Trying to remove virus, steps 1 & 2 of instructions failed

Solved
By Vicki Easley
Dec 27, 2012
  1. My computer has been going to a black screen starting two weeks ago. I have Norton and have restarted in safe mode, run system restore and done a full scan with Norton repeatedly only to have it go black again. At one point I actually had to uninstall and reinstall Norton. I came across this forum and have followed step one: run Norton, it says I have risks, fixes them, restarts to a black screen again. So, I then downloaded Microsoft Security Essentials to SD card, installed on computer and it came back that it cannot complete, sends error report and upon restarting goes to black screen again. I moved on to install MBAM from SD card (downloaded from other computer) and it ran quick scan successfully, found 23 risks, I saved the log and deleted risks and upon restarting it is back to a black screen giving me the option to start normally or use system restore (no safe mode option). I started normally and got a black screen again. Not sure what to do from here. I do not have the log to paste here as it is on the computer with the problem. Any suggestion?
  2. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==============================

    What Windows version is it?
  3. Vicki Easley

    Vicki Easley Newcomer, in training Topic Starter Posts: 35

    Update: I was able to start in safe mode and run a full system scan (I clicked C drive) and got the following report with no errors found. I restarted the computer and again, it will only allow me to run startup repair.

    Malwarebytes Anti-Malware (Trial) 1.65.1.1000
    www.malwarebytes.org

    Database version: v2012.12.27.01

    Windows 7 Service Pack 1 x64 NTFS (Safe Mode)
    Internet Explorer 9.0.8112.16421
    Vicki :: VICKI-PC [administrator]

    Protection: Disabled

    12/26/2012 9:03:27 PM
    mbam-log-2012-12-26 (21-03-27).txt

    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 386796
    Time elapsed: 49 minute(s), 52 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  4. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account an click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    Next...

    Re-run FRST again.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes in your reply.

    I'll expect two logs:
    - FRST.txt
    - Search.txt
  5. Vicki Easley

    Vicki Easley Newcomer, in training Topic Starter Posts: 35

    Thank you for the reply. The computer is currently running the startup repair (again)... has done this nearly every time I restart. Per your instructions, I will not do anything further until I hear from you.
  6. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    Follow my previous reply.
  7. Vicki Easley

    Vicki Easley Newcomer, in training Topic Starter Posts: 35

    Just got your second reply. I believe it is windows 7. It is currently running the startup repair scan. Should I allow that to complete then refer to the above instructions to go to system recovery options?
  8. Vicki Easley

    Vicki Easley Newcomer, in training Topic Starter Posts: 35

    Here are the logs. I was also able to retrieve the quick scan log from MBAM showing the risks that were fixed.

    Attached Files:

  9. Vicki Easley

    Vicki Easley Newcomer, in training Topic Starter Posts: 35

    Farbar Recovery Scan Tool (x64) Version: 23-12-2012 01
    Ran by SYSTEM at 2012-12-26 22:36:28
    Running from E:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 17:19] - [2009-07-13 19:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-13 17:19] - [2009-07-13 19:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    ====== End Of Search ======
  10. Vicki Easley

    Vicki Easley Newcomer, in training Topic Starter Posts: 35

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-12-2012 01
    Ran by SYSTEM at 26-12-2012 22:33:37
    Running from E:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8306208 2009-10-20] (Realtek Semiconductor)
    HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
    HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m [1807680 2010-02-09] ()
    HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
    HKLM-x32\...\Run: [jswtrayutil] "C:\Program Files (x86)\NETGEAR\WNA1100\jswtrayutil.exe" [x]
    HKLM-x32\...\Run: [AmazonGSDownloaderTray] C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe [326144 2009-10-23] (Amazon.com)
    HKLM-x32\...\Run: [TaskTray] [x]
    HKLM-x32\...\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe" [979328 2010-10-12] (SEIKO EPSON CORPORATION)
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
    HKLM-x32\...\Run: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot [296096 2012-09-29] (RealNetworks, Inc.)
    HKLM-x32\...\Run: [DATAMNGR] C:\PROGRA~2\SEARCH~1\Datamngr\DATAMN~1.EXE [1899448 2012-10-22] (Bandoo Media Inc)
    HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
    HKLM-x32\...\Run: [] [x]
    HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [439568 2010-05-10] (Microsoft Corporation)
    HKU\Vicki\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [3883856 2009-07-26] (Microsoft Corporation)
    HKU\Vicki\...\Run: [Google Update] "C:\Users\Vicki\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-12-10] (Google Inc.)
    HKU\Vicki\...\Run: [DW6] "C:\Program Files (x86)\The Weather Channel FW\Desktop\DesktopWeather.exe" [x]
    HKU\Vicki\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [9728 2009-07-13] (Microsoft Corporation)
    HKU\Vicki\...\Run: [Epson Stylus NX430(Network)] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIHBA.EXE /FU "C:\Users\Vicki\AppData\Local\Temp\E_S75FA.tmp" /EF "HKCU" [232448 2011-12-13] (SEIKO EPSON CORPORATION)
    HKU\Vicki\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-12-10] (Google Inc.)
    HKU\Vicki\...\Run: [RoboForm] "C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [109336 2012-05-23] (Siber Systems)
    HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [559616 2011-10-07] (Dell)
    Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 205.171.3.25
    AppInit_DLLs: C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\NETGEAR WNA1100 Smart Wizard.lnk
    ShortcutTarget: NETGEAR WNA1100 Smart Wizard.lnk -> C:\Program Files (x86)\NETGEAR\WNA1100\WNA1100.exe ()
    Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\Vicki\Start Menu\Programs\Startup\Dell Dock.lnk
    ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

