Solved Sirefefr.r removal


Keith C

Vipre has identified the Sirefefr.r virus in c:\windows\system32\services.exe

This file appears to have the same properties as a 'good' machine with Win7.

Vipre, MalwareBytes Anti-Malware and Ad-aware have been unable to resolve this.

How can I remove this from my machine?

Thank you in advance.
 
Hello, and welcome to TechSpot.


Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (on this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic where you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until it is closed and your computer is declared clean.

Download Farbar Recovery Scan Tool and save it to a flash drive.

Depending on what type of OS you have, please select 32-bit or 64-bit accordingly. If you don't know, then use 32-bit and we'll go from there.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

Additional FRST Scan

Once again, please boot to the System Recovery Options and run FRST, as done previously.

Type the following text in the blank box after Search:

services.exe

Click: Search file(s)



When done searching, FRST makes a log, Search.txt, on the C:\ drive.

Please provide the Search.txt in your reply, along with the first FRST logfile.
 
Thank you, DragonMasterJay.

The output from the FRST.txt file is:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 25-07-2012 16:42:17
Running from F:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [] [x]
HKLM\...\Run: [Windows Mobile-based device management] %WINDIR%\WindowsMobile\wmdcBase.exe [x]
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [8423968 2010-01-12] (Realtek Semiconductor)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-09-08] (Apple Inc.)
HKLM\...\Run: [PS121v2] "C:\Program Files\NETGEAR\PS121v2\PS121v2.exe" /hide [699104 2007-05-17] ()
HKLM\...\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-06-24] (CyberLink Corp.)
HKLM\...\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install [1657448 2009-10-28] ()
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421160 2010-11-17] (Apple Inc.)
HKLM\...\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM\...\Run: [DLSService] "C:\Program Files\DYMO\DYMO Label Software\DLSService.exe" [55808 2009-09-29] (Sanford, L.P.)
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [483328 2008-04-22] (Adobe Systems Inc.)
HKLM\...\Run: [MSCRM] "c:\Program Files\Microsoft Dynamics CRM\Client\ConfigWizard\CrmForOutlookInstaller.exe" /activateaddin [58216 2011-04-28] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [1808784 2011-04-13] (Microsoft Corporation)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM\...\Run: [SBAMTray] "C:\Program Files\GFI Software\GFIAgent\SBAMTray.exe" [1627504 2011-10-12] (GFI Software)
HKLM\...\Run: [Ad-Aware Antivirus] "C:\Program Files\Ad-Aware Antivirus\AdAwareLauncher" --windows-run [x]
HKLM\...\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe" [198032 2011-10-21] (Lavasoft)
HKLM\...\Run: [SBRegRebootCleaner] "C:\Program Files\Ad-Aware Antivirus\SBRC.exe" [200560 2011-12-19] (GFI Software)
HKU\KeithC\...\Run: [DymoQuickPrint] "C:\Program Files\DYMO\DYMO Label Software\DymoQuickPrint.exe" /startup [1885944 2009-09-29] (Sanford, L.P.)
HKU\KeithC\...\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcStd7_0_0 -reboot 1 [313472 2006-03-30] (Adobe Systems Incorporated)
HKU\KeithC\...\Run: [WISE-FTP Task Planner] "C:\Program Files\AceBIT\WISE-FTP 6\wf_tp.exe" /bg [1769264 2009-10-28] (AceBIT GmbH)
HKU\KeithC.DATASOUND\...\Run: [WISE-FTP Task Planner] "C:\Program Files\AceBIT\WISE-FTP 6\wf_tp.exe" /bg [1769264 2009-10-28] (AceBIT GmbH)
HKU\KeithC.DATASOUND\...\Run: [OfficeSyncProcess] "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE" [718720 2011-07-21] (Microsoft Corporation)
HKU\KeithC.DATASOUND\...\Run: [DymoQuickPrint] "C:\Program Files\DYMO\DYMO Label Software\DymoQuickPrint.exe" /startup [1885944 2009-09-29] (Sanford, L.P.)
HKU\KeithC.DATASOUND\...\Run: [3CX MyPhone571142265.192.168.242.200] C:\Users\KeithC.DATASOUND\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\3CX MyPhone.lnk [2347 2012-03-12] ()
HKU\KevinK\...\Run: [Installation Diagnostics] "C:\Program Files\Brother\Brmfl04b\Brinstck.exe" /I MFC-5840CN LAN [x]
HKU\KevinK\...\Run: [OfficeSyncProcess] "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE" [718720 2011-07-21] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.242.2
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
ShortcutTarget: Adobe Acrobat Speed Launcher.lnk -> C:\Windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe ()
Startup: C:\Users\KeithC.DATASOUND\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\KevinK\Start Menu\Programs\Startup\Adobe Gamma.lnk
ShortcutTarget: Adobe Gamma.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (No File)

================================ Services (Whitelisted) ==================

2 Ad-Aware Service; "C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe" [1239952 2012-07-12] (Lavasoft Limited)
2 AERTFilters; C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe [87968 2009-11-17] (Andrea Electronics Corporation)
2 BPowMon; C:\Program Files\Broadcom\BPowMon\BPowMon.exe [79168 2009-08-17] (Broadcom Corp.)
2 clsbd; C:\Cadence\SPB_15.5.1\tools\bin\clsbd.exe [57419 2004-07-22] ()
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 MDM; "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" [335872 2003-03-18] (Microsoft Corporation)
4 msvsmon80; "C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2808664 2007-02-22] (Microsoft Corporation)
2 NVIDIA Performance Driver Service; "C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe" [5233256 2009-10-26] ()
2 SBAMSvc; "C:\Program Files\Ad-Aware Antivirus\SBAMSvc.exe" [3289032 2011-12-19] (GFI Software)
2 SBPIMSvc; "C:\Program Files\GFI Software\GFIAgent\SBPIMSvc.exe" [181616 2011-10-12] (GFI Software)
2 Viewpoint Manager Service; "C:\Program Files\Viewpoint\Common\ViewpointService.exe" [24652 2008-09-08] (Viewpoint Corporation)
2 JTAGServer; c:\altera\91sp2\quartus\bin\jtagserver.exe [x]
2 MSSQL$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [x]
4 MSSQLServerADHelper; "c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe" [x]
2 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]
2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]

========================== Drivers (Whitelisted) =============

2 AlteraByteBlaster; \??\C:\Windows\system32\drivers\pgdhdlc.sys [7680 2010-03-24] (Altera Corporation)
2 altio; \??\C:\Program Files\Altium\AD 10\System\Drivers\altio.sys [3200 2012-07-24] (Altium Limited)
3 FETNDIS; C:\Windows\System32\DRIVERS\fetnd6.sys [44032 2009-07-13] (VIA Technologies, Inc. )
3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [57800 2009-10-22] (FTDI Ltd.)
3 FTSER2K; C:\Windows\System32\drivers\ftser2k.sys [72520 2009-10-22] (FTDI Ltd.)
3 k57nd60x; C:\Windows\System32\DRIVERS\k57nd60x.sys [273960 2009-08-05] (Broadcom Corporation)
2 MCUSBICD2; C:\Windows\System32\Drivers\icd2w2k.sys [12427 2004-03-21] (Microchip Technology, Inc.)
3 NETGEARUHOST; C:\Windows\System32\DRIVERS\NETGEARUHOST.sys [13824 2007-03-08] (SerComm)
3 NETGEARUHUB; C:\Windows\System32\DRIVERS\NETGEARUHUB.sys [35840 2007-03-08] (SerComm)
2 sbapifs; C:\Windows\System32\DRIVERS\sbapifs.sys [77816 2011-11-28] (GFI Software)
3 SBHIPS; C:\Windows\System32\drivers\sbhips.sys [93816 2011-12-19] (GFI Software)
1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [101112 2011-10-26] (GFI Software)
1 SbTis; C:\Windows\System32\drivers\sbtis.sys [78936 2011-09-09] (Sunbelt Software, Inc.)
2 Sentinel; C:\Windows\System32\Drivers\SENTINEL.SYS [76288 2010-03-24] (Rainbow Technologies, Inc.)
2 siserial; \??\C:\Windows\system32\drivers\siserial.sys [927328 2009-06-24] (Tactical Software, LLC)
3 Sntnlusb; C:\Windows\System32\DRIVERS\SNTNLUSB.SYS [26120 2010-03-24] (Rainbow Technologies Inc.)
3 SNXPCARD; C:\Windows\System32\DRIVERS\snxpcard.sys [41080 2010-02-01] (SUNIX Co., Ltd.)
3 SNXPPALX; C:\Windows\System32\DRIVERS\snxppalx.sys [84984 2010-02-01] (SUNIX Co., Ltd.)
3 WinDriver6; C:\Windows\System32\drivers\windrvr6.sys [195904 2010-06-09] (Jungo)
3 XJLINK; C:\Windows\System32\drivers\xjlink.sys [22088 2009-07-14] (XJTAG Ltd.)
2 zntport; \??\C:\Windows\system32\drivers\zntport.sys [12344 2007-12-22] (Zeal SoftStudio)
3 LinkMD; \??\UNC\Dsl1\dsl library\DataSheets\Micrel\KSZ8841-pmql\KSZ88XX Software Package 20080707\M16C Software\Demo Program\LinkMD GUI Demo\LinkMD.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-25 16:41 - 2012-07-25 16:42 - 00000000 ____D C:\FRST
2012-07-25 07:23 - 2012-07-25 07:25 - 00014101 ____A C:\Users\KeithC.DATASOUND\Desktop\1238-000 rev 10.csv
2012-07-25 04:17 - 2012-07-25 04:17 - 00000104 ____A C:\Windows\System32\SBRC.dat
2012-07-25 02:19 - 2012-07-25 02:19 - 00000000 ____D C:\Users\KeithC.DATASOUND\AppData\Roaming\Lavasoft
2012-07-25 02:19 - 2012-07-25 02:09 - 00000000 ____A C:\Users\KeithC.DATASOUND\AppData\Roaming\adaware-installer-reboot-required.tmp
2012-07-25 02:09 - 2012-07-25 03:28 - 00001868 ____A C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
2012-07-25 02:09 - 2012-07-25 03:28 - 00000000 ____D C:\Users\All Users\Ad-Aware Browsing Protection
2012-07-25 02:09 - 2012-07-25 02:17 - 00000000 ____D C:\Program Files\Ad-Aware Antivirus
2012-07-25 02:09 - 2012-07-25 02:09 - 00000000 ____D C:\Windows\System32\Drivers\VDD
2012-07-25 02:09 - 2012-07-25 02:09 - 00000000 ____D C:\Users\KeithC.DATASOUND\AppData\Local\adaware
2012-07-25 02:09 - 2012-07-25 02:09 - 00000000 ____D C:\Users\All Users\Lavasoft
2012-07-25 02:09 - 2011-12-19 03:44 - 00093816 ____A (GFI Software) C:\Windows\System32\Drivers\sbhips.sys
2012-07-25 02:07 - 2012-07-25 02:34 - 00000000 ____D C:\Users\KeithC.DATASOUND\AppData\Roaming\Ad-Aware Antivirus
2012-07-25 01:33 - 2012-07-25 01:33 - 00000000 ____D C:\Users\KeithC.DATASOUND\AppData\Roaming\Malwarebytes
2012-07-25 01:32 - 2012-07-25 01:32 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-25 01:32 - 2012-07-25 01:32 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-07-25 01:32 - 2012-07-25 01:32 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-07-25 01:32 - 2012-07-03 04:46 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-23 05:29 - 2012-07-23 05:29 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-19 01:44 - 2012-07-19 08:29 - 00262144 ____A C:\Users\KeithC.DATASOUND\Desktop\SXDIAPP.rom
2012-07-18 23:51 - 2012-02-14 00:38 - 00000323 ____A C:\Users\KeithC.DATASOUND\Desktop\BIOS Update Instruction.txt
2012-07-18 23:51 - 2011-08-05 09:10 - 00069808 ____A C:\Users\KeithC.DATASOUND\Desktop\SPIFLASH.EXE
2012-07-18 23:50 - 2012-07-19 01:44 - 00240935 ____A C:\Users\KeithC.DATASOUND\Desktop\BIOS.rar
2012-07-17 02:58 - 2012-07-17 03:03 - 00009509 ____A C:\Users\KeithC.DATASOUND\Desktop\1248-000.csv
2012-07-17 02:58 - 2012-07-17 03:00 - 00000450 ____A C:\Users\KeithC.DATASOUND\Desktop\600-1248-000.csv
2012-07-13 18:06 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-13 18:06 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-13 18:06 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-13 18:06 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-13 18:06 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-13 18:06 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-13 18:06 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-13 18:06 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-13 18:06 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-13 18:06 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-13 18:06 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-13 18:06 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-13 18:06 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-13 18:06 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-13 18:02 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-13 00:17 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-13 00:17 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-13 00:17 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-13 00:17 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-13 00:17 - 2012-06-01 20:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-13 00:17 - 2012-06-01 20:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-13 00:17 - 2012-06-01 20:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-13 00:17 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-13 00:17 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-13 00:17 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-07-13 00:17 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-07-13 00:17 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-07-13 00:17 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-11 04:56 - 2012-07-11 04:56 - 00000000 ____D C:\Users\KeithC.DATASOUND\Desktop\MRVFiles
2012-07-11 04:38 - 2012-07-11 04:39 - 00000000 ____D C:\Users\KeithC.DATASOUND\Desktop\Planer
2012-07-10 04:25 - 2012-07-16 06:40 - 00014713 ____A C:\Users\KeithC.DATASOUND\Desktop\MRV.EXE
2012-07-06 00:49 - 2012-07-06 00:50 - 00021504 __ASH C:\Users\KeithC.DATASOUND\Documents\Thumbs.db
2012-06-28 02:16 - 2012-06-28 02:16 - 00047839 ____A C:\Users\KeithC.DATASOUND\Desktop\CaptouchPIC10FDemo.zip
2012-06-28 01:59 - 2012-06-28 01:59 - 00512489 ____A C:\Users\KeithC.DATASOUND\Desktop\PCAPTechnologySource_v5.zip

============ 3 Months Modified Files ========================

2012-07-25 07:37 - 2010-06-16 04:51 - 00000250 __ASH C:\Users\KeithC.DATASOUND\ntuser.ini
2012-07-25 07:25 - 2012-07-25 07:23 - 00014101 ____A C:\Users\KeithC.DATASOUND\Desktop\1238-000 rev 10.csv
2012-07-25 06:56 - 2011-01-04 08:11 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-25 06:56 - 2011-01-04 08:11 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-25 06:53 - 2010-06-16 04:49 - 00000136 ____A C:\Windows\System32\config\netlogon.ftl
2012-07-25 06:52 - 2012-04-16 02:01 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-25 04:17 - 2012-07-25 04:17 - 00000104 ____A C:\Windows\System32\SBRC.dat
2012-07-25 03:34 - 2009-07-13 20:34 - 00015296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-25 03:34 - 2009-07-13 20:34 - 00015296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-25 03:30 - 2010-06-16 03:47 - 00940404 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-25 03:28 - 2012-07-25 02:09 - 00001868 ____A C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
2012-07-25 03:25 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-25 03:25 - 2009-07-13 20:39 - 00037453 ____A C:\Windows\setupact.log
2012-07-25 03:12 - 2010-06-16 04:08 - 00031264 ____A C:\Windows\PFRO.log
2012-07-25 02:09 - 2012-07-25 02:19 - 00000000 ____A C:\Users\KeithC.DATASOUND\AppData\Roaming\adaware-installer-reboot-required.tmp
2012-07-25 01:32 - 2012-07-25 01:32 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-24 05:57 - 2010-06-30 00:07 - 00002733 ____A C:\Windows\AdvSch99SE.dft
2012-07-24 05:57 - 2010-06-18 06:38 - 00281275 ____A C:\Windows\CLIENT99SE.rcs
2012-07-24 05:57 - 2010-06-18 06:38 - 00008924 ____A C:\Windows\CLIENT99SE.raf
2012-07-24 05:57 - 2010-06-18 06:38 - 00002994 ____A C:\Windows\CLIENT99SE.ndr
2012-07-24 05:57 - 2010-06-16 06:43 - 00296960 ____A C:\Windows\Client99SE.cfg
2012-07-24 05:57 - 2010-06-16 06:43 - 00010161 ____A C:\Windows\Client99SE.INI
2012-07-24 05:57 - 2010-06-16 06:43 - 00003656 ____A C:\Windows\AdvSch99SE.ini
2012-07-24 05:38 - 2010-06-18 06:27 - 00000705 ____A C:\Windows\ProHelp99SE.INI
2012-07-23 05:23 - 2010-06-16 03:45 - 01310082 ____A C:\Windows\WindowsUpdate.log
2012-07-23 04:50 - 2010-06-18 06:38 - 00281275 ____A C:\Windows\CLIENT99SE.~cs
2012-07-23 04:50 - 2010-06-18 06:38 - 00008924 ____A C:\Windows\CLIENT99SE.~af
2012-07-19 08:29 - 2012-07-19 01:44 - 00262144 ____A C:\Users\KeithC.DATASOUND\Desktop\SXDIAPP.rom
2012-07-19 01:44 - 2012-07-18 23:50 - 00240935 ____A C:\Users\KeithC.DATASOUND\Desktop\BIOS.rar
2012-07-18 02:01 - 2010-06-17 00:32 - 00001223 ____A C:\Users\KeithC.DATASOUND\quartus2.ini
2012-07-17 03:03 - 2012-07-17 02:58 - 00009509 ____A C:\Users\KeithC.DATASOUND\Desktop\1248-000.csv
2012-07-17 03:00 - 2012-07-17 02:58 - 00000450 ____A C:\Users\KeithC.DATASOUND\Desktop\600-1248-000.csv
2012-07-16 06:40 - 2012-07-10 04:25 - 00014713 ____A C:\Users\KeithC.DATASOUND\Desktop\MRV.EXE
2012-07-16 02:03 - 2009-07-13 20:53 - 00032610 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-16 02:03 - 2009-07-13 20:33 - 00414808 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-13 18:03 - 2010-06-16 04:59 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-12 05:52 - 2012-04-16 02:01 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-12 05:52 - 2011-06-08 03:26 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-07-06 00:50 - 2012-07-06 00:49 - 00021504 __ASH C:\Users\KeithC.DATASOUND\Documents\Thumbs.db
2012-07-03 04:46 - 2012-07-25 01:32 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-28 02:16 - 2012-06-28 02:16 - 00047839 ____A C:\Users\KeithC.DATASOUND\Desktop\CaptouchPIC10FDemo.zip
2012-06-28 01:59 - 2012-06-28 01:59 - 00512489 ____A C:\Users\KeithC.DATASOUND\Desktop\PCAPTechnologySource_v5.zip
2012-06-27 06:15 - 2010-07-06 08:01 - 00001014 ____A C:\Windows\TextEdit99SE.INI
2012-06-27 06:15 - 2010-06-18 06:38 - 00007823 ____A C:\Windows\ADVPCB99SE.INI
2012-06-21 05:17 - 2010-06-16 04:51 - 00006314 _RASH C:\Users\KeithC.DATASOUND\ntuser.pol
2012-06-21 01:43 - 2012-05-03 00:23 - 00002092 ____A C:\Users\KeithC.DATASOUND\Desktop\Awaiting lib check.lnk
2012-06-20 07:08 - 2012-06-20 05:19 - 00009664 ____A C:\Users\KeithC.DATASOUND\Desktop\va.xlsx
2012-06-20 05:19 - 2012-06-20 05:19 - 00009394 ____A C:\Users\KeithC.DATASOUND\Documents\va.xlsx
2012-06-11 18:40 - 2012-07-13 18:02 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 20:41 - 2012-07-13 00:17 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-07 07:53 - 2012-06-03 05:22 - 00002630 ____A C:\Users\KeithC.DATASOUND\Desktop\SF100.Bom
2012-06-05 21:05 - 2012-07-13 00:17 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 21:05 - 2012-07-13 00:17 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 21:03 - 2012-07-13 00:17 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-02 14:19 - 2012-06-16 19:08 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-16 19:08 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-16 19:08 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-16 19:08 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-16 19:08 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-16 19:08 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-16 19:08 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 06:19 - 2012-06-16 19:08 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 06:12 - 2012-06-16 19:08 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 01:07 - 2012-07-13 18:06 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 00:43 - 2012-07-13 18:06 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 00:33 - 2012-07-13 18:06 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 00:26 - 2012-07-13 18:06 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 00:25 - 2012-07-13 18:06 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 00:25 - 2012-07-13 18:06 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 00:23 - 2012-07-13 18:06 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 00:21 - 2012-07-13 18:06 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 00:20 - 2012-07-13 18:06 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 00:19 - 2012-07-13 18:06 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 00:19 - 2012-07-13 18:06 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 00:17 - 2012-07-13 18:06 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 00:16 - 2012-07-13 18:06 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 00:14 - 2012-07-13 18:06 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 20:45 - 2012-07-13 00:17 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 20:45 - 2012-07-13 00:17 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 20:40 - 2012-07-13 00:17 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 20:40 - 2012-07-13 00:17 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 20:39 - 2012-07-13 00:17 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-04-27 19:17 - 2012-06-15 00:56 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys


ZeroAccess:
C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}
C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\@
C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\L
C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\n
C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\U
C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\L\00000004.@
C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\L\201d3dde
C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\U\00000004.@
C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\U\00000008.@
C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\U\000000cb.@
C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\U\80000000.@
C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\U\80000032.@

ZeroAccess:
C:\Users\KeithC.DATASOUND\AppData\Local\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}
C:\Users\KeithC.DATASOUND\AppData\Local\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\@
C:\Users\KeithC.DATASOUND\AppData\Local\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\L
C:\Users\KeithC.DATASOUND\AppData\Local\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\n
C:\Users\KeithC.DATASOUND\AppData\Local\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\U

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 17%
Total physical RAM: 3031.11 MB
Available physical RAM: 2489.48 MB
Total Pagefile: 3029.39 MB
Available Pagefile: 2493.83 MB
Total Virtual: 2047.88 MB
Available Virtual: 1952.7 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:232 GB) (Free:89.03 GB) NTFS
2 Drive e: (Jul 25 2012) (CDROM) (Total:0.01 GB) (Free:0 GB) UDF
3 Drive f: (KINGSTON) (Removable) (Total:3.73 GB) (Free:3.24 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (RECOVERY) (Fixed) (Total:0.73 GB) (Free:0.51 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 Online 3826 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 94 MB 31 KB
Partition 2 Primary 750 MB 95 MB
Partition 3 Primary 232 GB 845 MB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 FAT Partition 94 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y RECOVERY NTFS Partition 750 MB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 232 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3822 MB 4032 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F KINGSTON FAT32 Removable 3822 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-17 15:00

======================= End Of Log ==========================
 
The output from the search.txt file is:

Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-25 16:44:49
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

C:\WINCE600\OSDesigns\Webserver\Webserver\Wince600\DSL_Vortex86_x86\cesysgen\oak\target\x86\retail\services.exe
[2011-02-08 08:37] - [2011-02-08 08:37] - 0008704 ____A () 52BE681074D0B55A1567FED6E0D0A645

C:\WINCE600\OSDesigns\Webserver\Webserver\Wince600\DSL_Vortex86_x86\cesysgen\oak\target\x86\debug\services.exe
[2011-02-08 08:14] - [2011-02-08 08:14] - 0011264 ____A () 187F61F0CDB895E4E9A73CF93C2E570A

C:\WINCE600\OSDesigns\Webserver\Webserver\RelDir\DSL_Vortex86_x86_Release\services.exe
[2011-02-08 08:37] - [2011-02-08 09:09] - 0008704 ____A () FF55978A1643521A20BE073694892CF8

C:\WINCE600\OSDesigns\Webserver\Webserver\RelDir\DSL_Vortex86_x86_Debug\services.exe
[2011-02-08 08:14] - [2011-02-08 08:27] - 0011264 ____A () 8AF5E67249FCA7F2DBD4CBA11B2E992F

C:\WINCE600\OSDesigns\ShopAlert\ShopAlert\Wince600\Vortex86DX_60B_x86\cesysgen\oak\target\x86\retail\services.exe
[2011-02-04 08:36] - [2011-02-04 08:36] - 0008704 ___RA () C9749108DB061E7C66265735F4DA04B9

C:\WINCE600\OSDesigns\ShopAlert\ShopAlert\RelDir\Vortex86DX_60B_x86_Release\services.exe
[2011-02-04 08:36] - [2011-02-07 03:46] - 0008704 ___RA () 4258B5E068BB4DFCB0763F88B560BEAA

C:\WINCE600\OSDesigns\ShopAlert\ShopAlert\RelDir\Vortex86DX_60B_x86_Debug\services.exe
[2011-02-04 02:44] - [2011-02-04 03:00] - 0011264 ___RA () 2157F1A8B87D4B46F85433B93AAA09A8

C:\WINCE600\OSDesigns\OSDesign1\Wince600\eBox-3300MX_x86\cesysgen\oak\target\x86\retail\services.exe
[2011-10-13 01:55] - [2011-10-13 01:55] - 0008704 ____A () BB223949758613D4D863B7820E78C200

C:\WINCE600\OSDesigns\OSDesign1\RelDir\eBox-3300MX_x86_Release\services.exe
[2011-10-13 01:55] - [2011-10-18 01:13] - 0008704 ____A () 3C65A3E65C61EDAF264FB57C306F25B0

C:\WINCE600\OSDesigns\iMX51-EVK-PDK1_7-Mobility\Wince600\iMX51-EVK-PDK1_7_ARMV4I\cesysgen\oak\target\ARMV4I\debug\services.exe
[2011-02-25 04:10] - [2011-02-25 04:10] - 0015360 ____A () DDC5AAC490C333C8F67A6BAF33A266E1

C:\WINCE600\OSDesigns\EBox-3300MX\EBOX-3300MX\EBOX-3300MX\Wince600\eBox-3300MX_x86\cesysgen\oak\target\x86\debug\services.exe
[2011-10-17 02:14] - [2011-10-17 02:14] - 0011264 ____A () 5FCD1D2D389642E661B34E6162F0D6D7

C:\WINCE600\OSDesigns\EBox-3300MX\EBOX-3300MX\EBOX-3300MX\RelDir\eBox-3300MX_x86_Debug\services.exe
[2011-10-17 02:14] - [2011-10-17 02:29] - 0011264 ____A () 143C315FE01A237C0A9D77ECAF12A7D2

C:\WINCE600\OSDesigns\Centurion\Wince600\iMX51-EVK-PDK1_7_ARMV4I\cesysgen\oak\target\ARMV4I\retail\services.exe
[2011-02-25 04:44] - [2010-12-10 07:44] - 0011264 ____A () 66C4F1B474CD5C8844519A08E3DCBA9D

C:\WINCE600\OSDesigns\Centurion\RelDir\Freescale_i_MX51_EVK_ARMV4I_Release\services.exe
[2011-02-25 04:44] - [2011-02-25 06:54] - 0011264 ____A () 3DEB06389470E14B4DE551D6A35FFCD1

C:\Wince Backup\Centurion\Wince600\iMX51-EVK-PDK1_7_ARMV4I\cesysgen\oak\target\ARMV4I\retail\services.exe
[2011-02-03 06:14] - [2010-12-10 07:44] - 0011264 ____A () 66C4F1B474CD5C8844519A08E3DCBA9D

C:\Wince Backup\Centurion\RelDir\Freescale_i_MX51_EVK_ARMV4I_Release\services.exe
[2011-02-03 06:12] - [2010-12-10 08:40] - 0011264 ____A () 3DEB06389470E14B4DE551D6A35FFCD1

=== End Of Search ===
 
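The search.txt above lists two copies of services.exe with the same size and timestamps but different MD5s: the component-store copy under winsxs (5F1B6A9C...) and the live copy in System32 (A302BBFF...). The Python below is an added example for this thread, not FRST code and not the helper's fix script: it parses that search.txt format and flags any live copy whose name, size and modified time match a WinSxS copy while its hash does not. The three embedded entries are copied from the posted log; the function names and the matching rule are the example's own.

```python
"""Parse an FRST search.txt listing and compare each live copy of a system
binary with the WinSxS component-store copy of the same name, size and
modified time. Added example for this thread: not FRST's code and not the
helper's fix script."""
import re
from dataclasses import dataclass

# Sample input: three entries copied from the search.txt posted above.
SEARCH_TXT = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

C:\WINCE600\OSDesigns\Webserver\Webserver\Wince600\DSL_Vortex86_x86\cesysgen\oak\target\x86\retail\services.exe
[2011-02-08 08:37] - [2011-02-08 08:37] - 0008704 ____A () 52BE681074D0B55A1567FED6E0D0A645

=== End Of Search ===
"""

# FRST attribute line: [created] - [modified] - size attrs (company) MD5
ATTR_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class Entry:
    path: str
    created: str
    modified: str
    size: int
    company: str
    md5: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def is_reference(self) -> bool:
        # Copies under \winsxs\ are the component store's own files.
        return "\\winsxs\\" in self.path.lower()


def parse_search(text: str) -> list[Entry]:
    """Pair each path line with the attribute line that follows it."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ATTR_RE.match(line)
        if m and pending:
            entries.append(Entry(pending, m["created"], m["modified"],
                                 int(m["size"]), m["company"], m["md5"].upper()))
            pending = None
        elif line.startswith("="):
            pending = None          # banner line, not a path
        else:
            pending = line
    return entries


def find_mismatches(entries: list[Entry]) -> list[dict]:
    """For every live (non-WinSxS) copy, find WinSxS copies with the same
    name, size and modified time and compare hashes. Same metadata but a
    different hash is how a replaced system binary shows up in this log."""
    refs = [e for e in entries if e.is_reference]
    findings = []
    for live in entries:
        if live.is_reference:
            continue
        twins = [r for r in refs if (r.name, r.size, r.modified)
                 == (live.name, live.size, live.modified)]
        if not twins:
            findings.append({"path": live.path, "status": "no-reference"})
        elif any(r.md5 == live.md5 for r in twins):
            findings.append({"path": live.path, "status": "matches-reference"})
        else:
            findings.append({"path": live.path, "status": "hash-mismatch",
                             "live_md5": live.md5, "reference_md5": twins[0].md5,
                             "reference_path": twins[0].path})
    return findings


if __name__ == "__main__":
    for f in find_mismatches(parse_search(SEARCH_TXT)):
        print(f["status"], f["path"])
```

On the posted log this reports the System32 copy as a hash mismatch against the winsxs copy and the Windows CE build artifacts as having no reference copy (different size, unrelated product). The matching rule deliberately requires identical size and modified time, because a legitimately updated binary would normally differ in both; the winsxs path is the only reference the log itself offers, so it is not a substitute for a signature check on the live file.
 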
FRST Fixlist

Please run the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
SubSystems: [Windows] ==> ZeroAccess
C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}
C:\Users\KeithC.DATASOUND\AppData\Local\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}
C:\Windows\assembly\GAC\Desktop.ini
Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now, please enter System Recovery Options then select Command Prompt.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Now restart, let it boot normally and tell me how it went.
 
DragonMasterJay,

The machine has rebooted fine after running this.

The fixlog.txt output is:
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-26 09:06:56 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8} moved successfully.
C:\Users\KeithC.DATASOUND\AppData\Local\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8} moved successfully.
C:\Windows\assembly\GAC\Desktop.ini moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

I am impressed that you are willing to give up your time to help work toward resolving this. Thank you very much.
 
You're welcome! I'm only glad to help. :)

Please run the following tool:

ComboFix

Please download ComboFix
by sUBs
From BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
 
Output from ComboFix:

ComboFix 12-07-27.01 - keithc 26/07/2012 12:40:35.1.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.44.1033.18.3031.1812 [GMT 1:00]
Running from: c:\users\KeithC.DATASOUND\Desktop\ComboFix.exe
AV: Lavasoft Ad-Aware *Disabled/Updated* {445B48C3-0FA4-6B16-8F07-6506F305D800}
FW: Lavasoft Ad-Aware *Disabled* {7C60C9E6-45CB-6A4E-A458-CC330DD69F7B}
SP: Lavasoft Ad-Aware *Disabled/Updated* {FF3AA927-299E-6498-B5B7-5E74888292BD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\users\KeithC.DATASOUND\AppData\Local\assembly\tmp
c:\users\KeithC.DATASOUND\AppData\Local\Microsoft\Windows\Temporary Internet Files\{9560D711-0A7F-4C35-80C8-200C898D6816}.xps
c:\users\KeithC.DATASOUND\AppData\Local\Microsoft\Windows\Temporary Internet Files\{A9596BDD-A96F-44B5-BCC0-B1D7D56F9C2E}.xps
c:\users\KeithC.DATASOUND\AppData\Roaming\adaware-installer-reboot-required.tmp
c:\users\KeithC.DATASOUND\AppData\Roaming\Microsoft\Windows\Cookies\WOWCTF3V.txt
c:\users\KevinK\Documents\$AP2D8.tmp
c:\users\KevinK\Documents\$AP2DD.tmp
c:\users\KevinK\Documents\$AP2E1.tmp
c:\users\KevinK\Documents\$AP2E5.tmp
c:\users\KevinK\Documents\$AP2E9.tmp
c:\users\KevinK\Documents\$AP45.tmp
c:\users\KevinK\Documents\$AP49.tmp
c:\users\KevinK\Documents\$AP4A.tmp
c:\users\KevinK\Documents\$AP5A.tmp
c:\users\KevinK\Documents\$AP5F.tmp
c:\users\KevinK\Documents\$AP63.tmp
c:\users\KevinK\Documents\$AP6B.tmp
c:\users\KevinK\Documents\$AP6F.tmp
c:\users\KevinK\Documents\$AP74.tmp
c:\users\KevinK\Documents\$AP78.tmp
c:\users\KevinK\Documents\$AP79.tmp
c:\users\KevinK\Documents\$AP7D.tmp
c:\users\KevinK\Documents\$AP7E.tmp
c:\users\KevinK\Documents\$AP81.tmp
c:\users\KevinK\Documents\$AP83.tmp
c:\users\KevinK\Documents\$AP8B.tmp
c:\users\KevinK\Documents\$AP8F.tmp
c:\users\KevinK\Documents\$AP91.tmp
c:\windows\system32\Temp
c:\windows\system32\Temp\3rdparty\Tencent\Catalog\Tencent.PbcXml
c:\windows\system32\Temp\3rdparty\Tencent\files\chatStateIcon.png
c:\windows\system32\Temp\3rdparty\Tencent\files\init_logo.png
c:\windows\system32\Temp\3rdparty\Tencent\files\left_arrow_black.png
c:\windows\system32\Temp\3rdparty\Tencent\files\left_arrow_blue.png
c:\windows\system32\Temp\3rdparty\Tencent\files\QQ.exe
c:\windows\system32\Temp\3rdparty\Tencent\files\qq.llk
c:\windows\system32\Temp\3rdparty\Tencent\files\right_arrow_black.png
c:\windows\system32\Temp\3rdparty\Tencent\files\right_arrow_blue.png
c:\windows\system32\Temp\3rdparty\Tencent\files\SelfDefault.png
c:\windows\system32\Temp\3rdparty\Tencent\files\SendButton_Black.png
c:\windows\system32\Temp\3rdparty\Tencent\files\SendButton_Black2.png
c:\windows\system32\Temp\3rdparty\Tencent\files\SendButton_Blue.png
c:\windows\system32\Temp\3rdparty\Tencent\files\SendButton_Blue2.png
.
.
((((((((((((((((((((((((( Files Created from 2012-06-26 to 2012-07-26 )))))))))))))))))))))))))))))))
.
.
2012-07-26 11:51 . 2012-07-26 11:51 -------- d-----w- c:\users\KevinK\AppData\Local\temp
2012-07-26 11:51 . 2012-07-26 11:51 -------- d-----w- c:\users\KeithC\AppData\Local\temp
2012-07-26 11:51 . 2012-07-26 11:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-26 00:41 . 2012-07-26 00:42 -------- d-----w- C:\FRST
2012-07-25 10:19 . 2012-07-25 10:19 -------- d-----w- c:\users\KeithC.DATASOUND\AppData\Roaming\Lavasoft
2012-07-25 10:09 . 2012-07-26 11:55 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
2012-07-25 10:09 . 2012-07-25 10:09 -------- d-----w- c:\users\KeithC.DATASOUND\AppData\Local\adaware
2012-07-25 10:09 . 2011-12-19 11:44 93816 ----a-w- c:\windows\system32\drivers\sbhips.sys
2012-07-25 10:09 . 2012-07-25 10:17 -------- d-----w- c:\program files\Ad-Aware Antivirus
2012-07-25 10:09 . 2012-07-25 10:09 -------- d-----w- c:\windows\system32\drivers\VDD
2012-07-25 10:09 . 2012-07-25 10:09 -------- d-----w- c:\programdata\Lavasoft
2012-07-25 10:07 . 2012-07-25 10:34 -------- d-----w- c:\users\KeithC.DATASOUND\AppData\Roaming\Ad-Aware Antivirus
2012-07-25 09:33 . 2012-07-25 09:33 -------- d-----w- c:\users\KeithC.DATASOUND\AppData\Roaming\Malwarebytes
2012-07-25 09:32 . 2012-07-25 09:32 -------- d-----w- c:\programdata\Malwarebytes
2012-07-25 09:32 . 2012-07-03 12:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-25 09:32 . 2012-07-25 09:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-23 13:29 . 2012-07-23 13:29 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-14 02:02 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-12 13:52 . 2012-04-16 10:01 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-12 13:52 . 2011-06-08 11:26 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 22:19 . 2012-06-17 03:08 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-17 03:08 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-17 03:08 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-17 03:08 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-17 03:08 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-17 03:08 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-17 03:08 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 14:19 . 2012-06-17 03:08 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 14:12 . 2012-06-17 03:08 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-26 17:47 . 2012-05-26 17:47 163048 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin
2012-04-28 03:17 . 2012-06-15 08:56 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WISE-FTP Task Planner"="c:\program files\AceBIT\WISE-FTP 6\wf_tp.exe" [2009-10-28 1769264]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2011-07-21 718720]
"DymoQuickPrint"="c:\program files\DYMO\DYMO Label Software\DymoQuickPrint.exe" [2009-09-29 1885944]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Aware Antivirus"="c:\program files\Ad-Aware Antivirus\AdAwareLauncher --windows-run" [X]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-01-12 8423968]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"PS121v2"="c:\program files\NETGEAR\PS121v2\PS121v2.exe" [2007-05-17 699104]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-24 140520]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-10-28 1657448]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-17 421160]
"IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-03-03 284696]
"DLSService"="c:\program files\DYMO\DYMO Label Software\DLSService.exe" [2009-09-29 55808]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"MSCRM"="c:\program files\Microsoft Dynamics CRM\Client\ConfigWizard\CrmForOutlookInstaller.exe" [2011-04-28 58216]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 1808784]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"SBAMTray"="c:\program files\GFI Software\GFIAgent\SBAMTray.exe" [2011-10-12 1627504]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2011-10-21 198032]
.
c:\users\KeithC.DATASOUND\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2010-6-16 25214]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2010-06-22 202088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3704106032-1294615849-3918947052-1140\Scripts\Logon\0\0]
"Script"=Script.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3704106032-1294615849-3918947052-1140\Scripts\Logon\1\0]
"Script"=logon.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
@="Ad-Aware Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R2 MCUSBICD2;Microchip MPLAB ICD 2 Firmware Client Driver (ICD2W2K.SYS);c:\windows\system32\Drivers\icd2w2k.sys [x]
R2 SBAMSvc;Ad-Aware;c:\program files\Ad-Aware Antivirus\SBAMSvc.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 LinkMD;Micrel Diagnostics;UNC\Dsl1\dsl library\DataSheets\Micrel\KSZ8841-pmql\KSZ88XX Software Package 20080707\M16C Software\Demo Program\LinkMD GUI Demo\LinkMD.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 SBHIPS;SBHIPS;c:\windows\system32\drivers\sbhips.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 XJLINK;XJLINK Driver;c:\windows\system32\drivers\xjlink.sys [x]
R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [x]
S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [x]
S2 Ad-Aware Service;Ad-Aware Service;c:\program files\Ad-Aware Antivirus\AdAwareService.exe [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [x]
S2 altio;altio;c:\program files\Altium\AD 10\System\Drivers\altio.sys [x]
S2 BPowMon;Broadcom Power monitoring service;c:\program files\Broadcom\BPowMon\BPowMon.exe [x]
S2 clsbd;CDS Boolean Daemon;c:\cadence\SPB_15.5.1\tools\bin\clsbd.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [x]
S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [x]
S2 SBPIMSvc;SB Recovery Service;c:\program files\GFI Software\GFIAgent\SBPIMSvc.exe [x]
S2 siserial;Serial/IP Serial Driver;c:\windows\system32\drivers\siserial.sys [x]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [x]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [x]
S3 NETGEARUHOST;NETGEAR Network USB Host Controller;c:\windows\system32\DRIVERS\NETGEARUHOST.sys [x]
S3 NETGEARUHUB;NETGEAR Network USB Root Hub;c:\windows\system32\DRIVERS\NETGEARUHUB.sys [x]
S3 SNXPCARD;SUNIX Multi-I/O Card Driver;c:\windows\system32\DRIVERS\snxpcard.sys [x]
S3 SNXPPALX;SUNIX Parallel Port Driver;c:\windows\system32\DRIVERS\snxppalx.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
GPSvcGroup REG_MULTI_SZ GPSvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 13:52]
.
2012-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-04 16:11]
.
2012-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-04 16:11]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
Trusted Zone: crm-server
Trusted Zone: dsl3
TCP: DhcpNameServer = 192.168.242.2
DPF: {82E5DF24-51E8-47CD-864A-F4BD5005AA73} - hxxps://www.icloud.com/system/iCloud.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
AddRemove-Altium Designer Release 10 {61CAD434-55E4-42A0-8184-D6A29DAC3FB5} - c:\program files\Altium\AD 10\System\Installation\uninstall.bat
AddRemove-4150337710.192.168.0.200 - c:\program files\Microsoft Silverlight\4.0.60531.0\Silverlight.Configuration.exe
AddRemove-571142265.192.168.242.200 - c:\program files\Microsoft Silverlight\4.1.10111.0\Silverlight.Configuration.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5564)
c:\programdata\Ad-Aware Browsing Protection\adawarebp.dll
c:\program files\Stardock\Fences\FencesMenu.dll
c:\program files\stardock\fences\DesktopDock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\altera\91sp2\quartus\bin\jtagserver.exe
c:\program files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-07-26 13:01:34 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-26 12:01
.
Pre-Run: 98,419,130,368 bytes free
Post-Run: 103,766,167,552 bytes free
.
- - End Of File - - C44BD09DDA358E48A6B5238492212A3E
 
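The ComboFix log above prints the policies\system block with EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop all at 0, and the Security Check output later in the thread reports "UAC is disabled!". The Python below is an added example, not ComboFix's or the helper's code: it parses the REGEDIT4-style "Reg Loading Points" section and states what those three values mean, using the Windows 7 defaults (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1) as the baseline. The embedded excerpt is copied from the posted log; the function names are the example's own.

```python
"""Interpret the UAC policy values that ComboFix prints under
[HKEY_LOCAL_MACHINE\\...\\policies\\system]. Added example for this thread;
not ComboFix's code and not part of the helper's instructions."""
import re

# Sample input: two blocks copied from the "Reg Loading Points" section above.
COMBOFIX_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2010-06-22 202088]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# ComboFix prints DWORDs as  "Name"= 0 (0x0)
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\d+)\s*\(0x[0-9A-Fa-f]+\)$')

POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"

# Windows 7 defaults for the values we look at (assumption stated in the lead-in).
DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}


def parse_reg_points(text: str) -> dict[str, dict[str, int]]:
    """Return {key (lower-cased): {value name: int}} for DWORD lines under each [key].
    Lines in other formats (strings, file references) are ignored."""
    sections: dict[str, dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            current = k["key"].lower()
            sections.setdefault(current, {})
            continue
        d = DWORD_RE.match(line)
        if d and current is not None:
            sections[current][d["name"]] = int(d["val"])
    return sections


def assess_uac(sections: dict[str, dict[str, int]]) -> list[str]:
    """Describe how the logged policy values weaken UAC; empty list means defaults."""
    values = sections.get(POLICY_KEY, {})
    get = lambda name: values.get(name, DEFAULTS[name])
    findings = []
    if get("EnableLUA") == 0:
        findings.append("EnableLUA=0: Admin Approval Mode is off, so UAC is disabled "
                        "and administrator processes start fully elevated")
    if get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: elevation requests are granted "
                        "without any prompt")
    if get("PromptOnSecureDesktop") == 0:
        findings.append("PromptOnSecureDesktop=0: prompts, when shown, are not on "
                        "the secure desktop")
    return findings


if __name__ == "__main__":
    for line in assess_uac(parse_reg_points(COMBOFIX_EXCERPT)) or ["UAC at defaults"]:
        print(line)
```

Run against the excerpt it returns all three findings, which is the same conclusion the Security Check log reaches with its "UAC is disabled!" line. The parser keys on the bracketed key name rather than line position, so it works on the full "Reg Loading Points" section, where the policies block sits between unrelated Run and shell-extension entries.
 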
ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
 
I have run ESET Online Scanner and it found 5 infected files.

Unfortunately, I don't have the c:\program files\EsetOnlineScanner directory.
I do have c:\program files\ESET\EsetOnlineScanner, but there is no log.txt there, just the ActiveX and uninstaller.

I have searched the entire C:\ drive and there is no log.txt created today.
 
Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death
 
I ran a second ESET scan and this found nothing more.

I have re-installed Vipre and will do a full scan later.

The machine seems to be running OK, at the moment.

Thank you very much.
You definitely deserve great Kudos for your effort.
 
If you reinstalled Vipre, make sure to remove AdAware or at least disable it.

Your logs appear to be clean. If there are no more issues, then we shall clean up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name I.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive I.e. C
  • For a few moments the system will make some calculations:
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Tell me in your next reply, if you have completed these tasks:
  • Cleaned System Restore
  • Ran OTC
  • Ran TFC
  • Ran Security Check
Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
 
AdAware has been uninstalled.
System restore has been cleaned.
OTC ran OK, but I needed to manually delete the OTC.exe from the desktop following the reboot.
TFC ran OK.

The output from Security check is:
Results of screen317's Security Check version 0.99.43
Windows 7 Service Pack 1 x86 (UAC is disabled!)
Internet Explorer 4 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
GFI Software VIPRE
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Java(TM) 6 Update 29
Java version out of Date!
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

The computer seems to be running OK.
 
IE is actually IE9 and all updates are applied, as far as I am aware, with last MS updates installed on 14th July.

I have updated Java to Version 7 Update 5
 
Make sure to remove Java(TM) 6 Update 29 from your Programs list by uninstalling it. If you don't remove old versions, they can be exploited by hackers.

Go to the Control Panel and enter Programs.
Search in the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Read more about Java exploit problems

Personal Tips on Preventing Malware

See this page for more info about malware and prevention.

Any other questions before I mark this topic solved?
 
I have uninstalled the old version of Java.

Please mark this topic solved, and accept my thanks again.
 