Inactive [A] Please HELP! "Windows has encountered a critical problem and will restart in one minute."

Status
Not open for further replies.
Hi,

I've got a laptop infected with Sirefef. Microsoft Security Essentials is no help at all. Cannot do anything with infected laptop as repeatedly restarting.

I read the forums before posting, so I have run Farbar Recovery Scan Tool on infected computer and attach FRST.txt and Search.txt:





Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 03-08-2012 22:34:24
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [Acer ePower Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [828960 2009-08-05] (Acer Incorporated)
HKLM\...\Run: [mwlDaemon] C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe [349480 2009-08-06] (Egis Technology Inc.)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7982112 2009-07-28] (Realtek Semiconductor)
HKLM\...\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe [301056 2009-06-11] (Alps Electric Co., Ltd.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [159232 2009-09-02] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [380928 2009-09-02] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [358912 2009-09-02] (Intel Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe [1157128 2009-07-27] (Dritek System Inc.)
HKLM-x32\...\Run: [EgisTecLiveUpdate] "C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe" [199464 2009-08-03] (Egis Technology Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-10-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED [588648 2009-07-24] (Symantec Corporation)
HKLM-x32\...\Run: [ArcadeDeluxeAgent] "C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [128296 2009-07-31] (CyberLink Corp.)
HKLM-x32\...\Run: [PlayMovie] "C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [181480 2009-08-04] (Acer Corp.)
HKLM-x32\...\Run: [mcagent_exe] "C:\Program Files (x86)\McAfee.com\Agent\mcagent.exe" /runkey [1218008 2009-10-28] (McAfee, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM-x32\...\Run: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide [205336 2011-08-12] (Logitech Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [935288 2009-09-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot [296056 2012-06-01] (RealNetworks, Inc.)
HKLM-x32\...\Run: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [295304 2012-07-05] (LeapFrog Enterprises, Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKU\Lanny\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-08-14] (Google Inc.)
HKU\Lanny\...\Run: [Sony Ericsson PC Companion] "C:\Program Files (x86)\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe" /systray /nologon [774144 2009-12-08] (Sony Ericsson Mobile Communications AB)
HKU\Lanny\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17148552 2012-02-29] (Skype Technologies S.A.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100
Startup: C:\Users\Lanny\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
Startup: C:\Users\Lanny\Start Menu\Programs\Startup\EvernoteClipper.lnk
ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
Startup: C:\Users\Lanny\Start Menu\Programs\Startup\StarOffice 9.lnk
ShortcutTarget: StarOffice 9.lnk -> C:\Program Files (x86)\Sun\StarOffice 9\program\quickstart.exe ()

==================== Services (Whitelisted) ======

2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
2 McAfee SiteAdvisor Service; "C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe" [103472 2012-06-15] (McAfee, Inc.)
2 mcmscsvc; C:\PROGRA~2\McAfee\MSC\mcmscsvc.exe [865832 2009-10-28] (McAfee, Inc.)
2 McNASvc; "C:\PROGRA~2\COMMON~1\mcafee\mna\mcnasvc.exe" [2482848 2009-07-07] (McAfee, Inc.)
3 McODS; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [696848 2009-10-28] (McAfee, Inc.)
2 McProxy; C:\PROGRA~2\COMMON~1\mcafee\mcproxy\mcproxy.exe [359952 2009-07-08] (McAfee, Inc.)
2 McShield; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [155456 2009-11-04] (McAfee, Inc.)
3 McSysmon; C:\PROGRA~2\McAfee\VIRUSS~1\mcsysmon.exe [606736 2009-11-04] (McAfee, Inc.)
2 MpfService; "C:\Program Files (x86)\McAfee\MPF\MPFSrv.exe" [895696 2009-10-27] (McAfee, Inc.)
2 MSK80Service; "C:\Program Files (x86)\McAfee\MSK\MskSrver.exe" [26640 2009-10-02] (McAfee, Inc.)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
2 MWLService; C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe [311592 2009-08-06] (Egis Technology Inc.)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)