    ==================== Services (Whitelisted) ===================

    2 N360; "C:\Program Files (x86)\Norton 360\Engine\5.2.1.3\ccSvcHst.exe" /s "N360" /m "C:\Program Files (x86)\Norton 360\Engine\5.2.1.3\diMaster.dll" /prefetch:1 [262584 2011-03-31] (Symantec Corporation)
    2 WSWNA1100; C:\Program Files (x86)\NETGEAR\WNA1100\WifiSvc.exe [278528 2009-11-27] ()
    2 ScanQuery Service; "C:\ProgramData\ScanQuery\scanquery123.exe" "C:\Program Files (x86)\ScanQuery\scanquery.dll" bawacecob ayanonowon [x]

    ==================== Drivers (Whitelisted) =====================

    1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20121130.005\BHDrvx64.sys [1384608 2012-11-30] (Symantec Corporation)
    1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [475696 2011-04-18] (Symantec Corporation)
    1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20121225.001\IDSvia64.sys [513184 2012-12-05] (Symantec Corporation)
    1 SRTSP; C:\Windows\System32\Drivers\N360x64\0502010.003\SRTSP64.SYS [744568 2011-03-30] (Symantec Corporation)
    1 SRTSPX; C:\Windows\system32\drivers\N360x64\0502010.003\SRTSPX64.SYS [40568 2011-03-30] (Symantec Corporation)
    0 SymDS; C:\Windows\System32\drivers\N360x64\0502010.003\SYMDS64.SYS [450680 2011-01-27] (Symantec Corporation)
    0 SymEFA; C:\Windows\System32\drivers\N360x64\0502010.003\SYMEFA64.SYS [912504 2011-03-14] (Symantec Corporation)
    3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2012-12-08] (Symantec Corporation)
    1 SymIRON; C:\Windows\system32\drivers\N360x64\0502010.003\Ironx64.SYS [171128 2011-01-26] (Symantec Corporation)
    1 SymNetS; C:\Windows\System32\Drivers\N360x64\0502010.003\SYMNETS.SYS [386168 2011-04-20] (Symantec Corporation)
    3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20121226.002\ENG64.SYS [x]
    3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20121226.002\EX64.SYS [x]

    ==================== NetSvcs (Whitelisted) ====================


    ==================== One Month Created Files and Folders ========

    2012-12-26 22:35 - 2012-12-26 22:35 - 00000000 ____D C:\Users\Vicki\Application Data\Malwarebytes
    2012-12-26 22:35 - 2012-12-26 22:35 - 00000000 ____D C:\Users\Vicki\AppData\Roaming\Malwarebytes
    2012-12-26 22:33 - 2012-12-26 22:33 - 00000000 ____D C:\FRST
    2012-12-26 22:32 - 2012-12-26 22:32 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-12-26 22:32 - 2012-12-26 22:32 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
    2012-12-26 22:31 - 2012-12-26 22:05 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-12-26 21:56 - 2012-12-26 21:56 - 00000000 ____A C:\Users\Vicki\Downloads\mseinstall.exe
    2012-12-25 19:06 - 2012-12-25 19:06 - 16363960 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
    2012-12-08 14:21 - 2012-12-26 21:50 - 00002339 ____A C:\Users\Public\Desktop\Norton 360.lnk
    2012-12-08 14:21 - 2012-12-26 21:50 - 00002339 ____A C:\Users\All Users\Desktop\Norton 360.lnk
    2012-12-08 14:21 - 2012-12-08 14:21 - 00174200 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS
    2012-12-08 14:21 - 2012-12-08 14:21 - 00007488 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT
    2012-12-08 14:21 - 2012-12-08 14:21 - 00000000 ____D C:\Program Files\Symantec
    2012-12-08 14:20 - 2012-12-08 14:20 - 00000000 ____D C:\Program Files (x86)\Norton 360
    2012-12-08 14:04 - 2012-12-08 14:04 - 00000000 ____D C:\Users\All Users\NortonRnR
    2012-12-08 14:04 - 2012-12-08 14:04 - 00000000 ____D C:\Users\All Users\Application Data\NortonRnR
    2012-12-08 14:01 - 2012-12-08 14:02 - 06257640 ____A (Symantec Corporation) C:\Users\Vicki\Downloads\NRnR.exe
    2012-12-05 22:38 - 2012-12-05 22:38 - 00000000 ____D C:\Users\All Users\PCSettings
    2012-12-05 22:38 - 2012-12-05 22:38 - 00000000 ____D C:\Users\All Users\Application Data\PCSettings
    2012-11-27 22:00 - 2012-11-27 22:00 - 00003187 ____A C:\Users\Vicki\Downloads\Amazon-MP3-1354075269.amz

