Inactive Windows has encountered a critical error virus

M

mradl36

Posts: 11   +0
My girlfriends laptop had the west yorkshire police ukash virus, while trying to fix that some others started to appear Mbam has been so good in the past but will not clean 4 problems so downloaded microsoft security essentials wich will not update and seems to have brought along a new virus wich pops up as Windows has encountered a critical error and will restart in one minute, even in safe mode... Due to this I am unable to follow the steps in the above guide, also this pops up straight away so I have only one minute to try and stop it!!! Any help would be much appreciated, thanks

Laptop is windows 7 64 bit
 
Hello, and welcome to TechSpot.


rulesx.png
Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
Download Farbar Recovery Scan Tool and save it to a flash drive.


Please make sure to get the 64-bit version

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button. It will do its scan and save a log on your flash drive.
  • Close out of the message after that, then type in the text services.exe in to the "Search:" text box. Then, press the Search file(s) button, just as below:
    frst2.jpg

    When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
  • Type exit in the Command Prompt window and reboot the computer normally
  • FRST will make a log (FRST.txt) on the flash drive and also the search.txt logfile, please copy and paste the logs in your reply.
 
Thanks for the reply, here are the logs...

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02-10-2012 01
Ran by SYSTEM at 03-10-2012 07:39:22
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [12666984 1999-12-31] (Realtek Semiconductor)
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKU\Michelle\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [9728 2009-07-13] (Microsoft Corporation)
HKU\Michelle\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17418928 2012-07-13] (Skype Technologies S.A.)
HKU\Michelle\...\Run: [AppVodBurner] [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

==================== Services (Whitelisted) ===================

4 IMFservice; C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe [820568 2011-10-08] (IObit)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)
4 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [247152 2009-07-07] ()
4 rpcapd; "C:\Program Files (x86)\WinPcap\rpcapd.exe" -d -f "C:\Program Files (x86)\WinPcap\rpcapd.ini" [x]

==================== Drivers (Whitelisted) =====================

3 androidusb; C:\Windows\System32\Drivers\androidusb.sys [32768 2010-04-28] (Google Inc)
1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [283200 2012-06-05] (DT Soft Ltd)
4 FileMonitor; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\FileMonitor.sys [20336 2011-10-08] ()
1 ISODrive; \??\C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys [115600 2010-01-29] (EZB Systems, Inc.)
3 NPF; C:\Windows\System32\Drivers\NPF.sys [35344 2010-06-25] (CACE Technologies, Inc.)
3 NPF; C:\Windows\SysWow64\Drivers\NPF.sys [32512 2005-08-02] (CACE Technologies)
3 RegFilter; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\regfilter.sys [33184 2011-09-20] (IObit.com)
3 rtport; C:\Windows\SysWow64\Drivers\rtport.sys [15144 2010-12-29] (Windows (R) 2003 DDK 3790 provider)
3 SWDUMon; C:\Windows\System32\Drivers\SWDUMon.sys [15672 2012-09-30] ()
3 UrlFilter; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\UrlFilter.sys [21872 2011-09-20] (IObit.com)
3 motmodem; C:\Windows\System32\DRIVERS\motmodem.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-10-03 07:39 - 2012-10-03 07:39 - 00000000 ____D C:\FRST
2012-09-30 08:34 - 2012-09-30 08:34 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.82149F2443DCA127
2012-09-30 08:33 - 2012-08-07 07:18 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-09-30 08:30 - 2012-09-30 08:30 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E12A9E4C2F804C15
2012-09-28 15:40 - 2012-09-28 15:40 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.8111F3805AD03EB2
2012-09-28 14:36 - 2012-09-28 14:36 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.DC209EE1E9AB45AE
2012-09-28 14:16 - 2012-09-28 14:16 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.524C49B6E36415DD
