TechSpot

Windows has encountered a critical error virus

Inactive
By mradl36
Oct 2, 2012
  1. My girlfriends laptop had the west yorkshire police ukash virus, while trying to fix that some others started to appear Mbam has been so good in the past but will not clean 4 problems so downloaded microsoft security essentials wich will not update and seems to have brought along a new virus wich pops up as Windows has encountered a critical error and will restart in one minute, even in safe mode... Due to this I am unable to follow the steps in the above guide, also this pops up straight away so I have only one minute to try and stop it!!! Any help would be much appreciated, thanks

    Laptop is windows 7 64 bit
     
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    [​IMG] Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
    Download Farbar Recovery Scan Tool and save it to a flash drive.


    Please make sure to get the 64-bit version

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account an click Next.
    On the System Recovery Options menu you will get the following options:
      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there
    • Press Scan button. It will do its scan and save a log on your flash drive.
    • Close out of the message after that, then type in the text services.exe in to the "Search:" text box. Then, press the Search file(s) button, just as below:
      [​IMG]
      When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
    • Type exit in the Command Prompt window and reboot the computer normally
    • FRST will make a log (FRST.txt) on the flash drive and also the search.txt logfile, please copy and paste the logs in your reply.
     
  3. mradl36

    mradl36 TS Rookie Topic Starter

    Thanks for the reply, here are the logs...

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02-10-2012 01
    Ran by SYSTEM at 03-10-2012 07:39:22
    Running from H:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [12666984 1999-12-31] (Realtek Semiconductor)
    HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
    HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
    HKU\Michelle\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [9728 2009-07-13] (Microsoft Corporation)
    HKU\Michelle\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17418928 2012-07-13] (Skype Technologies S.A.)
    HKU\Michelle\...\Run: [AppVodBurner] [x]
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

    ==================== Services (Whitelisted) ===================

    4 IMFservice; C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe [820568 2011-10-08] (IObit)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)
    4 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [247152 2009-07-07] ()
    4 rpcapd; "C:\Program Files (x86)\WinPcap\rpcapd.exe" -d -f "C:\Program Files (x86)\WinPcap\rpcapd.ini" [x]

    ==================== Drivers (Whitelisted) =====================

    3 androidusb; C:\Windows\System32\Drivers\androidusb.sys [32768 2010-04-28] (Google Inc)
    1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [283200 2012-06-05] (DT Soft Ltd)
    4 FileMonitor; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\FileMonitor.sys [20336 2011-10-08] ()
    1 ISODrive; \??\C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys [115600 2010-01-29] (EZB Systems, Inc.)
    3 NPF; C:\Windows\System32\Drivers\NPF.sys [35344 2010-06-25] (CACE Technologies, Inc.)
    3 NPF; C:\Windows\SysWow64\Drivers\NPF.sys [32512 2005-08-02] (CACE Technologies)
    3 RegFilter; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\regfilter.sys [33184 2011-09-20] (IObit.com)
    3 rtport; C:\Windows\SysWow64\Drivers\rtport.sys [15144 2010-12-29] (Windows (R) 2003 DDK 3790 provider)
    3 SWDUMon; C:\Windows\System32\Drivers\SWDUMon.sys [15672 2012-09-30] ()
    3 UrlFilter; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\UrlFilter.sys [21872 2011-09-20] (IObit.com)
    3 motmodem; C:\Windows\System32\DRIVERS\motmodem.sys [x]

