Solved: Vista Ultimate 64-bit infected by WIN64/PATCHED.A


Wayne Stemple

My AVG is reporting that PATCHED.A has landed on my Dell Inspiron 1525. I am seeking some expert advice to get rid of it.

Thanks,
Wayne
 
Hello, and welcome to TechSpot.


Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic where you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
Please review the 5-Step removal instructions and post the logs back here for my review.
 
Thanks for wanting to help me with this issue. I have followed the 5 steps and here are the log(s) from those programs:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.13.01

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Wayne :: WAYNE-LAPTOP [administrator]

Protection: Enabled

7/12/2012 10:41:02 PM
mbam-log-2012-07-12 (22-41-02).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 240233
Time elapsed: 5 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Windows\Installer\MSI10A5.tmp (HackTool.Hiderun) -> Quarantined and deleted successfully.
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.

(end)
There was no log from GMER
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Wayne at 13:03:38 on 2012-07-13
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.4085.1799 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Secunia\PSI\PSIA.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\SmarterTools\SmarterTrack\Web Server\STrWebSvr.exe
C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\AVG\AVG PC Tuneup\BoostSpeed.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Core Temp\Core Temp.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Windows\System32\WLTRAY.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe
C:\Windows\System32\p2phost.exe
C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe
C:\Users\Wayne\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\Wayne\AppData\Local\Smartbar\Application\Smartbar.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
C:\Windows\OEM02Mon.exe
C:\Program Files (x86)\Dell\MediaDirect\PCMService.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\Optimizer Pro\OptProSmartScan.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files (x86)\Optimizer Pro\OptProReminder.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\SelectRebates\SelectRebates.exe
C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Wayne\AppData\Local\Google\Update\1.3.21.115\GoogleCrashHandler.exe
C:\Users\Wayne\AppData\Local\Google\Update\1.3.21.115\GoogleCrashHandler64.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
"C:\Windows\SysWOW64\svchost.exe" -k LocalServiceDns
C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
"C:\Windows\SysWOW64\svchost.exe" -k LocalServiceDns
C:\Program Files (x86)\AVG\AVG2012\avgcfgex.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.plusnetwork.com
uURLSearchHooks: greatbar22022010g2 Toolbar: {36a4bdcd-d5b5-4618-b144-e335d0f3d381} - C:\Program Files (x86)\EvonyNet\tbEvo0.dll
mURLSearchHooks: greatbar22022010g2 Toolbar: {36a4bdcd-d5b5-4618-b144-e335d0f3d381} - C:\Program Files (x86)\EvonyNet\tbEvo0.dll
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
BHO: Messenger Plus! Community SmartbarEngine: {31ad400d-1b06-4e33-a59a-90c2c140cba0} - mscoree.dll
BHO: greatbar22022010g2 Toolbar: {36a4bdcd-d5b5-4618-b144-e335d0f3d381} - C:\Program Files (x86)\EvonyNet\tbEvo0.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: ShopAtHomeIEHelper Class: {e8daaa30-6caa-4b58-9603-8e54238219e2} - C:\Program Files (x86)\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
BHO: DeLorme Send To GPS: {fbaad182-3c7a-4bc4-a5e9-207b8e0f02fd} - C:\Program Files (x86)\DeLorme\SendToGPS\PNPluginForIE.dll
TB: greatbar22022010g2 Toolbar: {36a4bdcd-d5b5-4618-b144-e335d0f3d381} - C:\Program Files (x86)\EvonyNet\tbEvo0.dll
TB: ShopAtHome.com Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - C:\Program Files (x86)\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
TB: Messenger Plus! Community Smartbar: {ae07101b-46d4-4a98-af68-0333ea26e113} - mscoree.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [MsnMsgr] "C:\Program Files (x86)\Windows Live\Messenger\MsnMsgr.Exe" /background
uRun: [Speech Recognition] "C:\Windows\Speech\Common\sapisvr.exe" -SpeechUX -Startup
uRun: [TomTomHOME.exe] "C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe"
uRun: [CollaborationHost] C:\Windows\system32\p2phost.exe -s
uRun: [OpenDNS Updater] "C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe" /autostart
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "C:\Users\Wayne\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Browser Infrastructure Helper] C:\Users\Wayne\AppData\Local\Smartbar\Application\Smartbar.exe startup
uRun: [Optimizer Pro] C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe
uRunOnce: [Application Restart #3] C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe --flag-switches-begin --flag-switches-end --restore-last-session -- http://odo.parcom.net/cgi-bin/index...b43ea8a039fa4ec6c4&et=1340006949&locale=en_US
mRun: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
mRun: [DELL Webcam Manager] "C:\Program Files (x86)\Dell\Dell Webcam Manager\DellWMgr.exe" /s
mRun: [dellsupportcenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [PCMService] "C:\Program Files (x86)\Dell\MediaDirect\PCMService.exe"
mRun: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun: [SelectRebates] "C:\Program Files (x86)\SelectRebates\SelectRebates.exe"
mRun: [PlusService] "C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
dRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
StartupFolder: C:\Users\Wayne\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\Belkin\Bluetooth Software\BTTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\KODAKE~1.LNK - C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SECUNI~1.LNK - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &ieSpell Options - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Check &Spelling - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://C:\Program Files (x86)\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://C:\Program Files (x86)\ieSpell\wikipedia.HTM
IE: Send image to &Bluetooth Device... - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~4\OFFICE11\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: intuit.com\ttlc
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} - hxxp://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.3.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 216.165.129.158 216.170.153.146
TCP: Interfaces\{3EC58775-4044-4C87-A59C-DDBA70FC4BBC} : DhcpNameServer = 216.165.129.158 216.170.153.146
TCP: Interfaces\{5B3EA024-7116-49C2-BBA6-FFA2F8A60CFE} : DhcpNameServer = 216.165.129.158 216.170.153.146
TCP: Interfaces\{C5CCDEEA-3D2C-48EF-A950-31F3FF917680} : DhcpNameServer = 216.165.129.158 216.170.153.146
TCP: Interfaces\{CCA16B59-9EB4-4542-A1D3-F8ADD003D946} : DhcpNameServer = 216.165.129.158 216.170.153.146
Filter: text/x-mrml - {C51721BE-858B-4A66-A8BF-D2882FF49820} - C:\Program Files (x86)\Common Files\A&W\MidRadio.ocx
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\Advisor\System\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
BHO-X64: AVG Do Not Track - No File
BHO-X64: Messenger Plus! Community SmartbarEngine: {31ad400d-1b06-4e33-a59a-90c2c140cba0} - mscoree.dll
BHO-X64: greatbar22022010g2 Toolbar: {36a4bdcd-d5b5-4618-b144-e335d0f3d381} - C:\Program Files (x86)\EvonyNet\tbEvo0.dll
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: ShopAtHomeIEHelper Class: {E8DAAA30-6CAA-4b58-9603-8E54238219E2} - C:\Program Files (x86)\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
BHO-X64: ShopAtHomeIEHelper - No File
BHO-X64: DeLorme Send To GPS: {FBAAD182-3C7A-4BC4-A5E9-207B8E0F02FD} - C:\Program Files (x86)\DeLorme\SendToGPS\PNPluginForIE.dll
BHO-X64: PNBHO - No File
TB-X64: greatbar22022010g2 Toolbar: {36a4bdcd-d5b5-4618-b144-e335d0f3d381} - C:\Program Files (x86)\EvonyNet\tbEvo0.dll
TB-X64: ShopAtHome.com Toolbar: {98279C38-DE4B-4bcf-93C9-8EC26069D6F4} - C:\Program Files (x86)\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
TB-X64: Messenger Plus! Community Smartbar: {ae07101b-46d4-4a98-af68-0333ea26e113} - mscoree.dll
mRun-x64: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
mRun-x64: [DELL Webcam Manager] "C:\Program Files (x86)\Dell\Dell Webcam Manager\DellWMgr.exe" /s
mRun-x64: [dellsupportcenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
mRun-x64: [PCMService] "C:\Program Files (x86)\Dell\MediaDirect\PCMService.exe"
mRun-x64: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
mRun-x64: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun-x64: [SelectRebates] "C:\Program Files (x86)\SelectRebates\SelectRebates.exe"
mRun-x64: [PlusService] "C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRunOnce-x64: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
IE-X64: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE-X64: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\system32\DRIVERS\avgidsha.sys --> C:\Windows\system32\DRIVERS\avgidsha.sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-2-14 193288]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-8-25 13672]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-12 655944]
R2 NPF;NetGroup Packet Filter Driver;C:\Windows\system32\drivers\npf.sys --> C:\Windows\system32\drivers\npf.sys [?]
R2 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2011-10-14 994360]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-12-12 1692480]
R2 STrWebSvr;SmarterTrack Web Server;C:\Program Files (x86)\SmarterTools\SmarterTrack\Web Server\STrWebSvr.exe [2012-3-8 98304]
R2 TomTomHOMEService;TomTomHOMEService;C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2012-1-22 92592]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\avgidsdrivera.sys --> C:\Windows\system32\DRIVERS\avgidsdrivera.sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\avgidsfiltera.sys --> C:\Windows\system32\DRIVERS\avgidsfiltera.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 Point64;Microsoft IntelliPoint Filter Driver;C:\Windows\system32\DRIVERS\point64k.sys --> C:\Windows\system32\DRIVERS\point64k.sys [?]
R3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys --> C:\Windows\system32\DRIVERS\psi_mf.sys [?]
R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x64.sys --> C:\Windows\system32\DRIVERS\yk60x64.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [2012-7-4 5160568]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate1c9bf00c803d790;Google Update Service (gupdate1c9bf00c803d790);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-4-16 133104]
S2 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2011-10-14 399416]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-14 250056]
S3 btnetBUs;Bluetooth PAN Bus Service;C:\Windows\system32\Drivers\btnetBus.sys --> C:\Windows\system32\Drivers\btnetBus.sys [?]
S3 dc3d;USBCCGP filter driver (dc3d);C:\Windows\system32\DRIVERS\dc3d.sys --> C:\Windows\system32\DRIVERS\dc3d.sys [?]
S3 fssfltr;FssFltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-3-8 1492840]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-4-16 133104]
S3 netr7364;Wireless-G USB Network Adapter with RangeBooster Driver for Vista;C:\Windows\system32\DRIVERS\WUSB54GRx64.sys --> C:\Windows\system32\DRIVERS\WUSB54GRx64.sys [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;C:\Windows\system32\DRIVERS\silabenm.sys --> C:\Windows\system32\DRIVERS\silabenm.sys [?]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;C:\Windows\system32\DRIVERS\silabser.sys --> C:\Windows\system32\DRIVERS\silabser.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
S3 WSDScan;WSD Scan Support via UMB;C:\Windows\system32\DRIVERS\WSDScan.sys --> C:\Windows\system32\DRIVERS\WSDScan.sys [?]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-10 89920]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-07-13 17:44:14  --------  d-----w-  C:\Users\Wayne\AppData\Local\{84828F34-931A-490F-A242-65171193B536}
2012-07-13 17:43:42  --------  d-----w-  C:\Users\Wayne\AppData\Local\{4662A4E0-D7AB-4EF9-9722-4F856815449A}
2012-07-13 03:39:51  --------  d-----w-  C:\Users\Wayne\AppData\Roaming\Malwarebytes
2012-07-13 03:39:11  --------  d-----w-  C:\ProgramData\Malwarebytes
2012-07-13 03:39:10  24904  ----a-w-  C:\Windows\System32\drivers\mbam.sys
2012-07-13 03:39:10  --------  d-----w-  C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-07-13 01:43:44  --------  d-----w-  C:\Users\Wayne\AppData\Local\{B71E2A2B-A7C1-407D-A7BE-1BEE20D36069}
2012-07-12 11:56:18  --------  d-----w-  C:\Users\Wayne\AppData\Local\{12D81F13-F765-4729-A71E-604027F7124F}
2012-07-12 11:56:14  --------  d-----w-  C:\Users\Wayne\AppData\Local\{818C2590-7AC7-46C6-8DDF-8EFFF9F96678}
2012-07-12 04:48:37  --------  d-sh--w-  C:\Windows\SysWow64\%APPDATA%
2012-07-11 11:54:31  --------  d-----w-  C:\Users\Wayne\AppData\Local\{F26048F9-4ACA-4A5D-BF9E-325C505E1B9D}
2012-07-11 11:54:30  --------  d-----w-  C:\Users\Wayne\AppData\Local\{7510CEC1-0FEA-4013-8EAD-5DA7CF53863C}
2012-07-11 00:58:44  974848  ----a-w-  C:\Program Files\Common Files\System\ado\msado15.dll
2012-07-10 11:59:50  --------  d-----w-  C:\Users\Wayne\AppData\Local\{C19ABDB5-324C-4A25-9A94-6AD1B9B8CE9B}
2012-07-06 02:40:08  --------  d-----w-  C:\Users\Wayne\AppData\Local\{66A14379-25F8-4F31-A5CD-CED625716A98}
2012-07-06 02:40:05  --------  d-----w-  C:\Users\Wayne\AppData\Local\{E5052C14-B34D-4016-AAAE-7561274DE4A1}
2012-07-05 07:52:41  --------  d-----w-  C:\Users\Wayne\AppData\Local\{A04D0DF2-0435-4D25-A45E-5E438005D45B}
2012-07-05 07:31:33  --------  d-----w-  C:\Users\Wayne\AppData\Local\{0A620493-A9E6-4586-9B93-D4208364138C}
2012-07-04 04:22:17  476936  ----a-w-  C:\Windows\SysWow64\npdeployJava1.dll
2012-06-29 13:58:24  --------  d-----w-  C:\Users\Wayne\AppData\Local\{53157048-2EFF-4CB5-A878-2157E7E534DD}
2012-06-29 13:57:19  --------  d-----w-  C:\Users\Wayne\AppData\Local\{86E59D4E-A266-45CA-8ED6-29BA3A472E2C}
2012-06-14 11:01:10  --------  d-----w-  C:\Users\Wayne\AppData\Local\{8DEBE35A-F785-408E-A392-C0C3147BB920}
2012-06-14 11:01:09  --------  d-----w-  C:\Users\Wayne\AppData\Local\{38A48453-5A4A-4B3A-A185-3F3B3299C373}
2012-06-14 00:53:40  209920  ----a-w-  C:\Windows\System32\drivers\rdpwd.sys
2012-06-14 00:53:15  984064  ----a-w-  C:\Windows\SysWow64\crypt32.dll
2012-06-14 00:53:15  174592  ----a-w-  C:\Windows\System32\cryptsvc.dll
2012-06-14 00:53:15  133120  ----a-w-  C:\Windows\SysWow64\cryptsvc.dll
2012-06-14 00:53:15  132096  ----a-w-  C:\Windows\System32\cryptnet.dll
2012-06-14 00:53:15  1267200  ----a-w-  C:\Windows\System32\crypt32.dll
2012-06-14 00:53:14  98304  ----a-w-  C:\Windows\SysWow64\cryptnet.dll
.
==================== Find3M ====================
.
2012-07-12 02:59:01  70344  ----a-w-  C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-12 02:59:01  426184  ----a-w-  C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-04 04:21:36  472840  ----a-w-  C:\Windows\SysWow64\deployJava1.dll
2012-06-13 13:58:27  2769408  ----a-w-  C:\Windows\System32\win32k.sys
2012-06-05 16:47:28  1401856  ----a-w-  C:\Windows\SysWow64\msxml6.dll
2012-06-05 16:47:27  1248768  ----a-w-  C:\Windows\SysWow64\msxml3.dll
2012-06-05 16:22:47  1797120  ----a-w-  C:\Windows\System32\msxml6.dll
2012-06-05 16:22:46  1869824  ----a-w-  C:\Windows\System32\msxml3.dll
2012-06-04 15:29:59  516480  ----a-w-  C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 22:15:31  2622464  ----a-w-  C:\Windows\System32\wucltux.dll
2012-06-02 22:15:08  99840  ----a-w-  C:\Windows\System32\wudriver.dll
2012-06-02 22:12:13  88576  ----a-w-  C:\Windows\SysWow64\wudriver.dll
2012-06-02 20:19:42  186752  ----a-w-  C:\Windows\System32\wuwebv.dll
2012-06-02 20:19:42  171904  ----a-w-  C:\Windows\SysWow64\wuwebv.dll
2012-06-02 20:15:12  36864  ----a-w-  C:\Windows\System32\wuapp.exe
2012-06-02 20:12:20  33792  ----a-w-  C:\Windows\SysWow64\wuapp.exe
2012-06-02 12:12:17  2311680  ----a-w-  C:\Windows\System32\jscript9.dll
2012-06-02 12:05:28  1392128  ----a-w-  C:\Windows\System32\wininet.dll
2012-06-02 12:04:50  1494528  ----a-w-  C:\Windows\System32\inetcpl.cpl
2012-06-02 12:01:40  173056  ----a-w-  C:\Windows\System32\ieUnatt.exe
2012-06-02 11:57:08  2382848  ----a-w-  C:\Windows\System32\mshtml.tlb
2012-06-02 08:33:25  1800192  ----a-w-  C:\Windows\SysWow64\jscript9.dll
2012-06-02 08:25:08  1129472  ----a-w-  C:\Windows\SysWow64\wininet.dll
2012-06-02 08:25:03  1427968  ----a-w-  C:\Windows\SysWow64\inetcpl.cpl
2012-06-02 08:20:33  142848  ----a-w-  C:\Windows\SysWow64\ieUnatt.exe
2012-06-02 08:16:52  2382848  ----a-w-  C:\Windows\SysWow64\mshtml.tlb
2012-06-02 00:22:56  347136  ----a-w-  C:\Windows\System32\schannel.dll
2012-06-02 00:22:10  254464  ----a-w-  C:\Windows\System32\ncrypt.dll
2012-06-02 00:05:11  77312  ----a-w-  C:\Windows\SysWow64\secur32.dll
2012-06-02 00:04:25  278528  ----a-w-  C:\Windows\SysWow64\schannel.dll
2012-06-02 00:03:42  204288  ----a-w-  C:\Windows\SysWow64\ncrypt.dll
2012-04-19 09:50:26  28480  ----a-w-  C:\Windows\System32\drivers\avgidsha.sys
.
============= FINISH: 13:04:24.37 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Ultimate
Boot Device: \Device\HarddiskVolume3
Install Date: 12/24/2008 12:22:58 PM
System Uptime: 7/13/2012 12:15:14 PM (1 hours ago)
.
Motherboard: Dell Inc. | | 0U990C
Processor: Intel(R) Core(TM)2 Duo CPU T5800 @ 2.00GHz | Microprocessor | 2000/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 221 GiB total, 56.969 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 3.451 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
.
Acrobat.com
Adobe AIR
Adobe ConnectNow Add-in
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.3)
Advanced Audio FX Engine
Advanced PDF Password Recovery
Advanced Video FX Engine
Apple Application Support
Apple Software Update
ArcSoft Print Creations
ArcSoft Print Creations - Album Page
ArcSoft Print Creations - Funhouse
ArcSoft Print Creations - Greeting Card
ArcSoft Print Creations - Photo Book
ArcSoft Print Creations - Photo Calendar
ArcSoft Print Creations - Scrapbook
ArcSoft Print Creations - Slimline Card
AVerMedia MCE Encoder x64 3.0.1.0
AVG PC Tuneup
Belarc Advisor 7.2
Bing Rewards Client Installer
CCScore
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Compatibility Pack for the 2007 Office system
Coupon Printer for Windows
D3DX10
Dell DataSafe Local Backup
Dell DataSafe Local Backup - Support Software
Dell Driver Download Manager
Dell Resource CD
Dell Webcam Center
Dell Webcam Manager
DeLorme Cache Register 2.0
DeLorme Send To GPS 1.2
DeLorme Street Atlas USA 2009
DeLorme Topo North America 9.0
DeLorme Topo USA 8.0
DFX for Windows Media Player
Dynex mini card reader
EasyGPS 4.45
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSTOOLS
essvatgt
EvonyNet Toolbar
Feedback Tool
Garmin Communicator Plugin
Garmin USB Drivers
GCTool
GeoGet 2.6.4.671
Geomate.Jr Software Kit
Google Chrome
Google Earth
Google Update Helper
Google Updater
Highlight Viewer (Windows Live Toolbar)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ieSpell
Ipswitch WS_FTP LE
iSEEK AnswerWorks English Runtime
Java Auto Updater
Java(TM) 6 Update 22
Java(TM) 6 Update 33
Java(TM) 6 Update 7
Junk Mail filter update
Kixtarter
Kodak EasyShare software
Live! Cam Avatar Creator
Live! Cam Avatar v1.0
Logic Circuit Designer
Loki ActiveX Control
Loki Browser Plugin
Malwarebytes Anti-Malware version 1.62.0.1300
Map Button (Windows Live Toolbar)
MediaDirect
Messenger Plus! 5
Messenger Plus! Community Smartbar
Microsoft Default Manager
Microsoft Office File Validation Add-In
Microsoft Office Live Add-in 1.5
Microsoft Office Live Add-in Patches
Microsoft Office Outlook Connector
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Works 6-9 Converter
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MWSnap 3
netbrdg
Nokia Connectivity Cable Driver
OfotoXMI
OkCustomMap
OkCustomMap 1.4.4
OkMap 10.4.0
OpenDNS Updater 2.2.1
OpenOffice.org 3.3
Optimizer Pro v3.0
OutlookAddinSetup
PC Connectivity Solution
PDF Password Cracker Pro v3.2
PDF Password Unlocker 4.0.2.5
QuickTime
RICOH R5C83x/84x Media Driver x64 Ver.5.03.03
Secunia PSI (2.0.0.4003)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Segoe UI
SFR
SHASTA
ShopAtHome.com Toolbar
Silicon Laboratories CP210x USB to UART Bridge (Driver Removal)
skin0001
SKINXSDK
Smart Menus (Windows Live Toolbar)
SmarterTrack
Spelling Dictionaries Support For Adobe Reader 9
Spotlight on Windows (freeware)
staticcr
Street Atlas USA 2004 Handheld
Street Atlas USA 2004 Handheld Data
TomTom HOME 2.8.3.2499
TomTom HOME Visual Studio Merge Modules
TurboTax 2009
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wrapper
TurboTax 2009 wwiiper
TurboTax 2010
TurboTax 2010 WinPerFedFormset
TurboTax 2010 WinPerReleaseEngine
TurboTax 2010 WinPerTaxSupport
TurboTax 2010 wrapper
TurboTax 2010 wwiiper
TurboTax 2010 wwviper
TurboTax 2011
TurboTax 2011 WinPerFedFormset
TurboTax 2011 WinPerReleaseEngine
TurboTax 2011 WinPerTaxSupport
TurboTax 2011 wrapper
TurboTax 2011 wwiiper
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update Installer for WildTangent Games App
Urwigo
Vhd Resizer
Visual C++ 8.0 Runtime Setup Package (x64)
Visual Studio 2008 x64 Redistributables
VPRINTOL
WildTangent Games App (Dell Games)
WinCachebox
Windows Live Communications Platform
Windows Live Essentials
Windows Live Favorites for Windows Live Toolbar
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Player Firefox Plugin
WinPcap 4.1.1
WIRELESS
Workspace Macro 4.6
.
==== Event Viewer Messages From Past Week ========
.
7/13/2012 12:56:13 PM, Error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Secure Socket Tunneling Protocol Service service which failed to start because of the following error: The service has not been started.
7/13/2012 12:41:35 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SftService service.
7/13/2012 12:18:31 PM, Error: Microsoft-Windows-WMPNSS-Service [14329] - Service 'WMPNetworkSvc' did not start correctly because the registry could not be updated due to error '0x80070006'. If possible, reinstall Windows Media Player.
7/13/2012 12:18:00 PM, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer HP LaserJet 4050 Series PCL 5 with shared resource name NAIMIS. Error 1753. The printer cannot be used by others on the network.
7/13/2012 12:18:00 PM, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer HP LaserJet 4 Plus with shared resource name HP LaserJet 4 Plus. Error 1753. The printer cannot be used by others on the network.
7/13/2012 12:17:13 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BtHidBus
7/13/2012 12:17:13 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
7/13/2012 12:17:13 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
7/13/2012 12:17:13 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
7/13/2012 12:17:04 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
7/13/2012 12:01:41 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the WLAN AutoConfig service, but this action failed with the following error: An instance of the service is already running.
7/13/2012 11:58:28 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the DHCP Client service, but this action failed with the following error: An instance of the service is already running.
7/13/2012 11:57:41 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Audio Endpoint Builder service, but this action failed with the following error: An instance of the service is already running.
7/13/2012 11:54:10 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
7/13/2012 11:52:10 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
7/13/2012 11:51:59 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IPBusEnum service.
7/13/2012 11:51:29 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
7/13/2012 11:50:59 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
7/13/2012 11:36:23 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WPDBusEnum service.
7/13/2012 11:35:53 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SysMain service.
7/13/2012 11:35:23 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the EMDMgmt service.
7/13/2012 11:34:23 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the CscService service.
7/13/2012 11:33:53 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the AudioEndpointBuilder service.
7/13/2012 11:32:23 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the UxSms service.
7/13/2012 11:31:53 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the TabletInputService service.
7/13/2012 11:30:23 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the hidserv service.
7/13/2012 11:28:38 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.15 for the Network Card with network address 00234E35ED5A has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
7/13/2012 1:05:12 PM, Error: Service Control Manager [7023] - The Secure Socket Tunneling Protocol Service service terminated with the following error: The system cannot find the file specified.
7/13/2012 1:05:12 PM, Error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Secure Socket Tunneling Protocol Service service which failed to start because of the following error: The system cannot find the file specified.
.
==== End Of File ===========================
Thanks for your help and I await your next set of instructions.
Wayne
 
Download Farbar Recovery Scan Tool and save it to a flash drive.

Please make sure to download the 64-bit version.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • type exit and reboot the computer normally
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

Once again, please boot to the System Recovery Options and run FRST, as done previously.

Type the following text in the blank box after Search:

services.exe

Click: Search file(s)

When done searching, FRST makes a log, Search.txt, on the C:\ drive.

Please provide the Search.txt in your reply along with the first FRST log.
 
When booting from the HD, Repair your computer was not an option. Since I was in my office and did not have the CD to boot from, I booted into Safe Mode w/command prompt to run the requested process. I hope that will work for you. If not, I will have to locate my CD to boot from. I have included the requested logs below:
========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 4085.12 MB
Available physical RAM: 3512.75 MB
Total Pagefile: 8345.52 MB
Available Pagefile: 7889.95 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:220.58 GB) (Free:55.62 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (RECOVERY) (Fixed) (Total:9.77 GB) (Free:3.46 GB) NTFS
4 Drive g: (NEW VOLUME) (Removable) (Total:7.45 GB) (Free:3.54 GB) FAT32

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 0 B
Disk 1 Online 7643 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 32 KB
Partition 2 Primary 10 GB 40 MB
Partition 3 Primary 221 GB 10 GB
Partition 0 Extended 2559 MB 230 GB
Partition 4 Logical 2558 MB 230 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

There is no volume associated with this partition.

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D RECOVERY NTFS Partition 10 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 221 GB Healthy System (partition with boot components)

==================================================================================

Disk: 0
Partition 4
Type : DD
Hidden: Yes
Active: No

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7640 MB 32 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 G NEW VOLUME FAT32 Removable 7640 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-17 12:34

======================= End Of Log ==========================

Farbar Recovery Scan Tool Version: 14-07-2012 01
Ran by Wayne at 2012-07-17 14:02:21
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-09-10 22:19] - [2009-04-11 01:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 21:49] - [2008-01-20 21:49] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-09-10 22:19] - [2009-04-11 02:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 21:48] - [2008-01-20 21:48] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2009-09-10 22:19] - [2009-04-11 01:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\System32\services.exe
[2009-09-10 22:19] - [2009-04-11 02:10] - 0381952 ____A (Microsoft Corporation) B8844F93D2C5F1DCDB179AAA9AF134B7

====== End Of Search ======
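The search output above lists every copy of services.exe on the disk with its size and MD5. The script below is an added example, not part of this thread and not a feature of FRST: it parses that block (embedded here as copied from the log above), collects the hashes of the WinSxS component-store copies by architecture, and checks whether the live System32 and SysWOW64 copies match any of them. Mapping System32 to amd64 is an assumption that holds for the x64 host in this log; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the FRST "Search: services.exe" block copied from the log above.
FRST_SEARCH = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-09-10 22:19] - [2009-04-11 01:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 21:49] - [2008-01-20 21:49] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-09-10 22:19] - [2009-04-11 02:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 21:48] - [2008-01-20 21:48] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2009-09-10 22:19] - [2009-04-11 01:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\System32\services.exe
[2009-09-10 22:19] - [2009-04-11 02:10] - 0381952 ____A (Microsoft Corporation) B8844F93D2C5F1DCDB179AAA9AF134B7

====== End Of Search ======
"""

# One FRST detail line: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) (?P<attrs>\S+) "
    r"\((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_frst_search(text):
    """Turn an FRST search block into a list of dicts (path, created, modified, size, attrs, company, md5)."""
    records = []
    pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):   # skip blanks and the ===== header/footer lines
            continue
        m = DETAIL_RE.match(line)
        if m and pending_path:
            rec = m.groupdict()
            rec["path"] = pending_path
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            records.append(rec)
            pending_path = None
        else:
            pending_path = line                # a path line precedes its detail line
    return records


def is_winsxs(path):
    return "\\winsxs\\" in path.lower()


def arch_of(path):
    """Architecture of a copy: from the WinSxS component name, or from the live directory."""
    p = path.lower()
    m = re.search(r"\\winsxs\\(amd64|x86|wow64)_", p)
    if m:
        return "x86" if m.group(1) == "wow64" else m.group(1)  # wow64_ components hold 32-bit binaries
    if "\\syswow64\\" in p:
        return "x86"
    if "\\system32\\" in p:
        return "amd64"   # assumption: an x64 host, as in this log
    return None


def check_live_copies(records):
    """Compare each non-WinSxS copy against the WinSxS copies of the same architecture."""
    known = defaultdict(dict)   # arch -> {md5: size} for component-store copies
    for r in records:
        if is_winsxs(r["path"]):
            known[arch_of(r["path"])][r["md5"]] = r["size"]
    results = {}
    for r in records:
        if is_winsxs(r["path"]):
            continue
        arch = arch_of(r["path"])
        reference = known.get(arch, {})
        results[r["path"]] = {
            "arch": arch,
            "md5": r["md5"],
            "size": r["size"],
            "verdict": "match" if r["md5"] in reference else "mismatch",
            "reference_sizes": sorted(set(reference.values())),
        }
    return results


if __name__ == "__main__":
    for path, info in check_live_copies(parse_frst_search(FRST_SEARCH)).items():
        print(f"{info['verdict']:8} {path}  md5={info['md5']}  size={info['size']}  "
              f"winsxs sizes={info['reference_sizes']}")
```

Run as-is, the 32-bit SysWOW64 copy matches one of the x86 WinSxS entries, while System32\services.exe matches none of the amd64 entries and is smaller than both of them, which is what the helper reads as a patched system file. Treat a mismatch as a lead rather than proof: confirm it with a signature check (ComboFix's Sigcheck section later in this thread does exactly that for the same file), since an out-of-band hotfix can also produce a hash no WinSxS copy carries.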
 
The system file services.exe is clearly infected.

Let's take a different approach:

ComboFix

Please download ComboFix
by sUBs
From BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again and rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
 
I was able to get this to run as you requested. Just a note that the link to the download came back with a 404. I just had to get it from them the old-fashioned way. Your instructions did not include a reboot after this process, but I notice in the log that it seems to be needed. Please advise.


ComboFix 12-07-18.04 - Wayne 07/18/2012 12:55:51.2.2 - x64
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.4085.1853 [GMT -5:00]
Running from: C:\Users\Wayne\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\@
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L\00000004.@
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L\1afb2d56
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L\201d3dde
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\00000004.@
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\00000008.@
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\000000cb.@
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\80000000.@
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\80000032.@
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\80000064.@

---- Previous Run -------

C:\Install.exe
C:\Program Files (x86)\SelectRebates
C:\Program Files (x86)\SelectRebates\FFToolbar\chrome.manifest
C:\Program Files (x86)\SelectRebates\FFToolbar\chrome\sahtoolbar.jar
C:\Program Files (x86)\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js
C:\Program Files (x86)\SelectRebates\FFToolbar\install.rdf
C:\Program Files (x86)\SelectRebates\SahImages\alert.png
C:\Program Files (x86)\SelectRebates\SahImages\check.png
C:\Program Files (x86)\SelectRebates\SahImages\close.png
C:\Program Files (x86)\SelectRebates\SelectAlerts.dat
C:\Program Files (x86)\SelectRebates\SelectRebates.exe
C:\Program Files (x86)\SelectRebates\SelectRebates.ini
C:\Program Files (x86)\SelectRebates\SelectRebatesA.dat
C:\Program Files (x86)\SelectRebates\SelectRebatesApi.exe
C:\Program Files (x86)\SelectRebates\SelectRebatesB.dat
C:\Program Files (x86)\SelectRebates\SelectRebatesBT.dat
C:\Program Files (x86)\SelectRebates\SelectRebatesDownload.exe
C:\Program Files (x86)\SelectRebates\SelectRebatesH.dat
C:\Program Files (x86)\SelectRebates\SelectRebatesUninstall.exe
C:\Program Files (x86)\SelectRebates\SRebates.dll
C:\Program Files (x86)\SelectRebates\SRFF3.dll
C:\Program Files (x86)\SelectRebates\Toolbar\AddtoList.bmp
C:\Program Files (x86)\SelectRebates\Toolbar\basis.xml
C:\Program Files (x86)\SelectRebates\Toolbar\Basis.xml.dym
C:\Program Files (x86)\SelectRebates\Toolbar\Blank.bmp
C:\Program Files (x86)\SelectRebates\Toolbar\CashBack.bmp
C:\Program Files (x86)\SelectRebates\Toolbar\Coupons.bmp
C:\Program Files (x86)\SelectRebates\Toolbar\GroceryCoupon.bmp
C:\Program Files (x86)\SelectRebates\Toolbar\i_magnifying.bmp
C:\Program Files (x86)\SelectRebates\Toolbar\icons.bmp
C:\Program Files (x86)\SelectRebates\Toolbar\logo.bmp
C:\Program Files (x86)\SelectRebates\Toolbar\logo_24.bmp
C:\Program Files (x86)\SelectRebates\Toolbar\logo_HotSpots.bmp
C:\Program Files (x86)\SelectRebates\Toolbar\ReviewSite.bmp
C:\Program Files (x86)\SelectRebates\Toolbar\RightControls.dym
C:\Program Files (x86)\SelectRebates\Toolbar\sahtb-alert.bmp
C:\Program Files (x86)\SelectRebates\Toolbar\sahtb-go.bmp
C:\Program Files (x86)\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp
C:\Program Files (x86)\SelectRebates\Toolbar\sahtb-icons.bmp
C:\Program Files (x86)\SelectRebates\Toolbar\sahtb-restaurant.bmp
C:\Program Files (x86)\SelectRebates\Toolbar\sahtb-wishlist.bmp
C:\Program Files (x86)\SelectRebates\Toolbar\Scissors.bmp
C:\Program Files (x86)\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
C:\Users\Wayne\AppData\Local\Microsoft\Windows\Temporary Internet Files\index.dat
C:\Users\Wayne\Desktop\Setup.exe
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
D:\AUTORUN.INF

C:\Windows\system32\services.exe . . . is infected!!


((((((((((((((((((((((((( Files Created from 2012-06-18 to 2012-07-18 )))))))))))))))))))))))))))))))


2012-07-17 18:26:28 . 2012-07-17 18:26:45  --------  d-----w-  C:\FRST
2012-07-13 03:39:51 . 2012-07-13 03:39:51  --------  d-----w-  C:\Users\Wayne\AppData\Roaming\Malwarebytes
2012-07-13 03:39:11 . 2012-07-13 03:39:11  --------  d-----w-  C:\ProgramData\Malwarebytes
2012-07-13 03:39:10 . 2012-07-13 03:39:14  --------  d-----w-  C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-07-13 03:39:10 . 2012-07-03 18:46:44  24904  ----a-w-  C:\Windows\system32\drivers\mbam.sys
2012-07-12 04:48:37 . 2012-07-12 04:48:37  --------  d-sh--w-  C:\Windows\SysWow64\%APPDATA%
2012-07-11 00:58:44 . 2012-06-05 16:47:10  708608  ----a-w-  C:\Program Files (x86)\Common Files\System\ado\msado15.dll
2012-07-06 04:01:22 . 2012-07-18 17:33:18  --------  d-----w-  C:\Users\Wayne\AppData\Roaming\Thunderbird
2012-07-04 04:22:17 . 2012-07-04 04:21:36  476936  ----a-w-  C:\Windows\SysWow64\npdeployJava1.dll
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2012-07-12 02:59:01 . 2012-04-15 04:21:10  426184  ----a-w-  C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-12 02:59:01 . 2011-11-01 15:56:53  70344  ----a-w-  C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-11 08:04:47 . 2006-11-02 12:35:00  59701280  ----a-w-  C:\Windows\system32\mrt.exe
2012-07-04 04:21:36 . 2010-05-02 23:43:54  472840  ----a-w-  C:\Windows\SysWow64\deployJava1.dll
2012-06-26 04:15:16 . 2008-12-25 18:31:54  164880  ---ha-w-  C:\Users\Wayne\AppData\Roaming\Microsoft\Virtual PC\VPCKeyboard.dll
2012-05-01 14:29:44 . 2012-06-14 00:53:40  209920  ----a-w-  C:\Windows\system32\drivers\rdpwd.sys
2012-04-23 16:25:30 . 2012-06-14 00:53:15  174592  ----a-w-  C:\Windows\system32\cryptsvc.dll
2012-04-23 16:25:30 . 2012-06-14 00:53:15  132096  ----a-w-  C:\Windows\system32\cryptnet.dll
2012-04-23 16:25:30 . 2012-06-14 00:53:15  1267200  ----a-w-  C:\Windows\system32\crypt32.dll
2012-04-23 16:00:53 . 2012-06-14 00:53:15  984064  ----a-w-  C:\Windows\SysWow64\crypt32.dll
2012-04-23 16:00:53 . 2012-06-14 00:53:15  133120  ----a-w-  C:\Windows\SysWow64\cryptsvc.dll
2012-04-23 16:00:53 . 2012-06-14 00:53:14  98304  ----a-w-  C:\Windows\SysWow64\cryptnet.dll


------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.

[7] 2009-04-11 07:10:50 . 934E0B7D77FF78C18D9F8891221B6DE3 . 384512 . . [6.0.6002.18005 (lh_sp2rtm.090410-1830)] .. C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[7] 2008-01-21 02:48:47 . DFAC660F0F139276CC9299812DE42719 . 384512 . . [6.0.6001.18000 (longhorn_rtm.080118-1840)] .. C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[-] 2009-04-11 07:10:50 . B8844F93D2C5F1DCDB179AAA9AF134B7 . 381952 . . [6.0.6000.16386 (vista_rtm.061101-2205)] .. C:\Windows\system32\services.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{36a4bdcd-d5b5-4618-b144-e335d0f3d381}"= "C:\Program Files (x86)\EvonyNet\tbEvo0.dll" [2010-09-12 19:24:44 2735200]

[HKEY_CLASSES_ROOT\clsid\{36a4bdcd-d5b5-4618-b144-e335d0f3d381}]

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}]
2009-11-08 15:55:32  297808  ----a-w-  C:\Windows\System32\mscoree.dll

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{36a4bdcd-d5b5-4618-b144-e335d0f3d381}]
2010-09-12 19:24:44  2735200  ----a-w-  C:\Program Files (x86)\EvonyNet\tbEvo0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{36a4bdcd-d5b5-4618-b144-e335d0f3d381}"= "C:\Program Files (x86)\EvonyNet\tbEvo0.dll" [2010-09-12 19:24:44 2735200]

[HKEY_CLASSES_ROOT\clsid\{36a4bdcd-d5b5-4618-b144-e335d0f3d381}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2009-04-11 07:10:53 1555968]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-21 02:50:36 138240]
"Speech Recognition"="C:\Windows\Speech\Common\sapisvr.exe" [2008-01-21 02:48:42 41984]
"TomTomHOME.exe"="C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [2012-01-23 04:43:08 247728]
"OpenDNS Updater"="C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 21:42:58 839680]
"swg"="C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-03 22:40:49 39408]
"Browser Infrastructure Helper"="C:\Users\Wayne\AppData\Local\Smartbar\Application\Smartbar.exe" [2012-02-28 00:03:24 19272]
"Optimizer Pro"="C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe" [2012-01-02 23:15:28 81912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"OEM02Mon.exe"="C:\Windows\OEM02Mon.exe" [2007-05-10 07:01:00 36864]
"DELL Webcam Manager"="C:\Program Files (x86)\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 22:43:34 118784]
"PCMService"="C:\Program Files (x86)\Dell\MediaDirect\PCMService.exe" [2007-12-21 16:58:06 184320]
"ArcSoft Connection Service"="C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 01:17:52 207424]
"Microsoft Default Manager"="C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 19:12:28 439568]
"Adobe Reader Speed Launcher"="C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-04-04 05:53:56 35736]
"Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 07:37:53 843712]
"AVG_TRAY"="C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2012-04-05 10:12:34 2587008]
"PlusService"="C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe" [2012-02-27 20:43:07 801792]
"APSDaemon"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 12:22:28 59240]
"QuickTime Task"="C:\Program Files (x86)\QuickTime\QTTask.exe" [2011-10-24 19:28:52 421888]
"SunJavaUpdateSched"="C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 20:02:04 254696]
"Malwarebytes' Anti-Malware"="C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 18:46:44 462920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-14 13:43:07 559616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" [2012-03-08 23:50:28 4280184]

C:\Users\Wayne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\Belkin\Bluetooth Software\BTTray.exe [2007-2-27 982320]
Kodak EasyShare software.lnk - C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
Secunia PSI Tray.lnk - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe [2011-10-14 291896]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute  REG_MULTI_SZ  autocheck autochk *\0C:\PROGRA~2\AVG\AVG2012\avgrsa.exe /sync /restart

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-12 02:59:02 250056]
S2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 13:10:42 63928]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ALSYSIO
*NewlyCreated* - WS2IFSL

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NETSVCS REQUIRES REPAIRS - current entries shown

Rebuilding ... You need to reboot your machine for this to take effect.

AeLookupSvc
AppMgmt
AudioSrv
BITS
CertPropSvc
FastUserSwitchingCompatibility
gpsvc
helpsvc
Ias
iphlpsvc
Irmon
lanmanserver
LogonHours
msiscsi
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
PCAudit
Rasauto
Rasman
Remoteaccess
schedule
SCPolicySvc
SENS
SessionEnv
Sharedaccess
ShellHWDetection
SRService
Tapisrv
TermService
uploadmgr
winmgmt
WmdmPmSp
Wmi
wuauserv

Contents of the 'Scheduled Tasks' folder

2012-07-18 C:\Windows\Tasks\Adobe Flash Player Updater.job
- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 04:21:10 . 2012-07-12 02:59:02]

2012-07-18 C:\Windows\Tasks\Google Software Updater.job
- C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-03 22:40:46 . 2011-09-15 23:45:46]

2012-07-18 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-04-17 02:04:02 . 2009-04-17 02:03:49]

2012-07-18 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1640899211-619604783-1113738171-1000Core.job
- C:\Users\Wayne\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-01 22:57:04 . 2010-12-01 22:57:02]

2012-07-18 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1640899211-619604783-1113738171-1000UA.job
- C:\Users\Wayne\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-01 22:57:04 . 2010-12-01 22:57:02]

2012-07-13 C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
- C:\Program Files\Dell Support Center\uaclauncher.exe [2011-10-06 20:32:18 . 2011-10-06 20:32:18]

2012-07-18 C:\Windows\Tasks\SystemToolsDailyTest.job
- C:\Program Files\Dell Support Center\uaclauncher.exe [2011-10-06 20:32:18 . 2011-10-06 20:32:18]


--------- X64 Entries -----------

Thanks,
Wayne
 
Here is the latest log:

ComboFix 12-07-18.04 - Wayne 07/18/2012 20:31:58.3.2 - x64
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.4085.1602 [GMT -5:00]
Running from: c:\users\Wayne\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L\00000004.@
c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\00000004.@
c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\00000008.@
c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\000000cb.@
c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\80000000.@
c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\80000032.@
c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\80000064.@
.
---- Previous Run -------
.
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\@
c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L\00000004.@
c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L\1afb2d56
c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L\201d3dde
c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\00000004.@
c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\00000008.@
c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\000000cb.@
c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\80000000.@
c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\80000032.@
c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\80000064.@
.
c:\windows\system32\services.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-06-19 to 2012-07-19 )))))))))))))))))))))))))))))))
.
.
2012-07-17 18:26 . 2012-07-17 18:26  --------  d-----w-  C:\FRST
2012-07-13 03:39 . 2012-07-13 03:39  --------  d-----w-  c:\users\Wayne\AppData\Roaming\Malwarebytes
2012-07-13 03:39 . 2012-07-13 03:39  --------  d-----w-  c:\programdata\Malwarebytes
2012-07-13 03:39 . 2012-07-13 03:39  --------  d-----w-  c:\program files (x86)\Malwarebytes' Anti-Malware
2012-07-13 03:39 . 2012-07-03 18:46  24904  ----a-w-  c:\windows\system32\drivers\mbam.sys
2012-07-12 04:48 . 2012-07-12 04:48  --------  d-sh--w-  c:\windows\SysWow64\%APPDATA%
2012-07-11 00:58 . 2012-06-05 16:47  708608  ----a-w-  c:\program files (x86)\Common Files\System\ado\msado15.dll
2012-07-06 04:01 . 2012-07-19 00:16  --------  d-----w-  c:\users\Wayne\AppData\Roaming\Thunderbird
2012-07-04 04:22 . 2012-07-04 04:21  476936  ----a-w-  c:\windows\SysWow64\npdeployJava1.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-12 02:59 . 2012-04-15 04:21  426184  ----a-w-  c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-12 02:59 . 2011-11-01 15:56  70344  ----a-w-  c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-11 08:04 . 2006-11-02 12:35  59701280  ----a-w-  c:\windows\system32\mrt.exe
2012-07-04 04:21 . 2010-05-02 23:43  472840  ----a-w-  c:\windows\SysWow64\deployJava1.dll
2012-06-26 04:15 . 2008-12-25 18:31  164880  ---ha-w-  c:\users\Wayne\AppData\Roaming\Microsoft\Virtual PC\VPCKeyboard.dll
2012-05-01 14:29 . 2012-06-14 00:53  209920  ----a-w-  c:\windows\system32\drivers\rdpwd.sys
2012-04-23 16:25 . 2012-06-14 00:53  174592  ----a-w-  c:\windows\system32\cryptsvc.dll
2012-04-23 16:25 . 2012-06-14 00:53  132096  ----a-w-  c:\windows\system32\cryptnet.dll
2012-04-23 16:25 . 2012-06-14 00:53  1267200  ----a-w-  c:\windows\system32\crypt32.dll
2012-04-23 16:00 . 2012-06-14 00:53  984064  ----a-w-  c:\windows\SysWow64\crypt32.dll
2012-04-23 16:00 . 2012-06-14 00:53  133120  ----a-w-  c:\windows\SysWow64\cryptsvc.dll
2012-04-23 16:00 . 2012-06-14 00:53  98304  ----a-w-  c:\windows\SysWow64\cryptnet.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-04-11 . 934E0B7D77FF78C18D9F8891221B6DE3 . 384512 . . [6.0.6002.18005] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[7] 2008-01-21 . DFAC660F0F139276CC9299812DE42719 . 384512 . . [6.0.6001.18000] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[-] 2009-04-11 . B8844F93D2C5F1DCDB179AAA9AF134B7 . 381952 . . [6.0.6000.16386] .. c:\windows\system32\services.exe
.
((((((((((((((((((((((((((((( SnapShot@2012-07-18_18.12.13 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-07-12 04:50 . 2012-07-18 17:46  65536  c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2012-07-12 04:50 . 2012-07-18 20:59  65536  c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2008-12-24 16:29 . 2012-07-18 23:19  19266  c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1640899211-619604783-1113738171-1000_UserData.bin
+ 2008-01-21 03:19 . 2012-07-18 23:17  786432  c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-21 03:19 . 2012-07-18 17:53  786432  c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-07-12 04:48 . 2012-07-18 21:00  262144  c:\windows\SysWOW64\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
- 2012-07-12 04:48 . 2012-07-18 17:45  262144  c:\windows\SysWOW64\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
+ 2008-12-25 18:18 . 2012-07-18 22:56  406814  c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2006-11-02 15:44 . 2012-07-18 23:19  110812  c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 12:46 . 2012-07-18 23:23  660368  c:\windows\system32\perfh009.dat
- 2006-11-02 12:46 . 2012-07-18 17:27  660368  c:\windows\system32\perfh009.dat
- 2006-11-02 12:46 . 2012-07-18 17:27  126010  c:\windows\system32\perfc009.dat
+ 2006-11-02 12:46 . 2012-07-18 23:23  126010  c:\windows\system32\perfc009.dat
- 2008-01-21 03:19 . 2012-07-18 17:53  6127616  c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:19 . 2012-07-18 23:17  6127616  c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:19 . 2012-07-18 17:53  16187392  c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 03:19 . 2012-07-18 23:17  16187392  c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{36a4bdcd-d5b5-4618-b144-e335d0f3d381}"= "c:\program files (x86)\EvonyNet\tbEvo0.dll" [2010-09-12 2735200]
.
[HKEY_CLASSES_ROOT\clsid\{36a4bdcd-d5b5-4618-b144-e335d0f3d381}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}]
2009-11-08 15:55  297808  ----a-w-  c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{36a4bdcd-d5b5-4618-b144-e335d0f3d381}]
2010-09-12 19:24  2735200  ----a-w-  c:\program files (x86)\EvonyNet\tbEvo0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{36a4bdcd-d5b5-4618-b144-e335d0f3d381}"= "c:\program files (x86)\EvonyNet\tbEvo0.dll" [2010-09-12 2735200]
.
[HKEY_CLASSES_ROOT\clsid\{36a4bdcd-d5b5-4618-b144-e335d0f3d381}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2008-01-21 41984]
"TomTomHOME.exe"="c:\program files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [2012-01-23 247728]
"CollaborationHost"="c:\windows\system32\p2phost.exe" [BU]
"OpenDNS Updater"="c:\program files (x86)\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 839680]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-03 39408]
"Browser Infrastructure Helper"="c:\users\Wayne\AppData\Local\Smartbar\Application\Smartbar.exe" [2012-02-28 19272]
"Optimizer Pro"="c:\program files (x86)\Optimizer Pro\OptProLauncher.exe" [2012-01-02 81912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"DELL Webcam Manager"="c:\program files (x86)\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"dellsupportcenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [BU]
"PCMService"="c:\program files (x86)\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-04-04 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"SelectRebates"="c:\program files (x86)\SelectRebates\SelectRebates.exe" [BU]
"PlusService"="c:\program files (x86)\Yuna Software\Messenger Plus!\PlusService.exe" [2012-02-27 801792]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-14 559616]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2012-03-08 4280184]
.
c:\users\Wayne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\Belkin\Bluetooth Software\BTTray.exe [2007-2-27 982320]
Kodak EasyShare software.lnk - c:\program files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
Secunia PSI Tray.lnk - c:\program files (x86)\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute  REG_MULTI_SZ  autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-12 250056]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 02:59]
.
2012-07-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-03 23:45]
.
2012-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-04-17 02:03]
.
2012-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1640899211-619604783-1113738171-1000Core.job
- c:\users\Wayne\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-01 22:57]
.
2012-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1640899211-619604783-1113738171-1000UA.job
- c:\users\Wayne\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-01 22:57]
.
2012-07-13 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-10-06 20:32]
.
2012-07-18 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-10-06 20:32]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}]
2009-11-08 15:55  444752  ----a-w-  c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-02 3863040]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 138264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 203800]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 168472]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-25 174616]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-05 2320752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.plusnetwork.com
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: &ieSpell Options - c:\program files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Check &Spelling - c:\program files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files (x86)\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files (x86)\ieSpell\wikipedia.HTM
IE: Send image to &Bluetooth Device... - c:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\Belkin\Bluetooth Software\btsendto_ie.htm
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.0.200 216.165.129.157
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{36A4BDCD-D5B5-4618-B144-E335D0F3D381} - (no file)
AddRemove-SLABCOMM&10C4&EA60 - c:\windows\system32\Silabs\DriverUninstaller.exe VCP CP210x Cardinal\SLABCOMM&10C4&EA60
AddRemove-Adobe ConnectNow Add-in - c:\users\Wayne\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\acaddin\acaddin.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-07-18 20:52:16
ComboFix-quarantined-files.txt 2012-07-19 01:52
.
Pre-Run: 60,408,598,528 bytes free
Post-Run: 60,475,002,880 bytes free
.
- - End Of File - - 0D3AA42741868526E754DA703EB90864
 
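A note for anyone reading this thread later, with an added example that is not part of the original posts or of ComboFix itself. The Sigcheck block in the log above is what tells the story: in ComboFix's notation a bracketed digit such as `[7]` marks a file that passed its signature check and `[-]` one that did not. The copy of services.exe actually in use is the `[-]` line; it is 381952 bytes where both signed WinSxS copies are 384512, and it reports version 6.0.6000.16386 on a machine whose log header says 6.0.6002 (SP2). The script below parses those three lines (embedded as constructed sample input copied from the log) and applies that comparison mechanically; the record layout it accepts also covers the variant with full timestamps and build strings seen earlier in the thread. The `SigRecord`, `parse_sigcheck` and `triage` names are mine.

```python
"""Triage of a ComboFix 'Sigcheck' section.

Added example, not part of the original thread or of ComboFix itself.
Rule applied: the copy of a system binary in use must pass the signature
check and must match one of the signed side-by-side (WinSxS) copies.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: the three Sigcheck lines from the ComboFix log above.
SIGCHECK_SAMPLE = r"""
[7] 2009-04-11 . 934E0B7D77FF78C18D9F8891221B6DE3 . 384512 . . [6.0.6002.18005] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[7] 2008-01-21 . DFAC660F0F139276CC9299812DE42719 . 384512 . . [6.0.6001.18000] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[-] 2009-04-11 . B8844F93D2C5F1DCDB179AAA9AF134B7 . 381952 . . [6.0.6000.16386] .. c:\windows\system32\services.exe
"""

# One Sigcheck record: [flag] date . MD5 . size . . [version] .. path
# The date may carry a time and the version a build string, as in the
# earlier log in this thread; both forms are accepted.
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}(?:\s+\d{2}:\d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<ver>[^\]]+)\]\s+\.\.\s+"
    r"(?P<path>\S.*?)\s*$"
)


@dataclass
class SigRecord:
    signed: bool                 # True unless ComboFix printed "[-]"
    md5: str
    size: int
    version: Tuple[int, ...]
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def in_winsxs(self) -> bool:
        return "\\winsxs\\" in self.path.lower()


def parse_version(text: str) -> Tuple[int, ...]:
    # "6.0.6002.18005 (lh_sp2rtm.090410-1830)" -> (6, 0, 6002, 18005)
    return tuple(int(p) for p in text.split()[0].split("."))


def parse_sigcheck(text: str) -> List[SigRecord]:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # headers, notes, blank lines
        records.append(SigRecord(
            signed=m["flag"] != "-",
            md5=m["md5"].upper(),
            size=int(m["size"]),
            version=parse_version(m["ver"]),
            path=m["path"],
        ))
    return records


def triage(records: List[SigRecord]) -> Dict[str, dict]:
    """For each binary, compare the copy in use with the signed WinSxS copies."""
    by_name: Dict[str, List[SigRecord]] = {}
    for r in records:
        by_name.setdefault(r.name, []).append(r)
    report = {}
    for name, group in by_name.items():
        live = [r for r in group if not r.in_winsxs]
        refs = [r for r in group if r.in_winsxs and r.signed]
        if not live:
            continue
        live_rec = live[0]
        ref_md5s = {r.md5 for r in refs}
        newest = max((r.version for r in refs), default=None)
        reasons = []
        if not live_rec.signed:
            reasons.append("in-use copy fails signature check")
        if refs and live_rec.md5 not in ref_md5s:
            reasons.append("in-use copy matches no signed WinSxS copy")
        if newest and live_rec.version < newest:
            reasons.append("in-use copy is older than the installed servicing level")
        report[name] = {
            "live_signed": live_rec.signed,
            "matches_reference": live_rec.md5 in ref_md5s,
            "newest_reference_version": newest,
            "reasons": reasons,
            "verdict": "suspect" if reasons else "consistent",
        }
    return report


if __name__ == "__main__":
    for name, finding in triage(parse_sigcheck(SIGCHECK_SAMPLE)).items():
        print(name, finding["verdict"], "; ".join(finding["reasons"]))
```

On the sample it reports services.exe as suspect for all three reasons. The version comparison is the one a human most often skips: a system32 copy that claims an older version than every WinSxS copy of the same component is inconsistent on its own, before the signature or hash is even considered.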
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    services.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
Here is the requested log:

SystemLook 30.07.11 by jpshortstuff
Log created at 08:47 on 19/07/2012 by Wayne
Administrator - Elevation successful

========== filefind ==========

Searching for "services.exe"
C:\Windows\System32\services.exe  --a----  381952 bytes  [03:19 11/09/2009]  [07:10 11/04/2009]  B8844F93D2C5F1DCDB179AAA9AF134B7
C:\Windows\SysWOW64\services.exe  --a----  279552 bytes  [03:19 11/09/2009]  [06:27 11/04/2009]  D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe  --a----  384512 bytes  [02:48 21/01/2008]  [02:48 21/01/2008]  DFAC660F0F139276CC9299812DE42719
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe  --a----  384512 bytes  [03:19 11/09/2009]  [07:10 11/04/2009]  934E0B7D77FF78C18D9F8891221B6DE3
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe  --a----  279040 bytes  [02:49 21/01/2008]  [02:49 21/01/2008]  2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe  --a----  279552 bytes  [03:19 11/09/2009]  [06:27 11/04/2009]  D4E6D91C1349B7BFB3599A6ADA56851B

-= EOF =-
 
ComboFix Script

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    killall::

    ClearJavaCache::

    Fcopy::
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe | c:\windows\system32\services.exe
    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    CFScriptB-4.gif

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.
 
I created the script file and used it to run ComboFix. After it finished its thing, it rebooted my system. As it is now, it will not start Windows. I have tried Safe Mode both with and without command prompt. I always just get a blank screen. The mouse cursor is visible and does respond, but that is all.

What do I do now?
 
Very strange.

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.
 
Yes, it is strange, as I know that you folks are good at what you do. I was hoping that I would hear back from you a little sooner, and I know that you probably have a full plate. I needed to get my system back to a state where at least Windows was running, and I just received your reply. To that end I pulled out the DVD and booted from it. It is at the same service pack that the machine is. Seeing that the script copied another SERVICES.EXE over to the system folder, I deduced that was the issue. I got to the command prompt and copied the file from the DVD to the HD, after renaming the current one. The system rebooted just fine and ComboFix finished its job. There is now a log file from it.

I have not had AVG or MalwareBytes flag anything yet. I have AVG running a full scan to double check. If you wish, I can still post the ComboFix.txt file for you. I also understand that you may want to run some other process to check the system again. Please let me know if that is the case.
 
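Added example, not from the thread or from any of the tools used in it: the check a responder would want before copying a replacement over c:\windows\system32\services.exe on a 64-bit install. On x64 Windows, System32 holds the 64-bit binaries and SysWOW64 the 32-bit ones, and the WinSxS component directories encode the same thing in their name: an `amd64_` prefix for a 64-bit image, `x86_` for a 32-bit one, with the assembly version further along. services.exe is started by wininit.exe before any desktop exists, so a mismatched image there is only discovered at the next boot, as the posts above show. The script takes the six paths from the SystemLook output, rejects any candidate whose architecture or servicing level does not match the destination and the running OS (6.0.6002 per the ComboFix header), and confirms the architecture from the PE header's Machine field rather than trusting the folder name. The PE images in it are minimal constructed stubs carrying only the MZ/PE headers, not real executables, and `vet_replacement`, `pe_machine`, `build_stub_pe` and `shortlist` are my names.

```python
"""Vet a replacement system binary before copying it into place.

Added example, not part of the original thread or of ComboFix/SystemLook.
Runs offline on the paths from the SystemLook log and on constructed PE
header stubs; pass real file bytes as candidate_bytes to check a real file.
"""
import re
import struct
from typing import List, Optional, Tuple

# Destination and candidates, as listed in the SystemLook output above.
DEST = r"C:\Windows\System32\services.exe"
CANDIDATES = [
    r"C:\Windows\SysWOW64\services.exe",
    r"C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe",
    r"C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe",
    r"C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe",
    r"C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe",
]
OS_BUILD = (6, 0, 6002)          # ComboFix header "6.0.6002.2...." (Vista SP2)

IMAGE_FILE_MACHINE = {0x014C: "x86", 0x8664: "amd64"}
# WinSxS component directory: <arch>_<name>_<pubkey>_<version>_<lang>_<hash>
WINSXS_RE = re.compile(r"\\winsxs\\(amd64|x86)_.*?_(\d+\.\d+\.\d+\.\d+)_")


def arch_from_path(path: str, os_x64: bool = True) -> Optional[str]:
    """Architecture implied by where a file lives on a 64-bit Windows install."""
    low = path.lower()
    m = WINSXS_RE.search(low)
    if m:
        return m.group(1)
    if "\\syswow64\\" in low:
        return "x86"
    if "\\system32\\" in low:
        return "amd64" if os_x64 else "x86"
    return None


def assembly_version_from_path(path: str) -> Optional[Tuple[int, ...]]:
    m = WINSXS_RE.search(path.lower())
    return tuple(int(p) for p in m.group(2).split(".")) if m else None


def pe_machine(data: bytes) -> str:
    """Read IMAGE_FILE_HEADER.Machine; refuses anything that is not an MZ/PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return IMAGE_FILE_MACHINE.get(machine, f"unknown(0x{machine:04x})")


def build_stub_pe(machine: int) -> bytes:
    """Constructed fixture: MZ header, e_lfanew, PE signature and Machine only."""
    e_lfanew = 0x80
    img = bytearray(e_lfanew + 24)          # room for the 20-byte file header
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", img, e_lfanew + 4, machine)
    return bytes(img)


def vet_replacement(dest: str, candidate: str, candidate_bytes: Optional[bytes] = None,
                    os_build: Tuple[int, ...] = OS_BUILD,
                    os_x64: bool = True) -> Tuple[bool, List[str]]:
    """Return (ok, problems) for copying candidate over dest."""
    problems = []
    want = arch_from_path(dest, os_x64)
    claimed = arch_from_path(candidate, os_x64)
    if claimed != want:
        problems.append(f"folder says {claimed}, destination needs {want}")
    ver = assembly_version_from_path(candidate)
    if ver is not None and ver[:3] != tuple(os_build[:3]):
        problems.append(f"assembly version {'.'.join(map(str, ver))} is not the running servicing level")
    if candidate_bytes is not None:                # trust the header, not the folder name
        actual = pe_machine(candidate_bytes)
        if actual != want:
            problems.append(f"PE header says {actual}, destination needs {want}")
    return (not problems, problems)


def shortlist(dest: str = DEST, candidates: List[str] = CANDIDATES) -> List[str]:
    """Candidates that pass the path-level checks; still verify bytes before copying."""
    return [c for c in candidates if vet_replacement(dest, c)[0]]


if __name__ == "__main__":
    for c in CANDIDATES:
        ok, why = vet_replacement(DEST, c)
        print("OK  " if ok else "SKIP", c.split("\\")[-2][:48], "; ".join(why))
```

On the six paths only the `amd64_...6.0.6002.18005` copy survives: the SysWOW64 copy and both `x86_` copies are 32-bit, and the `amd64_...6.0.6001.18000` copy is from the previous service pack. Running `pe_machine` over the chosen file's bytes before the copy closes the remaining gap, since a renamed or planted file can sit in a directory whose name says otherwise.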
ComboFix 12-07-18.04 - Wayne 07/19/2012 14:05:53.4.2 - x64
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.4085.1808 [GMT -5:00]
Running from: c:\users\Wayne\Desktop\ComboFix.exe
Command switches used :: c:\users\Wayne\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Wayne\AppData\Local\Temp\nscFBA.tmp\newadvsplash.dll
c:\users\Wayne\AppData\Local\Temp\nscFBA.tmp\registry.dll
c:\users\Wayne\AppData\Local\Temp\nscFBA.tmp\System.dll
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe --> c:\windows\system32\services.exe
.
((((((((((((((((((((((((( Files Created from 2012-06-20 to 2012-07-20 )))))))))))))))))))))))))))))))
.
.
2012-07-20 20:05 . 2008-01-19 08:00  384512  ----a-w-  c:\windows\system32\services.exe
2012-07-19 19:20 . 2012-07-19 19:20  --------  d-----w-  c:\users\Default\AppData\Local\temp
2012-07-19 19:20 . 2012-07-19 19:20  --------  d-----w-  c:\users\Administrator\AppData\Local\temp
2012-07-19 14:15 . 2012-07-19 14:15  --------  d-----w-  c:\users\Wayne\AppData\Local\Thunderbird
2012-07-17 18:26 . 2012-07-17 18:26  --------  d-----w-  C:\FRST
2012-07-13 03:39 . 2012-07-13 03:39  --------  d-----w-  c:\users\Wayne\AppData\Roaming\Malwarebytes
2012-07-13 03:39 . 2012-07-13 03:39  --------  d-----w-  c:\programdata\Malwarebytes
2012-07-13 03:39 . 2012-07-13 03:39  --------  d-----w-  c:\program files (x86)\Malwarebytes' Anti-Malware
2012-07-13 03:39 . 2012-07-03 18:46  24904  ----a-w-  c:\windows\system32\drivers\mbam.sys
2012-07-12 04:48 . 2012-07-12 04:48  --------  d-sh--w-  c:\windows\SysWow64\%APPDATA%
2012-07-11 00:58 . 2012-06-05 16:47  708608  ----a-w-  c:\program files (x86)\Common Files\System\ado\msado15.dll
2012-07-06 04:01 . 2012-07-19 14:15  --------  d-----w-  c:\users\Wayne\AppData\Roaming\Thunderbird
2012-07-04 04:22 . 2012-07-04 04:21  476936  ----a-w-  c:\windows\SysWow64\npdeployJava1.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-12 02:59 . 2012-04-15 04:21  426184  ----a-w-  c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-12 02:59 . 2011-11-01 15:56  70344  ----a-w-  c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-11 08:04 . 2006-11-02 12:35  59701280  ----a-w-  c:\windows\system32\mrt.exe
2012-07-04 04:21 . 2010-05-02 23:43  472840  ----a-w-  c:\windows\SysWow64\deployJava1.dll
2012-06-26 04:15 . 2008-12-25 18:31  164880  ---ha-w-  c:\users\Wayne\AppData\Roaming\Microsoft\Virtual PC\VPCKeyboard.dll
2012-05-01 14:29 . 2012-06-14 00:53  209920  ----a-w-  c:\windows\system32\drivers\rdpwd.sys
2012-04-23 16:25 . 2012-06-14 00:53  174592  ----a-w-  c:\windows\system32\cryptsvc.dll
2012-04-23 16:25 . 2012-06-14 00:53  132096  ----a-w-  c:\windows\system32\cryptnet.dll
2012-04-23 16:25 . 2012-06-14 00:53  1267200  ----a-w-  c:\windows\system32\crypt32.dll
2012-04-23 16:00 . 2012-06-14 00:53  984064  ----a-w-  c:\windows\SysWow64\crypt32.dll
2012-04-23 16:00 . 2012-06-14 00:53  133120  ----a-w-  c:\windows\SysWow64\cryptsvc.dll
2012-04-23 16:00 . 2012-06-14 00:53  98304  ----a-w-  c:\windows\SysWow64\cryptnet.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-18_18.12.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-12 04:50 . 2012-07-18 20:59  65536  c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
- 2012-07-12 04:50 . 2012-07-18 17:46  65536  c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2008-12-24 16:29 . 2012-07-20 17:09  19326  c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1640899211-619604783-1113738171-1000_UserData.bin
- 2008-01-21 03:19 . 2012-07-18 17:53  786432  c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:19 . 2012-07-20 17:06  786432  c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-07-12 04:48 . 2012-07-18 17:45  262144  c:\windows\SysWOW64\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
+ 2012-07-12 04:48 . 2012-07-18 21:00  262144  c:\windows\SysWOW64\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
+ 2008-12-25 18:18 . 2012-07-19 13:20  407286  c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2006-11-02 15:44 . 2012-07-20 17:09  111020  c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2006-11-02 12:46 . 2012-07-18 17:27  660368  c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-07-19 16:02  660368  c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-07-19 16:02  126010  c:\windows\system32\perfc009.dat
- 2006-11-02 12:46 . 2012-07-18 17:27  126010  c:\windows\system32\perfc009.dat
- 2010-11-21 16:13 . 2012-07-18 17:08  425268  c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2010-11-21 16:13 . 2012-07-19 19:21  425268  c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2008-01-21 03:19 . 2012-07-20 17:06  6127616  c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:19 . 2012-07-18 17:53  6127616  c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-01 09:05 . 2012-07-18 17:08  4650384  c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-01-01 09:05 . 2012-07-19 19:21  4650384  c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2010-11-21 16:13 . 2012-07-19 19:21  6840766  c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1640899211-619604783-1113738171-1000-8192.dat
- 2010-11-21 16:13 . 2012-07-18 17:08  6840766  c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1640899211-619604783-1113738171-1000-8192.dat
+ 2008-01-21 03:19 . 2012-07-20 17:06  16187392  c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-21 03:19 . 2012-07-18 17:53  16187392  c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{36a4bdcd-d5b5-4618-b144-e335d0f3d381}"= "c:\program files (x86)\EvonyNet\tbEvo0.dll" [2010-09-12 2735200]
.
[HKEY_CLASSES_ROOT\clsid\{36a4bdcd-d5b5-4618-b144-e335d0f3d381}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}]
2009-11-08 15:55  297808  ----a-w-  c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{36a4bdcd-d5b5-4618-b144-e335d0f3d381}]
2010-09-12 19:24  2735200  ----a-w-  c:\program files (x86)\EvonyNet\tbEvo0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{36a4bdcd-d5b5-4618-b144-e335d0f3d381}"= "c:\program files (x86)\EvonyNet\tbEvo0.dll" [2010-09-12 2735200]
.
[HKEY_CLASSES_ROOT\clsid\{36a4bdcd-d5b5-4618-b144-e335d0f3d381}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2008-01-21 41984]
"TomTomHOME.exe"="c:\program files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [2012-01-23 247728]
"CollaborationHost"="c:\windows\system32\p2phost.exe" [BU]
"OpenDNS Updater"="c:\program files (x86)\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 839680]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-03 39408]
"Browser Infrastructure Helper"="c:\users\Wayne\AppData\Local\Smartbar\Application\Smartbar.exe" [2012-02-28 19272]
"Optimizer Pro"="c:\program files (x86)\Optimizer Pro\OptProLauncher.exe" [2012-01-02 81912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"DELL Webcam Manager"="c:\program files (x86)\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"dellsupportcenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [BU]
"PCMService"="c:\program files (x86)\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-04-04 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"SelectRebates"="c:\program files (x86)\SelectRebates\SelectRebates.exe" [BU]
"PlusService"="c:\program files (x86)\Yuna Software\Messenger Plus!\PlusService.exe" [2012-02-27 801792]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-14 559616]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2012-03-08 4280184]
.
c:\users\Wayne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\Belkin\Bluetooth Software\BTTray.exe [2007-2-27 982320]
Kodak EasyShare software.lnk - c:\program files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
Secunia PSI Tray.lnk - c:\program files (x86)\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute  REG_MULTI_SZ  autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-12 250056]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 02:59]
.
2012-07-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-03 23:45]
.
2012-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-04-17 02:03]
.
2012-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1640899211-619604783-1113738171-1000Core.job
- c:\users\Wayne\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-01 22:57]
.
2012-07-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1640899211-619604783-1113738171-1000UA.job
- c:\users\Wayne\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-01 22:57]
.
2012-07-13 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-10-06 20:32]
.
2012-07-20 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-10-06 20:32]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}]
2009-11-08 15:55  444752  ----a-w-  c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-02 3863040]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 138264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 203800]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 168472]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-25 174616]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-05 2320752]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.plusnetwork.com
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: &ieSpell Options - c:\program files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Check &Spelling - c:\program files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files (x86)\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files (x86)\ieSpell\wikipedia.HTM
IE: Send image to &Bluetooth Device... - c:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\Belkin\Bluetooth Software\btsendto_ie.htm
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 216.165.129.158 216.170.153.146
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{36A4BDCD-D5B5-4618-B144-E335D0F3D381} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files (x86)\Secunia\PSI\PSIA.exe
c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE
c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe
c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe
c:\program files (x86)\AVG\AVG PC Tuneup\BoostSpeed.exe
c:\program files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
c:\program files (x86)\Optimizer Pro\OptProSmartScan.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
c:\program files (x86)\Optimizer Pro\OptProReminder.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.bin
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
c:\program files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
.
**************************************************************************
.
Completion time: 2012-07-20 12:24:20 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-20 17:24
ComboFix2.txt 2012-07-19 01:52
.
Pre-Run: 59,414,577,152 bytes free
Post-Run: 59,533,750,272 bytes free
.
- - End Of File - - 18342A2180E2F73F6C37CB33EAC76F2C
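The FCopy line in the ComboFix log above restored services.exe from the WinSxS component store after the Win64/Patched.A detection. The script below is an added example, not part of the thread and not code from ComboFix or FRST, showing how a defender can confirm afterwards that the live services.exe is the unmodified file: it hashes the binary, looks for a byte-identical copy in the component store, and reports the Authenticode status. It assumes an elevated 64-bit PowerShell (2.0 or later) on the affected machine; the helper function name and the use of SHA-256 are choices made here, not anything the thread prescribes.

```powershell
# Added example (not part of the thread, ComboFix or FRST): after a "Patched" detection
# and a restore of services.exe, confirm the live binary matches a component-store copy
# and report its Authenticode status. Run from an elevated 64-bit PowerShell so that
# System32 is not silently redirected to SysWOW64.

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing keeps this usable on PowerShell 2.0, which has no Get-FileHash
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return (($bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

function Test-RestoredSystemFile {
    param([string]$FileName = 'services.exe')

    $live     = Join-Path $env:windir "System32\$FileName"
    $liveHash = Get-Sha256Hex -Path $live
    $sig      = Get-AuthenticodeSignature -FilePath $live

    # Every copy of the same file name in the WinSxS store; ComboFix's FCopy line
    # restored services.exe from one of these directories. Walking WinSxS is slow.
    $sxsRoot = Join-Path $env:windir 'winsxs'
    $copies  = Get-ChildItem -Path $sxsRoot -Recurse -Filter $FileName -ErrorAction SilentlyContinue |
               Where-Object { -not $_.PSIsContainer }

    $sameHash = @()
    foreach ($copy in $copies) {
        if ((Get-Sha256Hex -Path $copy.FullName) -eq $liveHash) { $sameHash += $copy.FullName }
    }

    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    New-Object PSObject -Property @{
        File              = $live
        Sha256            = $liveHash
        FileVersion       = (Get-Item $live).VersionInfo.FileVersion
        SignatureStatus   = $sig.Status
        Signer            = $signer
        MatchingSxsCopies = $sameHash   # empty list = no pristine copy matches the live file
    }
}

Test-RestoredSystemFile | Format-List
```

Read the result with one caveat: on Vista most Windows binaries are signed through catalog files, and Get-AuthenticodeSignature in PowerShell 2.0 only checks embedded signatures, so a NotSigned status there is not by itself evidence of tampering. The catalog check is what `sfc /verifyfile=C:\Windows\System32\services.exe` performs; an empty MatchingSxsCopies list is the stronger warning sign, because a patched file will not match any copy the servicing stack keeps.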
 
ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
 
Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death
 
Everything seems to be operating within "government" standards! Speed is good, no error msgs or fake alerts. All icons are what I expect. Both cores are running at 5-10%, with memory at 72% of the 4 GB. No BSODs, nor did I have any before with this issue.

Thanks so much for lending me a hand. It is rare that I find myself in this position, but at least I know that there are people around that can help.
 
Good news. Let's do some final steps...

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name, i.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive, i.e. C
  • For a few moments the system will make some calculations.
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Tell me in your next reply, if you have completed these tasks:
  • Cleaned System Restore
  • Ran OTC
  • Ran TFC
  • Ran Security Check
Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
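The "Clean up System Restore" steps above create a fresh restore point and then purge the older ones through Disk Cleanup. The script below is an added example, not part of the thread, that does the same two steps from an elevated PowerShell prompt: Checkpoint-Computer creates the restore point, and because restore points are stored as volume shadow copies, the older ones are removed by deleting every shadow copy on the system drive except the newest. It assumes PowerShell 2.0 on Vista and administrator rights; the function names are chosen here.

```powershell
# Added example (not from the thread): the "create a clean restore point, then purge the
# older ones" steps, run from an elevated PowerShell 2.0 prompt instead of the Control
# Panel. Restore points are kept as volume shadow copies, which is why Disk Cleanup's
# "More Options" tab removes them together.

function New-CleanRestorePoint {
    param([string]$Description = 'Clean')
    # Creates the restore point through the SystemRestore WMI provider
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
    # Return the point just created (highest sequence number)
    return (Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1)
}

function Remove-OlderShadowCopies {
    param([string]$DriveLetter = 'C:')
    # Map the drive letter to the \\?\Volume{...}\ name that shadow copies are keyed on
    $volume  = Get-WmiObject -Class Win32_Volume -Filter "DriveLetter='$DriveLetter'"
    $shadows = Get-WmiObject -Class Win32_ShadowCopy |
               Where-Object { $_.VolumeName -eq $volume.DeviceID } |
               Sort-Object InstallDate      # DMTF timestamps sort correctly as strings
    $keep    = $shadows | Select-Object -Last 1   # the newest one backs the clean point
    $removed = 0
    foreach ($shadow in $shadows) {
        if ($shadow.ID -ne $keep.ID) {
            $shadow.Delete()              # same effect as Disk Cleanup's "Clean up" button
            $removed++
        }
    }
    return $removed
}

$point = New-CleanRestorePoint -Description 'Clean'
"Created restore point #$($point.SequenceNumber): $($point.Description)"
"Removed $(Remove-OlderShadowCopies -DriveLetter 'C:') older shadow copies; the newest point is kept."
```

Keeping exactly one point matches what the Disk Cleanup route leaves behind; deleting the newest as well would remove the clean fallback you just created, so the script identifies it by ID before deleting anything.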
 
I ran all 4 processes as listed above. Here is the log from the Security Check step:

Results of screen317's Security Check version 0.99.43
Windows Vista Service Pack 2 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
AVG Anti-Virus Free Edition 2012
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Secunia PSI (2.0.0.4003)
Malwarebytes Anti-Malware version 1.62.0.1300
AVG PC Tuneup
Java(TM) 6 Update 22
Java(TM) 6 Update 33
Java(TM) 6 Update 7
Java version out of Date!
Adobe Flash Player11.3.300.268
Adobe Reader 9 Adobe Reader out of Date!
Adobe Reader X (10.1.3)
Google Chrome 20.0.1132.47
Google Chrome 20.0.1132.57
Google Chrome plugins...
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
AVG avgwdsvc.exe
AVG avgtray.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````
The laptop is running just fine. Can I remove Malwarebytes at this time, or is there more coming from you that will do that?

Wayne
 
Hi. Usually, I like keeping MBAM for additional scans in the future. It might help as a good backup. Otherwise, you can remove it from your programs list as you wish!

Adobe Reader Update!

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

Java Update!

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

Read more about Java exploit problems


Personal Tips on Preventing Malware

See this page for more info about malware and prevention.

Any other questions before I mark this topic solved?
 
I was able to address the Java part, but there is no version 9 listed for Adobe Acrobat Reader. I did find an old version 4 buried in an application sub-dir and removed it. I reran the Security program and it still reports version 9. I did a scan for the file and here is the DIR output:


C:\>dir acrord32.exe /s/p
Volume in drive C is OS
Volume Serial Number is 6EDB-0B0A

Directory of C:\Program Files (x86)\Adobe\Reader 10.0\Reader

04/04/2012 12:53 AM 1,496,472 AcroRd32.exe
1 File(s) 1,496,472 bytes

Directory of C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0

06/06/2011 12:55 PM 1,480,600 AcroRd32.exe
1 File(s) 1,480,600 bytes

Total Files Listed:
2 File(s) 2,977,072 bytes
0 Dir(s) 75,508,473,856 bytes free

C:\>

Both of these are ver 10.x. Could Security be giving us a false positive?

Wayne
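The Security Check log above lists "Adobe Reader 9" next to Reader X, while the dir search finds only 10.x binaries (the $PatchCache$ copy is the Windows Installer baseline cache, not an installed program). The script below is an added example, not part of the thread and not code from Security Check or screen317, for comparing the two sources a version inventory can draw on: the Uninstall registry keys in both the 64-bit and the Wow6432Node view, and the file versions of the AcroRd32.exe binaries actually on disk. It assumes, and this is not documented on this page, that inventory tools of this kind read the Uninstall keys rather than the files, so a stale key left by an incomplete uninstall shows up as an old version; the function names are chosen here.

```powershell
# Added example (not from the thread, Security Check or screen317): list every Adobe
# Reader and Java entry in the Uninstall registry keys, from both the 64-bit and the
# 32-bit (Wow6432Node) view, check whether each entry's install folder still exists,
# and list the file versions of the Reader binaries present on disk.
# Assumption (not documented on this page): inventory tools such as Security Check
# report from these keys rather than from the files on disk.

function Get-UninstallEntry {
    param([string]$NamePattern = 'Adobe Reader|Java')
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $results = @()
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in (Get-ChildItem -Path $root)) {
            $p = Get-ItemProperty -Path $key.PSPath
            if (-not $p.DisplayName -or $p.DisplayName -notmatch $NamePattern) { continue }
            $folderExists = $null
            if ($p.InstallLocation) { $folderExists = Test-Path -Path $p.InstallLocation }
            $results += New-Object PSObject -Property @{
                DisplayName     = $p.DisplayName
                DisplayVersion  = $p.DisplayVersion
                InstallLocation = $p.InstallLocation
                FolderExists    = $folderExists   # $false = entry points at a folder that is gone
                UninstallString = $p.UninstallString
                RegistryKey     = $key.Name
            }
        }
    }
    return $results
}

function Get-AcroRd32Version {
    # Product versions of the Reader executables actually on disk, for comparison
    Get-ChildItem -Path "${env:ProgramFiles(x86)}\Adobe" -Recurse -Filter AcroRd32.exe -ErrorAction SilentlyContinue |
        Select-Object FullName, @{ n = 'ProductVersion'; e = { $_.VersionInfo.ProductVersion } }
}

Get-UninstallEntry | Sort-Object DisplayName |
    Format-Table DisplayName, DisplayVersion, FolderExists, RegistryKey -AutoSize
Get-AcroRd32Version | Format-Table -AutoSize
```

An entry whose FolderExists is $false and whose UninstallString points at a file that no longer exists is a leftover of a removed install; once the entry is gone from Programs and Features (or the key is removed), a registry-based inventory stops reporting the old version. If every Reader entry does show a live 10.x folder and a matching file version, the registry and the disk agree and the report is being produced from somewhere else.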
 