2012-09-28 14:11 - 2012-09-28 14:11 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-09-28 14:11 - 2012-09-28 14:11 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-09-28 14:08 - 2012-09-28 14:08 - 13529576 ____A (Microsoft Corporation) C:\Users\Michelle\Downloads\mseinstall.exe
2012-09-28 13:54 - 2012-09-28 13:54 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-09-28 13:53 - 2012-09-28 13:53 - 02212440 ____A (Kaspersky Lab ZAO) C:\Users\Michelle\Downloads\tdsskiller.exe
2012-09-28 13:23 - 2012-09-28 13:23 - 00000000 ____D C:\Windows\erdnt
2012-09-28 13:22 - 2012-09-28 13:29 - 00000000 ___SD C:\32788R22FWJFW
2012-09-28 13:22 - 2012-09-28 13:23 - 04757745 ____R (Swearware) C:\Users\Michelle\Desktop\ComboFix.exe
2012-09-27 13:55 - 2012-09-27 16:14 - 00005036 ____A C:\Windows\PFRO.log
2012-09-27 08:51 - 2012-09-27 08:51 - 00000000 ____D C:\Users\All Users\wenlbqpdwpqkepq
2012-09-27 08:51 - 2012-09-27 08:49 - 00071168 ____A C:\Users\All Users\tbbjnhjp.exe
2012-09-27 08:49 - 2012-09-27 08:51 - 00069787 ____A C:\Users\All Users\rwdqatrqocvtlgg
2012-09-26 07:08 - 2012-09-26 07:08 - 00946352 ____A (Skype Technologies S.A.) C:\Users\Michelle\Downloads\SkypeSetup(2).exe
2012-09-26 04:16 - 2012-09-30 08:39 - 00000840 ____A C:\Windows\setupact.log
2012-09-26 04:16 - 2012-09-26 04:16 - 00277328 ____A C:\Windows\Minidump\092612-22464-01.dmp
2012-09-26 04:16 - 2012-09-26 04:16 - 00003352 ____N C:\bootsqm.dat
2012-09-26 04:16 - 2012-09-26 04:16 - 00000000 ____A C:\Windows\setuperr.log
2012-09-26 03:55 - 2012-09-26 03:55 - 72122368 ____A C:\Windows\System32\config\SOFTWARE.iobit
2012-09-26 03:55 - 2012-09-26 03:55 - 18198528 ____A C:\Windows\System32\config\SYSTEM.iobit
2012-09-26 03:55 - 2012-09-26 03:55 - 01409024 ____A C:\Windows\System32\config\DEFAULT.iobit
2012-09-26 03:55 - 2012-09-26 03:55 - 00024576 ____A C:\Windows\System32\config\SECURITY.iobit
2012-09-26 03:55 - 2012-09-26 03:55 - 00024576 ____A C:\Windows\System32\config\SAM.iobit
2012-09-25 17:34 - 2012-09-26 02:03 - 00000361 ____A C:\rkill.log
2012-09-25 16:38 - 2012-09-25 16:39 - 00000000 ____D C:\Users\Default\AppData\Roaming\IObit
2012-09-25 16:38 - 2012-09-25 16:39 - 00000000 ____D C:\Users\Default User\AppData\Roaming\IObit
2012-09-23 04:58 - 2012-09-23 04:58 - 00000000 ____D C:\Users\Michelle\Downloads\Hereafter (2010) DVDRip XviD-MAXSPEED
2012-09-16 10:22 - 2012-09-16 10:22 - 00000000 ____D C:\Users\Michelle\Downloads\[UsaBit.com] - Bait.2012.BDRiP.AC3-5.1.XviD-AXED
2012-09-13 17:26 - 2012-09-13 17:26 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-09-13 17:24 - 2012-09-13 17:24 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-09-13 17:11 - 2012-09-13 17:11 - 00000000 ____D C:\Program Files (x86)\VodBurner
2012-09-13 17:05 - 2012-09-13 17:11 - 00000000 ____D C:\Users\Michelle\Downloads\Netralia VodBurner v1.1.0.167 - BEAN
2012-09-12 23:49 - 2012-09-12 23:49 - 00002515 ____A C:\Users\Public\Desktop\Skype.lnk
2012-09-12 23:49 - 2012-09-12 23:49 - 00000000 ___RD C:\Program Files (x86)\Skype
2012-09-12 23:48 - 2012-09-12 23:48 - 00946352 ____A (Skype Technologies S.A.) C:\Users\Michelle\Downloads\SkypeSetup(1).exe
2012-09-12 23:45 - 2012-03-15 12:03 - 00000035 ____A C:\Users\Michelle\Downloads\FILE_ID.DIZ
2012-09-12 23:45 - 2012-03-15 03:34 - 00005839 ____A C:\Users\Michelle\Downloads\F4CG.nfo
2012-09-12 23:43 - 2012-09-12 23:43 - 00170837 ____A C:\Users\Michelle\Downloads\Vodburner_1_0_2_crack.zip
2012-09-12 23:35 - 2012-09-30 08:33 - 00004546 ____A C:\Windows\WindowsUpdate.log
2012-09-12 12:28 - 2012-08-22 10:12 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-09-12 12:28 - 2012-08-22 10:12 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2012-09-12 12:28 - 2012-08-22 10:12 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-09-12 12:28 - 2012-08-22 10:12 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2012-09-12 12:28 - 2012-08-02 09:58 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2012-09-12 12:28 - 2012-08-02 08:57 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2012-09-12 12:28 - 2012-07-04 12:26 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\RNDISMP.sys
2012-09-11 12:00 - 2012-09-18 03:29 - 00000000 ____D C:\Users\Michelle\Downloads\The.Snowtown.Murders.2011.DVDRip.XviD-4PlayHD
2012-09-04 10:37 - 2012-09-27 14:02 - 00193024 __ASH C:\Users\Michelle\Documents\Thumbs.db

