Solved My laptop was redirecting websites, now it reboots every 60 seconds

[Infectious]

I thank you ahead of time for your assistance. I have no idea what to do since I cannot keep it running long enough to scan with the anti-virus.

Take care,
Timothy

 

[Jay Pfoutz]

Hello, and welcome to TechSpot.

Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information

• From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
• Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
• If you have already asked for help somewhere, please post the link to the topic you were helped.
• We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
• Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Download Farbar Recovery Scan Tool and save it to a flash drive.

Based on your system, you will have to choose the download you need, whether 32-bit or 64-bit.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

On the System Recovery Options menu you will get the following options:

• • Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
• Select Command Prompt
• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to the disclaimer.
• Place a check next to List Drivers MD5 as well as the default check marks that are already there
• Press Scan button.
• type exit and reboot the computer normally
• FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

 

[Infectious]

Thank you for the quick reply! Here is the log. I also read about the sevices.exe scan and did that, results below as well.

I appreciate your time and expertise!


Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 24-07-2012 01
Ran by SYSTEM at 24-07-2012 16:56:12
Running from G:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13605408 2009-03-06] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [92704 2009-03-06] (NVIDIA Corporation)
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1045800 2008-03-27] (Synaptics, Inc.)
HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-11-02] (Apple Inc.)
HKLM\...\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [1439496 2010-10-19] (Intuit Inc. All rights reserved.)
HKLM\...\Run: [NPSStartup] [x]
HKLM\...\Run: [Nuance PDF Converter Professional 7-reminder] "C:\Program Files\Nuance\PDF Professional 7\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\PDF Converter Professional 7\Ereg\Ereg.ini" [x]
HKLM\...\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [323640 2009-11-24] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [499608 2011-03-30] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [36760 2012-04-03] (Adobe Systems Incorporated)
HKLM\...\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [815512 2012-04-03] (Adobe Systems Inc.)
HKLM\...\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [1821576 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKLM\...\Run: [HTC Sync Loader] "C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup [651264 2012-04-17] ()
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKU\6T Services\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKU\Tim\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKU\Tim\...\Run: [Adobe Acrobat Synchronizer] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" [1261472 2012-04-03] (Adobe Systems Incorporated)
HKU\Tim\...\Run: [ISUSPM] "C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe" -scheduler [x]
HKU\Tim\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\Tim\...\Run: [AdobeBridge] [x]
Startup: C:\Users\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\Users\Tim\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
================================ Services (Whitelisted) ==================
2 astcc; C:\Windows\system32\astsrv.exe [57344 2010-11-01] (Nalpeiron Ltd.)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 FsUsbExService; C:\Windows\system32\FsUsbExService.Exe [238952 2010-07-04] (Teruten)
2 MDM; "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe" [335872 2006-10-26] (Microsoft Corporation)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [11552 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [214952 2012-03-26] (Microsoft Corporation)
2 PassThru Service; C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe [88576 2011-09-15] ()
2 ProtexisLicensing; C:\Windows\system32\PSIService.exe [177704 2007-06-05] ()
2 QBCFMonitorService; "C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe" [45056 2011-11-11] (Intuit)
3 QBFCService; "C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe" [61440 2009-07-23] (Intuit Inc.)
========================== Drivers (Whitelisted) =============
3 FsUsbExDisk; \??\C:\Windows\system32\FsUsbExDisk.SYS [36608 2010-06-14] ()
3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [60104 2010-07-12] (FTDI Ltd.)
3 FTSER2K; C:\Windows\System32\drivers\ftser2k.sys [73032 2010-07-12] (FTDI Ltd.)
3 HBtnKey; C:\Windows\System32\DRIVERS\cpqbttn.sys [15544 2010-02-24] (Hewlett-Packard Company)
3 HTCAND32; C:\Windows\System32\Drivers\ANDROIDUSB.sys [25088 2009-10-26] (HTC, Corporation)
3 htcnprot; C:\Windows\System32\DRIVERS\htcnprot.sys [23040 2010-06-23] (Windows (R) Win 7 DDK provider)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 nvsmu; C:\Windows\System32\DRIVERS\nvsmu.sys [12032 2007-02-16] (NVIDIA Corporation)
3 VAD_DEV; C:\Windows\System32\drivers\vad.sys [x]
========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============
2012-07-23 14:33 - 2012-07-23 14:33 - 00000000 ____D C:\FRST
2012-07-23 08:23 - 2012-07-23 09:12 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2012-07-13 11:02 - 2012-07-13 11:02 - 00687508 ____N C:\Users\Tim\Documents\APR Company Meeting PP Template.pptx
2012-07-11 09:08 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-11 09:08 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-11 09:08 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-11 09:08 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-11 09:08 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-11 09:08 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-11 09:08 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-11 09:08 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-11 09:08 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-11 09:08 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-11 09:08 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-11 09:08 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-11 09:08 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-11 09:08 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-11 09:02 - 2012-07-11 09:02 - 00259992 ____A C:\Windows\msxml4-KB2721691-enu.LOG
2012-07-11 09:02 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-11 04:17 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-11 04:17 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-11 04:17 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-11 04:17 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-11 04:17 - 2012-06-01 20:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-11 04:17 - 2012-06-01 20:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-11 04:17 - 2012-06-01 20:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-11 04:17 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-11 04:17 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-11 04:17 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-03 11:56 - 2012-07-03 11:56 - 00000000 ____D C:\Users\Tim\Desktop\MASTER Specials sheets without Credits 2012 V2 - Copy
2012-07-02 07:26 - 2012-07-02 07:26 - 00229672 ____A C:\Users\Tim\Downloads\CrucialScan.exe
2012-06-28 06:40 - 2012-06-28 06:41 - 05026104 ____A C:\Users\Tim\Downloads\Free_Trial_Issue.pdf.part
2012-06-28 05:02 - 2012-06-28 05:02 - 00000000 ____D C:\Program Files\QuickTime
