boot normally and tell me how it went.

    Attached Files:

  6. SNuIX89

    SNuIX89 TS Rookie Topic Starter

    Ok, everything seems to be running normally. There are no reboots or infections found.
  7. SNuIX89

    SNuIX89 TS Rookie Topic Starter

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 05-08-2012 01
    Ran by SYSTEM at 2012-08-08 19:09:09 Run:3
    Running from G:\
    ==============================================
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe
    C:\Windows\Installer\{29705fd8-db4a-7a33-8362-eac4941e9aa3} moved successfully.
    C:\Users\Boyce\AppData\Local\{29705fd8-db4a-7a33-8362-eac4941e9aa3} moved successfully.
    ==== End of Fixlog ====
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
  9. SNuIX89

    SNuIX89 TS Rookie Topic Starter

    ComboFix 12-08-08.03 - Boyce 08/09/2012 6:25.1.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2814.1255 [GMT -4:00]
    Running from: c:\users\Boyce\Downloads\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\Mozilla Firefox\searchplugins\search.xml
    c:\programdata\SPLC102.tmp
    c:\users\Boyce\AppData\Roaming\.#
    c:\users\Boyce\g2mdlhlpx.exe
    c:\windows\My.ini
    c:\windows\security\Database\tmp.edb
    c:\windows\system32\MSDCSC
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-09 to 2012-08-09 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-09 10:50 . 2012-08-09 10:50 -------- d-----w- c:\users\DefaultAppPool\AppData\Local\temp
    2012-08-09 10:50 . 2012-08-09 10:50 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-08-09 10:50 . 2012-08-09 10:50 -------- d-----w- c:\users\Classic .NET AppPool\AppData\Local\temp
    2012-08-09 10:50 . 2012-08-09 10:50 -------- d-----w- c:\users\Andrea\AppData\Local\temp
    2012-08-09 10:50 . 2012-08-09 10:50 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2012-08-09 01:29 . 2012-08-09 01:29 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{136A6CFB-B708-425C-B27E-C2EC25BAB8EF}\MpKslae55a37f.sys
    2012-08-09 00:47 . 2012-08-09 00:47 -------- d-----w- c:\program files\iPod
    2012-08-08 23:16 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F41587BA-2837-4AA8-B245-B5B924F531D6}\mpengine.dll
    2012-08-08 23:10 . 2012-08-08 23:10 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{136A6CFB-B708-425C-B27E-C2EC25BAB8EF}\offreg.dll
    2012-08-07 20:26 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{136A6CFB-B708-425C-B27E-C2EC25BAB8EF}\mpengine.dll
    2012-08-07 06:09 . 2012-08-07 06:09 -------- d-----w- C:\FRST
    2012-08-06 21:53 . 2012-08-06 21:53 -------- d-----w- c:\program files\ESET
    2012-07-31 12:18 . 2012-07-31 12:18 -------- d-----w- c:\users\Andrea\AppData\Roaming\Malwarebytes
    2012-07-31 12:03 . 2012-07-31 23:44 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-07-28 07:23 . 2012-07-28 07:23 -------- d-----w- c:\users\Boyce\AppData\Local\{1D16C45F-D885-11E1-8270-B8AC6F996F26}
    2012-07-28 05:09 . 2012-07-28 05:09 -------- d-----w- c:\users\Boyce\temp
    2012-07-27 12:24 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-07-23 02:38 . 2012-07-23 02:38 -------- d-----w- c:\users\Boyce\AppData\Local\LogMeIn
    2012-07-23 02:38 . 2012-07-23 02:38 -------- d-----w- c:\programdata\LogMeIn
    2012-07-17 02:38 . 2012-07-17 04:21 -------- d-----w- C:\Bin
    2012-07-12 13:24 . 2012-07-12 13:24 -------- d-----w- c:\windows\0A94AE0C677C491D8A72A5AB2DAA68C1.TMP
    2012-07-12 13:23 . 2012-07-12 13:23 -------- d-----w- c:\windows\60431C725C624BD0A248E839C2FC0950.TMP
    2012-07-12 02:13 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-09 00:13 . 2012-04-05 01:16 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-08-09 00:13 . 2011-05-20 10:45 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-03 17:46 . 2012-02-05 23:14 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-02 22:19 . 2012-06-21 10:54 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 10:54 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 10:53 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 10:53 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-21 10:54 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-21 10:54 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-21 10:53 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 19:19 . 2012-06-21 10:53 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 19:12 . 2012-06-21 10:53 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-05-31 16:25 . 2010-08-10 03:22 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-07-18 11:55 . 2012-02-11 12:53 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2009-10-31 16:43 . 2009-10-31 16:43 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{96b985b7-3cf9-456a-9db6-791710e60f5f}"= "c:\program files\MyPoints Toolbar 2.0\Helper.dll" [2010-05-03 242688]
    "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn0\YTNavAssist.dll" [2011-01-21 213816]
    .
    [HKEY_CLASSES_ROOT\clsid\{96b985b7-3cf9-456a-9db6-791710e60f5f}]
    [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
    [HKEY_CLASSES_ROOT\TypeLib\{9FEBEA6D-4801-4D23-97E7-A771B698E442}]
    [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
    .
    [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
    [HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
    [HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
    [HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{614BDA1F-9BEF-4CD1-BDE4-FA4804929B4A}]
    2010-05-03 13:42 1529856 ----a-w- c:\program files\MyPoints Toolbar 2.0\Toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Toolbar 2.0\Toolbar.dll" [2010-05-03 1529856]
    .
    [HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
    [HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
    [HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
    [HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Toolbar 2.0\Toolbar.dll" [2010-05-03 1529856]
    .
    [HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
    [HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
    [HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
    [HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Boyce\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Boyce\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Boyce\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Boyce\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
    @="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
    [HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
    2008-07-30 01:52 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-18 68856]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
    "DW7"="c:\program files\The Weather Channel\The Weather Channel App\TWCApp.exe" [2012-08-06 13003448]
    "MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-09-18 6294048]
    "Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
    "Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
    "ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-10-09 147456]
    "CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-10-09 167936]
    "eAudio"="c:\program files\Acer\Empowering Technology\eAudio\eAudio.exe" [2008-09-12 544768]
    "eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-07-30 526896]
    "ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-11-28 417792]
    "Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-08-19 122368]
    "PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-10-17 167936]
    "PLFSetI"="c:\windows\PLFSetI.exe" [2008-07-01 200704]
    "LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-06-17 817672]
    "lxdxmon.exe"="c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe" [2009-08-31 672424]
    "EzPrint"="c:\program files\Lexmark 3600-4600 Series\ezprint.exe" [2008-06-13 107176]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
    "Belkin Storage Manager"="c:\program files\Belkin Storage Manager\StorageManager.exe" [2009-02-03 858624]
    "Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2012-07-05 295304]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
    "Anti-phishing Domain Advisor"="c:\programdata\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2012-05-03 217256]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-06-28 296096]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
    .
    c:\users\Boyce\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Disney Vacation Connection.lnk - c:\program files\Disney Vacation Connection\Disney Vacation Connection.exe [N/A]
    Dropbox.lnk - c:\users\Boyce\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-1-30 118784]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    R2 gupdate1ca4d8344bb7341;Google Update Service (gupdate1ca4d8344bb7341);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
    R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    R3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\DRIVERS\DisplayLinkUsbPort_5.2.23219.0.sys [x]
    R3 easytether;easytether;c:\windows\system32\DRIVERS\easytthr.sys [x]
    R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\DRIVERS\btblan.sys [x]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
    R3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [x]
    R3 pneteth;PdaNet Broadband;c:\windows\system32\DRIVERS\pneteth.sys [x]
    R3 PTAPCBUS;Pantech Android USB Composite Device (PTAPC);c:\windows\system32\DRIVERS\PTAPCBUS.sys [x]
    R3 PTAPCMDM;Pantech Android USB Modem Drivers (PTAPC);c:\windows\system32\DRIVERS\PTAPCMDM.sys [x]
    R3 PTAPCVSP;Pantech Android USB Serial Port (PTAPC);c:\windows\system32\DRIVERS\PTAPCVSP.sys [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
    R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R3 usbkey;USB Dongle;c:\windows\system32\DRIVERS\USBKey.sys [x]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
    R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [x]
    R4 RsFx0105;RsFx0105 Driver;c:\windows\system32\DRIVERS\RsFx0105.sys [x]
    R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [x]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
    S0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [x]
    S1 MpKslae55a37f;MpKslae55a37f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{136A6CFB-B708-425C-B27E-C2EC25BAB8EF}\MpKslae55a37f.sys [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [x]
    S2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [x]
    S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [x]
    S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [x]
    S2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run [x]
    S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe [x]
    S2 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [x]
    S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [x]
    S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [x]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
    S3 winbondcir;Winbond IR Transceiver;c:\windows\system32\DRIVERS\winbondcir.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSLAE55A37F
    *Deregistered* - mfeavfk
    *Deregistered* - mfebopk
    *Deregistered* - mferkdk
    *Deregistered* - mfesmfk
    *Deregistered* - MPFP
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    iissvcs REG_MULTI_SZ w3svc was
    apphost REG_MULTI_SZ apphostsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-09 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 00:13]
    .
    2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-15 10:35]
    .
    2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-15 10:35]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
    FF - ProfilePath - c:\users\Boyce\AppData\Roaming\Mozilla\Firefox\Profiles\uxl0h02x.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: keyword.URL - hxxp://blekko.com/ws/?source=c3348dd4&tbp=rbox&toolbarid=blekkotb_031&u=00207CDA65671690272B7A4FC25BA431&q=
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
    HKCU-Run-Setpoint - c:\users\Boyce\AppData\Roaming\Cryptedwithouticon.exe
    SafeBoot-mcmscsvc
    SafeBoot-MCODS
    AddRemove-The Weather Channel Desktop 6 - c:\program files\The Weather Channel FW\Desktop\TheWeatherChannelCustomUninstall.exe
    AddRemove-{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC} - c:\program files\Realtek\Audio\HDA\RtlUpd.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\services\MsDepSvc]
    "ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\services\MySql]
    "ImagePath"="c:\mysql\bin\mysqld-nt"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-08-09 06:59:02
    ComboFix-quarantined-files.txt 2012-08-09 10:59
    .
    Pre-Run: 16,734,269,440 bytes free
    Post-Run: 22,026,092,544 bytes free
    .
    - - End Of File - - BCC99AFB9B0CC0F58298198B8A1C656E
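Two blocks in the ComboFix log above deserve a second look before the machine is declared clean: under `policies\system`, UAC is switched off (`EnableLUA` = 0, `ConsentPromptBehaviorAdmin` = 0, `PromptOnSecureDesktop` = 0), and under `security center` both `AntiVirusOverride` and `FirewallOverride` are 1, which silences the "no antivirus" and "firewall off" alerts. The following Python is an added example, not part of the thread and not ComboFix's own code; it parses those REGEDIT4-style lines (embedded as a constructed sample copied from the log), compares each value with the stock Windows 7 default, and prints the `reg.exe` command that restores it. The defaults assume a stand-alone, non-domain-joined Windows 7 machine with no UAC policy applied, which is what this log shows.

```python
"""Audit UAC and Security Center values from a ComboFix 'Reg Loading Points' dump.

Added example (not from the thread or from ComboFix): parses the REGEDIT4-style
lines, compares them with stock Windows 7 defaults, and builds the reg.exe
commands that restore each default.
"""
import re

# Constructed sample: the two blocks copied from the ComboFix log above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"""

# Stock Windows 7 defaults (assumption: non-domain-joined machine with no UAC
# policy applied). Keyed by the tail of the registry path as ComboFix prints it.
BASELINE = {
    r"windows\currentversion\policies\system": {
        "hive_path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
        "values": {
            "EnableLUA": 1,                   # UAC on
            "ConsentPromptBehaviorAdmin": 5,  # prompt admins for consent on non-Windows binaries
            "ConsentPromptBehaviorUser": 3,   # prompt standard users for credentials
            "PromptOnSecureDesktop": 1,       # prompt on the secure desktop
            "EnableUIADesktopToggle": 0,
        },
    },
    r"microsoft\security center": {
        "hive_path": r"HKLM\SOFTWARE\Microsoft\Security Center",
        "values": {
            "AntiVirusOverride": 0,  # 1 silences the "no antivirus" alert
            "FirewallOverride": 0,   # 1 silences the "firewall off" alert
        },
    },
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Two value spellings appear in ComboFix output: "Name"= 0 (0x0) and "Name"=dword:00000001
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*(?:dword:(?P<hex>[0-9A-Fa-f]{8})|(?P<dec>\d+)\s*\(0x[0-9A-Fa-f]+\))$'
)


def parse_values(text):
    """Return {registry key (lowercased): {value name: int}} for the DWORDs found."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            current = k.group("key").lower()
            result.setdefault(current, {})
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            value = int(v.group("hex"), 16) if v.group("hex") else int(v.group("dec"))
            result[current][v.group("name")] = value
    return result


def audit(parsed):
    """List every observed value that departs from the baseline, with a fix command."""
    findings = []
    for key, names in parsed.items():
        for tail, spec in BASELINE.items():
            if not key.endswith(tail):
                continue
            for name, expected in spec["values"].items():
                observed = names.get(name)
                if observed is not None and observed != expected:
                    findings.append({
                        "name": name,
                        "observed": observed,
                        "expected": expected,
                        "fix": 'reg add "%s" /v %s /t REG_DWORD /d %d /f'
                               % (spec["hive_path"], name, expected),
                    })
    return findings


if __name__ == "__main__":
    for f in audit(parse_values(SAMPLE)):
        print("%-28s observed %d, expected %d" % (f["name"], f["observed"], f["expected"]))
        print("    " + f["fix"])
```

On the sample this reports five deviations (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop, AntiVirusOverride, FirewallOverride) and leaves ConsentPromptBehaviorUser and EnableUIADesktopToggle alone because they already match. Treat the result as a lead rather than proof of tampering: an administrator or a third-party security suite can set the same values, and the log's header shows MSE was deliberately disabled for the ComboFix run. Whatever set them, a machine that just had a patched services.exe replaced should not be handed back with UAC off and Security Center alerts muted.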
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Scan for malware

    Please download Malwarebytes Anti-Malware from HERE.


    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Copy and paste the entire report in your next reply.


    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello. Are you still with us?

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.
     