==================== 3 Months Modified Files ==================

2012-09-30 08:39 - 2012-09-26 04:16 - 00000840 ____A C:\Windows\setupact.log
2012-09-30 08:39 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-30 08:38 - 2011-09-30 16:32 - 00000416 ____A C:\Windows\Tasks\SlimDrivers Startup.job
2012-09-30 08:38 - 2009-07-13 15:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-09-30 08:37 - 2011-12-24 17:26 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-09-30 08:37 - 2011-09-30 16:32 - 00015672 ____A C:\Windows\System32\Drivers\SWDUMon.sys
2012-09-30 08:34 - 2012-09-30 08:34 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.82149F2443DCA127
2012-09-30 08:33 - 2012-09-12 23:35 - 00004546 ____A C:\Windows\WindowsUpdate.log
2012-09-30 08:31 - 2011-12-24 17:26 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-09-30 08:30 - 2012-09-30 08:30 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E12A9E4C2F804C15
2012-09-28 15:40 - 2012-09-28 15:40 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.8111F3805AD03EB2
2012-09-28 14:36 - 2012-09-28 14:36 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.DC209EE1E9AB45AE
2012-09-28 14:33 - 2009-07-13 20:45 - 00014144 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-28 14:33 - 2009-07-13 20:45 - 00014144 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-28 14:16 - 2012-09-28 14:16 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.524C49B6E36415DD
2012-09-28 14:11 - 2011-04-28 13:31 - 00001945 ____A C:\Windows\epplauncher.mif
2012-09-28 14:08 - 2012-09-28 14:08 - 13529576 ____A (Microsoft Corporation) C:\Users\Michelle\Downloads\mseinstall.exe
2012-09-28 13:53 - 2012-09-28 13:53 - 02212440 ____A (Kaspersky Lab ZAO) C:\Users\Michelle\Downloads\tdsskiller.exe
2012-09-28 13:39 - 2012-03-25 09:24 - 00000920 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-868785299-726797094-2297327714-1001UA.job
2012-09-28 13:23 - 2012-09-28 13:22 - 04757745 ____R (Swearware) C:\Users\Michelle\Desktop\ComboFix.exe
2012-09-28 13:16 - 2012-03-25 09:24 - 00000868 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-868785299-726797094-2297327714-1001Core.job
2012-09-28 07:50 - 2012-03-25 09:25 - 00002501 ____A C:\Users\Michelle\Desktop\Google Chrome.lnk
2012-09-27 16:14 - 2012-09-27 13:55 - 00005036 ____A C:\Windows\PFRO.log
2012-09-27 14:02 - 2012-09-04 10:37 - 00193024 __ASH C:\Users\Michelle\Documents\Thumbs.db
2012-09-27 08:51 - 2012-09-27 08:49 - 00069787 ____A C:\Users\All Users\rwdqatrqocvtlgg
2012-09-27 08:49 - 2012-09-27 08:51 - 00071168 ____A C:\Users\All Users\tbbjnhjp.exe
2012-09-26 07:08 - 2012-09-26 07:08 - 00946352 ____A (Skype Technologies S.A.) C:\Users\Michelle\Downloads\SkypeSetup(2).exe
2012-09-26 04:16 - 2012-09-26 04:16 - 00277328 ____A C:\Windows\Minidump\092612-22464-01.dmp
2012-09-26 04:16 - 2012-09-26 04:16 - 00003352 ____N C:\bootsqm.dat
2012-09-26 04:16 - 2012-09-26 04:16 - 00000000 ____A C:\Windows\setuperr.log
2012-09-26 03:55 - 2012-09-26 03:55 - 72122368 ____A C:\Windows\System32\config\SOFTWARE.iobit
2012-09-26 03:55 - 2012-09-26 03:55 - 18198528 ____A C:\Windows\System32\config\SYSTEM.iobit
2012-09-26 03:55 - 2012-09-26 03:55 - 01409024 ____A C:\Windows\System32\config\DEFAULT.iobit
2012-09-26 03:55 - 2012-09-26 03:55 - 00024576 ____A C:\Windows\System32\config\SECURITY.iobit
2012-09-26 03:55 - 2012-09-26 03:55 - 00024576 ____A C:\Windows\System32\config\SAM.iobit
2012-09-26 02:03 - 2012-09-25 17:34 - 00000361 ____A C:\rkill.log
2012-09-15 19:14 - 2009-07-13 21:13 - 00005198 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-15 19:13 - 2011-04-29 03:24 - 00000671 ____A C:\Users\Michelle\AppData\Roaming\vso_ts_preview.xml
2012-09-13 17:24 - 2012-09-13 17:24 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-09-13 17:24 - 2012-08-20 08:42 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-09-12 23:49 - 2012-09-12 23:49 - 00002515 ____A C:\Users\Public\Desktop\Skype.lnk
2012-09-12 23:48 - 2012-09-12 23:48 - 00946352 ____A (Skype Technologies S.A.) C:\Users\Michelle\Downloads\SkypeSetup(1).exe
2012-09-12 23:43 - 2012-09-12 23:43 - 00170837 ____A C:\Users\Michelle\Downloads\Vodburner_1_0_2_crack.zip
2012-09-12 18:01 - 2011-04-08 01:23 - 64462936 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-08-30 13:03 - 2012-08-30 13:03 - 00228768 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
2012-08-30 13:03 - 2012-08-30 13:03 - 00128456 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
2012-08-30 12:53 - 2012-08-30 12:52 - 07136856 ____A C:\Users\Michelle\Downloads\pics.zip
2012-08-30 12:51 - 2012-08-30 12:51 - 07136736 ____A C:\Users\Michelle\Downloads\2008-05.zip
2012-08-27 19:23 - 2012-08-27 19:23 - 00179820 ____A C:\Users\Michelle\Downloads\skypelogview.zip
2012-08-26 21:52 - 2012-08-26 21:52 - 00282608 ____A () C:\Users\Michelle\Downloads\VBSetup.exe
2012-08-25 12:47 - 2012-08-25 12:45 - 00829074 ____A C:\Users\Michelle\Downloads\Pic.zip
2012-08-25 12:43 - 2012-08-25 12:43 - 00000000 ____A C:\Users\Michelle\Downloads\4C3.tmp
2012-08-22 10:12 - 2012-09-12 12:28 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-08-22 10:12 - 2012-09-12 12:28 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2012-08-22 10:12 - 2012-09-12 12:28 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-08-22 10:12 - 2012-09-12 12:28 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2012-08-20 08:41 - 2012-08-20 08:41 - 03092640 ____A (Adobe Systems, Inc.) C:\Users\Michelle\Downloads\install_flash_player_10_plugin.exe
2012-08-20 08:26 - 2012-08-20 08:26 - 00687304 ____A (Adobe Systems Incorporated) C:\Users\Michelle\Downloads\uninstall_flash_player.exe
2012-08-18 03:37 - 2012-08-18 03:37 - 09622688 ____A C:\Users\Michelle\Downloads\SopCast-3.5.0.exe
2012-08-18 03:37 - 2012-08-18 03:37 - 00000991 ____A C:\Users\Michelle\Desktop\SopCast.lnk
2012-08-17 00:08 - 2009-07-13 20:45 - 00418520 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-07 07:18 - 2012-09-30 08:33 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-08-02 09:58 - 2012-09-12 12:28 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2012-08-02 08:57 - 2012-09-12 12:28 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2012-07-24 16:56 - 2012-07-24 05:38 - 00092923 ____H C:\Users\All Users\sys013.log
2012-07-24 16:56 - 2012-07-24 05:38 - 00038894 ____H C:\Users\All Users\sys011.log
2012-07-24 16:56 - 2012-07-24 05:38 - 00003735 ____H C:\Users\All Users\sys001.log
2012-07-24 16:56 - 2012-07-24 05:38 - 00002625 ____H C:\Users\All Users\sys004.log
2012-07-24 16:56 - 2012-07-24 05:38 - 00000328 ____H C:\Users\All Users\sys012.log
2012-07-24 16:56 - 2012-07-24 05:38 - 00000111 ____H C:\Users\All Users\sys014.log
2012-07-24 16:45 - 2012-07-24 00:33 - 00000098 ____H C:\Users\All Users\emopts.dat
2012-07-24 00:25 - 2012-07-24 00:24 - 04045423 ____A C:\Users\Michelle\Downloads\Spytech Spyagent Stealth 6.2.rar
2012-07-23 23:28 - 2012-07-23 23:28 - 01237410 ____A C:\Users\Michelle\Downloads\007.Spy.Software.v3.873.Retail-ARN.RAR
2012-07-18 10:15 - 2012-08-15 04:29 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-16 23:25 - 2012-07-16 23:25 - 01133761 ____A C:\Users\Michelle\Downloads\universal_gb_root_v20.zip
2012-07-13 05:16 - 2012-07-13 05:16 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Michelle\Downloads\mbam-setup-1.62.0.1300.exe
2012-07-13 05:06 - 2012-07-13 05:06 - 01012656 ____A C:\Users\Michelle\Downloads\rkill.exe
2012-07-13 05:06 - 2012-07-13 05:06 - 01012656 ____A C:\Users\Michelle\Downloads\iExplore.exe