2012-06-28 04:44 - 2012-06-28 04:45 - 39483256 ____A (Apple Inc.) C:\Users\Tim\Downloads\QuickTimeInstaller.exe
2012-06-25 12:04 - 2012-06-25 12:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\System32\msxml4.dll
============ 3 Months Modified Files ========================
2012-07-24 12:53 - 2012-03-21 18:09 - 00414161 ____A C:\Windows\setupact.log
2012-07-24 12:53 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-24 12:53 - 2009-07-13 20:33 - 00866320 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-23 09:12 - 2012-07-23 08:23 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2012-07-23 04:25 - 2011-01-01 18:36 - 01595312 ____A C:\Windows\WindowsUpdate.log
2012-07-23 04:15 - 2012-04-06 11:01 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-19 06:57 - 2009-07-13 20:34 - 00020528 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-19 06:57 - 2009-07-13 20:34 - 00020528 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-17 07:19 - 2012-04-06 11:01 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-17 07:19 - 2011-05-08 23:15 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-07-16 07:58 - 2011-11-21 08:11 - 00747358 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-13 12:18 - 2011-02-17 11:22 - 00561152 __ASH C:\Users\Tim\Documents\Thumbs.db
2012-07-13 11:02 - 2012-07-13 11:02 - 00687508 ____N C:\Users\Tim\Documents\APR Company Meeting PP Template.pptx
2012-07-12 11:02 - 2011-01-01 16:57 - 00148912 ____A C:\Users\Tim\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-11 09:04 - 2011-01-05 05:31 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-11 09:02 - 2012-07-11 09:02 - 00259992 ____A C:\Windows\msxml4-KB2721691-enu.LOG
2012-07-02 07:26 - 2012-07-02 07:26 - 00229672 ____A C:\Users\Tim\Downloads\CrucialScan.exe
2012-06-28 06:41 - 2012-06-28 06:40 - 05026104 ____A C:\Users\Tim\Downloads\Free_Trial_Issue.pdf.part
2012-06-28 04:45 - 2012-06-28 04:44 - 39483256 ____A (Apple Inc.) C:\Users\Tim\Downloads\QuickTimeInstaller.exe
2012-06-25 12:04 - 2012-06-25 12:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\System32\msxml4.dll
2012-06-21 08:16 - 2011-01-01 19:35 - 00002020 ___AH C:\Users\Tim\Documents\Default.rdp
2012-06-11 18:40 - 2012-07-11 09:02 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 20:41 - 2012-07-11 04:17 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 08:06 - 2012-06-08 08:05 - 09846466 ____A C:\Users\Tim\Downloads\10th Anniversary Buying Show Video.wmv.part
2012-06-08 06:46 - 2012-06-08 06:45 - 00143064 ____A C:\Windows\Minidump\060812-29374-01.dmp
2012-06-08 06:45 - 2012-06-08 06:45 - 217398132 ____A C:\Windows\MEMORY.DMP
2012-06-06 16:43 - 2012-06-06 16:43 - 00353700 ____A C:\Users\Tim\Documents\CampingNeedsList Father Son 2012.xlsx
2012-06-06 16:43 - 2012-06-06 16:43 - 00000165 ___AH C:\Users\Tim\Documents\~$CampingNeedsList Father Son 2012.xlsx
2012-06-05 21:05 - 2012-07-11 04:17 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 21:05 - 2012-07-11 04:17 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 21:03 - 2012-07-11 04:17 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-03 17:10 - 2012-06-03 17:10 - 00039424 ____A C:\Users\Tim\Documents\Sales May 2012 Rolling 12 Top 50 UP.xls
2012-06-03 17:01 - 2012-06-03 17:00 - 00038912 ____A C:\Users\Tim\Documents\Sales May 2012 Rolling 12 Top 50 Down.xls
2012-06-03 16:57 - 2012-06-03 16:56 - 00039936 ____A C:\Users\Tim\Documents\Sales May 2012 Top 50 Down.xls
2012-06-03 16:56 - 2012-06-03 16:56 - 00039936 ____A C:\Users\Tim\Documents\SalesMay 2012 top 50 By Rolling 12.xls
2012-06-03 16:52 - 2012-06-03 16:52 - 00039936 ____A C:\Users\Tim\Documents\Sales May 2012 Top 50 UP.xls
2012-06-03 16:46 - 2012-06-03 16:45 - 00039936 ____A C:\Users\Tim\Documents\Sales May Top 50 Down.xls
2012-06-02 14:19 - 2012-06-22 04:11 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-22 04:11 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-22 04:11 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-22 04:11 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-22 04:11 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-22 04:11 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-22 04:11 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-22 04:10 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:12 - 2012-06-22 04:10 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 01:07 - 2012-07-11 09:08 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 00:43 - 2012-07-11 09:08 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 00:33 - 2012-07-11 09:08 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 00:26 - 2012-07-11 09:08 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 00:25 - 2012-07-11 09:08 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 00:25 - 2012-07-11 09:08 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 00:23 - 2012-07-11 09:08 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 00:21 - 2012-07-11 09:08 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 00:20 - 2012-07-11 09:08 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 00:19 - 2012-07-11 09:08 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 00:19 - 2012-07-11 09:08 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 00:17 - 2012-07-11 09:08 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 00:16 - 2012-07-11 09:08 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 00:14 - 2012-07-11 09:08 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 20:45 - 2012-07-11 04:17 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 20:45 - 2012-07-11 04:17 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 20:40 - 2012-07-11 04:17 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 20:40 - 2012-07-11 04:17 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 20:39 - 2012-07-11 04:17 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-31 04:26 - 2012-05-31 04:26 - 00001037 ____A C:\Users\Tim\Desktop\Dropbox.lnk
2012-05-31 04:20 - 2012-05-31 04:20 - 18002040 ____A (Dropbox, Inc.) C:\Users\Tim\Downloads\Dropbox 1.4.7.exe
2012-05-25 09:58 - 2009-07-13 20:53 - 00032558 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-05-23 16:06 - 2012-05-23 16:06 - 00001304 ____A C:\Windows\System32\_GEAREXT.WO_IDENT.TXT
2012-05-21 10:47 - 2012-05-21 10:47 - 00001067 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-05-18 09:55 - 2012-05-18 09:55 - 00001040 ____A C:\Users\Public\Desktop\HTC Sync.lnk
2012-05-17 18:24 - 2012-05-17 18:24 - 02095104 ____A C:\Users\Tim\Downloads\QuakeLiveNP_520.msi
2012-05-14 18:46 - 2012-05-14 18:46 - 09490616 ____A (HTC) C:\Users\Tim\Downloads\PG8610000_Shooter_hboot_1.50.0000_2.17.651.5_pg2fs_unlock.exe
2012-05-11 13:16 - 2012-03-22 04:12 - 00001930 ____A C:\Windows\PFRO.log
2012-05-11 11:50 - 2012-05-11 11:50 - 00002975 ____A C:\Users\Tim\Desktop\Pixetell.lnk
2012-05-11 11:41 - 2012-05-11 11:43 - 17846741 ____A C:\Users\Tim\Downloads\Pixetell-1.3.16005.zip
2012-05-11 11:37 - 2012-05-11 11:37 - 00463080 ____A (CNET Download.com) C:\Users\Tim\Downloads\cnet_Pixetell-1_3_16005_zip.exe
2012-05-10 09:18 - 2012-05-10 09:18 - 00318904 ____A (Microsoft Corporation) C:\Users\Tim\Downloads\wmpfirefoxplugin(1).exe
2012-05-04 01:59 - 2012-06-13 10:54 - 00514560 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-04-30 20:44 - 2012-06-13 09:11 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-30 19:54 - 2011-01-04 08:05 - 00001945 ____A C:\Windows\epplauncher.mif
2012-04-27 19:17 - 2012-06-13 09:11 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-26 08:23 - 2011-02-09 10:57 - 00060304 ____A C:\Users\Tim\g2mdlhlpx.exe
2012-04-26 06:09 - 2012-04-26 06:09 - 00041578 ____A C:\Users\Tim\Desktop\Adobe Invoice Buy.com