    ==================== NetSvcs (Whitelisted) ====================


    ==================== One Month Created Files and Folders ========

    2012-10-03 07:39 - 2012-10-03 07:39 - 00000000 ____D C:\FRST
    2012-09-30 08:34 - 2012-09-30 08:34 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.82149F2443DCA127
    2012-09-30 08:33 - 2012-08-07 07:18 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2012-09-30 08:30 - 2012-09-30 08:30 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E12A9E4C2F804C15
    2012-09-28 15:40 - 2012-09-28 15:40 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.8111F3805AD03EB2
    2012-09-28 14:36 - 2012-09-28 14:36 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.DC209EE1E9AB45AE
    2012-09-28 14:16 - 2012-09-28 14:16 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.524C49B6E36415DD
    2012-09-28 14:11 - 2012-09-28 14:11 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-09-28 14:11 - 2012-09-28 14:11 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-09-28 14:08 - 2012-09-28 14:08 - 13529576 ____A (Microsoft Corporation) C:\Users\Michelle\Downloads\mseinstall.exe
    2012-09-28 13:54 - 2012-09-28 13:54 - 00000000 ____D C:\TDSSKiller_Quarantine
    2012-09-28 13:53 - 2012-09-28 13:53 - 02212440 ____A (Kaspersky Lab ZAO) C:\Users\Michelle\Downloads\tdsskiller.exe
    2012-09-28 13:23 - 2012-09-28 13:23 - 00000000 ____D C:\Windows\erdnt
    2012-09-28 13:22 - 2012-09-28 13:29 - 00000000 ___SD C:\32788R22FWJFW
    2012-09-28 13:22 - 2012-09-28 13:23 - 04757745 ____R (Swearware) C:\Users\Michelle\Desktop\ComboFix.exe
    2012-09-27 13:55 - 2012-09-27 16:14 - 00005036 ____A C:\Windows\PFRO.log
    2012-09-27 08:51 - 2012-09-27 08:51 - 00000000 ____D C:\Users\All Users\wenlbqpdwpqkepq
    2012-09-27 08:51 - 2012-09-27 08:49 - 00071168 ____A C:\Users\All Users\tbbjnhjp.exe
    2012-09-27 08:49 - 2012-09-27 08:51 - 00069787 ____A C:\Users\All Users\rwdqatrqocvtlgg
    2012-09-26 07:08 - 2012-09-26 07:08 - 00946352 ____A (Skype Technologies S.A.) C:\Users\Michelle\Downloads\SkypeSetup(2).exe
    2012-09-26 04:16 - 2012-09-30 08:39 - 00000840 ____A C:\Windows\setupact.log
    2012-09-26 04:16 - 2012-09-26 04:16 - 00277328 ____A C:\Windows\Minidump\092612-22464-01.dmp
    2012-09-26 04:16 - 2012-09-26 04:16 - 00003352 ____N C:\bootsqm.dat
    2012-09-26 04:16 - 2012-09-26 04:16 - 00000000 ____A C:\Windows\setuperr.log
    2012-09-26 03:55 - 2012-09-26 03:55 - 72122368 ____A C:\Windows\System32\config\SOFTWARE.iobit
    2012-09-26 03:55 - 2012-09-26 03:55 - 18198528 ____A C:\Windows\System32\config\SYSTEM.iobit
    2012-09-26 03:55 - 2012-09-26 03:55 - 01409024 ____A C:\Windows\System32\config\DEFAULT.iobit
    2012-09-26 03:55 - 2012-09-26 03:55 - 00024576 ____A C:\Windows\System32\config\SECURITY.iobit
    2012-09-26 03:55 - 2012-09-26 03:55 - 00024576 ____A C:\Windows\System32\config\SAM.iobit
    2012-09-25 17:34 - 2012-09-26 02:03 - 00000361 ____A C:\rkill.log
    2012-09-25 16:38 - 2012-09-25 16:39 - 00000000 ____D C:\Users\Default\AppData\Roaming\IObit
    2012-09-25 16:38 - 2012-09-25 16:39 - 00000000 ____D C:\Users\Default User\AppData\Roaming\IObit
    2012-09-23 04:58 - 2012-09-23 04:58 - 00000000 ____D C:\Users\Michelle\Downloads\Hereafter (2010) DVDRip XviD-MAXSPEED
    2012-09-16 10:22 - 2012-09-16 10:22 - 00000000 ____D C:\Users\Michelle\Downloads\[UsaBit.com] - Bait.2012.BDRiP.AC3-5.1.XviD-AXED
    2012-09-13 17:26 - 2012-09-13 17:26 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
    2012-09-13 17:24 - 2012-09-13 17:24 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-09-13 17:11 - 2012-09-13 17:11 - 00000000 ____D C:\Program Files (x86)\VodBurner
    2012-09-13 17:05 - 2012-09-13 17:11 - 00000000 ____D C:\Users\Michelle\Downloads\Netralia VodBurner v1.1.0.167 - BEAN
    2012-09-12 23:49 - 2012-09-12 23:49 - 00002515 ____A C:\Users\Public\Desktop\Skype.lnk
    2012-09-12 23:49 - 2012-09-12 23:49 - 00000000 ___RD C:\Program Files (x86)\Skype
    2012-09-12 23:48 - 2012-09-12 23:48 - 00946352 ____A (Skype Technologies S.A.) C:\Users\Michelle\Downloads\SkypeSetup(1).exe
    2012-09-12 23:45 - 2012-03-15 12:03 - 00000035 ____A C:\Users\Michelle\Downloads\FILE_ID.DIZ
    2012-09-12 23:45 - 2012-03-15 03:34 - 00005839 ____A C:\Users\Michelle\Downloads\F4CG.nfo
    2012-09-12 23:43 - 2012-09-12 23:43 - 00170837 ____A C:\Users\Michelle\Downloads\Vodburner_1_0_2_crack.zip
    2012-09-12 23:35 - 2012-09-30 08:33 - 00004546 ____A C:\Windows\WindowsUpdate.log
    2012-09-12 12:28 - 2012-08-22 10:12 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
    2012-09-12 12:28 - 2012-08-22 10:12 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
    2012-09-12 12:28 - 2012-08-22 10:12 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
    2012-09-12 12:28 - 2012-08-22 10:12 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
    2012-09-12 12:28 - 2012-08-02 09:58 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
    2012-09-12 12:28 - 2012-08-02 08:57 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
    2012-09-12 12:28 - 2012-07-04 12:26 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\RNDISMP.sys
    2012-09-11 12:00 - 2012-09-18 03:29 - 00000000 ____D C:\Users\Michelle\Downloads\The.Snowtown.Murders.2011.DVDRip.XviD-4PlayHD
    2012-09-04 10:37 - 2012-09-27 14:02 - 00193024 __ASH C:\Users\Michelle\Documents\Thumbs.db