    ==================== One Month Modified Files and Folders =======

    2012-12-27 00:28 - 2009-07-13 22:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-12-27 00:28 - 2009-07-13 22:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-12-27 00:27 - 2011-01-17 11:02 - 00000000 ____D C:\Users\Vicki\Tracing
    2012-12-27 00:26 - 2010-11-30 21:41 - 00000000 ____D C:\Users\Default\Local Settings\SoftThinks
    2012-12-27 00:26 - 2010-11-30 21:41 - 00000000 ____D C:\Users\Default\Local Settings\Application Data\SoftThinks
    2012-12-27 00:26 - 2010-11-30 21:41 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
    2012-12-27 00:26 - 2010-11-30 21:41 - 00000000 ____D C:\Users\Default User\Local Settings\SoftThinks
    2012-12-27 00:26 - 2010-11-30 21:41 - 00000000 ____D C:\Users\Default User\Local Settings\Application Data\SoftThinks
    2012-12-27 00:26 - 2010-11-30 21:41 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
    2012-12-27 00:26 - 2010-11-30 21:12 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
    2012-12-27 00:25 - 2012-02-17 21:54 - 00000402 ____A C:\Windows\Tasks\FreeFileViewerUpdateChecker.job
    2012-12-27 00:25 - 2010-12-10 18:24 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-12-27 00:25 - 2010-12-04 20:01 - 00000000 ____D C:\users\Vicki
    2012-12-27 00:25 - 2009-07-13 23:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-12-27 00:25 - 2009-07-13 22:51 - 00057494 ____A C:\Windows\setupact.log
    2012-12-26 22:35 - 2012-12-26 22:35 - 00000000 ____D C:\Users\Vicki\Application Data\Malwarebytes
    2012-12-26 22:35 - 2012-12-26 22:35 - 00000000 ____D C:\Users\Vicki\AppData\Roaming\Malwarebytes
    2012-12-26 22:33 - 2012-12-26 22:33 - 00000000 ____D C:\FRST
    2012-12-26 22:32 - 2012-12-26 22:32 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-12-26 22:32 - 2012-12-26 22:32 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
    2012-12-26 22:30 - 2011-04-28 09:05 - 00000000 ____D C:\Users\Vicki\Local Settings\CrashDumps
    2012-12-26 22:30 - 2011-04-28 09:05 - 00000000 ____D C:\Users\Vicki\Local Settings\Application Data\CrashDumps
    2012-12-26 22:30 - 2011-04-28 09:05 - 00000000 ____D C:\Users\Vicki\AppData\Local\CrashDumps
    2012-12-26 22:05 - 2012-12-26 22:31 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-12-26 22:05 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\registration
    2012-12-26 21:56 - 2012-12-26 21:56 - 00000000 ____A C:\Users\Vicki\Downloads\mseinstall.exe
    2012-12-26 21:55 - 2009-07-13 23:10 - 02035164 ____A C:\Windows\WindowsUpdate.log
    2012-12-26 21:50 - 2012-12-08 14:21 - 00002339 ____A C:\Users\Public\Desktop\Norton 360.lnk
    2012-12-26 21:50 - 2012-12-08 14:21 - 00002339 ____A C:\Users\All Users\Desktop\Norton 360.lnk
    2012-12-26 21:50 - 2012-04-28 09:36 - 00000000 ____D C:\Windows\System32\Drivers\N360x64
    2012-12-26 19:03 - 2011-01-04 16:42 - 00000000 ____D C:\Users\All Users\Norton
    2012-12-26 19:03 - 2011-01-04 16:42 - 00000000 ____D C:\Users\All Users\Application Data\Norton
    2012-12-26 05:01 - 2012-06-21 10:52 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-12-26 05:01 - 2011-02-21 11:44 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-455381835-2594386958-2642412177-1000UA.job
    2012-12-26 05:01 - 2010-12-10 18:24 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-12-25 21:35 - 2011-02-21 11:44 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-455381835-2594386958-2642412177-1000Core.job
    2012-12-25 19:07 - 2012-06-21 10:52 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-12-25 19:07 - 2011-05-27 23:27 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-12-25 19:06 - 2012-12-25 19:06 - 16363960 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
    2012-12-08 14:21 - 2012-12-08 14:21 - 00174200 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS
    2012-12-08 14:21 - 2012-12-08 14:21 - 00007488 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT
    2012-12-08 14:21 - 2012-12-08 14:21 - 00000000 ____D C:\Program Files\Symantec
    2012-12-08 14:21 - 2012-04-28 09:37 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
    2012-12-08 14:20 - 2012-12-08 14:20 - 00000000 ____D C:\Program Files (x86)\Norton 360
    2012-12-08 14:15 - 2010-11-30 22:50 - 00646176 ____A C:\Windows\PFRO.log
    2012-12-08 14:04 - 2012-12-08 14:04 - 00000000 ____D C:\Users\All Users\NortonRnR
    2012-12-08 14:04 - 2012-12-08 14:04 - 00000000 ____D C:\Users\All Users\Application Data\NortonRnR
    2012-12-08 14:02 - 2012-12-08 14:01 - 06257640 ____A (Symantec Corporation) C:\Users\Vicki\Downloads\NRnR.exe
    2012-12-08 13:58 - 2009-07-13 23:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-12-08 13:50 - 2012-11-23 12:24 - 00000000 ____D C:\Program Files (x86)\MSN Toolbar
    2012-12-08 13:50 - 2012-02-18 21:54 - 00000000 ____D C:\Users\Vicki\Application Data\FreeFileViewer
    2012-12-08 13:50 - 2012-02-18 21:54 - 00000000 ____D C:\Users\Vicki\AppData\Roaming\FreeFileViewer
    2012-12-08 13:50 - 2010-11-30 20:59 - 00000000 ____D C:\Intel
    2012-12-08 13:50 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\System32\NDF
    2012-12-08 13:47 - 2011-04-07 20:27 - 00000000 ____D C:\Users\All Users\Real
    2012-12-08 13:47 - 2011-04-07 20:27 - 00000000 ____D C:\Users\All Users\Application Data\Real
    2012-12-05 22:38 - 2012-12-05 22:38 - 00000000 ____D C:\Users\All Users\PCSettings
    2012-12-05 22:38 - 2012-12-05 22:38 - 00000000 ____D C:\Users\All Users\Application Data\PCSettings
    2012-11-27 22:00 - 2012-11-27 22:00 - 00003187 ____A C:\Users\Vicki\Downloads\Amazon-MP3-1354075269.amz