ZeroAccess:
C:\Users\Tim\AppData\Local\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}
C:\Users\Tim\AppData\Local\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}\@
C:\Users\Tim\AppData\Local\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}\L
C:\Users\Tim\AppData\Local\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}\U
========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 22%
Total physical RAM: 1982.61 MB
Available physical RAM: 1540.34 MB
Total Pagefile: 1982.61 MB
Available Pagefile: 1542.51 MB
Total Virtual: 2047.88 MB
Available Virtual: 1977.62 MB
======================= Partitions =========================
1 Drive c: () (Fixed) (Total:232.79 GB) (Free:117.55 GB) NTFS
2 Drive d: (Data Drive) (Fixed) (Total:232.88 GB) (Free:179.69 GB) NTFS
4 Drive g: () (Removable) (Total:0.23 GB) (Free:0.23 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 Online 232 GB 0 B
Disk 2 Online 242 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 232 GB 101 MB
==================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy
==================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 232 GB Healthy
==================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 232 GB 1024 KB
==================================================================================
Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D Data Drive NTFS Partition 232 GB Healthy
==================================================================================
Partitions of Disk 2:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 240 MB 1276 KB
==================================================================================
Disk: 2
Partition 1
Type : 06
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT Removable 240 MB Healthy
==================================================================================
==========================================================
Last Boot: 2012-07-19 07:59
======================= End Of Log ==========================




