Sirefef.# strikes again

Inactive
By abks26
Jul 30, 2012
Hi all! It's not pretty. I'm running Windows 7 Professional x64 and had major problems. Now my computer shuts down within 1 minute. I did see that I have Sirefef.y, Sirefef.ah, Sirefef.a or something like that (multiple variations... not sure if it matters). I'm spending most of my night changing passwords on all my accounts and then I'll contact my banks tomorrow.

I have checked out the reads already here and did the FRST64/Service logs since that was the general first step. I can barely log into my computer now. Not touching my laptop at all until I get a reply. Thanks for any help you can provide!

    Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
    Ran by SYSTEM at 30-07-2012 01:23:08
    Running from F:\
    Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [592240 2011-01-04] (Alps Electric Co., Ltd.)
    HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-01-25] (IDT, Inc.)
    HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [167960 2011-03-30] (Intel Corporation)
    HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [391704 2011-03-30] (Intel Corporation)
    HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [418328 2011-03-30] (Intel Corporation)
    HKLM\...\Run: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe [686704 2010-12-17] ()
    HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe [6492672 2011-01-15] (Dell Inc.)
    HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [500208 2010-03-06] (Adobe Systems Incorporated)
    HKLM\...\Run: [gdasn] "C:\Windows\System32\rundll32.exe" "C:\Users\Anne\AppData\Roaming\gdasn.dll",set_read_fn [420352 2012-07-25] ()
    HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [IMSS] "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [112152 2010-12-03] (Intel Corporation)
    HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [462993 2010-03-12] (Creative Technology Ltd)
    HKLM-x32\...\Run: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [87336 2009-07-06] (CyberLink Corp.)
    HKLM-x32\...\Run: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [50472 2010-04-29] (CyberLink Corp.)
    HKLM-x32\...\Run: [] [x]
    HKLM-x32\...\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)
    HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-06-06] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin [406992 2010-02-22] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
    HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-06] (Apple Inc.)
    HKLM-x32\...\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe" [979328 2010-10-12] (SEIKO EPSON CORPORATION)
    HKLM-x32\...\Run: [FUFAXRCV] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe" [495616 2011-03-08] (SEIKO EPSON CORPORATION)
    HKLM-x32\...\Run: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [856064 2011-03-08] (SEIKO EPSON CORPORATION)
    HKU\Anne\...\Run: [Google Update] "C:\Users\Anne\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-12-23] (Google Inc.)
    HKU\Anne\...\Run: [AdobeBridge] [x]
    HKU\Anne\...\Run: [googletalk] C:\Users\Anne\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart [3739648 2007-01-01] (Google)
    HKU\Anne\...\Run: [DAEMON Tools Pro Agent] "C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe" -autorun [3111744 2012-04-26] (DT Soft Ltd)
    HKU\Anne\...\Run: [EPLTarget\P0000000000000000] C:\Windows\system32\spool\DRIVERS\x64\3\E_YATIHVA.EXE /EPT "EPLTarget\P0000000000000000" /M "WorkForce 645" [239488 2011-04-24] (SEIKO EPSON CORPORATION)
    HKU\Anne\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
    HKU\Anne\...\Run: [gdasn] "C:\Windows\System32\rundll32.exe" "C:\Users\Anne\AppData\Roaming\gdasn.dll",set_read_fn [420352 2012-07-25] ()
    Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
    Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    Lsa: [Authentication Packages] msv1_0
    wvauth
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Dell System Manager.lnk
    ShortcutTarget: Dell System Manager.lnk -> C:\Program Files\Dell\Dell System Manager\DCPSysMgr.exe (Dell Inc.)
    Startup: C:\Users\Anne\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
    ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

    ==================== Services (Whitelisted) ======

    2 ABBYY.Licensing.FineReader.Sprint.9.0; "C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe" -service [759048 2009-05-14] (ABBYY)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
    2 O2SDIOAssist; C:\Windows\SysWOW64\srvany.exe [8192 2003-04-18] ()
    2 RoxWatch12; "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe" [219632 2010-11-25] (Sonic Solutions)
    3 stllssvr; "C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe" [74392 2010-11-08] (MicroVision Development, Inc.)
    2 tcsd_win32.exe; "C:\Program Files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe" [1629696 2010-07-13] ()
    2 UNS; "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe" [2656280 2010-12-03] (Intel Corporation)

    ========================== Drivers (Whitelisted) =============

    0 sptd; C:\Windows\System32\Drivers\sptd.sys [560184 2012-04-27] (Duplex Secure Ltd.)

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-07-29 20:50 - 2012-07-29 20:50 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.03E86C6D05C1E43F
    2012-07-29 20:42 - 2012-07-29 20:42 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.58886290833A4289
    2012-07-29 20:35 - 2012-07-29 20:35 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2C31D00BBF6CF89F
    2012-07-29 20:31 - 2012-07-29 20:31 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.211AFBF5E4391C5E
    2012-07-29 20:25 - 2012-07-29 20:25 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.47B664D89E53D58B
    2012-07-29 20:17 - 2012-07-29 20:19 - 00347424 ____A (Microsoft Corporation) C:\Users\Anne\Downloads\MicrosoftFixit.WindowsFirewall.RNP.19267051685286478.3.1.Run.exe
    2012-07-29 20:11 - 2012-07-29 20:11 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.887F2746A8C90C90
    2012-07-29 19:59 - 2012-07-29 19:59 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-07-29 19:59 - 2012-07-29 19:59 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-07-29 19:51 - 2012-07-29 19:51 - 12621696 ____A (Microsoft Corporation) C:\Users\Anne\Downloads\mseinstall.exe
    2012-07-29 19:11 - 2012-07-29 19:11 - 00000000 ____D C:\Users\Anne\Downloads\Rosetta Stone v3 Portuguese (Brazil) & speech
    2012-07-29 18:53 - 2012-07-29 19:07 - 50957919 ____A C:\Users\Anne\Downloads\Rosetta Stone v3 Portuguese (Brazil) & speech.part6.rar
    2012-07-29 18:38 - 2012-07-29 18:38 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-07-29 18:09 - 2012-07-29 18:24 - 263192577 ____A C:\Users\Anne\Downloads\Rosetta Stone v3 Portuguese (Brazil) & speech.part5.rar
    2012-07-29 17:35 - 2012-07-29 17:48 - 263192577 ____A C:\Users\Anne\Downloads\Rosetta Stone v3 Portuguese (Brazil) & speech.part3.rar
    2012-07-29 16:20 - 2012-07-29 17:32 - 263192576 ____A C:\Users\Anne\Downloads\Rosetta Stone v3 Portuguese (Brazil) & speech.part2.rar
    2012-07-29 16:10 - 2012-07-29 17:21 - 263192577 ____A C:\Users\Anne\Downloads\Rosetta Stone v3 Portuguese (Brazil) & speech.part1.rar
    2012-07-26 19:58 - 2012-07-26 19:58 - 00000000 ____D C:\Users\Anne\Downloads\iTunes-Jay-Z_and_Kanye_West-Watch_The_Throne_(Deluxe_Version)-(2011)
    2012-07-25 12:57 - 2012-07-25 13:16 - 152948744 ____A C:\Users\Anne\Downloads\iTunes-Jay-Z_and_Kanye_West-Watch_The_Throne_(Deluxe_Version)-(2011).rar
    2012-07-25 12:41 - 2012-07-25 12:41 - 00420352 ____A C:\Users\Anne\AppData\Roaming\gdasn.dll
    2012-07-25 12:41 - 2012-07-25 12:41 - 00000000 ____D C:\Users\Anne\AppData\Local\{215B93C0-D699-11E1-8270-B8AC6F996F26}
    2012-07-25 12:41 - 2012-07-25 12:41 - 00000000 ____D C:\Users\Anne\AppData\Local\{215B6270-D699-11E1-8270-B8AC6F996F26}
    2012-07-21 10:22 - 2012-07-21 10:40 - 00000000 ____D C:\Users\Anne\Desktop\NAIL POLISH
    2012-07-20 20:48 - 2012-07-23 09:29 - 00000000 ____D C:\Users\Anne\Desktop\Summer 2012 Vision Board
    2012-07-20 07:06 - 2012-07-20 07:06 - 00112121 ____A C:\Users\Anne\Downloads\644 - Making Small Talk in English a.pptx
    2012-07-20 07:04 - 2012-07-20 07:04 - 03338947 ____A C:\Users\Anne\Downloads\644 - Making Small Talk in English .pptx
    2012-07-12 15:11 - 2012-07-12 15:11 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-495499240-2845497790-2203762804-1003Core1cd6083b0707453.job
    2012-07-11 20:42 - 2012-06-11 19:08 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-07-11 20:37 - 2012-06-02 04:49 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-07-11 20:37 - 2012-06-02 04:17 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-07-11 20:37 - 2012-06-02 04:12 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-07-11 20:37 - 2012-06-02 04:05 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-07-11 20:37 - 2012-06-02 04:05 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-07-11 20:37 - 2012-06-02 04:04 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-07-11 20:37 - 2012-06-02 04:04 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-07-11 20:37 - 2012-06-02 04:03 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-07-11 20:37 - 2012-06-02 04:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-07-11 20:37 - 2012-06-02 04:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-07-11 20:37 - 2012-06-02 03:59 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-07-11 20:37 - 2012-06-02 03:57 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-07-11 20:37 - 2012-06-02 03:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-07-11 20:37 - 2012-06-02 03:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-07-11 20:37 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-07-11 20:37 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-07-11 20:37 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-07-11 20:37 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-07-11 20:37 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-07-11 20:37 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-07-11 20:37 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-07-11 20:37 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-07-11 20:37 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-07-11 20:37 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-07-11 20:37 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-07-11 20:37 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-07-11 20:37 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-07-11 20:37 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-07-11 06:10 - 2012-07-11 06:11 - 00118044 ____A C:\Users\Anne\Downloads\547 - Discussing Work in English.pptx
    2012-07-11 04:00 - 2012-06-08 21:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-07-11 04:00 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    2012-07-11 04:00 - 2012-06-05 22:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-07-11 04:00 - 2012-06-05 22:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-07-11 04:00 - 2012-06-05 22:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-07-11 04:00 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2012-07-11 04:00 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2012-07-11 04:00 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
    2012-07-11 04:00 - 2012-06-01 21:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-07-11 04:00 - 2012-06-01 21:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-07-11 04:00 - 2012-06-01 21:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-07-11 04:00 - 2012-06-01 21:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-07-11 04:00 - 2012-06-01 21:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-07-11 04:00 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
    2012-07-11 04:00 - 2012-06-01 20:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
    2012-07-11 04:00 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    2012-07-11 04:00 - 2012-06-01 20:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
    2012-07-11 04:00 - 2010-06-25 19:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
    2012-07-11 04:00 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
    2012-07-10 15:54 - 2012-07-10 15:54 - 00000215 ____A C:\Users\Anne\AppData\Roaming\My Profile.xml
    2012-07-10 05:08 - 2012-07-10 05:09 - 03701449 ____A C:\Users\Anne\Desktop\Integrated Reasoning2.pptx
    2012-07-10 05:02 - 2012-07-10 05:04 - 03701449 ____A C:\Users\Anne\Desktop\Integrated Reasoning.pptx
    2012-07-08 14:22 - 2012-07-08 14:22 - 00000000 ____D C:\Users\Anne\AppData\Roaming\Leadertech
    2012-07-08 14:20 - 2012-07-08 14:22 - 00000000 ____D C:\Program Files (x86)\ABBYY FineReader 9.0 Sprint
    2012-07-08 14:20 - 2012-07-08 14:20 - 00000000 ____D C:\Users\Anne\AppData\Local\ABBYY
    2012-07-08 14:20 - 2012-07-08 14:20 - 00000000 ____D C:\Users\All Users\ABBYY
    2012-07-08 14:11 - 2012-07-08 14:11 - 00000000 ____D C:\Program Files\Common Files\EPSON
    2012-07-08 14:09 - 2012-07-08 14:09 - 00000000 ____D C:\Users\Anne\AppData\Roaming\InstallShield
    2012-07-08 14:09 - 2012-07-08 14:09 - 00000000 ____D C:\Program Files\EpsonNet
    2012-07-08 14:09 - 2012-07-08 14:09 - 00000000 ____D C:\Program Files\EPSON
    2012-07-08 14:09 - 2010-09-13 11:01 - 00538112 ____A (SEIKO EPSON CORPORATION) C:\Windows\System32\ensppui.dll
    2012-07-08 14:09 - 2010-09-13 11:01 - 00538112 ____A (SEIKO EPSON CORPORATION) C:\Windows\System32\enppui.dll
    2012-07-08 14:09 - 2010-09-13 11:00 - 00558592 ____A (SEIKO EPSON CORPORATION) C:\Windows\System32\ensppmon.dll
    2012-07-08 14:09 - 2010-09-13 11:00 - 00558592 ____A (SEIKO EPSON CORPORATION) C:\Windows\System32\enppmon.dll
    2012-07-08 14:09 - 2008-06-18 07:49 - 00250880 ____A (SEIKO EPSON CORPORATION) C:\Windows\System32\enspres.dll
    2012-07-08 14:09 - 2008-06-18 07:49 - 00250880 ____A (SEIKO EPSON CORPORATION) C:\Windows\System32\enpres.dll
    2012-07-08 14:08 - 2012-07-12 02:59 - 00000000 ____D C:\Users\Anne\AppData\Roaming\Epson
    2012-07-08 14:07 - 2012-07-08 14:07 - 00000000 ____D C:\Program Files (x86)\Epson America Inc
    2012-07-08 14:06 - 2012-07-08 14:26 - 00000000 ____D C:\Program Files (x86)\Epson Software
    2012-07-08 14:05 - 2012-07-08 14:13 - 00000000 ____D C:\Users\All Users\EPSON
    2012-07-08 14:05 - 2012-07-08 14:06 - 00000000 ____D C:\Program Files (x86)\epson
    2012-07-08 14:05 - 2012-07-08 14:05 - 00000934 ____A C:\Users\Public\Desktop\EPSON Scan.lnk
    2012-07-08 14:05 - 2010-09-28 06:01 - 00118784 ____A (SEIKO EPSON CORPORATION) C:\Windows\System32\E_YLMHVA.DLL
    2012-07-08 14:05 - 2010-08-09 06:02 - 00083456 ____A (SEIKO EPSON CORPORATION) C:\Windows\System32\E_YD4BHVA.DLL
    2012-07-08 14:05 - 2009-12-08 20:00 - 00464384 ____A (Seiko Epson Corporation) C:\Windows\System32\esxw2ud.dll
    2012-07-08 14:05 - 2009-10-15 20:00 - 00132560 ____A (Seiko Epson Corporation) C:\Windows\System32\esdevapp.exe
    2012-07-08 14:05 - 2009-10-15 20:00 - 00013824 ____A (Seiko Epson Corporation) C:\Windows\System32\esxcdev.dll
    2012-07-08 13:56 - 2012-07-08 14:27 - 00000106 ____A C:\Windows\EWF645.ini
    2012-07-02 17:23 - 2012-07-02 17:23 - 07301084 ____A C:\Users\Anne\Downloads\570 - English for Road Trips Around the U.S..pptx
    2012-07-02 16:57 - 2012-07-02 17:08 - 00000000 ____D C:\Users\Anne\Desktop\Bank Statements


    ============ 3 Months Modified Files ========================

    2012-07-29 21:17 - 2009-07-13 20:51 - 00065427 ____A C:\Windows\setupact.log
    2012-07-29 21:15 - 2010-11-20 19:47 - 00051642 ____A C:\Windows\PFRO.log
    2012-07-29 21:15 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-29 20:50 - 2012-07-29 20:50 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.03E86C6D05C1E43F
    2012-07-29 20:42 - 2012-07-29 20:42 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.58886290833A4289
    2012-07-29 20:35 - 2012-07-29 20:35 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2C31D00BBF6CF89F
    2012-07-29 20:31 - 2012-07-29 20:31 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.211AFBF5E4391C5E
    2012-07-29 20:25 - 2012-07-29 20:25 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.47B664D89E53D58B
    2012-07-29 20:22 - 2009-07-13 20:45 - 00021312 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-29 20:22 - 2009-07-13 20:45 - 00021312 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-29 20:19 - 2012-07-29 20:17 - 00347424 ____A (Microsoft Corporation) C:\Users\Anne\Downloads\MicrosoftFixit.WindowsFirewall.RNP.19267051685286478.3.1.Run.exe
    2012-07-29 20:14 - 2011-11-24 21:09 - 00000940 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-495499240-2845497790-2203762804-1000UA.job
    2012-07-29 20:11 - 2012-07-29 20:11 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.887F2746A8C90C90
    2012-07-29 20:00 - 2011-12-05 19:54 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-07-29 20:00 - 2011-06-18 17:12 - 01294915 ____A C:\Windows\WindowsUpdate.log
    2012-07-29 19:59 - 2011-02-10 06:33 - 00796678 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-07-29 19:51 - 2012-07-29 19:51 - 12621696 ____A (Microsoft Corporation) C:\Users\Anne\Downloads\mseinstall.exe
    2012-07-29 19:14 - 2011-11-24 21:09 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-495499240-2845497790-2203762804-1000Core.job
    2012-07-29 19:07 - 2012-07-29 18:53 - 50957919 ____A C:\Users\Anne\Downloads\Rosetta Stone v3 Portuguese (Brazil) & speech.part6.rar
    2012-07-29 19:05 - 2009-07-13 21:13 - 00782592 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-29 18:24 - 2012-07-29 18:09 - 263192577 ____A C:\Users\Anne\Downloads\Rosetta Stone v3 Portuguese (Brazil) & speech.part5.rar
    2012-07-29 17:48 - 2012-07-29 17:35 - 263192577 ____A C:\Users\Anne\Downloads\Rosetta Stone v3 Portuguese (Brazil) & speech.part3.rar
    2012-07-29 17:32 - 2012-07-29 16:20 - 263192576 ____A C:\Users\Anne\Downloads\Rosetta Stone v3 Portuguese (Brazil) & speech.part2.rar
    2012-07-29 17:21 - 2012-07-29 16:10 - 263192577 ____A C:\Users\Anne\Downloads\Rosetta Stone v3 Portuguese (Brazil) & speech.part1.rar
    2012-07-25 13:16 - 2012-07-25 12:57 - 152948744 ____A C:\Users\Anne\Downloads\iTunes-Jay-Z_and_Kanye_West-Watch_The_Throne_(Deluxe_Version)-(2011).rar
    2012-07-25 12:41 - 2012-07-25 12:41 - 00420352 ____A C:\Users\Anne\AppData\Roaming\gdasn.dll
    2012-07-20 07:06 - 2012-07-20 07:06 - 00112121 ____A C:\Users\Anne\Downloads\644 - Making Small Talk in English a.pptx
    2012-07-20 07:04 - 2012-07-20 07:04 - 03338947 ____A C:\Users\Anne\Downloads\644 - Making Small Talk in English .pptx
    2012-07-12 15:11 - 2012-07-12 15:11 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-495499240-2845497790-2203762804-1003Core1cd6083b0707453.job
    2012-07-12 02:57 - 2009-07-13 20:45 - 05023264 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-11 20:38 - 2011-11-26 05:11 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-07-11 09:34 - 2011-12-23 12:59 - 00002392 ____A C:\Users\Anne\Desktop\Google Chrome.lnk
    2012-07-11 06:11 - 2012-07-11 06:10 - 00118044 ____A C:\Users\Anne\Downloads\547 - Discussing Work in English.pptx
    2012-07-10 15:54 - 2012-07-10 15:54 - 00000215 ____A C:\Users\Anne\AppData\Roaming\My Profile.xml
    2012-07-10 05:09 - 2012-07-10 05:08 - 03701449 ____A C:\Users\Anne\Desktop\Integrated Reasoning2.pptx
    2012-07-10 05:04 - 2012-07-10 05:02 - 03701449 ____A C:\Users\Anne\Desktop\Integrated Reasoning.pptx
    2012-07-08 14:27 - 2012-07-08 13:56 - 00000106 ____A C:\Windows\EWF645.ini
    2012-07-08 14:05 - 2012-07-08 14:05 - 00000934 ____A C:\Users\Public\Desktop\EPSON Scan.lnk
    2012-07-02 17:23 - 2012-07-02 17:23 - 07301084 ____A C:\Users\Anne\Downloads\570 - English for Road Trips Around the U.S..pptx
    2012-06-28 15:30 - 2012-06-28 15:30 - 01796041 ____A C:\Users\Anne\Downloads\551 - Useful Objects.pptx
    2012-06-24 09:29 - 2012-06-24 09:29 - 03465508 ____A C:\Users\Anne\Downloads\Time_Magazine_6-25-12.rar
    2012-06-22 14:46 - 2012-04-04 03:10 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-06-22 14:46 - 2011-12-20 15:21 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-06-19 06:54 - 2012-06-19 06:28 - 316975859 ____A C:\Users\Anne\Downloads\Scientific_American_Magazine_2011___[12_eBooks_(pdf)].rar
    2012-06-14 19:41 - 2012-06-14 19:41 - 00064833 ____A C:\Users\Anne\Desktop\monitor.txt
    2012-06-11 19:08 - 2012-07-11 20:42 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-09 14:04 - 2011-12-13 11:59 - 00000132 ____A C:\Users\Anne\AppData\Roaming\Adobe PNG Format CS5 Prefs
    2012-06-08 21:43 - 2012-07-11 04:00 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-08 20:41 - 2012-07-11 04:00 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    2012-06-07 20:51 - 2012-06-07 20:48 - 21332022 ____A C:\Users\Anne\Downloads\0470500778Tests.rar
    2012-06-07 10:08 - 2012-06-07 09:39 - 170083563 ____A C:\Users\Anne\Downloads\The_Economist_Jan_7th_-_13th_2012.rar
    2012-06-07 09:25 - 2012-06-07 09:19 - 91583475 ____A C:\Users\Anne\Downloads\The_Economist_UK_21st_April 2012.rar
    2012-06-05 22:06 - 2012-07-11 04:00 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-05 22:06 - 2012-07-11 04:00 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-05 22:02 - 2012-07-11 04:00 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-06-05 21:05 - 2012-07-11 04:00 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2012-06-05 21:05 - 2012-07-11 04:00 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2012-06-05 21:03 - 2012-07-11 04:00 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
    2012-06-05 06:29 - 2012-06-05 06:29 - 01308672 ____A C:\Users\Anne\Downloads\Awesome Error Log_V2-1.xls
    2012-06-05 06:23 - 2012-06-05 06:23 - 00362496 ____A C:\Users\Anne\Downloads\og12-gmat-error-log.xls
    2012-06-05 06:23 - 2012-06-05 06:23 - 00043008 ____A C:\Users\Anne\Downloads\gmat-error-log.xls
    2012-06-05 06:23 - 2012-06-05 06:23 - 00041984 ____A C:\Users\Anne\Downloads\gmat-progress-chart.xls
    2012-06-03 12:06 - 2012-06-03 12:06 - 00015012 ____A C:\Users\Anne\Downloads\mental-math.html
    2012-06-02 14:19 - 2012-06-21 03:12 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-21 03:12 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-21 03:12 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-21 03:12 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-21 03:12 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:15 - 2012-06-21 03:12 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-21 03:12 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 11:19 - 2012-06-21 03:11 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 11:15 - 2012-06-21 03:11 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 04:49 - 2012-07-11 20:37 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-02 04:17 - 2012-07-11 20:37 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-02 04:12 - 2012-07-11 20:37 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-02 04:05 - 2012-07-11 20:37 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-02 04:05 - 2012-07-11 20:37 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-02 04:04 - 2012-07-11 20:37 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-02 04:04 - 2012-07-11 20:37 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-02 04:03 - 2012-07-11 20:37 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-02 04:01 - 2012-07-11 20:37 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-02 04:00 - 2012-07-11 20:37 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-02 03:59 - 2012-07-11 20:37 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-02 03:57 - 2012-07-11 20:37 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-02 03:57 - 2012-07-11 20:37 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-02 03:54 - 2012-07-11 20:37 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-02 01:07 - 2012-07-11 20:37 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-06-02 00:43 - 2012-07-11 20:37 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-06-02 00:33 - 2012-07-11 20:37 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-06-02 00:26 - 2012-07-11 20:37 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-06-02 00:25 - 2012-07-11 20:37 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-06-02 00:25 - 2012-07-11 20:37 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-06-02 00:23 - 2012-07-11 20:37 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-06-02 00:21 - 2012-07-11 20:37 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-06-02 00:20 - 2012-07-11 20:37 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-06-02 00:19 - 2012-07-11 20:37 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-06-02 00:19 - 2012-07-11 20:37 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-06-02 00:17 - 2012-07-11 20:37 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-06-02 00:16 - 2012-07-11 20:37 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-06-02 00:14 - 2012-07-11 20:37 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-06-01 21:50 - 2012-07-11 04:00 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-06-01 21:48 - 2012-07-11 04:00 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-06-01 21:48 - 2012-07-11 04:00 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-01 21:45 - 2012-07-11 04:00 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 21:44 - 2012-07-11 04:00 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-06-01 20:40 - 2012-07-11 04:00 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
    2012-06-01 20:40 - 2012-07-11 04:00 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
    2012-06-01 20:39 - 2012-07-11 04:00 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    2012-06-01 20:34 - 2012-07-11 04:00 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
    2012-06-01 14:09 - 2012-06-01 14:09 - 00067839 ____A C:\Users\Anne\Desktop\test.wma
    2012-05-18 17:33 - 2012-05-18 17:33 - 01512195 ____A C:\Users\Anne\Downloads\Magnificent.zip
    2012-05-17 05:38 - 2012-05-17 05:38 - 372862715 ____A C:\Windows\MEMORY.DMP
    2012-05-17 05:38 - 2012-05-17 05:38 - 00262144 ____A C:\Windows\Minidump\051712-33228-01.dmp
    2012-05-15 21:49 - 2012-05-15 21:49 - 00522399 ____A C:\Users\Anne\Downloads\Ai 261.zip
    2012-05-15 21:48 - 2012-05-15 21:47 - 03886302 ____A C:\Users\Anne\Downloads\Trees Brushes.zip
    2012-05-15 21:48 - 2012-05-15 21:47 - 03635023 ____A C:\Users\Anne\Downloads\Trees Png.zip
    2012-05-15 21:47 - 2012-05-15 21:46 - 07167924 ____A C:\Users\Anne\Downloads\21.zip
    2012-05-15 17:25 - 2012-05-15 17:25 - 00256423 ____A C:\Users\Anne\Downloads\Fresh Sliding Thumbnails Gallery with jQuery and PHP _ Codrops.htm
    2012-05-15 08:10 - 2012-05-15 08:09 - 07518054 ____A C:\Users\Anne\Downloads\SimplePressPSD.zip
    2012-05-15 08:09 - 2012-05-15 08:09 - 01364630 ____A C:\Users\Anne\Downloads\SimplePress.zip
    2012-05-14 17:30 - 2012-05-14 17:30 - 01309354 ____A C:\Users\Anne\Downloads\summernight.zip
    2012-05-14 17:17 - 2012-05-14 17:17 - 00974889 ____A C:\Users\Anne\Downloads\cloriato-lite.1.4.zip
    2012-05-14 16:58 - 2012-05-14 16:58 - 00110692 ____A C:\Users\Anne\Downloads\ambrosia.1.1.1.zip
    2012-05-14 16:56 - 2012-05-14 16:56 - 00059900 ____A C:\Users\Anne\Downloads\softgreen.1.2.zip
    2012-05-10 07:08 - 2012-05-10 07:08 - 02530939 ____A C:\Users\Anne\Downloads\GMAT Math Bible.rar
    2012-05-06 05:07 - 2012-05-06 05:07 - 00739832 ____A (Google Inc.) C:\Users\Anne\Downloads\GoogleVoiceAndVideoSetup.exe
    2012-05-05 10:46 - 2012-04-04 03:47 - 08744608 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
    2012-05-04 03:06 - 2012-06-13 11:14 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2012-05-04 02:03 - 2012-06-13 11:14 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2012-05-04 02:03 - 2012-06-13 11:14 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe

    ZeroAccess:
    C:\Windows\Installer\{00b598d9-c12d-228a-e17a-a95173c1bd79}
    C:\Windows\Installer\{00b598d9-c12d-228a-e17a-a95173c1bd79}\@
    C:\Windows\Installer\{00b598d9-c12d-228a-e17a-a95173c1bd79}\L
    C:\Windows\Installer\{00b598d9-c12d-228a-e17a-a95173c1bd79}\n
    C:\Windows\Installer\{00b598d9-c12d-228a-e17a-a95173c1bd79}\U
    C:\Windows\Installer\{00b598d9-c12d-228a-e17a-a95173c1bd79}\U\00000001.@

    ZeroAccess:
    C:\Users\Anne\AppData\Local\{00b598d9-c12d-228a-e17a-a95173c1bd79}
    C:\Users\Anne\AppData\Local\{00b598d9-c12d-228a-e17a-a95173c1bd79}\@
    C:\Users\Anne\AppData\Local\{00b598d9-c12d-228a-e17a-a95173c1bd79}\L
    C:\Users\Anne\AppData\Local\{00b598d9-c12d-228a-e17a-a95173c1bd79}\U
    C:\Users\Anne\AppData\Local\{00b598d9-c12d-228a-e17a-a95173c1bd79}\U\00000001.@

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 15%
    Total physical RAM: 3976.9 MB
    Available physical RAM: 3340.92 MB
    Total Pagefile: 3975.1 MB
    Available Pagefile: 3335.76 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ======================= Partitions =========================

    1 Drive c: (Anne) (Fixed) (Total:232.11 GB) (Free:21.79 GB) NTFS
    3 Drive f: () (Removable) (Total:0.25 GB) (Free:0.24 GB) FAT
    4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    5 Drive y: (RECOVERY) (Fixed) (Total:0.73 GB) (Free:0.51 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 232 GB 2048 KB
    Disk 1 Online 253 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 39 MB 31 KB
    Partition 2 Primary 752 MB 40 MB
    Partition 3 Primary 232 GB 792 MB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 FAT Partition 39 MB Healthy Hidden

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y RECOVERY NTFS Partition 752 MB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C Anne NTFS Partition 232 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 253 MB 16 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 06
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F FAT Removable 253 MB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-19 09:13

    ======================= End Of Log ==========================

    Farbar Recovery Scan Tool Version: 25-07-2012 01
    Ran by SYSTEM at 2012-07-30 01:27:18
    Running from F:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    ====== End Of Search ======
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
• If you have already asked for help somewhere, please post the link to the topic where you were helped.
• We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    FRST64 Fixlist

    Please run the following:

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
  3. abks26

    abks26 Newcomer, in training Topic Starter Posts: 41

    Good morning!

    Thank you for the fix. Ran it and did a normal reboot. Computer worked fine as if the last 12hrs didn't happen.

Quick question. I was using my external hard drive around the time the virus went bonkers on me. Is it compromised too? I'm not sure how this virus replicates.

    These are the results:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
    Ran by SYSTEM at 2012-07-30 07:06:39 Run:1
    Running from F:\

    ==============================================

    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    C:\Windows\Installer\{00b598d9-c12d-228a-e17a-a95173c1bd79} moved successfully.
    C:\Users\Anne\AppData\Local\{00b598d9-c12d-228a-e17a-a95173c1bd79} moved successfully.

    ==== End of Fixlog ====
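To make the two logs above checkable rather than eyeballed, here is an added Python script (not from the thread, FRST or ComboFix) that parses constructed excerpts in the same format: it pulls the ZeroAccess paths and the Bamital & volsnap MD5 results out of the scan, pulls the "moved successfully" lines out of the Fixlog, and reports any ZeroAccess root the fix did not confirm removed or any core binary whose hash was not reported legit. The sample logs are constructed from the entries above plus one made-up failing MD5 line, and the wording FRST uses for a failing hash is an assumption.

```python
import re
from typing import Dict, List

# Constructed excerpts in the format of the FRST scan and Fixlog posted above.
# The userinit.exe line is made up to exercise the failure path; the exact
# wording FRST uses for a bad hash is an assumption.
FRST_SCAN = r"""
ZeroAccess:
C:\Windows\Installer\{00b598d9-c12d-228a-e17a-a95173c1bd79}
C:\Windows\Installer\{00b598d9-c12d-228a-e17a-a95173c1bd79}\@
C:\Windows\Installer\{00b598d9-c12d-228a-e17a-a95173c1bd79}\U\00000001.@

ZeroAccess:
C:\Users\Anne\AppData\Local\{00b598d9-c12d-228a-e17a-a95173c1bd79}
C:\Users\Anne\AppData\Local\{00b598d9-c12d-228a-e17a-a95173c1bd79}\@

========================= Bamital & volsnap Check ============

C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is not legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
"""

FIXLOG = r"""
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
C:\Windows\Installer\{00b598d9-c12d-228a-e17a-a95173c1bd79} moved successfully.
C:\Users\Anne\AppData\Local\{00b598d9-c12d-228a-e17a-a95173c1bd79} moved successfully.
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
GUID_DIR_RE = re.compile(r"^(.*?\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})", re.I)
MD5_RE = re.compile(r"^(\S.*?)\s*=>\s*(.+?)$")
MOVED_RE = re.compile(r"^(.+?) moved successfully\.$")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-blank lines under the '=== name ===' header that precedes them."""
    sections: Dict[str, List[str]] = {"(preamble)": []}
    current = "(preamble)"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1) or current  # a bare '=====' rule keeps the section
            sections.setdefault(current, [])
        elif line:
            sections[current].append(line)
    return sections


def parse_zeroaccess_paths(scan_text: str) -> List[str]:
    """Every path listed under a 'ZeroAccess:' block of the FRST scan."""
    paths, in_block = [], False
    for raw in scan_text.splitlines():
        line = raw.strip()
        if line == "ZeroAccess:":
            in_block = True
        elif not line or SECTION_RE.match(line):
            in_block = False
        elif in_block:
            paths.append(line)
    return paths


def zeroaccess_roots(paths: List[str]) -> List[str]:
    """Collapse the listed paths to their top-level {GUID} directories (what the fix removes)."""
    roots: List[str] = []
    for p in paths:
        m = GUID_DIR_RE.match(p)
        if m and m.group(1) not in roots:
            roots.append(m.group(1))
    return roots


def parse_md5_checks(scan_text: str) -> Dict[str, str]:
    """File -> reported status, taken from the 'Bamital & volsnap Check' section only."""
    results: Dict[str, str] = {}
    for name, lines in split_sections(scan_text).items():
        if not name.startswith("Bamital"):
            continue
        for line in lines:
            m = MD5_RE.match(line)
            if m:
                results[m.group(1)] = m.group(2)
    return results


def parse_fixlog_moved(fixlog_text: str) -> List[str]:
    """Paths the FRST Fix reported as 'moved successfully'."""
    matches = (MOVED_RE.match(ln.strip()) for ln in fixlog_text.splitlines())
    return [m.group(1) for m in matches if m]


def verify_cleanup(scan_text: str, fixlog_text: str) -> Dict[str, object]:
    """Were all ZeroAccess roots from the scan moved, and are the core binaries intact?"""
    roots = zeroaccess_roots(parse_zeroaccess_paths(scan_text))
    moved = {p.lower() for p in parse_fixlog_moved(fixlog_text)}
    return {
        "zeroaccess_roots": roots,
        "unconfirmed": [r for r in roots if r.lower() not in moved],
        "bad_md5": {f: s for f, s in parse_md5_checks(scan_text).items() if s != "MD5 is legit"},
    }
```

Run `verify_cleanup(FRST_SCAN, FIXLOG)` against real logs by reading the two files into the two strings; an empty `unconfirmed` list and an empty `bad_md5` dict is the result you want to see before declaring the fix done.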
  4. abks26

    abks26 Newcomer, in training Topic Starter Posts: 41

    I also still have issues with my Google search. I get ad links in my search results and it's a pain. Is it still the virus?

    If it helps, I use Mozilla Firefox.
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Probably still issues with the virus, yes.

    ComboFix

Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
• WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
• Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
• If there is no Internet connection after running ComboFix, then restart your computer to restore your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
• It will attempt to install the Recovery Console.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

    Re-downloading:

If this doesn't work either, try the same method as above, but download it again and this time rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
  6. abks26

    abks26 Newcomer, in training Topic Starter Posts: 41

    Ok, now I think that the virus got into my network because I lost internet connectivity! I don't know what to do now.
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Try to get the downloads from a separate computer, and load it to the infected computer via flash drive.
  8. abks26

    abks26 Newcomer, in training Topic Starter Posts: 41

Just a quick update now that I've calmed down. I was on the infected computer since I needed to use it for my job (I was borrowing my brother's since it was fine), but then my internet just stopped. I was worried because my brother's internet also stopped on his computer. I restarted everything and I think things are ok now. It could have been my network, but the virus has me uber paranoid now....

Really sorry for my post. I feel sheepish. I'm going to fix it right now.
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay. Run ComboFix when you can. I'll be back tomorrow morning, ET.
  10. abks26

    abks26 Newcomer, in training Topic Starter Posts: 41

    Ran it... I still get those referred links in Google Search.

I also got this Run DLL error message:

    ComboFix 12-07-30.01 - Anne 07/30/2012 17:13:21.1.4 - x64
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3977.2648 [GMT -4:00]
    Running from: c:\users\Anne\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Install.exe
    c:\users\Anne\AppData\Roaming\4489240.exe
    c:\users\Anne\AppData\Roaming\4527913.exe
    c:\users\Anne\AppData\Roaming\gdasn.dll
    c:\windows\SysWow64\instsrv.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-30 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-30 09:23 . 2012-07-30 09:23 -------- d-----w- C:\FRST
    2012-07-30 04:50 . 2012-07-30 04:50 328704 ----a-w- c:\windows\system32\services.exe.03E86C6D05C1E43F
    2012-07-30 04:42 . 2012-07-30 04:42 328704 ----a-w- c:\windows\system32\services.exe.58886290833A4289
    2012-07-30 04:35 . 2012-07-30 04:35 328704 ----a-w- c:\windows\system32\services.exe.2C31D00BBF6CF89F
    2012-07-30 04:31 . 2012-07-30 04:31 328704 ----a-w- c:\windows\system32\services.exe.211AFBF5E4391C5E
    2012-07-30 04:25 . 2012-07-30 04:25 328704 ----a-w- c:\windows\system32\services.exe.47B664D89E53D58B
    2012-07-30 04:11 . 2012-07-30 04:11 328704 ----a-w- c:\windows\system32\services.exe.887F2746A8C90C90
    2012-07-30 04:04 . 2012-02-09 18:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{99794924-8C8A-4462-8DA0-96A56F94A368}\gapaengine.dll
    2012-07-30 04:04 . 2012-07-16 06:40 9133488 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A7485AA7-A507-4C0F-AB8A-8976BCBA00C7}\mpengine.dll
    2012-07-30 03:59 . 2012-07-30 03:59 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2012-07-30 03:59 . 2012-07-30 03:59 -------- d-----w- c:\program files\Microsoft Security Client
    2012-07-30 02:38 . 2012-07-30 02:38 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-07-25 20:41 . 2012-07-25 20:41 -------- d-----w- c:\users\Anne\AppData\Local\{215B93C0-D699-11E1-8270-B8AC6F996F26}
    2012-07-25 20:41 . 2012-07-25 20:41 -------- d-----w- c:\users\Anne\AppData\Local\{215B6270-D699-11E1-8270-B8AC6F996F26}
    2012-07-12 04:42 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
    2012-07-11 12:00 . 2012-06-06 06:06 2004480 ----a-w- c:\windows\system32\msxml6.dll
    2012-07-08 22:22 . 2012-07-08 22:22 -------- d-----w- c:\users\Anne\AppData\Roaming\Leadertech
    2012-07-08 22:20 . 2012-07-08 22:20 -------- d-----w- c:\users\Anne\AppData\Local\ABBYY
    2012-07-08 22:20 . 2012-07-08 22:22 -------- d-----w- c:\program files (x86)\ABBYY FineReader 9.0 Sprint
    2012-07-08 22:20 . 2012-07-08 22:20 -------- d-----w- c:\programdata\ABBYY
    2012-07-08 22:20 . 2012-07-08 22:20 -------- d-----w- c:\program files (x86)\Common Files\ABBYY
    2012-07-08 22:11 . 2012-07-08 22:11 -------- d-----w- c:\program files\Common Files\EPSON
    2012-07-08 22:09 . 2012-07-08 22:09 -------- d-----w- c:\program files\EPSON
    2012-07-08 22:09 . 2012-07-08 22:09 -------- d-----w- c:\program files\EpsonNet
    2012-07-08 22:09 . 2010-09-13 19:01 538112 ----a-w- c:\windows\system32\ensppui.dll
    2012-07-08 22:09 . 2010-09-13 19:01 538112 ----a-w- c:\windows\system32\enppui.dll
    2012-07-08 22:09 . 2010-09-13 19:00 558592 ----a-w- c:\windows\system32\ensppmon.dll
    2012-07-08 22:09 . 2010-09-13 19:00 558592 ----a-w- c:\windows\system32\enppmon.dll
    2012-07-08 22:09 . 2008-06-18 15:49 250880 ----a-w- c:\windows\system32\enspres.dll
    2012-07-08 22:09 . 2008-06-18 15:49 250880 ----a-w- c:\windows\system32\enpres.dll
    2012-07-08 22:09 . 2012-07-08 22:09 -------- d-----w- c:\users\Anne\AppData\Roaming\InstallShield
    2012-07-08 22:08 . 2012-07-08 22:08 -------- d-----w- c:\program files (x86)\Common Files\EPSON
    2012-07-08 22:08 . 2012-07-12 10:59 -------- d-----w- c:\users\Anne\AppData\Roaming\Epson
    2012-07-08 22:07 . 2012-07-08 22:07 -------- d-----w- c:\program files (x86)\Epson America Inc
    2012-07-08 22:07 . 2001-09-05 07:18 225280 ----a-w- c:\program files (x86)\Common Files\InstallShield\IScript\iscript.dll
    2012-07-08 22:07 . 2001-09-05 07:18 77824 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
    2012-07-08 22:07 . 2001-09-05 07:14 176128 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
    2012-07-08 22:07 . 2001-09-05 07:13 32768 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
    2012-07-08 22:07 . 2004-03-16 17:05 614532 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
    2012-07-08 22:06 . 2012-07-08 22:26 -------- d-----w- c:\program files (x86)\Epson Software
    2012-07-08 22:05 . 2010-09-28 14:01 118784 ----a-w- c:\windows\system32\E_YLMHVA.DLL
    2012-07-08 22:05 . 2010-08-09 14:02 83456 ----a-w- c:\windows\system32\E_YD4BHVA.DLL
    2012-07-08 22:05 . 2012-07-08 22:13 -------- d-----w- c:\programdata\EPSON
    2012-07-08 22:05 . 2012-07-08 22:06 -------- d-----w- c:\program files (x86)\epson
    2012-07-08 22:05 . 2009-12-09 04:00 464384 ----a-w- c:\windows\system32\esxw2ud.dll
    2012-07-08 22:05 . 2009-10-16 04:00 13824 ----a-w- c:\windows\system32\esxcdev.dll
    2012-07-08 22:05 . 2009-10-16 04:00 132560 ----a-w- c:\windows\system32\esdevapp.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-12 04:38 . 2011-11-26 13:11 59701280 ----a-w- c:\windows\system32\MRT.exe
    2012-06-22 22:46 . 2012-04-04 11:10 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-06-22 22:46 . 2011-12-20 23:21 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-02 22:19 . 2012-06-21 11:12 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 11:12 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:19 . 2012-06-21 11:12 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 11:12 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 11:12 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:15 . 2012-06-21 11:12 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:15 . 2012-06-21 11:12 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 19:19 . 2012-06-21 11:11 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 19:15 . 2012-06-21 11:11 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-05-05 18:46 . 2012-04-04 11:47 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
    2012-05-04 11:06 . 2012-06-13 19:14 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-04 10:03 . 2012-06-13 19:14 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-05-04 10:03 . 2012-06-13 19:14 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "googletalk"="c:\users\Anne\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "DAEMON Tools Pro Agent"="c:\program files (x86)\DAEMON Tools Pro\DTAgent.exe" [2012-04-26 3111744]
    "EPLTarget\P0000000000000000"="c:\windows\system32\spool\DRIVERS\x64\3\E_YATIHVA.EXE" [2011-04-24 239488]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "IMSS"="c:\program files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [2010-12-03 112152]
    "Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2010-03-12 462993]
    "RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
    "PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2010-04-29 50472]
    "RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
    "Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
    "SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-06 421736]
    "EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2010-10-12 979328]
    "FUFAXRCV"="c:\program files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe" [2011-03-09 495616]
    "FUFAXSTM"="c:\program files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [2011-03-09 856064]
    .
    c:\users\Anne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell System Manager.lnk - c:\program files\Dell\Dell System Manager\DCPSysMgr.exe [2011-1-20 1552240]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    "DisableCAD"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-20 113120]
    R3 netvsc;netvsc;c:\windows\system32\DRIVERS\netvsc60.sys [2010-11-21 168448]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
    R3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\O2MDRw7x64.sys [2011-01-03 74984]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
    R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 SynthVid;SynthVid;c:\windows\system32\DRIVERS\VMBusVideoM.sys [2010-11-21 22528]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-11-25 1255736]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]
    S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
    S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [2010-08-20 21616]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [2009-05-14 759048]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
    S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2010-10-28 1035680]
    S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2010-10-28 36768]
    S2 dcpsysmgrsvc;Dell System Manager Service;c:\program files\Dell\Dell System Manager\DCPSysMgrSvc.exe [2011-01-20 517488]
    S2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [2011-06-09 555392]
    S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-09-22 165032]
    S2 jhi_service;Intel(R) Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [2010-11-29 210896]
    S2 O2SDIOAssist;O2SDIOAssist;c:\windows\SysWOW64\srvany.exe [2003-04-19 8192]
    S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-12-03 2656280]
    S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-12-13 27760]
    S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-09-16 172960]
    S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2010-08-24 38440]
    S3 e1cexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c62x64.sys [2010-10-28 315568]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 317440]
    S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-20 56344]
    S3 O2MDFRDR;O2MDFRDR;c:\windows\system32\DRIVERS\O2MDFw7x64.sys [2011-01-03 72808]
    S3 O2SDJRDR;O2SDJRDR;c:\windows\system32\DRIVERS\o2sdjw7x64.sys [2011-03-23 83560]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-495499240-2845497790-2203762804-1003Core1cd6083b0707453.job
    - c:\users\Anne\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-23 20:52]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
    @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
    [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
    2011-03-04 21:12 139128 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
    @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
    [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
    2011-03-04 21:12 139128 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-01-05 592240]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-01-25 525312]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-30 167960]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-30 391704]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-30 418328]
    "FreeFallProtection"="c:\program files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2010-12-17 686704]
    "Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2011-01-15 6492672]
    "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
    "combofix"="c:\combofix\CF4927.3XE" [2010-11-21 345088]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Anne\AppData\Roaming\Mozilla\Firefox\Profiles\exlzpcgg.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Wow6432Node-HKCU-Run-AdobeBridge - (no file)
    Wow6432Node-HKCU-Run-gdasn - c:\users\Anne\AppData\Roaming\gdasn.dll
    Toolbar-Locked - (no file)
    HKLM-Run-gdasn - c:\users\Anne\AppData\Roaming\gdasn.dll
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-495499240-2845497790-2203762804-1003\Software\SecuROM\License information*]
    "datasecu"=hex:a3,64,e8,b2,f1,93,8b,8c,25,b9,3b,9c,cd,8b,a5,5e,b3,ef,71,ec,f4,
    5d,7b,48,11,53,bb,01,1f,93,60,5c,08,af,d8,30,f4,29,e7,cd,41,6b,bc,d4,e5,4f,\
    "rkeysecu"=hex:88,0b,dd,04,aa,98,a3,b1,e9,47,88,63,e9,42,e4,a7
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\windows\system32\DRIVERS\o2flash.exe
    c:\windows\sysWOW64\SDIOAssist.exe
    c:\program files (x86)\DAEMON Tools Pro\DTShellHlp.exe
    c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-30 17:31:52 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-30 21:31
    .
    Pre-Run: 25,316,352,000 bytes free
    Post-Run: 32,141,901,824 bytes free
    .
    - - End Of File - - D3F3D6A29AFCC90C18CA936F15E962C2
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay...thanks for info.

    • Download RogueKiller and save it on your desktop.
    • Quit all programs
    • Start RogueKiller.exe.
    • Wait until Prescan has finished ...
    • Click on Scan

    • Wait for the end of the scan.
    • The report has been created on the desktop.
    • Click on the Delete button.

    • The report has been created on the desktop.
    • Next click on the ShortcutsFix

    • The report has been created on the desktop.
    Please post:

    All RKreport.txt text files located on your desktop.
  12. abks26

    abks26 Newcomer, in training Topic Starter Posts: 41

    Okay, I did the RogueKiller. These are the reports:

    Report I
    RogueKiller V7.6.4 [07/17/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User: Anne [Admin rights]
    Mode: Scan -- Date: 07/31/2012 08:18:42

    ¤¤¤ Bad processes: 0 ¤¤¤

    ¤¤¤ Registry Entries: 6 ¤¤¤
    [BLACKLIST DLL] HKLM\[...]\Run : gdasn ("C:\Windows\System32\rundll32.exe" "C:\Users\Anne\AppData\Roaming\gdasn.dll",set_read_fn) -> FOUND
    [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
    [HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver: [NOT LOADED] ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD2500BEVT-75A23T0 +++++
    --- User ---
    [MBR] 999525086f6bcb5ad1197328a00ba359
    [BSP] cbd08ccc9ad0ee10e2aa56fec5f845e3 : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 752 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1622016 | Size: 237680 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt
    Report II
    RogueKiller V7.6.4 [07/17/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User: Anne [Admin rights]
    Mode: Remove -- Date: 07/31/2012 08:19:05

    ¤¤¤ Bad processes: 0 ¤¤¤

    ¤¤¤ Registry Entries: 6 ¤¤¤
    [BLACKLIST DLL] HKLM\[...]\Run : gdasn ("C:\Windows\System32\rundll32.exe" "C:\Users\Anne\AppData\Roaming\gdasn.dll",set_read_fn) -> DELETED
    [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
    [HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
    [HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver: [NOT LOADED] ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD2500BEVT-75A23T0 +++++
    --- User ---
    [MBR] 999525086f6bcb5ad1197328a00ba359
    [BSP] cbd08ccc9ad0ee10e2aa56fec5f845e3 : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 752 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1622016 | Size: 237680 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[2].txt >>
    RKreport[1].txt ; RKreport[2].txt
    Report III
    RogueKiller V7.6.4 [07/17/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User: Anne [Admin rights]
    Mode: Shortcuts HJfix -- Date: 07/31/2012 08:22:15

    ¤¤¤ Bad processes: 0 ¤¤¤

    ¤¤¤ Driver: [NOT LOADED] ¤¤¤

    ¤¤¤ File attributes restored: ¤¤¤
    Desktop: Success 4 / Fail 0
    Quick launch: Success 1 / Fail 0
    Programs: Success 15 / Fail 0
    Start menu: Success 1 / Fail 0
    User folder: Success 198 / Fail 0
    My documents: Success 329 / Fail 0
    My favorites: Success 0 / Fail 0
    My pictures: Success 0 / Fail 0
    My music: Success 81 / Fail 0
    My videos: Success 0 / Fail 0
    Local drives: Success 91 / Fail 0
    Backup: [NOT FOUND]

    Drives:
    [C:] \Device\HarddiskVolume3 -- 0x3 --> Restored
    [D:] \Device\CdRom0 -- 0x5 --> Skipped
    [E:] \Device\CdRom1 -- 0x5 --> Skipped
    [G:] \Device\HarddiskVolume4 -- 0x2 --> Restored
    [Z:] \Device\LanmanRedirector\;Z:0000000000018dcf\EPSONE24D7C\MEMORYCARD -- 0x4 --> Skipped

    ¤¤¤ Infection : ¤¤¤

    Finished : << RKreport[3].txt >>
    RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and Scan unwanted applications are checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
  14. abks26

    abks26 Newcomer, in training Topic Starter Posts: 41

    Ok, here you go.

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=f4e9f46c4885fd4cacf0bac5ae605b99
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=false
    # utc_time=2012-08-01 10:23:20
    # local_time=2012-08-01 06:23:20 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=6.1.7601 NT Service Pack 1
    # compatibility_mode=5893 16776574 100 94 0 95397388 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=247689
    # found=10
    # cleaned=10
    # scan_time=5861
    C:\FRST\Quarantine\{00b598d9-c12d-228a-e17a-a95173c1bd79}\n Win64/Sirefef.W trojan (cleaned by deleting - quarantined) A7BF6F31D148E6236C89CDCCEB9A1E85 C
    C:\Qoobox\Quarantine\C\Users\Anne\AppData\Roaming\gdasn.dll.vir a variant of Win32/Medfos.BH trojan (cleaned by deleting - quarantined) A01ABAD040EC039F198848EEF1403EBB C
    C:\Users\Anne\AppData\Local\{215B6270-D699-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (cleaned by deleting - quarantined) BEC1708519EDBC7F382DBBA8A9E2EE9C C
    C:\Users\Anne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\a850b9d-658269ca a variant of Win32/Injector.UEZ trojan (cleaned by deleting - quarantined) FFBE7CC05310A2E1895B51EE1F1F9A9B C
    C:\Users\Anne\Downloads\Fluenz French 1-2\Youtube Get _5.0.5\yg.exe MSIL/Agent.NAX trojan (cleaned by deleting - quarantined) 7ADD85F5910555D5C0E105E1CC948130 C
    C:\Users\Anne\Downloads\Programs\cnet2_BullzipPDFPrinter_4_0_0_463_zip.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) D5A7EF7068B30EA8A18A4FC228317290 C
    C:\Users\Anne\Downloads\Programs\SoftonicDownloader_for_jdownloader.exe Win32/SoftonicDownloader application (cleaned by deleting - quarantined) E92E1D227062DEBD01FF2FD2D864A9F7 C
    C:\Users\Anne\Downloads\Youtube Get _5.0.5\yg.exe MSIL/Agent.NAX trojan (cleaned by deleting - quarantined) 7ADD85F5910555D5C0E105E1CC948130 C
    C:\Users\Anne\Downloads\JDownloader.exe multiple threats (cleaned by deleting - quarantined) 118473965E925DABD51AB16B863645F4 C
    C:\Windows\KMSEmulator.exe a variant of Win32/HackKMS.A application (cleaned by deleting - quarantined) 485055033BCDDFDE56325C0D2FEEA4F2 C
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix Script

    • Close any open browsers.
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Open Notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
  16. abks26

    abks26 Newcomer, in training Topic Starter Posts: 41

    ComboFix 12-07-31.03 - Anne 08/02/2012 8:46.2.4 - x64
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3977.2592 [GMT -4:00]
    Running from: c:\users\Anne\Desktop\ComboFix.exe
    Command switches used :: c:\users\Anne\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-02 to 2012-08-02 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-02 12:57 . 2012-08-02 12:57 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A7485AA7-A507-4C0F-AB8A-8976BCBA00C7}\offreg.dll
    2012-08-02 12:56 . 2012-08-02 12:56 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-08-02 12:56 . 2012-08-02 12:56 -------- d-----w- c:\users\Charles Banty\AppData\Local\temp
    2012-08-01 20:39 . 2012-08-01 20:39 -------- d-----w- c:\program files (x86)\ESET
    2012-07-30 09:23 . 2012-07-30 09:23 -------- d-----w- C:\FRST
    2012-07-30 04:50 . 2012-07-30 04:50 328704 ----a-w- c:\windows\system32\services.exe.03E86C6D05C1E43F
    2012-07-30 04:42 . 2012-07-30 04:42 328704 ----a-w- c:\windows\system32\services.exe.58886290833A4289
    2012-07-30 04:35 . 2012-07-30 04:35 328704 ----a-w- c:\windows\system32\services.exe.2C31D00BBF6CF89F
    2012-07-30 04:31 . 2012-07-30 04:31 328704 ----a-w- c:\windows\system32\services.exe.211AFBF5E4391C5E
    2012-07-30 04:25 . 2012-07-30 04:25 328704 ----a-w- c:\windows\system32\services.exe.47B664D89E53D58B
    2012-07-30 04:11 . 2012-07-30 04:11 328704 ----a-w- c:\windows\system32\services.exe.887F2746A8C90C90
    2012-07-30 04:04 . 2012-02-09 18:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{99794924-8C8A-4462-8DA0-96A56F94A368}\gapaengine.dll
    2012-07-30 04:04 . 2012-07-16 06:40 9133488 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A7485AA7-A507-4C0F-AB8A-8976BCBA00C7}\mpengine.dll
    2012-07-30 03:59 . 2012-07-30 03:59 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2012-07-30 03:59 . 2012-07-30 03:59 -------- d-----w- c:\program files\Microsoft Security Client
    2012-07-30 02:38 . 2012-07-30 02:38 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-07-25 20:41 . 2012-07-25 20:41 -------- d-----w- c:\users\Anne\AppData\Local\{215B93C0-D699-11E1-8270-B8AC6F996F26}
    2012-07-25 20:41 . 2012-07-25 20:41 -------- d-----w- c:\users\Anne\AppData\Local\{215B6270-D699-11E1-8270-B8AC6F996F26}
    2012-07-12 04:42 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
    2012-07-11 12:00 . 2012-06-06 06:06 2004480 ----a-w- c:\windows\system32\msxml6.dll
    2012-07-08 22:22 . 2012-07-08 22:22 -------- d-----w- c:\users\Anne\AppData\Roaming\Leadertech
    2012-07-08 22:20 . 2012-07-08 22:20 -------- d-----w- c:\users\Anne\AppData\Local\ABBYY
    2012-07-08 22:20 . 2012-07-08 22:22 -------- d-----w- c:\program files (x86)\ABBYY FineReader 9.0 Sprint
    2012-07-08 22:20 . 2012-07-08 22:20 -------- d-----w- c:\programdata\ABBYY
    2012-07-08 22:20 . 2012-07-08 22:20 -------- d-----w- c:\program files (x86)\Common Files\ABBYY
    2012-07-08 22:11 . 2012-07-08 22:11 -------- d-----w- c:\program files\Common Files\EPSON
    2012-07-08 22:09 . 2012-07-08 22:09 -------- d-----w- c:\program files\EPSON
    2012-07-08 22:09 . 2012-07-08 22:09 -------- d-----w- c:\program files\EpsonNet
    2012-07-08 22:09 . 2010-09-13 19:01 538112 ----a-w- c:\windows\system32\ensppui.dll
    2012-07-08 22:09 . 2010-09-13 19:01 538112 ----a-w- c:\windows\system32\enppui.dll
    2012-07-08 22:09 . 2010-09-13 19:00 558592 ----a-w- c:\windows\system32\ensppmon.dll
    2012-07-08 22:09 . 2010-09-13 19:00 558592 ----a-w- c:\windows\system32\enppmon.dll
    2012-07-08 22:09 . 2008-06-18 15:49 250880 ----a-w- c:\windows\system32\enspres.dll
    2012-07-08 22:09 . 2008-06-18 15:49 250880 ----a-w- c:\windows\system32\enpres.dll
    2012-07-08 22:09 . 2012-07-08 22:09 -------- d-----w- c:\users\Anne\AppData\Roaming\InstallShield
    2012-07-08 22:08 . 2012-07-08 22:08 -------- d-----w- c:\program files (x86)\Common Files\EPSON
    2012-07-08 22:08 . 2012-07-12 10:59 -------- d-----w- c:\users\Anne\AppData\Roaming\Epson
    2012-07-08 22:07 . 2012-07-08 22:07 -------- d-----w- c:\program files (x86)\Epson America Inc
    2012-07-08 22:07 . 2001-09-05 07:18 225280 ----a-w- c:\program files (x86)\Common Files\InstallShield\IScript\iscript.dll
    2012-07-08 22:07 . 2001-09-05 07:18 77824 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
    2012-07-08 22:07 . 2001-09-05 07:14 176128 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
    2012-07-08 22:07 . 2001-09-05 07:13 32768 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
    2012-07-08 22:07 . 2004-03-16 17:05 614532 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
    2012-07-08 22:06 . 2012-07-08 22:26 -------- d-----w- c:\program files (x86)\Epson Software
    2012-07-08 22:05 . 2010-09-28 14:01 118784 ----a-w- c:\windows\system32\E_YLMHVA.DLL
    2012-07-08 22:05 . 2010-08-09 14:02 83456 ----a-w- c:\windows\system32\E_YD4BHVA.DLL
    2012-07-08 22:05 . 2012-07-08 22:13 -------- d-----w- c:\programdata\EPSON
    2012-07-08 22:05 . 2012-07-08 22:06 -------- d-----w- c:\program files (x86)\epson
    2012-07-08 22:05 . 2009-12-09 04:00 464384 ----a-w- c:\windows\system32\esxw2ud.dll
    2012-07-08 22:05 . 2009-10-16 04:00 13824 ----a-w- c:\windows\system32\esxcdev.dll
    2012-07-08 22:05 . 2009-10-16 04:00 132560 ----a-w- c:\windows\system32\esdevapp.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-12 04:38 . 2011-11-26 13:11 59701280 ----a-w- c:\windows\system32\MRT.exe
    2012-06-22 22:46 . 2012-04-04 11:10 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-06-22 22:46 . 2011-12-20 23:21 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-02 22:19 . 2012-06-21 11:12 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 11:12 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:19 . 2012-06-21 11:12 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 11:12 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 11:12 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:15 . 2012-06-21 11:12 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:15 . 2012-06-21 11:12 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 19:19 . 2012-06-21 11:11 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 19:15 . 2012-06-21 11:11 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-05-05 18:46 . 2012-04-04 11:47 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-07-30_21.24.15 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-11-21 03:09 . 2012-07-31 20:48 42522 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-08-02 12:59 40720 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2011-12-05 17:34 . 2012-08-02 12:59 9130 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-495499240-2845497790-2203762804-1003_UserData.bin
    - 2012-07-30 21:23 . 2012-07-30 21:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-08-02 12:57 . 2012-08-02 12:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-08-02 12:57 . 2012-08-02 12:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-07-30 21:23 . 2012-07-30 21:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-11-25 00:50 . 2012-08-02 03:32 368994 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
    + 2009-07-14 05:01 . 2012-08-02 12:56 510660 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2009-07-14 05:01 . 2012-07-30 21:22 510660 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2012-01-18 03:47 . 2012-07-31 13:25 6242592 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-495499240-2845497790-2203762804-1003-12288.dat
    + 2011-12-05 17:31 . 2012-08-02 12:56 40931612 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-495499240-2845497790-2203762804-1003-8192.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "googletalk"="c:\users\Anne\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "DAEMON Tools Pro Agent"="c:\program files (x86)\DAEMON Tools Pro\DTAgent.exe" [2012-04-26 3111744]
    "EPLTarget\P0000000000000000"="c:\windows\system32\spool\DRIVERS\x64\3\E_YATIHVA.EXE" [2011-04-24 239488]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "IMSS"="c:\program files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [2010-12-03 112152]
    "Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2010-03-12 462993]
    "RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
    "PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2010-04-29 50472]
    "RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
    "Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
    "SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-06 421736]
    "EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2010-10-12 979328]
    "FUFAXRCV"="c:\program files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe" [2011-03-09 495616]
    "FUFAXSTM"="c:\program files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [2011-03-09 856064]
    .
    c:\users\Anne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell System Manager.lnk - c:\program files\Dell\Dell System Manager\DCPSysMgr.exe [2011-1-20 1552240]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    "DisableCAD"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-20 113120]
    R3 netvsc;netvsc;c:\windows\system32\DRIVERS\netvsc60.sys [2010-11-21 168448]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
    R3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\O2MDRw7x64.sys [2011-01-03 74984]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
    R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 SynthVid;SynthVid;c:\windows\system32\DRIVERS\VMBusVideoM.sys [2010-11-21 22528]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-11-25 1255736]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]
    S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
    S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [2010-08-20 21616]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [2009-05-14 759048]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
    S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2010-10-28 1035680]
    S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2010-10-28 36768]
    S2 dcpsysmgrsvc;Dell System Manager Service;c:\program files\Dell\Dell System Manager\DCPSysMgrSvc.exe [2011-01-20 517488]
    S2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [2011-06-09 555392]
    S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-09-22 165032]
    S2 jhi_service;Intel(R) Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [2010-11-29 210896]
    S2 O2SDIOAssist;O2SDIOAssist;c:\windows\SysWOW64\srvany.exe [2003-04-19 8192]
    S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-12-03 2656280]
    S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-12-13 27760]
    S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-09-16 172960]
    S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2010-08-24 38440]
    S3 e1cexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c62x64.sys [2010-10-28 315568]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 317440]
    S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-20 56344]
    S3 O2MDFRDR;O2MDFRDR;c:\windows\system32\DRIVERS\O2MDFw7x64.sys [2011-01-03 72808]
    S3 O2SDJRDR;O2SDJRDR;c:\windows\system32\DRIVERS\o2sdjw7x64.sys [2011-03-23 83560]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-495499240-2845497790-2203762804-1003Core1cd6083b0707453.job
    - c:\users\Anne\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-23 20:52]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
    @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
    [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
    2011-03-04 21:12 139128 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
    @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
    [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
    2011-03-04 21:12 139128 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-01-05 592240]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-01-25 525312]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-30 167960]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-30 391704]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-30 418328]
    "FreeFallProtection"="c:\program files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2010-12-17 686704]
    "Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2011-01-15 6492672]
    "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Anne\AppData\Roaming\Mozilla\Firefox\Profiles\exlzpcgg.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-495499240-2845497790-2203762804-1003\Software\SecuROM\License information*]
    "datasecu"=hex:a3,64,e8,b2,f1,93,8b,8c,25,b9,3b,9c,cd,8b,a5,5e,b3,ef,71,ec,f4,
    5d,7b,48,11,53,bb,01,1f,93,60,5c,08,af,d8,30,f4,29,e7,cd,41,6b,bc,d4,e5,4f,\
    "rkeysecu"=hex:88,0b,dd,04,aa,98,a3,b1,e9,47,88,63,e9,42,e4,a7
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\windows\system32\DRIVERS\o2flash.exe
    c:\windows\sysWOW64\SDIOAssist.exe
    c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-02 09:03:37 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-02 13:03
    ComboFix2.txt 2012-07-30 21:31
    .
    Pre-Run: 32,419,397,632 bytes free
    Post-Run: 32,232,824,832 bytes free
    .
    - - End Of File - - CB02BB813735324CD799829AA479990A
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
  18. abks26

    abks26 Newcomer, in training Topic Starter Posts: 41

    Hi! I decided to wait and see with the computer after your message since all seemed okay, but there are a couple of things. My browser does seem to freeze from time to time (Adobe Flash player crashes), but it's weird since it rarely used to do that. I've updated my files and everything.

    Also, I tried to reactivate Windows Defender, but I got Error Code 0x80070005. Other than that, it's basically acting the same way. My firewall is on, Microsoft Security Essentials is on. It's as if nothing happened, lol :D
  19. abks26

    abks26 Newcomer, in training Topic Starter Posts: 41

    Also, is there a chance that my external hard drive or flash drives could have gotten infected with the virus? I had it plugged in when everything went kaput and don't want to take a risk.
  20. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Were the flash/ext. drives connected when we did the scans? If so, it'll be okay.

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and Scan unwanted applications are checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
  21. abks26

    abks26 Newcomer, in training Topic Starter Posts: 41

    Ugh, now it looks like the Google Redirect links are back in full effect in both Google Chrome AND Firefox! Everything else (except Windows Defender, still error message) is fine. It started with Google Chrome though.

    I did have to re-install Java since I need it for my job. Also updated Adobe Flash (wanted to watch the Olympics and it kept crashing on me). Would that be the trigger?

    Also, ESET came with nothing. But I also had Microsoft Security Essentials open. Should I close it and re-do the ESET scan?
    -------------------------------------

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=f4e9f46c4885fd4cacf0bac5ae605b99
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=false
    # utc_time=2012-08-01 10:23:20
    # local_time=2012-08-01 06:23:20 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=6.1.7601 NT Service Pack 1
    # compatibility_mode=5893 16776574 100 94 0 95397388 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=247689
    # found=10
    # cleaned=10
    # scan_time=5861
    C:\FRST\Quarantine\{00b598d9-c12d-228a-e17a-a95173c1bd79}\n Win64/Sirefef.W trojan (cleaned by deleting - quarantined) A7BF6F31D148E6236C89CDCCEB9A1E85 C
    C:\Qoobox\Quarantine\C\Users\Anne\AppData\Roaming\gdasn.dll.vir a variant of Win32/Medfos.BH trojan (cleaned by deleting - quarantined) A01ABAD040EC039F198848EEF1403EBB C
    C:\Users\Anne\AppData\Local\{215B6270-D699-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (cleaned by deleting - quarantined) BEC1708519EDBC7F382DBBA8A9E2EE9C C
    C:\Users\Anne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\a850b9d-658269ca a variant of Win32/Injector.UEZ trojan (cleaned by deleting - quarantined) FFBE7CC05310A2E1895B51EE1F1F9A9B C
    C:\Users\Anne\Downloads\Fluenz French 1-2\Youtube Get _5.0.5\yg.exe MSIL/Agent.NAX trojan (cleaned by deleting - quarantined) 7ADD85F5910555D5C0E105E1CC948130 C
    C:\Users\Anne\Downloads\Programs\cnet2_BullzipPDFPrinter_4_0_0_463_zip.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) D5A7EF7068B30EA8A18A4FC228317290 C
    C:\Users\Anne\Downloads\Programs\SoftonicDownloader_for_jdownloader.exe Win32/SoftonicDownloader application (cleaned by deleting - quarantined) E92E1D227062DEBD01FF2FD2D864A9F7 C
    C:\Users\Anne\Downloads\Youtube Get _5.0.5\yg.exe MSIL/Agent.NAX trojan (cleaned by deleting - quarantined) 7ADD85F5910555D5C0E105E1CC948130 C
    C:\Users\Anne\Downloads\JDownloader.exe multiple threats (cleaned by deleting - quarantined) 118473965E925DABD51AB16B863645F4 C
    C:\Windows\KMSEmulator.exe a variant of Win32/HackKMS.A application (cleaned by deleting - quarantined) 485055033BCDDFDE56325C0D2FEEA4F2 C
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=f4e9f46c4885fd4cacf0bac5ae605b99
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2012-08-07 01:40:14
    # local_time=2012-08-07 09:40:14 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=6.1.7601 NT Service Pack 1
    # compatibility_mode=5893 16776574 100 94 375942 95859505 0 0
    # compatibility_mode=8192 67108863 100 0 376115 376115 0 0
    # scanned=257313
    # found=0
    # cleaned=0
    # scan_time=30759
  22. abks26

    abks26 Newcomer, in training Topic Starter Posts: 41

    Also, I did NOT have my external hard drives or flash drives when I was going through the process of removing the virus. I disconnected it from the computer once things fell apart.
  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    That's okay.

    Let's do some further diagnosis...this might take a while...

    Please download DrWeb-CureIt and save it to your Desktop. Do NOT perform a scan yet.

    • Double-click on drweb-cureit.exe to start the program.
      An Express Scan of your PC notice will appear.
    • Under Start the Express Scan Now, Click OK to start the scan.
      This is a short scan that will scan the files currently running in memory.
      If something is found, click the Yes button when it asks you if you want to cure it.
    • Once the short scan has finished, Click Options > Change settings
    • Choose the Scan tab and UNcheck Heuristic analysis
    • Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
    • Then click the Start/Stop Scanning button (green arrow on the right), and the scan will start.
    • When finished, a message will be displayed at the bottom advising if any viruses were found.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, look if you can see the icon next to the files found.
      If so, click it, then click the next icon right below and select Move incurable.
      (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
    • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
    • Save the DrWeb.csv report to your Desktop.
    • Exit Dr.Web Cureit when you have finished.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
  24. abks26

    abks26 Newcomer, in training Topic Starter Posts: 41

    Things are getting weird again. I think I got the FBI Moneypak Virus since my brother went on it and said there was this strange pop-up from the "FBI" saying that we need to pay money yadda yadda blah blah. Didn't fall for it and he immediately shut down the computer and turned off the internet (he knew about my issues with the other virus). When he described it to me, I went on another computer, searched for what it was about, and figured it out.

    Task Manager disappears 2 seconds after using ctrl + alt + delete. I also haven't turned on my internet/wireless access. I don't think I can boot into safe mode, but I don't want to keep rebooting and having the virus refresh itself. I'm not sure if that's even accurate, lol. Whatever makes me feel better I guess.

    I'm just going to have to rent a computer or something to try to do work now since I feel like trying to use it for work is beyond me. It's too bad because I need those programs on that laptop! Real sorry for this :'( :oops: . Hopefully you are not losing patience with me :oops: . This is like the first time in my whole life that I ever had to deal with a virus.

    This was the Dr. Cure It log file that I got before the FBI Moneypak Virus.

    GetAd[1].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ATKSRM1U;Probably SCRIPT.Virus;Deleted.;
    GetAd[2].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ATKSRM1U;Probably SCRIPT.Virus;Deleted.;
    GetAd[3].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ATKSRM1U;Probably SCRIPT.Virus;Deleted.;
    GetAd[4].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ATKSRM1U;Probably SCRIPT.Virus;Deleted.;
    GetAd[5].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ATKSRM1U;Probably SCRIPT.Virus;Deleted.;
    GetAd[6].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ATKSRM1U;Probably SCRIPT.Virus;Deleted.;
    GetAd[7].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ATKSRM1U;Probably SCRIPT.Virus;Deleted.;
    GetAd[1].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BZGPZ844;Probably SCRIPT.Virus;Deleted.;
    GetAd[2].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BZGPZ844;Probably SCRIPT.Virus;Deleted.;
    GetAd[3].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BZGPZ844;Probably SCRIPT.Virus;Deleted.;
    GetAd[4].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BZGPZ844;Probably SCRIPT.Virus;Deleted.;
    GetAd[5].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BZGPZ844;Probably SCRIPT.Virus;Deleted.;
    GetAd[6].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BZGPZ844;Probably SCRIPT.Virus;Deleted.;
    GetAd[7].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BZGPZ844;Probably SCRIPT.Virus;Deleted.;
    GetAd[8].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BZGPZ844;Probably SCRIPT.Virus;Deleted.;
    GetAd[1].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HMYM6A9U;Probably SCRIPT.Virus;Deleted.;
    GetAd[2].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HMYM6A9U;Probably SCRIPT.Virus;Deleted.;
    GetAd[3].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HMYM6A9U;Probably SCRIPT.Virus;Deleted.;
    GetAd[4].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HMYM6A9U;Probably SCRIPT.Virus;Deleted.;
    GetAd[1].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XP7MQYLG;Probably SCRIPT.Virus;Deleted.;
    GetAd[2].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XP7MQYLG;Probably SCRIPT.Virus;Deleted.;
    GetAd[3].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XP7MQYLG;Probably SCRIPT.Virus;Deleted.;
    GetAd[4].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XP7MQYLG;Probably SCRIPT.Virus;Deleted.;
    GetAd[6].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XP7MQYLG;Probably SCRIPT.Virus;Deleted.;
    GetAd[7].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XP7MQYLG;Probably SCRIPT.Virus;Deleted.;
    GetAd[8].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XP7MQYLG;Probably SCRIPT.Virus;Deleted.;
    ros[4].js;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XP7MQYLG;Probably SCRIPT.Virus;Deleted.;
    WebInstaller.exe;C:\Documents and Settings\Anne\Downloads\Programs;Trojan.DownLoader5.52228;Incurable.Moved.;
  25. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Connect any external drives and flash drives while doing this....

    Kaspersky Virus Removal Tool

    The Kaspersky Virus Removal Tool is a scan-and-remove solution from Kaspersky that searches out the most common malware and attempts to remove it from your computer.

    Please download the Kaspersky Virus Removal Tool from Kaspersky's Official Link and save it to your Desktop.

    • Double-click the Setup file to install it on your computer.
    • Once it has installed, review and accept the agreement and press the Start button.
    • You will be presented with the main interface, but don't scan yet; click the options tab (gear icon).
    • On the Scan Scope tab, make sure to checkmark all the options including all drives, except for the CD/DVD drive.
    • On the Security Level tab, make sure to move the slider up denoting "Current Security Level: High".
    • Now, go back to the Automatic Scan tab, and choose "Start Scanning". It may take several hours to complete. Please allow it to do so.
    • Once done scanning, choose the Report tab (page icon), select Detected Threats tab on left, and choose Disinfect All.
    • Then, choose Save. Also, in the Automatic Report tab, select Save.
    • Please post the reports in your next reply.
    • Once you exit, the tool should uninstall automatically.