    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2012-11-29 05:01:52
    Restore point made on: 2012-12-02 05:02:19
    Restore point made on: 2012-12-03 05:01:33
    Restore point made on: 2012-12-06 05:00:48
    Restore point made on: 2012-12-09 05:02:18
    Restore point made on: 2012-12-26 05:02:18
    Restore point made on: 2012-12-26 21:56:47

    ==================== Memory info ===========================

    Percentage of memory in use: 23%
    Total physical RAM: 2012.99 MB
    Available physical RAM: 1543.26 MB
    Total Pagefile: 2012.99 MB
    Available Pagefile: 1531.26 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ==================== Partitions =============================

    1 Drive c: (OS) (Fixed) (Total:286.61 GB) (Free:197.67 GB) NTFS
    3 Drive e: () (Removable) (Total:3.83 GB) (Free:3.66 GB) FAT32
    7 Drive I: (RECOVERY) (Fixed) (Total:11.44 GB) (Free:4.69 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 298 GB 0 B
    Disk 1 Online 3926 MB 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 39 MB 31 KB
    Partition 2 Primary 11 GB 40 MB
    Partition 3 Primary 286 GB 11 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 7 FAT Partition 39 MB Healthy Hidden

    =========================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 I RECOVERY NTFS Partition 11 GB Healthy

    =========================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C OS NTFS Partition 286 GB Healthy

    =========================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    * Partition 1 Primary 3926 MB 0 B

    ==================================================================================

    Disk: 1
    There is no partition selected.

    There is no partition selected.
    Please select a partition and try again.

    =========================================================

    Last Boot: 2011-07-08 13:08

    ==================== End Of Log =============================
  11. Vicki Easley

    Vicki Easley Newcomer, in training Topic Starter Posts: 35

    Malwarebytes Anti-Malware (Trial) 1.65.1.1000
    www.malwarebytes.org

    Database version: v2012.12.27.01

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Vicki :: VICKI-PC [administrator]