========================== Drivers (Whitelisted) =============

3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [102472 2009-11-04] (McAfee, Inc.)
1 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [308296 2009-11-04] (McAfee, Inc.)
3 mferkdk; C:\Windows\System32\Drivers\mferkdk.sys [40904 2009-11-04] (McAfee, Inc.)
3 mfesmfk; C:\Windows\System32\Drivers\mfesmfk.sys [49480 2009-11-04] (McAfee, Inc.)
1 MPFP; C:\Windows\System32\Drivers\MPFP.sys [176144 2009-04-09] (McAfee, Inc.)
3 s616bus; C:\Windows\System32\Drivers\s616bus.sys [108296 2007-04-03] (MCCI Corporation)
3 s616mdfl; C:\Windows\System32\Drivers\s616mdfl.sys [19720 2007-04-03] (MCCI Corporation)
3 s616mdm; C:\Windows\System32\Drivers\s616mdm.sys [144648 2007-04-03] (MCCI Corporation)
3 s616mgmt; C:\Windows\System32\Drivers\s616mgmt.sys [126216 2007-04-03] (MCCI Corporation)
3 s616nd5; C:\Windows\System32\Drivers\s616nd5.sys [31496 2007-04-03] (MCCI Corporation)
3 s616obex; C:\Windows\System32\Drivers\s616obex.sys [123656 2007-04-03] (MCCI Corporation)
3 s616unic; C:\Windows\System32\Drivers\s616unic.sys [130312 2007-04-03] (MCCI Corporation)
3 UBHelper; C:\Windows\System32\Drivers\UBHelper.sys [16896 2009-05-05] (NewTech Infosystems Corporation)
3 RtsUIR; C:\Windows\System32\DRIVERS\Rts516xIR.sys [x]
3 USBCCID; C:\Windows\System32\DRIVERS\RtsUCcid.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-03 22:34 - 2012-08-03 22:34 - 00000000 ____D C:\FRST
2012-08-03 12:31 - 2012-08-03 12:31 - 00008212 ____A C:\Windows\mfebcdata
2012-08-03 12:29 - 2012-08-03 12:29 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.9B8ABA7971022B74
2012-08-03 12:25 - 2012-08-03 12:25 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.00DC24ADEA4DF7AC
2012-08-03 12:21 - 2012-08-03 12:21 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.47C47C26AEA16645
2012-08-03 12:16 - 2012-08-03 12:16 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.854D216EE4E291F6
2012-08-03 12:11 - 2012-08-03 12:11 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.AC432C76A1ADF300
2012-08-03 12:04 - 2012-08-03 12:04 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.EB78D1FD8A27A8F0
2012-08-03 11:59 - 2012-08-03 11:59 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2AD92FD875803E1A
2012-08-03 11:58 - 2012-08-03 11:58 - 00001270 ____A C:\Users\Lanny\Desktop\shutdown.exe.lnk
2012-08-03 11:54 - 2012-08-03 11:54 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.7A6D771BB6F294C5
2012-08-03 11:51 - 2012-08-03 11:51 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.9402FC3FC657A086
2012-08-03 11:47 - 2012-08-03 11:47 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A98763BCE020C246
2012-08-03 11:39 - 2012-08-03 11:39 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4231911F2DE6626B
2012-08-03 11:32 - 2012-08-03 11:32 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1134F344E661AE83
2012-08-03 11:22 - 2012-08-03 11:22 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E96F1589E38B2A99
2012-08-03 11:18 - 2012-08-03 11:18 - 00735552 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-08-03 11:18 - 2012-08-03 11:18 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-03 11:18 - 2012-08-03 11:18 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-08-03 11:18 - 2012-08-03 11:18 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-08-03 11:18 - 2012-01-30 20:59 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-08-03 11:17 - 2012-08-03 11:17 - 12621696 ____A (Microsoft Corporation) C:\Users\Lanny\Downloads\mseinstall.exe
2012-07-29 03:37 - 2012-07-29 03:37 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-07-29 02:39 - 2012-07-29 02:39 - 00000000 ____D C:\Users\Lanny\AppData\Local\{9D663E8E-D969-11E1-8270-B8AC6F996F26}
2012-07-29 02:38 - 2012-07-29 02:38 - 00000012 ____A C:\Windows\srun.log
2012-07-29 02:21 - 2012-07-29 02:21 - 00001787 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-07-29 02:19 - 2012-07-29 02:21 - 00000000 ____D C:\Program Files\iTunes
2012-07-29 02:19 - 2012-07-29 02:21 - 00000000 ____D C:\Program Files (x86)\iTunes
2012-07-29 02:19 - 2012-07-29 02:19 - 00000000 ____D C:\Program Files\iPod
2012-07-29 02:18 - 2012-07-29 02:18 - 00000000 ___HD C:\Users\Lanny\Downloads\.picasaoriginals
2012-07-29 02:15 - 2012-07-29 02:18 - 00000031 ___AH C:\Users\Lanny\Downloads\.picasa.ini
2012-07-29 02:13 - 2012-07-29 02:14 - 00000000 ____D C:\Program Files (x86)\QuickTime
