[Closed] Logs for help with virus removal


cableman

It started when I got what most people call the Windows 7 2012 virus, but it can affect Windows XP also, I believe. Anyway, here are the logs. I hope you can help, and thank you for all your attention and effort. There are a lot of us who appreciate it. I am running Windows 7 on an HP ProBook laptop, model 4525s. The virus disabled my Avast, so I installed Vipre before I started the 5-step process, but it seems to be operational. I also show a network connection but no connection to the internet.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122308

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

1/8/2012 6:17:12 AM
mbam-log-2012-01-08 (06-17-12).txt

Scan type: Quick scan
Objects scanned: 206956
Time elapsed: 7 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-08 07:02:46
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK2561GSYN rev.MH000C
Running: evensteven123.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\kwldapob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 83048369 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83081D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8E424000, 0x2F7634, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\windows\system32\rpcnet.exe[1812] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7505FFF6] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\windows\system32\rpcnet.exe[1812] @ C:\windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7505FFF6] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\windows\system32\rpcnet.exe[1812] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7505FFF6] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\windows\system32\rpcnet.exe[1812] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7505FFF6] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\windows\system32\rpcnet.exe[1812] @ C:\windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [7505FFF6] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\BTHUSB \Device\00000090 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000092 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)

Device \Driver\ACPI_HAL \Device\0000005d halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\RawIp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f3952a4dce
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f395796eb8
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\cc52af08cf2a
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\cc52af1518ac
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\cc52aff72f3f
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\cc52aff747fc
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e02a82f8005a
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f3952a4dce (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f395796eb8 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\cc52af08cf2a (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\cc52af1518ac (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\cc52aff72f3f (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\cc52aff747fc (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e02a82f8005a (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB30953$\1800766157 0 bytes
File C:\Windows\$NtUninstallKB30953$\3316104526 0 bytes
File C:\Windows\$NtUninstallKB30953$\3316104526\@ 2048 bytes
File C:\Windows\$NtUninstallKB30953$\3316104526\bckfg.tmp 863 bytes
File C:\Windows\$NtUninstallKB30953$\3316104526\cfg.ini 208 bytes
File C:\Windows\$NtUninstallKB30953$\3316104526\Desktop.ini 4608 bytes
File C:\Windows\$NtUninstallKB30953$\3316104526\keywords 10 bytes
File C:\Windows\$NtUninstallKB30953$\3316104526\kwrd.dll 223744 bytes
File C:\Windows\$NtUninstallKB30953$\3316104526\L 0 bytes
File C:\Windows\$NtUninstallKB30953$\3316104526\L\xadqgnnk 338944 bytes
File C:\Windows\$NtUninstallKB30953$\3316104526\lsflt7.ver 5176 bytes
File C:\Windows\$NtUninstallKB30953$\3316104526\U 0 bytes
File C:\Windows\$NtUninstallKB30953$\3316104526\U\00000001.@ 2048 bytes
File C:\Windows\$NtUninstallKB30953$\3316104526\U\00000002.@ 224768 bytes
File C:\Windows\$NtUninstallKB30953$\3316104526\U\00000004.@ 1024 bytes
File C:\Windows\$NtUninstallKB30953$\3316104526\U\80000000.@ 11264 bytes
File C:\Windows\$NtUninstallKB30953$\3316104526\U\80000004.@ 12800 bytes
File C:\Windows\$NtUninstallKB30953$\3316104526\U\80000032.@ 77312 bytes

---- EOF - GMER 1.0.15 ----


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Administrator at 7:07:04 on 2012-01-08
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1782.834 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV.exe
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\Hpservice.exe
C:\windows\system32\atieclxx.exe
C:\windows\system32\vcsFPService.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\IDT\WDM\aestsrv.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\Program Files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe
C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
C:\Program Files\QUALCOMM\QDLService2k\QDLService2kHP.exe
C:\ProgramData\Rpcnet\Bin\rpcld.exe
C:\windows\system32\rpcnet.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe
C:\Program Files\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: File Sanitizer for HP ProtectTools: {3134413b-49b4-425c-98a5-893c1f195601} - c:\program files\hewlett-packard\file sanitizer\IEBHO.dll
BHO: RoboForm BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [HPAdvisorDock] c:\program files\hewlett-packard\hp advisor\dock\HPAdvisorDock.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SBAMTray] "c:\program files\sunbelt software\vipre\SBAMTray.exe"
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{29A50975-73AB-4414-8C8B-AF094183C9D1} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{386C4CDF-B88A-4FB1-9A4D-51A5E7F17435} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{386C4CDF-B88A-4FB1-9A4D-51A5E7F17435}\D4963627F61476568435 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\854414D275966696D23586162796E676 : DhcpNameServer = 192.168.1.1
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\xibtwus7.default\
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-25 64288]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2012-1-4 220760]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-13 98392]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2011-12-13 78936]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\common files\actividentity\ac.sharedstore.exe [2009-6-3 207400]
R2 AESTFilters;Andrea ST Filters Service;c:\program files\idt\wdm\AEstSrv.exe [2011-11-6 81920]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-4-8 172032]
R2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\hewlett-packard\hp power assistant\HPPA_Service.exe [2011-6-2 133688]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\hewlett-packard\hp support framework\HPSA_Service.exe [2011-6-21 85560]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\hewlett-packard\hp wireless assistant\HPWA_Service.exe [2010-4-5 103992]
R2 HPDayStarterService;HP DayStarter Service;c:\program files\hewlett-packard\hp quicklook\HPDayStarterService.exe [2010-3-25 90112]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2011-5-21 103992]
R2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\hewlett-packard\file sanitizer\HPFSService.exe [2010-1-19 297984]
R2 hpHotkeyMonitor;HP Hotkey Monitor;c:\program files\hewlett-packard\hp hotkey support\hpHotkeyMonitor.exe [2010-3-1 264248]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2010-6-15 26168]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-15 366152]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2010-5-23 635416]
R2 PdiService;Portrait Displays SDK Service;c:\program files\common files\portrait displays\drivers\pdisrvc.exe [2011-11-6 113264]
R2 QDLService2kHP;Qualcomm Gobi 2000 Download Service (HP);c:\program files\qualcomm\qdlservice2k\QDLService2kHP.exe [2010-3-15 331000]
R2 rpcld;Remote Procedure Call (RPC) LD;c:\programdata\rpcnet\bin\rpcld.exe --> c:\programdata\rpcnet\bin\rpcld.exe [?]
R2 SBAMSvc;VIPRE Antivirus Premium;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2010-8-20 2763080]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-6-14 69976]
R2 SBPIMSvc;SB Recovery Service;c:\program files\sunbelt software\vipre\SBPIMSvc.exe [2010-8-20 181584]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2009-10-30 1021256]
R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2010-2-18 1664304]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-4-8 5429760]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-4-8 157184]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-6-20 29472]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-15 22216]
R3 SBFWIMCLMP;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2012-1-4 68696]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-23 136176]
S2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-6-20 48640]
S2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-6-20 47616]
S2 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2010-6-20 38912]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-23 136176]
S3 qcfilterhp2k;Gobi 2000 USB Composite Device Filter Driver(03F0-251D);c:\windows\system32\drivers\qcfilterhp2k.sys [2010-3-15 5248]
S3 qcusbnethp2k;Gobi 2000 USB-NDIS miniport(03F0-251D);c:\windows\system32\drivers\qcusbnethp2k.sys [2010-3-15 208384]
S3 qcusbserhp2k;Gobi 2000 USB Device for Legacy Serial Communication(03F0-251D);c:\windows\system32\drivers\qcusbserhp2k.sys [2010-3-15 106880]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2009-11-23 1120752]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxMediaDB12OEM.exe [2011-1-15 1116656]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-9-29 279656]
S3 rtsuvc;HP Webcam [2 MP Fixed];c:\windows\system32\drivers\rtsuvc.sys [2010-6-20 73344]
S3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [2012-1-4 68696]
S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2011-12-13 94040]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-8-12 52224]
S3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\drivers\vpcuxd.sys [2011-8-12 12800]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-25 1343400]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2010-1-8 316416]
.
=============== Created Last 30 ================
.
2012-01-04 18:44:46 -------- d-----w- c:\users\administrator\appdata\roaming\Sunbelt
2012-01-04 18:43:00 68696 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2012-01-04 18:43:00 220760 ----a-w- c:\windows\system32\drivers\SbFw.sys
2011-12-16 00:20:32 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-15 14:02:56 29512 ----a-w- c:\windows\system32\TURegOpt.exe
2011-12-15 14:02:51 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2011-12-15 14:02:51 21320 ----a-w- c:\windows\system32\authuitu.dll
2011-12-15 14:02:42 -------- d-----w- c:\users\administrator\appdata\roaming\TuneUp Software
2011-12-15 14:02:36 -------- d-----w- c:\program files\TuneUp Utilities 2010
2011-12-15 14:02:09 -------- d-----w- c:\programdata\TuneUp Software
2011-12-15 14:01:59 -------- d-sh--w- c:\programdata\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2011-12-15 08:02:58 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-15 00:47:58 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-12-15 00:47:54 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-15 00:47:49 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-15 00:47:48 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-15 00:47:44 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-15 00:47:42 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-14 20:10:55 -------- d-----w- c:\program files\AVAST Software
2011-12-13 20:02:29 -------- d-----w- c:\programdata\Sunbelt
2011-12-13 20:00:08 94040 ----a-w- c:\windows\system32\drivers\sbhips.sys
2011-12-13 20:00:05 78936 ----a-w- c:\windows\system32\drivers\sbtis.sys
2011-12-13 19:59:49 -------- d-----w- c:\program files\Sunbelt Software
2011-12-13 17:00:32 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{2aa5de23-5ed8-470a-9f0e-6367571ac127}\mpengine.dll
2011-12-13 16:55:38 -------- d-----w- c:\windows\system32\wbem\repository
2011-12-13 09:28:48 -------- d-----w- c:\users\administrator\appdata\roaming\Malwarebytes
2011-12-12 08:09:37 -------- d-----w- c:\program files\W3i, LLC
2011-12-12 08:09:11 -------- d-----w- c:\programdata\WeCareReminder
2011-12-12 07:40:39 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
.
==================== Find3M ====================
.
2012-01-04 23:14:19 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2012-01-04 23:14:16 58288 ----a-w- c:\windows\system32\rpcnet.dll
2012-01-04 18:32:18 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2011-11-15 19:29:56 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-13 19:54:06 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-06 05:40:43 431616 ----a-w- c:\windows\system32\drivers\stwrt.sys
2011-11-06 05:40:42 934912 ----a-w- c:\windows\system32\stapo.dll
2011-11-06 05:40:42 531968 ------w- c:\windows\system32\stapi32.dll
2011-11-06 05:40:42 495708 ----a-w- c:\windows\sttray.exe
2011-11-06 05:40:42 405504 ----a-w- c:\windows\system32\stcplx.dll
2011-11-06 05:40:42 1953792 ----a-w- c:\windows\system32\stlang.dll
2011-11-06 05:40:42 179712 ----a-w- c:\windows\system32\staco.dll
2011-11-06 05:40:41 86016 ----a-w- c:\windows\system32\AESTCom.dll
2011-11-06 05:40:41 380928 ----a-w- c:\windows\system32\aestecap.dll
2011-11-06 05:40:41 12705884 ----a-w- c:\windows\system32\idtcpl.cpl
2011-11-06 05:40:40 61440 ----a-w- c:\windows\system32\aestaren.dll
2011-11-06 05:40:40 140288 ----a-w- c:\windows\system32\aestacap.dll
2011-11-03 22:47:42 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-11-03 22:39:47 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 7:07:33.09 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/25/2011 10:40:56 AM
System Uptime: 1/4/2012 6:13:53 PM (85 hours ago)
.
Motherboard: Hewlett-Packard | | 142C
Processor: AMD Athlon(tm) II P360 Dual-Core Processor | Unknown | 2300/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 231 GiB total, 181.21 GiB free.
D: is CDROM ()
E: is Removable
G: is FIXED (FAT32) - 2 GiB total, 1.986 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Flash Drive
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_USB2.0&PROD_FLASH_DRIVE&REV_8.00#12345678&0#
Manufacturer: USB2.0
Name: E:\
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_USB2.0&PROD_FLASH_DRIVE&REV_8.00#12345678&0#
Service: WUDFRd
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: HTTP
Device ID: ROOT\LEGACY_HTTP\0000
Manufacturer:
Name: HTTP
PNP Device ID: ROOT\LEGACY_HTTP\0000
Service: HTTP
.
==== System Restore Points ===================
.
RP120: 12/13/2011 2:50:59 PM - avast! Free Antivirus Setup
RP121: 12/13/2011 2:59:27 PM - Installed VIPRE Antivirus Premium.
RP122: 12/14/2011 3:00:15 AM - Windows Update
RP123: 12/14/2011 3:10:40 PM - avast! Free Antivirus Setup
RP124: 12/14/2011 3:26:21 PM - avast! Free Antivirus Setup
RP125: 12/15/2011 3:00:22 AM - Windows Update
RP126: 12/15/2011 9:02:16 AM - Installed TuneUp Utilities
RP127: 12/23/2011 2:52:52 AM - Scheduled Checkpoint
RP128: 12/31/2011 4:43:10 PM - Scheduled Checkpoint
RP129: 1/4/2012 12:01:45 PM - Restore Operation
RP130: 1/4/2012 1:41:48 PM - avast! Free Antivirus Setup
RP131: 1/4/2012 1:42:42 PM - Installed VIPRE Antivirus Premium.
RP132: 1/4/2012 6:08:43 PM - Restore Operation
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
µTorrent
ActivClient x86
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 8.2.0
Adobe Shockwave Player 11.5
Apple Application Support
Apple Software Update
ATI Catalyst Install Manager
Broadcom 2070 Bluetooth 2.1 + EDR
Broadcom 802.11 Wireless LAN Adapter
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
DirectX 9 Runtime
File Sanitizer For HP ProtectTools
Google Chrome
Google Update Helper
Hewlett-Packard ACLM.NET v1.1.1.0
HP 3D DriveGuard
HP Advisor
HP Customer Experience Enhancements
HP ESU for Microsoft Windows 7
HP HotKey Support
HP Power Assistant
HP Power Data
HP QuickLook
HP QuickWeb
HP Setup
HP SoftPaq Download Manager
HP Software Framework
HP Software Setup
HP Support Assistant
HP User Guides 0185
HP Web Camera
HP Webcam
HP Webcam Driver
HP Wireless Assistant
IDT Audio
Java Auto Updater
Java Card Security for HP ProtectTools
Java(TM) 6 Update 26
LightScribe System Software
LiveUpdate 3.3 (Symantec Corporation)
LSI HDA Modem
Malwarebytes' Anti-Malware version 1.51.2.1300
Marvell Miniport Driver
Microsoft .NET Framework 4 Client Profile
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Mozilla Firefox 8.0.1 (x86 en-US)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton Online Backup
PDF Complete Special Edition
Qualcomm Gobi 2000 Package for HP
QuickTime
RealPlayer
Realtek Ethernet Controller All-In-One Windows Driver
RealUpgrade 1.0
RICOH Media Driver
RoboForm 7-4-2 (All Users)
Roxio Activation Module
Roxio CinePlayer Decoder Pack
Roxio Creator Audio
Roxio Creator Business
Roxio Creator Business v10
Roxio Creator Copy
Roxio Creator Data
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD
Roxio MyDVD Business 2010
SDK
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Sonic CinePlayer Decoder Pack
Synaptics Pointing Device Driver
Theft Recovery
TuneUp Utilities
TuneUp Utilities Language Pack (en-US)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2596560)
Validity Fingerprint Driver
VIPRE Antivirus Premium
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows 7 Default Setting
Windows Driver Package - Broadcom Bluetooth (07/30/2009 6.2.0.9405)
Windows Driver Package - Broadcom Bluetooth (12/16/2009 6.2.0.9414)
Windows Driver Package - Broadcom HIDClass (07/28/2009 6.2.0.9800)
Windows Live Essentials
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinRAR archiver
WinZip 14.0
Wisdom-soft Set up ScreenHunter 5.1 Free
WSOP-USA.com
.
==== Event Viewer Messages From Past Week ========
.
1/8/2012 7:07:24 AM, Error: Service Control Manager [7001] - The Workstation service depends on the SMB 2.0 MiniRedirector service which failed to start because of the following error: The dependency service or group failed to start.
1/8/2012 7:07:24 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The device does not recognize the command.
1/8/2012 7:07:24 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The device does not recognize the command.
1/8/2012 7:07:24 AM, Error: Service Control Manager [7001] - The Remote Desktop Configuration service depends on the Workstation service which failed to start because of the following error: The dependency service or group failed to start.
1/8/2012 7:07:24 AM, Error: Service Control Manager [7000] - The SMB MiniRedirector Wrapper and Engine service failed to start due to the following error: The device does not recognize the command.
1/8/2012 6:28:03 AM, Error: Service Control Manager [7003] - The DHCP Client service depends the following service: Afd. This service might not be installed.
1/8/2012 6:28:03 AM, Error: Service Control Manager [7001] - The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service does not exist or has been marked for deletion.
1/8/2012 6:09:16 AM, Error: Service Control Manager [7000] - The MBAMSwissArmy service failed to start due to the following error: The system cannot find the file specified.
1/7/2012 6:18:49 PM, Error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error %%-2147014846.
1/7/2012 6:18:49 PM, Error: Microsoft-Windows-Bits-Client [16392] - The BITS service failed to start. Error 0x80072742.
1/4/2012 6:27:47 PM, Error: Service Control Manager [7001] - The Function Discovery Provider Host service depends on the HTTP service which failed to start because of the following error: The device does not recognize the command.
1/4/2012 6:27:47 PM, Error: Service Control Manager [7000] - The HTTP service failed to start due to the following error: The device does not recognize the command.
1/4/2012 6:24:58 PM, Error: Service Control Manager [7001] - The SSDP Discovery service depends on the HTTP service which failed to start because of the following error: The device does not recognize the command.
1/4/2012 6:24:58 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
1/4/2012 6:24:58 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
1/4/2012 6:16:33 PM, Error: Service Control Manager [7023] - The Windows Update service terminated with the following error: %%-2147014846
1/4/2012 6:14:26 PM, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.
1/4/2012 6:14:15 PM, Error: Service Control Manager [7000] - The rixdpcie service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/4/2012 6:14:14 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
1/4/2012 6:14:14 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
1/4/2012 6:14:14 PM, Error: Service Control Manager [7000] - The risdpcie service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/4/2012 6:14:14 PM, Error: Service Control Manager [7000] - The rimspci service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/4/2012 6:14:12 PM, Error: Service Control Manager [7001] - The Server SMB 2.xxx Driver service depends on the srvnet service which failed to start because of the following error: The device does not recognize the command.
1/4/2012 6:14:12 PM, Error: Service Control Manager [7001] - The Server SMB 1.xxx Driver service depends on the Server SMB 2.xxx Driver service which failed to start because of the following error: The dependency service or group failed to start.
1/4/2012 6:14:12 PM, Error: Service Control Manager [7001] - The Server service depends on the Server SMB 1.xxx Driver service which failed to start because of the following error: The dependency service or group failed to start.
1/4/2012 6:14:12 PM, Error: Service Control Manager [7001] - The Print Spooler service depends on the HTTP service which failed to start because of the following error: The device does not recognize the command.
1/4/2012 6:14:12 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Workstation service which failed to start because of the following error: The dependency service or group failed to start.
1/4/2012 6:14:12 PM, Error: Service Control Manager [7000] - The srvnet service failed to start due to the following error: The device does not recognize the command.
1/4/2012 6:14:11 PM, Error: Service Control Manager [7003] - The TCP/IP NetBIOS Helper service depends the following service: Afd. This service might not be installed.
1/4/2012 10:51:18 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the UmRdpService service.
1/4/2012 10:04:43 AM, Error: Service Control Manager [7034] - The Remote Procedure Call (RPC) LD service terminated unexpectedly. It has done this 1 time(s).
1/4/2012 1:32:18 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SBRE
.
==== End Of File ===========================
 
Welcome to TechSpot! Yes, this rogue hit Vista, Win XP and Win 7! It's not particular. I will help you remove it but I'd like you to run the following first.

The malware has added domains to the Trusted Zone. NONE of these domains need to be there. We need to get them out because the security settings are lower in this zone so it makes the system more vulnerable. The following have been set. The program you run will remove all:
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
----------------------------------------
Please download DelDomains with .zip and unzip it to your desktop. Do not run it yet.
  • Close all open browsers
  • Right click on deldomains.inf and select Install
Note: this will remove all entries in the Trusted Zone and Restricted Zone.
=====================================
Rogue Antispyware, Antivirus, Security, Home Security , Internet Security 2012
  1. Pretends to be a security update for Windows installed via Automatic Updates. It will then install itself as a single executable that has a random name consisting of three characters
  2. Clicking on any executable loads the malware
  3. Display fake security alerts on the infected computer.
  4. May not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer
  5. Changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program.

To fix #5, you start here: Download a Registry file that will fix these changes.
Please download FixNCR.reg and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.
  • Insert the removable device into the infected computer and open the folder for the drive letter associated with it (usually C).
  • Double click the FixNCR.reg file
  • You should now be able to run the .exe files.
-------------------------------------
To end the processes that belong to the rogue program:
Please click on RKill
  • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
  • Double click on the iExplore.exe icon
  • Please be patient- it may take a bit.
  • The black Window will close when through and you can continue.
Note: If you get a message that RKill is malware, ignore it> it's from the malware.
=======================================
Do not reboot your computer after running RKill as the malware programs will start again.
================================
Update and rescan with Malwarebytes:
  • Select Perform Full Scan on the Scanner tab
  • Click on the Scan button.
  • When scan has finished, you will see this image:
    (image: scan-finished.jpg)
  • Click on OK to close box and continue.
  • Click on the Show Results button.
  • Click on the Remove Selected button to remove all the listed malware.
  • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
==============================
This should remove the major offender. Reboot the Computer into Normal Mode and run the following:
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

  If you are using a browser other than Internet Explorer:
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
    (image: esetonlinescannersettings_thumb.jpg)
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
=======================================
FYI: regarding the network not functioning:
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
We will be fixing this- you do not need to do anything with these entries. They are information only.
=======================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=======================================
Please leave the logs in your next reply. Advise me if you have a problem running the scans. It is important that you follow the order given.
=====================================
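The post above asks for two things to be verified later: that the Trusted Zone entries are gone after DelDomains, and that the .exe association hijack described in item 5 is repaired by FixNCR.reg. The following is an added, read-only audit script for checking both; it is example code, not part of the post and not DelDomains, FixNCR.reg or any other tool named here. It reads the standard Windows 7 registry locations for Internet Explorer's ZoneMap and for the .exe file class; the function names are this example's own, and it is written for the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not from the TechSpot post: read-only audit of the two settings the rogue
# tampers with. Run from an elevated PowerShell prompt; nothing here modifies the registry.

$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# Enumerate every entry under ZoneMap\Domains for one hive. Each key holds one value per
# scheme (http, https, file, or * for any scheme) whose DWORD data is the zone id.
function Get-ZoneMapEntries {
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive)
    $base = "$($Hive):\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    if (-not (Test-Path $base)) { return }
    Get-ChildItem -Path $base -Recurse | ForEach-Object {
        $key = $_
        $start = $key.Name.IndexOf('\Domains\', [StringComparison]::OrdinalIgnoreCase) + 9
        $entry = $key.Name.Substring($start)     # e.g. mcafeeasap.com\www, the form DDS prints
        foreach ($scheme in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($scheme)
            New-Object PSObject -Property @{
                Hive = $Hive; Entry = $entry; Scheme = $scheme
                Zone = $zone; ZoneName = $zoneNames[$zone]
            }
        }
    }
}

# Anything mapped into Trusted (2) or Restricted (4). A stock Windows 7 install has no such
# entries, so every line this prints deserves a look; after DelDomains it should print nothing.
function Get-SuspiciousZoneEntries {
    foreach ($hive in 'HKCU', 'HKLM') {
        Get-ZoneMapEntries -Hive $hive | Where-Object { @(2, 4) -contains $_.Zone }
    }
}

# Read a key's (default) value, or $null if the key is missing.
function Get-DefaultValue([string]$Path) {
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue('') } else { $null }
}

# The .exe association. Healthy: HKLM\SOFTWARE\Classes\.exe -> "exefile" and
# exefile\shell\open\command -> "%1" %*. A per-user HKCU\Software\Classes\.exe key
# overrides the machine setting, which is why checking HKLM alone can miss the hijack.
function Test-ExeAssociation {
    $findings = @()
    $expectedCmd = '"%1" %*'
    $progId = Get-DefaultValue 'HKLM:\SOFTWARE\Classes\.exe'
    if ($progId -ne 'exefile') { $findings += "HKLM .exe ProgID is '$progId', expected 'exefile'" }
    $cmd = Get-DefaultValue "HKLM:\SOFTWARE\Classes\$progId\shell\open\command"
    if ($cmd -ne $expectedCmd) { $findings += "HKLM $progId open command is '$cmd', expected '$expectedCmd'" }
    if (Test-Path 'HKCU:\Software\Classes\.exe') {
        $userProgId = Get-DefaultValue 'HKCU:\Software\Classes\.exe'
        $userCmd = Get-DefaultValue "HKCU:\Software\Classes\$userProgId\shell\open\command"
        $findings += "Per-user .exe override present: ProgID '$userProgId' runs '$userCmd'"
    }
    $findings
}

Write-Output '== Zone map entries in the Trusted or Restricted zone =='
Get-SuspiciousZoneEntries | Format-Table Hive, Entry, Scheme, ZoneName -AutoSize
Write-Output '== .exe association findings =='
$exeFindings = Test-ExeAssociation
if ($exeFindings) { $exeFindings } else { 'No .exe association problems found' }
```

The script only reports; removal stays with the tools the post prescribes. An empty zone table and the "No .exe association problems found" line are what a repaired system prints, which is the confirmation the helper asks for in a later reply.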
 
I performed your instructions to the letter up until I needed to run the ESET Smart Security Program. I still cannot get online. I show a connection but no internet service and I have no password configured on my network or router. All the other computers are connecting fine. Here is the log from Malware:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122308

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

1/9/2012 10:23:58 AM
mbam-log-2012-01-09 (10-23-58).txt

Scan type: Full scan (C:\|)
Objects scanned: 353806
Time elapsed: 25 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I have done nothing different from what you have instructed.
 
No, I didn't and I extend my apology for the delay. I took some time off during the holidays to enjoy my 'other life.' The penalty for that enjoyment is being incredibly behind!

However, in all fairness, your thread is more current than some others.
===============================
Please download Farbar Service Scanner
  • Check Include all files option
  • Press the Scan button
  • Log named FSS.txt will be created in the same directory as the tool
  • Please paste the log into your next reply
=============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Expect these- they are normal:
1. If asked to install or update the Recovery Console, allow. (You will need an internet connection for this.)
2. Before you run the Combofix scan, please disable any security software you have running.
3. Combofix may need to reboot your computer more than once to do its job; this is normal.

Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe
    (image: cf-icon.jpg)
    & follow the prompts.
  • If prompted for Recovery Console, please allow.
  • Once installed, you should see a blue screen prompt that says:
    • The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close/disable all anti virus and anti malware programs
    (If you need help with this, please see HERE)
  • Close any open browsers.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated and it will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
======================================
Questions/Comments:
1. Did the DelDomains remove the sites from the Trusted Zone? Did you check?
2. Other than not being able to access the internet, what malware-related problems are you having?
3. Did you have internet access before you got this malware?
4. "The virus disabled my Avast so I installed Vipre">> it is strange that malware disabled one AV, but allowed you to install another one! It is possible that you downloaded Avast but didn't install it, therefore it wasn't actually running.

It appears that you downloaded the Avast setup 4 times> first time 12/13, last time 1/4. Did you ever double click on the Program to run/install? Avast shows running on 1/8. But it doesn't show as an installed program.

You installed VIPRE twice> 12/13 and 1/4.> it shows as an installed program.

Dates, downloads, installs and restores in Restore Points:
RP120: 12/13/2011 2:50:59 PM - avast! Free Antivirus Setup> 1
RP121: 12/13/2011 2:59:27 PM - Installed VIPRE Antivirus Premium.> 1
RP123: 12/14/2011 3:10:40 PM - avast! Free Antivirus Setup> 2
RP124: 12/14/2011 3:26:21 PM - avast! Free Antivirus Setup> 3

RP129: 1/4/2012 12:01:45 PM - Restore Operation
RP130: 1/4/2012 1:41:48 PM - avast! Free Antivirus Setup
RP131: 1/4/2012 1:42:42 PM - Installed VIPRE Antivirus Premium.> 2
RP132: 1/4/2012 6:08:43 PM - Restore Operation
-----------------------------------------
You did System Restore twice on 1/4.> how far back did you go?
=======================================
Please leave Combofix log and answers to Questions/Comments in next reply.
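To make the sections of the requested FSS.txt easier to read, here is an added PowerShell script that performs the same kind of read-only checks that Farbar Service Scanner reports: for each service it states whether the registry key exists and, if so, its start type, ImagePath and ServiceDll and whether it is running; it then reads the EnableFirewall value of the three firewall profiles. This is example code, not Farbar's and not part of this post. The service names are the ones FSS reports on in this thread; the function names and the start-type table are this example's own, and it is written for the PowerShell 2.0 on Windows 7 and should be run elevated.

```powershell
# Added example, not Farbar's code and not from the TechSpot post: re-creates the checks
# behind the FSS.txt sections. Read-only, PowerShell 2.0 compatible, run elevated.

$startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Read one service's registry configuration. A missing key is the worst case: the service
# cannot be started at all, and the repair is restoring the key, not adjusting a value.
function Get-ServiceConfig([string]$Name) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $result = New-Object PSObject -Property @{
        Service = $Name; KeyExists = $false; StartType = $null
        ImagePath = $null; ServiceDll = $null; Running = $null
    }
    if (-not (Test-Path $key)) { return $result }
    $result.KeyExists = $true
    $props = Get-ItemProperty -Path $key
    if ($props.Start -ne $null) { $result.StartType = $startTypes[[int]$props.Start] }
    $result.ImagePath = $props.ImagePath
    # svchost-hosted services keep their DLL under Parameters\ServiceDll; drivers have none.
    if (Test-Path "$key\Parameters") {
        $result.ServiceDll = (Get-ItemProperty -Path "$key\Parameters").ServiceDll
    }
    # Get-Service only sees Win32 services, so kernel drivers such as afd and mpsdrv stay $null here.
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc) { $result.Running = ($svc.Status -eq 'Running') }
    return $result
}

# The "Firewall Disabled Policy" section: EnableFirewall=0 under a profile means the
# firewall is switched off for that profile; an absent value leaves the default in force.
function Get-FirewallPolicy {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $value = (Get-ItemProperty -Path "$base\$profile" -ErrorAction SilentlyContinue).EnableFirewall
        New-Object PSObject -Property @{
            Profile          = $profile
            EnableFirewall   = $value
            DisabledByPolicy = ($value -ne $null -and $value -eq 0)
        }
    }
}

# Service names as FSS groups them: Internet, Windows Firewall, System Restore,
# Security Center, Windows Update. Kernel drivers (afd, mpsdrv) are included on purpose.
$services = 'Dhcp', 'afd', 'MpsSvc', 'bfe', 'mpsdrv', 'VSS', 'wscsvc', 'wuauserv', 'BITS'

Write-Output '== Service configuration =='
$services | ForEach-Object { Get-ServiceConfig $_ } |
    Format-Table Service, KeyExists, StartType, Running, ServiceDll, ImagePath -AutoSize
Write-Output '== Firewall policy =='
Get-FirewallPolicy | Format-Table Profile, EnableFirewall, DisabledByPolicy -AutoSize
```

A row with KeyExists set to False corresponds to the "Unable to open ... registry key. The service key does not exist." lines in FSS output; the Event Viewer messages earlier in this thread ("depends the following service: Afd. This service might not be installed", and the same for BFE) are the same condition seen from the Service Control Manager's side, which is why DHCP, the firewall and IPsec all fail together.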
 
I can't check anything or change any settings. I keep getting message "Illegal operation attempted on a registry key that has been marked for deletion."

Here are the logs:

Farbar Service Scanner
Ran by Administrator (administrator) on 12-01-2012 at 11:35:32
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open afd registry key. The service key does not exist.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=DWORD:0


System Restore:
============
VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
===========
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


File Check:
========
C:\windows\system32\nsisvc.dll => MD5 is legit
C:\windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\windows\system32\dhcpcore.dll => MD5 is legit
C:\windows\system32\Drivers\afd.sys => MD5 is legit
C:\windows\system32\Drivers\tdx.sys => MD5 is legit
C:\windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\windows\system32\dnsrslvr.dll => MD5 is legit
C:\windows\system32\mpssvc.dll => MD5 is legit
C:\windows\system32\bfe.dll => MD5 is legit
C:\windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\windows\system32\SDRSVC.dll => MD5 is legit
C:\windows\system32\vssvc.exe => MD5 is legit
C:\windows\system32\wscsvc.dll => MD5 is legit
C:\windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\windows\system32\wuaueng.dll => MD5 is legit
C:\windows\system32\qmgr.dll => MD5 is legit
C:\windows\system32\es.dll => MD5 is legit
C:\windows\system32\cryptsvc.dll => MD5 is legit
C:\windows\system32\svchost.exe => MD5 is legit
C:\windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

ComboFix 12-01-12.02 - Administrator 01/12/2012 15:56:50.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1782.1236 [GMT -5:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Thumbs.db
c:\windows\$NtUninstallKB30953$
c:\windows\$NtUninstallKB30953$\1800766157
c:\windows\$NtUninstallKB30953$\3316104526\@
c:\windows\$NtUninstallKB30953$\3316104526\bckfg.tmp
c:\windows\$NtUninstallKB30953$\3316104526\cfg.ini
c:\windows\$NtUninstallKB30953$\3316104526\Desktop.ini
c:\windows\$NtUninstallKB30953$\3316104526\keywords
c:\windows\$NtUninstallKB30953$\3316104526\kwrd.dll
c:\windows\$NtUninstallKB30953$\3316104526\L\xadqgnnk
c:\windows\$NtUninstallKB30953$\3316104526\lsflt7.ver
c:\windows\$NtUninstallKB30953$\3316104526\U\00000001.@
c:\windows\$NtUninstallKB30953$\3316104526\U\00000002.@
c:\windows\$NtUninstallKB30953$\3316104526\U\00000004.@
c:\windows\$NtUninstallKB30953$\3316104526\U\80000000.@
c:\windows\$NtUninstallKB30953$\3316104526\U\80000004.@
c:\windows\$NtUninstallKB30953$\3316104526\U\80000032.@
.
Infected copy of c:\windows\System32\autochk.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7600.20538_none_e28cf2983c0715a1\autochk.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-12 to 2012-01-12 )))))))))))))))))))))))))))))))
.
.
2012-01-12 21:15 . 2012-01-12 21:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-12 21:15 . 2012-01-12 21:15 -------- d-----w- c:\users\user\AppData\Local\temp
2012-01-12 19:03 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-01-12 05:46 . 2012-01-12 05:46 -------- d-----w- c:\users\Administrator\AppData\Local\VirtualStore
2012-01-12 04:22 . 2012-01-12 04:22 -------- d-----w- c:\windows\system32\drivers\ar-SA - Copy
2012-01-09 16:23 . 2012-01-09 16:23 -------- d-----w- c:\program files\ESET
2012-01-08 15:47 . 2012-01-08 15:38 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-04 18:44 . 2012-01-04 18:44 -------- d-----w- c:\users\Administrator\AppData\Roaming\Sunbelt
2012-01-04 18:43 . 2010-07-27 09:48 220760 ----a-w- c:\windows\system32\drivers\SbFw.sys
2012-01-04 18:43 . 2010-04-15 23:35 68696 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2011-12-15 14:02 . 2009-10-30 20:08 29512 ----a-w- c:\windows\system32\TURegOpt.exe
2011-12-15 14:02 . 2009-10-30 20:01 21320 ----a-w- c:\windows\system32\authuitu.dll
2011-12-15 14:02 . 2009-10-30 20:01 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2011-12-15 14:02 . 2011-12-15 14:02 -------- d-----w- c:\users\Administrator\AppData\Roaming\TuneUp Software
2011-12-15 14:02 . 2011-12-15 14:02 -------- d-----w- c:\program files\TuneUp Utilities 2010
2011-12-15 14:02 . 2011-12-15 14:02 -------- d-----w- c:\programdata\TuneUp Software
2011-12-15 14:01 . 2011-12-15 14:01 -------- d-sh--w- c:\programdata\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2011-12-15 08:02 . 2011-11-03 22:40 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-15 00:47 . 2011-11-24 04:25 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-12-15 00:47 . 2011-11-05 04:26 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-15 00:47 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-15 00:47 . 2011-10-26 04:28 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-15 00:47 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-15 00:47 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-14 20:10 . 2011-12-14 20:10 -------- d-----w- c:\program files\AVAST Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 21:16 . 2010-10-07 00:01 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2012-01-12 21:16 . 2010-07-28 16:16 58288 ----a-w- c:\windows\system32\rpcnet.dll
2012-01-04 18:32 . 2010-10-07 00:02 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2011-11-21 10:47 . 2011-12-13 17:00 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2AA5DE23-5ED8-470A-9F0E-6367571AC127}\mpengine.dll
2011-11-15 19:29 . 2010-06-25 17:29 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-13 19:54 . 2011-08-16 14:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-06 05:40 . 2011-11-06 05:41 431616 ----a-w- c:\windows\system32\drivers\stwrt.sys
2011-11-06 05:40 . 2011-11-06 05:43 531968 ------w- c:\windows\system32\stapi32.dll
2011-11-06 05:40 . 2011-11-06 05:42 495708 ----a-w- c:\windows\sttray.exe
2011-11-06 05:40 . 2011-11-06 05:42 1953792 ----a-w- c:\windows\system32\stlang.dll
2011-11-06 05:40 . 2011-11-06 05:42 179712 ----a-w- c:\windows\system32\staco.dll
2011-11-06 05:40 . 2011-11-06 05:41 934912 ----a-w- c:\windows\system32\stapo.dll
2011-11-06 05:40 . 2011-11-06 05:41 405504 ----a-w- c:\windows\system32\stcplx.dll
2011-11-06 05:40 . 2011-11-06 05:42 380928 ----a-w- c:\windows\system32\aestecap.dll
2011-11-06 05:40 . 2011-11-06 05:42 86016 ----a-w- c:\windows\system32\AESTCom.dll
2011-11-06 05:40 . 2011-11-06 05:42 12705884 ----a-w- c:\windows\system32\idtcpl.cpl
2011-11-06 05:40 . 2011-11-06 05:42 61440 ----a-w- c:\windows\system32\aestaren.dll
2011-11-06 05:40 . 2011-11-06 05:42 140288 ----a-w- c:\windows\system32\aestacap.dll
2011-12-18 20:01 . 2011-09-14 23:51 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisorDock"="c:\program files\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe" [2010-02-10 1515576]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2011-09-29 107000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-03 1791272]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2011-11-06 495708]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-08-20 1348944]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LightScribe Control Panel"=c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe"
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"estar"=c:\system.sav\Util\HideDOS.EXE c:\system.sav\util\estartwk\twk7.bat
"NortonOnlineBackupReminder"="c:\program files\Symantec\Norton Online Backup\Activation\NOBuActivation.exe" UNATTENDED
"PDF Complete"=c:\program files\PDF Complete\pdfsty.exe
"QLBController"=c:\program files\Hewlett-Packard\HP HotKey Support\QLBController.exe /start
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"HPWirelessAssistant"=c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden
"HPPowerAssistant"=c:\program files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe 120 c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe /hidden
"File Sanitizer"=c:\program files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-09-23 136176]
R2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-10-26 48640]
R2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2009-10-29 47616]
R2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2009-12-12 38912]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-09-23 136176]
R3 qcfilterhp2k;Gobi 2000 USB Composite Device Filter Driver(03F0-251D);c:\windows\system32\DRIVERS\qcfilterhp2k.sys [2010-03-15 5248]
R3 qcusbnethp2k;Gobi 2000 USB-NDIS miniport(03F0-251D);c:\windows\system32\DRIVERS\qcusbnethp2k.sys [2010-03-15 208384]
R3 qcusbserhp2k;Gobi 2000 USB Device for Legacy Serial Communication(03F0-251D);c:\windows\system32\DRIVERS\qcusbserhp2k.sys [2010-03-15 106880]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-11-23 1120752]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2011-01-15 1116656]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-09-29 279656]
R3 rtsuvc;HP Webcam [2 MP Fixed];c:\windows\system32\DRIVERS\rtsuvc.sys [2010-01-30 05:45 73344]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Service;c:\windows\system32\DRIVERS\sbfwim.sys [2010-04-15 68696]
R3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2010-07-27 94040]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\drivers\vpcuxd.sys [2010-11-20 12800]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-25 1343400]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2010-01-08 316416]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-06-25 64288]
S1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2010-07-27 220760]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2010-05-13 98392]
S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2010-07-27 78936]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-06-03 207400]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2011-11-06 81920]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-04-08 172032]
S2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [2011-06-02 133688]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-04-05 103992]
S2 HPDayStarterService;HP DayStarter Service;c:\program files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe [2010-03-25 90112]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-05-21 103992]
S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\Hewlett-Packard\File Sanitizer\HPFSService.exe [2010-01-19 297984]
S2 hpHotkeyMonitor;HP Hotkey Monitor;c:\program files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe [2010-03-01 264248]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2010-06-15 26168]
S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2010-03-06 635416]
S2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [2011-03-16 113264]
S2 QDLService2kHP;Qualcomm Gobi 2000 Download Service (HP);c:\program files\QUALCOMM\QDLService2k\QDLService2kHP.exe [2010-03-15 331000]
S2 rpcld;Remote Procedure Call (RPC) LD;c:\programdata\Rpcnet\Bin\rpcld.exe [x]
S2 SBAMSvc;VIPRE Antivirus Premium;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [2010-08-20 2763080]
S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [2010-06-14 69976]
S2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe [2010-08-20 181584]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2009-10-30 1021256]
S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2010-02-18 1664304]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-04-08 5429760]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-04-08 157184]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-01-07 29472]
S3 SBFWIMCLMP;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\DRIVERS\SBFWIM.sys [2010-04-15 68696]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-02-22 18:38 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-23 23:48]
.
2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-23 23:48]
.
2012-01-02 c:\windows\Tasks\HPCeeScheduleForAdministrator.job
- c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-01-05 10:53]
.
2012-01-06 c:\windows\Tasks\TuneUpUtilities_Task_BkGndMaintenance.job
- c:\program files\TuneUp Utilities 2010\OneClick.exe [2009-10-30 20:13]
.
2012-01-12 c:\windows\Tasks\User_Feed_Synchronization-{19480436-369E-4C2B-AD5E-B736E2BA19A1}.job
- c:\windows\system32\msfeedssync.exe [2011-09-29 13:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\
FF - prefs.js: network.proxy.type - 4
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-wctsys
AddRemove-LSI Soft Modem - c:\windows\agrsmdel
AddRemove-{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226} - c:\program files\InstallShield Installation Information\{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (Administrator)
"Timestamp"=hex:64,8b,c6,12,14,8d,cc,01
.
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,48,24,5a,38,11,8c,bf,43,be,81,3d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,48,24,5a,38,11,8c,bf,43,be,81,3d,\
.
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"
.
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"
.
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.partial\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.PARTIAL"
.
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.SVG"
.
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.URL"
.
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.website\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.WEBSITE"
.
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3960)
c:\program files\Hewlett-Packard\HP Support Framework\Resources\HPSFMessenger\HPSFTaskbar.dll
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\IDT\WDM\STacSV.exe
c:\windows\system32\atieclxx.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\rpcnet.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\taskhost.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\windows\system32\conhost.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\program files\TuneUp Utilities 2010\TuneUpSystemStatusCheck.exe
.
**************************************************************************
.
Completion time: 2012-01-12 16:23:54 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-12 21:23
.
Pre-Run: 210,002,137,088 bytes free
Post-Run: 210,442,407,936 bytes free
.
- - End Of File - - 4DDB77C7469246736A56F793D9B16602


When I got the Windows 7 virus it turned off my Avast virus protection, and the only antivirus software I could get to install was Vipre. I tried to restore to an earlier point so I could try and fix the problems, but the restore option would not work. I tried to restore it to December 15, 2011, before the problems began, but no luck. I don't know what kind of virus or malware I have, but it seems to be getting worse. It seems to be keeping essential Windows programs from running. I could not confirm if the trusted zones were deleted or not because I can't get access, and I am running as administrator. If I have to re-install Windows 7 Professional I think I will lose my Microsoft Office 2007 that came installed with the computer. Does Windows 7 Professional come with that program?
 
I did a system restart and so far all the programs I have tried are working. Is there anything else I need to do to make sure the virus is gone? I now have internet access also.
 
Entry in the Combofix instructions:

Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.

I did a system restart

Do you mean a reboot or a restore?
--------------------------------------------------
There are numerous Services that are not running. They will need to be set to either Manual or Automatic Startup.
DHCP Service isn't running: Dynamic Host Configuration Protocol (DHCP) should be Automatic.
Security Center Service isn't running. Should be Automatic.
Windows Firewall Service isn't running.
Windows Update isn't running.
Restore Points Service isn't running. Should be Manual.

Some needed Services are missing the registry entries.
---------------------
Basically, the Service to connect isn't running, none of the security for the OS is running, and restore points are stopped. Your system will crash, you will lose the connection, and you will not have any restore points to use because the system isn't making any.
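The services listed in the post above, as an added example that is not part of the thread and not the helper's own script: the PowerShell below reads each service's start type and running state through WMI, compares them with the expected values (DHCP Client, Security Center, Windows Firewall and Windows Update automatic and running; the two shadow-copy services that System Restore needs on Windows 7, VSS and swprv, manual), and with -Fix sets the start type and starts the service. The mapping of the helper's descriptions to the short service names, the addition of BFE (Base Filtering Engine, which Windows Firewall depends on) and the file name Check-Services.ps1 in the usage note are assumptions made here.

```powershell
param([switch]$Fix)   # report only by default; -Fix applies the changes

# Added example, not from the thread: audit (and with -Fix, repair) the startup
# type and running state of the Windows 7 services the helper lists as stopped.
# Run from an elevated PowerShell prompt; PowerShell 2.0 as shipped with Windows 7
# is enough. Short names are the standard Windows 7 service names; the expected
# start modes follow the helper's list. BFE is an assumption added here because
# the Windows Firewall service (MpsSvc) depends on it and cannot start without it.
$expected = @(
    @{ Name = 'Dhcp';     Mode = 'Auto';   MustRun = $true  },   # DHCP Client
    @{ Name = 'BFE';      Mode = 'Auto';   MustRun = $true  },   # Base Filtering Engine
    @{ Name = 'MpsSvc';   Mode = 'Auto';   MustRun = $true  },   # Windows Firewall
    @{ Name = 'wscsvc';   Mode = 'Auto';   MustRun = $true  },   # Security Center
    @{ Name = 'wuauserv'; Mode = 'Auto';   MustRun = $true  },   # Windows Update
    @{ Name = 'VSS';      Mode = 'Manual'; MustRun = $false },   # Volume Shadow Copy (restore points)
    @{ Name = 'swprv';    Mode = 'Manual'; MustRun = $false }    # Software Shadow Copy Provider
)

# WMI reports StartMode as 'Auto'/'Manual'/'Disabled'; Set-Service wants 'Automatic'/'Manual'/'Disabled'.
$startupType = @{ 'Auto' = 'Automatic'; 'Manual' = 'Manual' }

foreach ($e in $expected) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($e.Name)"
    if (-not (Test-Path $key)) {
        # No key means the service definition itself is gone ("missing the registry
        # entries" in the post above). Set-Service cannot recreate it: export the key
        # from a known-good Windows 7 machine and import it here, or do a repair install.
        Write-Host ("[MISSING] {0,-9} no registry key at {1}" -f $e.Name, $key)
        continue
    }

    $svc     = Get-WmiObject Win32_Service -Filter ("Name='{0}'" -f $e.Name)
    $modeOk  = ($svc.StartMode -eq $e.Mode)
    $stateOk = (-not $e.MustRun) -or ($svc.State -eq 'Running')
    if ($e.MustRun) { $want = $e.Mode + ', Running' } else { $want = $e.Mode }
    if ($modeOk -and $stateOk) { $tag = 'OK     ' } else { $tag = 'WRONG  ' }
    Write-Host ("[{0}] {1,-9} StartMode={2,-8} State={3,-8} expected {4}" -f $tag, $e.Name, $svc.StartMode, $svc.State, $want)

    if (-not $Fix -or ($modeOk -and $stateOk)) { continue }
    try {
        if (-not $modeOk)  { Set-Service   -Name $e.Name -StartupType $startupType[$e.Mode] -ErrorAction Stop }
        if (-not $stateOk) { Start-Service -Name $e.Name -ErrorAction Stop }
        Write-Host ("          {0,-9} repaired" -f $e.Name)
    } catch {
        # Usual causes: a dependency (listed under DependOnService in the key) is still
        # stopped or disabled, the service's driver or binary is missing, or whatever
        # disabled the services is still active and blocks the start.
        Write-Host ("          {0,-9} FAILED: {1}" -f $e.Name, $_.Exception.Message)
    }
}
```

Save it as Check-Services.ps1, open an elevated PowerShell prompt and run `powershell -ExecutionPolicy Bypass -File .\Check-Services.ps1` to get the report only; add `-Fix` to apply the changes. A service whose registry key is missing is reported as MISSING and left alone, and a start that fails because a dependency is still down shows up as FAILED with the Windows error text, so the report tells you which service to look at next rather than silently half-repairing the set.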
 
All I did was reboot the system. You told me not to do anything you didn't tell me to do, and I haven't; I was just locked out of every program. I couldn't even open the Device Manager or any software program. The only thing I haven't run that you suggested was the ESET Online Scan, because I just now got internet back. What should I do to finish fixing it?
 
I may not have thanked you yet but I do know that you have put a good deal of time in helping me and I appreciate it. I was not able to run the ESET Scanner until now because I did not have internet access but since I have access now here are the results.

Edit: Duplicate Combofix log has been deleted by Bobbye. No Eset log was posted.
 
Cableman did you want to finish up? You still owe me the Eset log. I'm getting ready to close the thread so please let me know.
 
I thought I posted the log and it looks like you deleted it. I don't know anything about a duplicate log. I would not do that. If I can't run a scan or something I'm not going to post a fake or duplicate.

Everything is still running fine but yes, of course I want to make sure the virus is gone and the computer is thoroughly clean. Otherwise what is the use of doing anything?

Where do I need to start now? Do I just need to go back to the beginning and start all over? And sorry about not getting back to you, I thought you gave up on me and also last week was my final week of the semester so it was crazy. I didn't even get any time off between semesters, I am already in new semester now so I have been swamped.

I still don't know what that last message means that you deleted a duplicate file. I would not post a duplicate and I was never able to run Eset log but once. Did I accidentally post the wrong file? Tell me where to start and I will be glad to do it. I am very grateful for your help. I would never do anything like that on purpose. If I posted the wrong thing then it was an accident.

I just ran an ESET scan and here are the results:

C:\Documents and Settings\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\1b0b81d-66b55316 multiple threats
C:\Documents and Settings\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\64a5ca89-7edcc387 a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\Documents and Settings\Administrator\Downloads\[PC games]Mahjong 2006-Solsuite 2007i\SolSuite.2007.rar probably a variant of Win32/Agent.HKUDRIV trojan
C:\Users\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\1b0b81d-66b55316 multiple threats
C:\Users\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\64a5ca89-7edcc387 a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\Users\Administrator\Downloads\[PC games]Mahjong 2006-Solsuite 2007i\SolSuite.2007.rar probably a variant of Win32/Agent.HKUDRIV trojan
 
I was never able to run Eset log but once. Did I accidentally post the wrong file?
No, you left a duplicate log for one and no log for the other. I just fixed it.
Edit: Duplicate Combofix log has been deleted by Bobbye. No Eset log was posted

When I make an Edit to a post, I try to make it clear what I'm doing.

In your case, instead of posting the log from the Eset scan, you pasted in another copy of the Combofix log. I did not place any blame on you- of course it was accidental. I knew you meant to leave the Eset log.

Threads sometimes tend to get very long. When I review your thread, I usually go back to the beginning and review everything again. Having to go through duplicate logs takes time, and that is a very precious commodity for malware helpers.
=================================
Thank you for the Eset log:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files 
    C:\Documents and Settings\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\1b0b81d-66b55316
    C:\Documents and Settings\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\64a5ca89-7edcc387
    C:\Documents and Settings\Administrator\Downloads\[PC games]Mahjong 2006-Solsuite 2007i\SolSuite.2007.rar
    C:\Users\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\1b0b81d-66b55316
    C:\Users\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\64a5ca89-7edcc387
    C:\Users\Administrator\Downloads\[PC games]Mahjong 2006-Solsuite 2007i\SolSuite.2007.rar
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
======================================
Most of the entries were in the Java cache. This usually happens if an outdated version of Java is still on the system.
--------------------------------
There was also malware on the 2 entries for [PC games]Mahjong 2006-Solsuite 2007i\SolSuite.2007.rar These are torrent downloads and you will get malware whenever you download from torrent sites.
======================================
Please consider that instead of closing the thread in 5 days, after a week, I posted instead and asked if you planned to continue. So we both have time issues. Let's get past that and go on.
========================================
Some of the Services need to be reset. I'm working up a list for you to do that. I'm on a Win XP machine right now, so I'm using guidance from the Black Viper site for your Win 7.

Go ahead with OTM. I'll be back as soon as I have the Services list and script to run in Combofix.

Please disable TuneUp while I'm helping you. It has a registry optimizer running.
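The ESET results discussed above, as an added example that is not part of the thread: every hit appears twice because on Vista and Windows 7 `C:\Documents and Settings` is a hidden junction to `C:\Users`, and a scanner that walks the junction reports the same file under both names (the later OTM log shows it: the .rar is "moved successfully" under one path and "not found" under the other). The PowerShell below parses ESET's exported list, folds the junction alias back onto the real path, and splits the unique files into Java deployment cache entries (gone once the cache is emptied; the outdated JRE that ran them is what needs removing) and files that must be removed one by one. The function name Read-EsetLog and the assumption that the export is tab-separated (path, then threat name) are mine; the sample lines are constructed from the results posted in this thread.

```powershell
# Added example, not part of the thread: parse an ESET Online Scanner text log,
# collapse the duplicate hits produced by the 'C:\Documents and Settings' junction
# (on Vista and Windows 7 it is a hidden junction to 'C:\Users', so a scanner that
# walks it reports every file twice), and split the unique paths into Java
# deployment cache entries and files that need individual removal.
# Assumption: ESET's exported list is tab-separated (path<TAB>threat name).
# Read-EsetLog and the sample lines are constructed here from the results above.

function Read-EsetLog([string[]]$Lines) {
    foreach ($line in $Lines) {
        # the path starts with a drive letter; everything after the first tab is the verdict
        if ($line -notmatch '^\s*([A-Za-z]:\\[^\t]+?)\t+(.+?)\s*$') { continue }
        $path = $matches[1] -ireplace '^C:\\Documents and Settings\\', 'C:\Users\'
        New-Object PSObject -Property @{ Path = $path; Threat = $matches[2] }
    }
}

# Constructed sample: the six lines from the ESET scan posted in this thread.
$sample = @(
    @('C:\Documents and Settings\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\1b0b81d-66b55316', 'multiple threats'),
    @('C:\Documents and Settings\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\64a5ca89-7edcc387', 'a variant of Java/TrojanDownloader.Agent.NDJ trojan'),
    @('C:\Documents and Settings\Administrator\Downloads\[PC games]Mahjong 2006-Solsuite 2007i\SolSuite.2007.rar', 'probably a variant of Win32/Agent.HKUDRIV trojan'),
    @('C:\Users\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\1b0b81d-66b55316', 'multiple threats'),
    @('C:\Users\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\64a5ca89-7edcc387', 'a variant of Java/TrojanDownloader.Agent.NDJ trojan'),
    @('C:\Users\Administrator\Downloads\[PC games]Mahjong 2006-Solsuite 2007i\SolSuite.2007.rar', 'probably a variant of Win32/Agent.HKUDRIV trojan')
) | ForEach-Object { $_ -join "`t" }

# Sort-Object -Unique drops the junction duplicates once the paths are normalized.
$hits      = @(Read-EsetLog $sample | Sort-Object Path -Unique)
$javaCache = @($hits | Where-Object { $_.Path -like    '*\Sun\Java\Deployment\cache\*' })
$other     = @($hits | Where-Object { $_.Path -notlike '*\Sun\Java\Deployment\cache\*' })

"{0} log lines -> {1} unique files" -f $sample.Count, $hits.Count
"Java deployment cache (emptying the cache removes these; the outdated JRE that ran them is the real problem):"
$javaCache | ForEach-Object { "  {0}  [{1}]" -f $_.Path, $_.Threat }
"Other files (remove each one, then empty the Recycle Bin):"
$other     | ForEach-Object { "  {0}  [{1}]" -f $_.Path, $_.Threat }
```

Run against a real export, replace the `$sample` construction with `Get-Content .\ESETScan.txt`. On the thread's six lines the output is 3 unique files: two Java cache entries and the SolSuite archive, which is why the OTM script only had to move one real file.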
 
Here are the results. They were hard to copy and paste:

All processes killed
========== FILES ==========
File/Folder C:\Documents and Settings\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\1b 0b81d-66b55316 not found.
File/Folder C:\Documents and Settings\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\64a 5ca89-7edcc387 not found.
C:\Documents and Settings\Administrator\Downloads\[PC games]Mahjong 2006-Solsuite 2007i\SolSuite.2007.rar moved successfully.
File/Folder C:\Users\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\1b 0b81d-66b55316 not found.
File/Folder C:\Users\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\64a 5ca89-7edcc387 not found.
File/Folder C:\Users\Administrator\Downloads\[PC games]Mahjong 2006-Solsuite 2007i\SolSuite.2007.rar not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 56312625 bytes
->Temporary Internet Files folder emptied: 10747997 bytes
->Java cache emptied: 51360 bytes
->FireFox cache emptied: 802337298 bytes
->Google Chrome cache emptied: 21922573 bytes
->Flash cache emptied: 107564 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56504 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: user
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56504 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 726652 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 3837493 bytes

Total Files Cleaned = 855.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

User: user
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 02052012_075819

Files moved on Reboot...
C:\windows\temp\FXSAPIDebugLogFile.txt moved successfully.
C:\windows\temp\FXSTIFFDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...
 
Well, when I restarted the computer it seemed to straighten out. I got control back over my programs and internet access and download abilities, but I hold no misconceptions; there is still some malware lurking somewhere waiting to do more damage. How can I make sure to delete all bad malware etc.?

I will stay on top of your instructions now, I was in the middle of a small crisis before.
 
Okay, we'll check these 2 scans:

If you still have Malwarebytes on the system, please uninstall it. Then download and run again:


Malwarebytes' Anti-Malware
  • Please download Malwarebytes' Anti-Malware from HERE
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    [o] Update Malwarebytes' Anti-Malware
    [o] and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please attach this log with your reply
    Note: on opening Notepad, click on Format> make sure Word Wrap is unchecked.
    [o] If you accidentally close it, the log file is saved here and will be named like this:
    [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
========================
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
 
"Here are the two logs"

Edit: Pasted logs and attached log are all copies of previous logs. There is no new Eset scan or Malwarebytes log per the following:
  • You ran the Eset scan 2 weeks ago.
  • A week later, (1 week ago) you ran OTM and pasted the log: You made the comment "they were hard to copy and paste."
  • 5 days ago, I made this reply: " It's been a month cableman. Please give me an update on the system."
  • 1 day ago, I replied "Okay, we'll check these 2 scans:" The two scans I asked for were for a new Malwarebytes and a new Eset Online virus scan.
  • 9 hours ago, you replied "Here are the two logs"
  • Then you pasted in 5 copies of the original OTM log:
    Total Files Cleaned = 855.00 mb
    OTM by OldTimer - Version 3.1.19.0 log created on 02052012_075819
  • You added "I don't know if that last log copied right so I added it as an attachment " naming it 'malware log.'> it was another copy of the original Eset scan log from 2 weeks ago.

I have deleted all of the logs and the attachment as they are all multiple copies of the same logs.
Perhaps you can undertake this at another time.

The thread was started over a month ago. This thread is now closed.

"I don't know if that last log copied right so I added it as an attachment"> attachment is old log.
 