    Protection: Enabled

    12/26/2012 8:42:01 PM
    mbam-log-2012-12-26 (20-42-01).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 208535
    Time elapsed: 4 minute(s), 13 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 20
    HKCR\CLSID\{C1ED9DA0-AFD0-4b90-AC6A-D3874F591014} (PUP.Datamngr) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{1FDC0B61-91AC-4157-9B27-CAD9A09AB67E} (PUP.Datamngr) -> Quarantined and deleted successfully.
    HKCR\BrowserConnection.Loader.1 (PUP.Datamngr) -> Quarantined and deleted successfully.
    HKCR\BrowserConnection.Loader (PUP.Datamngr) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1ED9DA0-AFD0-4B90-AC6A-D3874F591014} (PUP.Datamngr) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{C1ED9DA0-AFD0-4B90-AC6A-D3874F591014} (PUP.Datamngr) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1ED9DA0-AFD0-4B90-AC6A-D3874F591014} (PUP.Datamngr) -> Quarantined and deleted successfully.
    HKCR\CLSID\{f34c9277-6577-4dff-b2d7-7d58092f272f} (PUP.Datamngr) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F34C9277-6577-4DFF-B2D7-7D58092F272F} (PUP.Datamngr) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{F34C9277-6577-4DFF-B2D7-7D58092F272F} (PUP.Datamngr) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F34C9277-6577-4DFF-B2D7-7D58092F272F} (PUP.Datamngr) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F34C9277-6577-4DFF-B2D7-7D58092F272F} (PUP.Datamngr) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1602F07D-8BF3-4C08-BDD6-DDDB1C48AEDC} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{BDEA95CF-F0E6-41E0-BD3D-B00F39A4E939} (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
    HKLM\SYSTEM\CurrentControlSet\Services\ScanQuery Service (Adware.ScanQuery) -> Quarantined and deleted successfully.

    Registry Values Detected: 4
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{F34C9277-6577-4DFF-B2D7-7D58092F272F} (PUP.Datamngr) -> Data: Search-Results Toolbar -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{f34c9277-6577-4dff-b2d7-7d58092f272f} (PUP.Datamngr) -> Data: -> Quarantined and deleted successfully.
    HKCR\.exe\shell\open\command| (Hijack.ExeFile) -> Data: "C:\Users\Vicki\AppData\Local\wut.exe" -a "%1" %* -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Mozilla\Firefox\extensions|ClickPotatoLite@ClickPotatoLite.com (Adware.ClickPotato) -> Data: C:\Program Files (x86)\ClickPotatoLite\bin\10.0.673.0\firefox\extensions -> Quarantined and deleted successfully.

    Registry Data Items Detected: 1
    HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Vicki\AppData\Local\wut.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and repaired successfully.

    Folders Detected: 1
    C:\Program Files (x86)\FunWebProducts (PUP.MyWebSearch) -> Quarantined and deleted successfully.

    Files Detected: 2
    C:\Program Files (x86)\Search Results Toolbar\Datamngr\BrowserConnection.dll (PUP.Datamngr) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\searchresultsDx.dll (PUP.Datamngr) -> Quarantined and deleted successfully.

    (end)
     
  12. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    I don't see anything malicious in your FRST log.

    Stay in safe mode for now.

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again
  13. Vicki Easley

    Vicki Easley Newcomer, in training Topic Starter Posts: 35

    Thank you for your help, here is the report:

    RogueKiller V8.4.1 [Dec 27 2012] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Safe mode
    User : Vicki [Admin rights]
    Mode : Remove -- Date : 12/27/2012 18:53:49

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 9 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Run : DW6 ("C:\Program Files (x86)\The Weather Channel FW\Desktop\DesktopWeather.exe") -> DELETED
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    [HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
    [HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    [SHELLSPWN] HKCU\[...]\command : ("C:\Users\Vicki\AppData\Local\wut.exe" -a "%1" %*) -> REPLACED ("%1" %*)
    [FILEASSO] HKLM\[...]\command : ("C:\Users\Vicki\AppData\Local\wut.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") -> REPLACED ("C:\Program Files (x86)\Internet Explorer\iexplore.exe")

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts



    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST3320418AS ATA Device +++++
    --- User ---
    [MBR] 7205b3b80fdbac45f52d5923b11e60a2
    [BSP] 0ec75d35f40aef34d4393a1738aa9c4d : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 11718 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 24080384 | Size: 293486 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: Generic- SD/MMC USB Device +++++
    --- User ---
    [MBR] aa69bdbf828bbce6512c0d1a2a2dfa74
    [BSP] 9d91a5848f4bd188eba9ee86a85cabfe : MBR Code unknown
    Partition table:
    0 - [XXXXXX] UNKNOWN (0x72) [VISIBLE] Offset (sectors): 778135908 | Size: 557377 Mo
    1 - [XXXXXX] UNKNOWN (0x65) [VISIBLE] Offset (sectors): 168689522 | Size: 945326 Mo
    2 - [XXXXXX] UNKNOWN (0x79) [VISIBLE] Offset (sectors): 1869881465 | Size: 945326 Mo
    3 - [XXXXXX] UNKNOWN (0x0d) [VISIBLE] Offset (sectors): 2885681152 | Size: 27 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[2]_D_12272012_02d1853.txt >>
    RKreport[1]_S_12272012_02d1853.txt ; RKreport[2]_D_12272012_02d1853.txt
  14. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    Create new restore point before proceeding with the next step....
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    ===============================