2012-07-29 02:13 - 2012-07-29 02:13 - 00001849 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2012-07-22 06:23 - 2012-07-22 06:23 - 00000000 ____D C:\Users\Lanny\AppData\Roaming\.minecraft
2012-07-20 23:19 - 2012-07-20 23:19 - 00000000 ____D C:\Users\Public\Documents\LeapFrog
2012-07-20 23:10 - 2012-07-20 23:10 - 00000946 ____A C:\Users\Public\Desktop\LeapFrog Connect.lnk
2012-07-20 23:10 - 2012-07-20 23:10 - 00000000 ____D C:\Program Files\DIFX
2012-07-20 23:09 - 2012-07-20 23:10 - 00000000 ____D C:\Program Files (x86)\LeapFrog
2012-07-20 23:09 - 2012-07-20 23:09 - 10716040 ____A (LeapFrog Enterprises, Inc.) C:\Users\Lanny\Downloads\LeapFrogConnectSetup_LeapPadExplorer.exe
2012-07-20 23:09 - 2012-07-20 23:09 - 00000000 ____D C:\Users\Lanny\Downloads\log
2012-07-20 23:09 - 2012-07-20 23:09 - 00000000 ____D C:\Users\All Users\Leapfrog
2012-07-12 01:51 - 2012-06-11 19:08 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-12 01:45 - 2012-06-02 04:49 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-12 01:45 - 2012-06-02 04:17 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-12 01:45 - 2012-06-02 04:12 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-12 01:45 - 2012-06-02 04:05 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-12 01:45 - 2012-06-02 04:05 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-12 01:45 - 2012-06-02 04:04 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-12 01:45 - 2012-06-02 04:04 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-12 01:45 - 2012-06-02 04:03 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-12 01:45 - 2012-06-02 04:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-12 01:45 - 2012-06-02 04:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-12 01:45 - 2012-06-02 03:59 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-12 01:45 - 2012-06-02 03:57 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-12 01:45 - 2012-06-02 03:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-12 01:45 - 2012-06-02 03:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-12 01:45 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-07-12 01:45 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-07-12 01:45 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-07-12 01:45 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-07-12 01:45 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-07-12 01:45 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-07-12 01:45 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-07-12 01:45 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-07-12 01:45 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-07-12 01:45 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-07-12 01:45 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-07-12 01:45 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-07-12 01:45 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-07-12 01:45 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-07-10 13:36 - 2012-06-08 21:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-10 13:36 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-07-10 13:36 - 2012-06-05 22:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-10 13:36 - 2012-06-05 22:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-10 13:36 - 2012-06-05 22:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-10 13:36 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-07-10 13:36 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-07-10 13:36 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-07-10 13:36 - 2012-06-01 21:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-10 13:36 - 2012-06-01 21:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-10 13:36 - 2012-06-01 21:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-10 13:36 - 2012-06-01 21:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-10 13:36 - 2012-06-01 21:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-10 13:36 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-07-10 13:36 - 2012-06-01 20:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-07-10 13:36 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-07-10 13:36 - 2012-06-01 20:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-07-10 13:36 - 2010-06-25 19:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-10 13:36 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2012-07-05 13:51 - 2012-07-05 13:51 - 00007416 ____A C:\Users\Lanny\Downloads\yahoo_ab.csv
2012-07-05 08:48 - 2012-07-05 08:48 - 00040320 ____A (Belcarra Technologies) C:\Windows\System32\Drivers\btblan.sys

