Another PC performance & stability analysis report

You need to stay with me on this and not run scans I don't direct you to. For instance, having to run Mbam to remove malware to allow you to access the internet is very significant.

Where is that Malwarebytes log?
========================================
Your Java is outdated. This is one reason why there is malware in the Java cache.
Update Java now then uninstall v6u14 in Add/Remove Programs.
To update: check this site: Java Updates. Java needs to be updated as soon as the updates come out. The new version does not overwrite the old version. So for system security, you need to uninstall any old versions of Java right after (or before) you update. Outdated Java is a vulnerability for the system.
Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
==========================================
To delete the Java cache:
  1. Click Start > Control Panel.
  2. Double-click the Java icon in the Control Panel.
  3. Click Settings under Temporary Internet Files.
     There are three options on this window to clear the cache (version dependent):
       - Delete Files
       - View Applications
       - View Applets
  4. Click OK on the Delete Temporary Files window.
     Note: This deletes all the downloaded Applications and Applets from the cache.
  5. Click OK on the Temporary Files Settings window.
======================================
There is one Eset entry that is not in the Java cache but appears to be an executable file on your desktop. I cannot identify what it is, but it needs to be removed:

Please download OTMoveIt by Old Timer (http://oldtimer.geekstogo.com/OTM.exe) and save it to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right-click on OTMoveIt3.exe and select "Run as Administrator".)
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

        :Files
        C:\Users\Angel\Desktop\0.925177210809825.exe
        :Commands
        [purity]
        [emptytemp]
        [start explorer]
        [Reboot]

  • Return to OTMoveIt3, right-click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==========================================
Regarding the Security Scan:

    Antivirus/Firewall Check:
    There is no antivirus program running
    Windows Security Center service does not appear to be running!
    Windows Firewall Enabled!
    ESET Online Scanner v3 > This is an online, on-demand scan only. It does not offer any protection to the system.
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:
    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 14 >> Out of date Java installed!
    Adobe Flash Player 10.1.85.3 is current.

No Webroot programs show in this audit. You have no antimalware programs running.
The Windows Firewall only 'listens' to incoming ports. So if malware does get past it into the system, there is nothing to stop it from accessing the internet.
=========================================
You will need to clearly explain what happens at 'Stage 4' when running the script in Combofix. It is puzzling how you ran the scan but can't run the script. I am going to prepare a new script for you to run after you handle the above.
 
Thanks! I apologize for not awaiting further instructions and just running Malwarebytes, but I had to get some work done. It won't happen again. I removed the old Java and installed the new one, along with removing the temporary internet files.

I was able to run every program after a while by just letting it run overnight. I can include any log you want now. I do have the Combofix log from when you prepared the last script for it, along with the Malwarebytes logs.

Below is the log you requested.

OTMoveIt3
All processes killed
========== FILES ==========
C:\Users\Angel\Desktop\0.925177210809825.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Angel
->Temp folder emptied: 13678080 bytes
->Temporary Internet Files folder emptied: 646042641 bytes
->Java cache emptied: 812215 bytes
->FireFox cache emptied: 88623804 bytes
->Apple Safari cache emptied: 41597952 bytes
->Flash cache emptied: 15505 bytes

User: Angel_2
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 235861188 bytes
->Java cache emptied: 433948 bytes
->FireFox cache emptied: 86793377 bytes
->Flash cache emptied: 34146 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56502 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 115211 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 41266 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 124537 bytes

Total Files Cleaned = 1,063.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 06292011_111351

Files moved on Reboot...
C:\Users\Angel\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...
 
Oh my goodness!! From OTM: Total Files Cleaned = 1,063.00 mb. That is an enormous number of files! How is it that there is an account for 'Angel' and another for 'Angel 2'? Those angels need to get together and set up a schedule for routine maintenance to be done:
Delete temporary internet files and cookies.
Do a Disk Cleanup.
Run the Error Check.
Do a defrag.

The frequency will depend on the amount of use on the system.
=================================================
    I was able to run every program after a while by just letting it run overnight. I can include any log you want now. I do have the combofix log from when you prepared the last script for it along with the malware bytes logs.

Yes. Want all of these logs.

Also want to know what it was that you ran overnight!
 
lol! The angels will get together and clean up more often :) Combofix takes that long to run. The logs requested are below.

Malware 6/25/11
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6921

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/25/2011 11:33:35 AM
mbam-log-2011-06-25 (11-33-35).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 332771
Time elapsed: 38 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Angel\AppData\Local\hbs.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Users\Angel\AppData\Local\hbs.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Angel\AppData\Local\Temp\0.22571415097438274.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.


Malware 6/27/11
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6921

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/27/2011 1:04:27 PM
mbam-log-2011-06-27 (13-04-27).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 328853
Time elapsed: 35 minute(s), 55 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
c:\Users\Angel\AppData\Local\eyb.exe (Trojan.ExeShell.Gen) -> 5688 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2250338663 (Trojan.ExeShell.Gen) -> Value: 2250338663 -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Angel\AppData\Local\eyb.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Users\Angel\AppData\Local\eyb.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Angel\AppData\Local\eyb.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
c:\Users\Angel\AppData\Local\gqt.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.


Combofix with script 6/26/11
ComboFix 11-06-25.05 - Angel 06/25/2011 20:33:07.11.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3895.2413 [GMT -4:00]
Running from: c:\users\Angel\Desktop\ComboFix.exe
Command switches used :: c:\users\Angel\Desktop\CFScript.txt
AV: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
SP: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-05-26 to 2011-06-26 )))))))))))))))))))))))))))))))
.
.
2011-06-26 09:24 . 2011-06-26 09:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-26 09:24 . 2011-06-26 09:24 -------- d-----w- c:\users\Angel_2\AppData\Local\temp
2011-06-25 04:29 . 2011-06-25 04:29 -------- d-----w- c:\program files (x86)\ESET
2011-06-18 01:35 . 2011-06-18 01:35 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-06-13 18:39 . 2011-06-13 18:39 -------- d-----w- c:\program files (x86)\Reference Assemblies
2011-06-13 18:39 . 2011-06-13 18:39 -------- d-----w- c:\program files (x86)\MSBuild
2011-06-13 18:39 . 2011-06-13 18:39 -------- d-----w- c:\program files\Reference Assemblies
2011-06-13 18:39 . 2011-06-13 18:39 -------- d-----w- c:\program files\MSBuild
2011-06-13 18:12 . 2011-06-13 18:12 -------- d-----w- c:\windows\SysWow64\BestPractices
2011-06-13 18:12 . 2011-06-13 18:12 -------- d-----w- c:\windows\system32\BestPractices
2011-06-13 18:12 . 2011-06-13 18:12 -------- d-----w- C:\inetpub
2011-06-13 17:30 . 2011-06-13 17:30 -------- d-----w- c:\programdata\Pervasive Software
2011-06-12 14:59 . 2011-06-25 13:28 96598 ----a-w- C:\InformationalData.tmp
2011-06-12 14:59 . 2011-06-25 13:28 8927 ----a-w- C:\DetectionData.tmp
2011-06-10 14:02 . 2011-06-10 14:02 -------- d-----w- c:\users\Angel_2\AppData\Roaming\Apple Computer
2011-06-10 14:02 . 2011-06-10 14:02 -------- d-----w- c:\users\Angel_2\AppData\Local\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 13:11 . 2011-03-04 17:56 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2011-03-04 17:56 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-24 16:14 . 2011-05-24 16:14 0 ----a-w- c:\windows\SysWow64\ConduitEngine.tmp
2011-04-06 20:26 . 2011-04-06 20:26 96544 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:26 . 2011-04-06 20:26 69408 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:26 . 2011-04-06 20:26 237856 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:26 . 2011-04-06 20:26 119584 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\SysWow64\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\SysWow64\jdns_sd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\SysWow64\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\SysWow64\dns-sd.exe
2011-03-31 10:44 . 2011-03-31 10:44 982912 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-03-31 10:44 . 2011-03-31 10:44 320512 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-03-31 10:44 . 2011-03-31 10:44 265088 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-03-31 10:44 . 2011-03-31 10:44 1888256 ----a-w- c:\windows\system32\WMVDECOD.DLL
2011-03-31 10:44 . 2011-03-31 10:44 1619456 ----a-w- c:\windows\SysWow64\WMVDECOD.DLL
2011-03-31 10:44 . 2011-03-31 10:44 144384 ----a-w- c:\windows\system32\cdd.dll
2011-03-31 10:44 . 2011-03-31 10:44 197120 ----a-w- c:\windows\system32\d3d10_1.dll
2011-03-31 10:44 . 2011-03-31 10:44 1837568 ----a-w- c:\windows\system32\d3d10warp.dll
2011-03-31 10:44 . 2011-03-31 10:44 902656 ----a-w- c:\windows\system32\d2d1.dll
2011-03-31 10:44 . 2011-03-31 10:44 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2011-03-31 10:44 . 2011-03-31 10:44 662528 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-31 10:44 . 2011-03-31 10:44 470016 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-31 10:44 . 2011-03-31 10:44 283648 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2011-03-31 10:44 . 2011-03-31 10:44 229888 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-03-31 10:44 . 2011-03-31 10:44 1863680 ----a-w- c:\windows\system32\ExplorerFrame.dll
2011-03-31 10:44 . 2011-03-31 10:44 1540608 ----a-w- c:\windows\system32\DWrite.dll
2011-03-31 10:44 . 2011-03-31 10:44 1495040 ----a-w- c:\windows\SysWow64\ExplorerFrame.dll
2011-03-31 10:44 . 2011-03-31 10:44 135168 ----a-w- c:\windows\SysWow64\XpsRasterService.dll
2011-03-31 10:44 . 2011-03-31 10:44 1133568 ----a-w- c:\windows\system32\FntCache.dll
2011-03-31 10:44 . 2011-03-31 10:44 1074176 ----a-w- c:\windows\SysWow64\DWrite.dll
2011-03-31 10:44 . 2011-03-31 10:44 442880 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2011-03-31 10:44 . 2011-03-31 10:44 4068864 ----a-w- c:\windows\system32\mf.dll
2011-03-31 10:44 . 2011-03-31 10:44 3181568 ----a-w- c:\windows\SysWow64\mf.dll
2011-03-31 10:44 . 2011-03-31 10:44 257024 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-03-31 10:44 . 2011-03-31 10:44 218624 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2011-03-31 10:44 . 2011-03-31 10:44 206848 ----a-w- c:\windows\system32\mfps.dll
2011-03-31 10:44 . 2011-03-31 10:44 196608 ----a-w- c:\windows\SysWow64\mfreadwrite.dll
2011-03-31 10:44 . 2011-03-31 10:44 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2011-03-31 10:44 . 2011-03-31 10:44 1170944 ----a-w- c:\windows\SysWow64\d3d10warp.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-06-25_22.45.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:54 . 2011-06-26 00:22 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-06-25 18:54 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-06-26 00:22 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2011-06-25 18:54 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-17 02:37 . 2011-06-26 00:24 56484 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-06-26 00:24 39944 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2011-06-25 18:56 39944 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-07-07 21:55 . 2011-06-26 00:24 11834 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3107127743-3541146285-3577337754-1001_UserData.bin
- 2010-07-07 21:55 . 2011-06-25 18:56 11834 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3107127743-3541146285-3577337754-1001_UserData.bin
+ 2010-07-07 21:55 . 2011-06-26 00:23 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-07-07 21:55 . 2011-06-25 18:56 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-07-07 21:55 . 2011-06-25 18:56 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-07-07 21:55 . 2011-06-26 00:23 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-07-07 21:55 . 2011-06-26 00:23 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-07-07 21:55 . 2011-06-25 18:56 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-07-07 21:50 . 2011-06-25 18:56 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-07-07 21:50 . 2011-06-26 00:23 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-07-07 21:50 . 2011-06-26 00:23 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-07-07 21:50 . 2011-06-25 18:56 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-06-25 18:54 . 2011-06-25 18:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-06-26 00:22 . 2011-06-26 00:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-06-25 18:54 . 2011-06-25 18:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-06-26 00:22 . 2011-06-26 00:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 04:54 . 2011-06-26 00:22 491520 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-06-25 18:54 491520 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 02:36 . 2011-06-25 18:04 736644 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-06-26 00:28 736644 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-06-26 00:28 147720 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2011-06-25 18:04 147720 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2011-06-25 18:53 400556 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-06-26 00:21 400556 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 02:34 . 2011-06-26 00:36 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
- 2009-07-14 02:34 . 2011-06-25 19:08 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2009-10-02 284696]
"TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-11-05 2446648]
"PeachtreePrefetcher.exe"="c:\progra~2\Sage\PEACHT~1\PeachtreePrefetcher.exe" [2011-02-22 29512]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"WebrootTrayApp"="c:\program files (x86)\Webroot\Security\Current\Framework\WRTray.exe" [2011-04-07 1373208]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-29 1047656]
.
c:\users\Angel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-23 270336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
R1 vflt;Shrew Soft Lightweight Filter;c:\windows\system32\DRIVERS\vfilter.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 HtcUsbMdmV64;HTC Proprietary USB Driver;c:\windows\system32\DRIVERS\HtcUsbMdmV64.sys [x]
R3 HtcVCom32;HTC Diagnostic Port;c:\windows\system32\DRIVERS\HtcVComV64.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 Peachtree SmartPosting 2011;Peachtree SmartPosting 2011;c:\program files (x86)\Sage\Peachtree\SmartPostingService2011.exe [2011-02-22 43848]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-09-01 222720]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 vnet;Shrew Soft Virtual Adapter;c:\windows\system32\DRIVERS\virtualnet.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-10-02 13336]
S2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files (x86)\Pervasive Software\PSQL\bin\w3dbsmgr.exe [2010-04-10 435496]
S2 RSELSVC;TOSHIBA Modem region select service;c:\program files\TOSHIBA\rselect\RSelSvc.exe [2009-07-07 65904]
S2 ssfmonm;ssfmonm;c:\windows\system32\DRIVERS\ssfmonm.sys [x]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-10-01 2314240]
S2 WRConsumerService;Webroot Client Service;c:\program files (x86)\Webroot\Security\Current\Framework\WRConsumerService.exe [2011-04-07 3251928]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [x]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [x]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-11-05 137560]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
2009-07-14 01:14 301568 ----a-w- c:\windows\System32\cmd.exe
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-14 166424]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-14 390168]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-14 408600]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-11-03 8312352]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2008-09-25 195080]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"HSON"="c:\program files (x86)\TOSHIBA\TBS\HSON.exe" [BU]
"SmoothView"="c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe" [BU]
"00TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-11-05 709976]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie9
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:52222
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~2\MIF5BA~1\Office14\ONBttnIE.dll/105
Trusted Zone: woosterplace.com\mail
TCP: DhcpNameServer = 192.168.1.1 71.250.0.12
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"=hex:51,66,7a,6c,4c,1d,38,12,50,ef,00,
7f,a8,d7,1e,0e,c6,dd,65,57,bd,6c,7c,36
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=hex:51,66,7a,6c,4c,1d,38,12,5c,be,8a,
eb,c9,8f,bc,54,f6,39,43,d0,22,43,0b,9c
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"=hex:51,66,7a,6c,4c,1d,38,12,56,8e,54,
06,cb,8d,95,0b,e4,47,35,d5,e9,fe,12,64
"{0347C33E-8762-4905-BF09-768834316C61}"=hex:51,66,7a,6c,4c,1d,38,12,50,c0,54,
07,50,c9,6b,0c,c0,1f,35,c8,31,6f,28,75
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}"=hex:51,66,7a,6c,4c,1d,38,12,cf,4e,be,
f9,90,2f,b6,0a,e3,01,c5,b7,a9,7a,14,95
"{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}"=hex:51,66,7a,6c,4c,1d,38,12,91,fc,ec,
fb,7c,81,45,0a,c2,d4,4d,32,e4,48,ec,42
"{555D4D79-4BD2-4094-A395-CFC534424A05}"=hex:51,66,7a,6c,4c,1d,38,12,17,4e,4e,
51,e0,05,fa,05,dc,83,8c,85,31,1c,0e,11
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:ba,ad,0d,65,7c,f0,cb,01
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-06-26 05:26:52
ComboFix-quarantined-files.txt 2011-06-26 09:26
ComboFix2.txt 2011-06-25 22:47
.
Pre-Run: 252,875,038,720 bytes free
Post-Run: 252,598,636,544 bytes free
.
- - End Of File - - 4D8941525D5458AB7274AA25DCED4778
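The two Malwarebytes logs above record the same pattern twice: a dropped executable under AppData\Local, a Run-key autostart, and hijacked shell\open\command values that route every .exe launch (and every Internet Explorer launch) through that dropped file. As an added example, not code from the thread or from Malwarebytes, the parser below reads Malwarebytes 1.x detection lines and groups them by the technique they reveal, pulling out which executable each hijack points at so the entries can be linked. The embedded log text is a constructed subset of the two logs above; the technique labels, the Detection class and its helper names are this example's own.

```python
"""Group Malwarebytes 1.x detection lines by technique (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed subset of the detection lines from the two Malwarebytes logs above.
SAMPLE_LOG = r"""
Memory Processes Infected:
c:\Users\Angel\AppData\Local\eyb.exe (Trojan.ExeShell.Gen) -> 5688 -> Unloaded process successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2250338663 (Trojan.ExeShell.Gen) -> Value: 2250338663 -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Angel\AppData\Local\hbs.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Users\Angel\AppData\Local\eyb.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Angel\AppData\Local\Temp\0.22571415097438274.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\Users\Angel\AppData\Local\gqt.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
"""

# "<location> (<detection name>)" is the first " -> " separated field of every entry.
HEAD_RE = re.compile(r"^(?P<location>.+?) \((?P<detection>[^()]+)\)$")
# Registry data items carry the hijacked and expected values as "Bad: (...) Good: (...)".
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)$")
QUOTED_EXE_RE = re.compile(r'"([^"]+\.exe)"', re.IGNORECASE)


@dataclass
class Detection:
    location: str   # registry path, file path or process image
    detection: str  # Malwarebytes detection name, e.g. Hijack.ExeFile
    detail: str     # middle field(s): Value:, Bad:/Good:, or a PID
    action: str     # what the scanner did with it

    @property
    def hijacked_to(self):
        """First executable named in a Bad: value, i.e. the file a hijack routes through."""
        m = BAD_GOOD_RE.match(self.detail)
        if not m:
            return None
        exes = QUOTED_EXE_RE.findall(m.group("bad"))
        return exes[0] if exes else None

    @property
    def technique(self):
        """Defender-oriented label for what this entry means (this example's own taxonomy)."""
        loc = self.location.lower()
        if "\\shell\\open\\command" in loc:
            return "shell open-command hijack"   # every matching launch runs the bad file first
        if "\\currentversion\\run\\" in loc:
            return "autostart (Run key)"
        if self.action.lower().startswith("unloaded process"):
            return "running process"
        if loc.endswith(".exe"):
            return "dropped executable"
        return "other"


def parse_log(text):
    """Return a Detection for every entry line; headers and 'No malicious items' lines are skipped."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if " -> " not in line:
            continue
        parts = line.split(" -> ")
        m = HEAD_RE.match(parts[0])
        if not m:
            continue
        found.append(Detection(m.group("location"), m.group("detection"),
                               " -> ".join(parts[1:-1]), parts[-1]))
    return found


def summarize(detections):
    """Count techniques and list the executables that the hijacked commands pointed at."""
    techniques = Counter(d.technique for d in detections)
    proxies = sorted({d.hijacked_to for d in detections if d.hijacked_to})
    return {"techniques": dict(techniques), "hijack_proxies": proxies}


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for name, count in report["techniques"].items():
        print(f"{count:2d}  {name}")
    print("hijacks routed through:", *report["hijack_proxies"], sep="\n  ")
```

The point of the summary is the last list: both hijacks resolve to files in the same user's AppData\Local folder, which is why the helper is less interested in deleting individual entries than in finding how new copies keep arriving. Running the script over a later log and seeing a fresh proxy path is a quick way to confirm reinfection rather than leftover entries.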
 
We need to get together on this! I told you several times when you had the problem with the script that you did not need to try and run it, that I got the information.

Please run the requested Security Scan. The system has new malware. It is not secure. If you continue to get these malware infections, it is plausible that the system will eventually become unbootable.

There is no sense in continuing to remove these entries unless we can find out how they are getting in.

My personal opinion of whatever Webroot is running as an antivirus/spyware program is very low.
 
Sorry, I started running the program by the time you were telling me to stop it. What do you suggest I do? Can I safely move all of my files and back up my software onto a portable hard drive?
 
Mbam found WORM_AUTORUN.MFC. The system shows new infections every time Malwarebytes runs. This particular malware spreads this way:
Infection Channel 1 : Propagates via removable drives
Infection Channel 2 : Copies itself in all available physical drives


Are you using a flash drive? If so, it is infected as are any other removable drives.
==============================================
  • Please download Panda USB Vaccine (you must provide a valid e-mail address and they will send the download link to that address) to your desktop.
  • Install and run it.
  • Plug in USB drive and click on Vaccinate USB and Vaccinate computer.

You will need to connect each of the removable drives and run the Panda Vaccinate.

If this has been the source of the continued infections, then the system might be able to be cleaned without reinfection.
 