    ==================== 3 Months Modified Files ==================

    2012-09-30 08:39 - 2012-09-26 04:16 - 00000840 ____A C:\Windows\setupact.log
    2012-09-30 08:39 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-09-30 08:38 - 2011-09-30 16:32 - 00000416 ____A C:\Windows\Tasks\SlimDrivers Startup.job
    2012-09-30 08:38 - 2009-07-13 15:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-09-30 08:37 - 2011-12-24 17:26 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-09-30 08:37 - 2011-09-30 16:32 - 00015672 ____A C:\Windows\System32\Drivers\SWDUMon.sys
    2012-09-30 08:34 - 2012-09-30 08:34 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.82149F2443DCA127
    2012-09-30 08:33 - 2012-09-12 23:35 - 00004546 ____A C:\Windows\WindowsUpdate.log
    2012-09-30 08:31 - 2011-12-24 17:26 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-09-30 08:30 - 2012-09-30 08:30 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E12A9E4C2F804C15
    2012-09-28 15:40 - 2012-09-28 15:40 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.8111F3805AD03EB2
    2012-09-28 14:36 - 2012-09-28 14:36 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.DC209EE1E9AB45AE
    2012-09-28 14:33 - 2009-07-13 20:45 - 00014144 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-09-28 14:33 - 2009-07-13 20:45 - 00014144 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-09-28 14:16 - 2012-09-28 14:16 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.524C49B6E36415DD
    2012-09-28 14:11 - 2011-04-28 13:31 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-09-28 14:08 - 2012-09-28 14:08 - 13529576 ____A (Microsoft Corporation) C:\Users\Michelle\Downloads\mseinstall.exe
    2012-09-28 13:53 - 2012-09-28 13:53 - 02212440 ____A (Kaspersky Lab ZAO) C:\Users\Michelle\Downloads\tdsskiller.exe
    2012-09-28 13:39 - 2012-03-25 09:24 - 00000920 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-868785299-726797094-2297327714-1001UA.job
    2012-09-28 13:23 - 2012-09-28 13:22 - 04757745 ____R (Swearware) C:\Users\Michelle\Desktop\ComboFix.exe
    2012-09-28 13:16 - 2012-03-25 09:24 - 00000868 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-868785299-726797094-2297327714-1001Core.job
    2012-09-28 07:50 - 2012-03-25 09:25 - 00002501 ____A C:\Users\Michelle\Desktop\Google Chrome.lnk
    2012-09-27 16:14 - 2012-09-27 13:55 - 00005036 ____A C:\Windows\PFRO.log
    2012-09-27 14:02 - 2012-09-04 10:37 - 00193024 __ASH C:\Users\Michelle\Documents\Thumbs.db
    2012-09-27 08:51 - 2012-09-27 08:49 - 00069787 ____A C:\Users\All Users\rwdqatrqocvtlgg
    2012-09-27 08:49 - 2012-09-27 08:51 - 00071168 ____A C:\Users\All Users\tbbjnhjp.exe
    2012-09-26 07:08 - 2012-09-26 07:08 - 00946352 ____A (Skype Technologies S.A.) C:\Users\Michelle\Downloads\SkypeSetup(2).exe
    2012-09-26 04:16 - 2012-09-26 04:16 - 00277328 ____A C:\Windows\Minidump\092612-22464-01.dmp
    2012-09-26 04:16 - 2012-09-26 04:16 - 00003352 ____N C:\bootsqm.dat
    2012-09-26 04:16 - 2012-09-26 04:16 - 00000000 ____A C:\Windows\setuperr.log
    2012-09-26 03:55 - 2012-09-26 03:55 - 72122368 ____A C:\Windows\System32\config\SOFTWARE.iobit
    2012-09-26 03:55 - 2012-09-26 03:55 - 18198528 ____A C:\Windows\System32\config\SYSTEM.iobit
    2012-09-26 03:55 - 2012-09-26 03:55 - 01409024 ____A C:\Windows\System32\config\DEFAULT.iobit
    2012-09-26 03:55 - 2012-09-26 03:55 - 00024576 ____A C:\Windows\System32\config\SECURITY.iobit
    2012-09-26 03:55 - 2012-09-26 03:55 - 00024576 ____A C:\Windows\System32\config\SAM.iobit
    2012-09-26 02:03 - 2012-09-25 17:34 - 00000361 ____A C:\rkill.log
    2012-09-15 19:14 - 2009-07-13 21:13 - 00005198 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-09-15 19:13 - 2011-04-29 03:24 - 00000671 ____A C:\Users\Michelle\AppData\Roaming\vso_ts_preview.xml
    2012-09-13 17:24 - 2012-09-13 17:24 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-09-13 17:24 - 2012-08-20 08:42 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-09-12 23:49 - 2012-09-12 23:49 - 00002515 ____A C:\Users\Public\Desktop\Skype.lnk
    2012-09-12 23:48 - 2012-09-12 23:48 - 00946352 ____A (Skype Technologies S.A.) C:\Users\Michelle\Downloads\SkypeSetup(1).exe
    2012-09-12 23:43 - 2012-09-12 23:43 - 00170837 ____A C:\Users\Michelle\Downloads\Vodburner_1_0_2_crack.zip
    2012-09-12 18:01 - 2011-04-08 01:23 - 64462936 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-08-30 13:03 - 2012-08-30 13:03 - 00228768 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
    2012-08-30 13:03 - 2012-08-30 13:03 - 00128456 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
    2012-08-30 12:53 - 2012-08-30 12:52 - 07136856 ____A C:\Users\Michelle\Downloads\pics.zip
    2012-08-30 12:51 - 2012-08-30 12:51 - 07136736 ____A C:\Users\Michelle\Downloads\2008-05.zip
    2012-08-27 19:23 - 2012-08-27 19:23 - 00179820 ____A C:\Users\Michelle\Downloads\skypelogview.zip
    2012-08-26 21:52 - 2012-08-26 21:52 - 00282608 ____A () C:\Users\Michelle\Downloads\VBSetup.exe
    2012-08-25 12:47 - 2012-08-25 12:45 - 00829074 ____A C:\Users\Michelle\Downloads\Pic.zip
    2012-08-25 12:43 - 2012-08-25 12:43 - 00000000 ____A C:\Users\Michelle\Downloads\4C3.tmp
    2012-08-22 10:12 - 2012-09-12 12:28 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
    2012-08-22 10:12 - 2012-09-12 12:28 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
    2012-08-22 10:12 - 2012-09-12 12:28 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
    2012-08-22 10:12 - 2012-09-12 12:28 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
    2012-08-20 08:41 - 2012-08-20 08:41 - 03092640 ____A (Adobe Systems, Inc.) C:\Users\Michelle\Downloads\install_flash_player_10_plugin.exe
    2012-08-20 08:26 - 2012-08-20 08:26 - 00687304 ____A (Adobe Systems Incorporated) C:\Users\Michelle\Downloads\uninstall_flash_player.exe
    2012-08-18 03:37 - 2012-08-18 03:37 - 09622688 ____A C:\Users\Michelle\Downloads\SopCast-3.5.0.exe
    2012-08-18 03:37 - 2012-08-18 03:37 - 00000991 ____A C:\Users\Michelle\Desktop\SopCast.lnk
    2012-08-17 00:08 - 2009-07-13 20:45 - 00418520 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-08-07 07:18 - 2012-09-30 08:33 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2012-08-02 09:58 - 2012-09-12 12:28 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
    2012-08-02 08:57 - 2012-09-12 12:28 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
    2012-07-24 16:56 - 2012-07-24 05:38 - 00092923 ____H C:\Users\All Users\sys013.log
    2012-07-24 16:56 - 2012-07-24 05:38 - 00038894 ____H C:\Users\All Users\sys011.log
    2012-07-24 16:56 - 2012-07-24 05:38 - 00003735 ____H C:\Users\All Users\sys001.log
    2012-07-24 16:56 - 2012-07-24 05:38 - 00002625 ____H C:\Users\All Users\sys004.log
    2012-07-24 16:56 - 2012-07-24 05:38 - 00000328 ____H C:\Users\All Users\sys012.log
    2012-07-24 16:56 - 2012-07-24 05:38 - 00000111 ____H C:\Users\All Users\sys014.log
    2012-07-24 16:45 - 2012-07-24 00:33 - 00000098 ____H C:\Users\All Users\emopts.dat
    2012-07-24 00:25 - 2012-07-24 00:24 - 04045423 ____A C:\Users\Michelle\Downloads\Spytech Spyagent Stealth 6.2.rar
    2012-07-23 23:28 - 2012-07-23 23:28 - 01237410 ____A C:\Users\Michelle\Downloads\007.Spy.Software.v3.873.Retail-ARN.RAR
    2012-07-18 10:15 - 2012-08-15 04:29 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-07-16 23:25 - 2012-07-16 23:25 - 01133761 ____A C:\Users\Michelle\Downloads\universal_gb_root_v20.zip
    2012-07-13 05:16 - 2012-07-13 05:16 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Michelle\Downloads\mbam-setup-1.62.0.1300.exe
    2012-07-13 05:06 - 2012-07-13 05:06 - 01012656 ____A C:\Users\Michelle\Downloads\rkill.exe
    2012-07-13 05:06 - 2012-07-13 05:06 - 01012656 ____A C:\Users\Michelle\Downloads\iExplore.exe