ZeroAccess:
C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}
C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}\@
C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}\L
C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}\U
C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}\L\00000004.@
C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}\L\201d3dde
C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\00000004.@
C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\00000008.@
C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\000000cb.@
C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\80000000.@
C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\80000032.@
C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\80000064.@

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

ZeroAccess:
C:\Users\Michelle\AppData\Local\{ff697493-7907-793c-1ca6-6e5463ef1223}
C:\Users\Michelle\AppData\Local\{ff697493-7907-793c-1ca6-6e5463ef1223}\@
C:\Users\Michelle\AppData\Local\{ff697493-7907-793c-1ca6-6e5463ef1223}\L
C:\Users\Michelle\AppData\Local\{ff697493-7907-793c-1ca6-6e5463ef1223}\U
C:\Users\Michelle\AppData\Local\{ff697493-7907-793c-1ca6-6e5463ef1223}\L\00000004.@
C:\Users\Michelle\AppData\Local\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\00000004.@
C:\Users\Michelle\AppData\Local\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\80000064.@

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-20 22:56:29

==================== Memory info ===========================

Percentage of memory in use: 18%
Total physical RAM: 3032.61 MB
Available physical RAM: 2472.07 MB
Total Pagefile: 3030.75 MB
Available Pagefile: 2468.57 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:138.99 GB) (Free:12.45 GB) NTFS
2 Drive e: () (Fixed) (Total:139 GB) (Free:138.16 GB) NTFS
3 Drive f: (RECOVERY) (Fixed) (Total:20 GB) (Free:4.21 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive h: () (Removable) (Total:0.24 GB) (Free:0.24 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 247 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 20 GB 1024 KB
Partition 2 Primary 100 MB 20 GB
Partition 3 Primary 138 GB 20 GB
Partition 4 Primary 138 GB 159 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F RECOVERY NTFS Partition 20 GB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 100 MB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 138 GB Healthy

=========================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E NTFS Partition 138 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 246 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H FAT Removable 246 MB Healthy

=========================================================

Last Boot: 2012-09-25 22:35

==================== End Of Log =============================


And

Farbar Recovery Scan Tool (x64) Version: 02-10-2012 01
Ran by SYSTEM at 2012-10-03 07:41:19
Running from H:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2012-09-30 08:38] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======
 
FRST Fixlist

Please run the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Users\Michelle\AppData\Local\{ff697493-7907-793c-1ca6-6e5463ef1223}
end
Click to expand...

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now, please enter System Recovery Options then select Command Prompt.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.
 
Hi, booted normal after the fix and after 5 minutes its still on :) I have not done anything on it just looked at the desktop... Here is the fixlog...

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-10-2012 01
Ran by SYSTEM at 2012-10-03 09:53:05 Run:1
Running from H:\

==============================================

C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223} moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini not found.
C:\Windows\assembly\GAC_64\Desktop.ini not found.
C:\Users\Michelle\AppData\Local\{ff697493-7907-793c-1ca6-6e5463ef1223} moved successfully.

==== End of Fixlog ====
 
Excellent work! :)

Please download ComboFix
combofix.gif
by sUBs
From BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
 
After running combofix, I turned the machine off and got two windows updates install themselves, not sure if relevent but thought I would mention it, here is combofix log...

