Inactive How can I disinfect my PC from cloudav 2012 virus

I think something is recreating those bad DNS settings.
We must run some more malware scans.
Go ahead with my reply #7 and run aswMBR and Combofix.
 
Found rootkit.zeroaccess

ComboFix said it found rootkit.zeroaccess and then it rebooted. I don't see any log anywhere, not on the C drive or the desktop. Should I run it again?

Below is the aswMBR log (which I ran before ComboFix):
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-11-27 23:10:11
-----------------------------
23:10:11.140 OS Version: Windows 6.0.6002 Service Pack 2
23:10:11.140 Number of processors: 2 586 0xF0B
23:10:11.140 ComputerName: KOHENFAMILY UserName:
23:10:25.258 Initialize success
23:10:33.090 AVAST engine download error: 0
23:10:44.415 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
23:10:44.415 Disk 0 Vendor: WDC_WD6400AAKS-75A7B0 01.03B01 Size: 610480MB BusType: 3
23:10:46.443 Disk 0 MBR read successfully
23:10:46.443 Disk 0 MBR scan
23:10:46.459 Disk 0 Windows VISTA default MBR code
23:10:46.490 Disk 0 scanning sectors +1250260992
23:10:46.724 Disk 0 scanning C:\Windows\system32\drivers
23:11:04.945 Service scanning
23:11:05.584 Service .afd \* **LOCKED** 123
23:11:05.600 Service .dfsc \* **LOCKED** 123
23:11:05.600 Service .netbt \* **LOCKED** 123
23:11:05.600 Service .smb \* **LOCKED** 123
23:11:06.661 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
23:11:08.361 Modules scanning
23:11:16.255 Disk 0 trace - called modules:
23:11:16.317 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys
23:11:16.317 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x854a4030]
23:11:16.317 3 CLASSPNP.SYS[8a3ac8b3] -> nt!IofCallDriver -> [0x852d3238]
23:11:16.333 5 acpi.sys[8069a6bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x852db528]
23:11:16.333 Scan finished successfully
23:12:04.615 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
23:12:04.646 The log file has been saved successfully to "E:\aswMBR.txt"
 
Should I have run ComboFix by right-clicking on it first and running it as administrator, since it did mention something about that when it had already begun running?
 
ComboFix report

I reran it as administrator. It rebooted, and here are the logs.

ComboFix 11-11-27.02 - Kohen Family 11/27/2011 23:49:44.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3060.2484 [GMT -5:00]
Running from: c:\users\Kohen Family\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
C:\ipconfig.txt
c:\program files\LP
c:\program files\LP\F698\1120.tmp
c:\program files\LP\F698\2C9B.tmp
c:\program files\LP\F698\2E50.tmp
c:\program files\LP\F698\2FEB.tmp
c:\program files\LP\F698\48F3.tmp
c:\program files\LP\F698\5DDA.tmp
c:\program files\LP\F698\7FBC.tmp
c:\program files\LP\F698\8EE6.tmp
c:\program files\LP\F698\90CF.tmp
c:\program files\LP\F698\9FF6.tmp
c:\program files\LP\F698\A778.tmp
c:\program files\LP\F698\A7C6.tmp
c:\program files\LP\F698\B6E1.tmp
c:\program files\LP\F698\BCBA.tmp
c:\program files\LP\F698\C37E.tmp
c:\program files\LP\F698\C65A.tmp
c:\program files\LP\F698\E207.tmp
c:\programdata\defragcs.exe
c:\programdata\hsthst.exe
c:\programdata\htmlkb.exe
c:\programdata\Tarma Installer
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\users\Kohen Family\AppData\Roaming\ctfmsi.exe
c:\users\Kohen Family\AppData\Roaming\labelfast.exe
c:\users\Kohen Family\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
c:\users\Kohen Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AV Protection 2011
c:\users\Kohen Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AV Protection 2011\AV Protection 2011.lnk
c:\users\Kohen Family\AppData\Roaming\Mozilla\Firefox\Profiles\ogqkxu5k.default\searchplugins\bing-zugo.xml
c:\users\Kohen Family\AppData\Roaming\playmsi.exe
c:\users\Kohen Family\AppData\Roaming\y777dEEL8gR
c:\users\Kohen Family\AppData\Roaming\y777dEEL8gR\Cloud AV 2012.ico
c:\users\Kohen Family\Desktop\AV Protection 2011.lnk
c:\users\Kohen Family\Documents\~WRL0001.tmp
c:\users\Kohen Family\Documents\~WRL0003.tmp
c:\users\Kohen Family\Documents\~WRL0005.tmp
c:\users\Kohen Family\Documents\~WRL0006.tmp
c:\users\Kohen Family\Documents\~WRL1901.tmp
c:\users\Kohen Family\Documents\~WRL2164.tmp
c:\users\Kohen Family\Documents\~WRL2642.tmp
c:\users\Mr. Vrumbo\AppData\Local\auditpol.dll
c:\users\Mr. Vrumbo\AppData\Local\auditpol.exe
c:\users\Mr. Vrumbo\AppData\Roaming\ctfmsi.exe
c:\users\Mr. Vrumbo\AppData\Roaming\labelfast.exe
c:\users\Mr. Vrumbo\AppData\Roaming\MediaWmplay\FlashPlugin\FlashUtil250_ActiveX.exe
c:\users\Mr. Vrumbo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AV Protection 2011
c:\users\Mr. Vrumbo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AV Protection 2011\AV Protection 2011.lnk
c:\users\Mr. Vrumbo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AV Security 2012
c:\users\Mr. Vrumbo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AV Security 2012\AV Security 2012.lnk
c:\users\Mr. Vrumbo\AppData\Roaming\playmsi.exe
c:\users\Mr. Vrumbo\Desktop\AV Protection 2011.lnk
.
c:\windows\system32\drivers\cdrom.sys was missing
Restored copy from - c:\windows\System32\DriverStore\FileRepository\cdrom.inf_c949a5b6\cdrom.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_.afd
-------\Service_.netbt
.
.
((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-28 )))))))))))))))))))))))))))))))
.
.
2011-11-28 05:03 . 2011-11-28 05:03 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CE8EA356-BDFB-4D3D-94D9-94A1DD8B0691}\offreg.dll
2011-11-28 04:58 . 2011-11-28 04:58 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Local\temp
2011-11-28 04:58 . 2011-11-28 04:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-28 04:58 . 2009-04-11 04:39 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-11-27 20:41 . 2011-11-27 20:41 -------- d-----w- C:\afdstuff
2011-11-27 07:55 . 2011-04-14 14:59 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-11-27 07:43 . 2009-04-11 04:45 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2011-11-27 07:43 . 2011-04-21 13:58 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-11-27 02:37 . 2011-11-27 02:37 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\Malwarebytes
2011-11-27 02:06 . 2011-11-27 02:06 -------- d-----w- c:\users\admin
2011-11-25 05:24 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CE8EA356-BDFB-4D3D-94D9-94A1DD8B0691}\mpengine.dll
2011-11-25 04:43 . 2011-11-25 04:43 302592 ----a-w- C:\eurwzonsgmer.exe
2011-11-25 04:43 . 2011-11-25 04:44 607260 ----a-w- C:\dds.scr
2011-11-24 06:00 . 2011-05-12 19:03 6144 ------w- c:\windows\system32\9D14.tmp
2011-11-24 06:00 . 2011-05-12 19:03 6144 ------w- c:\windows\system32\76A0.tmp
2011-11-23 19:45 . 2011-11-23 19:45 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\GobF4pmG5Q
2011-11-23 19:45 . 2011-11-23 19:45 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\nH5Q7dEK8R9YwUe
2011-11-23 14:20 . 2011-11-23 14:20 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\QiivvD3oon4am5s
2011-11-23 14:20 . 2011-11-23 14:20 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\xCeellIBrzPNyAu
2011-11-23 14:20 . 2011-11-23 14:20 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\jnFFF4pmH5sQJdK
2011-11-23 05:04 . 2011-11-23 05:04 -------- d-----w- c:\program files\Sophos
2011-11-23 05:03 . 2011-11-23 05:04 1410192 ----a-w- C:\sophos anti rootkit.exe
2011-11-23 03:00 . 2011-11-25 04:21 -------- d-----w- c:\users\Kohen Family\AppData\Local\LogMeIn Rescue Applet
2011-11-23 00:09 . 2011-11-23 00:09 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\wfEL8gThYwUrOtP
2011-11-23 00:09 . 2011-11-23 02:25 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\tIBrzPNyx1
2011-11-23 00:09 . 2011-11-23 00:09 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\R6dEK8fRZhXjCl
2011-11-23 00:09 . 2011-11-23 00:09 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\DonG4amH6W7E8Tq
2011-11-23 00:06 . 2011-11-23 00:06 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\WZjBx2mdLjBx2n6
2011-11-23 00:06 . 2011-11-23 00:06 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\Lm7RwOyDpJgXlNv
2011-11-22 23:57 . 2011-11-22 23:57 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\Pi3QK7fELgZjCk
2011-11-22 23:57 . 2011-11-22 23:57 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\w0S35HWkOAci3QK
2011-11-22 23:57 . 2011-11-22 23:57 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\HhUIzy0S35HWkOA
2011-11-22 23:19 . 2011-11-22 23:19 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\ES2ibD3pn4Q6W
2011-11-22 23:19 . 2011-11-22 23:19 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\piD3o5sWJdLgZhX
2011-11-22 14:42 . 2011-11-22 14:42 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\mFF4pmH5sQ
2011-11-22 14:42 . 2011-11-22 14:42 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\NelOOttPyc1iDo
2011-11-22 14:42 . 2011-11-22 14:42 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\oD3onG4aHWEgqYw
2011-11-22 14:42 . 2011-11-23 02:25 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\wBtz0ycA1v2n4HQ
2011-11-22 14:42 . 2011-11-22 14:42 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\SwkUVrlOt01vo4m
2011-11-22 13:42 . 2011-11-22 13:42 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\hE9gTZjYCkVlx0c
2011-11-22 13:42 . 2011-11-22 13:42 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\daQH6sWK7
2011-11-22 02:48 . 2011-11-22 02:48 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\Bbp5JEf9XUlrPy1
2011-11-22 02:48 . 2011-11-22 02:48 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\iwjUVelIBz
2011-11-22 02:28 . 2011-11-22 02:28 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\mSS22obbF3mG5
2011-11-22 02:28 . 2011-11-22 02:28 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\tCCwwkIIVrONtP0
2011-11-22 00:37 . 2011-11-22 00:38 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\BONtxA0uc2
2011-11-22 00:37 . 2011-11-22 00:37 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\oK7fRL9gTqYeIr
2011-11-22 00:26 . 2011-11-22 00:26 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\WFFF3pmG5aQJ
2011-11-22 00:26 . 2011-11-22 00:26 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\weeelIBzNyA1uSo
2011-11-22 00:26 . 2011-11-22 00:26 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\rJ77fEEL8gTZhYw
2011-11-22 00:26 . 2011-11-22 00:26 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\dHHH66dWK7fR9gX
2011-11-22 00:25 . 2011-11-22 00:25 -------- d-----w- c:\programdata\WeCareReminder
2011-11-22 00:25 . 2011-11-22 00:25 -------- d-----w- c:\program files\Yontoo Layers Runtime
2011-11-22 00:25 . 2011-11-22 00:25 -------- d-----w- c:\program files\FoxTabFLVPlayer
2011-11-21 21:25 . 2011-11-21 21:25 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\jRRLL99hTXqUCkI
2011-11-21 21:25 . 2011-11-21 21:25 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\SF33ppmG5aQJdW8
2011-11-21 21:25 . 2011-11-21 21:25 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\vvvDD3onn4amH
2011-11-21 21:25 . 2011-11-21 21:25 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\tkkkIBBrzONyA0v
2011-11-21 13:12 . 2011-11-24 18:26 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\MediaWmplay
2011-11-16 18:59 . 2011-11-21 13:12 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\Apple Computer
2011-11-16 18:24 . 2011-11-16 18:24 709968 ----a-w- c:\windows\is-820P7.exe
2011-11-16 18:22 . 2011-11-16 18:22 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\yfEL9gTZqYIrOtP
2011-11-16 18:22 . 2011-11-16 18:22 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\gcS2ibD3pGa
2011-11-16 18:19 . 2011-11-16 18:19 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Local\Apple
2011-11-16 18:19 . 2011-11-16 18:19 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\NvD3onF4aHsJdLg
2011-11-16 18:19 . 2011-11-16 18:19 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\GwkUVrlOBx0c1
2011-11-16 03:59 . 2011-11-16 03:59 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\axAS26dWfLgXj
2011-11-16 03:59 . 2011-11-16 03:59 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\BpmG5aQJ6W
2011-11-16 01:29 . 2011-11-16 01:29 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\NUVrlOBtx0ci34H
2011-11-16 01:29 . 2011-11-16 01:29 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\eG4amH6sW7E8qYw
2011-11-16 01:25 . 2011-11-16 01:25 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\djYCekIVrOtAuSi
2011-11-16 01:25 . 2011-11-16 01:25 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\H3pnG5aQHdKfLgX
2011-11-16 01:25 . 2011-11-24 05:59 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\867C5
2011-11-16 00:38 . 2011-11-24 05:59 -------- d-----w- c:\program files\C55A6
2011-11-16 00:37 . 2011-11-16 00:37 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\lyyxxA0uvS2i
2011-11-16 00:37 . 2011-11-16 00:37 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\cFFF3ppnG5aH6WK
2011-11-16 00:37 . 2011-11-23 02:25 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\867C5
2011-11-16 00:37 . 2011-11-16 00:37 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\eoonnF4ppH5
2011-11-16 00:37 . 2011-11-16 00:37 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\VTTTZZqhYCwkVrO
2011-11-15 02:36 . 2011-11-27 02:48 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\Urpoxuu
2011-11-15 02:36 . 2011-11-22 17:11 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\Qyhoil
2011-11-09 19:07 . 2011-09-20 21:02 913280 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 19:07 . 2011-09-20 13:44 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2011-11-09 19:07 . 2011-09-30 15:57 707584 ----a-w- c:\program files\Common Files\System\wab32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 23:49 . 2011-10-10 23:50 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E2450EA3-F9BA-48B9-84ED-4A9CC51A9977}\gapaengine.dll
2011-10-07 03:48 . 2011-07-07 19:30 6668624 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-03 23:45 . 2011-06-05 13:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-06 13:30 . 2011-10-12 18:01 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-09-01 02:35 . 2011-10-13 07:01 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-09-01 02:28 . 2011-10-13 07:01 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-09-01 02:22 . 2011-10-13 07:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-08-31 22:00 . 2011-07-05 19:20 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-10 13:39 . 2011-07-05 11:55 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-10-20 17:51 2846008 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-10-20 17:51 2846008 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-22 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-22 133656]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-11 4452352]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
mozystat - Shortcut.lnk - c:\program files\MozyHome\mozystat.exe [2009-10-20 2890552]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-6-14 50688]
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-06-14 07:19 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2008-03-11 16:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2008-02-29 04:18 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-579958825-4098481908-445513631-1000]
"EnableNotificationsRef"=dword:00000011
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-579958825-4098481908-445513631-1001]
"EnableNotificationsRef"=dword:00000005
.
R1 azwqdmsl;azwqdmsl;c:\windows\system32\drivers\azwqdmsl.sys [x]
R1 durolbsl;durolbsl;c:\windows\system32\drivers\durolbsl.sys [x]
R4 dlbk_device;dlbk_device;c:\windows\system32\dlbkcoms.exe [2007-06-26 537840]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PXHELP20
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-19 00:33]
.
2011-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-19 00:33]
.
2011-11-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-579958825-4098481908-445513631-1000Core.job
- c:\users\Kohen Family\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-26 13:49]
.
2011-11-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-579958825-4098481908-445513631-1000UA.job
- c:\users\Kohen Family\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-26 13:49]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2080614
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {4ECE056F-E50F-4F9D-B069-EB342D21F26A} - hxxp://www2.snapfish.com/SnapfishActivia3.cab
DPF: {8D7624E2-F8CB-412B-9132-FD571DBA78FB} - hxxp://tegrity2.wku.edu/tegrity/_instructor/RecInstaller.CAB
FF - ProfilePath - c:\users\Kohen Family\AppData\Roaming\Mozilla\Firefox\Profiles\ogqkxu5k.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/?pc=Z128&install_date=20111122
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z128&form=ZGAADF&install_date=20111122&q=
FF - user.js: extentions.y2layers.installId - 8625a1ba-eb43-4878-8f4a-915138a31e75
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-\defragcs.exe - c:\programdata\defragcs.exe
HKCU-Run-\labelfast.exe - c:\users\Kohen Family\AppData\Roaming\labelfast.exe
HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe
MSConfigStartUp-auditpol - c:\users\Mr. Vrumbo\AppData\Local\auditpol.exe
MSConfigStartUp-jusched - c:\users\Mr. Vrumbo\AppData\Roaming\MediaWmplay\FlashPlugin\FlashUtil250_ActiveX.exe
MSConfigStartUp-qcJRllLRFlik - c:\programdata\qcJRllLRFlik.exe
MSConfigStartUp-rKxvcCJKbICCWeF - c:\programdata\rKxvcCJKbICCWeF.exe
MSConfigStartUp-StartNowToolbarHelper - c:\program files\StartNow Toolbar\ToolbarHelper.exe
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\progra~2\TARMAI~1\{889DF~1\Setup.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
[0] 0x2D000000
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\.dfsc]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\.smb]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\D864.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1432)
c:\program files\MozyHome\mozyshell.dll
c:\windows\system32\igfxsrvc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\helppane.exe
.
**************************************************************************
.
Completion time: 2011-11-28 00:09:00 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-28 05:08
.
Pre-Run: 251,837,456,384 bytes free
Post-Run: 251,600,265,216 bytes free
.
- - End Of File - - CF7EB34F630C542110B5034661C0F781
 
Any particular reason why you ran Combofix in Safe Mode?

1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\9D14.tmp
c:\windows\system32\76A0.tmp
c:\windows\is-820P7.exe
c:\windows\system32\drivers\azwqdmsl.sys
c:\windows\system32\drivers\durolbsl.sys


Folder::
c:\users\Kohen Family\AppData\Roaming\jnFFF4pmH5sQJdK
c:\users\Kohen Family\AppData\Roaming\xCeellIBrzPNyAu
c:\users\Kohen Family\AppData\Roaming\QiivvD3oon4am5s
c:\users\Kohen Family\AppData\Roaming\nH5Q7dEK8R9YwUe
c:\users\Kohen Family\AppData\Roaming\GobF4pmG5Q
c:\users\Mr. Vrumbo\AppData\Roaming\oK7fRL9gTqYeIr
c:\users\Mr. Vrumbo\AppData\Roaming\BONtxA0uc2
c:\users\Mr. Vrumbo\AppData\Roaming\tCCwwkIIVrONtP0
c:\users\Mr. Vrumbo\AppData\Roaming\mSS22obbF3mG5
c:\users\Kohen Family\AppData\Roaming\iwjUVelIBz
c:\users\Kohen Family\AppData\Roaming\Bbp5JEf9XUlrPy1
c:\users\Mr. Vrumbo\AppData\Roaming\daQH6sWK7
c:\users\Mr. Vrumbo\AppData\Roaming\hE9gTZjYCkVlx0c
c:\users\Mr. Vrumbo\AppData\Roaming\SwkUVrlOt01vo4m
c:\users\Mr. Vrumbo\AppData\Roaming\wBtz0ycA1v2n4HQ
c:\users\Mr. Vrumbo\AppData\Roaming\oD3onG4aHWEgqYw
c:\users\Mr. Vrumbo\AppData\Roaming\NelOOttPyc1iDo
c:\users\Mr. Vrumbo\AppData\Roaming\mFF4pmH5sQ
c:\users\Kohen Family\AppData\Roaming\piD3o5sWJdLgZhX
c:\users\Kohen Family\AppData\Roaming\ES2ibD3pn4Q6W
c:\users\Mr. Vrumbo\AppData\Roaming\HhUIzy0S35HWkOA
c:\users\Mr. Vrumbo\AppData\Roaming\w0S35HWkOAci3QK
c:\users\Mr. Vrumbo\AppData\Roaming\Pi3QK7fELgZjCk
c:\users\Kohen Family\AppData\Roaming\Lm7RwOyDpJgXlNv
c:\users\Kohen Family\AppData\Roaming\WZjBx2mdLjBx2n6
c:\users\Kohen Family\AppData\Roaming\DonG4amH6W7E8Tq
c:\users\Kohen Family\AppData\Roaming\R6dEK8fRZhXjCl
c:\users\Kohen Family\AppData\Roaming\tIBrzPNyx1
c:\users\Kohen Family\AppData\Roaming\wfEL8gThYwUrOtP
c:\users\Kohen Family\AppData\Roaming\dHHH66dWK7fR9gX
c:\users\Kohen Family\AppData\Roaming\rJ77fEEL8gTZhYw
c:\users\Kohen Family\AppData\Roaming\weeelIBzNyA1uSo
c:\users\Kohen Family\AppData\Roaming\WFFF3pmG5aQJ
c:\users\Mr. Vrumbo\AppData\Roaming\Apple Computer
c:\users\Mr. Vrumbo\AppData\Roaming\MediaWmplay
c:\users\Kohen Family\AppData\Roaming\tkkkIBBrzONyA0v
c:\users\Kohen Family\AppData\Roaming\vvvDD3onn4amH
c:\users\Kohen Family\AppData\Roaming\SF33ppmG5aQJdW8
c:\users\Kohen Family\AppData\Roaming\jRRLL99hTXqUCkI
c:\users\Mr. Vrumbo\AppData\Roaming\Qyhoil
c:\users\Mr. Vrumbo\AppData\Roaming\Urpoxuu
c:\users\Mr. Vrumbo\AppData\Roaming\VTTTZZqhYCwkVrO
c:\users\Mr. Vrumbo\AppData\Roaming\eoonnF4ppH5
c:\users\Mr. Vrumbo\AppData\Roaming\867C5
c:\users\Mr. Vrumbo\AppData\Roaming\cFFF3ppnG5aH6WK
c:\users\Mr. Vrumbo\AppData\Roaming\lyyxxA0uvS2i
c:\program files\C55A6
c:\users\Kohen Family\AppData\Roaming\867C5
c:\users\Kohen Family\AppData\Roaming\H3pnG5aQHdKfLgX
c:\users\Kohen Family\AppData\Roaming\djYCekIVrOtAuSi
c:\users\Mr. Vrumbo\AppData\Roaming\eG4amH6sW7E8qYw
c:\users\Mr. Vrumbo\AppData\Roaming\NUVrlOBtx0ci34H
c:\users\Mr. Vrumbo\AppData\Roaming\BpmG5aQJ6W
c:\users\Mr. Vrumbo\AppData\Roaming\axAS26dWfLgXj
c:\users\Mr. Vrumbo\AppData\Roaming\GwkUVrlOBx0c1
c:\users\Mr. Vrumbo\AppData\Roaming\NvD3onF4aHsJdLg
c:\users\Kohen Family\AppData\Roaming\gcS2ibD3pGa
c:\users\Kohen Family\AppData\Roaming\yfEL9gTZqYIrOtP


Driver::
azwqdmsl
durolbsl

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\.dfsc]
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\.smb]


3. Save the above as CFScript.txt

4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: CFScript.gif]



6. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
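An added example, not from this thread or from ComboFix itself: a Python script that reads log lines in the format quoted above and drafts the File::/Folder::/Driver::/Registry:: sections the helper assembled by hand. The sample lines are constructed to match the log's layout, and the "random folder name" and path heuristics are my assumptions modelled on the helper's choices, so names such as Qyhoil that the helper picked out by eye are deliberately left for a human to review.

```python
import re

# Constructed sample: a few lines written in the format of the ComboFix log sections
# quoted in the thread (Files Created, R-numbered driver entries, service keys).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-28 )))))))))))))))))))))))))))))))
.
2011-11-24 06:00 . 2011-05-12 19:03 6144 ------w- c:\windows\system32\9D14.tmp
2011-11-23 19:45 . 2011-11-23 19:45 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\GobF4pmG5Q
2011-11-23 05:04 . 2011-11-23 05:04 -------- d-----w- c:\program files\Sophos
2011-11-22 02:48 . 2011-11-22 02:48 -------- d-----w- c:\users\Kohen Family\AppData\Roaming\iwjUVelIBz
2011-11-16 18:24 . 2011-11-16 18:24 709968 ----a-w- c:\windows\is-820P7.exe
2011-11-16 00:38 . 2011-11-24 05:59 -------- d-----w- c:\program files\C55A6
2011-11-15 02:36 . 2011-11-22 17:11 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\Qyhoil
2011-11-09 19:07 . 2011-09-20 21:02 913280 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
R1 azwqdmsl;azwqdmsl;c:\windows\system32\drivers\azwqdmsl.sys [x]
R4 dlbk_device;dlbk_device;c:\windows\system32\dlbkcoms.exe [2007-06-26 537840]
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\.dfsc]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\D864.tmp"
"""

# "created . modified size attrs path" lines from the Files Created section
CREATED_RE = re.compile(
    r'^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d '
    r'(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$')
# Service entries whose driver file is gone: "R1 name;display;path [x]"
DRIVER_RE = re.compile(r'^R\d (?P<name>[^;]+);[^;]*;(?P<path>.+) \[x\]$')
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
# Service keys whose ImagePath was replaced by "\*" (the .dfsc/.smb entries above)
IMAGEPATH_STAR_RE = re.compile(r'^"ImagePath"="\\\*"$')
# Assumption mirroring the helper's picks: .tmp files in system32, executables directly in \windows
SUSPECT_FILE_RE = re.compile(r'^c:\\windows\\(system32\\[^\\]+\.tmp|[^\\]+\.exe)$', re.I)
# Drop folders in the thread sat directly under these parents
SUSPECT_PARENTS = (r'\appdata\roaming', r'\program files')


def looks_random(name: str) -> bool:
    """Assumed heuristic for rogue-AV drop folders: one alphanumeric token that mixes
    digits with letters, or flips letter case unusually often (e.g. iwjUVelIBz)."""
    if not re.fullmatch(r'[A-Za-z0-9]{5,}', name):
        return False
    if re.search(r'\d', name):
        return True
    switches = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return switches >= 4


def build_cfscript(log_text: str) -> dict:
    """Walk the log once and collect candidates for each CFScript section."""
    files, folders, drivers, keys = [], [], [], []
    current_key = None
    for line in log_text.splitlines():
        line = line.strip()
        m = CREATED_RE.match(line)
        if m:
            path = m.group('path')
            parent, _, name = path.rpartition('\\')
            if m.group('attrs').startswith('d'):
                if parent.lower().endswith(SUSPECT_PARENTS) and looks_random(name):
                    folders.append(path)
            elif SUSPECT_FILE_RE.match(path):
                files.append(path)
            continue
        m = DRIVER_RE.match(line)
        if m:  # remove both the service entry and the driver file, as the helper did
            drivers.append(m.group('name'))
            files.append(m.group('path'))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group('key')
            continue
        if IMAGEPATH_STAR_RE.match(line) and current_key:
            keys.append(current_key)
    return {'File': files, 'Folder': folders, 'Driver': drivers, 'Registry': keys}


def render_cfscript(sections: dict) -> str:
    """Emit the draft in the CFScript layout shown in the helper's codebox."""
    out = []
    for header in ('File', 'Folder', 'Driver'):
        if sections[header]:
            out.append(header + '::')
            out.extend(sections[header])
            out.append('')
    if sections['Registry']:
        out.append('Registry::')
        out.extend('[-%s]' % k for k in sections['Registry'])  # [-key] deletes the key
    return '\n'.join(out)


if __name__ == '__main__':
    print(render_cfscript(build_cfscript(SAMPLE_LOG)))
```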
 
The reason I used Safe Mode was that during this virus, every time I would log into normal mode, the PC would blue screen. That's why I was constantly mentioning that I was using Safe Mode; I hope it doesn't mess anything up. At this point it probably won't blue screen, but I figured I'd keep testing under the same login that I was using throughout our troubleshooting, and that was in Safe Mode.

I started a backup of this system before this last post, and it's going to take a while. I will attempt what you mentioned first thing tomorrow morning; it's 12:45 am by me now.

I really appreciate all the work you have done for me. Thanks!
 
Good morning!

ComboFix 11-11-27.02 - Kohen Family 11/28/2011 7:34.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3060.2530 [GMT -5:00]
Running from: c:\users\Kohen Family\Desktop\ComboFix.exe
Command switches used :: c:\users\Kohen Family\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\is-820P7.exe"
"c:\windows\system32\76A0.tmp"
"c:\windows\system32\9D14.tmp"
"c:\windows\system32\drivers\azwqdmsl.sys"
"c:\windows\system32\drivers\durolbsl.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\C55A6
c:\users\Kohen Family\AppData\Roaming\867C5
c:\users\Kohen Family\AppData\Roaming\867C5\55A6.67C
c:\users\Kohen Family\AppData\Roaming\Bbp5JEf9XUlrPy1
c:\users\Kohen Family\AppData\Roaming\Bbp5JEf9XUlrPy1\AV Protection 2011.ico
c:\users\Kohen Family\AppData\Roaming\dHHH66dWK7fR9gX
c:\users\Kohen Family\AppData\Roaming\djYCekIVrOtAuSi
c:\users\Kohen Family\AppData\Roaming\djYCekIVrOtAuSi\AV Security 2012.ico
c:\users\Kohen Family\AppData\Roaming\DonG4amH6W7E8Tq
c:\users\Kohen Family\AppData\Roaming\ES2ibD3pn4Q6W
c:\users\Kohen Family\AppData\Roaming\ES2ibD3pn4Q6W\AV Protection 2011.ico
c:\users\Kohen Family\AppData\Roaming\gcS2ibD3pGa
c:\users\Kohen Family\AppData\Roaming\GobF4pmG5Q
c:\users\Kohen Family\AppData\Roaming\GobF4pmG5Q\Cloud AV 2012.ico
c:\users\Kohen Family\AppData\Roaming\H3pnG5aQHdKfLgX
c:\users\Kohen Family\AppData\Roaming\iwjUVelIBz
c:\users\Kohen Family\AppData\Roaming\jnFFF4pmH5sQJdK
c:\users\Kohen Family\AppData\Roaming\jRRLL99hTXqUCkI
c:\users\Kohen Family\AppData\Roaming\jRRLL99hTXqUCkI\AV Protection 2011.ico
c:\users\Kohen Family\AppData\Roaming\Lm7RwOyDpJgXlNv
c:\users\Kohen Family\AppData\Roaming\nH5Q7dEK8R9YwUe
c:\users\Kohen Family\AppData\Roaming\piD3o5sWJdLgZhX
c:\users\Kohen Family\AppData\Roaming\QiivvD3oon4am5s
c:\users\Kohen Family\AppData\Roaming\R6dEK8fRZhXjCl
c:\users\Kohen Family\AppData\Roaming\R6dEK8fRZhXjCl\AV Protection 2011.ico
c:\users\Kohen Family\AppData\Roaming\rJ77fEEL8gTZhYw
c:\users\Kohen Family\AppData\Roaming\SF33ppmG5aQJdW8
c:\users\Kohen Family\AppData\Roaming\tIBrzPNyx1
c:\users\Kohen Family\AppData\Roaming\tkkkIBBrzONyA0v
c:\users\Kohen Family\AppData\Roaming\vvvDD3onn4amH
c:\users\Kohen Family\AppData\Roaming\weeelIBzNyA1uSo
c:\users\Kohen Family\AppData\Roaming\wfEL8gThYwUrOtP
c:\users\Kohen Family\AppData\Roaming\WFFF3pmG5aQJ
c:\users\Kohen Family\AppData\Roaming\WFFF3pmG5aQJ\AV Protection 2011.ico
c:\users\Kohen Family\AppData\Roaming\WZjBx2mdLjBx2n6
c:\users\Kohen Family\AppData\Roaming\WZjBx2mdLjBx2n6\AV Protection 2011.ico
c:\users\Kohen Family\AppData\Roaming\xCeellIBrzPNyAu
c:\users\Kohen Family\AppData\Roaming\yfEL9gTZqYIrOtP
c:\users\Kohen Family\AppData\Roaming\yfEL9gTZqYIrOtP\AV Security 2012.ico
c:\users\Mr. Vrumbo\AppData\Roaming\867C5
c:\users\Mr. Vrumbo\AppData\Roaming\867C5\55A6.67C
c:\users\Mr. Vrumbo\AppData\Roaming\Apple Computer
c:\users\Mr. Vrumbo\AppData\Roaming\Apple Computer\Logs\asl.081238_21Nov11.log
c:\users\Mr. Vrumbo\AppData\Roaming\axAS26dWfLgXj
c:\users\Mr. Vrumbo\AppData\Roaming\axAS26dWfLgXj\AV Security 2012.ico
c:\users\Mr. Vrumbo\AppData\Roaming\BONtxA0uc2
c:\users\Mr. Vrumbo\AppData\Roaming\BONtxA0uc2\AV Protection 2011.ico
c:\users\Mr. Vrumbo\AppData\Roaming\BpmG5aQJ6W
c:\users\Mr. Vrumbo\AppData\Roaming\cFFF3ppnG5aH6WK
c:\users\Mr. Vrumbo\AppData\Roaming\cFFF3ppnG5aH6WK\AV Security 2012.ico
c:\users\Mr. Vrumbo\AppData\Roaming\daQH6sWK7
c:\users\Mr. Vrumbo\AppData\Roaming\eG4amH6sW7E8qYw
c:\users\Mr. Vrumbo\AppData\Roaming\eoonnF4ppH5
c:\users\Mr. Vrumbo\AppData\Roaming\GwkUVrlOBx0c1
c:\users\Mr. Vrumbo\AppData\Roaming\hE9gTZjYCkVlx0c
c:\users\Mr. Vrumbo\AppData\Roaming\hE9gTZjYCkVlx0c\AV Protection 2011.ico
c:\users\Mr. Vrumbo\AppData\Roaming\HhUIzy0S35HWkOA
c:\users\Mr. Vrumbo\AppData\Roaming\lyyxxA0uvS2i
c:\users\Mr. Vrumbo\AppData\Roaming\MediaWmplay
c:\users\Mr. Vrumbo\AppData\Roaming\MediaWmplay\FlashPlugin\FlashUtil196_ActiveX.exe
c:\users\Mr. Vrumbo\AppData\Roaming\MediaWmplay\FlashPlugin\FlashUtil52_ActiveX.exe
c:\users\Mr. Vrumbo\AppData\Roaming\MediaWmplay\wmiencoder.cfg
c:\users\Mr. Vrumbo\AppData\Roaming\mFF4pmH5sQ
c:\users\Mr. Vrumbo\AppData\Roaming\mFF4pmH5sQ\AV Protection 2011.ico
c:\users\Mr. Vrumbo\AppData\Roaming\mSS22obbF3mG5
c:\users\Mr. Vrumbo\AppData\Roaming\mSS22obbF3mG5\AV Protection 2011.ico
c:\users\Mr. Vrumbo\AppData\Roaming\NelOOttPyc1iDo
c:\users\Mr. Vrumbo\AppData\Roaming\NUVrlOBtx0ci34H
c:\users\Mr. Vrumbo\AppData\Roaming\NUVrlOBtx0ci34H\AV Security 2012.ico
c:\users\Mr. Vrumbo\AppData\Roaming\NvD3onF4aHsJdLg
c:\users\Mr. Vrumbo\AppData\Roaming\NvD3onF4aHsJdLg\AV Security 2012.ico
c:\users\Mr. Vrumbo\AppData\Roaming\oD3onG4aHWEgqYw
c:\users\Mr. Vrumbo\AppData\Roaming\oK7fRL9gTqYeIr
c:\users\Mr. Vrumbo\AppData\Roaming\Pi3QK7fELgZjCk
c:\users\Mr. Vrumbo\AppData\Roaming\Pi3QK7fELgZjCk\AV Protection 2011.ico
c:\users\Mr. Vrumbo\AppData\Roaming\Qyhoil
c:\users\Mr. Vrumbo\AppData\Roaming\SwkUVrlOt01vo4m
c:\users\Mr. Vrumbo\AppData\Roaming\tCCwwkIIVrONtP0
c:\users\Mr. Vrumbo\AppData\Roaming\Urpoxuu
c:\users\Mr. Vrumbo\AppData\Roaming\VTTTZZqhYCwkVrO
c:\users\Mr. Vrumbo\AppData\Roaming\w0S35HWkOAci3QK
c:\users\Mr. Vrumbo\AppData\Roaming\wBtz0ycA1v2n4HQ
c:\windows\is-820P7.exe
c:\windows\system32\76A0.tmp
c:\windows\system32\9D14.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_azwqdmsl
-------\Service_durolbsl
.
.
((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-28 )))))))))))))))))))))))))))))))
.
.
2011-11-28 12:44 . 2011-11-28 12:44 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CE8EA356-BDFB-4D3D-94D9-94A1DD8B0691}\offreg.dll
2011-11-28 12:43 . 2011-11-28 12:43 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Local\temp
2011-11-28 12:43 . 2011-11-28 12:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-28 04:58 . 2009-04-11 04:39 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-11-27 20:41 . 2011-11-27 20:41 -------- d-----w- C:\afdstuff
2011-11-27 07:55 . 2011-04-14 14:59 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-11-27 07:43 . 2009-04-11 04:45 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2011-11-27 07:43 . 2011-04-21 13:58 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-11-27 02:37 . 2011-11-27 02:37 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\Malwarebytes
2011-11-27 02:06 . 2011-11-27 02:06 -------- d-----w- c:\users\admin
2011-11-25 05:24 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CE8EA356-BDFB-4D3D-94D9-94A1DD8B0691}\mpengine.dll
2011-11-25 04:43 . 2011-11-25 04:43 302592 ----a-w- C:\eurwzonsgmer.exe
2011-11-25 04:43 . 2011-11-25 04:44 607260 ----a-w- C:\dds.scr
2011-11-23 05:04 . 2011-11-23 05:04 -------- d-----w- c:\program files\Sophos
2011-11-23 05:03 . 2011-11-23 05:04 1410192 ----a-w- C:\sophos anti rootkit.exe
2011-11-23 03:00 . 2011-11-25 04:21 -------- d-----w- c:\users\Kohen Family\AppData\Local\LogMeIn Rescue Applet
2011-11-22 00:25 . 2011-11-22 00:25 -------- d-----w- c:\programdata\WeCareReminder
2011-11-22 00:25 . 2011-11-22 00:25 -------- d-----w- c:\program files\Yontoo Layers Runtime
2011-11-22 00:25 . 2011-11-22 00:25 -------- d-----w- c:\program files\FoxTabFLVPlayer
2011-11-16 18:19 . 2011-11-16 18:19 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Local\Apple
2011-11-09 19:07 . 2011-09-20 21:02 913280 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 19:07 . 2011-09-20 13:44 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2011-11-09 19:07 . 2011-09-30 15:57 707584 ----a-w- c:\program files\Common Files\System\wab32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 23:49 . 2011-10-10 23:50 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E2450EA3-F9BA-48B9-84ED-4A9CC51A9977}\gapaengine.dll
2011-10-07 03:48 . 2011-07-07 19:30 6668624 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-03 23:45 . 2011-06-05 13:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-06 13:30 . 2011-10-12 18:01 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-09-01 02:35 . 2011-10-13 07:01 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-09-01 02:28 . 2011-10-13 07:01 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-09-01 02:22 . 2011-10-13 07:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-08-31 22:00 . 2011-07-05 19:20 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-10 13:39 . 2011-07-05 11:55 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-10-20 17:51 2846008 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-10-20 17:51 2846008 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-22 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-22 133656]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-11 4452352]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
mozystat - Shortcut.lnk - c:\program files\MozyHome\mozystat.exe [2009-10-20 2890552]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-6-14 50688]
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-06-14 07:19 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2008-03-11 16:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2008-02-29 04:18 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-579958825-4098481908-445513631-1000]
"EnableNotificationsRef"=dword:00000011
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-579958825-4098481908-445513631-1001]
"EnableNotificationsRef"=dword:00000005
.
R4 dlbk_device;dlbk_device;c:\windows\system32\dlbkcoms.exe [2007-06-26 537840]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-19 00:33]
.
2011-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-19 00:33]
.
2011-11-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-579958825-4098481908-445513631-1000Core.job
- c:\users\Kohen Family\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-26 13:49]
.
2011-11-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-579958825-4098481908-445513631-1000UA.job
- c:\users\Kohen Family\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-26 13:49]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2080614
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {4ECE056F-E50F-4F9D-B069-EB342D21F26A} - hxxp://www2.snapfish.com/SnapfishActivia3.cab
DPF: {8D7624E2-F8CB-412B-9132-FD571DBA78FB} - hxxp://tegrity2.wku.edu/tegrity/_instructor/RecInstaller.CAB
FF - ProfilePath - c:\users\Kohen Family\AppData\Roaming\Mozilla\Firefox\Profiles\ogqkxu5k.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/?pc=Z128&install_date=20111122
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z128&form=ZGAADF&install_date=20111122&q=
FF - user.js: extentions.y2layers.installId - 8625a1ba-eb43-4878-8f4a-915138a31e75
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-28 07:48
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\D864.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2620)
c:\program files\MozyHome\mozyshell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\MozyHome\mozybackup.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\TomTom HOME 2\TomTomHOMEService.exe
c:\windows\system32\WUDFHost.exe
c:\program files\MozyHome\mozybackup.exe
c:\program files\Tegrity\Recorder\TegSrv.exe
c:\program files\MozyHome\mozybackup.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2011-11-28 07:50:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-28 12:50
.
Pre-Run: 251,638,349,824 bytes free
Post-Run: 248,334,659,584 bytes free
.
- - End Of File - - 4ADC1713F6B28734883CECA728589000
 
Looks good :)

How is the computer doing?

Download OTL to your Desktop.

  • Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 