    ZeroAccess:
    C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}
    C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}\@
    C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}\L
    C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}\U
    C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}\L\00000004.@
    C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}\L\201d3dde
    C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\00000004.@
    C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\00000008.@
    C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\000000cb.@
    C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\80000000.@
    C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\80000032.@
    C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\80000064.@

    ZeroAccess:
    C:\Windows\assembly\GAC_32\Desktop.ini

    ZeroAccess:
    C:\Windows\assembly\GAC_64\Desktop.ini

    ZeroAccess:
    C:\Users\Michelle\AppData\Local\{ff697493-7907-793c-1ca6-6e5463ef1223}
    C:\Users\Michelle\AppData\Local\{ff697493-7907-793c-1ca6-6e5463ef1223}\@
    C:\Users\Michelle\AppData\Local\{ff697493-7907-793c-1ca6-6e5463ef1223}\L
    C:\Users\Michelle\AppData\Local\{ff697493-7907-793c-1ca6-6e5463ef1223}\U
    C:\Users\Michelle\AppData\Local\{ff697493-7907-793c-1ca6-6e5463ef1223}\L\00000004.@
    C:\Users\Michelle\AppData\Local\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\00000004.@
    C:\Users\Michelle\AppData\Local\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\80000064.@

    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2012-09-20 22:56:29

    ==================== Memory info ===========================

    Percentage of memory in use: 18%
    Total physical RAM: 3032.61 MB
    Available physical RAM: 2472.07 MB
    Total Pagefile: 3030.75 MB
    Available Pagefile: 2468.57 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ==================== Partitions =============================

    1 Drive c: () (Fixed) (Total:138.99 GB) (Free:12.45 GB) NTFS
    2 Drive e: () (Fixed) (Total:139 GB) (Free:138.16 GB) NTFS
    3 Drive f: (RECOVERY) (Fixed) (Total:20 GB) (Free:4.21 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    5 Drive h: () (Removable) (Total:0.24 GB) (Free:0.24 GB) FAT
    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    7 Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 298 GB 0 B
    Disk 1 Online 247 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Recovery 20 GB 1024 KB
    Partition 2 Primary 100 MB 20 GB
    Partition 3 Primary 138 GB 20 GB
    Partition 4 Primary 138 GB 159 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 F RECOVERY NTFS Partition 20 GB Healthy Hidden

    =========================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y SYSTEM NTFS Partition 100 MB Healthy

    =========================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 138 GB Healthy

    =========================================================

    Disk: 0
    Partition 4
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 E NTFS Partition 138 GB Healthy

    =========================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 246 MB 16 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 06
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 5 H FAT Removable 246 MB Healthy

    =========================================================

    Last Boot: 2012-09-25 22:35

    ==================== End Of Log =============================


    And

    Farbar Recovery Scan Tool (x64) Version: 02-10-2012 01
    Ran by SYSTEM at 2012-10-03 07:41:19
    Running from H:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-13 15:19] - [2012-09-30 08:38] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    ====== End Of Search ======
     
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    FRST Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Now restart, let it boot normally and tell me how it went.
     
  5. mradl36

    mradl36 TS Rookie Topic Starter

    Hi, booted normal after the fix and after 5 minutes its still on :) I have not done anything on it just looked at the desktop... Here is the fixlog...

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-10-2012 01
    Ran by SYSTEM at 2012-10-03 09:53:05 Run:1
    Running from H:\

    ==============================================

    C:\Windows\Installer\{ff697493-7907-793c-1ca6-6e5463ef1223} moved successfully.
    C:\Windows\assembly\GAC_32\Desktop.ini not found.
    C:\Windows\assembly\GAC_64\Desktop.ini not found.
    C:\Users\Michelle\AppData\Local\{ff697493-7907-793c-1ca6-6e5463ef1223} moved successfully.

    ==== End of Fixlog ====
     
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Excellent work! :)

    Please download ComboFix[​IMG] by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
     
  7. mradl36

    mradl36 TS Rookie Topic Starter

    After running combofix, I turned the machine off and got two windows updates install themselves, not sure if relevent but thought I would mention it, here is combofix log...

