TechSpot

Windows shutdown loop problem

By Lynn Johnson
Aug 8, 2012
  1. I have apparently picked up this nasty thing too. I tried virus removals at first and they did not stop the problem. I've read through some of the other posts and it looks like I could do the first step and save a little time so I'm attaching the FRST.txt contents and the Search.txt contents. The machine is running Windows Vista 64 bit. Strangely, I thought I had SP2 though below it says SP1. If I could turn it on for more than a minute, I could check again. I hope you can help and Thank YOU in advance. I will await your reply before doing anything else.

    Lynndie

    Scan result of Farbar Recovery Scan Tool Version: 08-08-2012
    Ran by SYSTEM at 07-08-2012 23:58:07
    Running from D:\
    Windows Vista (TM) Home Premium Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM-x32\...\Run: [] [x]
    HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\LogMeInRemoteUser\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\owner\...\Run: [AdobeBridge] [x]
    HKLM-x32\...\Runonce: [removeSearchqudatamngr] cmd.exe /c RD /S /Q "C:\Program Files (x86)\Searchqu Toolbar" [x]
    HKLM-x32\...\Runonce: [removeSearchqutoolbar] cmd.exe /c RD /S /Q "C:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar" [x]
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 24.217.0.5 24.217.201.67
    Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\LogMeInRemoteUser\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

    ==================== Services (Whitelisted) ======

    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
    3 nosGetPlusHelper; C:\Program Files (x86)\NOS\bin\getPlus_Helper_3004.dll [66112 2010-09-01] (NOS Microsystems Ltd.)
    2 RapiMgr; C:\Windows\WindowsMobile\rapimgr.dll [211968 2008-01-20] (Microsoft Corporation)
    4 stllssvr; "C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe" [74384 2008-03-24] (MicroVision Development, Inc.)
    2 WcesComm; C:\Windows\WindowsMobile\wcescomm.dll [428544 2008-01-20] (Microsoft Corporation)

    ========================== Drivers (Whitelisted) =============

    3 CAXHWBS2; C:\Windows\System32\Drivers\CAXHWBS2.sys [411136 2008-07-01] (Conexant Systems, Inc.)
    3 EyeOneDisplay; C:\Windows\System32\Drivers\i1display_x64.sys [7808 2005-12-13] (GretagMacbeth LLC)
    3 LVPr2M64; C:\Windows\System32\Drivers\LVPr2M64.sys [30304 2010-05-07] ()
    3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30304 2010-05-07] ()
    3 MusCAudio; C:\Windows\System32\Drivers\MusCAudio.sys [33336 2009-10-30] (Windows (R) Codename Longhorn DDK provider)
    3 SeqCal; C:\Windows\System32\Drivers\SeqCal.sys [7808 2006-05-18] (GretagMacbeth LLC)
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 lmimirr; C:\Windows\System32\DRIVERS\lmimirr.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
    2 PDIHWCTL; \??\C:\Windows\system32\drivers\pdihwctl.sys [x]
    2 regi; \??\C:\Windows\system32\drivers\regi.sys [x]
    3 WacomVKHid; C:\Windows\System32\DRIVERS\WacomVKHid.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-07 23:58 - 2012-08-07 23:58 - 00000000 ____D C:\FRST
    2012-08-07 20:02 - 2012-08-07 20:02 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\nyuzseir.sys
    2012-08-06 10:44 - 2012-08-06 10:44 - 524288000 ____A C:\REMOVE_THIS_FILE.livecd.swap
    2012-08-06 09:12 - 2012-08-06 09:12 - 00000000 ____D C:\$WINDOWS.~BT
    2012-08-06 09:11 - 2012-08-06 09:11 - 00001887 ____A C:\Windows\diagwrn.xml
    2012-08-06 09:11 - 2012-08-06 09:11 - 00001887 ____A C:\Windows\diagerr.xml
    2012-08-05 15:31 - 2012-08-06 15:37 - 00003403 ____A C:\Windows\setupact.log
    2012-08-05 15:31 - 2012-08-06 09:11 - 00000000 ____A C:\Windows\setuperr.log
    2012-08-05 13:06 - 2012-08-07 17:38 - 00004566 ____A C:\Windows\WindowsUpdate.log
    2012-08-05 13:06 - 2012-08-05 13:06 - 00721626 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-08-05 13:06 - 2012-08-05 13:06 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-08-05 13:06 - 2012-08-05 13:06 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-08-05 11:39 - 2012-08-05 13:06 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-05 11:37 - 2012-08-05 11:37 - 12621696 ____A (Microsoft Corporation) C:\Users\owner\Downloads\mseinstall.exe
    2012-08-04 17:22 - 2012-08-07 20:49 - 00039012 ____A C:\Windows\PFRO.log
    2012-07-31 18:25 - 2012-07-31 18:36 - 00000732 ____A C:\Users\owner\AppData\Local\d3d9caps64.dat
    2012-07-31 18:23 - 2012-08-02 13:54 - 00000000 ____D C:\Windows\Minidump
    2012-07-31 13:35 - 2012-07-31 13:35 - 00000000 ____D C:\Users\owner\Doctor Web
    2012-07-31 13:19 - 2012-07-31 13:19 - 00000000 ____D C:\Program Files\Common Files\Doctor Web
    2012-07-31 13:18 - 2012-07-31 13:19 - 00000000 ____D C:\Users\All Users\Doctor Web
    2012-07-30 17:05 - 2012-07-30 17:05 - 10651816 ____A (Malwarebytes Corporation ) C:\Users\owner\Downloads\mbam-setup.exe
    2012-07-30 16:56 - 2012-07-30 16:56 - 00883616 ____A (Bleeping Computer, LLC) C:\Program Files (x86)\FixExec.scr
    2012-07-30 16:39 - 2012-07-30 17:02 - 00001246 ____A C:\Users\owner\Desktop\FixExec.txt
    2012-07-30 15:56 - 2012-07-30 15:56 - 01050016 ____A (Bleeping Computer, LLC) C:\Users\owner\Downloads\iExplore(2).exe
    2012-07-30 15:55 - 2012-07-30 15:55 - 00001205 ____A C:\Users\owner\Downloads\registryfix(1).reg
    2012-07-30 15:27 - 2012-07-30 15:27 - 01050016 ____A (Bleeping Computer, LLC) C:\Users\owner\Downloads\iExplore(1).exe
    2012-07-30 15:14 - 2012-07-30 15:57 - 00001004 ____A C:\Users\owner\Desktop\Rkill.txt
    2012-07-30 15:14 - 2012-07-30 15:14 - 00000000 ____D C:\Users\owner\Desktop\rkill-backup
    2012-07-30 15:12 - 2012-07-30 15:12 - 01050016 ____A (Bleeping Computer, LLC) C:\Users\owner\Downloads\iExplore.exe
    2012-07-30 15:11 - 2012-07-30 15:11 - 00001205 ____A C:\Users\owner\Downloads\registryfix.reg
    2012-07-30 14:30 - 2012-07-30 14:30 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
    2012-07-30 14:25 - 2012-07-30 20:17 - 00000000 ____D C:\Users\All Users\7531CC9600714A53199543F32F3B707C
    2012-07-12 13:56 - 2012-07-12 13:56 - 03875048 ____A (AVG Technologies) C:\Users\owner\Downloads\avg_free_stb_all_2012_2195_cnet.exe
    2012-07-12 13:53 - 2012-07-12 13:53 - 03889704 ____A (Piriform Ltd) C:\Users\owner\Downloads\ccsetup320.exe
    2012-07-12 13:53 - 2012-07-12 13:53 - 03889704 ____A (Piriform Ltd) C:\Users\owner\Downloads\ccsetup320(1).exe
    2012-07-12 13:39 - 2012-07-12 13:39 - 00002071 ____A C:\Users\Public\Desktop\HP Photosmart Essential.lnk
    2012-07-12 13:39 - 2012-07-12 13:39 - 00001894 ____A C:\Users\Public\Desktop\Shop for HP Supplies.lnk
    2012-07-12 13:39 - 2012-07-12 13:39 - 00000000 ____D C:\Users\All Users\HPSSUPPLY
    2012-07-12 00:01 - 2012-06-13 05:58 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-07-11 02:14 - 2012-06-08 09:59 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-07-11 02:14 - 2012-06-08 09:47 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    2012-07-11 02:14 - 2012-06-05 08:47 - 01401856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2012-07-11 02:14 - 2012-06-05 08:47 - 01248768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2012-07-11 02:14 - 2012-06-05 08:22 - 01869824 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-07-11 02:14 - 2012-06-05 08:22 - 01797120 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-07-11 02:14 - 2012-06-04 07:29 - 00516480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-07-11 02:14 - 2012-06-01 16:22 - 00347136 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-07-11 02:14 - 2012-06-01 16:22 - 00254464 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-07-11 02:14 - 2012-06-01 16:05 - 00077312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
    2012-07-11 02:14 - 2012-06-01 16:04 - 00278528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
    2012-07-11 02:14 - 2012-06-01 16:03 - 00204288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

    ============ 3 Months Modified Files ========================

    2012-08-07 20:53 - 2006-11-02 07:42 - 00032568 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-08-07 20:53 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-07 20:52 - 2011-11-26 05:30 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-08-07 20:49 - 2012-08-04 17:22 - 00039012 ____A C:\Windows\PFRO.log
    2012-08-07 20:02 - 2012-08-07 20:02 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\nyuzseir.sys
    2012-08-07 17:38 - 2012-08-05 13:06 - 00004566 ____A C:\Windows\WindowsUpdate.log
    2012-08-07 17:34 - 2011-11-26 05:30 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-08-07 17:33 - 2012-03-27 17:23 - 00000928 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2274459378-4032421509-301073050-1000UA.job
    2012-08-06 15:37 - 2012-08-05 15:31 - 00003403 ____A C:\Windows\setupact.log
    2012-08-06 15:36 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-06 15:36 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-06 10:44 - 2012-08-06 10:44 - 524288000 ____A C:\REMOVE_THIS_FILE.livecd.swap
    2012-08-06 09:11 - 2012-08-06 09:11 - 00001887 ____A C:\Windows\diagwrn.xml
    2012-08-06 09:11 - 2012-08-06 09:11 - 00001887 ____A C:\Windows\diagerr.xml
    2012-08-06 09:11 - 2012-08-05 15:31 - 00000000 ____A C:\Windows\setuperr.log
    2012-08-05 13:06 - 2012-08-05 13:06 - 00721626 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-08-05 13:06 - 2012-08-05 11:39 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-05 12:17 - 2006-11-02 04:46 - 00703342 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-05 11:46 - 2006-11-02 07:21 - 05154120 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-08-05 11:37 - 2012-08-05 11:37 - 12621696 ____A (Microsoft Corporation) C:\Users\owner\Downloads\mseinstall.exe
    2012-08-04 14:33 - 2012-03-27 17:23 - 00000906 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2274459378-4032421509-301073050-1000Core.job
    2012-07-31 18:36 - 2012-07-31 18:25 - 00000732 ____A C:\Users\owner\AppData\Local\d3d9caps64.dat
    2012-07-30 17:05 - 2012-07-30 17:05 - 10651816 ____A (Malwarebytes Corporation ) C:\Users\owner\Downloads\mbam-setup.exe
    2012-07-30 17:02 - 2012-07-30 16:39 - 00001246 ____A C:\Users\owner\Desktop\FixExec.txt
    2012-07-30 16:56 - 2012-07-30 16:56 - 00883616 ____A (Bleeping Computer, LLC) C:\Program Files (x86)\FixExec.scr
    2012-07-30 15:57 - 2012-07-30 15:14 - 00001004 ____A C:\Users\owner\Desktop\Rkill.txt
    2012-07-30 15:56 - 2012-07-30 15:56 - 01050016 ____A (Bleeping Computer, LLC) C:\Users\owner\Downloads\iExplore(2).exe
    2012-07-30 15:55 - 2012-07-30 15:55 - 00001205 ____A C:\Users\owner\Downloads\registryfix(1).reg
    2012-07-30 15:27 - 2012-07-30 15:27 - 01050016 ____A (Bleeping Computer, LLC) C:\Users\owner\Downloads\iExplore(1).exe
    2012-07-30 15:12 - 2012-07-30 15:12 - 01050016 ____A (Bleeping Computer, LLC) C:\Users\owner\Downloads\iExplore.exe
    2012-07-30 15:11 - 2012-07-30 15:11 - 00001205 ____A C:\Users\owner\Downloads\registryfix.reg
    2012-07-30 14:27 - 2009-08-07 12:29 - 00009746 ____A C:\Users\owner\AppData\Roaming\wklnhst.dat
    2012-07-25 19:12 - 2012-01-03 08:07 - 00024576 ____A C:\Users\owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-07-22 19:28 - 2010-07-27 13:28 - 00001848 ____A C:\Users\owner\Desktop\mpixpro ROES.lnk
    2012-07-12 13:56 - 2012-07-12 13:56 - 03875048 ____A (AVG Technologies) C:\Users\owner\Downloads\avg_free_stb_all_2012_2195_cnet.exe
    2012-07-12 13:54 - 2011-04-13 16:56 - 00000858 ____A C:\Users\Public\Desktop\CCleaner.lnk
    2012-07-12 13:53 - 2012-07-12 13:53 - 03889704 ____A (Piriform Ltd) C:\Users\owner\Downloads\ccsetup320.exe
    2012-07-12 13:53 - 2012-07-12 13:53 - 03889704 ____A (Piriform Ltd) C:\Users\owner\Downloads\ccsetup320(1).exe
    2012-07-12 13:41 - 2010-11-19 09:34 - 00148401 ____A C:\Windows\hpoins19.dat
    2012-07-12 13:41 - 2010-11-19 08:35 - 00012239 ____A C:\Users\All Users\hpzinstall.log
    2012-07-12 13:39 - 2012-07-12 13:39 - 00002071 ____A C:\Users\Public\Desktop\HP Photosmart Essential.lnk
    2012-07-12 13:39 - 2012-07-12 13:39 - 00001894 ____A C:\Users\Public\Desktop\Shop for HP Supplies.lnk
    2012-07-12 00:04 - 2006-11-02 04:35 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-06-18 15:20 - 2012-06-18 15:20 - 00841568 ____A (WinRecovery Software ) C:\Users\owner\Downloads\cardrecovery_setup(1).exe
    2012-06-18 15:17 - 2012-06-18 15:17 - 00841568 ____A (WinRecovery Software ) C:\Users\owner\Downloads\cardrecovery_setup.exe
    2012-06-18 15:12 - 2012-06-18 15:12 - 03917522 ____A ( ) C:\Users\owner\Downloads\zar91setup.exe
    2012-06-18 14:41 - 2012-06-18 14:41 - 04149019 ____A (InstallShield Software Corporation) C:\Users\owner\Downloads\pci_us_smartrecovery.exe.part
    2012-06-14 09:13 - 2012-06-14 09:13 - 00001872 ____A C:\Users\owner\Desktop\Diversified Digital Link.lnk
    2012-06-13 05:58 - 2012-07-12 00:01 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-08 09:59 - 2012-07-11 02:14 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-08 09:47 - 2012-07-11 02:14 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    2012-06-05 08:47 - 2012-07-11 02:14 - 01401856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2012-06-05 08:47 - 2012-07-11 02:14 - 01248768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2012-06-05 08:22 - 2012-07-11 02:14 - 01869824 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-05 08:22 - 2012-07-11 02:14 - 01797120 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-04 07:29 - 2012-07-11 02:14 - 00516480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-02 14:19 - 2012-06-20 18:29 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-20 18:29 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-20 18:29 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-18 16:29 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-18 16:29 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
    2012-06-02 14:19 - 2012-06-18 16:29 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:19 - 2012-06-18 16:29 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
    2012-06-02 14:15 - 2012-06-20 18:29 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-18 16:29 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 14:12 - 2012-06-20 18:29 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
    2012-06-02 12:19 - 2012-06-18 16:29 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 12:19 - 2012-06-18 16:29 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2012-06-02 12:15 - 2012-06-18 16:29 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 12:12 - 2012-06-18 16:29 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
    2012-06-01 16:22 - 2012-07-11 02:14 - 00347136 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 16:22 - 2012-07-11 02:14 - 00254464 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-06-01 16:05 - 2012-07-11 02:14 - 00077312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
    2012-06-01 16:04 - 2012-07-11 02:14 - 00278528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
    2012-06-01 16:03 - 2012-07-11 02:14 - 00204288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    2012-05-14 22:37 - 2012-06-13 20:04 - 01212416 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-05-14 22:37 - 2012-06-13 20:04 - 00916992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-05-14 22:37 - 2012-06-13 20:04 - 00105984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-05-14 22:35 - 2012-06-13 20:04 - 00206848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
    2012-05-14 22:33 - 2012-06-13 20:04 - 06007808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-05-14 22:33 - 2012-06-13 20:04 - 00629760 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
    2012-05-14 22:33 - 2012-06-13 20:04 - 00611840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstime.dll
    2012-05-14 22:33 - 2012-06-13 20:04 - 00067072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-05-14 22:33 - 2012-06-13 20:04 - 00055296 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
    2012-05-14 22:32 - 2012-06-13 20:04 - 01469440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-05-14 22:32 - 2012-06-13 20:04 - 00043520 ____A (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll
    2012-05-14 22:32 - 2012-06-13 20:04 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-05-14 22:31 - 2012-06-13 20:04 - 11111424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-05-14 22:31 - 2012-06-13 20:04 - 02000384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-05-14 22:31 - 2012-06-13 20:04 - 00387584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
    2012-05-14 22:31 - 2012-06-13 20:04 - 00184320 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
    2012-05-14 22:31 - 2012-06-13 20:04 - 00164352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-05-14 22:31 - 2012-06-13 20:04 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
    2012-05-14 22:31 - 2012-06-13 20:04 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
    2012-05-14 22:31 - 2012-06-13 20:04 - 00055808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
    2012-05-14 21:01 - 2012-06-13 20:04 - 00385024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
    2012-05-14 19:26 - 2012-06-13 20:04 - 00133632 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-05-14 19:25 - 2012-06-13 20:04 - 00174080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ie4uinit.exe
    2012-05-14 19:24 - 2012-06-13 20:04 - 00013312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
    2012-05-14 19:23 - 2012-06-13 20:04 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-05-14 18:19 - 2012-06-13 20:04 - 01488384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-05-14 18:19 - 2012-06-13 20:04 - 01147392 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-05-14 18:19 - 2012-06-13 20:04 - 00108032 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-05-14 18:18 - 2012-06-13 20:04 - 00243712 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
    2012-05-14 18:16 - 2012-06-13 20:04 - 01062912 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll
    2012-05-14 18:15 - 2012-06-13 20:04 - 09328640 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-05-14 18:15 - 2012-06-13 20:04 - 00742912 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2012-05-14 18:15 - 2012-06-13 20:04 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-05-14 18:15 - 2012-06-13 20:04 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
    2012-05-14 18:15 - 2012-06-13 20:04 - 00056832 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
    2012-05-14 18:15 - 2012-06-13 20:04 - 00031744 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-05-14 18:14 - 2012-06-13 20:04 - 12508672 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-05-14 18:14 - 2012-06-13 20:04 - 02350592 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-05-14 18:14 - 2012-06-13 20:04 - 01538560 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-05-14 18:14 - 2012-06-13 20:04 - 00459776 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
    2012-05-14 18:14 - 2012-06-13 20:04 - 00252416 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
    2012-05-14 18:14 - 2012-06-13 20:04 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-05-14 18:14 - 2012-06-13 20:04 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
    2012-05-14 18:14 - 2012-06-13 20:04 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
    2012-05-14 18:14 - 2012-06-13 20:04 - 00072192 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
    2012-05-14 17:21 - 2012-06-13 20:04 - 00479232 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
    2012-05-14 16:40 - 2012-06-13 20:04 - 00162816 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-05-14 16:40 - 2012-06-13 20:04 - 00070656 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
    2012-05-14 16:39 - 2012-06-13 20:04 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-05-14 16:39 - 2012-06-13 20:04 - 00012288 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe


    ZeroAccess:
    C:\Windows\Installer\{5cbbb43c-55e9-d992-a3af-aff90a8bd5c8}
    C:\Windows\Installer\{5cbbb43c-55e9-d992-a3af-aff90a8bd5c8}\@
    C:\Windows\Installer\{5cbbb43c-55e9-d992-a3af-aff90a8bd5c8}\L
    C:\Windows\Installer\{5cbbb43c-55e9-d992-a3af-aff90a8bd5c8}\U
    C:\Windows\Installer\{5cbbb43c-55e9-d992-a3af-aff90a8bd5c8}\L\00000004.@
    C:\Windows\Installer\{5cbbb43c-55e9-d992-a3af-aff90a8bd5c8}\L\201d3dde

    ZeroAccess:
    C:\Windows\assembly\GAC_32\Desktop.ini

    ZeroAccess:
    C:\Windows\assembly\GAC_64\Desktop.ini

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe B8844F93D2C5F1DCDB179AAA9AF134B7 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 7%
    Total physical RAM: 8189.27 MB
    Available physical RAM: 7566.78 MB
    Total Pagefile: 7938.67 MB
    Available Pagefile: 7550.45 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ======================= Partitions =========================

    1 Drive c: (OS) (Fixed) (Total:916.82 GB) (Free:719.78 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: () (Removable) (Total:0.24 GB) (Free:0.05 GB) FAT32
    8 Drive x: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:7.88 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 932 GB 0 B
    Disk 1 Online 245 MB 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B
    Disk 5 No Media 0 B 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 39 MB 32 KB
    Partition 2 Primary 15 GB 40 MB
    Partition 3 Primary 917 GB 15 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 8 FAT Partition 39 MB Healthy Hidden

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 X RECOVERY NTFS Partition 15 GB Healthy Boot

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C OS NTFS Partition 917 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 245 MB 16 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0B
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 D FAT32 Removable 245 MB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-08-05 12:17

    ======================= End Of Log ==========================
     
  2. Lynn Johnson

    Lynn Johnson TS Rookie Topic Starter

    Farbar Recovery Scan Tool Version: 08-08-2012
    Ran by SYSTEM at 2012-08-07 23:59:57
    Running from D:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
    [2009-09-17 15:42] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
    [2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
    [2009-09-17 15:43] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
    [2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

    C:\Windows\SysWOW64\services.exe
    [2009-09-17 15:42] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    C:\Windows\System32\services.exe
    [2009-09-17 15:43] - [2009-04-10 23:10] - 0381952 ____A (Microsoft Corporation) B8844F93D2C5F1DCDB179AAA9AF134B7

    ====== End Of Search ======
     
  3. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    FRST64 Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
     
  4. Lynn Johnson

    Lynn Johnson TS Rookie Topic Starter

    It appears to be working fine. The fixlog is below. Thank you very much for your help and quick reply.

    Lynndie


    start
    C:\Windows\Installer\{5cbbb43c-55e9-d992-a3af-aff90a8bd5c8}
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe C:\Windows\System32\services.exe
    end
     
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix

    Please download ComboFix by sUBs from BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method as above, but download it again and, instead of svchost.exe, rename
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of important system processes such as iexplore.exe, explorer.exe, and winlogon.exe.
     
  6. Lynn Johnson

    Lynn Johnson TS Rookie Topic Starter

    I received the warning below. I ran the uninstaller for this program and I also ran the avg_remover_stf_x86_2012_2125 removal tool. I'm not sure what else to do to stop or get rid of this program. Is there a place that I might find further removal instructions?
     
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Go ahead with ComboFix and see what happens...
     
  8. Lynn Johnson

    Lynn Johnson TS Rookie Topic Starter

    Below is the Combofix log.

    Lynndie


    ComboFix 12-08-09.01 - owner 08/09/2012 13:32:37.1.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.8189.5958 [GMT -5:00]
    Running from: F:\svchost.exe.exe
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\boost_interprocess\20120731161100.109997
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\YO GABBA GABBA.url
    K:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-09 to 2012-08-09 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-09 18:41 . 2012-08-09 18:41 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0ACC08C6-E4F5-4229-A29E-E7B8D6DB0C21}\offreg.dll
    2012-08-09 18:39 . 2012-08-09 18:41 -------- d-----w- c:\users\owner\AppData\Local\temp
    2012-08-08 07:58 . 2012-08-08 07:58 -------- d-----w- C:\FRST
    2012-08-08 04:02 . 2012-08-08 04:02 50392 ----a-w- c:\windows\system32\drivers\nyuzseir.sys
    2012-08-06 17:12 . 2012-08-06 17:12 -------- d-----w- C:\$WINDOWS.~BT
    2012-08-05 21:08 . 2012-02-09 19:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{ABDE32EC-4C7F-4880-AD7F-36D081C3EA98}\gapaengine.dll
    2012-08-05 21:08 . 2012-07-16 07:40 9133488 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0ACC08C6-E4F5-4229-A29E-E7B8D6DB0C21}\mpengine.dll
    2012-08-05 21:06 . 2012-08-05 21:06 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2012-08-05 21:06 . 2012-08-05 21:06 -------- d-----w- c:\program files\Microsoft Security Client
    2012-07-31 21:35 . 2012-07-31 21:35 -------- d-----w- c:\users\owner\Doctor Web
    2012-07-31 21:19 . 2012-07-31 21:19 -------- d-----w- c:\program files\Common Files\Doctor Web
    2012-07-31 21:18 . 2012-07-31 21:19 -------- d-----w- c:\programdata\Doctor Web
    2012-07-31 00:56 . 2012-07-31 00:56 883616 ----a-w- c:\program files (x86)\FixExec.scr
    2012-07-30 22:30 . 2012-07-30 22:30 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
    2012-07-30 22:25 . 2012-07-31 04:17 -------- d-----w- c:\programdata\7531CC9600714A53199543F32F3B707C
    2012-07-12 21:39 . 2012-07-12 21:39 -------- d-----w- c:\programdata\HPSSUPPLY
    2012-07-12 08:01 . 2012-06-13 13:58 2769408 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-12 08:04 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe
    2012-06-02 22:19 . 2012-06-19 00:29 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 02:29 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:19 . 2012-06-21 02:29 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 02:29 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-19 00:29 35864 ----a-w- c:\windows\SysWow64\wups.dll
    2012-06-02 22:19 . 2012-06-19 00:29 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-19 00:29 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
    2012-06-02 22:15 . 2012-06-21 02:29 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:15 . 2012-06-19 00:29 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 22:12 . 2012-06-21 02:29 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
    2012-06-02 20:19 . 2012-06-19 00:29 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 20:19 . 2012-06-19 00:29 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
    2012-06-02 20:15 . 2012-06-19 00:29 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-02 20:12 . 2012-06-19 00:29 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
    2012-05-15 06:37 . 2012-06-14 04:04 916992 ----a-w- c:\windows\SysWow64\wininet.dll
    2012-05-15 06:32 . 2012-06-14 04:04 43520 ----a-w- c:\windows\SysWow64\licmgr10.dll
    2012-05-15 06:32 . 2012-06-14 04:04 1469440 ----a-w- c:\windows\SysWow64\inetcpl.cpl
    2012-05-15 06:31 . 2012-06-14 04:04 109056 ----a-w- c:\windows\SysWow64\iesysprep.dll
    2012-05-15 06:31 . 2012-06-14 04:04 71680 ----a-w- c:\windows\SysWow64\iesetup.dll
    2012-05-15 05:01 . 2012-06-14 04:04 385024 ----a-w- c:\windows\SysWow64\html.iec
    2012-05-15 03:26 . 2012-06-14 04:04 133632 ----a-w- c:\windows\SysWow64\ieUnatt.exe
    2012-05-15 03:23 . 2012-06-14 04:04 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
    2012-05-15 02:19 . 2012-06-14 04:04 1147392 ----a-w- c:\windows\system32\wininet.dll
    2012-05-15 02:19 . 2012-06-14 04:04 1488384 ----a-w- c:\windows\system32\urlmon.dll
    2012-05-15 02:19 . 2012-06-14 04:04 108032 ----a-w- c:\windows\system32\url.dll
    2012-05-15 02:18 . 2012-06-14 04:04 243712 ----a-w- c:\windows\system32\occache.dll
    2012-05-15 02:16 . 2012-06-14 04:04 1062912 ----a-w- c:\windows\system32\mstime.dll
    2012-05-15 02:15 . 2012-06-14 04:04 9328640 ----a-w- c:\windows\system32\mshtml.dll
    2012-05-15 02:15 . 2012-06-14 04:04 98304 ----a-w- c:\windows\system32\mshtmled.dll
    2012-05-15 02:15 . 2012-06-14 04:04 742912 ----a-w- c:\windows\system32\msfeeds.dll
    2012-05-15 02:15 . 2012-06-14 04:04 71680 ----a-w- c:\windows\system32\msfeedsbs.dll
    2012-05-15 02:15 . 2012-06-14 04:04 56832 ----a-w- c:\windows\system32\licmgr10.dll
    2012-05-15 02:15 . 2012-06-14 04:04 31744 ----a-w- c:\windows\system32\jsproxy.dll
    2012-05-15 02:14 . 2012-06-14 04:04 1538560 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-05-15 02:14 . 2012-06-14 04:04 77312 ----a-w- c:\windows\system32\iesetup.dll
    2012-05-15 02:14 . 2012-06-14 04:04 2350592 ----a-w- c:\windows\system32\iertutil.dll
    2012-05-15 02:14 . 2012-06-14 04:04 219136 ----a-w- c:\windows\system32\ieui.dll
    2012-05-15 02:14 . 2012-06-14 04:04 132096 ----a-w- c:\windows\system32\iesysprep.dll
    2012-05-15 02:14 . 2012-06-14 04:04 72192 ----a-w- c:\windows\system32\iernonce.dll
    2012-05-15 02:14 . 2012-06-14 04:04 12508672 ----a-w- c:\windows\system32\ieframe.dll
    2012-05-15 02:14 . 2012-06-14 04:04 252416 ----a-w- c:\windows\system32\iepeers.dll
    2012-05-15 02:14 . 2012-06-14 04:04 459776 ----a-w- c:\windows\system32\iedkcs32.dll
    2012-05-15 01:21 . 2012-06-14 04:04 479232 ----a-w- c:\windows\system32\html.iec
    2012-05-15 00:40 . 2012-06-14 04:04 162816 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-05-15 00:40 . 2012-06-14 04:04 70656 ----a-w- c:\windows\system32\ie4uinit.exe
    2012-05-15 00:39 . 2012-06-14 04:04 12288 ----a-w- c:\windows\system32\msfeedssync.exe
    2012-05-15 00:39 . 2012-06-14 04:04 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-6 1312096]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux3"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    R4 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-01-13 88576]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-08 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2274459378-4032421509-301073050-1000Core.job
    - c:\users\owner\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-03-28 22:28]
    .
    2012-08-09 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2274459378-4032421509-301073050-1000UA.job
    - c:\users\owner\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-03-28 22:28]
    .
    2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-26 13:30]
    .
    2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-26 13:30]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x1
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.searchnu.com/406
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1 24.217.0.5 24.217.201.67
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\nc80knnu.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
    FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=119&systemid=406&sr=0&q=
    FF - prefs.js: network.proxy.type - 4
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-10 - (no file)
    Wow6432Node-HKCU-Run-AdobeBridge - (no file)
    BHO-{9D717F81-9148-4f12-8568-69135F087DB0} - (no file)
    Toolbar-10 - (no file)
    AddRemove-Diversified Digital Link - c:\windows\system32\javaws.exe
    AddRemove-mpixpro ROES - c:\windows\system32\javaws.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
    "ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows CE Services]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-09 13:48:13 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-09 18:48
    .
    Pre-Run: 768,578,605,056 bytes free
    Post-Run: 769,311,965,184 bytes free
    .
    - - End Of File - - D73EE2FE9B984D1A058707AC47831BDF
     
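A small triage script for the kinds of indicators visible in the ComboFix log above: the new driver under system32\drivers, the hidden and system-flagged directory literally named %APPDATA%, EnableLUA=0, the Security Center AntiVirusOverride/FirewallOverride values, LoadAppInit_DLLs=0x1 and the loopback entry in ProxyOverride. This is an added example, not ComboFix's or TechSpot's code; the sample lines are copied from the log in this thread and the detection heuristics are my own assumptions, meant to point a human at lines worth checking rather than to declare anything malicious.

```python
import re
from typing import List, Tuple

# Constructed sample: a handful of lines copied from the ComboFix log posted above.
SAMPLE_LOG = """\
2012-08-08 04:02 . 2012-08-08 04:02 50392 ----a-w- c:\\windows\\system32\\drivers\\nyuzseir.sys
2012-07-30 22:30 . 2012-07-30 22:30 -------- d-sh--w- c:\\windows\\SysWow64\\%APPDATA%
2012-07-12 08:01 . 2012-06-13 13:58 2769408 ----a-w- c:\\windows\\system32\\win32k.sys
"EnableLUA"= 0 (0x0)
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"LoadAppInit_DLLs"=0x1
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
"""

# One "Files Created" entry: two timestamps, a size (or dashes for a
# directory), an 8-character attribute string, then the path.
FILE_LINE = re.compile(
    r"^\S+ \S+ \. \S+ \S+ (?P<size>\S+) (?P<attr>[-a-z]{8}) (?P<path>.+)$"
)
# Registry values from the log and what each means for the defender (assumed rules).
REG_RULES = [
    ('"EnableLUA"= 0', "UAC disabled (EnableLUA=0)"),
    ('"AntiVirusOverride"=dword:00000001', "Security Center AV warnings suppressed"),
    ('"FirewallOverride"=dword:00000001', "Security Center firewall warnings suppressed"),
    ('"LoadAppInit_DLLs"=0x1', "AppInit_DLLs loading enabled (DLL injected into GUI processes)"),
]
LOCAL_PROXY = re.compile(r"ProxyOverride.*127\.0\.0\.1:\d+")


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for log lines that deserve a human look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = FILE_LINE.match(line)
        if m:
            path, attr = m["path"].lower(), m["attr"]
            name = path.rsplit("\\", 1)[-1]
            # A kernel driver created inside the scan window: check its publisher/signature.
            if "\\drivers\\" in path and name.endswith(".sys"):
                findings.append(("new kernel driver; verify publisher/signature", line))
            # 'd' + 's' + 'h' in the attribute string (as in "d-sh--w-") is a hidden system
            # directory; one named after an environment variable is not a normal layout.
            if attr.startswith("d") and "s" in attr and "h" in attr and "%" in name:
                findings.append(("hidden+system dir named after an env var", line))
            continue
        for needle, reason in REG_RULES:
            if needle in line:
                findings.append((reason, line))
        if LOCAL_PROXY.search(line):
            findings.append(("ProxyOverride routes via a local port (loopback proxy)", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Run it against a full ComboFix.txt (`triage(open(path).read())`) and only the flagged lines come back; an unflagged line such as the win32k.sys update above is deliberately ignored because it sits outside the drivers directory.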
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Good job!

    ComboFix Script

    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
     
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello. Are you still with us?

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.
     