Farbar Recovery Scan Tool Version: 24-07-2012 01
Ran by SYSTEM at 2012-07-24 16:57:47
Running from G:\
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6
C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6
=== End Of Search ===

 

[Jay Pfoutz]

FRST Fixlist

Please run the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
SubSystems: [Windows] ==> ZeroAccess
C:\Users\Tim\AppData\Local\{cc946b6f-c464-464d-ed9a-1a01aaa39ce8}
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now, please enter System Recovery Options then select Command Prompt.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.

 

[Infectious]

Okay, now it is booting up and is not restarting at all. The MSE is deactivated and says it is out of date. Malware Bytes is corrupted and won't start. I'm not connecting to the network until I hear from you what to do next.

Thanks


Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 24-07-2012 01
Ran by SYSTEM at 2012-07-26 09:52:51 Run:3
Running from G:\
==============================================
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
==== End of Fixlog ====

 

[Jay Pfoutz]

Good news!

Let's go ahead with this tool now!

ComboFix

Please download ComboFix

by sUBs
From BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:

• Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
• It is important to rename ComboFix before the download.
• Please do not rename ComboFix to other names, but only the one indicated.

After the download:

• Close any open browsers.
• Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
• Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
• If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.

Running ComboFix:

• Double click on svchost.exe & follow the prompts.
• It will attempt to install the Recovery Console:

• When ComboFix finishes, it will produce a report for you.
• Please post the "C:\Combo-Fix.txt" in your next reply.

Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

 

[Infectious]

Thanks, here is the log file...

ComboFix 12-07-27.02 - Tim 07/26/2012 13:02:44.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1983.955 [GMT -4:00]
Running from: c:\users\Tim\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Tim\AppData\Local\assembly\tmp
c:\users\Tim\g2mdlhlpx.exe
c:\users\Tim\GoToAssistDownloadHelper.exe
c:\windows\system32\spool\prtprocs\w32x86\x5pp.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-06-26 to 2012-07-26 )))))))))))))))))))))))))))))))
.
.
2012-07-26 17:14 . 2012-07-26 17:15 -------- d-----w- c:\users\Tim\AppData\Local\temp
2012-07-26 17:14 . 2012-07-26 17:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-26 17:14 . 2012-07-26 17:14 -------- d-----w- c:\users\Admin\AppData\Local\temp
2012-07-26 17:14 . 2012-07-26 17:14 -------- d-----w- c:\users\6T Services\AppData\Local\temp
2012-07-26 15:46 . 2012-07-26 15:46 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A2D3BD83-46C5-4089-89F3-CC749FE30784}\MpKsl3902e138.sys
2012-07-26 15:45 . 2012-07-26 15:45 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A2D3BD83-46C5-4089-89F3-CC749FE30784}\offreg.dll
2012-07-26 15:37 . 2012-07-26 15:37 -------- d-----w- c:\program files\Microsoft
2012-07-26 15:37 . 2012-07-26 15:37 -------- d--h--w- c:\windows\msdownld.tmp
2012-07-26 15:34 . 2012-07-26 15:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-26 15:34 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-26 15:33 . 2012-02-09 18:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{28CBAEB4-BB76-4033-AA15-FCBBECDF5AB5}\gapaengine.dll
2012-07-26 15:33 . 2012-07-16 06:41 6891424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A2D3BD83-46C5-4089-89F3-CC749FE30784}\mpengine.dll
2012-07-26 15:31 . 2012-07-16 06:41 6891424 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{29A1A198-2435-4F11-B717-8742297C4F31}\mpengine.dll
2012-07-26 15:30 . 2012-07-26 15:31 -------- d-----w- c:\program files\Microsoft Security Client
2012-07-23 22:33 . 2012-07-23 22:33 -------- d-----w- C:\FRST
2012-07-11 17:02 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-06-28 13:02 . 2012-06-28 13:02 159744 ----a-w- c:\program files\Mozilla Firefox\Plugins\npqtplugin7.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-17 15:19 . 2012-04-06 19:01 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-17 15:19 . 2011-05-09 07:15 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-25 20:04 . 2012-06-25 20:04 1394248 ----a-w- c:\windows\system32\msxml4.dll
2012-06-02 22:19 . 2012-06-22 12:11 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-22 12:11 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-22 12:11 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-22 12:11 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-22 12:11 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-22 12:11 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-22 12:11 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-22 12:10 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12 . 2012-06-22 12:10 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-10 15:20 . 2012-05-10 15:20 19352 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-05-04 09:59 . 2012-06-13 18:54 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-05-01 04:44 . 2012-06-13 17:11 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-04-28 03:17 . 2012-06-13 17:11 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-20 20:36 . 2012-04-23 15:56 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\users\Tim\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\users\Tim\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\users\Tim\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\users\Tim\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"Adobe Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" [2012-04-04 1261472]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-06 13605408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-06 92704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-10-19 1439496]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-24 323640]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-30 499608]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-04-04 36760]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-04-04 815512]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"HTC Sync Loader"="c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2012-04-17 651264]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"BrandClearStubs"="IEDKCS32.DLL" [2011-04-18 353584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2011-04-18 280576]
.
c:\users\Tim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Tim\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-11-11 1155432]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [x]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 VAD_DEV;Virtual Audio Service;c:\windows\system32\drivers\vad.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S1 MpKsl3902e138;MpKsl3902e138;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A2D3BD83-46C5-4089-89F3-CC749FE30784}\MpKsl3902e138.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [x]
S2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [x]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [x]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPFILTER
*NewlyCreated* - MPKSL3902E138
*Deregistered* - MBAMSwissArmy
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 15:19]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 10.101.1.105 8.8.8.8
FF - ProfilePath - c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\h9xtkwb2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.drudgereport.com/
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-ISUSPM - c:\programdata\FLEXnet\Connect\11\ISUSPM.exe
HKCU-Run-AdobeBridge - (no file)
HKLM-Run-NPSStartup - (no file)
HKLM-Run-Nuance PDF Converter Professional 7-reminder - c:\program files\Nuance\PDF Professional 7\Ereg\Ereg.exe
ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)
.
.
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: WDC_WD25 rev.11.0 -> Harddisk0\DR0 -> \Device\00000072
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-07-26 13:19:03
ComboFix-quarantined-files.txt 2012-07-26 17:19
.
Pre-Run: 130,093,359,104 bytes free
Post-Run: 130,980,384,768 bytes free
.
- - End Of File - - BD9C85A5F6870E0623BE1DE16B5FC20A