    ComboFix 12-10-04.01 - Michelle 04/10/2012 11:49:43.1.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3033.1989 [GMT 1:00]
    Running from: c:\users\Michelle\Desktop\svchost.exe.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
    SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files (x86)\Spytech Software
    c:\program files (x86)\Spytech Software\Spytech SpyAgent\Deploy.exe
    c:\program files (x86)\Spytech Software\Spytech SpyAgent\license.txt
    c:\program files (x86)\Spytech Software\Spytech SpyAgent\NoStealth.exe
    c:\program files (x86)\Spytech Software\Spytech SpyAgent\readme!.txt
    c:\program files (x86)\Spytech Software\Spytech SpyAgent\SpyAgent's 10 Step Guide to Total Stealth.url
    c:\program files (x86)\Spytech Software\Spytech SpyAgent\SpyAgent Help Documentation.url
    c:\program files (x86)\Spytech Software\Spytech SpyAgent\svchost.exe
    c:\program files (x86)\Spytech Software\Spytech SpyAgent\sysdiag.exe
    c:\program files (x86)\Spytech Software\Spytech SpyAgent\uninstal.log
    c:\program files (x86)\WinConfig
    c:\program files (x86)\WinConfig\npf_mgm.exe
    c:\programdata\100
    c:\programdata\AgentSS
    c:\programdata\emopts.dat
    c:\programdata\FullRemove.exe
    c:\programdata\sacache
    c:\programdata\tbbjnhjp.exe
    c:\users\Michelle\AppData\Local\TempDIR
    c:\users\Michelle\AppData\Roaming\inst.exe
    c:\users\Michelle\AppData\Roaming\vso_ts_preview.xml
    c:\windows\imglib.dll
    c:\windows\iun6002.exe
    c:\windows\sadefs.dat
    c:\windows\SNMPAPI.DLL
    c:\windows\sview.exe
    c:\windows\sysk32.dll
    c:\windows\SysWow64\wpcap.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-09-04 to 2012-10-04 )))))))))))))))))))))))))))))))
    .
    .
    2012-10-04 11:03 . 2012-10-04 11:03 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4615EFAC-FFB9-4D81-A45C-8791946114C0}\offreg.dll
    2012-10-04 11:01 . 2012-10-04 11:01 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-10-03 15:39 . 2012-10-03 15:39 -------- d-----w- C:\FRST
    2012-10-03 06:57 . 2012-09-18 23:58 9308616 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4615EFAC-FFB9-4D81-A45C-8791946114C0}\mpengine.dll
    2012-09-30 16:34 . 2012-09-30 16:34 328704 ----a-w- c:\windows\system32\services.exe.82149F2443DCA127
    2012-09-30 16:33 . 2012-09-18 23:58 9308616 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-09-30 16:33 . 2012-08-07 15:18 279656 ------w- c:\windows\system32\MpSigStub.exe
    2012-09-30 16:30 . 2012-09-30 16:30 328704 ----a-w- c:\windows\system32\services.exe.E12A9E4C2F804C15
    2012-09-28 23:40 . 2012-09-28 23:40 328704 ----a-w- c:\windows\system32\services.exe.8111F3805AD03EB2
    2012-09-28 22:36 . 2012-09-28 22:36 328704 ----a-w- c:\windows\system32\services.exe.DC209EE1E9AB45AE
    2012-09-28 22:16 . 2012-09-28 22:16 328704 ----a-w- c:\windows\system32\services.exe.524C49B6E36415DD
    2012-09-28 22:11 . 2012-09-28 22:11 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2012-09-28 22:11 . 2012-09-28 22:11 -------- d-----w- c:\program files\Microsoft Security Client
    2012-09-28 21:54 . 2012-09-28 21:54 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-09-27 16:51 . 2012-09-27 16:51 -------- d-----w- c:\programdata\wenlbqpdwpqkepq
    2012-09-26 00:38 . 2012-09-26 00:39 -------- d-----w- c:\users\Default\AppData\Roaming\IObit
    2012-09-14 01:26 . 2012-09-14 01:26 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
    2012-09-14 01:24 . 2012-09-14 01:24 696520 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-09-14 01:11 . 2012-09-14 01:11 -------- d-----w- c:\program files (x86)\VodBurner
    2012-09-13 07:49 . 2012-09-13 07:49 -------- d-----w- c:\program files (x86)\Common Files\Skype
    2012-09-13 07:49 . 2012-09-13 07:49 -------- d-----r- c:\program files (x86)\Skype
    2012-09-12 20:28 . 2012-08-22 18:12 950128 ----a-w- c:\windows\system32\drivers\ndis.sys
    2012-09-12 20:28 . 2012-07-04 20:26 41472 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
    2012-09-12 20:28 . 2012-08-22 18:12 1913200 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2012-09-12 20:28 . 2012-08-02 17:58 574464 ----a-w- c:\windows\system32\d3d10level9.dll
    2012-09-12 20:28 . 2012-08-02 16:57 490496 ----a-w- c:\windows\SysWow64\d3d10level9.dll
    2012-09-12 20:28 . 2012-08-22 18:12 376688 ----a-w- c:\windows\system32\drivers\netio.sys
    2012-09-12 20:28 . 2012-08-22 18:12 288624 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-10-04 11:03 . 2011-10-01 00:32 15672 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
    2012-09-30 16:38 . 2009-07-13 23:19 328704 ----a-w- c:\windows\system32\services.exe
    2012-09-14 01:24 . 2012-08-20 16:42 73416 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-09-13 02:01 . 2011-04-08 09:23 64462936 ----a-w- c:\windows\system32\MRT.exe
    2012-08-30 21:03 . 2012-08-30 21:03 228768 ----a-w- c:\windows\system32\drivers\MpFilter.sys
    2012-08-30 21:03 . 2012-08-30 21:03 128456 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
    2012-07-18 18:15 . 2012-08-15 12:29 3148800 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-07-13 17418928]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [2010-04-29 32768]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-09-10 114144]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-30 128456]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-12 368896]
    R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35344]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
    R3 RegFilter;RegFilter;c:\program files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\regfilter.sys [2011-09-20 33184]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
    R3 SWDUMon;SWDUMon;c:\windows\system32\DRIVERS\SWDUMon.sys [2012-10-04 15672]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 UrlFilter;UrlFilter;c:\program files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\UrlFilter.sys [2011-09-20 21872]
    R3 UsbFltr;WayTech USB Filter Driver;c:\windows\system32\Drivers\UsbFltr.sys [2007-04-09 12288]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-06 1255736]
    R4 FileMonitor;FileMonitor;c:\program files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\FileMonitor.sys [2011-10-08 20336]
    R4 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-25 136176]
    R4 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-25 136176]
    R4 IMFservice;IMF Service;c:\program files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe [2011-10-08 820568]
    R4 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-06-05 283200]
    S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2010-03-31 13824]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
    S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2010-04-01 136192]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2000-01-01 145408]
    S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2011-04-29 82816]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2011-05-20 394016]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-10-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-25 01:26]
    .
    2012-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-25 01:26]
    .
    2012-09-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-868785299-726797094-2297327714-1001Core.job
    - c:\users\Michelle\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-25 17:24]
    .
    2012-10-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-868785299-726797094-2297327714-1001UA.job
    - c:\users\Michelle\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-25 17:24]
    .
    2012-10-04 c:\windows\Tasks\SlimDrivers Startup.job
    - c:\program files (x86)\SlimDrivers\SlimDrivers.exe [2012-02-01 13:42]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2000-01-01 12666984]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2000-01-01 161304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2000-01-01 386584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2000-01-01 415256]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 1289704]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.co.uk/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\users\Michelle\AppData\Roaming\Mozilla\Firefox\Profiles\43jymlnu.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: extensions.funmoods_i.hmpg - true
    FF - user.js: extensions.funmoods_i.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=bf4
    FF - user.js: extensions.funmoods_i.dfltSrch - true
    FF - user.js: extensions.funmoods_i.srchPrvdr - Search
    FF - user.js: extensions.funmoods_i.dnsErr - true
    FF - user.js: extensions.funmoods_i.newTab - true
    FF - user.js: extensions.funmoods_i.newTabUrl - hxxp://start.funmoods.com/?f=2&a=bf4
    FF - user.js: extensions.funmoods_i.tlbrSrchUrl - hxxp://start.funmoods.com/results.php?f=3&a=bf4&q=
    FF - user.js: extensions.funmoods_i.id - 12a577f5000000000000889ffa5a8bbd
    FF - user.js: extensions.funmoods_i.instlDay - 15397
    FF - user.js: extensions.funmoods_i.vrsn - 1.5.12.2
    FF - user.js: extensions.funmoods_i.vrsni - 1.5.12.2
    FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.12.221:45
    FF - user.js: extensions.funmoods_i.prtnrId - funmoods
    FF - user.js: extensions.funmoods_i.prdct - funmoods
    FF - user.js: extensions.funmoods_i.aflt - bf4
    FF - user.js: extensions.funmoods_i.smplGrp - none
    FF - user.js: extensions.funmoods_i.tlbrId - base
    FF - user.js: extensions.funmoods_i.instlRef -
    FF - user.js: extensions.funmoods_i.dfltLng -
    FF - user.js: extensions.funmoods_i.excTlbr - false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Wow6432Node-HKCU-Run-AppVodBurner - (no file)
    Toolbar-Locked - (no file)
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-Fruit_Machine_Emulators - c:\windows\iun6002.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_265_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_265_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
    c:\program files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
    .
    **************************************************************************
    .
    Completion time: 2012-10-04 12:20:09 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-10-04 11:20
    .
    Pre-Run: 13,461,463,040 bytes free
    Post-Run: 15,120,396,288 bytes free
    .
    - - End Of File - - 3119802961B9F73543CA96D88ABE3DB4
     