ComboFix 12-10-04.01 - Michelle 04/10/2012 11:49:43.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3033.1989 [GMT 1:00]
Running from: c:\users\Michelle\Desktop\svchost.exe.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Spytech Software
c:\program files (x86)\Spytech Software\Spytech SpyAgent\Deploy.exe
c:\program files (x86)\Spytech Software\Spytech SpyAgent\license.txt
c:\program files (x86)\Spytech Software\Spytech SpyAgent\NoStealth.exe
c:\program files (x86)\Spytech Software\Spytech SpyAgent\readme!.txt
c:\program files (x86)\Spytech Software\Spytech SpyAgent\SpyAgent's 10 Step Guide to Total Stealth.url
c:\program files (x86)\Spytech Software\Spytech SpyAgent\SpyAgent Help Documentation.url
c:\program files (x86)\Spytech Software\Spytech SpyAgent\svchost.exe
c:\program files (x86)\Spytech Software\Spytech SpyAgent\sysdiag.exe
c:\program files (x86)\Spytech Software\Spytech SpyAgent\uninstal.log
c:\program files (x86)\WinConfig
c:\program files (x86)\WinConfig\npf_mgm.exe
c:\programdata\100
c:\programdata\AgentSS
c:\programdata\emopts.dat
c:\programdata\FullRemove.exe
c:\programdata\sacache
c:\programdata\tbbjnhjp.exe
c:\users\Michelle\AppData\Local\TempDIR
c:\users\Michelle\AppData\Roaming\inst.exe
c:\users\Michelle\AppData\Roaming\vso_ts_preview.xml
c:\windows\imglib.dll
c:\windows\iun6002.exe
c:\windows\sadefs.dat
c:\windows\SNMPAPI.DLL
c:\windows\sview.exe
c:\windows\sysk32.dll
c:\windows\SysWow64\wpcap.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-09-04 to 2012-10-04 )))))))))))))))))))))))))))))))
.
.
2012-10-04 11:03 . 2012-10-04 11:03 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4615EFAC-FFB9-4D81-A45C-8791946114C0}\offreg.dll
2012-10-04 11:01 . 2012-10-04 11:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-10-03 15:39 . 2012-10-03 15:39 -------- d-----w- C:\FRST
2012-10-03 06:57 . 2012-09-18 23:58 9308616 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4615EFAC-FFB9-4D81-A45C-8791946114C0}\mpengine.dll
2012-09-30 16:34 . 2012-09-30 16:34 328704 ----a-w- c:\windows\system32\services.exe.82149F2443DCA127
2012-09-30 16:33 . 2012-09-18 23:58 9308616 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-09-30 16:33 . 2012-08-07 15:18 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-09-30 16:30 . 2012-09-30 16:30 328704 ----a-w- c:\windows\system32\services.exe.E12A9E4C2F804C15
2012-09-28 23:40 . 2012-09-28 23:40 328704 ----a-w- c:\windows\system32\services.exe.8111F3805AD03EB2
2012-09-28 22:36 . 2012-09-28 22:36 328704 ----a-w- c:\windows\system32\services.exe.DC209EE1E9AB45AE
2012-09-28 22:16 . 2012-09-28 22:16 328704 ----a-w- c:\windows\system32\services.exe.524C49B6E36415DD
2012-09-28 22:11 . 2012-09-28 22:11 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-09-28 22:11 . 2012-09-28 22:11 -------- d-----w- c:\program files\Microsoft Security Client
2012-09-28 21:54 . 2012-09-28 21:54 -------- d-----w- C:\TDSSKiller_Quarantine
2012-09-27 16:51 . 2012-09-27 16:51 -------- d-----w- c:\programdata\wenlbqpdwpqkepq
2012-09-26 00:38 . 2012-09-26 00:39 -------- d-----w- c:\users\Default\AppData\Roaming\IObit
2012-09-14 01:26 . 2012-09-14 01:26 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-09-14 01:24 . 2012-09-14 01:24 696520 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-09-14 01:11 . 2012-09-14 01:11 -------- d-----w- c:\program files (x86)\VodBurner
2012-09-13 07:49 . 2012-09-13 07:49 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-09-13 07:49 . 2012-09-13 07:49 -------- d-----r- c:\program files (x86)\Skype
2012-09-12 20:28 . 2012-08-22 18:12 950128 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-09-12 20:28 . 2012-07-04 20:26 41472 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2012-09-12 20:28 . 2012-08-22 18:12 1913200 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-09-12 20:28 . 2012-08-02 17:58 574464 ----a-w- c:\windows\system32\d3d10level9.dll
2012-09-12 20:28 . 2012-08-02 16:57 490496 ----a-w- c:\windows\SysWow64\d3d10level9.dll
2012-09-12 20:28 . 2012-08-22 18:12 376688 ----a-w- c:\windows\system32\drivers\netio.sys
2012-09-12 20:28 . 2012-08-22 18:12 288624 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-04 11:03 . 2011-10-01 00:32 15672 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2012-09-30 16:38 . 2009-07-13 23:19 328704 ----a-w- c:\windows\system32\services.exe
2012-09-14 01:24 . 2012-08-20 16:42 73416 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-13 02:01 . 2011-04-08 09:23 64462936 ----a-w- c:\windows\system32\MRT.exe
2012-08-30 21:03 . 2012-08-30 21:03 228768 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-30 21:03 . 2012-08-30 21:03 128456 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-07-18 18:15 . 2012-08-15 12:29 3148800 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-07-13 17418928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [2010-04-29 32768]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-09-10 114144]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-30 128456]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-12 368896]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35344]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 RegFilter;RegFilter;c:\program files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\regfilter.sys [2011-09-20 33184]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
R3 SWDUMon;SWDUMon;c:\windows\system32\DRIVERS\SWDUMon.sys [2012-10-04 15672]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 UrlFilter;UrlFilter;c:\program files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\UrlFilter.sys [2011-09-20 21872]
R3 UsbFltr;WayTech USB Filter Driver;c:\windows\system32\Drivers\UsbFltr.sys [2007-04-09 12288]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-06 1255736]
R4 FileMonitor;FileMonitor;c:\program files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\FileMonitor.sys [2011-10-08 20336]
R4 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-25 136176]
R4 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-25 136176]
R4 IMFservice;IMF Service;c:\program files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe [2011-10-08 820568]
R4 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-06-05 283200]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2010-03-31 13824]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2010-04-01 136192]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2000-01-01 145408]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2011-04-29 82816]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2011-05-20 394016]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-25 01:26]
.
2012-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-25 01:26]
.
2012-09-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-868785299-726797094-2297327714-1001Core.job
- c:\users\Michelle\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-25 17:24]
.
2012-10-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-868785299-726797094-2297327714-1001UA.job
- c:\users\Michelle\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-25 17:24]
.
2012-10-04 c:\windows\Tasks\SlimDrivers Startup.job
- c:\program files (x86)\SlimDrivers\SlimDrivers.exe [2012-02-01 13:42]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2000-01-01 12666984]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2000-01-01 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2000-01-01 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2000-01-01 415256]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 1289704]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.co.uk/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Michelle\AppData\Roaming\Mozilla\Firefox\Profiles\43jymlnu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.funmoods_i.hmpg - true
FF - user.js: extensions.funmoods_i.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=bf4
FF - user.js: extensions.funmoods_i.dfltSrch - true
FF - user.js: extensions.funmoods_i.srchPrvdr - Search
FF - user.js: extensions.funmoods_i.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods_i.newTabUrl - hxxp://start.funmoods.com/?f=2&a=bf4
FF - user.js: extensions.funmoods_i.tlbrSrchUrl - hxxp://start.funmoods.com/results.php?f=3&a=bf4&q=
FF - user.js: extensions.funmoods_i.id - 12a577f5000000000000889ffa5a8bbd
FF - user.js: extensions.funmoods_i.instlDay - 15397
FF - user.js: extensions.funmoods_i.vrsn - 1.5.12.2
FF - user.js: extensions.funmoods_i.vrsni - 1.5.12.2
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.12.221:45
FF - user.js: extensions.funmoods_i.prtnrId - funmoods
FF - user.js: extensions.funmoods_i.prdct - funmoods
FF - user.js: extensions.funmoods_i.aflt - bf4
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods_i.tlbrId - base
FF - user.js: extensions.funmoods_i.instlRef -
FF - user.js: extensions.funmoods_i.dfltLng -
FF - user.js: extensions.funmoods_i.excTlbr - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-AppVodBurner - (no file)
Toolbar-Locked - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-Fruit_Machine_Emulators - c:\windows\iun6002.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
c:\program files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
.
**************************************************************************
.
Completion time: 2012-10-04 12:20:09 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-04 11:20
.
Pre-Run: 13,461,463,040 bytes free
Post-Run: 15,120,396,288 bytes free
.
- - End Of File - - 3119802961B9F73543CA96D88ABE3DB4
 