============ 3 Months Modified Files ========================

2012-08-03 12:31 - 2012-08-03 12:31 - 00008212 ____A C:\Windows\mfebcdata
2012-08-03 12:31 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-03 12:30 - 2009-07-13 20:51 - 00136306 ____A C:\Windows\setupact.log
2012-08-03 12:29 - 2012-08-03 12:29 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.9B8ABA7971022B74
2012-08-03 12:25 - 2012-08-03 12:25 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.00DC24ADEA4DF7AC
2012-08-03 12:23 - 2010-02-10 15:01 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-03 12:22 - 2009-07-13 21:08 - 00032620 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-03 12:21 - 2012-08-03 12:21 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.47C47C26AEA16645
2012-08-03 12:16 - 2012-08-03 12:16 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.854D216EE4E291F6
2012-08-03 12:15 - 2010-02-10 15:01 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-03 12:11 - 2012-08-03 12:11 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.AC432C76A1ADF300
2012-08-03 12:08 - 2012-04-28 00:14 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-03 12:04 - 2012-08-03 12:04 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.EB78D1FD8A27A8F0
2012-08-03 11:59 - 2012-08-03 11:59 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2AD92FD875803E1A
2012-08-03 11:58 - 2012-08-03 11:58 - 00001270 ____A C:\Users\Lanny\Desktop\shutdown.exe.lnk
2012-08-03 11:54 - 2012-08-03 11:54 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.7A6D771BB6F294C5
2012-08-03 11:51 - 2012-08-03 11:51 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.9402FC3FC657A086
2012-08-03 11:47 - 2012-08-03 11:47 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A98763BCE020C246
2012-08-03 11:39 - 2012-08-03 11:39 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4231911F2DE6626B
2012-08-03 11:32 - 2012-08-03 11:32 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1134F344E661AE83
2012-08-03 11:22 - 2012-08-03 11:22 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E96F1589E38B2A99
2012-08-03 11:18 - 2012-08-03 11:18 - 00735552 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-08-03 11:18 - 2012-08-03 11:18 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-03 11:18 - 2009-10-05 00:02 - 01886477 ____A C:\Windows\WindowsUpdate.log
2012-08-03 11:17 - 2012-08-03 11:17 - 12621696 ____A (Microsoft Corporation) C:\Users\Lanny\Downloads\mseinstall.exe
2012-08-03 11:10 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-03 11:10 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-03 11:08 - 2012-04-28 00:14 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-03 11:08 - 2011-05-29 05:30 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-29 03:47 - 2009-08-14 02:45 - 00036701 ____A C:\Windows\System32\Config.MPF
2012-07-29 02:38 - 2012-07-29 02:38 - 00000012 ____A C:\Windows\srun.log
2012-07-29 02:21 - 2012-07-29 02:21 - 00001787 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-07-29 02:18 - 2012-07-29 02:15 - 00000031 ___AH C:\Users\Lanny\Downloads\.picasa.ini
2012-07-29 02:13 - 2012-07-29 02:13 - 00001849 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2012-07-28 12:29 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-26 12:46 - 2009-08-14 02:52 - 00819708 ____A C:\Windows\PFRO.log
2012-07-20 23:10 - 2012-07-20 23:10 - 00000946 ____A C:\Users\Public\Desktop\LeapFrog Connect.lnk
2012-07-20 23:10 - 2009-10-05 00:05 - 00037830 ____A C:\Windows\DPINST.LOG
2012-07-20 23:09 - 2012-07-20 23:09 - 10716040 ____A (LeapFrog Enterprises, Inc.) C:\Users\Lanny\Downloads\LeapFrogConnectSetup_LeapPadExplorer.exe
2012-07-20 15:06 - 2012-06-01 13:30 - 00000448 ___AH C:\Windows\Tasks\Norton Security Scan for Lanny.job
2012-07-15 05:01 - 2010-01-10 04:01 - 00000342 ____A C:\Windows\Tasks\McDefragTask.job
2012-07-12 02:48 - 2009-07-13 20:45 - 00359320 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-12 01:47 - 2010-01-10 13:26 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-05 13:51 - 2012-07-05 13:51 - 00007416 ____A C:\Users\Lanny\Downloads\yahoo_ab.csv
2012-07-05 08:48 - 2012-07-05 08:48 - 00040320 ____A (Belcarra Technologies) C:\Windows\System32\Drivers\btblan.sys
2012-07-03 23:33 - 2010-05-11 12:50 - 00021730 ____A C:\Users\Lanny\Desktop\lanny letter.odt
2012-06-30 16:00 - 2010-01-10 04:01 - 00000320 ____A C:\Windows\Tasks\McQcTask.job
2012-06-11 19:08 - 2012-07-12 01:51 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 21:43 - 2012-07-10 13:36 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-10 13:36 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 22:06 - 2012-07-10 13:36 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-10 13:36 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-10 13:36 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-10 13:36 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-10 13:36 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-10 13:36 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-05 12:55 - 2012-06-05 12:55 - 00000126 ____A C:\Windows\wininit.ini
2012-06-05 12:55 - 2011-07-03 14:29 - 00001026 ____A C:\Users\Lanny\Desktop\Dropbox.lnk
2012-06-02 14:19 - 2012-06-23 08:13 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-23 08:13 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-23 08:13 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-23 08:12 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-23 08:12 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-23 08:13 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-23 08:12 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 06:19 - 2012-06-23 08:11 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 06:15 - 2012-06-23 08:11 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 04:49 - 2012-07-12 01:45 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-12 01:45 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-12 01:45 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-12 01:45 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:05 - 2012-07-12 01:45 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:04 - 2012-07-12 01:45 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:04 - 2012-07-12 01:45 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:03 - 2012-07-12 01:45 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-12 01:45 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-12 01:45 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-12 01:45 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-12 01:45 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-12 01:45 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-12 01:45 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-12 01:45 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-12 01:45 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-12 01:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-12 01:45 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-12 01:45 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-12 01:45 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:23 - 2012-07-12 01:45 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-12 01:45 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-12 01:45 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-12 01:45 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-12 01:45 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-12 01:45 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-12 01:45 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-12 01:45 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 21:50 - 2012-07-10 13:36 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-10 13:36 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-10 13:36 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-10 13:36 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-10 13:36 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-10 13:36 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-10 13:36 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:39 - 2012-07-10 13:36 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-10 13:36 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-06-01 13:30 - 2012-06-01 13:30 - 00001343 ____A C:\Users\Public\Desktop\Norton Security Scan.lnk
2012-06-01 11:32 - 2012-06-01 11:32 - 00001042 ____A C:\Users\Public\Desktop\RealPlayer.lnk
2012-06-01 11:32 - 2012-03-31 14:13 - 00001952 ____A C:\Users\Public\Desktop\Free Offers.lnk
2012-06-01 11:31 - 2012-03-31 14:13 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll
2012-06-01 11:31 - 2012-03-31 14:13 - 00198832 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll
2012-06-01 11:31 - 2012-03-31 14:13 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll
2012-06-01 11:31 - 2012-03-31 14:13 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll
2012-05-07 02:11 - 2012-05-07 02:11 - 00002018 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-05-07 00:30 - 2010-01-10 15:03 - 00000804 ____A C:\Users\Lanny\AppData\Roaming\wklnhst.dat