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

    ComboFix Script

    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

      [​IMG]
    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
     
  9. mradl36

    mradl36 TS Rookie Topic Starter

    Hi, sorry it took so long to reply, been mad at work, when I tried to merge the combofix text it told me I did not spell it right so would not run, I tried different ways and it just won't have it... Here is the adware log

    # AdwCleaner v2.003 - Logfile created 10/05/2012 at 20:54:18
    # Updated 23/09/2012 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
    # User : Michelle - MICHELLE-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Michelle\Desktop\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Deleted : C:\user.js
    File Deleted : C:\Users\Michelle\AppData\Roaming\Mozilla\Firefox\Profiles\43jymlnu.default\searchplugins\Askcom.xml
    File Deleted : C:\Users\Michelle\AppData\Roaming\Mozilla\Firefox\Profiles\43jymlnu.default\searchplugins\funmoods.xml
    Folder Deleted : C:\ProgramData\InstallMate
    Folder Deleted : C:\ProgramData\Partner
    Folder Deleted : C:\Users\Michelle\AppData\LocalLow\boost_interprocess

    ***** [Registry] *****

    Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
    Key Deleted : HKCU\Software\Softonic
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
    Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    Restored : [HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

    -\\ Mozilla Firefox v15.0.1 (en-GB)

    Profile name : default
    File : C:\Users\Michelle\AppData\Roaming\Mozilla\Firefox\Profiles\43jymlnu.default\prefs.js

    C:\Users\Michelle\AppData\Roaming\Mozilla\Firefox\Profiles\43jymlnu.default\user.js ... Deleted !

