Solved Sirefef.y and Sirefef.b - MSE cannot update and PC shuts itself down

GailMacM

Hi......been reading the info on your site since I got this virus a week ago. Since I was on limited up time I managed to scribble down the following.
Sirefef.y
Sirefef.b
pid 664
system 32/services/exe
0i763f66bz.exe
c:\windows\system3...2a1ab.sys

I bought a new computer and flash drive. I would like to save the data on the infected PC if possible. A lot of pictures and a lot of memories there!

I downloaded the FRST program to the flash drive and ran the log, then immediately shut down the computer. MSE is on that PC but not updating. Malwarebytes is also on it. Both MSE and MB seem to have tracked the intruders but neither seem able to remove them as the computer shuts itself off within a minute or two and promptly restarts ..........over and over, every time I tried.

Thanks.....now I'll just sit tight until I receive your instruction.

GailMacM
 
Welcome aboard


Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

================================================

What Windows version is it?
 
For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 bit version type e:\frst64) and press Enter
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 
FRST log
Scan result of Farbar Recovery Scan Tool Version: 01-07-2012
Ran by SYSTEM at 01-07-2012 12:56:14
Running from F:\
Windows Vista (TM) Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2096424 2010-05-27] (Synaptics Incorporated)
HKLM\...\Run: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [914224 2008-11-18] (Hewlett-Packard)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [61440 2008-08-29] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start [206128 2008-10-10] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2011-01-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKLM-x32\...\Run: [Regedit32] C:\Windows\system32\regedit.exe [x]
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2008-01-20] (Microsoft Corporation)
HKU\Default\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [966656 2008-11-18] (Hewlett-Packard)
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2008-01-20] (Microsoft Corporation)
HKU\Default User\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [966656 2008-11-18] (Hewlett-Packard)
HKU\GM\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\GM\...\Run: [Google Update] "C:\Users\GM\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-09-02] (Google Inc.)
HKU\GM\...\Run: [0i763f66bz] C:\Users\GM\0i763f66bz.exe [40960 2012-06-22] (SmoothCandle)
Startup: C:\Users\GM\Start Menu\Programs\Startup\VZAccess Manager.lnk
ShortcutTarget: VZAccess Manager.lnk -> C:\Program Files (x86)\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe (Smith Micro Software, Inc.)
==================== Services (Whitelisted) ======
2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
4 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_1b06afce\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
2 AgereModemAudio; C:\Windows\system32\agr64svc.exe [15872 2007-12-11] (Agere Systems)
2 FreeAgentGoNext Service; "C:\Program Files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe" [189736 2009-12-18] (Seagate Technology LLC)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
2 Recovery Service for Windows; C:\Program Files (x86)\SMINST\BLService.exe [365952 2008-12-02] ()
2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [241734 2008-09-15] ()
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_1b06afce\STacSV64.exe [240640 2009-08-13] (IDT, Inc.)
2 Themes; C:\Windows\SysWow64\shsvcs.dll [247808 2009-07-10] (Microsoft Corporation)
2 TVCapSvc; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe" [296320 2008-11-26] ()
2 TVSched; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe" [116096 2008-11-26] ()
2 Norton Internet Security; "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 [x]
========================== Drivers (Whitelisted) =============
0 30ecc9138b4d9f3d; C:\Windows\System32\Drivers\30ecc9138b4d9f3d.sys [74184 2012-06-23] ()
3 AgereSoftModem; C:\Windows\System32\DRIVERS\agrsm64.sys [1253376 2008-11-21] (Agere Systems)
0 AtiPcie; C:\Windows\System32\Drivers\AtiPcie.sys [16400 2008-04-27] (ATI Technologies Inc.)
3 grmnusb; C:\Windows\System32\Drivers\grmnusb.sys [20520 2009-05-08] (GARMIN Corp.)
3 NETw3v64; C:\Windows\System32\Drivers\NETw3v64.sys [3154432 2008-01-20] (Intel Corporation)
3 NWADI; C:\Windows\System32\DRIVERS\NWADIenum.sys [256512 2010-07-08] (Novatel Wireless Inc)
3 NWUSBCDFIL64; C:\Windows\System32\Drivers\NWUSBCDFIL64.sys [25600 2010-07-08] (Novatel Wireless Inc.)
3 NWUSBModem_000; C:\Windows\System32\DRIVERS\nwusbmdm_000.sys [217728 2010-07-08] (Novatel Wireless Inc.)
3 NWUSBPort2_000; C:\Windows\System32\DRIVERS\nwusbser2_000.sys [217728 2010-07-08] (Novatel Wireless Inc.)
3 NWUSBPort_000; C:\Windows\System32\DRIVERS\nwusbser_000.sys [217728 2010-07-08] (Novatel Wireless Inc.)
2 {55662437-DA8C-40c0-AADA-2C816A897A49}; \??\C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [146928 2008-11-28] (CyberLink Corp.)
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\ENG64.SYS [x]
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\EX64.SYS [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
1 SRTSP; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSP64.SYS [x]
1 SRTSPX; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSPX64.SYS [x]
========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============
2012-07-01 12:56 - 2012-07-01 12:56 - 00000000 ____D C:\FRST
2012-06-23 02:58 - 2012-06-23 02:58 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-23 02:31 - 2012-06-23 02:31 - 00074184 ____A C:\Windows\System32\Drivers\30ecc9138b4d9f3d.sys
2012-06-22 12:51 - 2012-06-22 12:51 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-22 12:47 - 2012-06-22 12:47 - 00040960 ____A (SmoothCandle) C:\Users\GM\0i763f66bz.exe
2012-06-18 18:48 - 2012-06-18 18:48 - 00000000 ____D C:\Users\All Users\Mozilla
2012-06-18 18:48 - 2012-06-18 18:48 - 00000000 ____D C:\Users\All Users\Application Data\Mozilla
2012-06-18 18:48 - 2012-06-18 18:48 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2012-06-17 08:59 - 2012-06-17 08:59 - 00000016 ____A C:\Windows\popcinfo.dat
2012-06-17 08:51 - 2012-06-17 08:52 - 00000000 ____D C:\Program Files (x86)\WildTangent Games
2012-06-14 12:03 - 2009-05-18 09:17 - 00034152 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
2012-06-14 12:03 - 2008-04-17 08:12 - 00126312 ____A (GEAR Software Inc.) C:\Windows\System32\GEARAspi64.dll
2012-06-14 12:03 - 2008-04-17 08:12 - 00107368 ____A (GEAR Software Inc.) C:\Windows\SysWOW64\GEARAspi.dll
2012-06-14 12:02 - 2012-06-14 12:03 - 00000000 ____D C:\Users\All Users\Application Data\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-06-14 12:02 - 2012-06-14 12:03 - 00000000 ____D C:\Users\All Users\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-06-14 12:02 - 2012-06-14 12:03 - 00000000 ____D C:\Program Files\iTunes
2012-06-14 12:02 - 2012-06-14 12:03 - 00000000 ____D C:\Program Files (x86)\iTunes
2012-06-14 12:02 - 2012-06-14 12:02 - 00000000 ____D C:\Program Files\iPod
2012-06-14 12:00 - 2012-06-14 12:00 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2012-06-14 11:58 - 2012-06-14 11:58 - 00000000 ____D C:\Program Files\Common Files\Apple
2012-06-14 11:57 - 2012-06-14 11:58 - 00000000 ____D C:\Program Files\Bonjour
============ 3 Months Modified Files ========================
2012-07-01 08:49 - 2012-02-06 11:04 - 00002387 ____A C:\Windows\setupact.log
2012-07-01 08:49 - 2009-04-07 23:04 - 00000012 ____A C:\Windows\bthservsdp.dat
2012-07-01 08:49 - 2006-11-02 07:42 - 00032612 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-01 08:49 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-01 08:48 - 2010-12-09 07:09 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-01 08:48 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-01 08:48 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-23 11:30 - 2006-11-02 07:21 - 02310272 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-23 11:29 - 2009-08-05 05:40 - 00001460 ____A C:\Users\GM\Local Settings\d3d9caps64.dat
2012-06-23 11:29 - 2009-08-05 05:40 - 00001460 ____A C:\Users\GM\Local Settings\Application Data\d3d9caps64.dat
2012-06-23 11:29 - 2009-08-05 05:40 - 00001460 ____A C:\Users\GM\AppData\Local\d3d9caps64.dat
2012-06-23 08:59 - 2010-12-09 07:09 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-06-23 08:57 - 2010-09-02 04:06 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3017639029-3219315148-4218580917-1000UA.job
2012-06-23 03:00 - 2012-02-06 12:55 - 00001484 ____A C:\Windows\PFRO.log
2012-06-23 02:59 - 2011-01-20 15:07 - 00002154 ____A C:\Windows\epplauncher.mif
2012-06-23 02:58 - 2011-01-20 15:01 - 00721764 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-06-23 02:57 - 2010-09-02 04:06 - 00000844 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3017639029-3219315148-4218580917-1000Core.job
2012-06-23 02:31 - 2012-06-23 02:31 - 00074184 ____A C:\Windows\System32\Drivers\30ecc9138b4d9f3d.sys
2012-06-22 18:24 - 2009-07-09 18:32 - 01079736 ____A C:\Windows\WindowsUpdate.log
2012-06-22 12:47 - 2012-06-22 12:47 - 00040960 ____A (SmoothCandle) C:\Users\GM\0i763f66bz.exe
2012-06-19 12:55 - 2011-07-22 09:14 - 00000020 ____H C:\Users\All Users\PKP_DLev.DAT
2012-06-19 12:55 - 2011-07-22 09:14 - 00000020 ____H C:\Users\All Users\PKP_DLet.DAT
2012-06-19 12:55 - 2011-07-22 09:14 - 00000020 ____H C:\Users\All Users\Application Data\PKP_DLev.DAT
2012-06-19 12:55 - 2011-07-22 09:14 - 00000020 ____H C:\Users\All Users\Application Data\PKP_DLet.DAT
2012-06-19 04:33 - 2006-11-02 04:46 - 00706824 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-17 08:59 - 2012-06-17 08:59 - 00000016 ____A C:\Windows\popcinfo.dat
2012-06-08 10:41 - 2009-08-06 10:50 - 00022016 ____A C:\Users\GM\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-06-08 10:41 - 2009-08-06 10:50 - 00022016 ____A C:\Users\GM\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-06-08 10:41 - 2009-08-06 10:50 - 00022016 ____A C:\Users\GM\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-05-30 03:33 - 2012-05-30 03:33 - 00419488 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-05-30 03:33 - 2012-03-06 07:42 - 00070304 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-05-28 06:36 - 2011-02-21 07:26 - 00013433 ____A C:\Users\GM\Desktop\ToDo.rtf
2012-05-27 17:23 - 2009-08-07 15:20 - 00003488 ____A C:\Users\GM\Application Data\wklnhst.dat
2012-05-27 17:23 - 2009-08-07 15:20 - 00003488 ____A C:\Users\GM\AppData\Roaming\wklnhst.dat
2012-05-17 04:11 - 2012-05-17 04:11 - 00000948 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-05-17 04:11 - 2012-05-17 04:11 - 00000948 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-04-25 08:11 - 2012-04-25 08:11 - 04547944 ____A (Apple, Inc.) C:\Windows\System32\usbaaplrc.dll
2012-04-25 08:11 - 2012-04-25 08:11 - 00052736 ____A (Apple, Inc.) C:\Windows\System32\Drivers\usbaapl64.sys
2012-04-12 13:43 - 2010-07-07 11:08 - 22363136 ____A C:\Users\GM\My Documents\Travel Card.php
2012-04-12 13:43 - 2010-07-07 11:08 - 22363136 ____A C:\Users\GM\Documents\Travel Card.php
2012-04-04 11:56 - 2012-05-17 04:11 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
ZeroAccess:
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\n
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000001.@
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\80000000.@
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\800000cb.@
ZeroAccess:
C:\Users\GM\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Users\GM\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
C:\Users\GM\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
C:\Users\GM\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\n
C:\Users\GM\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U
========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe
[2008-01-20 18:48] - [2008-01-20 18:48] - 3080704 ____A (Microsoft Corporation) F6D765FB6B457542D954682F50C26E4F
C:\Windows\SysWOW64\explorer.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 2927104 ____A (Microsoft Corporation) FFA764631CB70A30065C12EF8E174F9F
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe BA539D2CE99C05A180EC518EA2040D6A ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 17%
Total physical RAM: 3836.89 MB
Available physical RAM: 3181.82 MB
Total Pagefile: 3523.12 MB
Available Pagefile: 3161.92 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB
======================= Partitions =========================
1 Drive c: () (Fixed) (Total:451.71 GB) (Free:231.93 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (RECOVERY) (Fixed) (Total:14.05 GB) (Free:2.14 GB) NTFS
4 Drive f: (USB DISK) (Removable) (Total:7.47 GB) (Free:7.47 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 466 GB 1024 KB
Disk 1 Online 7667 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 452 GB 1024 KB
Partition 2 Primary 14 GB 452 GB
==================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 452 GB Healthy
==================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D RECOVERY NTFS Partition 14 GB Healthy
==================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7662 MB 5100 KB
==================================================================================
Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F USB DISK FAT32 Removable 7662 MB Healthy
==================================================================================
==========================================================
Last Boot: 2012-06-23 03:07
======================= End Of Log ==========================
 
In Vista or Windows 7: Boot to System Recovery Options and run FRST.
In Windows XP: Please boot to UBCD and run FRST.
Type the following in the edit box after "Search:".

services.exe

Click Search button and post the log (Search.txt) it makes to your reply.
 
I'm being asked to choose a recovery tool and see nothing where I can run FRST....sorry but want to be sure I won't make an improper selection.
 
You follow the very same steps as you did to run the FRST tool, but this time instead of the "Scan" button you click the "Fix" button.
 
I select the Fix button then get this message...........

No fixlist.txt found (should be made and saved in the same directory the tool is located.

Notepad opens with FRST in F drive, I choose FRST (tried selecting txt and all files, but get the same message)
 
I apologize.

Type the following in the edit box after "Search:".

services.exe

Click Search button and post the log (Search.txt) it makes to your reply.
 
Thanks Broni,
I'll pick this up in the morning when my brain is refreshed. Between learning a new computer with a different OS and trying to wrangle this nasty virus, then having the food need kick in, it's probably time to have a rest. Thanks for all your help thus far, many of us would be much worse off without you.........see you tomorrow(y)
 
Hi Broni.....good morning
I'm still having a problem with this last step - I'll itemize so you can tell me what I'm not doing

Following the steps above I open notepad
select drive "f" which is the flash
I highlight FRST which is the only item listed
below, under File Name: is "txt"
Files of type: Text Documents (*.txt)
Encoding: ANSI
Clicking Open brings up the txt file
Instructions above say to close notepad and type f:\frst64 in the command box, which opens Farbar Recovery Scan Tool
in the search bar I type services.exe.........................AHA..............................
I hit search files instead of Fix and it's running and here is the log:

Farbar Recovery Scan Tool Version: 01-07-2012
Ran by SYSTEM at 2012-07-02 08:41:53
Running from F:\
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-11-30 15:45] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-11-30 15:45] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719
C:\Windows\SysWOW64\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\System32\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) BA539D2CE99C05A180EC518EA2040D6A
====== End Of Search ======
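The search output above is the evidence the helper is working from: the two live copies of services.exe are listed next to the copies Windows keeps in its WinSxS component store, each with its MD5. The SysWOW64 copy matches the x86 6.0.6001 component; the System32 copy matches none of the amd64 components, which is why FRST had already flagged it as ZeroAccess, and the later Fixlog shows it being replaced from the newest amd64 copy. The Python script below is an added example, not FRST's code and not anything Broni or GailMacM posted: it parses this Search.txt format (the sample is constructed from the lines posted above), compares each live copy's MD5 against the staged copies for its architecture, and names the newest staged copy as the restore source. It assumes an x64 Windows, as the log header states, so that System32 maps to amd64 components and SysWOW64 to x86; the function names and the `Verdict` record are my own.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample: the result lines from the FRST "Search: services.exe"
# output posted in the thread, with the hashes and paths as printed there.
SAMPLE_SEARCH_LOG = r"""
Farbar Recovery Scan Tool Version: 01-07-2012
Ran by SYSTEM at 2012-07-02 08:41:53
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-11-30 15:45] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-11-30 15:45] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719
C:\Windows\SysWOW64\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\System32\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) BA539D2CE99C05A180EC518EA2040D6A
====== End Of Search ======
"""

# A result is a path line followed by a detail line:
#   [created] - [modified] - size attributes (company) MD5
PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETAIL_RE = re.compile(
    r"^\[(?P<created>[\d-]+ [\d:]+)\] - \[(?P<modified>[\d-]+ [\d:]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
# Component-store folders carry the architecture and the file version in their name.
WINSXS_RE = re.compile(
    r"\\winsxs\\(?P<arch>x86|amd64)_.*?_(?P<ver>\d+\.\d+\.\d+\.\d+)_", re.IGNORECASE
)


class FileEntry(NamedTuple):
    path: str
    created: str
    modified: str
    size: int
    company: str
    md5: str


class Verdict(NamedTuple):
    status: str                 # "OK" or "MISMATCH"
    md5: str
    restore_from: Optional[str]  # newest staged copy for the same architecture


def parse_search_log(text: str) -> List[FileEntry]:
    """Pair each path line with the detail line that follows it."""
    entries: List[FileEntry] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            pending = line
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            entries.append(FileEntry(pending, m["created"], m["modified"],
                                     int(m["size"]), m["company"], m["md5"].upper()))
            pending = None
    return entries


def winsxs_info(path: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """(arch, version tuple) for a component-store path, else None."""
    m = WINSXS_RE.search(path)
    if not m:
        return None
    return m["arch"].lower(), tuple(int(p) for p in m["ver"].split("."))


def live_arch(path: str) -> Optional[str]:
    """Assumption: x64 Windows, so System32 holds amd64 binaries and SysWOW64 x86 ones."""
    low = path.lower()
    if "\\syswow64\\" in low:
        return "x86"
    if "\\system32\\" in low:
        return "amd64"
    return None


def audit(entries: List[FileEntry]) -> Dict[str, Verdict]:
    """Compare each live copy against the staged copies of its architecture."""
    staged: Dict[str, List[Tuple[Tuple[int, ...], FileEntry]]] = {}
    for e in entries:
        info = winsxs_info(e.path)
        if info:
            staged.setdefault(info[0], []).append((info[1], e))
    report: Dict[str, Verdict] = {}
    for e in entries:
        arch = live_arch(e.path)
        if arch is None:
            continue
        known = {s.md5 for _, s in staged.get(arch, [])}
        newest = max(staged.get(arch, []), key=lambda t: t[0], default=None)
        report[e.path] = Verdict("OK" if e.md5 in known else "MISMATCH", e.md5,
                                 newest[1].path if newest else None)
    return report


if __name__ == "__main__":
    for path, v in audit(parse_search_log(SAMPLE_SEARCH_LOG)).items():
        print(f"{v.status:9} {v.md5} {path}")
        if v.status == "MISMATCH" and v.restore_from:
            print(f"          newest staged copy: {v.restore_from}")
```

Run as is, it reports the System32 copy as MISMATCH and points at the amd64 6.0.6002.18005 component, which is the copy the Fixlog later shows being put in place. A live copy that matches none of the staged versions is suspect, as here; a mismatch can also mean a hotfix that was never staged in WinSxS, so checking the file's Authenticode signature is the natural next step before replacing anything. On a 32-bit host the `live_arch` mapping is the one thing to change.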
 
You did fine :)

Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the UBCD.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Next....

Restart normally.

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
  • NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe
  • Double-click on the Rkill icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 

Attachments

  • fixlist.txt (529 bytes)
Hi Broni........some notes before I post the 2 logs

After running Fix, then on a normal restart the computer would only start in test mode, Build 6001: Service Pack 1.
Windows Firewall service was not running, saying "Due to an unidentified problem Windows cannot display Windows Firewall settings." After the scan, I checked and Windows Firewall is back running.
I could not disable MSE or Malwarebytes so I had to uninstall both and will not re-install until you say do so.
I had to restart after uninstalling MSE and the computer did start normally
Internet was not cut off when Combofix started running so I shut it down manually. It appears that ComboFix did run as intended. Thanks again for all your help:)

Now the logs:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 01-07-2012
Ran by SYSTEM at 2012-07-03 07:17:09 Run:1
Running from F:\
==============================================
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored successfully .
C:\Windows\System32\consrv.dll not found.
HKLM-x32\\\.\.\.\\Run\\Regedit32 Value deleted successfully.
30ecc9138b4d9f3d service deleted successfully.
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} moved successfully.
C:\Users\GM\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe copied successfully to C:\Windows\System32\services.exe
==== End of Fixlog ====

And ComboFix log:

ComboFix 12-07-02.01 - GM 07/03/2012 8:26.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3837.2493 [GMT -4:00]
Running from: c:\users\GM\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-06-03 to 2012-07-03 )))))))))))))))))))))))))))))))
.
.
2012-07-03 12:36 . 2012-07-03 12:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-01 20:56 . 2012-07-01 20:56 -------- d-----w- C:\FRST
2012-06-23 10:31 . 2012-06-23 10:31 74184 ----a-w- c:\windows\system32\drivers\30ecc9138b4d9f3d.sys
2012-06-22 20:51 . 2012-06-22 20:51 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-06-22 20:47 . 2012-07-03 12:15 40960 ----a-w- c:\users\GM\0i763f66bz.exe
2012-06-19 02:48 . 2012-06-19 02:48 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-06-19 02:48 . 2012-06-19 02:48 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
2012-06-19 02:48 . 2012-06-19 02:48 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
2012-06-17 16:51 . 2012-06-17 16:52 -------- d-----w- c:\program files (x86)\WildTangent Games
2012-06-14 20:03 . 2009-05-18 17:17 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-06-14 20:03 . 2008-04-17 16:12 126312 ----a-w- c:\windows\system32\GEARAspi64.dll
2012-06-14 20:03 . 2008-04-17 16:12 107368 ----a-w- c:\windows\SysWow64\GEARAspi.dll
2012-06-14 20:02 . 2012-06-14 20:02 -------- d-----w- c:\program files\iPod
2012-06-14 20:02 . 2012-06-14 20:03 -------- d-----w- c:\programdata\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-06-14 20:02 . 2012-06-14 20:03 -------- d-----w- c:\program files\iTunes
2012-06-14 20:02 . 2012-06-14 20:03 -------- d-----w- c:\program files (x86)\iTunes
2012-06-14 20:00 . 2012-06-14 20:00 -------- d-----w- c:\program files (x86)\Apple Software Update
2012-06-14 19:58 . 2012-06-14 19:58 -------- d-----w- c:\program files\Common Files\Apple
2012-06-14 19:57 . 2012-06-14 19:58 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-30 11:33 . 2012-05-30 11:33 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-30 11:33 . 2012-03-06 15:42 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-25 16:11 . 2012-04-25 16:11 52736 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
2012-04-25 16:11 . 2012-04-25 16:11 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-10-10 206128]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
.
c:\users\GM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
VZAccess Manager.lnk - c:\program files (x86)\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2010-12-9 3826968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_1b06afce\AESTSr64.exe [2009-03-02 89600]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - ab750cc85d5e0ea
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-09 15:09]
.
2012-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-09 15:09]
.
2012-06-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3017639029-3219315148-4218580917-1000Core.job
- c:\users\GM\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-02 12:06]
.
2012-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3017639029-3219315148-4218580917-1000UA.job
- c:\users\GM\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-02 12:06]
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: elogiclearning.com\brsrealestate
Trusted Zone: intuit.com\ttlc
DPF: PUFLITE - hxxp://www.homesweethomeflorida.com/ColpaControls/Photo/Control/PUFLITE.CAB
DPF: {C269D811-8511-44CF-B310-28CDDFFB1B74} - hxxp://www.brevardmls.com/brv/valid/osi_valid9m.ocx
FF - ProfilePath - c:\users\GM\AppData\Roaming\Mozilla\Firefox\Profiles\mfmw7f7q.default\
FF - prefs.js: browser.search.selectedEngine - Craigslist Search
FF - prefs.js: browser.startup.homepage - google.com
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-Regedit32 - c:\windows\system32\regedit.exe
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-SmartMenu - c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ab750cc85d5e0ea]
"ImagePath"="\SystemRoot\System32\Drivers\ab750cc85d5e0ea.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\SysWow64\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,75,23,5c,14,98,
6a,6a,b2,2e,e8,e1,00,eb,16,2b,de,4c,1d,38,8a,24,36,b1,97,e2,63,26,f1,3f,c8,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\SysWow64\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,ce,1e,43,3e,3b,
5a,c7,bd,46,47,15,b0,92,4b,c7,ef,bf,8b,e5,67,e8,9a,29,9b,6a,9c,d6,61,af,45,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\SysWow64\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,85,47,55,f4,5f,
2e,1a,4f,7a,45,05,fd,91,e8,6f,31,f9,ff,4a,1b,6d,ec,fa,51,ff,7c,85,e0,43,d4,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\SysWow64\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,79,99,68,e3,30,
74,e0,01,6b,65,49,6a,7e,99,74,f7,72,8a,cd,2e,5a,11,b9,a7,86,8c,21,01,be,91,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\SysWow64\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,dc,a0,a1,eb,1e,
38,18,96,e9,02,6c,fa,fb,1d,47,57,61,cd,d7,32,b5,82,1f,2a,f5,1d,4d,73,a8,13,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\SysWow64\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,41,85,25,48,79,
44,c5,a5,50,93,e5,ab,ec,6a,4e,ab,38,f1,4c,58,f4,eb,e9,a4,df,20,58,62,78,6b,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\SysWow64\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,0f,d1,78,34,98,
5c,21,f5,97,20,4e,9a,c7,f1,35,ee,3f,81,9d,dc,f8,83,8e,18,fb,a7,78,e6,12,2f,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\SysWow64\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,c2,5f,d8,da,40,
f7,94,03,aa,52,c6,00,84,3c,26,64,61,f6,7e,cb,6f,79,ce,f4,01,3a,48,fc,e8,04,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\SysWow64\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,ae,da,81,26,9e,
89,fc,97,b2,46,9a,e2,1b,fe,1b,94,76,36,4c,2e,36,eb,5d,21,f6,0f,4e,58,98,5b,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\SysWow64\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,88,90,18,b2,9c,
93,c5,ed,37,a4,aa,c3,a6,15,56,0a,ed,35,57,9b,7a,a9,0a,56,3d,ce,ea,26,2d,45,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\SysWow64\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,4e,46,6e,ca,f4,
8b,01,07,f8,31,0f,a9,5f,a0,ec,fb,29,ed,21,5b,cb,16,50,3d,2a,b7,cc,b5,b9,7f,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\SysWow64\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,44,93,72,dc,ba,
91,0d,82,05,73,21,dd,54,d8,4a,c5,63,a4,98,cd,8a,1d,68,a0,6c,43,2d,1e,aa,22,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\SMINST\BLService.exe
c:\program files (x86)\CyberLink\Shared files\RichVideo.exe
c:\program files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
c:\program files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
.
**************************************************************************
.
Completion time: 2012-07-03 08:47:54 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-03 12:47
.
Pre-Run: 253,874,696,192 bytes free
Post-Run: 253,922,799,616 bytes free
.
- - End Of File - - D9D6A066268A1F8ED1FF0669D95DFC39
 
1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\drivers\30ecc9138b4d9f3d.sys
c:\windows\system32\Drivers\ab750cc85d5e0ea.sys

RegNull::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]


Driver::
30ecc9138b4d9f3d
ab750cc85d5e0ea

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ab750cc85d5e0ea]

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
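The CFScript above was assembled by hand from the ComboFix log. As an added example, not code from this thread, ComboFix or FRST, the following Python triage script pulls the same kinds of entries out of a log mechanically and drafts the File::, RegNull:: and Driver:: sections for review. The two heuristics (a locked CLSID InprocServer32* key carrying a 32-hex-character value name with a hex blob; a driver whose base name is a bare 15-16 hex-character string) and the sample log are assumptions modelled on the logs posted in this thread.

```python
import re
from dataclasses import dataclass, field

# Heuristics below are assumptions for this example, modelled on the logs in
# this thread; they are not ComboFix's own detection logic.
KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
# A registry value whose *name* is a 32-character hex string holding a hex blob.
HASH_VALUE_RE = re.compile(r'^"(?P<name>[0-9a-f]{32})"=hex:')
# A driver in system32\drivers whose base name is a bare 15-16 character hex string.
HEX_DRIVER_RE = re.compile(
    r"(?:c:\\windows|\\systemroot)\\system32\\drivers\\(?P<name>[0-9a-f]{15,16})\.sys\b",
    re.IGNORECASE,
)

# Constructed sample: a few lines in the shape of the ComboFix log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2012-06-03 to 2012-07-03 )))))))))))))))))))))))))))))))
.
2012-06-23 10:31 . 2012-06-23 10:31 74184 ----a-w- c:\windows\system32\drivers\30ecc9138b4d9f3d.sys
2012-06-14 20:03 . 2009-05-18 17:17 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ab750cc85d5e0ea]
"ImagePath"="\SystemRoot\System32\Drivers\ab750cc85d5e0ea.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\SysWow64\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,75,23,5c,14,98,
6a,6a,b2,2e,e8,e1,00,eb,16,2b,de,4c,1d,38,8a,24,36,b1,97,e2,63,26,f1,3f,c8,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
------------------------ Other Running Processes ------------------------
"""


@dataclass
class LockedKey:
    path: str
    values: list = field(default_factory=list)

    @property
    def subkey(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    def hash_value_names(self) -> list:
        return [m.group("name") for v in self.values if (m := HASH_VALUE_RE.match(v))]

    def is_clsid_hijack_candidate(self) -> bool:
        # Locked "InprocServer32*" carrying a hash-named blob value, as in the
        # keys the RegNull:: list targets; keys locked only by ACL do not count.
        return self.subkey == "InprocServer32*" and bool(self.hash_value_names())


def parse_locked_keys(log_text: str) -> list:
    """Collect the keys listed under LOCKED REGISTRY KEYS, up to the next section header."""
    keys, current, in_section = [], None, False
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if line.startswith(("---", "(((")):          # ComboFix section header
            if in_section:
                break
            in_section = "LOCKED REGISTRY KEYS" in line
            continue
        if not in_section or line in ("", "."):     # "." is ComboFix's blank line
            continue
        m = KEY_RE.match(line)
        if m:
            current = LockedKey(m.group("path"))
            keys.append(current)
        elif current is not None:
            current.values.append(line)
    return keys


def find_hex_named_drivers(log_text: str) -> list:
    """Base names of hex-named drivers, deduplicated, in order of first appearance."""
    seen = {}
    for line in log_text.splitlines():
        m = HEX_DRIVER_RE.search(line)
        if m:
            seen.setdefault(m.group("name").lower(), None)
    return list(seen)


def draft_cfscript(log_text: str) -> str:
    """Draft File::, RegNull:: and Driver:: sections for an analyst to review."""
    drivers = find_hex_named_drivers(log_text)
    candidates = [k for k in parse_locked_keys(log_text) if k.is_clsid_hijack_candidate()]
    out = ["File::"] + [f"c:\\windows\\system32\\drivers\\{n}.sys" for n in drivers]
    out += ["", "RegNull::"] + [f"[{k.path}]" for k in candidates]
    out += ["", "Driver::"] + drivers
    return "\n".join(out)


if __name__ == "__main__":
    print(draft_cfscript(SAMPLE_LOG))
```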
 
ComboFix 12-07-02.01 - GM 07/03/2012 20:00:38.2.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3837.2513 [GMT -4:00]
Running from: c:\users\GM\Desktop\ComboFix.exe
Command switches used :: c:\users\GM\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\drivers\30ecc9138b4d9f3d.sys"
"c:\windows\system32\Drivers\ab750cc85d5e0ea.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_30ECC9138B4D9F3D
-------\Legacy_AB750CC85D5E0EA
-------\Service_ab750cc85d5e0ea
.
.
((((((((((((((((((((((((( Files Created from 2012-06-04 to 2012-07-04 )))))))))))))))))))))))))))))))
.
.
2012-07-01 20:56 . 2012-07-01 20:56 -------- d-----w- C:\FRST
2012-06-23 10:31 . 2012-06-23 10:31 74184 ----a-w- c:\windows\system32\drivers\30ecc9138b4d9f3d.sys
2012-06-22 20:51 . 2012-06-22 20:51 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-06-22 20:47 . 2012-07-03 12:15 40960 ----a-w- c:\users\GM\0i763f66bz.exe
2012-06-19 02:48 . 2012-06-19 02:48 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-06-19 02:48 . 2012-06-19 02:48 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
2012-06-19 02:48 . 2012-06-19 02:48 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
2012-06-17 16:51 . 2012-06-17 16:52 -------- d-----w- c:\program files (x86)\WildTangent Games
2012-06-14 20:03 . 2009-05-18 17:17 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-06-14 20:03 . 2008-04-17 16:12 126312 ----a-w- c:\windows\system32\GEARAspi64.dll
2012-06-14 20:03 . 2008-04-17 16:12 107368 ----a-w- c:\windows\SysWow64\GEARAspi.dll
2012-06-14 20:02 . 2012-06-14 20:02 -------- d-----w- c:\program files\iPod
2012-06-14 20:02 . 2012-06-14 20:03 -------- d-----w- c:\programdata\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-06-14 20:02 . 2012-06-14 20:03 -------- d-----w- c:\program files\iTunes
2012-06-14 20:02 . 2012-06-14 20:03 -------- d-----w- c:\program files (x86)\iTunes
2012-06-14 20:00 . 2012-06-14 20:00 -------- d-----w- c:\program files (x86)\Apple Software Update
2012-06-14 19:58 . 2012-06-14 19:58 -------- d-----w- c:\program files\Common Files\Apple
2012-06-14 19:57 . 2012-06-14 19:58 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-30 11:33 . 2012-05-30 11:33 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-30 11:33 . 2012-03-06 15:42 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-25 16:11 . 2012-04-25 16:11 52736 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
2012-04-25 16:11 . 2012-04-25 16:11 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-03_12.40.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 02:23 . 2012-07-03 12:44 67822 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-01-21 02:23 . 2012-07-03 23:45 67822 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-08-02 23:56 . 2012-07-04 00:45 17792 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3017639029-3219315148-4218580917-1000_UserData.bin
+ 2009-09-29 19:19 . 2012-07-04 00:42 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-09-29 19:19 . 2012-07-03 11:32 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-09-29 19:19 . 2012-07-04 00:42 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-09-29 19:19 . 2012-07-03 11:32 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-07-04 00:42 . 2012-07-04 00:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-07-03 12:40 . 2012-07-03 12:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-04 00:42 . 2012-07-04 00:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-07-03 12:40 . 2012-07-03 12:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 15:45 . 2012-07-04 00:45 127508 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2006-11-02 12:46 . 2012-07-03 12:19 604502 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-07-03 23:49 604502 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-07-03 23:49 104170 c:\windows\system32\perfc009.dat
- 2006-11-02 12:46 . 2012-07-03 12:19 104170 c:\windows\system32\perfc009.dat
+ 2009-07-10 04:10 . 2012-07-04 00:41 1079368 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-10-10 206128]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
.
c:\users\GM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
VZAccess Manager.lnk - c:\program files (x86)\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2010-12-9 3826968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_1b06afce\AESTSr64.exe [2009-03-02 89600]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AB750CC85D5E0EA
*Deregistered* - ab750cc85d5e0ea
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-09 15:09]
.
2012-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-09 15:09]
.
2012-06-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3017639029-3219315148-4218580917-1000Core.job
- c:\users\GM\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-02 12:06]
.
2012-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3017639029-3219315148-4218580917-1000UA.job
- c:\users\GM\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-02 12:06]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"SmartMenu"="c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [BU]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: elogiclearning.com\brsrealestate
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.1.1
DPF: PUFLITE - hxxp://www.homesweethomeflorida.com/ColpaControls/Photo/Control/PUFLITE.CAB
DPF: {C269D811-8511-44CF-B310-28CDDFFB1B74} - hxxp://www.brevardmls.com/brv/valid/osi_valid9m.ocx
FF - ProfilePath - c:\users\GM\AppData\Roaming\Mozilla\Firefox\Profiles\mfmw7f7q.default\
FF - prefs.js: browser.search.selectedEngine - Craigslist Search
FF - prefs.js: browser.startup.homepage - google.com
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ab750cc85d5e0ea]
"ImagePath"="\SystemRoot\System32\Drivers\ab750cc85d5e0ea.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\SMINST\BLService.exe
c:\program files (x86)\CyberLink\Shared files\RichVideo.exe
c:\program files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
c:\program files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
.
**************************************************************************
.
Completion time: 2012-07-03 20:49:38 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-04 00:49
ComboFix2.txt 2012-07-03 12:47
.
Pre-Run: 253,808,488,448 bytes free
Post-Run: 253,437,177,856 bytes free
.
- - End Of File - - 002312029E88433ED27CF3811018ED89
 
1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\drivers\30ecc9138b4d9f3d.sys
c:\windows\system32\Drivers\ab750cc85d5e0ea.sys

Folder::

Driver::
30ecc9138b4d9f3d
ab750cc85d5e0ea

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ab750cc85d5e0ea]

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • ComboFix.txt
 
ComboFix 12-07-02.01 - GM 07/03/2012 21:30:09.3.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3837.2507 [GMT -4:00]
Running from: c:\users\GM\Desktop\ComboFix.exe
Command switches used :: c:\users\GM\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\drivers\30ecc9138b4d9f3d.sys"
"c:\windows\system32\Drivers\ab750cc85d5e0ea.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AB750CC85D5E0EA
-------\Service_ab750cc85d5e0ea
.
.
((((((((((((((((((((((((( Files Created from 2012-06-04 to 2012-07-04 )))))))))))))))))))))))))))))))
.
.
2012-07-01 20:56 . 2012-07-01 20:56 -------- d-----w- C:\FRST
2012-06-23 10:31 . 2012-06-23 10:31 74184 ----a-w- c:\windows\system32\drivers\30ecc9138b4d9f3d.sys
2012-06-22 20:51 . 2012-06-22 20:51 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-06-22 20:47 . 2012-07-03 12:15 40960 ----a-w- c:\users\GM\0i763f66bz.exe
2012-06-19 02:48 . 2012-06-19 02:48 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-06-19 02:48 . 2012-06-19 02:48 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
2012-06-19 02:48 . 2012-06-19 02:48 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
2012-06-17 16:51 . 2012-06-17 16:52 -------- d-----w- c:\program files (x86)\WildTangent Games
2012-06-14 20:03 . 2009-05-18 17:17 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-06-14 20:03 . 2008-04-17 16:12 126312 ----a-w- c:\windows\system32\GEARAspi64.dll
2012-06-14 20:03 . 2008-04-17 16:12 107368 ----a-w- c:\windows\SysWow64\GEARAspi.dll
2012-06-14 20:02 . 2012-06-14 20:02 -------- d-----w- c:\program files\iPod
2012-06-14 20:02 . 2012-06-14 20:03 -------- d-----w- c:\programdata\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-06-14 20:02 . 2012-06-14 20:03 -------- d-----w- c:\program files\iTunes
2012-06-14 20:02 . 2012-06-14 20:03 -------- d-----w- c:\program files (x86)\iTunes
2012-06-14 20:00 . 2012-06-14 20:00 -------- d-----w- c:\program files (x86)\Apple Software Update
2012-06-14 19:58 . 2012-06-14 19:58 -------- d-----w- c:\program files\Common Files\Apple
2012-06-14 19:57 . 2012-06-14 19:58 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-30 11:33 . 2012-05-30 11:33 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-30 11:33 . 2012-03-06 15:42 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-25 16:11 . 2012-04-25 16:11 52736 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
2012-04-25 16:11 . 2012-04-25 16:11 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-03_12.40.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 02:23 . 2012-07-03 12:44 67822 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-01-21 02:23 . 2012-07-03 23:45 67822 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-08-02 23:56 . 2012-07-04 00:45 17792 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3017639029-3219315148-4218580917-1000_UserData.bin
+ 2009-09-29 19:19 . 2012-07-04 00:42 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-09-29 19:19 . 2012-07-03 11:32 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-09-29 19:19 . 2012-07-04 00:42 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-09-29 19:19 . 2012-07-03 11:32 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-07-04 01:40 . 2012-07-04 01:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-07-03 12:40 . 2012-07-03 12:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-04 01:40 . 2012-07-04 01:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-07-03 12:40 . 2012-07-03 12:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 15:45 . 2012-07-04 00:45 127508 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2006-11-02 12:46 . 2012-07-03 12:19 604502 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-07-03 23:49 604502 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-07-03 23:49 104170 c:\windows\system32\perfc009.dat
- 2006-11-02 12:46 . 2012-07-03 12:19 104170 c:\windows\system32\perfc009.dat
+ 2009-07-10 04:10 . 2012-07-04 01:40 1079448 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-10-10 206128]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
.
c:\users\GM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
VZAccess Manager.lnk - c:\program files (x86)\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2010-12-9 3826968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_1b06afce\AESTSr64.exe [2009-03-02 89600]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AB750CC85D5E0EA
*Deregistered* - ab750cc85d5e0ea
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-09 15:09]
.
2012-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-09 15:09]
.
2012-06-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3017639029-3219315148-4218580917-1000Core.job
- c:\users\GM\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-02 12:06]
.
2012-07-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3017639029-3219315148-4218580917-1000UA.job
- c:\users\GM\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-02 12:06]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"SmartMenu"="c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [BU]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: elogiclearning.com\brsrealestate
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.1.1
DPF: PUFLITE - hxxp://www.homesweethomeflorida.com/ColpaControls/Photo/Control/PUFLITE.CAB
DPF: {C269D811-8511-44CF-B310-28CDDFFB1B74} - hxxp://www.brevardmls.com/brv/valid/osi_valid9m.ocx
FF - ProfilePath - c:\users\GM\AppData\Roaming\Mozilla\Firefox\Profiles\mfmw7f7q.default\
FF - prefs.js: browser.search.selectedEngine - Craigslist Search
FF - prefs.js: browser.startup.homepage - google.com
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ab750cc85d5e0ea]
"ImagePath"="\SystemRoot\System32\Drivers\ab750cc85d5e0ea.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\SMINST\BLService.exe
c:\program files (x86)\CyberLink\Shared files\RichVideo.exe
c:\program files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
c:\program files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
.
**************************************************************************
.
Completion time: 2012-07-03 21:47:50 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-04 01:47
ComboFix2.txt 2012-07-04 00:49
ComboFix3.txt 2012-07-03 12:47
.
Pre-Run: 253,480,595,456 bytes free
Post-Run: 253,222,014,976 bytes free
.
- - End Of File - - 0E18D35C90F4F4BECEE248BF2E932DAD
 
I still don't like it.

Please boot to System Recovery Options and give me a fresh FRST log.
 
Scan result of Farbar Recovery Scan Tool Version: 01-07-2012
Ran by SYSTEM at 03-07-2012 22:08:37
Running from F:\
Windows Vista (TM) Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2096424 2010-05-27] (Synaptics Incorporated)
HKLM\...\Run: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [914224 2008-11-18] (Hewlett-Packard)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [61440 2008-08-29] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start [206128 2008-10-10] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2011-01-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2008-01-20] (Microsoft Corporation)
HKU\Default\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [966656 2008-11-18] (Hewlett-Packard)
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2008-01-20] (Microsoft Corporation)
HKU\Default User\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [966656 2008-11-18] (Hewlett-Packard)
HKU\GM\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
Startup: C:\Users\GM\Start Menu\Programs\Startup\VZAccess Manager.lnk
ShortcutTarget: VZAccess Manager.lnk -> C:\Program Files (x86)\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe (Smith Micro Software, Inc.)
==================== Services (Whitelisted) ======
2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
4 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_1b06afce\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
2 AgereModemAudio; C:\Windows\system32\agr64svc.exe [15872 2007-12-11] (Agere Systems)
2 FreeAgentGoNext Service; "C:\Program Files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe" [189736 2009-12-18] (Seagate Technology LLC)
2 Recovery Service for Windows; C:\Program Files (x86)\SMINST\BLService.exe [365952 2008-12-02] ()
2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [241734 2008-09-15] ()
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_1b06afce\STacSV64.exe [240640 2009-08-13] (IDT, Inc.)
2 Themes; C:\Windows\SysWow64\shsvcs.dll [247808 2009-07-10] (Microsoft Corporation)
2 TVCapSvc; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe" [296320 2008-11-26] ()
2 TVSched; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe" [116096 2008-11-26] ()
2 Norton Internet Security; "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 [x]
========================== Drivers (Whitelisted) =============
0 ab750cc85d5e0ea; C:\Windows\System32\Drivers\ab750cc85d5e0ea.sys [73688 2012-07-03] ()
3 AgereSoftModem; C:\Windows\System32\DRIVERS\agrsm64.sys [1253376 2008-11-21] (Agere Systems)
0 AtiPcie; C:\Windows\System32\Drivers\AtiPcie.sys [16400 2008-04-27] (ATI Technologies Inc.)
3 grmnusb; C:\Windows\System32\Drivers\grmnusb.sys [20520 2009-05-08] (GARMIN Corp.)
3 NETw3v64; C:\Windows\System32\Drivers\NETw3v64.sys [3154432 2008-01-20] (Intel Corporation)
3 NWADI; C:\Windows\System32\DRIVERS\NWADIenum.sys [256512 2010-07-08] (Novatel Wireless Inc)
3 NWUSBCDFIL64; C:\Windows\System32\Drivers\NWUSBCDFIL64.sys [25600 2010-07-08] (Novatel Wireless Inc.)
3 NWUSBModem_000; C:\Windows\System32\DRIVERS\nwusbmdm_000.sys [217728 2010-07-08] (Novatel Wireless Inc.)
3 NWUSBPort2_000; C:\Windows\System32\DRIVERS\nwusbser2_000.sys [217728 2010-07-08] (Novatel Wireless Inc.)
3 NWUSBPort_000; C:\Windows\System32\DRIVERS\nwusbser_000.sys [217728 2010-07-08] (Novatel Wireless Inc.)
2 {55662437-DA8C-40c0-AADA-2C816A897A49}; \??\C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [146928 2008-11-28] (CyberLink Corp.)
1 Beep; [x]
3 catchme; \??\C:\ComboFix\catchme.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
1 luhkuxtl; \??\C:\Windows\system32\drivers\luhkuxtl.sys [x]
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\ENG64.SYS [x]
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\EX64.SYS [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
1 sfrsmfcq; \??\C:\Windows\system32\drivers\sfrsmfcq.sys [x]
1 SRTSP; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSP64.SYS [x]
1 SRTSPX; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSPX64.SYS [x]
========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============
2012-07-03 17:47 - 2012-07-03 17:47 - 00017321 ____A C:\ComboFix.txt
2012-07-03 04:19 - 2012-07-03 17:47 - 00000000 ____D C:\Qoobox
2012-07-03 04:19 - 2012-07-03 17:39 - 00000000 ____D C:\Windows\erdnt
2012-07-03 04:19 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-07-03 04:19 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-07-03 04:19 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-07-03 04:19 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-07-03 04:19 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-07-03 04:19 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-07-03 04:19 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-07-03 04:19 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-07-03 03:41 - 2012-07-03 03:42 - 04568951 ____R (Swearware) C:\Users\GM\Desktop\ComboFix.exe
2012-07-03 03:34 - 2012-07-03 03:34 - 00073688 ____A C:\Windows\System32\Drivers\ab750cc85d5e0ea.sys
2012-07-01 12:56 - 2012-07-01 12:56 - 00000000 ____D C:\FRST
2012-06-23 02:31 - 2012-06-23 02:31 - 00074184 ____A C:\Windows\System32\Drivers\30ecc9138b4d9f3d.sys
2012-06-22 12:51 - 2012-06-22 12:51 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-22 12:47 - 2012-07-03 04:15 - 00040960 ____A (SmoothCandle) C:\Users\GM\0i763f66bz.exe
2012-06-18 18:48 - 2012-06-18 18:48 - 00000000 ____D C:\Users\All Users\Mozilla
2012-06-18 18:48 - 2012-06-18 18:48 - 00000000 ____D C:\Users\All Users\Application Data\Mozilla
2012-06-18 18:48 - 2012-06-18 18:48 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2012-06-17 08:59 - 2012-06-17 08:59 - 00000016 ____A C:\Windows\popcinfo.dat
2012-06-17 08:51 - 2012-06-17 08:52 - 00000000 ____D C:\Program Files (x86)\WildTangent Games
2012-06-14 12:03 - 2009-05-18 09:17 - 00034152 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
2012-06-14 12:03 - 2008-04-17 08:12 - 00126312 ____A (GEAR Software Inc.) C:\Windows\System32\GEARAspi64.dll
2012-06-14 12:03 - 2008-04-17 08:12 - 00107368 ____A (GEAR Software Inc.) C:\Windows\SysWOW64\GEARAspi.dll
2012-06-14 12:02 - 2012-06-14 12:03 - 00000000 ____D C:\Users\All Users\Application Data\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-06-14 12:02 - 2012-06-14 12:03 - 00000000 ____D C:\Users\All Users\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-06-14 12:02 - 2012-06-14 12:03 - 00000000 ____D C:\Program Files\iTunes
2012-06-14 12:02 - 2012-06-14 12:03 - 00000000 ____D C:\Program Files (x86)\iTunes
2012-06-14 12:02 - 2012-06-14 12:02 - 00000000 ____D C:\Program Files\iPod
2012-06-14 12:00 - 2012-06-14 12:00 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2012-06-14 11:58 - 2012-06-14 11:58 - 00000000 ____D C:\Program Files\Common Files\Apple
2012-06-14 11:57 - 2012-06-14 11:58 - 00000000 ____D C:\Program Files\Bonjour
============ 3 Months Modified Files ========================
2012-07-03 18:02 - 2009-04-07 23:04 - 00000012 ____A C:\Windows\bthservsdp.dat
2012-07-03 18:02 - 2006-11-02 07:42 - 00032612 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-03 18:02 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-03 18:02 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-03 18:02 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-03 17:59 - 2010-12-09 07:09 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-03 17:57 - 2010-09-02 04:06 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3017639029-3219315148-4218580917-1000UA.job
2012-07-03 17:47 - 2012-07-03 17:47 - 00017321 ____A C:\ComboFix.txt
2012-07-03 17:41 - 2010-12-09 07:09 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-03 17:41 - 2006-11-02 04:34 - 00000215 ____A C:\Windows\system.ini
2012-07-03 17:40 - 2012-02-06 12:55 - 00004642 ____A C:\Windows\PFRO.log
2012-07-03 17:40 - 2006-11-02 04:33 - 74833920 ____A C:\Windows\System32\config\SOFTWARE.bak
2012-07-03 17:40 - 2006-11-02 04:33 - 23330816 ____A C:\Windows\System32\config\SYSTEM.bak
2012-07-03 17:40 - 2006-11-02 04:33 - 00274432 ____A C:\Windows\System32\config\DEFAULT.bak
2012-07-03 17:40 - 2006-11-02 04:33 - 00057344 ____A C:\Windows\System32\config\SAM.bak
2012-07-03 17:40 - 2006-11-02 04:33 - 00028672 ____A C:\Windows\System32\config\SECURITY.bak
2012-07-03 16:41 - 2006-11-02 04:33 - 50343936 ____A C:\Windows\System32\config\COMPONENTS.bak
2012-07-03 15:49 - 2006-11-02 04:46 - 00703388 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-03 04:17 - 2011-01-20 15:07 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-03 04:15 - 2012-06-22 12:47 - 00040960 ____A (SmoothCandle) C:\Users\GM\0i763f66bz.exe
2012-07-03 03:43 - 2009-07-09 18:32 - 01081099 ____A C:\Windows\WindowsUpdate.log
2012-07-03 03:42 - 2012-07-03 03:41 - 04568951 ____R (Swearware) C:\Users\GM\Desktop\ComboFix.exe
2012-07-03 03:34 - 2012-07-03 03:34 - 00073688 ____A C:\Windows\System32\Drivers\ab750cc85d5e0ea.sys
2012-07-01 08:49 - 2012-02-06 11:04 - 00002387 ____A C:\Windows\setupact.log
2012-06-23 11:30 - 2006-11-02 07:21 - 02310272 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-23 11:29 - 2009-08-05 05:40 - 00001460 ____A C:\Users\GM\Local Settings\d3d9caps64.dat
2012-06-23 11:29 - 2009-08-05 05:40 - 00001460 ____A C:\Users\GM\Local Settings\Application Data\d3d9caps64.dat
2012-06-23 11:29 - 2009-08-05 05:40 - 00001460 ____A C:\Users\GM\AppData\Local\d3d9caps64.dat
2012-06-23 02:58 - 2011-01-20 15:01 - 00721764 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-06-23 02:57 - 2010-09-02 04:06 - 00000844 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3017639029-3219315148-4218580917-1000Core.job
2012-06-23 02:31 - 2012-06-23 02:31 - 00074184 ____A C:\Windows\System32\Drivers\30ecc9138b4d9f3d.sys
2012-06-19 12:55 - 2011-07-22 09:14 - 00000020 ____H C:\Users\All Users\PKP_DLev.DAT
2012-06-19 12:55 - 2011-07-22 09:14 - 00000020 ____H C:\Users\All Users\PKP_DLet.DAT
2012-06-19 12:55 - 2011-07-22 09:14 - 00000020 ____H C:\Users\All Users\Application Data\PKP_DLev.DAT
2012-06-19 12:55 - 2011-07-22 09:14 - 00000020 ____H C:\Users\All Users\Application Data\PKP_DLet.DAT
2012-06-17 08:59 - 2012-06-17 08:59 - 00000016 ____A C:\Windows\popcinfo.dat
2012-06-08 10:41 - 2009-08-06 10:50 - 00022016 ____A C:\Users\GM\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-06-08 10:41 - 2009-08-06 10:50 - 00022016 ____A C:\Users\GM\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-06-08 10:41 - 2009-08-06 10:50 - 00022016 ____A C:\Users\GM\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-05-30 03:33 - 2012-05-30 03:33 - 00419488 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-05-30 03:33 - 2012-03-06 07:42 - 00070304 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-05-28 06:36 - 2011-02-21 07:26 - 00013433 ____A C:\Users\GM\Desktop\ToDo.rtf
2012-05-27 17:23 - 2009-08-07 15:20 - 00003488 ____A C:\Users\GM\Application Data\wklnhst.dat
2012-05-27 17:23 - 2009-08-07 15:20 - 00003488 ____A C:\Users\GM\AppData\Roaming\wklnhst.dat
2012-04-25 08:11 - 2012-04-25 08:11 - 04547944 ____A (Apple, Inc.) C:\Windows\System32\usbaaplrc.dll
2012-04-25 08:11 - 2012-04-25 08:11 - 00052736 ____A (Apple, Inc.) C:\Windows\System32\Drivers\usbaapl64.sys
2012-04-12 13:43 - 2010-07-07 11:08 - 22363136 ____A C:\Users\GM\My Documents\Travel Card.php
2012-04-12 13:43 - 2010-07-07 11:08 - 22363136 ____A C:\Users\GM\Documents\Travel Card.php
========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe
[2008-01-20 18:48] - [2008-01-20 18:48] - 3080704 ____A (Microsoft Corporation) F6D765FB6B457542D954682F50C26E4F
C:\Windows\SysWOW64\explorer.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 2927104 ____A (Microsoft Corporation) FFA764631CB70A30065C12EF8E174F9F
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2008-01-20 18:49] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 17%
Total physical RAM: 3836.89 MB
Available physical RAM: 3182.19 MB
Total Pagefile: 3523.12 MB
Available Pagefile: 3162.13 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB
======================= Partitions =========================
1 Drive c: () (Fixed) (Total:451.71 GB) (Free:236.9 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (RECOVERY) (Fixed) (Total:14.05 GB) (Free:2.14 GB) NTFS
4 Drive f: (USB DISK) (Removable) (Total:7.47 GB) (Free:7.47 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 466 GB 1024 KB
Disk 1 Online 7667 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 452 GB 1024 KB
Partition 2 Primary 14 GB 452 GB
==================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 452 GB Healthy
==================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D RECOVERY NTFS Partition 14 GB Healthy
==================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7662 MB 5100 KB
==================================================================================
Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F USB DISK FAT32 Removable 7662 MB Healthy
==================================================================================
==========================================================
Last Boot: 2012-07-03 17:49
======================= End Of Log ==========================
Download the attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the UBCD.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Restart normally, delete your ComboFix file, download a new one and post a fresh log.

Attachments

  • fixlist.txt (426 bytes)
Thanks... it came through... here's the log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 01-07-2012
Ran by SYSTEM at 2012-07-03 22:31:27 Run:2
Running from F:\
==============================================
ab750cc85d5e0ea service deleted successfully.
luhkuxtl service deleted successfully.
C:\Windows\System32\Drivers\ab750cc85d5e0ea.sys moved successfully.
C:\Windows\System32\Drivers\30ecc9138b4d9f3d.sys moved successfully.
========= reg delete hklm\system\controlset001\Services\ab750cc85d5e0ea /f =========
ERROR: The system was unable to find the specified registry key or value.
========= End of Reg: =========

==== End of Fixlog ====