 

[Jay Pfoutz]

• Download RogueKiller and save it on your desktop.
• Quit all programs
• Start RogueKiller.exe.
• Wait until Prescan has finished ...
• Click on Scan

• Wait for the end of the scan.
• The report has been created on the desktop.
• Click on the Delete button.

• The report has been created on the desktop.

• Next click on the ShortcutsFix
  
  
  
• The report has been created on the desktop.

Please post:

All RKreport.txt text files located on your desktop.

 

[Infectious]

RogueKiller V7.6.4 [07/17/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User: Tim [Admin rights]
Mode: Scan -- Date: 07/27/2012 15:34:49

¤¤¤ Bad processes: 1 ¤¤¤
[SVCHOST] svchost.exe -- Path not found -> KILLED [TermThr]

¤¤¤ Registry Entries: 4 ¤¤¤
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD25 00BJKT-75F4T SCSI Disk Device +++++
--- User ---
[MBR] 5bd0e9fced6af4aa9d5c515e26634eb1
[BSP] 93fbd628a1ec0581fd63898c025d5e5f : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 238373 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: WDC WD25 00BJKT-75F4T SCSI Disk Device +++++
--- User ---
[MBR] ffa613315e7b8349116cffcff018bc0b
[BSP] 4c6fbc325b250709dc731c5838412aa1 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 238473 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt

 

[Infectious]

RogueKiller V7.6.4 [07/17/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User: Tim [Admin rights]
Mode: Remove -- Date: 07/27/2012 15:37:35

¤¤¤ Bad processes: 1 ¤¤¤
[SVCHOST] svchost.exe -- Path not found -> KILLED [TermThr]

¤¤¤ Registry Entries: 4 ¤¤¤
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD25 00BJKT-75F4T SCSI Disk Device +++++
--- User ---
[MBR] 5bd0e9fced6af4aa9d5c515e26634eb1
[BSP] 93fbd628a1ec0581fd63898c025d5e5f : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 238373 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: WDC WD25 00BJKT-75F4T SCSI Disk Device +++++
--- User ---
[MBR] ffa613315e7b8349116cffcff018bc0b
[BSP] 4c6fbc325b250709dc731c5838412aa1 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 238473 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

 

[Infectious]

RogueKiller V7.6.4 [07/17/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User: Tim [Admin rights]
Mode: Shortcuts HJfix -- Date: 07/27/2012 15:42:36

¤¤¤ Bad processes: 1 ¤¤¤
[SVCHOST] svchost.exe -- Path not found -> KILLED [TermThr]

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 7 / Fail 0
Quick launch: Success 1 / Fail 0
Programs: Success 11 / Fail 0
Start menu: Success 1 / Fail 0
User folder: Success 263 / Fail 0
My documents: Success 1 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 726 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 410 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[E:] \Device\HarddiskVolume3 -- 0x3 --> Restored

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

 

[Infectious]

Thanks again for your assistance. It seemed like there were more infections that this cleared up?

 

[Jay Pfoutz]

Indeed.