    Deleted : user_pref("extensions.funmoods.admin", false);
    Deleted : user_pref("extensions.funmoods.aflt", "bf4");
    Deleted : user_pref("extensions.funmoods.brwsrsrc", "ietlbr");
    Deleted : user_pref("extensions.funmoods.cntry", "GB");
    Deleted : user_pref("extensions.funmoods.dfltLng", "EN");
    Deleted : user_pref("extensions.funmoods.dfltSrch", true);
    Deleted : user_pref("extensions.funmoods.dfltlng", "EN");
    Deleted : user_pref("extensions.funmoods.dfltsrch", true);
    Deleted : user_pref("extensions.funmoods.excTlbr", false);
    Deleted : user_pref("extensions.funmoods.hdrMd5", "6C9B0A348A01B22EE1F00A44C90F047F");
    Deleted : user_pref("extensions.funmoods.hmpg", true);
    Deleted : user_pref("extensions.funmoods.hrdid", "0");
    Deleted : user_pref("extensions.funmoods.id", "12a577f5000000000000889ffa5a8bbd");
    Deleted : user_pref("extensions.funmoods.instlDay", "15397");
    Deleted : user_pref("extensions.funmoods.instlRef", "");
    Deleted : user_pref("extensions.funmoods.instlday", "15397");
    Deleted : user_pref("extensions.funmoods.instlref", "");
    Deleted : user_pref("extensions.funmoods.isDcmntCmplt", true);
    Deleted : user_pref("extensions.funmoods.keywordurl", "");
    Deleted : user_pref("extensions.funmoods.lastVrsnTs", "1.5.12.221:45:03");
    Deleted : user_pref("extensions.funmoods.newTab", true);
    Deleted : user_pref("extensions.funmoods.newTabUrl", "hxxp://start.funmoods.com/?f=2&a=bf4");
    Deleted : user_pref("extensions.funmoods.newtab", true);
    Deleted : user_pref("extensions.funmoods.newtaburl", "hxxp://start.funmoods.com/?f=2&a=bf4");
    Deleted : user_pref("extensions.funmoods.noFFXTlbr", false);
    Deleted : user_pref("extensions.funmoods.prdct", "funmoods");
    Deleted : user_pref("extensions.funmoods.propectorlck", 68954993);
    Deleted : user_pref("extensions.funmoods.prtkHmpg", 1);
    Deleted : user_pref("extensions.funmoods.prtnrId", "funmoods");
    Deleted : user_pref("extensions.funmoods.prtnrid", "funmoods");
    Deleted : user_pref("extensions.funmoods.sg", "none");
    Deleted : user_pref("extensions.funmoods.smplGrp", "none");
    Deleted : user_pref("extensions.funmoods.smplgrp", "none");
    Deleted : user_pref("extensions.funmoods.srch", "");
    Deleted : user_pref("extensions.funmoods.srchPrvdr", "Search");
    Deleted : user_pref("extensions.funmoods.srchprvdr", "Search");
    Deleted : user_pref("extensions.funmoods.tlbrId", "base");
    Deleted : user_pref("extensions.funmoods.tlbrSrchUrl", "hxxp://start.funmoods.com/results.php?f=3&a=bf4&q=");
    Deleted : user_pref("extensions.funmoods.tlbrid", "base");
    Deleted : user_pref("extensions.funmoods.tlbrsrchurl", "hxxp://start.funmoods.com/results.php?f=3&a=bf4&q=");
    Deleted : user_pref("extensions.funmoods.vrsn", "1.5.12.2");
    Deleted : user_pref("extensions.funmoods.vrsnTs", "1.5.12.221:45:03");
    Deleted : user_pref("extensions.funmoods.vrsni", "1.5.12.2");
    Deleted : user_pref("extensions.funmoods.vrsnts", "1.5.12.221:45:03");
    Deleted : user_pref("extensions.funmoods_i.aflt", "bf4");
    Deleted : user_pref("extensions.funmoods_i.dfltLng", "");
    Deleted : user_pref("extensions.funmoods_i.dfltSrch", true);
    Deleted : user_pref("extensions.funmoods_i.dnsErr", true);
    Deleted : user_pref("extensions.funmoods_i.excTlbr", false);
    Deleted : user_pref("extensions.funmoods_i.hmpg", true);
    Deleted : user_pref("extensions.funmoods_i.hmpgUrl", "hxxp://start.funmoods.com/?f=1&a=bf4");
    Deleted : user_pref("extensions.funmoods_i.id", "12a577f5000000000000889ffa5a8bbd");
    Deleted : user_pref("extensions.funmoods_i.instlDay", "15397");
    Deleted : user_pref("extensions.funmoods_i.instlRef", "");
    Deleted : user_pref("extensions.funmoods_i.newTab", true);
    Deleted : user_pref("extensions.funmoods_i.newTabUrl", "hxxp://start.funmoods.com/?f=2&a=bf4");
    Deleted : user_pref("extensions.funmoods_i.prdct", "funmoods");
    Deleted : user_pref("extensions.funmoods_i.prtnrId", "funmoods");
    Deleted : user_pref("extensions.funmoods_i.smplGrp", "none");
    Deleted : user_pref("extensions.funmoods_i.srchPrvdr", "Search");
    Deleted : user_pref("extensions.funmoods_i.tlbrId", "base");
    Deleted : user_pref("extensions.funmoods_i.tlbrSrchUrl", "hxxp://start.funmoods.com/results.php?f=3&a=bf4&q=")[...]
    Deleted : user_pref("extensions.funmoods_i.vrsn", "1.5.12.2");
    Deleted : user_pref("extensions.funmoods_i.vrsnTs", "1.5.12.221:45:03");
    Deleted : user_pref("extensions.funmoods_i.vrsni", "1.5.12.2");

    -\\ Google Chrome v22.0.1229.79

    File : C:\Users\Michelle\AppData\Local\Google\Chrome\User Data\Default\Preferences

    [OK] File is clean.

    *************************

    AdwCleaner[S1].txt - [6726 octets] - [05/10/2012 20:54:18]

    ########## EOF - C:\AdwCleaner[S1].txt - [6786 octets] ##########
     
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so an install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
     
  11. mradl36

    mradl36 TS Rookie Topic Starter

    I have not used the laptop since I started this thread, will spen a couple hours tonight going through it to see if anything pops up, here is results of eset scan, thanks...

    C:\FRST\Quarantine\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\00000004.@ Win64/Conedex.C trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\00000008.@ Win64/Agent.BA trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\000000cb.@ Win64/Conedex.B trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\80000000.@ Win64/Sirefef.AP trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\{ff697493-7907-793c-1ca6-6e5463ef1223}\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\00000004.@ Win64/Conedex.C trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\{ff697493-7907-793c-1ca6-6e5463ef1223}\{ff697493-7907-793c-1ca6-6e5463ef1223}\U\80000064.@ Win64/Sirefef.AN trojan cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\ProgramData\tbbjnhjp.exe.vir a variant of Win32/Injector.XCB trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0000\file0000\tsk0000.dta Win64/Patched.A.Gen trojan deleted - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0000\zafs0000\tsk0000.dta Win32/Sirefef.EZ trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0000\zafs0000\tsk0001.dta Win64/Sirefef.W trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0000\zafs0000\tsk0005.dta Win64/Conedex.C trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0000\zafs0000\tsk0006.dta Win64/Agent.BA trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0000\zafs0000\tsk0007.dta Win64/Conedex.B trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0000\zafs0000\tsk0008.dta Win64/Sirefef.AP trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0000\zafs0000\tsk0009.dta probably a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0000\zafs0000\tsk0013.dta Win64/Conedex.C trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0000\zafs0000\tsk0014.dta Win64/Sirefef.AN trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0001\file0000\tsk0000.dta Win64/Patched.A.Gen trojan deleted - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0001\zafs0000\tsk0000.dta Win32/Sirefef.EZ trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0001\zafs0000\tsk0001.dta Win64/Sirefef.W trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0001\zafs0000\tsk0005.dta Win64/Conedex.C trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0001\zafs0000\tsk0006.dta Win64/Agent.BA trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0001\zafs0000\tsk0007.dta Win64/Conedex.B trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0001\zafs0000\tsk0008.dta Win64/Sirefef.AP trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0001\zafs0000\tsk0009.dta probably a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0001\zafs0000\tsk0013.dta Win64/Conedex.C trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0001\zafs0000\tsk0014.dta Win64/Sirefef.AN trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0002\file0000\tsk0000.dta Win64/Patched.A.Gen trojan deleted - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0002\zafs0000\tsk0000.dta Win32/Sirefef.EZ trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0002\zafs0000\tsk0001.dta Win64/Sirefef.W trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0002\zafs0000\tsk0005.dta Win64/Conedex.C trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0002\zafs0000\tsk0006.dta Win64/Agent.BA trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0002\zafs0000\tsk0007.dta Win64/Conedex.B trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0002\zafs0000\tsk0008.dta Win64/Sirefef.AP trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0002\zafs0000\tsk0009.dta probably a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0002\zafs0000\tsk0013.dta Win64/Conedex.C trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\28.09.2012_22.54.07\zasubsys0002\zafs0000\tsk0014.dta Win64/Sirefef.AN trojan cleaned by deleting - quarantined
    C:\Users\Michelle\AppData\Local\Microsoft\Windows\1364\TapiMigPlugin.exe a variant of Win32/Kryptik.AMLT trojan cleaned by deleting - quarantined
    C:\Users\Michelle\Downloads\asc-setup.exe a variant of Win32/Toolbar.Widgi application cleaned by deleting - quarantined
    C:\Users\Michelle\Downloads\gb3-setup.exe a variant of Win32/Toolbar.Widgi application cleaned by deleting - quarantined
     