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
  15. Vicki Easley

    Vicki Easley Newcomer, in training Topic Starter Posts: 35

    I am not sure what to do next. At this point when I restart my computer it will not start normally and asks if I want to run system repair. when system repair runs it cannot complete then shuts down to a blank screen again.
  16. Vicki Easley

    Vicki Easley Newcomer, in training Topic Starter Posts: 35

    Disregard my last message, I just got your last reply and will run combofix.
  17. Vicki Easley

    Vicki Easley Newcomer, in training Topic Starter Posts: 35

    I am not able to create a restore point using those instructions. There is no system protection link showing under the properties menu. Should I attempt to restart the computer? I am currently in safe mode and my prior attempts to restart normally have failed.
  18. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    Skip restore point creation.
  19. Vicki Easley

    Vicki Easley Newcomer, in training Topic Starter Posts: 35

    Ok. I will continue without restore point and post logs later today. Thank you again for your help, I greatly appreciate it!
  20. Vicki Easley

    Vicki Easley Newcomer, in training Topic Starter Posts: 35

    I am attempting to work on this again and just want to be sure I am ok to proceed. I restarted my computer and it started normally this time. Norton is showing I have 5 risks that need to be fixed and automatically starts to run scans producing an error message 3048 that they are unable to communicate with servers and asking to renew my IP settings. I set the restore point successfully and moved on to the next step to disable Norton but under the right click menu it has an "enable antivirus auto protect" option that is grey and cannot be activated. There is no "disable" option. Am I ok to run combofix?
  21. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    Go ahead.
  22. Vicki Easley

    Vicki Easley Newcomer, in training Topic Starter Posts: 35

    Combofix report:

    ComboFix 12-12-29.02 - Vicki 12/29/2012 11:57:04.1.1 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2013.712 [GMT -8:00]
    Running from: E:\ComboFix.exe
    AV: Norton 360 *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    FW: Norton 360 *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
    SP: Norton 360 *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files (x86)\Blinkx
    c:\program files (x86)\Blinkx\blinkx.ico
    c:\program files (x86)\Blinkx\blinkxss.exe
    c:\program files (x86)\Blinkx\blinkxstop.exe
    c:\program files (x86)\Blinkx\lang.dll
    c:\program files (x86)\Blinkx\templates\beat.ico
    c:\program files (x86)\Blinkx\templates\index.html
    c:\program files (x86)\Blinkx\templates\noflash.html
    c:\program files (x86)\Blinkx\templates\offline.html
    c:\program files (x86)\Blinkx\templates\offline.swf
    c:\program files (x86)\Blinkx\templates\uninstall.exe
    c:\programdata\7e6d2fs3e60xx26ry3
    c:\programdata\Roaming
    c:\programdata\Roaming\Disney Interactive\Lilo & Stitch Trouble In Paradise\LSConfig.ini
    c:\users\Vicki\videos\xmascottage.exe
    c:\windows\XSxS
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_ScanQuery Service
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-11-28 to 2012-12-29 )))))))))))))))))))))))))))))))
    .
    .
    2012-12-29 19:09 . 2012-12-29 19:24 -------- d-----w- c:\windows\system32\drivers\N360x64\0502020.003
    2012-12-29 18:49 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll
    2012-12-29 18:49 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll
    2012-12-29 18:49 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
    2012-12-29 18:49 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
    2012-12-27 04:35 . 2012-12-27 04:35 -------- d-----w- c:\users\Vicki\AppData\Roaming\Malwarebytes
    2012-12-27 04:33 . 2012-12-27 04:33 -------- d-----w- C:\FRST
    2012-12-27 04:32 . 2012-11-02 05:59 478208 ----a-w- c:\windows\system32\dpnet.dll
    2012-12-27 04:32 . 2012-11-02 05:11 376832 ----a-w- c:\windows\SysWow64\dpnet.dll
    2012-12-27 04:32 . 2012-12-27 04:32 -------- d-----w- c:\programdata\Malwarebytes
    2012-12-27 04:31 . 2012-12-27 04:05 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-12-26 01:06 . 2012-12-26 01:06 16363960 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
    2012-12-08 20:56 . 2012-12-08 20:56 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
    2012-12-08 20:21 . 2012-12-08 20:21 -------- d-----w- c:\program files\Symantec
    2012-12-08 20:21 . 2012-12-08 20:21 174200 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
    2012-12-08 20:20 . 2012-12-08 20:20 -------- d-----w- c:\program files (x86)\Norton 360
    2012-12-08 20:04 . 2012-12-08 20:04 -------- d-----w- c:\programdata\NortonRnR
    2012-12-06 04:38 . 2012-12-06 04:38 -------- d-----w- c:\programdata\PCSettings
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-12-26 01:07 . 2012-06-21 16:52 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-12-26 01:07 . 2011-05-28 05:27 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-11-15 11:05 . 2011-05-16 22:44 66395536 ----a-w- c:\windows\system32\MRT.exe
    2012-10-18 18:25 . 2012-11-15 08:19 3149824 ----a-w- c:\windows\system32\win32k.sys
    2012-10-18 17:26 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
    2012-10-18 17:26 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
    2012-10-09 18:17 . 2012-11-15 08:42 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll
    2012-10-09 18:17 . 2012-11-15 08:42 226816 ----a-w- c:\windows\system32\dhcpcore6.dll
    2012-10-09 17:40 . 2012-11-15 08:42 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll
    2012-10-09 17:40 . 2012-11-15 08:42 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll
    2012-10-03 17:56 . 2012-11-15 07:58 1914248 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2012-10-03 17:44 . 2012-11-15 07:58 70656 ----a-w- c:\windows\system32\nlaapi.dll
    2012-10-03 17:44 . 2012-11-15 07:58 303104 ----a-w- c:\windows\system32\nlasvc.dll
    2012-10-03 17:44 . 2012-11-15 07:58 246272 ----a-w- c:\windows\system32\netcorehc.dll
    2012-10-03 17:44 . 2012-11-15 07:58 18944 ----a-w- c:\windows\system32\netevent.dll
    2012-10-03 17:44 . 2012-11-15 07:58 216576 ----a-w- c:\windows\system32\ncsi.dll
    2012-10-03 17:42 . 2012-11-15 07:58 569344 ----a-w- c:\windows\system32\iphlpsvc.dll
    2012-10-03 16:42 . 2012-11-15 07:58 18944 ----a-w- c:\windows\SysWow64\netevent.dll
    2012-10-03 16:42 . 2012-11-15 07:58 175104 ----a-w- c:\windows\SysWow64\netcorehc.dll
    2012-10-03 16:42 . 2012-11-15 07:58 156672 ----a-w- c:\windows\SysWow64\ncsi.dll
    2012-10-03 16:07 . 2012-11-15 07:58 45568 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files (x86)\Swag_Bucks\prxtbSwa0.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]
    2011-05-09 08:49 176936 ----a-w- c:\program files (x86)\Swag_Bucks\prxtbSwa0.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{C1ED9DA0-AFD0-4b90-AC6A-D3874F591014}]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{f34c9277-6577-4dff-b2d7-7d58092f272f}]
    2012-09-24 23:01 89288 ----a-w- c:\progra~2\SEARCH~1\Datamngr\SRTOOL~1\searchresultsDx.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files (x86)\Swag_Bucks\prxtbSwa0.dll" [2011-05-09 176936]
    "{f34c9277-6577-4dff-b2d7-7d58092f272f}"= "c:\progra~2\SEARCH~1\Datamngr\SRTOOL~1\searchresultsDx.dll" [2012-09-24 89288]
    .
    [HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]
    .
    [HKEY_CLASSES_ROOT\clsid\{f34c9277-6577-4dff-b2d7-7d58092f272f}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-12-11 39408]
    "RoboForm"="c:\program files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2012-05-24 109336]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2010-02-09 1807680]
    "Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
    "AmazonGSDownloaderTray"="c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
    "EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2010-10-12 979328]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
    "TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2012-09-29 296096]
    "HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-07 559616]
    .
    c:\users\Vicki\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    NETGEAR WNA1100 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WNA1100\WNA1100.exe [2010-12-4 4562944]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    "AppInit_DLLs"=c:\progra~2\SEARCH~1\Datamngr\datamngr.dll c:\progra~2\SEARCH~1\Datamngr\IEBHO.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
    R3 jswpsapi;JumpStart Wi-Fi Protected Setup;c:\program files (x86)\NETGEAR\WNA1100\jswpsapi.exe [2009-11-06 954368]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-12-06 1255736]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