ESET Online Scan

Please run a free online scan with the ESET Online Scanner

• Tick the box next to YES, I accept the Terms of Use
• Click Start
• When asked, allow the ActiveX control to install
• Click Start
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
• Click Scan (This scan can take several hours, so please be patient)
• Once the scan is completed, you may close the window
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
• Copy and paste that log as a reply to this topic

 

[Infectious]

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=7ee0d8f9ed6b434fb934731b4d0e56ef
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-07-29 05:42:59
# local_time=2012-07-29 01:42:59 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 100 94 0 95070479 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=278619
# found=6
# cleaned=6
# scan_time=14890
C:\Users\Admin\Downloads\YouTubeDownloaderSetup274.exe multiple threats (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Tim\Downloads\asc-setup.exe a variant of Win32/Toolbar.Widgi application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Tim\Downloads\cnet_gtm138le_eng_exe.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Tim\Downloads\cnet_PDFGallerySetup_zip.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Tim\Downloads\cnet_Pixetell-1_3_16005_zip.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Tim\Downloads\YouTubeDownloaderSetup274.exe multiple threats (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

 

[Jay Pfoutz]

Let's gloss over once more...

Scan for malware

Please download Malwarebytes Anti-Malware from HERE.


Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this, will cause the infection to still be active on the computer.
• Please save the log to a location you will remember.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
• Copy and paste the entire report in your next reply.

 

[Infectious]

Okay, nothing found with MBAM.

Thanks

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.26.12

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Tim :: DV8420US [administrator]

7/29/2012 8:12:46 PM
mbam-log-2012-07-29 (20-12-46).txt

Scan type: Full scan (C:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 498901
Time elapsed: 2 hour(s), 10 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

[Jay Pfoutz]

Hi! Your logs appear to be clean. If there are no more issues, then we shall clean up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point

• Go to Control Panel and select System and Maintenance
• Select System
• On the left select Advance System Settings and accept the warning if you get one
• Select System Protection Tab
• Select Create at the bottom
• Type in a name I.e. Clean
• Select Create

Now we can purge the infected ones

• Go back to the System and Maintenance page
• Select Performance Information and Tools
• On the left select Open Disk Cleanup
• Select Files from all users and accept the warning if you get one
• In the drop down box select your main drive I.e. C
• For a few moments the system will make some calculations:
  
  
• Select the More Options tab
  
  
• In the System Restore and Shadow Backups select Clean up
  
  
• Select Delete on the pop up
• Select OK
• Select Delete

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

• Save it to your Desktop.
• Double click OTC.exe.
• Click the CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Please download TFC by OldTimer to your desktop

• Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• It will close all programs when run, so make sure you have saved all your work before you begin.
• Click the Start
  button to begin the process. Depending on how often you clean temp
  files, execution time should be anywhere from a few seconds to a minute
  or two. Let it run uninterrupted to completion.
• Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Tell me in your next reply, if you have completed these tasks:

• Cleaned System Restore
• Ran OTC
• Ran TFC
• Ran Security Check

Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.

 

[Infectious]

I feel the end is near! Here is the latest info...

• Cleaned System Restore - Complete
• Ran OTC - Complete
• Ran TFC - Complete
• Ran Security Check - Complete

Results of screen317's Security Check version 0.99.43
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
CCleaner
JavaFX 2.1.1
Java(TM) 7 Update 5
Adobe Flash Player 11.3.300.268
Adobe Reader X (10.1.3)
Mozilla Firefox (14.0.1)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

Thanks,
Timothy

 

[Infectious]

Question, do you have a sense how we are catching sirefef? I am generally very careful.

 

[Jay Pfoutz]

Hehe...having a weak antivirus is a common cause, particularly with Sirefef.

This should help clear some things up: http://secureconnexion.wordpress.com/2012/06/14/antivirus-software-toplist-top-20-summer-2012/

Personal Tips on Preventing Malware

See this page for more info about malware and prevention.

Any other questions before I mark this topic solved?

 

[Infectious]

Thanks, I'll look that over and take your hint

The only other thing I was wondering is this. Could I run some of what you had me do on my other machines to make sure they do not have any hidden bugs? From Combofix on there wasn't any custom code so I am assuming it was designed to locate and clean up various threats. I don't want to bug you folks if there isn't a major hijacking.

I really appreciate the help you gave. Everything is working well now.

Timothy

 

[Jay Pfoutz]

Malwarebytes' Anti-Malware is a great choice. ESET Online Scanner should find a lot as well.

I should note that the premium version of MBAM is recommended in the battlefield against malware.

If you have anymore questions or discussions, PM me.

Otherwise, this topic is closed and marked as solved.