Windows has encountered a critical error will restart in one minute

By againstheman
Aug 17, 2012
  1. I recently installed Microsoft Security Essentials and all of a sudden a box popped up saying "Windows has encountered a critical error will restart in one minute. Please save all your work." Looking around for solutions I found this forum and would really appreciate some help.
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    Download Farbar Recovery Scan Tool and save it to a flash drive.


    Depending on your type of system, you will have to select 32-bit or 64-bit accordingly. How do I tell?

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there
    • Press Scan button.
    • type exit and reboot the computer normally
    • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.
  3. againstheman

    againstheman Newcomer, in training Topic Starter

    Thank you for your quick reply

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 15-08-2012
    Ran by SYSTEM at 17-08-2012 14:47:39
    Running from E:\
    Windows 7 Starter (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1594664 2009-11-05] (Synaptics Incorporated)
    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [7866912 2009-11-17] (Realtek Semiconductor)
    HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.exe [4562944 2009-07-16] (Dell Inc.)
    HKLM\...\Run: [BTMeter] C:\Program Files\Battery Meter\BTMeter.exe [632176 2009-09-16] (Dell)
    HKLM\...\Run: [WSED] C:\Program Files\WSED\WSED.exe [247080 2009-05-27] (Dell)
    HKLM\...\Run: [CapsLKNotify] C:\Program Files\CapsLKNotify\CapsLKNotify.exe [320880 2009-06-09] (Compal Electronics, Inc)
    HKLM\...\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m [1779952 2009-09-11] ()
    HKLM\...\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter [206064 2009-06-03] (SupportSoft, Inc.)
    HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [31016 2006-10-26] (Microsoft Corporation)
    HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [141608 2010-07-21] (Apple Inc.)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-08-10] (Apple Inc.)
    HKLM\...\Run: [LivingPlay] C:\Program Files\LivingPlay\livingplay32.exe a [x]
    HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2010-10-25] (Intel Corporation)
    HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [173592 2010-10-25] (Intel Corporation)
    HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [150552 2010-10-25] (Intel Corporation)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKU\Aileen\...\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun [357696 2010-04-01] (DT Soft Ltd)
    HKU\Aileen\...\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [x]
    HKU\Aileen\...\Run: [Malware Protection] C:\Users\Aileen\AppData\Roaming\defender.exe [x]
    HKU\Aileen\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized [15141768 2011-06-15] (Skype Technologies S.A.)
    HKU\Aileen\...\Run: [Adobe] rundll32.exe "C:\Users\Aileen\AppData\Local\Apple\Adobe\mbgdtrp.dll",CreateInstance [1675776 2012-08-09] (Microsoft Corporation)
    HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1173504 2009-07-13] (Microsoft Corporation)
    HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1173504 2009-07-13] (Microsoft Corporation)
    HKU\Guest\...\Run: [Diagnostics] rundll32.exe "C:\Users\Guest\AppData\Local\Google\Diagnostics\golrjkntt.dll",CreateInstance [690176 2012-07-20] (Microsoft Corporation)
    HKU\Guest\...\Run: [Facebook Update] "C:\Users\Guest\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-08-05] (Facebook Inc.)
    Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
    Tcpip\Parameters: [DhcpNameServer] 10.0.0.1
    Startup: C:\Users\Aileen\Start Menu\Programs\Startup\Dell Dock.lnk
    ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\Aileen\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
    Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\Guest\Start Menu\Programs\Startup\Dell Dock.lnk
    ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\Guest\Start Menu\Programs\Startup\Facebook Messenger.lnk
    ShortcutTarget: Facebook Messenger.lnk -> (No File)

    ================================ Services (Whitelisted) ==================

    2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [155648 2009-06-09] (Stardock Corporation)
    2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
    2 sprtsvc_DellSupportCenter; "C:\Program Files\Dell Support Center\bin\sprtsvc.exe" /service /P DellSupportCenter [201968 2009-06-03] (SupportSoft, Inc.)
    2 wltrysvc; "C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE" "C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe" [3086848 2009-07-16] (Dell Inc.)
    2 AeLookupSvc32; C:\ProgramData\api-ms-win-core-console-l1-1-032.exe [x]
    2 AeLookupSvc3232; C:\ProgramData\drt32.exe [x]
    2 ALG32; C:\ProgramData\qedit32.exe [x]
    2 BDESVC32; C:\ProgramData\usbui32.exe [x]
    2 Browser32; C:\ProgramData\unimdmat32.exe [x]
    2 clr_optimization_v2.0.50727_3232; C:\ProgramData\panmap32.exe [x]
    2 COMSysApp32; C:\ProgramData\storage32.exe [x]
    2 CryptSvc32; C:\ProgramData\msisip32.exe [x]
    2 defragsvc32; C:\ProgramData\montr_ci32.exe [x]
    2 Dnscache32; C:\ProgramData\bthci32.exe [x]
    2 eventlog32; C:\ProgramData\asycfilt32.exe [x]
    2 EventSystem32; C:\ProgramData\RpcEpMap32.exe [x]
    2 Fax32; C:\ProgramData\KBDMON32.exe [x]
    2 GoToAssist32; C:\ProgramData\SynCtrl32.exe [x]
    2 GoToAssist3232; C:\ProgramData\recovery32.exe [x]
    2 GoToAssist323232; C:\ProgramData\api-ms-win-core-handle-l1-1-032.exe [x]
    2 hidserv32; C:\ProgramData\TabbtnEx32.exe [x]
    2 HomeGroupProvider32; C:\ProgramData\NlsData001d32.exe [x]
    2 IPBusEnum32; C:\ProgramData\efssvc32.exe [x]
    2 iphlpsvc32; C:\ProgramData\fdProxy32.exe [x]
    2 iPod Service32; C:\ProgramData\spwizui32.exe [x]
    2 LanmanWorkstation32; C:\ProgramData\mycomput32.exe [x]
    2 LanmanWorkstation3232; C:\ProgramData\msjetoledb4032.exe [x]
    2 lmhosts32; C:\ProgramData\rdpcorekmts32.exe [x]
    2 Microsoft Office Groove Audit Service32; C:\ProgramData\api-ms-win-core-namedpipe-l1-1-032.exe [x]
    2 MMCSS32; C:\ProgramData\VAN32.exe [x]
    2 MSiSCSI3232; C:\ProgramData\d3d8thk32.exe [x]
    2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
    2 Netman32; C:\ProgramData\NlsData041432.exe [x]
    2 Netman3232; C:\ProgramData\cabview32.exe [x]
    2 Netman323232; C:\ProgramData\kbd101b32.exe [x]
    3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
    2 NlaSvc32; C:\ProgramData\dxtmsft32.exe [x]
    2 nsi32; C:\ProgramData\ole3232.exe [x]
    2 ose32; C:\ProgramData\profprov32.exe [x]
    2 p2pimsvc32; C:\ProgramData\WsmAuto32.exe [x]
    2 pla32; C:\ProgramData\sspisrv32.exe [x]
    2 PlugPlay32; C:\ProgramData\aaclient32.exe [x]
    2 PlugPlay3232; C:\ProgramData\FM20ENU32.exe [x]
    2 PNRPAutoReg32; C:\ProgramData\KBDROPR32.exe [x]
    2 PNRPsvc32; C:\ProgramData\pstorsvc32.exe [x]
    2 RasMan32; C:\ProgramData\QUTIL32.exe [x]
    2 RemoteAccess32; C:\ProgramData\bootres32.exe [x]
    2 RemoteRegistry32; C:\ProgramData\dhcpcsvc32.exe [x]
    2 RpcSs32; C:\ProgramData\umpnpmgr32.exe [x]
    2 SCardSvr32; C:\ProgramData\UIRibbon32.exe [x]
    2 seclogon32; C:\ProgramData\FDResPub32.exe [x]
    2 SessionEnv32; C:\ProgramData\FirewallControlPanel32.exe [x]
    2 ShellHWDetection32; C:\ProgramData\pcwutl32.exe [x]
    2 Spooler32; C:\ProgramData\KBDAL32.exe [x]
    2 Spooler3232; C:\ProgramData\cabinet32.exe [x]
    2 Spooler323232; C:\ProgramData\dpapiprovider32.exe [x]
    2 Spooler32323232; C:\ProgramData\prnntfy32.exe [x]
    2 sppsvc32; C:\ProgramData\KBDINTEL32.exe [x]
    2 sppsvc3232; C:\ProgramData\tcpipcfg32.exe [x]
    2 SstpSvc32; C:\ProgramData\kbdnec9532.exe [x]
    2 SstpSvc3232; C:\ProgramData\iccvid32.exe [x]
    2 TabletInputService32; C:\ProgramData\KBDTURME32.exe [x]
    2 TBS32; C:\ProgramData\TabSvc32.exe [x]
    2 Themes32; C:\ProgramData\cngprovider32.exe [x]
    2 vds32; C:\ProgramData\propsys32.exe [x]
    2 VSS32; C:\ProgramData\loadperf32.exe [x]
    2 WbioSrvc32; C:\ProgramData\winbrand32.exe [x]
    2 wcncsvc32; C:\ProgramData\version32.exe [x]
    2 WinDefend32; C:\ProgramData\gcdef32.exe [x]
    2 wmiApSrv32; C:\ProgramData\NlsLexicons003e32.exe [x]
    2 wscsvc32; C:\ProgramData\oleres32.exe [x]
    2 WSearch32; C:\ProgramData\SampleRes32.exe [x]
    2 WSearch3232; C:\ProgramData\KBDLV32.exe [x]
    2 YahooAUService32; C:\ProgramData\prflbmsg32.exe [x]
    2 YahooAUService3232; C:\ProgramData\correngine32.exe [x]
    2 YahooAUService323232; C:\ProgramData\Groupinghc32.exe [x]

    ========================== Drivers (Whitelisted) =============

    3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18424 2009-07-16] (Broadcom Corporation)
    0 EMSC; C:\Windows\System32\DRIVERS\EMSC.SYS [13680 2009-06-26] (Windows (R) Win 7 DDK provider)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [14736 2009-05-08] (Microsoft Corporation)
    0 sptd; C:\Windows\System32\Drivers\sptd.sys [691696 2010-06-17] (Duplex Secure Ltd.)
    3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-17 03:40 - 2012-08-17 03:37 - 00347424 ____A (Microsoft Corporation) C:\Users\Aileen\Desktop\MicrosoftFixit.wu.Run.exe
    2012-08-17 02:37 - 2012-08-17 02:37 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-17 02:35 - 2012-08-17 02:35 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-08-17 02:34 - 2012-08-17 02:28 - 10288512 ____A (Microsoft Corporation) C:\Users\Aileen\Desktop\mseinstall.exe
    2012-08-17 02:28 - 2012-08-17 02:29 - 00145608 ____A C:\Windows\Minidump\081712-32869-01.dmp
    2012-08-17 01:33 - 2012-08-17 01:33 - 00000020 ____A C:\Windows\$ö
    2012-08-16 16:22 - 2012-06-18 05:10 - 62269166 ____A C:\Users\Guest\Desktop\102_1525.MOV
    2012-08-13 18:27 - 2012-08-13 18:27 - 00501248 ____A (Facebook Inc.) C:\Users\Aileen\Downloads\FacebookVideoCallSetup_v1.2.205.0(1).exe
    2012-08-13 18:25 - 2012-08-13 18:26 - 00501248 ____A (Facebook Inc.) C:\Users\Aileen\Downloads\FacebookVideoCallSetup_v1.2.205.0.exe
    2012-08-13 15:56 - 2012-08-13 15:56 - 00000000 ____D C:\Windows\Sun
    2012-08-12 11:43 - 2011-11-17 20:51 - 00239877 ____A C:\Users\Aileen\Desktop\spanish guy project.pptx
    2012-08-12 11:43 - 2011-11-16 08:45 - 07642112 ____A C:\Users\Aileen\Desktop\Presentation2.ppt
    2012-08-11 16:49 - 2012-08-11 16:49 - 00145608 ____A C:\Windows\Minidump\081112-30466-01.dmp
    2012-08-11 14:41 - 2012-08-11 14:41 - 00145608 ____A C:\Windows\Minidump\081112-28282-01.dmp
    2012-08-06 17:25 - 2012-08-06 17:25 - 00145608 ____A C:\Windows\Minidump\080612-34788-01.dmp
    2012-08-05 22:29 - 2012-08-05 22:29 - 00501248 ____A (Facebook Inc.) C:\Users\Guest\Downloads\FacebookVideoCallSetup_v1.2.205.0 (2).exe
    2012-08-05 22:25 - 2012-08-05 22:26 - 00501248 ____A (Facebook Inc.) C:\Users\Guest\Downloads\FacebookVideoCallSetup_v1.2.205.0 (1).exe
    2012-08-05 22:16 - 2012-08-05 22:17 - 00501248 ____A (Facebook Inc.) C:\Users\Guest\Downloads\FacebookVideoCallSetup_v1.2.205.0.exe
    2012-08-05 18:03 - 2012-08-17 02:28 - 165858926 ____A C:\Windows\MEMORY.DMP
    2012-08-05 18:03 - 2012-08-17 02:28 - 00000000 ____D C:\Windows\Minidump
    2012-08-05 18:03 - 2012-08-05 18:03 - 00145616 ____A C:\Windows\Minidump\080512-30888-01.dmp
    2012-08-01 10:22 - 2012-08-05 22:32 - 00000000 ____D C:\Users\Guest\AppData\Local\Facebook
    2012-08-01 10:22 - 2012-08-01 10:22 - 00501240 ____A (Facebook Inc.) C:\Users\Guest\Downloads\FacebookMessengerSetup_v1.2.205.0.exe
    2012-07-18 22:56 - 2012-07-18 22:56 - 00000000 ____D C:\Users\Guest\AppData\Roaming\vlc
    2012-07-18 12:54 - 2012-07-18 12:54 - 00000000 ____D C:\Users\Guest\AppData\Local\Macromedia


    ============ 3 Months Modified Files ========================

    2012-08-17 04:34 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-17 04:33 - 2009-07-13 20:39 - 00132301 ____A C:\Windows\setupact.log
    2012-08-17 03:40 - 2009-07-13 15:11 - 00259072 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-08-17 03:37 - 2012-08-17 03:40 - 00347424 ____A (Microsoft Corporation) C:\Users\Aileen\Desktop\MicrosoftFixit.wu.Run.exe
    2012-08-17 02:42 - 2009-07-13 20:55 - 01306915 ____A C:\Windows\WindowsUpdate.log
    2012-08-17 02:37 - 2012-08-17 02:37 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-17 02:37 - 2009-07-13 20:34 - 00010272 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-17 02:37 - 2009-07-13 20:34 - 00010272 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-17 02:35 - 2010-01-20 19:12 - 00743360 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-17 02:29 - 2012-08-17 02:28 - 00145608 ____A C:\Windows\Minidump\081712-32869-01.dmp
    2012-08-17 02:28 - 2012-08-17 02:34 - 10288512 ____A (Microsoft Corporation) C:\Users\Aileen\Desktop\mseinstall.exe
    2012-08-17 02:28 - 2012-08-05 18:03 - 165858926 ____A C:\Windows\MEMORY.DMP
    2012-08-17 02:08 - 2010-01-20 20:54 - 00500354 ____A C:\Windows\PFRO.log
    2012-08-17 02:03 - 2009-07-13 20:53 - 00032598 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-08-17 01:33 - 2012-08-17 01:33 - 00000020 ____A C:\Windows\$ö
    2012-08-13 18:27 - 2012-08-13 18:27 - 00501248 ____A (Facebook Inc.) C:\Users\Aileen\Downloads\FacebookVideoCallSetup_v1.2.205.0(1).exe
    2012-08-13 18:26 - 2012-08-13 18:25 - 00501248 ____A (Facebook Inc.) C:\Users\Aileen\Downloads\FacebookVideoCallSetup_v1.2.205.0.exe
    2012-08-13 16:02 - 2010-12-25 14:30 - 00032768 ____A C:\Windows\System32\Ikeext.etl
    2012-08-11 16:49 - 2012-08-11 16:49 - 00145608 ____A C:\Windows\Minidump\081112-30466-01.dmp
    2012-08-11 14:41 - 2012-08-11 14:41 - 00145608 ____A C:\Windows\Minidump\081112-28282-01.dmp
    2012-08-06 17:25 - 2012-08-06 17:25 - 00145608 ____A C:\Windows\Minidump\080612-34788-01.dmp
    2012-08-05 22:29 - 2012-08-05 22:29 - 00501248 ____A (Facebook Inc.) C:\Users\Guest\Downloads\FacebookVideoCallSetup_v1.2.205.0 (2).exe
    2012-08-05 22:26 - 2012-08-05 22:25 - 00501248 ____A (Facebook Inc.) C:\Users\Guest\Downloads\FacebookVideoCallSetup_v1.2.205.0 (1).exe
    2012-08-05 22:17 - 2012-08-05 22:16 - 00501248 ____A (Facebook Inc.) C:\Users\Guest\Downloads\FacebookVideoCallSetup_v1.2.205.0.exe
    2012-08-05 18:03 - 2012-08-05 18:03 - 00145616 ____A C:\Windows\Minidump\080512-30888-01.dmp
    2012-08-01 10:22 - 2012-08-01 10:22 - 00501240 ____A (Facebook Inc.) C:\Users\Guest\Downloads\FacebookMessengerSetup_v1.2.205.0.exe
    2012-07-26 21:35 - 2012-05-17 21:28 - 00002686 ____A C:\Windows\System32\debug.log
    2012-07-12 15:47 - 2009-07-13 20:33 - 00413832 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-06-29 19:05 - 2012-06-29 19:05 - 00097194 ____A C:\Users\Guest\Downloads\Unconfirmed 49300.crdownload
    2012-06-27 21:24 - 2012-06-27 21:24 - 00034825 ____A C:\Users\Guest\Desktop\267972.htm
    2012-06-26 21:20 - 2012-06-26 21:20 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-06-26 21:20 - 2012-06-26 21:20 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-06-18 05:10 - 2012-08-16 16:22 - 62269166 ____A C:\Users\Guest\Desktop\102_1525.MOV
    2012-06-11 18:44 - 2012-07-12 10:46 - 02344448 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-08 20:46 - 2012-07-11 12:14 - 12868608 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-05 21:09 - 2012-07-11 12:15 - 01389568 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-05 21:09 - 2012-07-11 12:15 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-02 14:19 - 2012-06-08 15:10 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-08 15:10 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-08 15:10 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-08 15:09 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-08 15:09 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 14:19 - 2012-06-08 15:09 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:12 - 2012-06-08 15:10 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:12 - 2012-06-08 15:09 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 14:12 - 2012-06-08 15:09 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-01 20:51 - 2012-07-11 12:15 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-06-01 20:51 - 2012-07-11 12:15 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-01 20:50 - 2012-07-11 12:15 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-06-01 20:48 - 2012-07-11 12:15 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 20:47 - 2012-07-11 12:15 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-05-31 11:25 - 2010-06-19 19:06 - 00237072 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe


    ZeroAccess:
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}\@
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}\L
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}\n
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}\U
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}\L\00000004.@
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}\L\201d3dde
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}\U\00000004.@
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}\U\00000008.@
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}\U\000000cb.@
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}\U\80000000.@
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}\U\80000032.@

    ZeroAccess:
    C:\Windows\assembly\GAC\Desktop.ini

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    TDL4: custom:26000022 <===== ATTENTION!

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 39%
    Total physical RAM: 1013.34 MB
    Available physical RAM: 609.1 MB
    Total Pagefile: 1013.34 MB
    Available Pagefile: 608.27 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1977.38 MB

    ======================= Partitions =========================

    1 Drive c: (OS) (Fixed) (Total:134.36 GB) (Free:60.74 GB) NTFS
    2 Drive e: (DRIVER) (Removable) (Total:7.45 GB) (Free:7.45 GB) FAT32
    4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    5 Drive y: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:10.98 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 149 GB 0 B
    Disk 1 Online 7648 MB 0 B
    Disk 2 No Media 0 B 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 39 MB 31 KB
    Partition 2 Primary 14 GB 40 MB
    Partition 3 Primary 134 GB 14 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 FAT Partition 39 MB Healthy Hidden

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 0 Y RECOVERY NTFS Partition 14 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C OS NTFS Partition 134 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 7646 MB 1096 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0B
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 E DRIVER FAT32 Removable 7646 MB Healthy

    ==================================================================================

    Last Boot: 2012-08-11 15:05

    ======================= End Of Log ==========================
  4. Jay Pfoutz

    Additional FRST Scan

    Once again, please boot to the System Recovery Options and run FRST, as done previously.

    Type the following text in the blank box after Search:

    services.exe

    Click: Search file(s)


    When done searching, FRST makes a log, Search.txt, on the C:\ drive.

    Please provide the Search.txt in your reply.
  5. againstheman

    The search took a while, sorry for the late reply

    Farbar Recovery Scan Tool Version: 15-08-2012
    Ran by SYSTEM at 2012-08-18 05:00:51
    Running from E:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

    C:\Windows\System32\services.exe
    [2009-07-13 15:11] - [2012-08-17 03:40] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

    === End Of Search ===
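Read together, the two logs above carry the whole picture of this infection before any tool names it: autorun entries loading a DLL from a user profile through rundll32.exe with a CreateInstance export (the "(Microsoft Corporation)" tag is only what the DLL claims about itself), a block of services whose names are real Windows service names with "32" appended and whose images sit in C:\ProgramData with FRST's `[x]` marker (the tool could not find or read the file), and a C:\Windows\System32\services.exe whose MD5 differs from the untouched WinSxS copy although the size is identical and the modification date is the day of the crash, which is what an in-place patch of a system binary looks like. The script below is an added example, not part of this thread and not FRST's own logic: it applies those four checks to constructed sample lines copied from the posted FRST.txt and Search.txt. The rule names, the regular expressions and the reading of `[x]` are this example's assumptions.

```python
"""Triage rules for FRST log lines (added example; not code from the thread or from FRST).

Constructed input: the sample lines below are copied from the logs posted in this
thread. The four rules and the reading of the `[x]` marker are this example's own
assumptions about how to interpret an FRST log, not FRST's own logic.
"""
import re

# --- constructed samples, copied from the posted FRST.txt and Search.txt ---
SAMPLE_LOG = r'''
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\Aileen\...\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [x]
HKU\Aileen\...\Run: [Malware Protection] C:\Users\Aileen\AppData\Roaming\defender.exe [x]
HKU\Aileen\...\Run: [Adobe] rundll32.exe "C:\Users\Aileen\AppData\Local\Apple\Adobe\mbgdtrp.dll",CreateInstance [1675776 2012-08-09] (Microsoft Corporation)
HKU\Guest\...\Run: [Diagnostics] rundll32.exe "C:\Users\Guest\AppData\Local\Google\Diagnostics\golrjkntt.dll",CreateInstance [690176 2012-07-20] (Microsoft Corporation)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 AeLookupSvc32; C:\ProgramData\api-ms-win-core-console-l1-1-032.exe [x]
2 Dnscache32; C:\ProgramData\bthci32.exe [x]
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
2 Spooler32323232; C:\ProgramData\prnntfy32.exe [x]
2 YahooAUService323232; C:\ProgramData\Groupinghc32.exe [x]
'''

SAMPLE_SEARCH = r'''
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2012-08-17 03:40] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9
'''

# Line shapes as they appear in FRST output (assumed stable for this version)
RUN_RE = re.compile(r'^(?P<key>HK[^:]*?\\Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
SVC_RE = re.compile(r'^(?P<start>[0-4]) (?P<name>[^;]+); (?P<cmd>.*)$')
ATTR_RE = re.compile(r'^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - '
                     r'(?P<size>\d+) \S+ (?:\([^)]*\) )?(?P<md5>[0-9A-Fa-f]{32})$')
USER_PROFILE = re.compile(r'\\Users\\[^\\]+\\AppData\\', re.IGNORECASE)
PROGRAMDATA = re.compile(r'^"?C:\\ProgramData\\', re.IGNORECASE)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\w+)', re.IGNORECASE)
CLONE_RE = re.compile(r'^.+?(?:32)+$')   # real service name plus one or more "32" suffixes


def unreadable(cmd):
    """FRST appends [x] when it cannot find or read the file behind an entry."""
    return cmd.rstrip().endswith('[x]')


def analyze(log_text):
    """Apply the autorun and service rules; return {rule: [entry names]}."""
    findings = {'run_unreadable_user_path': [], 'rundll32_user_dll': [],
                'programdata_services': [], 'cloned_service_names': []}
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            cmd = m.group('cmd')
            # Rule 1: autorun pointing at an unreadable file inside a user profile
            if unreadable(cmd) and USER_PROFILE.search(cmd):
                findings['run_unreadable_user_path'].append(m.group('name'))
            # Rule 2: rundll32 loading a DLL from a user profile; the company
            # name FRST prints is the DLL's own version resource, not a signature
            d = RUNDLL_RE.match(cmd)
            if d and USER_PROFILE.search(d.group('dll')):
                findings['rundll32_user_dll'].append(m.group('name'))
            continue
        m = SVC_RE.match(line)
        if m and PROGRAMDATA.match(m.group('cmd')) and unreadable(m.group('cmd')):
            # Rule 3: service whose image lives in C:\ProgramData and cannot be read
            name = m.group('name')
            findings['programdata_services'].append(name)
            # Rule 4: the name is a legitimate service name with "32" glued on
            if CLONE_RE.match(name):
                findings['cloned_service_names'].append(name)
    return findings


def compare_search(search_text):
    """Pair each path line of a Search.txt with its attribute line and report the
    copies whose MD5 differs from the WinSxS reference copy of the same binary."""
    lines = [l.strip() for l in search_text.splitlines() if l.strip()]
    entries = []
    for i in range(1, len(lines)):
        m = ATTR_RE.match(lines[i])
        if m:
            entries.append({'path': lines[i - 1], **m.groupdict()})
    ref = next((e for e in entries if '\\winsxs\\' in e['path'].lower()), None)
    if ref is None:
        return []
    return [dict(e, same_size=e['size'] == ref['size'], ref_md5=ref['md5'])
            for e in entries if e is not ref and e['md5'].lower() != ref['md5'].lower()]


if __name__ == '__main__':
    for rule, names in analyze(SAMPLE_LOG).items():
        print(f'{rule}: {names}')
    for hit in compare_search(SAMPLE_SEARCH):
        print(f"{hit['path']}: MD5 {hit['md5']} != WinSxS {hit['ref_md5']}, "
              f"same size={hit['same_size']}, modified {hit['modified']}")
```

On the sample input the script flags the `Malware Protection` autorun, the two rundll32 entries, the four ProgramData services (MsMpSvc is `[x]` too, but its image is under Program Files, so rule 3 leaves it alone) and the System32 services.exe, whose hash differs from the WinSxS copy at identical size. The WinSxS copy is only a convenient reference, not proof of cleanliness; the helper's later fixlist restores services.exe from it because the posted search showed that copy still carrying its original July 2009 timestamps.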
  6. Jay Pfoutz

    FRST Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Now restart, let it boot normally and tell me how it went.
  7. againstheman

    Everything seems fine so far

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 15-08-2012
    Ran by SYSTEM at 2012-08-19 15:50:35 Run:1
    Running from E:\

    ==============================================

    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580} moved successfully.
    C:\Windows\assembly\GAC\Desktop.ini moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====
  8. Jay Pfoutz

    ComboFix

    Please download ComboFix by sUBs from BleepingComputer.com.

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
  9. againstheman

    againstheman Newcomer, in training Topic Starter

    I am unable to run it without running into the blue screen of death. I have tried running it in safe mode and I have tried changing the name before downloading it.
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay. Go ahead with another scan from FRST, post a new log, please.
  11. againstheman

    againstheman Newcomer, in training Topic Starter

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 15-08-2012
    Ran by SYSTEM at 21-08-2012 15:56:03
    Running from F:\
    Windows 7 Starter (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1594664 2009-11-05] (Synaptics Incorporated)
    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [7866912 2009-11-17] (Realtek Semiconductor)
    HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.exe [4562944 2009-07-16] (Dell Inc.)
    HKLM\...\Run: [BTMeter] C:\Program Files\Battery Meter\BTMeter.exe [632176 2009-09-16] (Dell)
    HKLM\...\Run: [WSED] C:\Program Files\WSED\WSED.exe [247080 2009-05-27] (Dell)
    HKLM\...\Run: [CapsLKNotify] C:\Program Files\CapsLKNotify\CapsLKNotify.exe [320880 2009-06-09] (Compal Electronics, Inc)
    HKLM\...\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m [1779952 2009-09-11] ()
    HKLM\...\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter [206064 2009-06-03] (SupportSoft, Inc.)
    HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [31016 2006-10-26] (Microsoft Corporation)
    HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [141608 2010-07-21] (Apple Inc.)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-08-10] (Apple Inc.)
    HKLM\...\Run: [LivingPlay] C:\Program Files\LivingPlay\livingplay32.exe a [x]
    HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2010-10-25] (Intel Corporation)
    HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [173592 2010-10-25] (Intel Corporation)
    HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [150552 2010-10-25] (Intel Corporation)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKU\Aileen\...\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun [357696 2010-04-01] (DT Soft Ltd)
    HKU\Aileen\...\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [x]
    HKU\Aileen\...\Run: [Malware Protection] C:\Users\Aileen\AppData\Roaming\defender.exe [x]
    HKU\Aileen\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized [15141768 2011-06-15] (Skype Technologies S.A.)
    HKU\Aileen\...\Run: [Facebook Update] "C:\Users\Aileen\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-08-13] (Facebook Inc.)
    HKU\Aileen\...\Run: [Adobe] rundll32.exe "C:\Users\Aileen\AppData\Local\Apple\Adobe\mbgdtrp.dll",CreateInstance [1675776 2012-08-09] (Microsoft Corporation)
    HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1173504 2009-07-13] (Microsoft Corporation)
    HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1173504 2009-07-13] (Microsoft Corporation)
    HKU\Guest\...\Run: [Diagnostics] rundll32.exe "C:\Users\Guest\AppData\Local\Google\Diagnostics\golrjkntt.dll",CreateInstance [690176 2012-07-20] (Microsoft Corporation)
    HKU\Guest\...\Run: [Facebook Update] "C:\Users\Guest\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-08-05] (Facebook Inc.)
    Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
    Tcpip\Parameters: [DhcpNameServer] 10.0.0.1
    Startup: C:\Users\Aileen\Start Menu\Programs\Startup\Dell Dock.lnk
    ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\Aileen\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
    Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\Guest\Start Menu\Programs\Startup\Dell Dock.lnk
    ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\Guest\Start Menu\Programs\Startup\Facebook Messenger.lnk
    ShortcutTarget: Facebook Messenger.lnk -> (No File)

    ================================ Services (Whitelisted) ==================

    2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [155648 2009-06-09] (Stardock Corporation)
    2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
    2 sprtsvc_DellSupportCenter; "C:\Program Files\Dell Support Center\bin\sprtsvc.exe" /service /P DellSupportCenter [201968 2009-06-03] (SupportSoft, Inc.)
    2 wltrysvc; "C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE" "C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe" [3086848 2009-07-16] (Dell Inc.)
    2 AeLookupSvc32; C:\ProgramData\api-ms-win-core-console-l1-1-032.exe [x]
    2 AeLookupSvc3232; C:\ProgramData\drt32.exe [x]
    2 ALG32; C:\ProgramData\qedit32.exe [x]
    2 BDESVC32; C:\ProgramData\usbui32.exe [x]
    2 Browser32; C:\ProgramData\unimdmat32.exe [x]
    2 clr_optimization_v2.0.50727_3232; C:\ProgramData\panmap32.exe [x]
    2 COMSysApp32; C:\ProgramData\storage32.exe [x]
    2 CryptSvc32; C:\ProgramData\msisip32.exe [x]
    2 defragsvc32; C:\ProgramData\montr_ci32.exe [x]
    2 Dnscache32; C:\ProgramData\bthci32.exe [x]
    2 eventlog32; C:\ProgramData\asycfilt32.exe [x]
    2 EventSystem32; C:\ProgramData\RpcEpMap32.exe [x]
    2 Fax32; C:\ProgramData\KBDMON32.exe [x]
    2 GoToAssist32; C:\ProgramData\SynCtrl32.exe [x]
    2 GoToAssist3232; C:\ProgramData\recovery32.exe [x]
    2 GoToAssist323232; C:\ProgramData\api-ms-win-core-handle-l1-1-032.exe [x]
    2 hidserv32; C:\ProgramData\TabbtnEx32.exe [x]
    2 HomeGroupProvider32; C:\ProgramData\NlsData001d32.exe [x]
    2 IPBusEnum32; C:\ProgramData\efssvc32.exe [x]
    2 iphlpsvc32; C:\ProgramData\fdProxy32.exe [x]
    2 iPod Service32; C:\ProgramData\spwizui32.exe [x]
    2 LanmanWorkstation32; C:\ProgramData\mycomput32.exe [x]
    2 LanmanWorkstation3232; C:\ProgramData\msjetoledb4032.exe [x]
    2 lmhosts32; C:\ProgramData\rdpcorekmts32.exe [x]
    2 Microsoft Office Groove Audit Service32; C:\ProgramData\api-ms-win-core-namedpipe-l1-1-032.exe [x]
    2 MMCSS32; C:\ProgramData\VAN32.exe [x]
    2 MSiSCSI3232; C:\ProgramData\d3d8thk32.exe [x]
    2 Netman32; C:\ProgramData\NlsData041432.exe [x]
    2 Netman3232; C:\ProgramData\cabview32.exe [x]
    2 Netman323232; C:\ProgramData\kbd101b32.exe [x]
    2 NlaSvc32; C:\ProgramData\dxtmsft32.exe [x]
    2 nsi32; C:\ProgramData\ole3232.exe [x]
    2 ose32; C:\ProgramData\profprov32.exe [x]
    2 p2pimsvc32; C:\ProgramData\WsmAuto32.exe [x]
    2 pla32; C:\ProgramData\sspisrv32.exe [x]
    2 PlugPlay32; C:\ProgramData\aaclient32.exe [x]
    2 PlugPlay3232; C:\ProgramData\FM20ENU32.exe [x]
    2 PNRPAutoReg32; C:\ProgramData\KBDROPR32.exe [x]
    2 PNRPsvc32; C:\ProgramData\pstorsvc32.exe [x]
    2 RasMan32; C:\ProgramData\QUTIL32.exe [x]
    2 RemoteAccess32; C:\ProgramData\bootres32.exe [x]
    2 RemoteRegistry32; C:\ProgramData\dhcpcsvc32.exe [x]
    2 RpcSs32; C:\ProgramData\umpnpmgr32.exe [x]
    2 SCardSvr32; C:\ProgramData\UIRibbon32.exe [x]
    2 seclogon32; C:\ProgramData\FDResPub32.exe [x]
    2 SessionEnv32; C:\ProgramData\FirewallControlPanel32.exe [x]
    2 ShellHWDetection32; C:\ProgramData\pcwutl32.exe [x]
    2 Spooler32; C:\ProgramData\KBDAL32.exe [x]
    2 Spooler3232; C:\ProgramData\cabinet32.exe [x]
    2 Spooler323232; C:\ProgramData\dpapiprovider32.exe [x]
    2 Spooler32323232; C:\ProgramData\prnntfy32.exe [x]
    2 sppsvc32; C:\ProgramData\KBDINTEL32.exe [x]
    2 sppsvc3232; C:\ProgramData\tcpipcfg32.exe [x]
    2 SstpSvc32; C:\ProgramData\kbdnec9532.exe [x]
    2 SstpSvc3232; C:\ProgramData\iccvid32.exe [x]
    2 TabletInputService32; C:\ProgramData\KBDTURME32.exe [x]
    2 TBS32; C:\ProgramData\TabSvc32.exe [x]
    2 Themes32; C:\ProgramData\cngprovider32.exe [x]
    2 vds32; C:\ProgramData\propsys32.exe [x]
    2 VSS32; C:\ProgramData\loadperf32.exe [x]
    2 WbioSrvc32; C:\ProgramData\winbrand32.exe [x]
    2 wcncsvc32; C:\ProgramData\version32.exe [x]
    2 WinDefend32; C:\ProgramData\gcdef32.exe [x]
    2 wmiApSrv32; C:\ProgramData\NlsLexicons003e32.exe [x]
    2 wscsvc32; C:\ProgramData\oleres32.exe [x]
    2 WSearch32; C:\ProgramData\SampleRes32.exe [x]
    2 WSearch3232; C:\ProgramData\KBDLV32.exe [x]
    2 YahooAUService32; C:\ProgramData\prflbmsg32.exe [x]
    2 YahooAUService3232; C:\ProgramData\correngine32.exe [x]
    2 YahooAUService323232; C:\ProgramData\Groupinghc32.exe [x]

    ========================== Drivers (Whitelisted) =============

    3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18424 2009-07-16] (Broadcom Corporation)
    0 EMSC; C:\Windows\System32\DRIVERS\EMSC.SYS [13680 2009-06-26] (Windows (R) Win 7 DDK provider)
    3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [14736 2009-05-08] (Microsoft Corporation)
    0 sptd; C:\Windows\System32\Drivers\sptd.sys [691696 2010-06-17] (Duplex Secure Ltd.)
    3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-20 18:49 - 2012-08-20 18:50 - 00000000 ____D C:\Qoobox
    2012-08-20 15:28 - 2012-08-20 15:28 - 00000000 ____D C:\Users\Guest\AppData\Local\Apple
    2012-08-17 05:16 - 2012-08-17 05:17 - 00000000 ____D C:\FRST
    2012-08-17 02:35 - 2012-08-21 13:50 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-08-17 01:33 - 2012-08-17 01:33 - 00000020 ____A C:\Windows\$ö
    2012-08-16 16:22 - 2012-06-18 05:10 - 62269166 ____A C:\Users\Guest\Desktop\102_1525.MOV
    2012-08-13 18:27 - 2012-08-13 18:27 - 00501248 ____A (Facebook Inc.) C:\Users\Aileen\Downloads\FacebookVideoCallSetup_v1.2.205.0(1).exe
    2012-08-13 18:25 - 2012-08-13 18:26 - 00501248 ____A (Facebook Inc.) C:\Users\Aileen\Downloads\FacebookVideoCallSetup_v1.2.205.0.exe
    2012-08-13 15:56 - 2012-08-13 15:56 - 00000000 ____D C:\Windows\Sun
    2012-08-12 11:43 - 2011-11-17 20:51 - 00239877 ____A C:\Users\Aileen\Desktop\spanish guy project.pptx
    2012-08-12 11:43 - 2011-11-16 08:45 - 07642112 ____A C:\Users\Aileen\Desktop\Presentation2.ppt
    2012-08-11 16:49 - 2012-08-11 16:49 - 00145608 ____A C:\Windows\Minidump\081112-30466-01.dmp
    2012-08-11 14:41 - 2012-08-11 14:41 - 00145608 ____A C:\Windows\Minidump\081112-28282-01.dmp
    2012-08-06 17:25 - 2012-08-06 17:25 - 00145608 ____A C:\Windows\Minidump\080612-34788-01.dmp
    2012-08-05 22:29 - 2012-08-05 22:29 - 00501248 ____A (Facebook Inc.) C:\Users\Guest\Downloads\FacebookVideoCallSetup_v1.2.205.0 (2).exe
    2012-08-05 22:25 - 2012-08-05 22:26 - 00501248 ____A (Facebook Inc.) C:\Users\Guest\Downloads\FacebookVideoCallSetup_v1.2.205.0 (1).exe
    2012-08-05 22:16 - 2012-08-05 22:17 - 00501248 ____A (Facebook Inc.) C:\Users\Guest\Downloads\FacebookVideoCallSetup_v1.2.205.0.exe
    2012-08-05 18:03 - 2012-08-11 16:49 - 228802190 ____A C:\Windows\MEMORY.DMP
    2012-08-05 18:03 - 2012-08-11 16:49 - 00000000 ____D C:\Windows\Minidump
    2012-08-05 18:03 - 2012-08-05 18:03 - 00145616 ____A C:\Windows\Minidump\080512-30888-01.dmp
    2012-08-01 10:22 - 2012-08-05 22:32 - 00000000 ____D C:\Users\Guest\AppData\Local\Facebook
    2012-08-01 10:22 - 2012-08-01 10:22 - 00501240 ____A (Facebook Inc.) C:\Users\Guest\Downloads\FacebookMessengerSetup_v1.2.205.0.exe


    ============ 3 Months Modified Files ========================

    2012-08-21 14:21 - 2011-06-30 16:19 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-08-21 13:04 - 2010-01-20 19:12 - 00726142 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-21 13:00 - 2009-07-13 20:34 - 00010272 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-21 13:00 - 2009-07-13 20:34 - 00010272 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-21 12:57 - 2011-06-30 16:19 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-08-21 12:52 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-21 12:52 - 2009-07-13 20:39 - 00131797 ____A C:\Windows\setupact.log
    2012-08-17 01:33 - 2012-08-17 01:33 - 00000020 ____A C:\Windows\$ö
    2012-08-17 01:04 - 2009-07-13 20:55 - 01300696 ____A C:\Windows\WindowsUpdate.log
    2012-08-17 00:54 - 2009-07-13 20:53 - 00032598 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-08-17 00:33 - 2012-04-01 15:20 - 00000932 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-917044141-2080598828-2143362272-1000UA.job
    2012-08-16 18:33 - 2012-04-01 15:20 - 00000910 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-917044141-2080598828-2143362272-1000Core.job
    2012-08-13 18:27 - 2012-08-13 18:27 - 00501248 ____A (Facebook Inc.) C:\Users\Aileen\Downloads\FacebookVideoCallSetup_v1.2.205.0(1).exe
    2012-08-13 18:26 - 2012-08-13 18:25 - 00501248 ____A (Facebook Inc.) C:\Users\Aileen\Downloads\FacebookVideoCallSetup_v1.2.205.0.exe
    2012-08-13 16:02 - 2010-12-25 14:30 - 00032768 ____A C:\Windows\System32\Ikeext.etl
    2012-08-11 16:49 - 2012-08-11 16:49 - 00145608 ____A C:\Windows\Minidump\081112-30466-01.dmp
    2012-08-11 16:49 - 2012-08-05 18:03 - 228802190 ____A C:\Windows\MEMORY.DMP
    2012-08-11 14:41 - 2012-08-11 14:41 - 00145608 ____A C:\Windows\Minidump\081112-28282-01.dmp
    2012-08-06 17:25 - 2012-08-06 17:25 - 00145608 ____A C:\Windows\Minidump\080612-34788-01.dmp
    2012-08-05 22:29 - 2012-08-05 22:29 - 00501248 ____A (Facebook Inc.) C:\Users\Guest\Downloads\FacebookVideoCallSetup_v1.2.205.0 (2).exe
    2012-08-05 22:26 - 2012-08-05 22:25 - 00501248 ____A (Facebook Inc.) C:\Users\Guest\Downloads\FacebookVideoCallSetup_v1.2.205.0 (1).exe
    2012-08-05 22:17 - 2012-08-05 22:16 - 00501248 ____A (Facebook Inc.) C:\Users\Guest\Downloads\FacebookVideoCallSetup_v1.2.205.0.exe
    2012-08-05 18:03 - 2012-08-05 18:03 - 00145616 ____A C:\Windows\Minidump\080512-30888-01.dmp
    2012-08-01 10:22 - 2012-08-01 10:22 - 00501240 ____A (Facebook Inc.) C:\Users\Guest\Downloads\FacebookMessengerSetup_v1.2.205.0.exe
    2012-07-26 21:35 - 2012-05-17 21:28 - 00002686 ____A C:\Windows\System32\debug.log
    2012-07-12 15:47 - 2009-07-13 20:33 - 00413832 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-06-29 19:05 - 2012-06-29 19:05 - 00097194 ____A C:\Users\Guest\Downloads\Unconfirmed 49300.crdownload
    2012-06-27 21:24 - 2012-06-27 21:24 - 00034825 ____A C:\Users\Guest\Desktop\267972.htm
    2012-06-26 21:20 - 2012-06-26 21:20 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-06-26 21:20 - 2012-06-26 21:20 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-06-18 05:10 - 2012-08-16 16:22 - 62269166 ____A C:\Users\Guest\Desktop\102_1525.MOV
    2012-06-11 18:44 - 2012-07-12 10:46 - 02344448 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-08 20:46 - 2012-07-11 12:14 - 12868608 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-05 21:09 - 2012-07-11 12:15 - 01389568 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-05 21:09 - 2012-07-11 12:15 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-02 14:19 - 2012-06-08 15:10 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-08 15:10 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-08 15:10 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-08 15:09 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-08 15:09 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 14:19 - 2012-06-08 15:09 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:12 - 2012-06-08 15:10 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:12 - 2012-06-08 15:09 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 14:12 - 2012-06-08 15:09 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-01 20:51 - 2012-07-11 12:15 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-06-01 20:51 - 2012-07-11 12:15 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-01 20:50 - 2012-07-11 12:15 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-06-01 20:48 - 2012-07-11 12:15 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 20:47 - 2012-07-11 12:15 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-05-31 11:25 - 2010-06-19 19:06 - 00237072 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe


    ZeroAccess:
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}\@
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}\L
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}\n
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}\U
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}\L\00000004.@
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}\L\201d3dde
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}\U\00000004.@
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}\U\00000008.@
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}\U\000000cb.@
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}\U\80000000.@
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580}\U\80000032.@

    ZeroAccess:
    C:\Windows\assembly\GAC\Desktop.ini

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    TDL4: custom:26000022 <===== ATTENTION!

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 39%
    Total physical RAM: 1013.34 MB
    Available physical RAM: 612.47 MB
    Total Pagefile: 1013.34 MB
    Available Pagefile: 615.21 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1977.62 MB

    ======================= Partitions =========================

    1 Drive c: (OS) (Fixed) (Total:134.36 GB) (Free:60.62 GB) NTFS
    3 Drive f: (DRIVER) (Removable) (Total:7.45 GB) (Free:7.45 GB) FAT32
    4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    5 Drive y: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:10.98 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 149 GB 0 B
    Disk 1 No Media 0 B 0 B
    Disk 2 Online 7648 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 39 MB 31 KB
    Partition 2 Primary 14 GB 40 MB
    Partition 3 Primary 134 GB 14 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 FAT Partition 39 MB Healthy Hidden

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 0 Y RECOVERY NTFS Partition 14 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C OS NTFS Partition 134 GB Healthy

    ==================================================================================

    Partitions of Disk 2:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 7646 MB 1096 KB

    ==================================================================================

    Disk: 2
    Partition 1
    Type : 0B
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F DRIVER FAT32 Removable 7646 MB Healthy

    ==================================================================================

    Last Boot: 2012-08-19 20:04

    ======================= End Of Log ==========================
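    The Services and Run sections of the log above show the pattern the helper is acting on: dozens of services whose names copy genuine Windows service names with a "32" suffix, all pointing at executables under C:\ProgramData that no longer exist ([x]), plus user-hive Run entries launching from AppData and a rundll32 loader for a DLL in AppData that claims to be from Microsoft. The following Python script is an added example, not FRST's or the helper's code: it parses lines in FRST's Run/Services format and flags those indicators automatically. The sample lines are constructed from the log above, and the Windows service-name baseline is a partial, hand-picked list rather than an authoritative one.

```python
"""Triage FRST "Run" and "Services" lines for autostart persistence indicators.

Added example (not FRST's or the forum helper's code). SAMPLE_LOG is constructed
from the FRST log in the thread; KNOWN_SERVICES is a hand-picked partial baseline.
"""
import re
from dataclasses import dataclass, field

# FRST line shapes as they appear in the posted log:
#   HKLM\...\Run: [Name] <command> [size date] (Vendor)
#   2 ServiceName; <command> [size date] (Vendor)     ("[x]" = file not found)
RUN_RE = re.compile(
    r'^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\(?P<kind>Run|RunOnce): \[(?P<name>[^\]]+)\] '
    r'(?P<cmd>.+?)(?: \[(?P<meta>[^\]]*)\])?(?: \((?P<vendor>[^)]*)\))?$')
SVC_RE = re.compile(
    r'^(?P<start>\d) (?P<name>[^;]+); '
    r'(?P<cmd>.+?)(?: \[(?P<meta>[^\]]*)\])?(?: \((?P<vendor>[^)]*)\))?$')

# Partial baseline of genuine Windows 7 service names (constructed subset).
KNOWN_SERVICES = {s.lower() for s in (
    "AeLookupSvc", "ALG", "BDESVC", "Browser", "CryptSvc", "Dnscache", "eventlog",
    "EventSystem", "Netman", "NlaSvc", "PlugPlay", "RpcSs", "Spooler", "sppsvc",
    "Themes", "VSS", "WinDefend", "wscsvc", "WSearch")}

# Locations an ordinary user process can write to; no system binary belongs here.
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\")


@dataclass
class Entry:
    kind: str            # "run" or "service"
    name: str
    path: str            # executable, or for rundll32 the DLL it loads
    missing: bool        # FRST printed [x]: image not present on disk
    vendor: str
    via_rundll32: bool = False
    reasons: list = field(default_factory=list)


def image_path(cmd):
    """Pull the file actually loaded out of an FRST command string."""
    c = cmd.strip()
    if c.lower().startswith("rundll32.exe"):
        rest = c[len("rundll32.exe"):].strip()
        m = re.match(r'"([^"]+)"|([^,\s]+)', rest)        # DLL before ",EntryPoint"
        return ((m.group(1) or m.group(2)) if m else rest), True
    if c.startswith('"'):
        end = c.find('"', 1)
        return (c[1:end] if end > 0 else c[1:]), False
    # Unquoted path, possibly containing spaces: cut at the first module extension.
    m = re.match(r'(.+?\.(?:exe|dll|sys|cpl))(?:\s|$)', c, re.IGNORECASE)
    return (m.group(1) if m else c.split()[0]), False


def parse_line(line):
    """Return an Entry for a Run or Services line, None for anything else."""
    line = line.strip()
    m, kind = RUN_RE.match(line), "run"
    if not m:
        m, kind = SVC_RE.match(line), "service"
    if not m:
        return None
    path, via_rundll32 = image_path(m.group("cmd"))
    return Entry(kind, m.group("name"), path, m.group("meta") == "x",
                 m.group("vendor") or "", via_rundll32)


def assess(e):
    """Attach the reasons this autostart entry deserves an analyst's attention."""
    low = e.path.lower()
    if e.missing:
        e.reasons.append("image_missing")
    if any(marker in low for marker in USER_WRITABLE):
        e.reasons.append("user_writable_path")
        if e.vendor == "Microsoft Corporation":
            e.reasons.append("claims_microsoft_outside_system_dirs")
    if e.via_rundll32:
        e.reasons.append("rundll32_loads_dll")
    base = re.sub(r"(32)+$", "", e.name)                  # Spooler3232 -> Spooler
    if e.kind == "service" and base != e.name and base.lower() in KNOWN_SERVICES:
        e.reasons.append("mimics_service:" + base)
    return e


def triage(lines):
    """Parse every line and keep only the entries with at least one reason."""
    return [e for e in map(parse_line, lines) if e and assess(e).reasons]


# Constructed sample, taken from the shapes seen in the FRST log above.
SAMPLE_LOG = r"""
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [7866912 2009-11-17] (Realtek Semiconductor)
HKLM\...\Run: [LivingPlay] C:\Program Files\LivingPlay\livingplay32.exe a [x]
HKU\Aileen\...\Run: [Malware Protection] C:\Users\Aileen\AppData\Roaming\defender.exe [x]
HKU\Aileen\...\Run: [Adobe] rundll32.exe "C:\Users\Aileen\AppData\Local\Apple\Adobe\mbgdtrp.dll",CreateInstance [1675776 2012-08-09] (Microsoft Corporation)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 eventlog32; C:\ProgramData\asycfilt32.exe [x]
2 Spooler3232; C:\ProgramData\cabinet32.exe [x]
""".strip().splitlines()

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:8} {e.name:20} {e.path}\n         -> {', '.join(e.reasons)}")
```

    Run against the sample, the legitimate Realtek and eventlog entries drop out and the five remaining entries carry the same reasons the helper's fixlist acted on. The heuristics are deliberately conservative: a missing image or a user-writable path alone is a prompt to look, not a verdict, which is why the script reports reasons per entry rather than a single score.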
     
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    FRST Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
  13. againstheman

    againstheman Newcomer, in training Topic Starter

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 15-08-2012
    Ran by SYSTEM at 2012-08-22 19:47:39 Run:2
    Running from F:\

    ==============================================

    HKEY_USERS\Aileen\Software\Microsoft\Windows\CurrentVersion\Run\\Malware Protection Value deleted successfully.
    C:\Windows\Installer\{2119776a-ccfb-0eae-915e-772df2562580} moved successfully.
    C:\Windows\assembly\GAC\Desktop.ini moved successfully.

    The operation completed successfully.
    The operation completed successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe
    AeLookupSvc32 service deleted successfully.
    AeLookupSvc3232 service deleted successfully.
    ALG32 service deleted successfully.
    BDESVC32 service deleted successfully.
    Browser32 service deleted successfully.
    clr_optimization_v2.0.50727_3232 service deleted successfully.
    COMSysApp32 service deleted successfully.
    CryptSvc32 service deleted successfully.
    defragsvc32 service deleted successfully.
    Dnscache32 service deleted successfully.
    eventlog32 service deleted successfully.
    EventSystem32 service deleted successfully.
    Fax32 service deleted successfully.
    GoToAssist32 service deleted successfully.
    GoToAssist3232 service deleted successfully.
    GoToAssist323232 service deleted successfully.
    hidserv32 service deleted successfully.
    HomeGroupProvider32 service deleted successfully.
    IPBusEnum32 service deleted successfully.
    iphlpsvc32 service deleted successfully.
    iPod Service32 service deleted successfully.
    LanmanWorkstation32 service deleted successfully.
    LanmanWorkstation3232 service deleted successfully.
    lmhosts32 service deleted successfully.
    Microsoft Office Groove Audit Service32 service deleted successfully.
    MMCSS32 service deleted successfully.
    MSiSCSI3232 service deleted successfully.
    Netman32 service deleted successfully.
    Netman3232 service deleted successfully.
    Netman323232 service deleted successfully.
    NlaSvc32 service deleted successfully.
    nsi32 service deleted successfully.
    ose32 service deleted successfully.
    p2pimsvc32 service deleted successfully.
    pla32 service deleted successfully.
    PlugPlay32 service deleted successfully.
    PlugPlay3232 service deleted successfully.
    PNRPAutoReg32 service deleted successfully.
    PNRPsvc32 service deleted successfully.
    RasMan32 service deleted successfully.
    RemoteAccess32 service deleted successfully.
    RemoteRegistry32 service deleted successfully.
    RpcSs32 service deleted successfully.
    SCardSvr32 service deleted successfully.
    seclogon32 service deleted successfully.
    SessionEnv32 service deleted successfully.
    ShellHWDetection32 service deleted successfully.
    Spooler32 service deleted successfully.
    Spooler3232 service deleted successfully.
    Spooler323232 service deleted successfully.
    Spooler32323232 service deleted successfully.
    sppsvc32 service deleted successfully.
    sppsvc3232 service deleted successfully.
    SstpSvc32 service deleted successfully.
    SstpSvc3232 service deleted successfully.
    TabletInputService32 service deleted successfully.
    TBS32 service deleted successfully.
    Themes32 service deleted successfully.
    vds32 service deleted successfully.
    VSS32 service deleted successfully.
    WbioSrvc32 service deleted successfully.
    wcncsvc32 service deleted successfully.
    WinDefend32 service deleted successfully.
    wmiApSrv32 service deleted successfully.
    wscsvc32 service deleted successfully.
    WSearch32 service deleted successfully.
    WSearch3232 service deleted successfully.
    YahooAUService32 service deleted successfully.
    YahooAUService3232 service deleted successfully.
    YahooAUService323232 service deleted successfully.

    ==== End of Fixlog ====

    Everything seems normal.
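    The fix log shows services.exe being replaced from the WinSxS component store after FRST's MD5 check flagged it. An added example (not FRST's or ComboFix's code) of re-verifying such a restore: hash each critical binary and compare it with a reference copy, reporting any mismatch. The directory layout and file contents are constructed for the demo; on a real system the reference would be the WinSxS copy the fix used, and the comparison belongs in the recovery environment, where FRST was run, because a rootkit active in the booted OS can hide on-disk changes from a live scan.

```python
"""Re-verify restored system binaries against a pristine reference copy.

Added example; not FRST's or ComboFix's code. The directories and file
contents in demo() are constructed so the script runs stand-alone.
"""
import hashlib
import os
import tempfile

# The set FRST's "Bamital & volsnap Check" in the thread covered.
CRITICAL = ["explorer.exe", "winlogon.exe", "wininit.exe", "svchost.exe",
            "services.exe", "userinit.exe"]


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_binaries(live_dir, reference_dir, names=CRITICAL):
    """Compare each named binary in live_dir with the copy in reference_dir.

    Returns {name: "ok" | "MISMATCH" | "missing" | "no_reference"}. A MISMATCH on
    a file the OS itself ships is the condition the FRST log reported for
    services.exe as "ZeroAccess <==== ATTENTION!".
    """
    result = {}
    for name in names:
        live = os.path.join(live_dir, name)
        ref = os.path.join(reference_dir, name)
        if not os.path.isfile(ref):
            result[name] = "no_reference"     # nothing trustworthy to compare against
        elif not os.path.isfile(live):
            result[name] = "missing"
        else:
            result[name] = "ok" if sha256_file(live) == sha256_file(ref) else "MISMATCH"
    return result


def demo():
    """Constructed scenario: one patched binary, one clean, one without a reference."""
    with tempfile.TemporaryDirectory() as root:
        live = os.path.join(root, "System32")
        ref = os.path.join(root, "winsxs_component")
        os.makedirs(live)
        os.makedirs(ref)
        for name, data in {"services.exe": b"pristine image", "svchost.exe": b"clean"}.items():
            with open(os.path.join(ref, name), "wb") as f:
                f.write(data)
        with open(os.path.join(live, "services.exe"), "wb") as f:
            f.write(b"pristine image + injected code")   # simulated on-disk patch
        with open(os.path.join(live, "svchost.exe"), "wb") as f:
            f.write(b"clean")
        return verify_binaries(live, ref, ["services.exe", "svchost.exe", "winlogon.exe"])


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14} {status}")
```

    The reference copy is only as good as its provenance: a WinSxS component that the same infection has already modified would verify "ok", so a hash list taken from install media or a vendor catalogue is the stronger baseline when one is available.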
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Pleasant work.

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but download it again, except rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of important system processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
  15. againstheman

    againstheman Newcomer, in training Topic Starter

    I've been running the program for almost an hour now. It has stopped going after "Completed Stage_4" and has not produced a "C:\Combo-Fix.txt".
  16. againstheman

    againstheman Newcomer, in training Topic Starter

    Oddly enough, at the hour mark it started going again; I shall post the results as soon as they come out.
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okie dokie. Let me see when finished. I'll be back later.
  18. againstheman

    againstheman Newcomer, in training Topic Starter

    ComboFix 12-08-22.03 - Aileen 08/24/2012 0:43.1.2 - x86
    Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1013.202 [GMT -7:00]
    Running from: c:\users\Aileen\Desktop\ComboFix\ComboFix.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\Object
    c:\program files\Object\config.ini
    c:\program files\Object\status.txt
    c:\program files\Object\status2.txt
    c:\programdata\3e6cc60e
    c:\users\Aileen\AppData\Local\Apple\Adobe\mbgdtrp.dll
    c:\users\Aileen\AppData\Roaming\Mozilla\Firefox\Profiles\hwk53vfa.default\searchplugins\bing-zugo.xml
    c:\users\Aileen\Documents\~WRL0003.tmp
    c:\users\Aileen\Documents\~WRL2486.tmp
    c:\users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\r3h0zwmd.default\extensions\{86b98b80-83ff-4605-8284-113b8904d8eb}
    c:\windows\system32\config\systemprofile\AppData\Local\{2119776a-ccfb-0eae-915e-772df2562580}
    c:\windows\system32\config\systemprofile\AppData\Local\{2119776a-ccfb-0eae-915e-772df2562580}\@
    c:\windows\system32\config\systemprofile\AppData\Local\{2119776a-ccfb-0eae-915e-772df2562580}\n
    c:\windows\system32\DEBUG.log
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-24 to 2012-08-24 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-24 11:36 . 2012-08-24 11:36  --------  d-----w-  c:\users\Guest\AppData\Local\temp
    2012-08-24 11:24 . 2012-08-24 11:40  --------  d-----w-  c:\users\Aileen\AppData\Local\temp
    2012-08-24 11:24 . 2012-08-24 11:24  --------  d-----w-  c:\users\Default\AppData\Local\temp
    2012-08-24 11:14 . 2012-08-24 11:14  --------  d-----w-  c:\windows\system32\config\systemprofile\AppData\Local\temp
    2012-08-24 03:19 . 2012-08-24 03:19  --------  d-----w-  c:\users\Guest\AppData\Roaming\Creative
    2012-08-20 23:28 . 2012-08-20 23:28  --------  d-----w-  c:\users\Guest\AppData\Local\Apple
    2012-08-17 13:16 . 2012-08-17 13:17  --------  d-----w-  C:\FRST
    2012-08-17 10:35 . 2012-08-21 21:50  --------  d-----w-  c:\program files\Microsoft Security Client
    2012-08-13 23:56 . 2012-08-13 23:56  --------  d-----w-  c:\windows\Sun
    2012-08-05 03:48 . 2012-08-05 03:47  108544  ----a-w-  c:\programdata\Microsoft\Windows\DRM\BB69.tmp
    2012-08-01 18:22 . 2012-08-06 06:32  --------  d-----w-  c:\users\Guest\AppData\Local\Facebook
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-06-29 08:44 . 2012-08-11 06:36  6891424  ----a-w-  c:\programdata\Microsoft\Windows Defender\Definition Updates\{C8146B2B-F741-4BF8-9BC8-7DC36EEB2A0A}\mpengine.dll
    2012-06-27 05:20 . 2012-06-27 05:20  426184  ----a-w-  c:\windows\system32\FlashPlayerApp.exe
    2012-06-27 05:20 . 2012-06-27 05:20  70344  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-12 02:44 . 2012-07-12 18:46  2344448  ----a-w-  c:\windows\system32\win32k.sys
    2012-06-06 05:09 . 2012-07-11 20:15  1389568  ----a-w-  c:\windows\system32\msxml6.dll
    2012-06-06 05:09 . 2012-07-11 20:15  1236992  ----a-w-  c:\windows\system32\msxml3.dll
    2012-06-02 22:19 . 2012-06-08 23:09  171904  ----a-w-  c:\windows\system32\wuwebv.dll
    2012-06-02 22:19 . 2012-06-08 23:10  53784  ----a-w-  c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-08 23:10  45080  ----a-w-  c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-08 23:09  35864  ----a-w-  c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-08 23:09  577048  ----a-w-  c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-08 23:10  1933848  ----a-w-  c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-08 23:10  2422272  ----a-w-  c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-08 23:09  33792  ----a-w-  c:\windows\system32\wuapp.exe
    2012-06-02 22:12 . 2012-06-08 23:09  88576  ----a-w-  c:\windows\system32\wudriver.dll
    2012-06-02 04:51 . 2012-07-11 20:15  134000  ----a-w-  c:\windows\system32\drivers\ksecpkg.sys
    2012-06-02 04:51 . 2012-07-11 20:15  67440  ----a-w-  c:\windows\system32\drivers\ksecdd.sys
    2012-06-02 04:50 . 2012-07-11 20:15  369336  ----a-w-  c:\windows\system32\drivers\cng.sys
    2012-06-02 04:48 . 2012-07-11 20:15  225280  ----a-w-  c:\windows\system32\schannel.dll
    2012-06-02 04:47 . 2012-07-11 20:15  219136  ----a-w-  c:\windows\system32\ncrypt.dll
    2012-05-31 19:25 . 2010-06-20 03:06  237072  ------w-  c:\windows\system32\MpSigStub.exe
    2012-04-08 06:42 . 2011-06-16 22:39  121816  ----a-w-  c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-11-05 1594664]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-11-17 7866912]
    "Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4562944]
    "BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2009-09-17 632176]
    "WSED"="c:\program files\WSED\WSED.exe" [2009-05-27 247080]
    "CapsLKNotify"="c:\program files\CapsLKNotify\CapsLKNotify.exe" [2009-06-09 320880]
    "Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-09-11 1779952]
    "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-10-25 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-10-25 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-10-25 150552]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    .
    c:\users\Aileen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-9-21 1316192]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-9-21 1316192]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R3 dc3d;MS Hardware Device Detection Driver (HID);c:\windows\system32\DRIVERS\dc3d.sys [x]
    R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
    S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\DRIVERS\EMSC.SYS [x]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [x]
    S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation  REG_MULTI_SZ  SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-01 00:19]
    .
    2012-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-01 00:19]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.startnow.com/?src=startpage&provider=Bing&provider_code=Z059&partner_id=308&product_id=435&affiliate_id=&channel=dpgrupo&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110701&user_guid=8FF070CEFC3241ADA77A5A60E1EEBDEA&machine_id=e5ba8923dbc0dbb1bc908bb979ea2c7c&browser=IE&os=win&os_version=6.1-x86-SP0
    mStart Page = hxxp://www.yahoo.com
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 10.0.0.1
    FF - ProfilePath - c:\users\Aileen\AppData\Roaming\Mozilla\Firefox\Profiles\hwk53vfa.default\
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
    BHO-{01DA8A95-DEFF-4DDB-A548-64729F169DE6} - (no file)
    BHO-{A2136F3C-C2F0-1F0C-8429-AB07BEE57BC7} - (no file)
    Toolbar-Locked - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
    HKCU-Run-Adobe - c:\users\Aileen\AppData\Local\Apple\Adobe\mbgdtrp.dll
    HKLM-Run-LivingPlay - c:\program files\LivingPlay\livingplay32.exe
    SafeBoot-mcmscsvc
    SafeBoot-MCODS
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(4056)
    c:\windows\System32\SyncCenter.dll
    c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
    c:\windows\system32\WLANExt.exe
    c:\windows\system32\conhost.exe
    c:\program files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\windows\System32\rundll32.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\Dell Support Center\bin\sprtsvc.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-24 04:50:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-24 11:50
    .
    Pre-Run: 66,067,726,336 bytes free
    Post-Run: 77,761,347,584 bytes free
    .
    - - End Of File - - 47EC1FD604FE2ECE97A832A198BC661B
  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix Script

    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

      [​IMG]
    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.

    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
  20. againstheman

    againstheman Newcomer, in training Topic Starter

    ComboFix 12-08-24.02 - Aileen 08/24/2012 15:20:12.2.2 - x86
    Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1013.176 [GMT -7:00]
    Running from: c:\users\Aileen\Desktop\fix\ComboFix.exe
    Command switches used :: c:\users\Aileen\Desktop\fix\CFScript.txt.txt
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-24 to 2012-08-24 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-24 22:42 . 2012-08-24 22:42  --------  d-----w-  c:\windows\system32\config\systemprofile\AppData\Local\temp
    2012-08-24 22:42 . 2012-08-24 22:42  --------  d-----w-  c:\users\Guest\AppData\Local\temp
    2012-08-24 22:42 . 2012-08-24 22:42  --------  d-----w-  c:\users\Default\AppData\Local\temp
    2012-08-24 11:24 . 2012-08-24 22:42  --------  d-----w-  c:\users\Aileen\AppData\Local\temp
    2012-08-24 03:19 . 2012-08-24 03:19  --------  d-----w-  c:\users\Guest\AppData\Roaming\Creative
    2012-08-20 23:28 . 2012-08-20 23:28  --------  d-----w-  c:\users\Guest\AppData\Local\Apple
    2012-08-17 13:16 . 2012-08-17 13:17  --------  d-----w-  C:\FRST
    2012-08-17 10:35 . 2012-08-21 21:50  --------  d-----w-  c:\program files\Microsoft Security Client
    2012-08-13 23:56 . 2012-08-13 23:56  --------  d-----w-  c:\windows\Sun
    2012-08-11 06:36 . 2012-06-29 08:44  6891424  ----a-w-  c:\programdata\Microsoft\Windows Defender\Definition Updates\{C8146B2B-F741-4BF8-9BC8-7DC36EEB2A0A}\mpengine.dll
    2012-08-05 03:48 . 2012-08-05 03:47  108544  ----a-w-  c:\programdata\Microsoft\Windows\DRM\BB69.tmp
    2012-08-01 18:22 . 2012-08-06 06:32  --------  d-----w-  c:\users\Guest\AppData\Local\Facebook
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-06-27 05:20 . 2012-06-27 05:20  426184  ----a-w-  c:\windows\system32\FlashPlayerApp.exe
    2012-06-27 05:20 . 2012-06-27 05:20  70344  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-12 02:44 . 2012-07-12 18:46  2344448  ----a-w-  c:\windows\system32\win32k.sys
    2012-06-06 05:09 . 2012-07-11 20:15  1389568  ----a-w-  c:\windows\system32\msxml6.dll
    2012-06-06 05:09 . 2012-07-11 20:15  1236992  ----a-w-  c:\windows\system32\msxml3.dll
    2012-06-02 22:19 . 2012-06-08 23:09  171904  ----a-w-  c:\windows\system32\wuwebv.dll
    2012-06-02 22:19 . 2012-06-08 23:10  53784  ----a-w-  c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-08 23:10  45080  ----a-w-  c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-08 23:09  35864  ----a-w-  c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-08 23:09  577048  ----a-w-  c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-08 23:10  1933848  ----a-w-  c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-08 23:10  2422272  ----a-w-  c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-08 23:09  33792  ----a-w-  c:\windows\system32\wuapp.exe
    2012-06-02 22:12 . 2012-06-08 23:09  88576  ----a-w-  c:\windows\system32\wudriver.dll
    2012-06-02 04:51 . 2012-07-11 20:15  134000  ----a-w-  c:\windows\system32\drivers\ksecpkg.sys
    2012-06-02 04:51 . 2012-07-11 20:15  67440  ----a-w-  c:\windows\system32\drivers\ksecdd.sys
    2012-06-02 04:50 . 2012-07-11 20:15  369336  ----a-w-  c:\windows\system32\drivers\cng.sys
    2012-06-02 04:48 . 2012-07-11 20:15  225280  ----a-w-  c:\windows\system32\schannel.dll
    2012-06-02 04:47 . 2012-07-11 20:15  219136  ----a-w-  c:\windows\system32\ncrypt.dll
    2012-05-31 19:25 . 2010-06-20 03:06  237072  ------w-  c:\windows\system32\MpSigStub.exe
    2012-04-08 06:42 . 2011-06-16 22:39  121816  ----a-w-  c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-11-05 1594664]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-11-17 7866912]
    "Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4562944]
    "BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2009-09-17 632176]
    "WSED"="c:\program files\WSED\WSED.exe" [2009-05-27 247080]
    "CapsLKNotify"="c:\program files\CapsLKNotify\CapsLKNotify.exe" [2009-06-09 320880]
    "Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-09-11 1779952]
    "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-10-25 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-10-25 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-10-25 150552]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    .
    c:\users\Aileen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-9-21 1316192]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-9-21 1316192]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R3 dc3d;MS Hardware Device Detection Driver (HID);c:\windows\system32\DRIVERS\dc3d.sys [x]
    R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
    S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\DRIVERS\EMSC.SYS [x]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [x]
    S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation  REG_MULTI_SZ  SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-01 00:19]
    .
    2012-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-01 00:19]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.startnow.com/?src=startpage&provider=Bing&provider_code=Z059&partner_id=308&product_id=435&affiliate_id=&channel=dpgrupo&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110701&user_guid=8FF070CEFC3241ADA77A5A60E1EEBDEA&machine_id=e5ba8923dbc0dbb1bc908bb979ea2c7c&browser=IE&os=win&os_version=6.1-x86-SP0
    mStart Page = hxxp://www.yahoo.com
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 10.0.0.1
    FF - ProfilePath - c:\users\Aileen\AppData\Roaming\Mozilla\Firefox\Profiles\hwk53vfa.default\
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-08-24 16:01:21
    ComboFix-quarantined-files.txt 2012-08-24 23:01
    ComboFix2.txt 2012-08-24 11:50
    .
    Pre-Run: 80,786,227,200 bytes free
    Post-Run: 80,745,553,920 bytes free
    .
    - - End Of File - - 2DC8AD6C3BD155F73DC9A7F2222EAB2A

    # AdwCleaner v1.801 - Logfile created 08/24/2012 at 16:04:58
    # Updated 14/08/2012 by Xplode
    # Operating system : Windows 7 Starter (32 bits)
    # User : Aileen - AILEEN-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Aileen\Desktop\fix\adwcleaner.exe
    # Option [Search]


    ***** [Services] *****


    ***** [Files / Folders] *****

    Folder Found : C:\Users\Aileen\AppData\Local\OpenCandy
    Folder Found : C:\Users\Aileen\AppData\Roaming\OpenCandy
    Folder Found : C:\Users\Aileen\AppData\Roaming\Mozilla\Firefox\Profiles\hwk53vfa.default\Conduit
    Folder Found : C:\ProgramData\Ask
    Folder Found : C:\ProgramData\Trymedia
    Folder Found : C:\Program Files\DAEMON Tools Toolbar
    File Found : C:\Users\Aileen\AppData\Roaming\Mozilla\Firefox\Profiles\hwk53vfa.default\searchplugins\Askcom.xml
    File Found : C:\Users\Aileen\AppData\Roaming\Mozilla\Firefox\Profiles\hwk53vfa.default\searchplugins\Conduit.xml

    ***** [Registry] *****

    Key Found : HKLM\SOFTWARE\Classes\DTToolbar.ToolBandObj
    Key Found : HKLM\SOFTWARE\Classes\DTToolbar.ToolBandObj.1
    Key Found : HKLM\SOFTWARE\Google\chrome\Extensions\kincjchfokkeneeofpeefomkikfkiedl
    Value Found : HKCU\Software\Mozilla\Firefox\Extensions [{EB132DB0-A4CA-11DF-9732-0E29E0D72085}]

    ***** [Registre - GUID] *****

    Key Found : HKLM\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66D8FBA6-D90F-40A9-AC55-84896F79CA69}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{32099AAC-C132-4136-9E9A-4E364A424E17}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BFE4B5CB-63F7-4A51-9266-6167655D5B4F}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{C80BDEB2-8735-44C6-BD55-A1CCD555667A}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{32099AAC-C132-4136-9E9A-4E364A424E17}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BFE4B5CB-63F7-4A51-9266-6167655D5B4F}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C80BDEB2-8735-44C6-BD55-A1CCD555667A}
    Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{32099AAC-C132-4136-9E9A-4E364A424E17}]
    Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{32099AAC-C132-4136-9E9A-4E364A424E17}]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v8.0.7600.16385

    [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.startnow.com/?src=startpage&provider=Bing&provider_code=Z059&partner_id=308&product_id=435&affiliate_id=&channel=dpgrupo&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110701&user_guid=8FF070CEFC3241ADA77A5A60E1EEBDEA&machine_id=e5ba8923dbc0dbb1bc908bb979ea2c7c&browser=IE&os=win&os_version=6.1-x86-SP0

    -\\ Mozilla Firefox v9.0.1 (en-US)

    Profile name : default
    File : C:\Users\Aileen\AppData\Roaming\Mozilla\Firefox\Profiles\hwk53vfa.default\prefs.js

    Found : user_pref("browser.search.order.1", "Ask.com");
    Found : user_pref("extensions.crossriderapp4924.4924.InstallationTime", 1338146321);
    Found : user_pref("extensions.crossriderapp4924.4924.active", true);
    Found : user_pref("extensions.crossriderapp4924.4924.addressbar", "");
    Found : user_pref("extensions.crossriderapp4924.4924.affid", "0");
    Found : user_pref("extensions.crossriderapp4924.4924.backgroundjs", "\n\n/**********************************[...]
    Found : user_pref("extensions.crossriderapp4924.4924.backgroundver", 4);
    Found : user_pref("extensions.crossriderapp4924.4924.can_run_bg_code", true);
    Found : user_pref("extensions.crossriderapp4924.4924.certdomaininstaller", "");
    Found : user_pref("extensions.crossriderapp4924.4924.changeprevious", false);
    Found : user_pref("extensions.crossriderapp4924.4924.cookie.InstallationTime.expiration", "Fri Feb 01 2030 0[...]
    Found : user_pref("extensions.crossriderapp4924.4924.cookie.InstallationTime.value", "1338146321");
    Found : user_pref("extensions.crossriderapp4924.4924.description", "The Easiest Way To Remove Your Facebook [...]
    Found : user_pref("extensions.crossriderapp4924.4924.domain", "removemytimeline.com");
    Found : user_pref("extensions.crossriderapp4924.4924.emailsig", "");
    Found : user_pref("extensions.crossriderapp4924.4924.enablesearch", false);
    Found : user_pref("extensions.crossriderapp4924.4924.exposesites", "");
    Found : user_pref("extensions.crossriderapp4924.4924.fbremoteurl", "");
    Found : user_pref("extensions.crossriderapp4924.4924.group", 0);
    Found : user_pref("extensions.crossriderapp4924.4924.homepage", "");
    Found : user_pref("extensions.crossriderapp4924.4924.iframe", false);
    Found : user_pref("extensions.crossriderapp4924.4924.manifesturl", "");
    Found : user_pref("extensions.crossriderapp4924.4924.name", "FB Timeline Remover");
    Found : user_pref("extensions.crossriderapp4924.4924.newtab", "");
    Found : user_pref("extensions.crossriderapp4924.4924.opensearch", "");
    Found : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_13.code", "(function(c){c.selectedText=f[...]
    Found : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_13.name", "CrossriderAppUtils");
    Found : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_13.ver", 1);
    Found : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_14.code", "\"undefined\"===typeof appAPI[...]
    Found : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_14.name", "CrossriderUtils");
    Found : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_14.ver", 1);
    Found : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_15.code", "(function(e){function u(c,b){[...]
    Found : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_15.name", "FacebookFFIE");
    Found : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_15.ver", 1);
    Found : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_16.code", "(function(b,a){function I(){v[...]
    Found : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_16.name", "FFAppAPIWrapper");
    Found : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_16.ver", 1);
    Found : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_17.code", "var $$jquery;\n(function(l,n)[...]
    Found : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_17.name", "jQuery");
    Found : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_17.ver", 1);
    Found : user_pref("extensions.crossriderapp4924.4924.plugins_lists.plugins_0", "17,14,16");
    Found : user_pref("extensions.crossriderapp4924.4924.plugins_lists.plugins_1", "17,14,13,16,15");
    Found : user_pref("extensions.crossriderapp4924.4924.pluginsurl", "hxxp://app-static.crossrider.com/plugin/a[...]
    Found : user_pref("extensions.crossriderapp4924.4924.pluginsversion", 1);
    Found : user_pref("extensions.crossriderapp4924.4924.premium", true);
    Found : user_pref("extensions.crossriderapp4924.4924.publisher", "Deximol");
    Found : user_pref("extensions.crossriderapp4924.4924.searchstatus", 0);
    Found : user_pref("extensions.crossriderapp4924.4924.setnewtab", false);
    Found : user_pref("extensions.crossriderapp4924.4924.settingsurl", "");
    Found : user_pref("extensions.crossriderapp4924.4924.thankyou", "hxxp://facebook.com/profile.php?");
    Found : user_pref("extensions.crossriderapp4924.4924.updateinterval", 360);
    Found : user_pref("extensions.crossriderapp4924.4924.ver", 30);
    Found : user_pref("extensions.crossriderapp4924.apps", "4924");
    Found : user_pref("extensions.crossriderapp4924.bic", "1378fbc72284c2145e569c479529b9b7");
    Found : user_pref("extensions.crossriderapp4924.cid", 4924);
    Found : user_pref("extensions.crossriderapp4924.firstrun", false);
    Found : user_pref("extensions.crossriderapp4924.hadappinstalled", true);
    Found : user_pref("extensions.crossriderapp4924.installationdate", 1338146321);
    Found : user_pref("extensions.crossriderapp4924.lastcheck", 22302439);
    Found : user_pref("extensions.crossriderapp4924.lastcheckitem", 22302599);
    Found : user_pref("extensions.crossriderapp4924.misc.lastBgWorkerTimer", "1338155924618");
    Found : user_pref("extensions.crossriderapp4924.misc.lastDomWorkerTimer", "1338155924569");
    Found : user_pref("extensions.crossriderapp4926.4926.InstallationTime", 1338244166);
    Found : user_pref("extensions.crossriderapp4926.4926.active", true);
    Found : user_pref("extensions.crossriderapp4926.4926.addressbar", "");
    Found : user_pref("extensions.crossriderapp4926.4926.affid", "0");
    Found : user_pref("extensions.crossriderapp4926.4926.backgroundjs", "\n\n/**********************************[...]
    Found : user_pref("extensions.crossriderapp4926.4926.backgroundver", 2);
    Found : user_pref("extensions.crossriderapp4926.4926.can_run_bg_code", true);
    Found : user_pref("extensions.crossriderapp4926.4926.certdomaininstaller", "");
    Found : user_pref("extensions.crossriderapp4926.4926.changeprevious", false);
    Found : user_pref("extensions.crossriderapp4926.4926.cookie.InstallationTime.expiration", "Fri Feb 01 2030 0[...]
    Found : user_pref("extensions.crossriderapp4926.4926.cookie.InstallationTime.value", "1338244166");
    Found : user_pref("extensions.crossriderapp4926.4926.description", "The Easiest Way To Remove Your Facebook [...]
    Found : user_pref("extensions.crossriderapp4926.4926.domain", "battle-stats.com");
    Found : user_pref("extensions.crossriderapp4926.4926.emailsig", "");
    Found : user_pref("extensions.crossriderapp4926.4926.enablesearch", false);
    Found : user_pref("extensions.crossriderapp4926.4926.exposesites", "");
    Found : user_pref("extensions.crossriderapp4926.4926.fbremoteurl", "");
    Found : user_pref("extensions.crossriderapp4926.4926.group", 0);
    Found : user_pref("extensions.crossriderapp4926.4926.homepage", "");
    Found : user_pref("extensions.crossriderapp4926.4926.iframe", false);
    Found : user_pref("extensions.crossriderapp4926.4926.manifesturl", "");
    Found : user_pref("extensions.crossriderapp4926.4926.name", "Timeline Remover");
    Found : user_pref("extensions.crossriderapp4926.4926.newtab", "");
    Found : user_pref("extensions.crossriderapp4926.4926.opensearch", "");
    Found : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_13.code", "(function(c){c.selectedText=f[...]
    Found : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_13.name", "CrossriderAppUtils");
    Found : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_13.ver", 1);
    Found : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_14.code", "\"undefined\"===typeof appAPI[...]
    Found : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_14.name", "CrossriderUtils");
    Found : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_14.ver", 1);
    Found : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_15.code", "(function(e){function u(c,b){[...]
    Found : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_15.name", "FacebookFFIE");
    Found : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_15.ver", 1);
    Found : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_16.code", "(function(b,a){function I(){v[...]
    Found : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_16.name", "FFAppAPIWrapper");
    Found : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_16.ver", 1);
    Found : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_17.code", "var $$jquery;\n(function(l,n)[...]
    Found : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_17.name", "jQuery");
    Found : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_17.ver", 1);
    Found : user_pref("extensions.crossriderapp4926.4926.plugins_lists.plugins_0", "17,14,16");
    Found : user_pref("extensions.crossriderapp4926.4926.plugins_lists.plugins_1", "17,14,13,16,15");
    Found : user_pref("extensions.crossriderapp4926.4926.pluginsurl", "hxxp://app-static.crossrider.com/plugin/a[...]
    Found : user_pref("extensions.crossriderapp4926.4926.pluginsversion", 1);
    Found : user_pref("extensions.crossriderapp4926.4926.premium", true);
    Found : user_pref("extensions.crossriderapp4926.4926.publisher", "Deximol");
    Found : user_pref("extensions.crossriderapp4926.4926.searchstatus", 0);
    Found : user_pref("extensions.crossriderapp4926.4926.setnewtab", false);
    Found : user_pref("extensions.crossriderapp4926.4926.settingsurl", "");
    Found : user_pref("extensions.crossriderapp4926.4926.thankyou", "hxxp://facebook.com/profile.php");
    Found : user_pref("extensions.crossriderapp4926.4926.updateinterval", 360);
    Found : user_pref("extensions.crossriderapp4926.4926.ver", 55);
    Found : user_pref("extensions.crossriderapp4926.apps", "4926");
    Found : user_pref("extensions.crossriderapp4926.bic", "1378fbc72284c2145e569c479529b9b7");
    Found : user_pref("extensions.crossriderapp4926.cid", 4926);
    Found : user_pref("extensions.crossriderapp4926.firstrun", false);
    Found : user_pref("extensions.crossriderapp4926.hadappinstalled", true);
    Found : user_pref("extensions.crossriderapp4926.installationdate", 1338244165);
    Found : user_pref("extensions.crossriderapp4926.lastcheck", 22304069);
    Found : user_pref("extensions.crossriderapp4926.lastcheckitem", 22304094);
    Found : user_pref("extensions.crossriderapp4926.misc.lastBgWorkerTimer", "1338245606731");
    Found : user_pref("extensions.crossriderapp4926.misc.lastDomWorkerTimer", "1338245606604");
    Found : user_pref("extensions.enabledAddons", "{5911488E-9D1E-40ec-8CBB-06B231CC153F}:2.4.0,crossriderapp492[...]

    -\\ Google Chrome v21.0.1180.83

    File : C:\Users\Aileen\AppData\Local\Google\Chrome\User Data\Default\Preferences

    [OK] File is clean.

    *************************

    AdwCleaner[R1].txt - [14000 octets] - [24/08/2012 16:04:58]

    ########## EOF - C:\AdwCleaner[R1].txt - [14129 octets] ##########
  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Remove the Adware.
    • Please close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with OK.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
    Please post the log.

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.
  22. againstheman

    againstheman Newcomer, in training Topic Starter

    # AdwCleaner v1.801 - Logfile created 08/26/2012 at 02:02:55
    # Updated 14/08/2012 by Xplode
    # Operating system : Windows 7 Starter (32 bits)
    # User : Aileen - AILEEN-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Aileen\Desktop\fix\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    Folder Deleted : C:\Users\Aileen\AppData\Local\OpenCandy
    Folder Deleted : C:\Users\Aileen\AppData\Roaming\OpenCandy
    Folder Deleted : C:\Users\Aileen\AppData\Roaming\Mozilla\Firefox\Profiles\hwk53vfa.default\Conduit
    Folder Deleted : C:\ProgramData\Ask
    Folder Deleted : C:\ProgramData\Trymedia
    Folder Deleted : C:\Program Files\DAEMON Tools Toolbar
    File Deleted : C:\Users\Aileen\AppData\Roaming\Mozilla\Firefox\Profiles\hwk53vfa.default\searchplugins\Askcom.xml
    File Deleted : C:\Users\Aileen\AppData\Roaming\Mozilla\Firefox\Profiles\hwk53vfa.default\searchplugins\Conduit.xml

    ***** [Registry] *****

    Key Deleted : HKLM\SOFTWARE\Classes\DTToolbar.ToolBandObj
    Key Deleted : HKLM\SOFTWARE\Classes\DTToolbar.ToolBandObj.1
    Key Deleted : HKLM\SOFTWARE\Google\chrome\Extensions\kincjchfokkeneeofpeefomkikfkiedl
    Value Deleted : HKCU\Software\Mozilla\Firefox\Extensions [{EB132DB0-A4CA-11DF-9732-0E29E0D72085}]

    ***** [Registre - GUID] *****

    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66D8FBA6-D90F-40A9-AC55-84896F79CA69}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{32099AAC-C132-4136-9E9A-4E364A424E17}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BFE4B5CB-63F7-4A51-9266-6167655D5B4F}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{C80BDEB2-8735-44C6-BD55-A1CCD555667A}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{32099AAC-C132-4136-9E9A-4E364A424E17}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BFE4B5CB-63F7-4A51-9266-6167655D5B4F}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C80BDEB2-8735-44C6-BD55-A1CCD555667A}
    Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{32099AAC-C132-4136-9E9A-4E364A424E17}]
    Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{32099AAC-C132-4136-9E9A-4E364A424E17}]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v8.0.7600.16385

    Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.startnow.com/?src=startpage&provider=Bing&provider_code=Z059&partner_id=308&product_id=435&affiliate_id=&channel=dpgrupo&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110701&user_guid=8FF070CEFC3241ADA77A5A60E1EEBDEA&machine_id=e5ba8923dbc0dbb1bc908bb979ea2c7c&browser=IE&os=win&os_version=6.1-x86-SP0 --> hxxp://www.google.com

    -\\ Mozilla Firefox v9.0.1 (en-US)

    Profile name : default
    File : C:\Users\Aileen\AppData\Roaming\Mozilla\Firefox\Profiles\hwk53vfa.default\prefs.js

    C:\Users\Aileen\AppData\Roaming\Mozilla\Firefox\Profiles\hwk53vfa.default\user.js ... Deleted !

    Deleted : user_pref("browser.search.order.1", "Ask.com");
    Deleted : user_pref("extensions.crossriderapp4924.4924.InstallationTime", 1338146321);
    Deleted : user_pref("extensions.crossriderapp4924.4924.active", true);
    Deleted : user_pref("extensions.crossriderapp4924.4924.addressbar", "");
    Deleted : user_pref("extensions.crossriderapp4924.4924.affid", "0");
    Deleted : user_pref("extensions.crossriderapp4924.4924.backgroundjs", "\n\n/**********************************[...]
    Deleted : user_pref("extensions.crossriderapp4924.4924.backgroundver", 4);
    Deleted : user_pref("extensions.crossriderapp4924.4924.can_run_bg_code", true);
    Deleted : user_pref("extensions.crossriderapp4924.4924.certdomaininstaller", "");
    Deleted : user_pref("extensions.crossriderapp4924.4924.changeprevious", false);
    Deleted : user_pref("extensions.crossriderapp4924.4924.cookie.InstallationTime.expiration", "Fri Feb 01 2030 0[...]
    Deleted : user_pref("extensions.crossriderapp4924.4924.cookie.InstallationTime.value", "1338146321");
    Deleted : user_pref("extensions.crossriderapp4924.4924.description", "The Easiest Way To Remove Your Facebook [...]
    Deleted : user_pref("extensions.crossriderapp4924.4924.domain", "removemytimeline.com");
    Deleted : user_pref("extensions.crossriderapp4924.4924.emailsig", "");
    Deleted : user_pref("extensions.crossriderapp4924.4924.enablesearch", false);
    Deleted : user_pref("extensions.crossriderapp4924.4924.exposesites", "");
    Deleted : user_pref("extensions.crossriderapp4924.4924.fbremoteurl", "");
    Deleted : user_pref("extensions.crossriderapp4924.4924.group", 0);
    Deleted : user_pref("extensions.crossriderapp4924.4924.homepage", "");
    Deleted : user_pref("extensions.crossriderapp4924.4924.iframe", false);
    Deleted : user_pref("extensions.crossriderapp4924.4924.manifesturl", "");
    Deleted : user_pref("extensions.crossriderapp4924.4924.name", "FB Timeline Remover");
    Deleted : user_pref("extensions.crossriderapp4924.4924.newtab", "");
    Deleted : user_pref("extensions.crossriderapp4924.4924.opensearch", "");
    Deleted : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_13.code", "(function(c){c.selectedText=f[...]
    Deleted : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_13.name", "CrossriderAppUtils");
    Deleted : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_13.ver", 1);
    Deleted : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_14.code", "\"undefined\"===typeof appAPI[...]
    Deleted : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_14.name", "CrossriderUtils");
    Deleted : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_14.ver", 1);
    Deleted : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_15.code", "(function(e){function u(c,b){[...]
    Deleted : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_15.name", "FacebookFFIE");
    Deleted : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_15.ver", 1);
    Deleted : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_16.code", "(function(b,a){function I(){v[...]
    Deleted : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_16.name", "FFAppAPIWrapper");
    Deleted : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_16.ver", 1);
    Deleted : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_17.code", "var $$jquery;\n(function(l,n)[...]
    Deleted : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_17.name", "jQuery");
    Deleted : user_pref("extensions.crossriderapp4924.4924.plugins.plugin_17.ver", 1);
    Deleted : user_pref("extensions.crossriderapp4924.4924.plugins_lists.plugins_0", "17,14,16");
    Deleted : user_pref("extensions.crossriderapp4924.4924.plugins_lists.plugins_1", "17,14,13,16,15");
    Deleted : user_pref("extensions.crossriderapp4924.4924.pluginsurl", "hxxp://app-static.crossrider.com/plugin/a[...]
    Deleted : user_pref("extensions.crossriderapp4924.4924.pluginsversion", 1);
    Deleted : user_pref("extensions.crossriderapp4924.4924.premium", true);
    Deleted : user_pref("extensions.crossriderapp4924.4924.publisher", "Deximol");
    Deleted : user_pref("extensions.crossriderapp4924.4924.searchstatus", 0);
    Deleted : user_pref("extensions.crossriderapp4924.4924.setnewtab", false);
    Deleted : user_pref("extensions.crossriderapp4924.4924.settingsurl", "");
    Deleted : user_pref("extensions.crossriderapp4924.4924.thankyou", "hxxp://facebook.com/profile.php?");
    Deleted : user_pref("extensions.crossriderapp4924.4924.updateinterval", 360);
    Deleted : user_pref("extensions.crossriderapp4924.4924.ver", 30);
    Deleted : user_pref("extensions.crossriderapp4924.apps", "4924");
    Deleted : user_pref("extensions.crossriderapp4924.bic", "1378fbc72284c2145e569c479529b9b7");
    Deleted : user_pref("extensions.crossriderapp4924.cid", 4924);
    Deleted : user_pref("extensions.crossriderapp4924.firstrun", false);
    Deleted : user_pref("extensions.crossriderapp4924.hadappinstalled", true);
    Deleted : user_pref("extensions.crossriderapp4924.installationdate", 1338146321);
    Deleted : user_pref("extensions.crossriderapp4924.lastcheck", 22302439);
    Deleted : user_pref("extensions.crossriderapp4924.lastcheckitem", 22302599);
    Deleted : user_pref("extensions.crossriderapp4924.misc.lastBgWorkerTimer", "1338155924618");
    Deleted : user_pref("extensions.crossriderapp4924.misc.lastDomWorkerTimer", "1338155924569");
    Deleted : user_pref("extensions.crossriderapp4926.4926.InstallationTime", 1338244166);
    Deleted : user_pref("extensions.crossriderapp4926.4926.active", true);
    Deleted : user_pref("extensions.crossriderapp4926.4926.addressbar", "");
    Deleted : user_pref("extensions.crossriderapp4926.4926.affid", "0");
    Deleted : user_pref("extensions.crossriderapp4926.4926.backgroundjs", "\n\n/**********************************[...]
    Deleted : user_pref("extensions.crossriderapp4926.4926.backgroundver", 2);
    Deleted : user_pref("extensions.crossriderapp4926.4926.can_run_bg_code", true);
    Deleted : user_pref("extensions.crossriderapp4926.4926.certdomaininstaller", "");
    Deleted : user_pref("extensions.crossriderapp4926.4926.changeprevious", false);
    Deleted : user_pref("extensions.crossriderapp4926.4926.cookie.InstallationTime.expiration", "Fri Feb 01 2030 0[...]
    Deleted : user_pref("extensions.crossriderapp4926.4926.cookie.InstallationTime.value", "1338244166");
    Deleted : user_pref("extensions.crossriderapp4926.4926.description", "The Easiest Way To Remove Your Facebook [...]
    Deleted : user_pref("extensions.crossriderapp4926.4926.domain", "battle-stats.com");
    Deleted : user_pref("extensions.crossriderapp4926.4926.emailsig", "");
    Deleted : user_pref("extensions.crossriderapp4926.4926.enablesearch", false);
    Deleted : user_pref("extensions.crossriderapp4926.4926.exposesites", "");
    Deleted : user_pref("extensions.crossriderapp4926.4926.fbremoteurl", "");
    Deleted : user_pref("extensions.crossriderapp4926.4926.group", 0);
    Deleted : user_pref("extensions.crossriderapp4926.4926.homepage", "");
    Deleted : user_pref("extensions.crossriderapp4926.4926.iframe", false);
    Deleted : user_pref("extensions.crossriderapp4926.4926.manifesturl", "");
    Deleted : user_pref("extensions.crossriderapp4926.4926.name", "Timeline Remover");
    Deleted : user_pref("extensions.crossriderapp4926.4926.newtab", "");
    Deleted : user_pref("extensions.crossriderapp4926.4926.opensearch", "");
    Deleted : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_13.code", "(function(c){c.selectedText=f[...]
    Deleted : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_13.name", "CrossriderAppUtils");
    Deleted : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_13.ver", 1);
    Deleted : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_14.code", "\"undefined\"===typeof appAPI[...]
    Deleted : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_14.name", "CrossriderUtils");
    Deleted : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_14.ver", 1);
    Deleted : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_15.code", "(function(e){function u(c,b){[...]
    Deleted : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_15.name", "FacebookFFIE");
    Deleted : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_15.ver", 1);
    Deleted : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_16.code", "(function(b,a){function I(){v[...]
    Deleted : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_16.name", "FFAppAPIWrapper");
    Deleted : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_16.ver", 1);
    Deleted : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_17.code", "var $$jquery;\n(function(l,n)[...]
    Deleted : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_17.name", "jQuery");
    Deleted : user_pref("extensions.crossriderapp4926.4926.plugins.plugin_17.ver", 1);
    Deleted : user_pref("extensions.crossriderapp4926.4926.plugins_lists.plugins_0", "17,14,16");
    Deleted : user_pref("extensions.crossriderapp4926.4926.plugins_lists.plugins_1", "17,14,13,16,15");
    Deleted : user_pref("extensions.crossriderapp4926.4926.pluginsurl", "hxxp://app-static.crossrider.com/plugin/a[...]
    Deleted : user_pref("extensions.crossriderapp4926.4926.pluginsversion", 1);
    Deleted : user_pref("extensions.crossriderapp4926.4926.premium", true);
    Deleted : user_pref("extensions.crossriderapp4926.4926.publisher", "Deximol");
    Deleted : user_pref("extensions.crossriderapp4926.4926.searchstatus", 0);
    Deleted : user_pref("extensions.crossriderapp4926.4926.setnewtab", false);
    Deleted : user_pref("extensions.crossriderapp4926.4926.settingsurl", "");
    Deleted : user_pref("extensions.crossriderapp4926.4926.thankyou", "hxxp://facebook.com/profile.php");
    Deleted : user_pref("extensions.crossriderapp4926.4926.updateinterval", 360);
    Deleted : user_pref("extensions.crossriderapp4926.4926.ver", 55);
    Deleted : user_pref("extensions.crossriderapp4926.apps", "4926");
    Deleted : user_pref("extensions.crossriderapp4926.bic", "1378fbc72284c2145e569c479529b9b7");
    Deleted : user_pref("extensions.crossriderapp4926.cid", 4926);
    Deleted : user_pref("extensions.crossriderapp4926.firstrun", false);
    Deleted : user_pref("extensions.crossriderapp4926.hadappinstalled", true);
    Deleted : user_pref("extensions.crossriderapp4926.installationdate", 1338244165);
    Deleted : user_pref("extensions.crossriderapp4926.lastcheck", 22304069);
    Deleted : user_pref("extensions.crossriderapp4926.lastcheckitem", 22304094);
    Deleted : user_pref("extensions.crossriderapp4926.misc.lastBgWorkerTimer", "1338245606731");
    Deleted : user_pref("extensions.crossriderapp4926.misc.lastDomWorkerTimer", "1338245606604");
    Deleted : user_pref("extensions.enabledAddons", "{5911488E-9D1E-40ec-8CBB-06B231CC153F}:2.4.0,crossriderapp492[...]

    -\\ Google Chrome v21.0.1180.83

    File : C:\Users\Aileen\AppData\Local\Google\Chrome\User Data\Default\Preferences

    [OK] File is clean.

    *************************

    AdwCleaner[R1].txt - [14131 octets] - [24/08/2012 16:04:58]
    AdwCleaner[S1].txt - [14495 octets] - [26/08/2012 02:02:56]

    ########## EOF - C:\AdwCleaner[S1].txt - [14624 octets] ##########




    The first time I tried running ESET, my computer went blue screen.
    After it restarted I ran it again and it ran fine.


    C:\FRST\Quarantine\services.exe	Win32/Sirefef.FC trojan	deleted - quarantined
    C:\FRST\Quarantine\{2119776a-ccfb-0eae-915e-772df2562580}\n	Win32/Sirefef.EV trojan	cleaned by deleting - quarantined
    C:\FRST\Quarantine\{2119776a-ccfb-0eae-915e-772df2562580}\U\00000004.@	Win32/Conedex.D trojan	cleaned by deleting - quarantined
    C:\FRST\Quarantine\{2119776a-ccfb-0eae-915e-772df2562580}\U\000000cb.@	Win32/Conedex.E trojan	cleaned by deleting - quarantined
    C:\FRST\Quarantine\{2119776a-ccfb-0eae-915e-772df2562580}\U\80000000.@	a variant of Win32/Sirefef.FA trojan	cleaned by deleting - quarantined
    C:\FRST\Quarantine\{2119776a-ccfb-0eae-915e-772df2562580}\U\80000032.@	a variant of Win32/Sirefef.FD trojan	cleaned by deleting - quarantined
    C:\FRST\Quarantine\{2119776a-ccfb-0eae-915e-772df2562580}\{2119776a-ccfb-0eae-915e-772df2562580}\n	Win32/Sirefef.EV trojan	cleaned by deleting - quarantined
    C:\FRST\Quarantine\{2119776a-ccfb-0eae-915e-772df2562580}\{2119776a-ccfb-0eae-915e-772df2562580}\U\00000004.@	Win32/Conedex.D trojan	cleaned by deleting - quarantined
    C:\FRST\Quarantine\{2119776a-ccfb-0eae-915e-772df2562580}\{2119776a-ccfb-0eae-915e-772df2562580}\U\000000cb.@	Win32/Conedex.E trojan	cleaned by deleting - quarantined
    C:\FRST\Quarantine\{2119776a-ccfb-0eae-915e-772df2562580}\{2119776a-ccfb-0eae-915e-772df2562580}\U\80000000.@	a variant of Win32/Sirefef.FA trojan	cleaned by deleting - quarantined
    C:\FRST\Quarantine\{2119776a-ccfb-0eae-915e-772df2562580}\{2119776a-ccfb-0eae-915e-772df2562580}\U\80000032.@	a variant of Win32/Sirefef.FD trojan	cleaned by deleting - quarantined
    C:\ProgramData\Microsoft\Windows\DRM\BB69.tmp	a variant of Win32/Kryptik.AJUZ trojan	cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Users\Aileen\AppData\Local\Apple\Adobe\mbgdtrp.dll.vir	a variant of Win32/Kryptik.AKQH trojan	cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Windows\System32\config\systemprofile\AppData\Local\{2119776a-ccfb-0eae-915e-772df2562580}\n.vir	Win32/Sirefef.EV trojan	cleaned by deleting - quarantined
    C:\Users\Aileen\AppData\Local\Google\Chrome\User Data\Default\Extensions\maopdgeieiiiifooolcjjfmjdlkmhfdh\nplptl.dll	a variant of Win32/Adware.Gamevance.BR application	cleaned by deleting - quarantined
    C:\Users\Aileen\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@lplay.com\components\lptlf.dll	a variant of Win32/Adware.Gamevance.BR application	cleaned by deleting - quarantined
    C:\Users\Aileen\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@lplay.com\components\lptlf2.dll	a variant of Win32/Adware.Gamevance.BR application	cleaned by deleting - quarantined
    C:\Users\Aileen\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@lplay.com\components\lptlf3.dll	a variant of Win32/Adware.Gamevance.BR application	cleaned by deleting - quarantined
    C:\Users\Aileen\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@lplay.com\components\lptlf4.dll	a variant of Win32/Adware.Gamevance.BR application	cleaned by deleting - quarantined
    C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Default\aadjdfgdgfdhdcdadegddjdidedbgcgf\background.html	Win32/BHO.OEI trojan	cleaned by deleting - quarantined
    C:\Users\Guest\AppData\Local\Google\Diagnostics\golrjkntt.dll	a variant of Win32/Kryptik.AIZP trojan	cleaned by deleting - quarantined
    C:\Users\Guest\AppData\LocalLow\FCTB000060231\Toolbar\Toolbar.dll.new	Win32/Toolbar.BHO.B application	cleaned by deleting - quarantined


    I let it run overnight; when I woke up it had auto-cleaned and auto-quarantined the options.
  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
  24. againstheman

    againstheman Newcomer, in training Topic Starter

    1. The computer is slow.
    2. I noticed there was no Windows Update, and when I tried to update, it denied it, saying the service was offline.
    3. When I noticed this I tried to install some anti-virus programs, but got the blue screen and then the message "Windows has encountered a critical error will restart in one minute" showed up.
  25. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    New log from FRST please.