Download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

ComboFix Script

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    ClearJavaCache::
    Click to expand...
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    CFScriptB-4.gif
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.
 
Hi, sorry it took so long to reply, been mad at work, when I tried to merge the combofix text it told me I did not spell it right so would not run, I tried different ways and it just won't have it... Here is the adware log

# AdwCleaner v2.003 - Logfile created 10/05/2012 at 20:54:18
# Updated 23/09/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Michelle - MICHELLE-PC
# Boot Mode : Normal
# Running from : C:\Users\Michelle\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\user.js
File Deleted : C:\Users\Michelle\AppData\Roaming\Mozilla\Firefox\Profiles\43jymlnu.default\searchplugins\Askcom.xml
File Deleted : C:\Users\Michelle\AppData\Roaming\Mozilla\Firefox\Profiles\43jymlnu.default\searchplugins\funmoods.xml
Folder Deleted : C:\ProgramData\InstallMate
Folder Deleted : C:\ProgramData\Partner
Folder Deleted : C:\Users\Michelle\AppData\LocalLow\boost_interprocess

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Restored : [HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Mozilla Firefox v15.0.1 (en-GB)

Profile name : default
File : C:\Users\Michelle\AppData\Roaming\Mozilla\Firefox\Profiles\43jymlnu.default\prefs.js

C:\Users\Michelle\AppData\Roaming\Mozilla\Firefox\Profiles\43jymlnu.default\user.js ... Deleted !