ZeroAccess:
C:\Windows\Installer\{8b8289ea-5958-5b3b-3b42-aa2c6776fdd9}
C:\Windows\Installer\{8b8289ea-5958-5b3b-3b42-aa2c6776fdd9}\@
C:\Windows\Installer\{8b8289ea-5958-5b3b-3b42-aa2c6776fdd9}\L
C:\Windows\Installer\{8b8289ea-5958-5b3b-3b42-aa2c6776fdd9}\n
C:\Windows\Installer\{8b8289ea-5958-5b3b-3b42-aa2c6776fdd9}\U
C:\Windows\Installer\{8b8289ea-5958-5b3b-3b42-aa2c6776fdd9}\L\00000004.@
C:\Windows\Installer\{8b8289ea-5958-5b3b-3b42-aa2c6776fdd9}\L\201d3dde
C:\Windows\Installer\{8b8289ea-5958-5b3b-3b42-aa2c6776fdd9}\U\00000008.@
C:\Windows\Installer\{8b8289ea-5958-5b3b-3b42-aa2c6776fdd9}\U\80000032.@
C:\Windows\Installer\{8b8289ea-5958-5b3b-3b42-aa2c6776fdd9}\U\80000064.@

ZeroAccess:
C:\Users\Lanny\AppData\Local\{8b8289ea-5958-5b3b-3b42-aa2c6776fdd9}
C:\Users\Lanny\AppData\Local\{8b8289ea-5958-5b3b-3b42-aa2c6776fdd9}\@
C:\Users\Lanny\AppData\Local\{8b8289ea-5958-5b3b-3b42-aa2c6776fdd9}\L
C:\Users\Lanny\AppData\Local\{8b8289ea-5958-5b3b-3b42-aa2c6776fdd9}\U

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 18%
Total physical RAM: 3001.98 MB
Available physical RAM: 2438.98 MB
Total Pagefile: 3000.13 MB
Available Pagefile: 2433.21 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (Acer) (Fixed) (Total:220.78 GB) (Free:158.68 GB) NTFS
2 Drive e: (PQSERVICE) (Fixed) (Total:12 GB) (Free:2.78 GB) NTFS
4 Drive g: () (Removable) (Total:1.88 GB) (Free:1.88 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 Online 1928 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 12 GB 31 KB
Partition 2 Primary 101 MB 12 GB
Partition 3 Primary 220 GB 12 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E PQSERVICE NTFS Partition 12 GB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM RESE NTFS Partition 101 MB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C Acer NTFS Partition 220 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 1928 MB 0 B

==================================================================================

Disk: 1
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

==================================================================================

==========================================================

Last Boot: 2012-07-19 05:01

======================= End Of Log ==========================











Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 2012-08-03 22:36:57
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======





Please help!

Many thanks,

Jay
 
Welcome aboard
yahooo.gif


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=====================================

Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the UBCD.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Next....

Restart normally.

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe
  • Double-click on the Rkill icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 

Attachments

  • fixlist.txt
    2.2 KB · Views: 3
This topic is marked as abandoned and closed due to inactivity.
This member will NOT be eligible to receive any more help in malware removal forum.
 
Status
Not open for further replies.
Back