    S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys [2007-01-20 25312]
    S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0502020.003\SYMDS64.SYS [2011-01-27 450680]
    S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0502020.003\SYMEFA64.SYS [2011-03-15 912504]
    S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20121130.005\BHDrvx64.sys [2012-11-30 1384608]
    S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20121228.001\IDSvia64.sys [2012-12-05 513184]
    S1 JSWPSLWF;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwfx.sys [2008-05-15 26624]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0502020.003\Ironx64.SYS [2011-01-27 171128]
    S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360x64\0502020.003\SYMNETS.SYS [2011-04-21 386168]
    S2 Amazon Download Agent;Amazon Download Agent;c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-10-23 401920]
    S2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.exe [2012-02-10 193816]
    S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
    S2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [2011-12-13 168448]
    S2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2011-12-13 131072]
    S2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [2011-06-09 555392]
    S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
    S2 N360;Norton 360;c:\program files (x86)\Norton 360\Engine\5.2.2.3\ccSvcHst.exe [2011-04-17 130008]
    S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-08-18 1692480]
    S2 WSWNA1100;WSWNA1100;c:\program files (x86)\NETGEAR\WNA1100\WifiSvc.exe [2009-11-27 278528]
    S3 athur;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\DRIVERS\athurx.sys [2009-11-10 1827328]
    S3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe [2012-02-10 240408]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-05-26 138752]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-07-31 236544]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-12-29 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-21 01:07]
    .
    2012-12-29 c:\windows\Tasks\FreeFileViewerUpdateChecker.job
    - c:\program files (x86)\FreeFileViewer\FFVCheckForUpdates.exe [2012-02-18 22:24]
    .
    2012-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-11 00:24]
    .
    2012-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-11 00:24]
    .
    2012-12-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-455381835-2594386958-2642412177-1000Core.job
    - c:\users\Vicki\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-21 05:30]
    .
    2012-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-455381835-2594386958-2642412177-1000UA.job
    - c:\users\Vicki\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-21 05:30]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-10-21 8306208]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=c:\progra~2\SEARCH~1\Datamngr\x64\datamngr.dll c:\progra~2\SEARCH~1\Datamngr\x64\IEBHO.dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.searchnu.com/406
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: Customize Menu - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office12\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: Save Forms - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    IE: Show RoboForm Toolbar - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    IE: {{A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - c:\program files (x86)\Superfish\Window Shopper\SuperfishIEAddon.dll
    TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
    FF - ProfilePath - c:\users\Vicki\AppData\Roaming\Mozilla\Firefox\Profiles\5uwdrdz5.default\
    FF - prefs.js: browser.search.selectedEngine - Search Results
    FF - prefs.js: browser.startup.homepage - hxxp://www.searchnu.com/406
    FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&gct=ds&appid=427&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&apn_uid=1156029100954992&o=APN10645&q=
    FF - ExtSQL: 2012-11-07 19:14; {f34c9277-6577-4dff-b2d7-7d58092f272f}; c:\users\Vicki\AppData\Roaming\Mozilla\Firefox\Profiles\5uwdrdz5.default\extensions\{f34c9277-6577-4dff-b2d7-7d58092f272f}
    FF - ExtSQL: !HIDDEN! 2012-11-07 19:15; {1FD91A9C-410C-4090-BBCC-55D3450EF433}; c:\program files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension
    FF - user.js: general.useragent.extra.brc - BRI/1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{6E13D095-45C3-4271-9475-F3B48227DD9F} - c:\program files (x86)\StartNow Toolbar\Toolbar32.dll
    Toolbar-Locked - (no file)
    Toolbar-{5911488E-9D1E-40ec-8CBB-06B231CC153F} - c:\program files (x86)\StartNow Toolbar\Toolbar32.dll
    Toolbar-10 - (no file)
    Wow6432Node-HKLM-Run-jswtrayutil - c:\program files (x86)\NETGEAR\WNA1100\jswtrayutil.exe
    Wow6432Node-HKLM-Run-TaskTray - (no file)
    Wow6432Node-HKLM-Run-<NO NAME> - (no file)
    Toolbar-Locked - (no file)
    Toolbar-10 - (no file)
    WebBrowser-{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94} - (no file)
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-obnoxious_saver - c:\windows\system32\obnoxious_saver.scr
    AddRemove-blinkx beat - c:\program files (x86)\Blinkx\templates\uninstall.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\N360]
    "ImagePath"="\"c:\program files (x86)\Norton 360\Engine\5.2.2.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton 360\Engine\5.2.2.3\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
    c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
    c:\program files (x86)\Common Files\Java\Java Update\jusched.exe
    c:\windows\system32\spool\DRIVERS\x64\3\EBAPIx32.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-12-29 12:39:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-12-29 20:39
    .
    Pre-Run: 211,261,796,352 bytes free
    Post-Run: 210,693,464,064 bytes free
    .
    - - End Of File - - DA74088C8ED897739C4AC4516F6C608C
  23. Vicki Easley

    Vicki Easley Newcomer, in training Topic Starter Posts: 35

    Should I now run system restore?
  24. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    No.

    Combofix log looks good.

    How is computer doing?

    =============================

    Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    Next...

    • Double click on adwcleaner.exe to run the tool.
    • Click on Uninstall.
    • Confirm with yes.

    ============================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  25. Vicki Easley

    Vicki Easley Newcomer, in training Topic Starter Posts: 35

    It will not run Adwcleaner. Message: Illegal operation attempted on a registry key that has been marked for deletion.
    I get the same message when I attempt to open anything on my desktop (word, firefox, Norton, etc).


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.