Deleted : user_pref("extensions.funmoods.admin", false);
Deleted : user_pref("extensions.funmoods.aflt", "bf4");
Deleted : user_pref("extensions.funmoods.brwsrsrc", "ietlbr");
Deleted : user_pref("extensions.funmoods.cntry", "GB");
Deleted : user_pref("extensions.funmoods.dfltLng", "EN");
Deleted : user_pref("extensions.funmoods.dfltSrch", true);
Deleted : user_pref("extensions.funmoods.dfltlng", "EN");
Deleted : user_pref("extensions.funmoods.dfltsrch", true);
Deleted : user_pref("extensions.funmoods.excTlbr", false);
Deleted : user_pref("extensions.funmoods.hdrMd5", "6C9B0A348A01B22EE1F00A44C90F047F");
Deleted : user_pref("extensions.funmoods.hmpg", true);
Deleted : user_pref("extensions.funmoods.hrdid", "0");
Deleted : user_pref("extensions.funmoods.id", "12a577f5000000000000889ffa5a8bbd");
Deleted : user_pref("extensions.funmoods.instlDay", "15397");
Deleted : user_pref("extensions.funmoods.instlRef", "");
Deleted : user_pref("extensions.funmoods.instlday", "15397");
Deleted : user_pref("extensions.funmoods.instlref", "");
Deleted : user_pref("extensions.funmoods.isDcmntCmplt", true);
Deleted : user_pref("extensions.funmoods.keywordurl", "");
Deleted : user_pref("extensions.funmoods.lastVrsnTs", "1.5.12.221:45:03");
Deleted : user_pref("extensions.funmoods.newTab", true);
Deleted : user_pref("extensions.funmoods.newTabUrl", "hxxp://start.funmoods.com/?f=2&a=bf4");
Deleted : user_pref("extensions.funmoods.newtab", true);
Deleted : user_pref("extensions.funmoods.newtaburl", "hxxp://start.funmoods.com/?f=2&a=bf4");
Deleted : user_pref("extensions.funmoods.noFFXTlbr", false);
Deleted : user_pref("extensions.funmoods.prdct", "funmoods");
Deleted : user_pref("extensions.funmoods.propectorlck", 68954993);
Deleted : user_pref("extensions.funmoods.prtkHmpg", 1);
Deleted : user_pref("extensions.funmoods.prtnrId", "funmoods");
Deleted : user_pref("extensions.funmoods.prtnrid", "funmoods");
Deleted : user_pref("extensions.funmoods.sg", "none");
Deleted : user_pref("extensions.funmoods.smplGrp", "none");
Deleted : user_pref("extensions.funmoods.smplgrp", "none");
Deleted : user_pref("extensions.funmoods.srch", "");
Deleted : user_pref("extensions.funmoods.srchPrvdr", "Search");
Deleted : user_pref("extensions.funmoods.srchprvdr", "Search");
Deleted : user_pref("extensions.funmoods.tlbrId", "base");
Deleted : user_pref("extensions.funmoods.tlbrSrchUrl", "hxxp://start.funmoods.com/results.php?f=3&a=bf4&q=");
Deleted : user_pref("extensions.funmoods.tlbrid", "base");
Deleted : user_pref("extensions.funmoods.tlbrsrchurl", "hxxp://start.funmoods.com/results.php?f=3&a=bf4&q=");
Deleted : user_pref("extensions.funmoods.vrsn", "1.5.12.2");
Deleted : user_pref("extensions.funmoods.vrsnTs", "1.5.12.221:45:03");
Deleted : user_pref("extensions.funmoods.vrsni", "1.5.12.2");
Deleted : user_pref("extensions.funmoods.vrsnts", "1.5.12.221:45:03");
Deleted : user_pref("extensions.funmoods_i.aflt", "bf4");
Deleted : user_pref("extensions.funmoods_i.dfltLng", "");
Deleted : user_pref("extensions.funmoods_i.dfltSrch", true);
Deleted : user_pref("extensions.funmoods_i.dnsErr", true);
Deleted : user_pref("extensions.funmoods_i.excTlbr", false);
Deleted : user_pref("extensions.funmoods_i.hmpg", true);
Deleted : user_pref("extensions.funmoods_i.hmpgUrl", "hxxp://start.funmoods.com/?f=1&a=bf4");
Deleted : user_pref("extensions.funmoods_i.id", "12a577f5000000000000889ffa5a8bbd");
Deleted : user_pref("extensions.funmoods_i.instlDay", "15397");
Deleted : user_pref("extensions.funmoods_i.instlRef", "");
Deleted : user_pref("extensions.funmoods_i.newTab", true);
Deleted : user_pref("extensions.funmoods_i.newTabUrl", "hxxp://start.funmoods.com/?f=2&a=bf4");
Deleted : user_pref("extensions.funmoods_i.prdct", "funmoods");
Deleted : user_pref("extensions.funmoods_i.prtnrId", "funmoods");
Deleted : user_pref("extensions.funmoods_i.smplGrp", "none");
Deleted : user_pref("extensions.funmoods_i.srchPrvdr", "Search");
Deleted : user_pref("extensions.funmoods_i.tlbrId", "base");
Deleted : user_pref("extensions.funmoods_i.tlbrSrchUrl", "hxxp://start.funmoods.com/results.php?f=3&a=bf4&q=")[...]
Deleted : user_pref("extensions.funmoods_i.vrsn", "1.5.12.2");
Deleted : user_pref("extensions.funmoods_i.vrsnTs", "1.5.12.221:45:03");
Deleted : user_pref("extensions.funmoods_i.vrsni", "1.5.12.2");

-\\ Google Chrome v22.0.1229.79

File : C:\Users\Michelle\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [6726 octets] - [05/10/2012 20:54:18]

########## EOF - C:\AdwCleaner[S1].txt - [6786 octets] ##########
 
ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so an install it.
  • Click Start or wait for the scanner to load.
  • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, there are a couple of things to keep in mind:
  • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
  • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
  • Open the logfile from wherever you saved it
  • Copy and paste the contents in your next reply.

Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death
 
I have not used the laptop since I started this thread, will spen a couple hours tonight going through it to see if anything pops up, here is results of eset scan, thanks...

C:\FRST\Quarantine\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\00000004.@ Win64/Conedex.C trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\00000008.@ Win64/Agent.BA trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\000000cb.@ Win64/Conedex.B trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\80000000.@ Win64/Sirefef.AP trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\{ff697493-7907-793c-1ca6-6e5463ef1223}\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\00000004.@ Win64/Conedex.C trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\{ff697493-7907-793c-1ca6-6e5463ef1223}\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\80000064.@ Win64/Sirefef.AN trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\ProgramData\tbbjnhjp.exe.vir a variant of Win32/Injector.XCB trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0000\file0000\tsk0000.dta Win64/Patched.A.Gen trojan deleted - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0000\zafs0000\tsk0000.dta Win32/Sirefef.EZ trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0000\zafs0000\tsk0001.dta Win64/Sirefef.W trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0000\zafs0000\tsk0005.dta Win64/Conedex.C trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0000\zafs0000\tsk0006.dta Win64/Agent.BA trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0000\zafs0000\tsk0007.dta Win64/Conedex.B trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0000\zafs0000\tsk0008.dta Win64/Sirefef.AP trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0000\zafs0000\tsk0009.dta probably a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0000\zafs0000\tsk0013.dta Win64/Conedex.C trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0000\zafs0000\tsk0014.dta Win64/Sirefef.AN trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0001\file0000\tsk0000.dta Win64/Patched.A.Gen trojan deleted - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0001\zafs0000\tsk0000.dta Win32/Sirefef.EZ trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0001\zafs0000\tsk0001.dta Win64/Sirefef.W trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0001\zafs0000\tsk0005.dta Win64/Conedex.C trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0001\zafs0000\tsk0006.dta Win64/Agent.BA trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0001\zafs0000\tsk0007.dta Win64/Conedex.B trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0001\zafs0000\tsk0008.dta Win64/Sirefef.AP trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0001\zafs0000\tsk0009.dta probably a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0001\zafs0000\tsk0013.dta Win64/Conedex.C trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0001\zafs0000\tsk0014.dta Win64/Sirefef.AN trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0002\file0000\tsk0000.dta Win64/Patched.A.Gen trojan deleted - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0002\zafs0000\tsk0000.dta Win32/Sirefef.EZ trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0002\zafs0000\tsk0001.dta Win64/Sirefef.W trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0002\zafs0000\tsk0005.dta Win64/Conedex.C trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0002\zafs0000\tsk0006.dta Win64/Agent.BA trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0002\zafs0000\tsk0007.dta Win64/Conedex.B trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0002\zafs0000\tsk0008.dta Win64/Sirefef.AP trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0002\zafs0000\tsk0009.dta probably a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0002\zafs0000\tsk0013.dta Win64/Conedex.C trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0002\zafs0000\tsk0014.dta Win64/Sirefef.AN trojan cleaned by deleting - quarantined
C:\Users\Michelle\AppData\Local\Microsoft\Windows\1364\TapiMigPlugin.exe a variant of Win32/Kryptik.AMLT trojan cleaned by deleting - quarantined
C:\Users\Michelle\Downloads\asc-setup.exe a variant of Win32/Toolbar.Widgi application cleaned by deleting - quarantined
C:\Users\Michelle\Downloads\gb3-setup.exe a variant of Win32/Toolbar.Widgi application cleaned by deleting - quarantined
 