     
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Your logs appear to be fine, let's finish up...

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advance System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name I.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive I.e. C
    • For a few moments the system will make some calculations:
      [​IMG]
    • Select the More Options tab
      [​IMG]
    • In the System Restore and Shadow Backups select Clean up
      [​IMG]
    • Select Delete on the pop up
    • Select OK
    • Select Delete
    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note:If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
     
  13. mradl36

    mradl36 TS Rookie Topic Starter

    Ok done all that, here is log, thanks

    Results of screen317's Security Check version 0.99.51
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Java(TM) 6 Update 24
    Java version out of Date!
    Adobe Flash Player 10 Flash Player out of Date!
    Adobe Reader 9 Adobe Reader out of Date!
    Mozilla Firefox (15.0.1)
    Google Chrome 21.0.1180.83
    Google Chrome 21.0.1180.89
    Google Chrome 22.0.1229.79
    Google Chrome 22.0.1229.92
    Google Chrome 22.0.1229.94
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````
     
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Adobe Reader Update!

    Please download the newest version of Adobe Acrobat Reader from Adobe.com

    Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

    Once old versions are gone, please install the newest version.

    Adobe Flash Player Update!

    Please download the newest version of Adobe Flash Player from Adobe.com

    Before installing: it is important to remove older versions of Flash Player since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Adobe Flash Player. Uninstall/Remove each of them.

    Once old versions are gone, please install the newest version.

    Java Update!

    Please download the newest version of Java from Java.com.

    Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

    Once old versions are gone, please install the newest version.

    Read more about Java exploit problems


    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.

    Read more about "FAQ: How did Sirefef or ZeroAccess Infect You?"

    Any other questions before I mark this topic solved?
     
  15. mradl36

    mradl36 TS Rookie Topic Starter

    Yes when I start msconfig and look in startup there is a file that worries me,
    c:\programmedata\tbbjnhjp.exe
    Other than that I cannot thank you enough as all seems well :)
     
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Looks like it might be in other locations, please do this:

    Download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  17. mradl36

    mradl36 TS Rookie Topic Starter

    Hi, Results seem to be negative... Here is the scan results

    SystemLook 30.07.11 by jpshortstuff
    Log created at 07:34 on 16/10/2012 by Michelle
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "tbbjnhjp.exe"
    No files found.

    -= EOF =-
     
  18. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi. Here is next script for SystemLook. Post back log when done, please...
     
  19. mradl36

    mradl36 TS Rookie Topic Starter

    SystemLook 30.07.11 by jpshortstuff
    Log created at 00:17 on 18/10/2012 by Michelle
    Administrator - Elevation successful

    ========== regfind ==========

    Searching for "tbbjnhjp"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "tbbjnhjpwsxvxtb"="C:\ProgramData\tbbjnhjp.exe"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\tbbjnhjp_RASAPI32]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\tbbjnhjp_RASMANCS]
    [HKEY_USERS\S-1-5-21-868785299-726797094-2297327714-1001\Software\Microsoft\Windows\CurrentVersion\Run]
    "tbbjnhjpwsxvxtb"="C:\ProgramData\tbbjnhjp.exe"

    -= EOF =-
     
  20. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please download OTM

    • Save it to your desktop.
    • Please double-click OTM to run it. (Note for Vista: Right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL C (or, after highlighting, right-click and choose Copy):

    • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and
    open the newest .log file present, and copy/paste the contents of that document back here in your next post.
     
  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, are you still with us? Please update us with the state of your situation, so we know how to continue from here.

    We'd still like to help. Topic marked inactive, until your return.
     
  22. mradl36

    mradl36 TS Rookie Topic Starter

    All processes killed
    ========== REGISTRY ==========
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\tbbjnhjpwsxvxtb deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\tbbjnhjp_RASAPI32\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\tbbjnhjp_RASMANCS\ deleted successfully.
    Registry value HKEY_USERS\S-1-5-21-868785299-726797094-2297327714-1001\Software\Microsoft\Windows\CurrentVersion\Run\\tbbjnhjpwsxvxtb not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Michelle
    ->Temp folder emptied: 169993474 bytes
    ->Temporary Internet Files folder emptied: 11190737 bytes
    ->Java cache emptied: 1878 bytes
    ->FireFox cache emptied: 1158098172 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 37316 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 1171461 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 6223248 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 4584029 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 978694758 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 670 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67496 bytes
    RecycleBin emptied: 3193963 bytes

    Total Files Cleaned = 2,225.00 mb


    OTM by OldTimer - Version 3.1.21.0 log created on 10272012_134429

    Files moved on Reboot...
    C:\Users\Michelle\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    Registry entries deleted on Reboot...
     
  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    This problem should be diminished, correct?

    Any more questions?
     
  24. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello! Are you still with us? Your topic is now marked inactive, because you have lacked to reply.

    However, we'd like to still help. Please update us on the state of your PC.
     


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.