TechSpot

"Windows has encountered a critical problem and will restart immediately"

Solved
By Bredgen
Jul 16, 2012
  1. Hello,

    This error comes up on my desktop running Windows 7 x64 Professional. I turn on my computer and it runs for about 1 minute before I get this error message, which restarts my computer. I believe it is Microsoft Security Essentials that is causing this error because it only started happening when I asked it to scan my computer (and it tries scanning every time I turn on my computer).

    I've downloaded Kaspersky Rescue Disk 10 and already ran it and scanned my computer and was able to remove several other viruses, but unfortunately this is still occurring when I turn on my computer.

    MSE keeps telling me that my computer is infected with Sirefef before it turns off and it can't do anything about the files.

    Any help would be appreciated. Thanks.
  2. Jay Pfoutz

    Jay Pfoutz, Malware Helper

    Hello, and welcome to TechSpot.

    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
    Please review the 5-Step removal instructions and post the logs back here for my review.
  3. Bredgen

    Bredgen TS Rookie Topic Starter

    Hello DragonMasterJay,

    I really want to follow the 5-step removal instructions but I unfortunately cannot, as my computer restarts automatically after 1 minute. I don't know how to stop this from occurring (I tried uninstalling MSE in that 1 minute window and stopping its scans but that didn't work).

    Thanks again for the help.
  4. Bredgen

    Bredgen TS Rookie Topic Starter

    I noticed that for every Sirefef case, everyone was told to run the Farbar Recovery Scan Tool. I've done so and here is the FRST.txt log:

    Scan result of Farbar Recovery Scan Tool Version: 16-07-2012 01
    Ran by SYSTEM at 16-07-2012 16:44:22
    Running from E:\
    Windows 7 Professional (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11101800 2010-07-28] (Realtek Semiconductor)
    HKLM\...\Run: [Launch LCore] "C:\Program Files\Logitech Gaming Software\LCore.exe" /minimized [110360 2011-06-14] (Logitech Inc.)
    HKLM\...\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe" [163552 2011-08-05] (Microsoft Corporation)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [Control Center] C:\Program Files (x86)\ASUS\WLAN Card Utilities\CenterAgent.exe [544256 2009-05-21] ()
    HKLM-x32\...\Run: [DeathAdder] C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe [248320 2011-03-21] ()
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKU\Julian\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [4280184 2012-03-08] (Microsoft Corporation)
    HKU\Julian\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [3672384 2012-04-11] (DT Soft Ltd)
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

    ==================== Services (Whitelisted) ======

    2 ASWLCCSvc; C:\Program Files (x86)\ASUS\WLAN Card Utilities\ASWLCCSVC.exe [172032 2009-05-21] ()
    3 DAUpdaterSvc; C:\program files (x86)\steam\steamapps\common\dragon age ultimate edition\bin_ship\DAUpdaterSvc.Service.exe [25832 2011-07-04] (BioWare)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
    3 WMZuneComm; "C:\Program Files\Zune\WMZuneComm.exe" [306400 2011-08-05] (Microsoft Corporation)
    3 ZuneNetworkSvc; "C:\Program Files\Zune\ZuneNss.exe" [8277728 2011-08-05] (Microsoft Corporation)
    3 ZuneWlanCfgSvc; "C:\Program Files\Zune\ZuneWlanCfgSvc.exe" [467680 2011-08-05] (Microsoft Corporation)

    ========================== Drivers (Whitelisted) =============

    1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [283200 2012-04-13] (DT Soft Ltd)
    3 hamachi; C:\Windows\System32\Drivers\hamachi.sys [33856 2009-03-18] (LogMeIn, Inc.)
    3 netr28ux; C:\Windows\System32\Drivers\netr28ux.sys [1104672 2010-02-12] (Ralink Technology Corp.)
    3 PCASp50; C:\Windows\System32\Drivers\PCASp50.sys [45752 2009-10-28] (Printing Communications Assoc., Inc. (PCAUSA))
    3 PCASp50; C:\Windows\SysWow64\Drivers\PCASp50.sys [45752 2009-10-28] (Printing Communications Assoc., Inc. (PCAUSA))
    3 ALSysIO; \??\C:\Users\Julian\AppData\Local\Temp\ALSysIO64.sys [x]
    3 cpuz134; \??\C:\Program Files (x86)\CPUID\PC Wizard 2010\pcwiz_x64.sys [x]
    3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]
    3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena\safedrv.sys [x]
    3 RTL8192su; C:\Windows\System32\DRIVERS\RTL8192su.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-07-16 04:56 - 2012-07-16 04:56 - 00000000 ____D C:\Users\Julian\AppData\Local\{ABB21074-3B93-48B0-B00F-1DC00561AF1D}
    2012-07-16 04:56 - 2012-07-16 04:56 - 00000000 ____D C:\Users\Julian\AppData\Local\{81F9E467-E3E1-40EC-94AF-87E9FAF44A12}
    2012-07-15 13:38 - 2012-07-15 13:38 - 00001270 ____A C:\Users\Julian\Desktop\$RIKBJZG.lnk
    2012-07-15 13:35 - 2012-07-15 13:35 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.08C5F3CF53189E28
    2012-07-15 13:32 - 2012-07-15 13:32 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.019C83306439BF49
    2012-07-15 13:28 - 2012-07-15 13:28 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.77B372096C5DBBBB
    2012-07-15 13:23 - 2012-07-15 13:23 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.86D4C203C793454C
    2012-07-15 13:19 - 2012-07-15 13:19 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-07-15 13:19 - 2012-07-15 13:19 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-07-15 09:59 - 2012-07-15 14:22 - 00000000 ___AD C:\Kaspersky Rescue Disk 10.0
    2012-07-15 07:45 - 2012-07-15 07:45 - 00000000 ____D C:\Users\Julian\AppData\Local\{9092E349-58DE-4E32-B2EB-455D15367086}
    2012-07-15 07:45 - 2012-07-15 07:45 - 00000000 ____D C:\Users\Julian\AppData\Local\{0AD42C22-D546-4799-8698-8BE230C63D38}
    2012-07-14 07:41 - 2012-07-14 07:41 - 00000000 ____D C:\Users\Julian\AppData\Local\{CB9928E5-32F3-4F3A-8667-CDD44B5540DC}
    2012-07-14 07:40 - 2012-07-14 07:41 - 00000000 ____D C:\Users\Julian\AppData\Local\{711F7E94-C9FE-4E1A-9F96-0584AF60100A}
    2012-07-13 19:40 - 2012-07-13 19:40 - 00000000 ____D C:\Users\Julian\AppData\Local\{9A3A0560-F310-4FEB-9253-443A91EA4A3B}
    2012-07-13 19:40 - 2012-07-13 19:40 - 00000000 ____D C:\Users\Julian\AppData\Local\{151F5244-9194-47A7-9509-418DE8AA4E39}
    2012-07-13 07:40 - 2012-07-13 07:40 - 00000000 ____D C:\Users\Julian\AppData\Local\{8251E1FB-6A95-4EBC-A57B-7B5B3D0D99BE}
    2012-07-13 07:40 - 2012-07-13 07:40 - 00000000 ____D C:\Users\Julian\AppData\Local\{71970D91-B8D3-4604-A2E3-5F2FA87C5647}
    2012-07-12 19:39 - 2012-07-12 19:39 - 00000000 ____D C:\Users\Julian\AppData\Local\{D96191C7-56CF-40EF-89E1-F8786256E39C}
    2012-07-12 19:39 - 2012-07-12 19:39 - 00000000 ____D C:\Users\Julian\AppData\Local\{11FC8DD8-0AFA-40BE-9D11-A01F19AD9374}
    2012-07-12 10:01 - 2012-07-12 10:01 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-07-12 07:39 - 2012-07-12 07:39 - 00000000 ____D C:\Users\Julian\AppData\Local\{49FC6D23-2A67-46B6-A987-BEC1A5BA3967}
    2012-07-12 07:39 - 2012-07-12 07:39 - 00000000 ____D C:\Users\Julian\AppData\Local\{2A46D7A1-C22A-45DE-8D77-2F987CEB7369}
    2012-07-11 21:52 - 2012-06-11 19:08 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-07-11 19:38 - 2012-07-11 19:38 - 00000000 ____D C:\Users\Julian\AppData\Local\{D3485DC9-732C-4B0F-AD3E-372253CCDD60}
    2012-07-11 19:38 - 2012-07-11 19:38 - 00000000 ____D C:\Users\Julian\AppData\Local\{42D78A25-E190-4F65-BB26-68B7420EAD01}
    2012-07-11 07:38 - 2012-07-11 07:38 - 00000000 ____D C:\Users\Julian\AppData\Local\{5526E1C6-E732-4B8A-9CDF-9ED1E4D546EC}
    2012-07-11 07:37 - 2012-07-11 07:38 - 00000000 ____D C:\Users\Julian\AppData\Local\{F4A190DD-E61F-41C5-BAF3-E79FB8ED7033}
    2012-07-11 06:58 - 2012-06-05 22:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-07-11 06:58 - 2012-06-05 22:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-07-11 06:58 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2012-07-11 06:58 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2012-07-11 06:58 - 2010-06-25 19:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
    2012-07-11 06:58 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
    2012-07-11 06:57 - 2012-06-08 21:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-07-11 06:57 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    2012-07-11 06:57 - 2012-06-05 22:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-07-11 06:57 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
    2012-07-11 06:57 - 2012-06-01 21:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-07-11 06:57 - 2012-06-01 21:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-07-11 06:57 - 2012-06-01 21:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-07-11 06:57 - 2012-06-01 21:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-07-11 06:57 - 2012-06-01 21:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-07-11 06:57 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
    2012-07-11 06:57 - 2012-06-01 20:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
    2012-07-11 06:57 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    2012-07-11 06:57 - 2012-06-01 20:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
    2012-07-10 19:37 - 2012-07-10 19:37 - 00000000 ____D C:\Users\Julian\AppData\Local\{CFF40F8C-5402-4DBC-BA3A-C62AE6A9CAA1}
    2012-07-10 19:37 - 2012-07-10 19:37 - 00000000 ____D C:\Users\Julian\AppData\Local\{B384D789-7403-4104-A42D-95C9093480F2}
    2012-07-10 07:37 - 2012-07-10 07:37 - 00000000 ____D C:\Users\Julian\AppData\Local\{F0CF286E-E9B3-4D51-AB92-B83E47A02E44}
    2012-07-10 07:37 - 2012-07-10 07:37 - 00000000 ____D C:\Users\Julian\AppData\Local\{F0B9D27B-E78E-4677-9215-24F0914C62ED}
    2012-07-09 19:36 - 2012-07-09 19:36 - 00000000 ____D C:\Users\Julian\AppData\Local\{54940723-F151-4375-BC97-13CBBD4E241E}
    2012-07-09 19:36 - 2012-07-09 19:36 - 00000000 ____D C:\Users\Julian\AppData\Local\{351E0DBE-A47B-4392-A442-03427CA92679}
    2012-07-09 07:36 - 2012-07-09 07:36 - 00000000 ____D C:\Users\Julian\AppData\Local\{B5F55291-24C7-4AD3-B6C7-EAA5FC0B07FA}
    2012-07-09 07:36 - 2012-07-09 07:36 - 00000000 ____D C:\Users\Julian\AppData\Local\{8F5A2ABB-C39C-4949-A08B-46B7BB376FD8}
    2012-07-08 07:37 - 2012-07-08 07:37 - 00000000 ____D C:\Users\Julian\AppData\Local\{F843EBB0-5C9F-4DB2-92E5-C29731E2AA69}
    2012-07-08 07:37 - 2012-07-08 07:37 - 00000000 ____D C:\Users\Julian\AppData\Local\{173E76F7-9F29-49C0-8AD3-1F25DF6B6EEC}
    2012-07-07 15:47 - 2012-07-07 16:05 - 00000000 ____D C:\Program Files (x86)\Rockstar Games
    2012-07-07 15:47 - 2012-07-07 15:47 - 00000000 ____D C:\Users\All Users\Rockstar Games
    2012-07-07 13:48 - 2012-07-07 16:06 - 00000000 ____D C:\Users\Julian\Documents\Rockstar Games
    2012-07-07 08:31 - 2012-07-07 08:31 - 00000000 ____D C:\Users\Julian\AppData\Local\{08B8819C-CF5F-4E93-ABB1-0B61C902E4B4}
    2012-07-07 08:30 - 2012-07-07 08:31 - 00000000 ____D C:\Users\Julian\AppData\Local\{DB2A1538-B798-4D57-80F1-5A1D5D8171E9}
    2012-07-06 20:30 - 2012-07-06 20:30 - 00000000 ____D C:\Users\Julian\AppData\Local\{3CD15831-C0BE-413D-BD72-9761562936F1}
    2012-07-06 20:30 - 2012-07-06 20:30 - 00000000 ____D C:\Users\Julian\AppData\Local\{2456A6F0-3F64-40C3-9ECC-260B30B61235}
    2012-07-06 08:30 - 2012-07-06 08:30 - 00000000 ____D C:\Users\Julian\AppData\Local\{EBEB39CA-F8DF-4A80-8018-D3CB13526B95}
    2012-07-06 08:29 - 2012-07-06 08:30 - 00000000 ____D C:\Users\Julian\AppData\Local\{16DA0EDE-D972-49B5-8554-4A96B6BA97CA}
    2012-07-05 20:23 - 2012-07-05 20:23 - 00000000 ____D C:\Users\Julian\AppData\Local\{E3A148B4-D703-457D-9980-FE5A79BAC038}
    2012-07-05 20:23 - 2012-07-05 20:23 - 00000000 ____D C:\Users\Julian\AppData\Local\{666D66B2-0071-4D2E-963F-3BFA2B2E0E5C}
    2012-07-05 08:22 - 2012-07-05 08:22 - 00000000 ____D C:\Users\Julian\AppData\Local\{DAE66864-5F54-4408-878C-BE628CC55E03}
    2012-07-05 08:22 - 2012-07-05 08:22 - 00000000 ____D C:\Users\Julian\AppData\Local\{5A0A2B85-5103-4FCA-A3B2-CD1306B4DCB1}
    2012-07-04 20:22 - 2012-07-04 20:22 - 00000000 ____D C:\Users\Julian\AppData\Local\{059F0692-4EC8-4720-9C13-80970C776383}
    2012-07-04 20:21 - 2012-07-04 20:22 - 00000000 ____D C:\Users\Julian\AppData\Local\{EBDB2089-3C32-4946-8AD3-7EEC8248438C}
    2012-07-04 10:41 - 2012-07-07 16:40 - 00000000 ____D C:\Users\Julian\Downloads\Max.Payne.3-RELOADED
    2012-07-04 08:21 - 2012-07-04 08:21 - 00000000 ____D C:\Users\Julian\AppData\Local\{E42D2F75-C668-4C6B-82C5-455ED67DEE99}
    2012-07-04 08:21 - 2012-07-04 08:21 - 00000000 ____D C:\Users\Julian\AppData\Local\{417E67A9-DE16-4DF1-B9A5-A31C246A62D3}
    2012-07-03 20:21 - 2012-07-03 20:21 - 00000000 ____D C:\Users\Julian\AppData\Local\{38ABB55E-80F2-4774-A57F-F74C50611C2C}
    2012-07-03 20:21 - 2012-07-03 20:21 - 00000000 ____D C:\Users\Julian\AppData\Local\{28F7A8F0-6811-4E68-AA87-91A5D93D614A}
    2012-07-03 08:20 - 2012-07-03 08:20 - 00000000 ____D C:\Users\Julian\AppData\Local\{7F71D596-FD12-4534-9D78-4AD4387A47EB}
    2012-07-03 08:20 - 2012-07-03 08:20 - 00000000 ____D C:\Users\Julian\AppData\Local\{260DA7BD-968A-45CB-86A9-5B367EF75D37}
    2012-07-02 20:20 - 2012-07-02 20:20 - 00000000 ____D C:\Users\Julian\AppData\Local\{3CB1847B-0EE4-4583-9B64-DEDD0AFA70B5}
    2012-07-02 20:20 - 2012-07-02 20:20 - 00000000 ____D C:\Users\Julian\AppData\Local\{19193763-DE33-46FF-AFE2-24A0A7E69ADD}
    2012-07-02 08:19 - 2012-07-02 08:20 - 00000000 ____D C:\Users\Julian\AppData\Local\{71D0EB3E-4DFE-482C-8129-E7BC8FC75D8A}
    2012-07-02 08:19 - 2012-07-02 08:19 - 00000000 ____D C:\Users\Julian\AppData\Local\{D1BA8B53-5BF8-4891-9E72-B0BBA34346B5}
    2012-07-01 20:19 - 2012-07-01 20:19 - 00000000 ____D C:\Users\Julian\AppData\Local\{AEBF8EF0-1B59-4F7B-BF77-2064D5F007F5}
    2012-07-01 20:19 - 2012-07-01 20:19 - 00000000 ____D C:\Users\Julian\AppData\Local\{7888AC0E-2560-4299-94D6-7E1BAB299084}
    2012-07-01 08:18 - 2012-07-01 08:19 - 00000000 ____D C:\Users\Julian\AppData\Local\{C3FE9DC9-5A3C-4060-A64D-7AA5A05B9BBF}
    2012-07-01 08:18 - 2012-07-01 08:18 - 00000000 ____D C:\Users\Julian\AppData\Local\{38BB4B68-703C-4D13-B9B0-72E7E7C25ADE}
    2012-06-30 22:48 - 2012-07-02 12:31 - 00000000 ____D C:\Users\Julian\Downloads\Wrath.of.the.Titans.DVDRip.XviD-DEPRiVED
    2012-06-30 19:42 - 2012-06-30 19:42 - 00000000 ____D C:\Users\Julian\AppData\Local\{B6BB9C6A-FC76-4EB3-921E-DDE2C7DB1BA9}
    2012-06-30 19:42 - 2012-06-30 19:42 - 00000000 ____D C:\Users\Julian\AppData\Local\{4E96455A-10F1-482B-A302-9680F50244F2}
    2012-06-30 09:42 - 2012-06-30 09:43 - 00000000 ____D C:\Users\Julian\Downloads\Nurses.2
    2012-06-30 09:40 - 2012-06-30 09:40 - 00000000 ____D C:\Users\Julian\Downloads\Just.Like.Mom
    2012-06-30 07:42 - 2012-06-30 07:42 - 00000000 ____D C:\Users\Julian\AppData\Local\{98A2D557-7F14-4F63-91BF-D47D528BF98C}
    2012-06-30 07:42 - 2012-06-30 07:42 - 00000000 ____D C:\Users\Julian\AppData\Local\{392CD1D0-0683-4E1F-8DB6-C97F4293DE9A}
    2012-06-29 19:41 - 2012-06-29 19:41 - 00000000 ____D C:\Users\Julian\AppData\Local\{A81C2430-6701-4AE7-97FF-305ADC27FBD7}
    2012-06-29 19:41 - 2012-06-29 19:41 - 00000000 ____D C:\Users\Julian\AppData\Local\{2C2AE0EB-9674-406F-8CFD-573CC7B83D76}
    2012-06-29 07:41 - 2012-06-29 07:41 - 00000000 ____D C:\Users\Julian\AppData\Local\{DD0BAB09-C249-4A82-AEB6-6B96B0E4756D}
    2012-06-29 07:41 - 2012-06-29 07:41 - 00000000 ____D C:\Users\Julian\AppData\Local\{752978BC-2414-43C9-86DF-101151FF24D1}
    2012-06-28 19:40 - 2012-06-28 19:40 - 00000000 ____D C:\Users\Julian\AppData\Local\{E5FA199A-090B-4862-9D02-D6BE760B32D7}
    2012-06-28 19:40 - 2012-06-28 19:40 - 00000000 ____D C:\Users\Julian\AppData\Local\{329ED0A5-4D6C-4338-9100-DEC963381B0C}
    2012-06-28 07:40 - 2012-06-28 07:40 - 00000000 ____D C:\Users\Julian\AppData\Local\{784A00F2-6ADD-4DFD-9954-1ACC9C791535}
    2012-06-27 19:40 - 2012-06-27 19:40 - 00000000 ____D C:\Users\Julian\AppData\Local\{968B74A3-37B9-4EA4-A54C-4699D3623012}
    2012-06-27 19:39 - 2012-06-27 19:40 - 00000000 ____D C:\Users\Julian\AppData\Local\{33408ABE-CE0E-4ED8-91AC-B2A864B32BD4}
    2012-06-27 07:39 - 2012-06-27 07:39 - 00000000 ____D C:\Users\Julian\AppData\Local\{E937E392-7198-4529-9200-FA742A379898}
    2012-06-27 07:39 - 2012-06-27 07:39 - 00000000 ____D C:\Users\Julian\AppData\Local\{52A155B7-8F23-4B4F-B4A1-5EE617A9E25F}
    2012-06-26 09:27 - 2012-06-26 09:27 - 00000000 ____D C:\Users\All Users\Solidshield
    2012-06-26 07:34 - 2012-06-26 07:35 - 00000000 ____D C:\Users\Julian\AppData\Local\{0D09B9F5-B4E6-418E-AEEF-158572F9ACEC}
    2012-06-26 07:34 - 2012-06-26 07:34 - 00000000 ____D C:\Users\Julian\AppData\Local\{0251260F-905F-4504-A28C-46A6884EAF4A}
    2012-06-25 19:34 - 2012-06-25 19:34 - 00000000 ____D C:\Users\Julian\AppData\Local\{4000D83D-A348-4F1E-B26F-ABFAE0783229}
    2012-06-25 19:34 - 2012-06-25 19:34 - 00000000 ____D C:\Users\Julian\AppData\Local\{3BDC8A8A-4BFF-412C-89E9-2C6CFA49F624}
    2012-06-25 07:33 - 2012-06-25 07:34 - 00000000 ____D C:\Users\Julian\AppData\Local\{32204599-743F-486F-8A4B-EDA214757255}
    2012-06-25 07:33 - 2012-06-25 07:33 - 00000000 ____D C:\Users\Julian\AppData\Local\{E21A4BC3-7069-4462-B80C-2D323F81C98D}
    2012-06-24 18:24 - 2012-06-24 18:24 - 00000000 ____D C:\Users\Julian\AppData\Local\{FAFEC3D7-A3BD-4492-AC20-75F7C4C4362A}
    2012-06-24 18:24 - 2012-06-24 18:24 - 00000000 ____D C:\Users\Julian\AppData\Local\{1EE7FCE5-ECDC-4B31-96A2-AFAEE82BDBA6}
    2012-06-24 06:24 - 2012-06-24 06:24 - 00000000 ____D C:\Users\Julian\AppData\Local\{3FD3F35F-233F-4178-AD97-322DF141EBCD}
    2012-06-24 06:24 - 2012-06-24 06:24 - 00000000 ____D C:\Users\Julian\AppData\Local\{343623CA-AE73-4ADA-A82A-F80F21603C2C}
    2012-06-23 17:52 - 2012-06-23 17:52 - 00000000 ____D C:\Users\Julian\AppData\Local\{E3ED201E-08D0-47AE-A02D-D123748E01C7}
    2012-06-23 17:52 - 2012-06-23 17:52 - 00000000 ____D C:\Users\Julian\AppData\Local\{63777ADA-E8FD-4D39-87B6-9C595789B147}
    2012-06-23 05:52 - 2012-06-23 05:52 - 00000000 ____D C:\Users\Julian\AppData\Local\{667AAD22-F4A4-45BE-A495-9DFA436420A9}
    2012-06-23 05:51 - 2012-06-23 05:52 - 00000000 ____D C:\Users\Julian\AppData\Local\{C8A7DFD5-0C72-47A3-90FF-B102AF8D1647}
    2012-06-22 06:53 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-22 06:53 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-22 06:53 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-22 06:53 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-22 06:53 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-22 06:53 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-22 06:53 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-22 06:53 - 2012-06-02 11:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-22 06:53 - 2012-06-02 11:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-21 19:22 - 2012-06-21 19:22 - 00000000 ____D C:\Users\Julian\AppData\Local\{5BA84526-8441-43CD-87DE-1B329150DABB}
    2012-06-21 19:22 - 2012-06-21 19:22 - 00000000 ____D C:\Users\Julian\AppData\Local\{30F7A3FB-DD31-48EE-A9F0-CC1B5C293CB5}
    2012-06-21 07:21 - 2012-06-21 07:22 - 00000000 ____D C:\Users\Julian\AppData\Local\{935FC849-3465-45A4-82AF-85BC679CA6C3}
    2012-06-21 07:21 - 2012-06-21 07:21 - 00000000 ____D C:\Users\Julian\AppData\Local\{BCCBAA79-1AD1-405B-8435-AD6033C34A99}
    2012-06-20 19:21 - 2012-06-20 19:21 - 00000000 ____D C:\Users\Julian\AppData\Local\{BB1D0815-34EE-4856-8AE9-538B4FCD3133}
    2012-06-20 19:21 - 2012-06-20 19:21 - 00000000 ____D C:\Users\Julian\AppData\Local\{06EDB373-7208-4E3C-A1E9-A6F4CF564BC9}
    2012-06-20 07:21 - 2012-06-20 07:21 - 00000000 ____D C:\Users\Julian\AppData\Local\{FA691FE1-BE28-482B-8C1A-94BCCEED5113}
    2012-06-20 07:20 - 2012-06-20 07:21 - 00000000 ____D C:\Users\Julian\AppData\Local\{613EB86A-59EA-4895-910F-FBA98734E2C4}
    2012-06-19 08:30 - 2012-06-19 08:30 - 00000000 ____D C:\Users\Julian\AppData\Local\{0E7EA4B4-3C73-4FBA-9C41-228D0C86E307}
    2012-06-19 08:29 - 2012-06-19 08:30 - 00000000 ____D C:\Users\Julian\AppData\Local\{9B8DA81F-22D0-4F91-A862-5BA102865508}
    2012-06-18 20:29 - 2012-06-18 20:29 - 00000000 ____D C:\Users\Julian\AppData\Local\{DC381B85-7DE6-4DF3-B1B8-2DEF0F5815E9}
    2012-06-18 20:29 - 2012-06-18 20:29 - 00000000 ____D C:\Users\Julian\AppData\Local\{BAAFB8BC-23EE-4ECE-BAAC-43ADE9516021}
    2012-06-18 08:29 - 2012-06-18 08:29 - 00000000 ____D C:\Users\Julian\AppData\Local\{E77508C2-C0CC-41DC-9D12-4E21930D180E}
    2012-06-17 19:55 - 2012-06-17 19:55 - 00000000 ____D C:\Users\Julian\AppData\Local\{89CEFB6E-3980-4C46-BBB8-13385267A303}
    2012-06-17 07:55 - 2012-06-17 07:55 - 00000000 ____D C:\Users\Julian\AppData\Local\{AB16E00B-053C-406C-8BC2-63C9EADB5AE9}
    2012-06-17 07:53 - 2012-06-17 07:53 - 00000000 ____D C:\Users\Julian\AppData\Local\{3E5DE6EC-E272-47FF-A1F5-0D5D7A21FCB0}
    2012-06-16 14:39 - 2012-06-16 14:39 - 00000000 ____D C:\Users\Julian\AppData\Local\{C13C897D-B567-44F2-9150-7CA1E917DC2A}


    ============ 3 Months Modified Files ========================

    2012-07-16 05:00 - 2011-12-22 09:07 - 00038753 ____A C:\Windows\setupact.log
    2012-07-16 05:00 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-15 14:22 - 2009-07-13 15:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-07-15 13:38 - 2012-07-15 13:38 - 00001270 ____A C:\Users\Julian\Desktop\$RIKBJZG.lnk
    2012-07-15 13:35 - 2012-07-15 13:35 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.08C5F3CF53189E28
    2012-07-15 13:32 - 2012-07-15 13:32 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.019C83306439BF49
    2012-07-15 13:28 - 2012-07-15 13:28 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.77B372096C5DBBBB
    2012-07-15 13:24 - 2009-07-13 20:45 - 00014976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-15 13:24 - 2009-07-13 20:45 - 00014976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-15 13:23 - 2012-07-15 13:23 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.86D4C203C793454C
    2012-07-15 13:23 - 2009-07-13 21:13 - 00782528 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-15 13:19 - 2011-09-30 19:46 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-07-15 13:19 - 2011-07-03 08:44 - 00796186 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-07-15 13:19 - 2011-06-20 05:36 - 01138779 ____A C:\Windows\WindowsUpdate.log
    2012-07-12 09:59 - 2012-03-31 17:00 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-07-12 09:59 - 2011-06-21 01:22 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-07-12 07:30 - 2009-07-13 20:45 - 00413312 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-11 21:52 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
    2012-07-11 21:50 - 2011-06-21 01:45 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-07-07 16:02 - 2011-06-23 03:17 - 00143628 ____A C:\Windows\DirectX.log
    2012-06-21 11:58 - 2011-03-25 16:20 - 00053760 ____A C:\Users\Julian\Documents\Bank book - Julian.xls
    2012-06-11 19:08 - 2012-07-11 21:52 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-11 16:45 - 2012-05-12 15:36 - 00000091 ____A C:\Users\Julian\Documents\Authenticator Restore.txt
    2012-06-08 21:43 - 2012-07-11 06:57 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-08 20:41 - 2012-07-11 06:57 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    2012-06-05 22:06 - 2012-07-11 06:58 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-05 22:06 - 2012-07-11 06:58 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-05 22:02 - 2012-07-11 06:57 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-06-05 21:05 - 2012-07-11 06:58 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2012-06-05 21:05 - 2012-07-11 06:58 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2012-06-05 21:03 - 2012-07-11 06:57 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
    2012-06-02 14:19 - 2012-06-22 06:53 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-22 06:53 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-22 06:53 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-22 06:53 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-22 06:53 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:15 - 2012-06-22 06:53 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-22 06:53 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 11:19 - 2012-06-22 06:53 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 11:15 - 2012-06-22 06:53 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-01 21:50 - 2012-07-11 06:57 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-06-01 21:48 - 2012-07-11 06:57 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-06-01 21:48 - 2012-07-11 06:57 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-01 21:45 - 2012-07-11 06:57 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 21:44 - 2012-07-11 06:57 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-06-01 20:40 - 2012-07-11 06:57 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
    2012-06-01 20:40 - 2012-07-11 06:57 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
    2012-06-01 20:39 - 2012-07-11 06:57 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    2012-06-01 20:34 - 2012-07-11 06:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
    2012-05-24 17:41 - 2012-05-24 17:41 - 00002378 ____A C:\Users\Julian\Documents\MumbleAutomaticCertificateBackup.p12
    2012-05-14 20:01 - 2012-06-13 20:01 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-05-14 19:59 - 2012-06-13 20:01 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-05-14 19:03 - 2012-06-13 20:01 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-05-14 19:00 - 2012-06-13 20:01 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-05-12 18:15 - 2012-05-12 18:15 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_ZuneDriver_01_09_00.Wdf
    2012-05-12 18:15 - 2012-05-12 18:15 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_winusb_01009.Wdf
    2012-05-04 03:06 - 2012-06-13 20:01 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2012-05-04 02:03 - 2012-06-13 20:01 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2012-05-04 02:03 - 2012-06-13 20:01 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
    2012-04-30 21:40 - 2012-06-13 20:01 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
    2012-04-29 08:32 - 2011-06-21 01:49 - 00070854 ____A C:\Windows\PFRO.log
    2012-04-27 19:55 - 2012-06-13 20:01 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-04-25 21:41 - 2012-06-13 20:01 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
    2012-04-25 21:41 - 2012-06-13 20:01 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
    2012-04-25 21:34 - 2012-06-13 20:01 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
    2012-04-23 21:37 - 2012-06-13 20:00 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-04-23 21:37 - 2012-06-13 20:00 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-04-23 21:37 - 2012-06-13 20:00 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-04-23 20:36 - 2012-06-13 20:00 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
    2012-04-23 20:36 - 2012-06-13 20:00 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
    2012-04-23 20:36 - 2012-06-13 20:00 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
    2012-04-21 19:55 - 2009-07-13 21:08 - 00032548 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-04-19 21:42 - 2012-06-13 20:01 - 12297216 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-04-19 21:42 - 2012-06-13 20:01 - 09059840 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-04-19 21:42 - 2012-06-13 20:01 - 02454528 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-04-19 21:42 - 2012-06-13 20:01 - 01494016 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-04-19 21:42 - 2012-06-13 20:01 - 00735744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2012-04-19 21:42 - 2012-06-13 20:01 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-04-19 21:42 - 2012-06-13 20:01 - 00134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-04-19 21:42 - 2012-06-13 20:01 - 00097792 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-04-19 21:00 - 2012-06-13 20:01 - 01231360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-04-19 21:00 - 2012-06-13 20:01 - 00132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-04-19 20:57 - 2012-06-13 20:01 - 06027776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-04-19 20:57 - 2012-06-13 20:01 - 00627712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
    2012-04-19 20:57 - 2012-06-13 20:01 - 00067584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-04-19 20:56 - 2012-06-13 20:01 - 11020800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-04-19 20:56 - 2012-06-13 20:01 - 02073600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-04-19 20:56 - 2012-06-13 20:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-04-19 19:45 - 2012-06-13 20:01 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-04-19 19:16 - 2012-06-13 20:01 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb


    ZeroAccess:
    C:\Windows\Installer\{c97d60d6-334e-f1c8-0f48-547fa5084648}
    C:\Windows\Installer\{c97d60d6-334e-f1c8-0f48-547fa5084648}\@
    C:\Windows\Installer\{c97d60d6-334e-f1c8-0f48-547fa5084648}\L
    C:\Windows\Installer\{c97d60d6-334e-f1c8-0f48-547fa5084648}\U
    C:\Windows\Installer\{c97d60d6-334e-f1c8-0f48-547fa5084648}\U\00000001.@

    ZeroAccess:
    C:\Users\Julian\AppData\Local\{c97d60d6-334e-f1c8-0f48-547fa5084648}
    C:\Users\Julian\AppData\Local\{c97d60d6-334e-f1c8-0f48-547fa5084648}\@
    C:\Users\Julian\AppData\Local\{c97d60d6-334e-f1c8-0f48-547fa5084648}\L
    C:\Users\Julian\AppData\Local\{c97d60d6-334e-f1c8-0f48-547fa5084648}\U

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe FCB084FA3DCB7449F3BAA13312A215B4 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 9%
    Total physical RAM: 8174.7 MB
    Available physical RAM: 7406.49 MB
    Total Pagefile: 8172.84 MB
    Available Pagefile: 7400.45 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:931.51 GB) (Free:561.06 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    3 Drive e: () (Removable) (Total:3.73 GB) (Free:3.69 GB) FAT32
    4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 931 GB 0 B
    Disk 1 Online 3819 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 931 GB 1024 KB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 931 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 3818 MB 16 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0B
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 E FAT32 Removable 3818 MB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-08 17:02

    ======================= End Of Log ==========================
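Both ZeroAccess entries in the FRST log above share one layout: a GUID-named directory holding an `@` file plus `L` and `U` subdirectories. A GUID-named folder under `C:\Windows\Installer` is normal on its own (Windows Installer caches packages that way), so the child entries are what distinguish it. The following is an added example, not FRST code and not anything posted in this thread: a Python check that walks a directory tree and flags only directories with that exact layout. The function names and the throwaway sample tree are constructed for the example; the GUID reused in the sample is the one from the log.

```python
import os
import re
import tempfile

# Directory names of the form {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}, as in the log.
GUID_DIR = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$",
    re.IGNORECASE,
)
# The child entries the log shows inside each GUID directory.
MARKER_CHILDREN = {"@", "L", "U"}


def find_suspect_dirs(root):
    """Return GUID-named directories under root that contain all three marker entries.

    A GUID-named directory by itself is not flagged; only the '@' / 'L' / 'U'
    layout is, because plain GUID folders are how Windows Installer caches MSIs.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not GUID_DIR.match(os.path.basename(dirpath)):
            continue
        children = set(dirnames) | set(filenames)
        if MARKER_CHILDREN <= children:
            hits.append(dirpath)
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree (not a real system) with one hit and one benign GUID folder."""
    root = tempfile.mkdtemp(prefix="za_sample_")
    guid = "{c97d60d6-334e-f1c8-0f48-547fa5084648}"  # GUID taken from the log above
    # 1) layout matching the log: {GUID}\@, {GUID}\L, {GUID}\U\00000001.@
    bad = os.path.join(root, "Windows", "Installer", guid)
    os.makedirs(os.path.join(bad, "L"))
    os.makedirs(os.path.join(bad, "U"))
    open(os.path.join(bad, "@"), "wb").close()
    open(os.path.join(bad, "U", "00000001.@"), "wb").close()
    # 2) a benign GUID-named MSI cache folder that must NOT be flagged (constructed GUID)
    benign = os.path.join(root, "Windows", "Installer",
                          "{11111111-2222-3333-4444-555555555555}")
    os.makedirs(benign)
    open(os.path.join(benign, "setup.msi"), "wb").close()
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_suspect_dirs(sample_root):
        print("suspect layout:", hit)
```

On a live machine the walk would start at the locations the log names (`C:\Windows\Installer` and each user's `AppData\Local`) rather than the whole drive, and a hit is a lead for the kind of follow-up shown in this thread, not a verdict by itself.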
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Thanks for doing that, and good work! It's not always a good idea, though, to follow instructions that others receive. But, it'll be okay. :)

    Anyway, we will need another scan from FRST before continuing the fixes, so the infection cannot reinstall itself, AND so your computer can boot properly without trouble. This will search for other places to find backup copies of the system file. There is a system file on your machine that is infected. Time to clean it up!

    Additional FRST Scan

    Once again, please boot to the System Recovery Options and run FRST, as done previously.

    Type the following text in the blank box after Search:

    services.exe

    Click: Search file(s)


    When done searching, FRST makes a log, Search.txt, on the C:\ drive.

    Please provide the Search.txt in your reply.
  6. Bredgen

    Bredgen TS Rookie Topic Starter

    Sorry I couldn't get back to you quicker. Here is the Search.txt file that you requested:

    Farbar Recovery Scan Tool Version: 16-07-2012 01
    Ran by SYSTEM at 2012-07-17 09:56:40
    Running from E:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-13 15:19] - [2012-07-15 14:22] - 0328704 ____A (Microsoft Corporation) FCB084FA3DCB7449F3BAA13312A215B4

    ====== End Of Search ======

    Hope to hear back from you soon!
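The Search.txt above shows why the Bamital & volsnap check flagged `services.exe`: the copy in `System32` and the one in `WinSxS` are the same size (328704 bytes) but have different MD5s, so size alone proves nothing and the hash comparison is what matters. The following is an added example, not FRST's own code: a Python routine that finds every copy of a named file below a root, hashes each, and flags any copy whose MD5 differs from the WinSxS reference. The function names and the constructed sample tree (two same-length byte strings standing in for the real binary) are assumptions made for the example.

```python
import hashlib
import os
import tempfile


def md5_of(path):
    """MD5 of a file, read in chunks. MD5 is used only because FRST reports MD5."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def find_copies(root, name):
    """Every file called `name` below root with its size and MD5, like FRST's Search output."""
    copies = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == name.lower():
                p = os.path.join(dirpath, f)
                copies.append({"path": p, "size": os.path.getsize(p), "md5": md5_of(p)})
    return copies


def compare_to_winsxs(copies):
    """Flag copies whose MD5 differs from the reference copy kept in WinSxS.

    Returns (reference_md5, flagged_paths). Size is deliberately ignored:
    in the Search.txt above both files are 328704 bytes yet hash differently.
    """
    refs = [c for c in copies if "winsxs" in c["path"].lower()]
    if not refs:
        raise ValueError("no WinSxS reference copy found")
    ref_hashes = {c["md5"] for c in refs}
    if len(ref_hashes) != 1:
        # Several component versions can coexist legitimately; pick by version first.
        raise ValueError("WinSxS copies disagree with each other; inspect manually")
    ref_md5 = ref_hashes.pop()
    flagged = [c["path"] for c in copies if c["md5"] != ref_md5]
    return ref_md5, flagged


def build_sample_tree():
    """Constructed sample: a clean services.exe in winsxs, a same-size modified copy in System32."""
    root = tempfile.mkdtemp(prefix="svc_sample_")
    clean = b"A" * 1024                    # stand-in for the real binary (constructed data)
    patched = b"A" * 1000 + b"B" * 24      # same length, different content
    winsxs = os.path.join(root, "Windows", "winsxs", "amd64_servicecontroller_sample")
    system32 = os.path.join(root, "Windows", "System32")
    os.makedirs(winsxs)
    os.makedirs(system32)
    with open(os.path.join(winsxs, "services.exe"), "wb") as f:
        f.write(clean)
    with open(os.path.join(system32, "services.exe"), "wb") as f:
        f.write(patched)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    found = find_copies(sample_root, "services.exe")
    ref, bad = compare_to_winsxs(found)
    print("reference MD5:", ref)
    for p in bad:
        print("differs from WinSxS reference:", p)
```

On a real Windows 7 system WinSxS may hold more than one version of a component after updates, which is why the routine refuses to guess when the reference copies disagree; matching the copy to the installed file version, or checking the Authenticode signature of the System32 file, is the more robust check and is what the helper's FRST fix relied on when it restored the file from the matching WinSxS directory.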
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    FRST64 Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
  8. Bredgen

    Bredgen TS Rookie Topic Starter

    My computer booted and is so far still on without restarting. I'm able to give you this log using the infected computer rather than my laptop now. This is a huge improvement already, although it is a bit laggier than usual and took a bit longer to start up, but I'm assuming we're not done cleaning it yet.

    Here is the log you requested:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 16-07-2012 01
    Ran by SYSTEM at 2012-07-17 14:18:31 Run:1
    Running from E:\

    ==============================================

    C:\Windows\Installer\{c97d60d6-334e-f1c8-0f48-547fa5084648} moved successfully.
    C:\Users\Julian\AppData\Local\{c97d60d6-334e-f1c8-0f48-547fa5084648} moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi again. Please run the following tool:

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
  10. Bredgen

    Bredgen TS Rookie Topic Starter

    Done!
    Edit: Not sure if it's important to note or not, but when it finished, it restarted my computer and produced the log. When it finished the log, I was not able to open Windows Explorer or Firefox because "the registry key was scheduled to be deleted" and it asked me if I wanted to delete it now. I said no and restarted my computer, so I was able to access Firefox and Windows Explorer.
    Is this normal? Everything seems to be working after the restart.
    Here is the log you requested:

    ComboFix 12-07-18.04 - Julian 07/18/2012 12:39:28.1.4 - x64
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8175.6518 [GMT -4:00]
    Running from: c:\users\Julian\Desktop\ComboFix.exe
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Install.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-18 to 2012-07-18 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-17 00:43 . 2012-07-17 00:44 -------- d-----w- C:\FRST
    2012-07-15 21:35 . 2012-07-15 21:35 328704 ----a-w- c:\windows\system32\services.exe.08C5F3CF53189E28
    2012-07-15 21:32 . 2012-07-15 21:32 328704 ----a-w- c:\windows\system32\services.exe.019C83306439BF49
    2012-07-15 21:28 . 2012-07-15 21:28 328704 ----a-w- c:\windows\system32\services.exe.77B372096C5DBBBB
    2012-07-15 21:23 . 2012-07-15 21:23 328704 ----a-w- c:\windows\system32\services.exe.86D4C203C793454C
    2012-07-15 21:20 . 2012-02-09 18:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{26E5D0E3-639D-4029-9D58-A92BF46A633F}\gapaengine.dll
    2012-07-15 21:20 . 2012-06-18 07:12 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9618269D-EA5D-4908-87EC-4FA7D8D67730}\mpengine.dll
    2012-07-15 21:19 . 2012-07-15 21:19 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2012-07-15 21:19 . 2012-07-15 21:19 -------- d-----w- c:\program files\Microsoft Security Client
    2012-07-15 17:59 . 2012-07-15 22:22 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
    2012-07-12 18:01 . 2012-07-12 18:01 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-07-12 05:52 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
    2012-07-11 14:58 . 2012-06-06 06:06 2004480 ----a-w- c:\windows\system32\msxml6.dll
    2012-07-11 14:58 . 2012-06-06 06:06 1881600 ----a-w- c:\windows\system32\msxml3.dll
    2012-07-11 14:58 . 2012-06-06 05:05 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
    2012-07-11 14:58 . 2012-06-06 05:05 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
    2012-07-11 14:58 . 2010-06-26 03:55 2048 ----a-w- c:\windows\system32\msxml3r.dll
    2012-07-11 14:58 . 2010-06-26 03:24 2048 ----a-w- c:\windows\SysWow64\msxml3r.dll
    2012-07-07 23:47 . 2012-07-08 00:05 -------- d-----w- c:\program files (x86)\Rockstar Games
    2012-07-07 23:47 . 2012-07-07 23:47 -------- d-----w- c:\programdata\Rockstar Games
    2012-06-27 17:54 . 2012-06-27 17:54 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
    2012-06-27 17:54 . 2012-06-27 17:54 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
    2012-06-26 17:27 . 2012-06-26 17:27 -------- d-----w- c:\programdata\Solidshield
    2012-06-22 14:53 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-22 14:53 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-22 14:53 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-22 14:53 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-22 14:53 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-22 14:53 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-22 14:53 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-22 14:53 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-22 14:53 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-12 17:59 . 2012-04-01 01:00 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-07-12 17:59 . 2011-06-21 09:22 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-12 05:50 . 2011-06-21 09:45 59701280 ----a-w- c:\windows\system32\MRT.exe
    2012-05-15 04:01 . 2012-06-14 04:01 1188864 ----a-w- c:\windows\system32\wininet.dll
    2012-05-15 03:59 . 2012-06-14 04:01 64512 ----a-w- c:\windows\system32\jsproxy.dll
    2012-05-15 03:03 . 2012-06-14 04:01 981504 ----a-w- c:\windows\SysWow64\wininet.dll
    2012-05-04 11:06 . 2012-06-14 04:01 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-04 10:03 . 2012-06-14 04:01 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-05-04 10:03 . 2012-06-14 04:01 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2012-05-01 05:40 . 2012-06-14 04:01 209920 ----a-w- c:\windows\system32\profsvc.dll
    2012-04-28 03:55 . 2012-06-14 04:01 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-04-26 05:41 . 2012-06-14 04:01 77312 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-04-26 05:41 . 2012-06-14 04:01 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-04-26 05:34 . 2012-06-14 04:01 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
    2012-04-24 05:37 . 2012-06-14 04:00 184320 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-04-24 05:37 . 2012-06-14 04:00 140288 ----a-w- c:\windows\system32\cryptnet.dll
    2012-04-24 05:37 . 2012-06-14 04:00 1462272 ----a-w- c:\windows\system32\crypt32.dll
    2012-04-24 04:36 . 2012-06-14 04:00 1158656 ----a-w- c:\windows\SysWow64\crypt32.dll
    2012-04-24 04:36 . 2012-06-14 04:00 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
    2012-04-24 04:36 . 2012-06-14 04:00 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
    2012-04-20 05:42 . 2012-06-14 04:01 1494016 ----a-w- c:\windows\system32\urlmon.dll
    2012-04-20 05:42 . 2012-06-14 04:01 134144 ----a-w- c:\windows\system32\url.dll
    2012-04-20 05:42 . 2012-06-14 04:01 9059840 ----a-w- c:\windows\system32\mshtml.dll
    2012-04-20 05:42 . 2012-06-14 04:01 735744 ----a-w- c:\windows\system32\msfeeds.dll
    2012-04-20 05:42 . 2012-06-14 04:01 97792 ----a-w- c:\windows\system32\mshtmled.dll
    2012-04-20 05:42 . 2012-06-14 04:01 12297216 ----a-w- c:\windows\system32\ieframe.dll
    2012-04-20 05:42 . 2012-06-14 04:01 247808 ----a-w- c:\windows\system32\ieui.dll
    2012-04-20 05:42 . 2012-06-14 04:01 2454528 ----a-w- c:\windows\system32\iertutil.dll
    2012-04-20 03:45 . 2012-06-14 04:01 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2012-04-20 03:16 . 2012-06-14 04:01 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
    2011-06-21 10:28 . 2011-06-21 10:28 399736 ----a-w- c:\program files\utorrent.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-04-11 3672384]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
    "Control Center"="c:\program files (x86)\ASUS\WLAN Card Utilities\CenterAgent.exe" [2009-05-21 544256]
    "DeathAdder"="c:\program files (x86)\Razer\DeathAdder\razerhid.exe" [2011-03-21 248320]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-03-01 2348352]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]
    R3 ALSysIO;ALSysIO;c:\users\Julian\AppData\Local\Temp\ALSysIO64.sys [x]
    R3 cpuz134;cpuz134;c:\program files (x86)\CPUID\PC Wizard 2010\pcwiz_x64.sys [x]
    R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\steam\steamapps\common\dragon age ultimate edition\bin_ship\DAUpdaterSvc.Service.exe [2011-07-04 25832]
    R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
    R3 GGSAFERDriver;GGSAFER Driver;c:\program files (x86)\Garena\safedrv.sys [x]
    R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-23 16008]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-18 113120]
    R3 netr28ux;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\netr28ux.sys [2010-02-12 1104672]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
    R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192su.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-06-21 1255736]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
    R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2011-08-05 306400]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-04-13 283200]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 ASWLCCSvc;ASUS Wireless Card Service;c:\program files (x86)\ASUS\WLAN Card Utilities\ASWLCCSVC.exe [2009-05-21 172032]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-02-29 382272]
    S3 danewFltr;NewDeathAdder Mouse;c:\windows\system32\drivers\danew.sys [2010-03-23 12032]
    S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\system32\Drivers\EtronHub3.sys [2011-02-08 39936]
    S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\system32\Drivers\EtronXHCI.sys [2011-02-08 64512]
    S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 22408]
    S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-19 56344]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-01-17 188224]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-06-23 344680]
    S3 VKbms;Virtual HID Minidriver;c:\windows\system32\DRIVERS\VKbms.sys [2010-10-01 13312]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-07-28 11101800]
    "Launch LCore"="c:\program files\Logitech Gaming Software\LCore.exe" [2011-06-14 110360]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 163552]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = about:blank
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\users\Julian\AppData\Roaming\Mozilla\Firefox\Profiles\shst9y5c.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
    URLSearchHooks-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
    AddRemove-{173F2B02-2AAA-414F-A2D8-44870BB98F7A} - c:\program files (x86)\InstallShield Installation Information\{173F2B02-2AAA-414F-A2D8-44870BB98F7A}\setup.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DbgagD\1*]
    "value"="?\02\01\06\06\"\10~"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-07-18 12:50:27 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-18 16:50
    .
    Pre-Run: 602,301,231,104 bytes free
    Post-Run: 603,159,162,880 bytes free
    .
    - - End Of File - - 869FA338373691825F0B3E9A304890C7
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Yeah, it's normal. Should be fine.

    Please let me know how your computer is operating after this scan:

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
  12. Bredgen

    Bredgen TS Rookie Topic Starter

    Now I may have made a mistake here. I used ESET to scan my computer once, and then me, being a genius, checked the option to uninstall all ESET related stuff after it was over. I believe this also deleted the first ESET log, so I ran it again.


    This is the log that showed up the 2nd time around.

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=9af8d78a94f7d7488f06e9a0b38b4a53
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2012-07-19 03:05:13
    # local_time=2012-07-18 11:05:13 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=6.1.7601 NT Service Pack 1
    # compatibility_mode=5893 16776574 100 94 0 94208020 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=251859
    # found=0
    # cleaned=0
    # scan_time=2543
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Do you remember if anything was detected?

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
  14. Bredgen

    Bredgen TS Rookie Topic Starter

    It detected and deleted/quarantined 4 files.

    Other than that, my computer seems to be running fine. I'm not getting random error messages or anything. I've been wanting to do another full system scan with MSE to make sure that it won't start acting up again, that's about it.

    Any other scans that you suggest I do?

    Once again, thanks for the help.
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi! Your logs appear to be clean. If there are no more issues, then we shall clean up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name, e.g. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop-down box select your main drive, e.g. C
    • For a few moments the system will make some calculations
    • Select the More Options tab
    • In the System Restore and Shadow Backups section select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Please download TFC by OldTimer to your desktop
    • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • It will close all programs when run, so make sure you have saved all your work before you begin.
    • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
    • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Tell me in your next reply, if you have completed these tasks:
    • Cleaned System Restore
    • Ran OTC
    • Ran TFC
    • Ran Security Check
    Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello. Are you still with us?

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.
  17. Bredgen

    Bredgen TS Rookie Topic Starter

    Hi again, I'm extremely sorry for my absence. For some reason TechSpot stopped sending me e-mails whenever you replied, and because of that I thought we were done. I only just thought that was odd and decided to check this thread again.
    My computer has been running fine. I will follow the steps you asked me to do and I'll edit this post again with the results.
    Once again I apologize.
  18. Bredgen

    Bredgen TS Rookie Topic Starter

    Turns out I can't edit.
    I've completed the tasks you requested I do. Here is the security check log:

    Results of screen317's Security Check version 0.99.43
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 8 Out of date!
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Java(TM) 6 Update 31
    Java version out of Date!
    Mozilla Firefox (14.0.1)
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````

    Thanks for the help, and again, sorry for my absence.
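    As an added example (not from the thread, and not part of screen317's tool), the Python snippet below parses a log in the shape of the checkup.txt above into its backtick-delimited sections and lists the follow-up items, which is the review the helper does by hand in the next reply. The sample log is constructed after the one posted above.

    ```python
    import re

    # Constructed sample modelled on the checkup.txt posted in this thread.
    SAMPLE_CHECKUP = """ Results of screen317's Security Check version 0.99.43
     Windows 7 Service Pack 1 x64 (UAC is enabled)
     Internet Explorer 8 Out of date!
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Microsoft Security Essentials
     Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
     Java(TM) 6 Update 31
     Java version out of Date!
     Mozilla Firefox (14.0.1)
    ````````Process Check: objlist.exe by Laurent````````
     Microsoft Security Essentials MSMpEng.exe
    `````````````````System Health check`````````````````
     Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````
    """

    def parse_checkup(text):
        """Split the log into {section_name: [lines]}; lines before the first
        backtick banner go under 'Header'."""
        sections = {"Header": []}
        current = "Header"
        for raw in text.splitlines():
            line = raw.strip()
            if not line:
                continue
            banner = re.match(r"^`+(.+?)`+$", line)
            if banner:
                current = banner.group(1).rstrip(":").strip()
                sections[current] = []
                continue
            sections[current].append(line)
        return sections

    def triage(text):
        """Return the action items a helper would raise from the log."""
        s = parse_checkup(text)
        header = s.get("Header", [])
        actions = []
        for line in header:                      # e.g. "Internet Explorer 8 Out of date!"
            if line.endswith("Out of date!"):
                actions.append("update " + line[: -len("Out of date!")].strip())
        av = s.get("Antivirus/Firewall Check", [])
        if not any(l.startswith("Windows Firewall Enabled") for l in av):
            actions.append("enable firewall")
        if not any("Antivirus up to date" in l for l in av):
            actions.append("update antivirus")
        for line in s.get("Anti-malware/Other Utilities Check", []):
            if line.lower().endswith("version out of date!"):   # "Java version out of Date!"
                actions.append("update " + line.split(" version out of", 1)[0].strip())
        return {"uac_enabled": any("UAC is enabled" in l for l in header),
                "actions": actions}
    ```
    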
  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    That's okay. Good work!

    MOST IMPORTANT: You need to update IE to get all the latest security patches to protect your computer from the malware that is around on the internet. Please go to Windows Update to get the critical updates.

    Java Update!

    Please download the newest version of Java from Java.com.

    Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

    Once old versions are gone, please install the newest version.

    Read more about Java exploit problems

    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.

    Any other questions before I mark this topic solved?
  20. Bredgen

    Bredgen TS Rookie Topic Starter

    Done and done!
    No I don't have any more questions.
    Thanks very much for your help.
  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Great! Topic marked solved. :)