Your logs appear to be fine, let's finish up...

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advance System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name I.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive I.e. C
  • For a few moments the system will make some calculations:
    diskcleanup1.png
  • Select the More Options tab
    moreoptions.png
  • In the System Restore and Shadow Backups select Clean up
    moreoptions2.png
  • Select Delete on the pop up
  • Select OK
  • Select Delete
Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note:If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

* Double-click the CCleaner shortcut on the desktop to start the program.
* Click on the Options block on the left, then choose Cookies.
* Under Cookies to Delete, highlight any cookies you would like to retain permanently
* Click the right arrow > to move them to the Cookies to Keep window.
* Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
* Click Cleaner on the left then Run Cleaner on the right to run the program.
* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
 
Ok done all that, here is log, thanks

Results of screen317's Security Check version 0.99.51
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Java(TM) 6 Update 24
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (15.0.1)
Google Chrome 21.0.1180.83
Google Chrome 21.0.1180.89
Google Chrome 22.0.1229.79
Google Chrome 22.0.1229.92
Google Chrome 22.0.1229.94
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 
Adobe Reader Update!

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

Adobe Flash Player Update!

Please download the newest version of Adobe Flash Player from Adobe.com

Before installing: it is important to remove older versions of Flash Player since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Flash Player. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

Java Update!

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

Read more about Java exploit problems


Personal Tips on Preventing Malware

See this page for more info about malware and prevention.

Read more about "FAQ: How did Sirefef or ZeroAccess Infect You?"

Any other questions before I mark this topic solved?
 
Yes when I start msconfig and look in startup there is a file that worries me,
c:\programmedata\tbbjnhjp.exe
Other than that I cannot thank you enough as all seems well :)
 
Looks like it might be in other locations, please do this:

Download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    tbbjnhjp.exe
    Click to expand...
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
Hi, Results seem to be negative... Here is the scan results

SystemLook 30.07.11 by jpshortstuff
Log created at 07:34 on 16/10/2012 by Michelle
Administrator - Elevation successful

========== filefind ==========

Searching for "tbbjnhjp.exe"
No files found.

-= EOF =-
 
SystemLook 30.07.11 by jpshortstuff
Log created at 00:17 on 18/10/2012 by Michelle
Administrator - Elevation successful

========== regfind ==========

Searching for "tbbjnhjp"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"tbbjnhjpwsxvxtb"="C:\ProgramData\tbbjnhjp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\tbbjnhjp_RASAPI32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\tbbjnhjp_RASMANCS]
[HKEY_USERS\S-1-5-21-868785299-726797094-2297327714-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"tbbjnhjpwsxvxtb"="C:\ProgramData\tbbjnhjp.exe"

-= EOF =-
 
Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note for Vista: Right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL C (or, after highlighting, right-click and choose Copy):

    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "tbbjnhjpwsxvxtb"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\tbbjnhjp_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\tbbjnhjp_RASMANCS]
    [HKEY_USERS\S-1-5-21-868785299-726797094-2297327714-1001\Software\Microsoft\Windows\CurrentVersion\Run]
    "tbbjnhjpwsxvxtb"=-

    :Commands
    [emptytemp]
    [purity]
    [Reboot]
    Click to expand...
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and
open the newest .log file present, and copy/paste the contents of that document back here in your next post.
 
Hello, are you still with us? Please update us with the state of your situation, so we know how to continue from here.

We'd still like to help. Topic marked inactive, until your return.
 
All processes killed
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\tbbjnhjpwsxvxtb deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\tbbjnhjp_RASAPI32\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\tbbjnhjp_RASMANCS\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-868785299-726797094-2297327714-1001\Software\Microsoft\Windows\CurrentVersion\Run\\tbbjnhjpwsxvxtb not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Michelle
->Temp folder emptied: 169993474 bytes
->Temporary Internet Files folder emptied: 11190737 bytes
->Java cache emptied: 1878 bytes
->FireFox cache emptied: 1158098172 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 37316 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 1171461 bytes
%systemroot%\System32 (64bit) .tmp files removed: 6223248 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4584029 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 978694758 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 670 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67496 bytes
RecycleBin emptied: 3193963 bytes

Total Files Cleaned = 2,225.00 mb


OTM by OldTimer - Version 3.1.21.0 log created on 10272012_134429

Files moved on Reboot...
C:\Users\Michelle\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...
 
Hello! Are you still with us? Your topic is now marked inactive, because you have lacked to reply.

However, we'd like to still help. Please update us on the state of your PC.
 
You must log in or register to reply here.

Similar threads

midian182
UnitedHealthcare accused of using AI that denies critical medical care coverage
2
Replies
35
Views
996
Hotlynx16
H
Bob O'Donnell
Data Governance and Provenance: Two words that are critical to the future of generative AI
Replies
1
Views
120
human7
H
D
Microsoft's June 2023 Patch Tuesday brings critical patches for Windows, Office, SharePoint...
Replies
1
Views
472
Gars
Gars

Latest posts

Back