Solved Need assistance removing Sirefef, Windows (7) shuts down almost immediately

NickH

As stated in the title.
I have barely a minute before it restarts. I had CA antivirus (which was almost useless) and after I downloaded Microsoft Security Essentials and actually found the virus (Sirefef, but always a different variant, i.e. Sirefef-F, Sirefef-P etc.), it began the one-minute 'critical error' shutdown.

Really need help, thanks.
 
Welcome aboard

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=============================================================

Does the same thing happen in safe mode?
 
Yes. Also, the restart seems to also occur on the Windows log-in screen after a short duration. Is there any way to prevent the restart?
 
Download Kaspersky Rescue Disk 10
Burn downloaded .iso file to CD. How to: http://www.petri.co.il/how_to_write_iso_files_to_cd.htm

Boot from Kaspersky Rescue Disk 10. How to boot from CD: http://www.hiren.info/pages/bios-boot-cdrom

A loading wizard will start (you will see the menu to select the required language). See screenshots here: http://support.kaspersky.com/viruses/rescuedisk/main?qid=208286086
If you do not press any key in 10 seconds, the computer boots from hard drive automatically.
Select the required interface language using the arrow-keys on your keyboard.
Press the Enter key on the keyboard.
In the start up wizard window that opens, select Kaspersky Rescue Disk. Graphic Mode.
Press Enter.
Press 'A' to accept the agreement.
Select operating system from dropdown menu.
In the Objects Scan tab, checkmark:
  • Disk boot sectors
  • Hidden startup objects
  • C:
Click the My Update Center tab and update if any updates are available.
Go back to the other tab and click Start Object Scan.
NOTE. Be patient. It will take a while.

When scan has completed save a report:
  • On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
  • On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
  • On the upper right hand corner of the Detailed report window, click on the Save button.
  • After clicking Detailed Report and 'SAVE', a browse window opens.
  • Double-click on the \
  • Click 'Disks'.
  • All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
  • Click on the Save button.
  • The report has been saved to the file.
Remove the disk from the drive (or disconnect USB) and reboot normally.

Post the content of the file for my review.
 
The C drive is not appearing on the scannable list. How do I get the program to recognise it?
 
-Disc Boot Sectors,
-Hidden startup objects,
-sda (which is a USB drive currently inserted into the machine. If I remove it, it does nothing other than remove the file from the list. So it isn't preventing the C drive from being available.)
 
Let's see, if we can look at your computer booting from an external source.

Please download OTLPE (file size 120.9 MB)

  • When downloaded, double-click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
  • Reboot your system using the boot CD you just created.
    • Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
  • Double-click on the OTLPE icon.
  • When asked Do you wish to load the remote registry, select Yes
  • When asked Do you wish to load remote user profile(s) for scanning, select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved as C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.
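The OTL.txt that this step produces is a plain text log with a fixed field layout, and the first pass a helper makes over it is mechanical: services and drivers whose binary carries no company name, Run/RunOnce values whose target no longer exists, hidden+system folders, and paths that contain a literal, unexpanded environment variable name such as a folder called %APPDATA%. The script below is an added example, not part of the original post and not OldTimer's tooling: it does that first pass in Python over sample lines copied from the shapes of the log posted later in this thread. The rule names and the allowlist of Windows 7 compatibility junctions are my own assumptions, and every hit is a lead for the analyst to inspect by hand, not a verdict on the file.

```python
import re

# Field layout inside OTL's square brackets: date | size | attribute flags | C(reated)/M(odified).
# Attribute flags are four characters drawn from R, H, S, D (read-only, hidden, system, directory).
_STAMP = r"\[(?P<date>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-RHSD]{4}) \| [CM]\]"

# SRV/DRV lines: "SRV - [stamp] (Company) [Start] -- path -- (ServiceName)"
SERVICE_RE = re.compile(
    r"^(?P<kind>SRV|DRV)(?::64bit:)? - " + _STAMP
    + r" \((?P<company>.*?)\) \[(?P<start>[^\]]+)\] -- (?P<path>.+?) -- \((?P<name>[^)]+)\)"
)
# File/folder lines: "[stamp] (Company) -- path" (the company part is absent for folders)
FILE_RE = re.compile(r"^" + _STAMP + r"(?: \((?P<company>.*?)\))? -- (?P<path>.+)$")
# O4 autorun lines: "O4 - HKLM..\Run: [ValueName] target (Company)" or "... File not found"
RUNKEY_RE = re.compile(
    r"^O4(?::64bit:)? - (?P<hive>.+?)\\Run(?P<once>Once)?: \[(?P<value>[^\]]+)\] (?P<target>.+)$"
)
# A path component that is a literal, unexpanded environment variable name, e.g. "\%APPDATA%".
LITERAL_ENV_RE = re.compile(r"\\%[A-Za-z0-9_]+%(?:\\|$)")

# Windows 7 creates these hidden+system compatibility junctions itself; treat them as noise.
# (Assumed allowlist for this example; extend it from your own clean baseline.)
KNOWN_JUNCTIONS = {
    r"c:\programdata\application data",
    r"c:\programdata\desktop",
    r"c:\programdata\documents",
    r"c:\users\all users",
}


def triage_otl(lines):
    """Return a list of (rule, detail) findings for an iterable of OTL log lines.

    Rules: no-company-name (service/driver binary without version info),
    orphaned-autorun (Run/RunOnce value whose target is missing),
    hidden-system-dir (H+S+D attributes outside the known junctions),
    literal-env-var (a path component literally named like %APPDATA%).
    """
    findings = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = SERVICE_RE.match(line)
        if m:
            if not m.group("company").strip():
                findings.append(("no-company-name", f"{m.group('kind')} {m.group('name')}: {m.group('path')}"))
            if LITERAL_ENV_RE.search(m.group("path")):
                findings.append(("literal-env-var", m.group("path")))
            continue
        m = RUNKEY_RE.match(line)
        if m:
            if m.group("target").strip() == "File not found":
                key = "RunOnce" if m.group("once") else "Run"
                findings.append(("orphaned-autorun", f"{m.group('hive')}\\{key} [{m.group('value')}]"))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            if all(flag in attrs for flag in "HSD") and path.lower() not in KNOWN_JUNCTIONS:
                findings.append(("hidden-system-dir", path))
            if LITERAL_ENV_RE.search(path):
                findings.append(("literal-env-var", path))
    return findings


# Sample input for the example, copied from the shapes of the OTL.txt posted in this thread.
SAMPLE_LINES = r"""
SRV:64bit: - [2012/03/26 04:49:56 | 000,012,600 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/06/04 03:24:54 | 000,076,888 | ---- | M] () [Auto] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
DRV - [2012/06/08 19:30:12 | 000,025,640 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand] -- C:\Windows\gdrv.sys -- (gdrv)
O4 - HKLM..\Run: [AdobeCS5.5ServiceManager] File not found
O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
[2012/06/07 02:15:47 | 000,374,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\netio.sys
[2012/06/06 03:24:14 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data
[2012/06/07 02:19:01 | 000,000,000 | ---D | C] -- C:\Users\Nick\AppData\Roaming\uTorrent
""".strip().splitlines()


if __name__ == "__main__":
    # Run against a real log with: python otl_triage.py < C:\OTL.txt
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for rule, detail in triage_otl(source):
        print(f"{rule:18} {detail}")
```

A "no-company-name" hit is the noisiest rule (PunkBuster and several OEM drivers in this very log have no version resource), so read it together with the file date and location rather than on its own; the unexpanded-variable and hidden+system folder rules are the ones that single out the System32 entry above.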
 
OTL logfile created on: 6/9/2012 6:02:17 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
64bit-Windows 7 Home Premium (Version = 6.1.7600) - Type = System
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000c09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 92.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 232.88 Gb Total Space | 147.65 Gb Free Space | 63.40% Space Free | Partition Type: NTFS
Drive D: | 931.51 Gb Total Space | 536.97 Gb Free Space | 57.65% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV:64bit: - [2012/03/26 04:49:56 | 000,291,696 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2012/03/26 04:49:56 | 000,012,600 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2012/03/06 17:23:32 | 000,358,448 | ---- | M] (Total Defense, Inc.) [On_Demand] -- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe -- (CaCCProvSP)
SRV:64bit: - [2012/03/06 17:23:32 | 000,287,280 | ---- | M] (Total Defense, Inc.) [Auto] -- C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe -- (ccSchedulerSVC)
SRV:64bit: - [2012/01/14 18:14:00 | 000,312,656 | ---- | M] (Computer Associates International, Inc.) [Auto] -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe -- (CAISafe)
SRV:64bit: - [2012/01/14 02:37:33 | 000,293,704 | ---- | M] (CA) [Auto] -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\CAAMSvc.exe -- (CAAMSvc)
SRV:64bit: - [2011/12/02 23:18:12 | 000,204,288 | ---- | M] (AMD) [Auto] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2011/04/03 21:42:30 | 000,920,656 | ---- | M] (CA) [Auto] -- C:\Program Files\CA\SharedComponents\TMEngine\UmxEngine.exe -- (UmxEngine)
SRV:64bit: - [2010/04/06 01:30:38 | 000,031,272 | ---- | M] () [On_Demand] -- C:\Windows\System32\AppleChargerSrv.exe -- (AppleChargerSrv)
SRV:64bit: - [2009/10/06 10:47:10 | 000,191,000 | ---- | M] (Logitech Inc.) [Auto] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcS64)
SRV - [2012/06/04 03:24:54 | 000,076,888 | ---- | M] () [Auto] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
SRV - [2012/05/18 23:39:51 | 000,529,232 | ---- | M] (Valve Corporation) [On_Demand] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012/04/25 07:07:42 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/04/05 01:50:08 | 000,008,704 | ---- | M] (Hi-Rez Studios) [Auto] -- D:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe -- (HiPatchService)
SRV - [2012/02/28 02:38:54 | 002,343,816 | ---- | M] (LogMeIn Inc.) [Auto] -- C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe -- (Hamachi2Svc)
SRV - [2011/08/22 00:26:10 | 000,057,344 | ---- | M] () [Auto] -- C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe -- (DES2 Service)
SRV - [2010/03/17 23:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/02/18 22:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2009/10/13 01:39:46 | 000,114,688 | ---- | M] (Gigabyte Technology CO., LTD.) [Auto] -- C:\Program Files (x86)\GIGABYTE\smart6\timelock\TimeMgmtDaemon.exe -- (Smart TimeLock)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/01/26 00:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto] -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/03/20 06:44:12 | 000,098,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2011/12/03 01:51:40 | 010,588,160 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2011/12/02 22:22:06 | 000,325,632 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2011/10/27 01:07:50 | 000,182,352 | ---- | M] (Total Defense) [File_System | Boot] -- C:\Windows\System32\drivers\KmxAMRT.sys -- (KmxAMRT)
DRV:64bit: - [2011/10/25 21:51:38 | 000,113,744 | ---- | M] (CA) [File_System | System] -- C:\Windows\System32\drivers\KmxAgent.sys -- (KmxAgent)
DRV:64bit: - [2011/09/06 07:04:20 | 000,365,136 | ---- | M] (CA) [Kernel | System] -- C:\Windows\System32\drivers\KmxCfg.sys -- (KmxCfg)
DRV:64bit: - [2011/07/28 23:40:00 | 000,079,104 | ---- | M] (Etron Technology Inc) [Kernel | On_Demand] -- C:\Windows\System32\drivers\EtronXHCI.sys -- (EtronXHCI)
DRV:64bit: - [2011/07/28 23:40:00 | 000,056,960 | ---- | M] (Etron Technology Inc) [Kernel | On_Demand] -- C:\Windows\System32\drivers\EtronHub3.sys -- (EtronHub3)
DRV:64bit: - [2011/07/06 06:12:50 | 000,367,976 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\RtHDMIVX.sys -- (RTHDMIAzAudService)
DRV:64bit: - [2011/05/31 23:16:50 | 000,535,656 | ---- | M] (Realtek ) [Kernel | On_Demand] -- C:\Windows\System32\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011/01/10 03:16:08 | 000,021,104 | ---- | M] () [Kernel | System] -- C:\Windows\System32\drivers\AppleCharger.sys -- (AppleCharger)
DRV:64bit: - [2010/09/20 18:59:38 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\HECIx64.sys -- (MEIx64) Intel(R)
DRV:64bit: - [2009/12/01 01:49:52 | 000,038,992 | ---- | M] (Screaming Bee LLC) [Kernel | On_Demand] -- C:\Windows\System32\drivers\ScreamingBAudio64.sys -- (ScreamBAudioSvc)
DRV:64bit: - [2009/10/07 04:49:27 | 006,379,288 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\lvuvc64.sys -- (LVUVC64) Logitech Webcam 500(UVC)
DRV:64bit: - [2009/10/07 04:47:44 | 000,327,704 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\lvrs64.sys -- (LVRS64)
DRV:64bit: - [2009/10/06 10:45:50 | 000,030,232 | ---- | M] () [Kernel | On_Demand] -- C:\Windows\System32\drivers\LVPr2M64.sys -- (LVPr2Mon)
DRV:64bit: - [2009/10/06 10:45:50 | 000,030,232 | ---- | M] () [Kernel | On_Demand] -- C:\Windows\System32\drivers\LVPr2M64.sys -- (LVPr2M64)
DRV:64bit: - [2009/06/10 16:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand] -- C:\Windows\System32\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\Windows\system32\DRIVERS\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/03/18 02:35:42 | 000,033,856 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\hamachi.sys -- (hamachi)
DRV - [2012/06/08 19:30:12 | 000,025,640 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand] -- C:\Windows\gdrv.sys -- (gdrv)
DRV - [2012/01/14 02:26:24 | 000,030,528 | ---- | M] () [Kernel | On_Demand] -- C:\Windows\GVTDrv64.sys -- (GVTDrv64)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\Nick_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ninemsn.com.au/?ocid=iehp
IE - HKU\Nick_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-AU
IE - HKU\Nick_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7B 7C 9D 28 B3 05 CD 01 [binary data]
IE - HKU\Nick_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Nick_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\System32\Macromed\Flash\NPSWF64_11_1_102.dll ()
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.4.0: C:\Windows\System32\npDeployJava1.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.4.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: File not found
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Apple.com/iTunes,version=:
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@esn.me/esnsonar,version=0.70.4: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll (ESN Social Software AB)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@esn/esnlaunch,version=1.118.0: C:\Program Files (x86)\Battlelog Web Plugins\1.118.0\npesnlaunch.dll (ESN Social Software AB)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_32: C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE: File not found

FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/04/25 07:07:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2012/05/10 02:49:18 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/05/10 02:49:18 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}
[2012/04/25 07:07:42 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/04/25 07:07:42 | 000,001,525 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazon-en-GB.xml
[2012/03/20 02:07:37 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/04/25 07:07:42 | 000,000,935 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\chambers-en-GB.xml
[2012/04/25 07:07:42 | 000,001,166 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-en-GB.xml
[2012/04/25 07:07:42 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml
[2012/04/25 07:07:42 | 000,001,121 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2012/06/07 04:56:44 | 000,001,204 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts: ::1 localhost
O2:64bit: - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (no name) - {45d30484-7ded-43d9-957a-d2fd1f046511} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4:64bit: - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [cctray] C:\Program Files\CA\CA Internet Security Suite\casc.exe (Total Defense, Inc.)
O4:64bit: - HKLM..\Run: [CNAP2 Launcher] C:\Windows\System32\spool\drivers\x64\3\CNAP2LAK.EXE (CANON INC.)
O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [RtHDVBg_Dolby] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [AdobeCS5.5ServiceManager] File not found
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Dolby Home Theater v4] C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe (Dolby Laboratories Inc.)
O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe ()
O4 - HKLM..\Run: [LogMeIn Hamachi Ui] C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe (LogMeIn Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKU\LocalService_ON_C..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\NetworkService_ON_C..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\Nick_ON_C..\Run: [Logitech Vid] C:\Program Files (x86)\Logitech\Logitech Vid\vid.exe (Logitech Inc.)
O4 - HKU\Nick_ON_C..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - HKU\Nick_ON_C..\Run: [Steam] D:\Program Files (x86)\Steam\steam.exe (Valve Corporation)
O4 - HKU\Nick_ON_C..\Run: [uTorrent] C:\Program Files (x86)\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O4:64bit: - HKLM..\RunOnce: [RPMKickstart] C:\Program Files\GIGABYTE\SMART6\Recovery\RPMKickstart.exe (Gigabyte Technology CO., LTD.)
O4 - HKU\LocalService_ON_C..\RunOnce: [mctadmin] File not found
O4 - HKU\NetworkService_ON_C..\RunOnce: [mctadmin] File not found
O4 - Startup: Error locating startup folders.
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\VetRedir.dll (Computer Associates International, Inc.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\VetRedir.dll (Computer Associates International, Inc.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Windows\System32\VetRedir.dll (Computer Associates International, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\SysWow64\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\SysWow64\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Windows\SysWow64\VetRedir.dll (Computer Associates International, Inc.)
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\PFW: DllName - UmxWnp.Dll - C:\Windows\SysWow64\UmxWNP.dll (CA)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
64bit: O35 - HKLM\..comfile [open] -- "%1" %* File not found
64bit: O35 - HKLM\..exefile [open] -- "%1" %* File not found
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/06/07 02:19:01 | 000,000,000 | ---D | C] -- C:\Users\Nick\AppData\Roaming\uTorrent
[2012/06/07 02:16:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
[2012/06/07 02:16:05 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2012/06/07 02:15:47 | 000,374,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\netio.sys
[2012/06/06 03:24:14 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2012/06/03 03:19:14 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2012/05/26 17:08:05 | 000,000,000 | ---D | C] -- C:\Users\Nick\Documents\Iron Front
[2012/05/26 17:08:04 | 000,000,000 | ---D | C] -- C:\Users\Nick\AppData\Local\Ironfront
[2012/05/22 03:48:19 | 000,000,000 | ---D | C] -- C:\Users\Nick\AppData\Local\Ironclad Games
[2012/05/22 03:47:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Ironclad Games
[2012/05/21 02:12:56 | 000,000,000 | ---D | C] -- C:\Users\Nick\AppData\Local\Kerberos_Productions
[2012/05/21 02:11:30 | 000,000,000 | ---D | C] -- C:\Users\Nick\AppData\Local\Sword of the Stars II
[2012/05/16 15:40:08 | 000,000,000 | ---D | C] -- C:\Users\Nick\Documents\Endless Space
[2012/05/15 05:14:02 | 000,000,000 | ---D | C] -- C:\Users\Nick\Documents\ArmA 2 Other Profiles
[2012/05/12 21:32:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft XNA
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/06/08 19:32:59 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/06/08 19:32:34 | 000,000,049 | ---- | M] () -- C:\Windows\System32\drivers\kmxzone.u2k7
[2012/06/08 19:32:34 | 000,000,049 | ---- | M] () -- C:\Windows\System32\drivers\kmxzone.u2k6
[2012/06/08 19:32:34 | 000,000,049 | ---- | M] () -- C:\Windows\System32\drivers\kmxzone.u2k5
[2012/06/08 19:32:34 | 000,000,049 | ---- | M] () -- C:\Windows\System32\drivers\kmxzone.u2k4
[2012/06/08 19:32:34 | 000,000,049 | ---- | M] () -- C:\Windows\System32\drivers\kmxzone.u2k3
[2012/06/08 19:32:34 | 000,000,049 | ---- | M] () -- C:\Windows\System32\drivers\kmxzone.u2k2
[2012/06/08 19:32:34 | 000,000,049 | ---- | M] () -- C:\Windows\System32\drivers\kmxzone.u2k1
[2012/06/08 19:32:33 | 000,113,524 | ---- | M] () -- C:\Windows\System32\drivers\KmxAgent.asc
[2012/06/08 19:32:33 | 000,046,985 | ---- | M] () -- C:\Windows\System32\drivers\kmxcfg.u2k0
[2012/06/08 19:32:33 | 000,000,085 | ---- | M] () -- C:\Windows\System32\drivers\kmxcfg.u2k7
[2012/06/08 19:32:33 | 000,000,085 | ---- | M] () -- C:\Windows\System32\drivers\kmxcfg.u2k6
[2012/06/08 19:32:33 | 000,000,085 | ---- | M] () -- C:\Windows\System32\drivers\kmxcfg.u2k5
[2012/06/08 19:32:33 | 000,000,085 | ---- | M] () -- C:\Windows\System32\drivers\kmxcfg.u2k4
[2012/06/08 19:32:33 | 000,000,085 | ---- | M] () -- C:\Windows\System32\drivers\kmxcfg.u2k3
[2012/06/08 19:32:33 | 000,000,085 | ---- | M] () -- C:\Windows\System32\drivers\kmxcfg.u2k2
[2012/06/08 19:32:33 | 000,000,085 | ---- | M] () -- C:\Windows\System32\drivers\kmxcfg.u2k1
[2012/06/08 19:32:33 | 000,000,049 | ---- | M] () -- C:\Windows\System32\drivers\kmxzone.u2k0
[2012/06/08 19:30:12 | 000,025,640 | ---- | M] (Windows (R) Server 2003 DDK provider) -- C:\Windows\gdrv.sys
[2012/06/08 19:29:42 | 4281,688,062 | -HS- | M] () -- C:\hiberfil.sys
[2012/06/07 02:25:07 | 000,013,440 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/06/07 02:25:07 | 000,013,440 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/06/07 02:16:44 | 000,002,154 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/06/07 02:16:24 | 000,001,915 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/06/07 02:16:19 | 000,787,672 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/06/07 02:16:19 | 000,654,066 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/06/07 02:16:19 | 000,121,898 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/06/04 03:58:20 | 000,283,304 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.xtr
[2012/06/04 03:58:20 | 000,283,304 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2012/06/04 03:58:00 | 000,280,904 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.ex0
[2012/06/04 03:24:54 | 000,076,888 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2012/06/04 03:19:17 | 000,000,801 | ---- | M] () -- C:\Users\Public\Desktop\Battlefield 3.lnk
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/06/07 02:16:44 | 000,002,154 | ---- | C] () -- C:\Windows\epplauncher.mif
[2012/06/07 02:16:24 | 000,001,915 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/06/04 03:19:17 | 000,000,801 | ---- | C] () -- C:\Users\Public\Desktop\Battlefield 3.lnk
[2012/04/06 19:59:55 | 000,056,320 | ---- | C] () -- C:\Windows\SysWow64\iyvu9_32.dll
[2012/01/15 23:06:24 | 000,787,672 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/01/14 03:46:19 | 000,283,304 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2012/01/14 03:46:18 | 000,669,184 | ---- | C] () -- C:\Windows\SysWow64\pbsvc.exe
[2012/01/14 03:46:18 | 000,076,888 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2012/01/14 03:14:22 | 000,000,262 | ---- | C] () -- C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
[2012/01/14 02:26:24 | 000,030,528 | ---- | C] () -- C:\Windows\GVTDrv64.sys
[2012/01/14 02:15:18 | 000,008,192 | ---- | C] () -- C:\Windows\SysWow64\drivers\IntelMEFWVer.dll
[2012/01/14 02:11:21 | 000,000,010 | ---- | C] () -- C:\Windows\GSetup.ini
[2012/01/14 02:06:12 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2012/01/14 02:04:05 | 000,204,960 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat
[2012/01/14 02:04:05 | 000,157,152 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat
[2012/01/14 02:04:05 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011/12/02 22:28:12 | 000,069,632 | ---- | C] () -- C:\Windows\SysWow64\amdave32.dll
[2011/12/02 07:19:48 | 000,059,904 | ---- | C] () -- C:\Windows\SysWow64\OpenVideo.dll
[2011/12/02 07:19:36 | 000,054,784 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll
[2011/08/18 18:26:20 | 010,898,456 | ---- | C] () -- C:\Windows\SysWow64\LogiDPP.dll
[2011/08/18 18:26:20 | 000,336,408 | ---- | C] () -- C:\Windows\SysWow64\DevManagerCore.dll
[2011/08/18 18:26:20 | 000,104,472 | ---- | C] () -- C:\Windows\SysWow64\LogiDPPApp.exe
[2009/08/27 03:04:14 | 000,207,400 | R--- | C] () -- C:\Windows\GSetup.exe
[2009/07/14 01:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 22:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/13 22:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/13 20:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 20:02:54 | 000,245,248 | ---- | C] () -- C:\Windows\SysWow64\DShowRdpFilter.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 18:25:04 | 000,197,632 | ---- | C] () -- C:\Windows\SysWow64\ir32_32.dll
[2009/07/13 17:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2007/11/26 06:56:28 | 000,151,415 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat

========== LOP Check ==========

[2012/04/06 19:12:13 | 000,000,000 | ---D | M] -- C:\Users\Nick\AppData\Roaming\.minecraft
[2012/02/01 22:57:50 | 000,000,000 | ---D | M] -- C:\Users\Nick\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
[2012/01/28 05:35:05 | 000,000,000 | ---D | M] -- C:\Users\Nick\AppData\Roaming\Leadertech
[2012/03/31 23:23:07 | 000,000,000 | ---D | M] -- C:\Users\Nick\AppData\Roaming\Mount&Blade Warband
[2012/02/01 06:50:19 | 000,000,000 | ---D | M] -- C:\Users\Nick\AppData\Roaming\OpenOffice.org
[2012/02/16 07:35:38 | 000,000,000 | ---D | M] -- C:\Users\Nick\AppData\Roaming\Origin
[2012/01/14 22:26:45 | 000,000,000 | ---D | M] -- C:\Users\Nick\AppData\Roaming\Red Alert 3
[2012/04/21 19:49:57 | 000,000,000 | ---D | M] -- C:\Users\Nick\AppData\Roaming\runic games
[2012/04/29 06:12:05 | 000,000,000 | ---D | M] -- C:\Users\Nick\AppData\Roaming\Screaming Bee
[2012/02/27 08:01:02 | 000,000,000 | ---D | M] -- C:\Users\Nick\AppData\Roaming\The Creative Assembly
[2012/02/10 02:40:47 | 000,000,000 | ---D | M] -- C:\Users\Nick\AppData\Roaming\Tropico 3
[2012/04/24 19:26:20 | 000,000,000 | ---D | M] -- C:\Users\Nick\AppData\Roaming\TS3Client
[2012/03/04 18:29:37 | 000,000,000 | ---D | M] -- C:\Users\Nick\AppData\Roaming\ts3overlay
[2012/06/08 19:31:35 | 000,000,000 | ---D | M] -- C:\Users\Nick\AppData\Roaming\uTorrent
[2012/01/14 21:22:55 | 000,000,000 | ---D | M] -- C:\Users\Nick\AppData\Roaming\XRay Engine
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data
[2012/01/15 20:07:26 | 000,000,000 | ---D | M] -- C:\ProgramData\CA
[2012/03/26 03:22:31 | 000,000,000 | ---D | M] -- C:\ProgramData\Canon
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- C:\ProgramData\Desktop
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- C:\ProgramData\Documents
[2012/03/13 17:57:21 | 000,000,000 | ---D | M] -- C:\ProgramData\EA Core
[2012/03/13 18:36:57 | 000,000,000 | ---D | M] -- C:\ProgramData\EA Logs
[2012/03/13 17:57:24 | 000,000,000 | ---D | M] -- C:\ProgramData\Electronic Arts
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favorites
[2012/02/01 01:29:05 | 000,000,000 | ---D | M] -- C:\ProgramData\GRAW2
[2012/04/13 19:07:32 | 000,000,000 | ---D | M] -- C:\ProgramData\Hi-Rez Studios
[2012/05/22 03:47:18 | 000,000,000 | ---D | M] -- C:\ProgramData\Ironclad Games
[2012/02/16 17:37:20 | 000,000,000 | ---D | M] -- C:\ProgramData\Origin
[2012/02/05 08:18:49 | 000,000,000 | ---D | M] -- C:\ProgramData\regid.1986-12.com.adobe
[2012/04/07 18:59:40 | 000,000,000 | ---D | M] -- C:\ProgramData\Solidshield
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- C:\ProgramData\Start Menu
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- C:\ProgramData\Templates
[2012/05/10 04:43:13 | 000,000,000 | ---D | M] -- C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
[2012/04/06 01:23:08 | 000,032,648 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========


< End of report >
 
Do this on the computer you are posting from:
Copy the text in the codebox below:


Code:
:OTL
O2 - BHO: (no name) - {45d30484-7ded-43d9-957a-d2fd1f046511} - No CLSID value found.
O4 - HKLM..\Run: [AdobeCS5.5ServiceManager] File not found
O4 - HKU\LocalService_ON_C..\RunOnce: [mctadmin] File not found
O4 - HKU\NetworkService_ON_C..\RunOnce: [mctadmin] File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.


:Services

:Reg

:Files

:Commands
[purity]
[resethosts]

Open Notepad and paste it.
Save the document as Fix.txt onto a USB flash drive


On the infected computer, do the following...

Run OTLPE

  • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
    • (The content of Fix.txt should appear in the box)
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log produced (you'll need to transfer it with USB stick)
  • Remove the CD and shut down computer manually.
  • Attempt to reboot normally into Windows.
 
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45d30484-7ded-43d9-957a-d2fd1f046511}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{45d30484-7ded-43d9-957a-d2fd1f046511}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\\AdobeCS5.5ServiceManager deleted successfully.
Registry key HKEY_USERS\LocalService_ON_C\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce not found.
Registry key HKEY_USERS\NetworkService_ON_C\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce not found.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTLPE by OldTimer - Version 3.1.48.0 log created on 06102012_143417
 
For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.
Plug the flash drive into the infected PC.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using the Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close the notepad.
  • In the command window type e:\frst.exe (for the x64 bit version type e:\frst64) and press Enter. Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 
Scan result of Farbar Recovery Scan Tool Version: 09-06-2012 01
Ran by SYSTEM at 10-06-2012 15:22:24
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [12632168 2011-07-21] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE4 [2264168 2011-07-12] (Realtek Semiconductor)
HKLM\...\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\casc.exe" [2698800 2012-03-06] (Total Defense, Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [499608 2011-03-14] (Adobe Systems Incorporated)
HKLM\...\Run: [CNAP2 Launcher] C:\Windows\system32\spool\DRIVERS\x64\3\CNAP2LAK.EXE [406944 2007-09-05] (CANON INC.)
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [343168 2011-12-02] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Dolby Home Theater v4] "C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe" -autostart [506712 2011-05-31] (Dolby Laboratories Inc.)
HKLM-x32\...\Run: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start [81920 2005-02-16] (InstallShield Software Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [34672 2008-06-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide [2793304 2009-10-13] ()
HKLM-x32\...\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-18] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start [1987976 2012-02-27] (LogMeIn Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-26] (Apple Inc.)
HKU\Nick\...\Run: [ISUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup [221184 2005-02-16] (InstallShield Software Corporation)
HKU\Nick\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2144088 2009-01-25] (Safer Networking Limited)
HKU\Nick\...\Run: [Steam] "D:\Program Files (x86)\Steam\steam.exe" -silent [x]
HKU\Nick\...\Run: [Logitech Vid] "C:\Program Files (x86)\Logitech\Logitech Vid\vid.exe" -bootmode [5458704 2009-07-15] (Logitech Inc.)
HKU\Nick\...\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED [880496 2012-05-17] (BitTorrent, Inc.)
HKLM\...\RunOnce: [RPMKickstart] C:\Program Files\GIGABYTE\SMART6\Recovery\RPMKickstart.exe [2552320 2011-03-29] (Gigabyte Technology CO., LTD.)
Tcpip\..\Interfaces\{702CC94E-E79E-4B0D-958D-B44D92C48654}: [NameServer]203.8.183.1,192.189.54.17
Startup: C:\Users\Nick\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
==================== Services (Whitelisted) ======
3 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-05] ()
2 CAAMSvc; C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\caamsvc.exe [293704 2012-01-13] (CA)
3 CaCCProvSP; "C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe" [358448 2012-03-06] (Total Defense, Inc.)
2 CAISafe; C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe [312656 2012-01-14] (Computer Associates International, Inc.)
2 ccSchedulerSVC; C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe [287280 2012-03-06] (Total Defense, Inc.)
2 DES2 Service; "C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe" [57344 2011-08-21] ()
2 Hamachi2Svc; "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe" -s [2343816 2012-02-27] (LogMeIn Inc.)
2 LVPrcS64; "C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe" [191000 2009-10-06] (Logitech Inc.)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [76888 2012-06-03] ()
2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-25] (Safer Networking Ltd.)
2 Smart TimeLock; C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe [114688 2009-10-12] (Gigabyte Technology CO., LTD.)
2 UmxEngine; "C:\Program Files\CA\SharedComponents\TMEngine\UmxEngine.exe" [920656 2011-04-03] (CA)
2 HiPatchService; C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [x]
========================== Drivers (Whitelisted) =============
1 AppleCharger; C:\Windows\System32\Drivers\AppleCharger.sys [21104 2011-01-09] ()
3 EtronHub3; C:\Windows\System32\Drivers\EtronHub3.sys [56960 2011-07-28] (Etron Technology Inc)
3 EtronXHCI; C:\Windows\System32\Drivers\EtronXHCI.sys [79104 2011-07-28] (Etron Technology Inc)
3 gdrv; \??\C:\Windows\gdrv.sys [25640 2012-06-09] (Windows (R) Server 2003 DDK provider)
3 GVTDrv64; \??\C:\Windows\GVTDrv64.sys [30528 2012-01-13] ()
3 hamachi; C:\Windows\System32\Drivers\hamachi.sys [33856 2009-03-17] (LogMeIn, Inc.)
1 KmxAgent; C:\Windows\System32\Drivers\KmxAgent.sys [113744 2011-10-25] (CA)
0 KmxAMRT; C:\Windows\System32\Drivers\KmxAMRT.sys [182352 2011-10-26] (Total Defense)
1 KmxCfg; C:\Windows\System32\Drivers\KmxCfg.sys [365136 2011-09-06] (CA)
3 LVPr2M64; C:\Windows\System32\Drivers\LVPr2M64.sys [30232 2009-10-06] ()
3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-10-06] ()
3 ScreamBAudioSvc; C:\Windows\System32\drivers\ScreamingBAudio64.sys [38992 2009-11-30] (Screaming Bee LLC)
========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============
2012-06-10 15:22 - 2012-06-10 15:22 - 00000000 ____D C:\FRST
2012-06-10 10:34 - 2012-06-10 10:34 - 00000000 ____D C:\_OTL
2012-06-09 14:04 - 2012-06-09 14:04 - 00062996 ____A C:\OTL.Txt
2012-06-06 23:00 - 2012-06-06 23:20 - 00364612 ____A C:\Windows\ntbtlog.txt
2012-06-06 22:19 - 2012-06-09 20:37 - 00000000 ____D C:\Users\Nick\AppData\Roaming\uTorrent
2012-06-06 22:16 - 2012-06-06 22:16 - 00002154 ____A C:\Windows\epplauncher.mif
2012-06-06 22:16 - 2012-06-06 22:16 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-06 22:16 - 2012-06-06 22:16 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-06 22:15 - 2010-04-09 03:06 - 00374664 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-06-05 23:24 - 2012-06-05 23:24 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-03 23:19 - 2012-06-03 23:19 - 00000801 ____A C:\Users\Public\Desktop\Battlefield 3.lnk
2012-06-03 23:18 - 2012-06-04 05:05 - 478365655 ____A C:\Users\Nick\Downloads\Game.of.Thrones.S02E10.HDTV.x264-ASAP.mp4
2012-06-02 23:19 - 2012-06-02 23:19 - 00000000 ____D C:\Windows\Sun
2012-05-27 22:02 - 2012-05-28 00:00 - 388380861 ____A C:\Users\Nick\Downloads\Game.of.Thrones.S02E09.HDTV.x264-ASAP.mp4
2012-05-26 13:08 - 2012-06-05 22:36 - 00000000 ____D C:\Users\Nick\AppData\Local\Ironfront
2012-05-26 13:08 - 2012-05-27 22:20 - 00000000 ____D C:\Users\Nick\Documents\Iron Front
2012-05-23 17:09 - 2012-05-23 17:11 - 00000000 ____D C:\Users\Nick\Downloads\DayZ-1.5.8.4
2012-05-21 23:48 - 2012-05-21 23:48 - 00000000 ____D C:\Users\Nick\AppData\Local\Ironclad Games
2012-05-21 23:47 - 2012-05-21 23:47 - 00000000 ____D C:\Users\All Users\Ironclad Games
2012-05-21 03:48 - 2012-05-21 06:14 - 405104863 ____A C:\Users\Nick\Downloads\Game.of.Thrones.S02E08.HDTV.x264-ASAP.mp4
2012-05-20 22:12 - 2012-05-20 22:12 - 00000000 ____D C:\Users\Nick\AppData\Local\Kerberos_Productions
2012-05-20 22:11 - 2012-05-20 22:11 - 00000000 ____D C:\Users\Nick\AppData\Local\Sword of the Stars II
2012-05-16 11:40 - 2012-05-16 22:25 - 00000000 ____D C:\Users\Nick\Documents\Endless Space
2012-05-15 01:14 - 2012-05-25 01:20 - 00000000 ____D C:\Users\Nick\Documents\ArmA 2 Other Profiles
2012-05-13 23:28 - 2012-05-14 02:47 - 409100303 ____A C:\Users\Nick\Downloads\Game.of.Thrones.S02E07.HDTV.x264-ASAP.mp4
2012-05-12 17:32 - 2012-05-12 17:32 - 00000000 ____D C:\Program Files (x86)\Microsoft XNA
============ 3 Months Modified Files and Folders =============
2012-06-10 15:22 - 2012-06-10 15:22 - 00000000 ____D C:\FRST
2012-06-10 10:34 - 2012-06-10 10:34 - 00000000 ____D C:\_OTL
2012-06-10 10:34 - 2012-04-28 22:49 - 00000098 ____A C:\Windows\System32\Drivers\etc\Hosts
2012-06-09 20:42 - 2012-01-23 01:14 - 00089640 ____A C:\Windows\PFRO.log
2012-06-09 20:41 - 2012-01-15 15:11 - 00113524 ____A C:\Windows\System32\Drivers\KmxAgent.asc
2012-06-09 20:41 - 2012-01-15 13:50 - 00046985 ____A C:\Windows\System32\Drivers\kmxcfg.u2k0
2012-06-09 20:41 - 2012-01-15 13:50 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k7
2012-06-09 20:41 - 2012-01-15 13:50 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k6
2012-06-09 20:41 - 2012-01-15 13:50 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k5
2012-06-09 20:41 - 2012-01-15 13:50 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k4
2012-06-09 20:41 - 2012-01-15 13:50 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k3
2012-06-09 20:41 - 2012-01-15 13:50 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k2
2012-06-09 20:41 - 2012-01-15 13:50 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k1
2012-06-09 20:41 - 2012-01-15 13:50 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k7
2012-06-09 20:41 - 2012-01-15 13:50 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k6
2012-06-09 20:41 - 2012-01-15 13:50 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k5
2012-06-09 20:41 - 2012-01-15 13:50 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k4
2012-06-09 20:41 - 2012-01-15 13:50 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k3
2012-06-09 20:41 - 2012-01-15 13:50 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k2
2012-06-09 20:41 - 2012-01-15 13:50 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k1
2012-06-09 20:41 - 2012-01-15 13:50 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k0
2012-06-09 20:39 - 2012-01-13 22:25 - 00025640 ____A (Windows (R) Server 2003 DDK provider) C:\Windows\gdrv.sys
2012-06-09 20:39 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-09 20:39 - 2009-07-13 20:51 - 00077301 ____A C:\Windows\setupact.log
2012-06-09 20:37 - 2012-06-06 22:19 - 00000000 ____D C:\Users\Nick\AppData\Roaming\uTorrent
2012-06-09 20:37 - 2012-01-31 21:17 - 00000000 ____D C:\Users\Nick\AppData\Local\LogMeIn Hamachi
2012-06-09 14:04 - 2012-06-09 14:04 - 00062996 ____A C:\OTL.Txt
2012-06-09 14:02 - 2012-01-13 21:57 - 00000000 ____D C:\users\Nick
2012-06-08 15:31 - 2012-01-13 22:53 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-06-06 23:20 - 2012-06-06 23:00 - 00364612 ____A C:\Windows\ntbtlog.txt
2012-06-06 22:32 - 2012-01-13 21:54 - 01379127 ____A C:\Windows\WindowsUpdate.log
2012-06-06 22:25 - 2009-07-13 20:45 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-06 22:25 - 2009-07-13 20:45 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-06 22:16 - 2012-06-06 22:16 - 00002154 ____A C:\Windows\epplauncher.mif
2012-06-06 22:16 - 2012-06-06 22:16 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-06 22:16 - 2012-06-06 22:16 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-06 22:16 - 2012-01-15 19:06 - 00787672 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-06-05 23:24 - 2012-06-05 23:24 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-05 23:20 - 2012-01-14 12:04 - 00000000 __SHD C:\Users\Nick\AppData\Local\{8b035cbb-d94f-d87a-4189-ca58bbb852d6}
2012-06-05 22:36 - 2012-05-26 13:08 - 00000000 ____D C:\Users\Nick\AppData\Local\Ironfront
2012-06-04 23:05 - 2009-07-13 21:13 - 00764302 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-04 05:05 - 2012-06-03 23:18 - 478365655 ____A C:\Users\Nick\Downloads\Game.of.Thrones.S02E10.HDTV.x264-ASAP.mp4
2012-06-04 01:19 - 2012-01-29 14:54 - 00000000 ____D C:\Users\Nick\AppData\Local\ArmA 2 OA
2012-06-03 23:58 - 2012-01-18 14:22 - 00283304 ____A C:\Windows\SysWOW64\PnkBstrB.xtr
2012-06-03 23:58 - 2012-01-13 23:46 - 00283304 ____A C:\Windows\SysWOW64\PnkBstrB.exe
2012-06-03 23:58 - 2012-01-13 23:46 - 00280904 ____A C:\Windows\SysWOW64\PnkBstrB.ex0
2012-06-03 23:24 - 2012-01-13 23:46 - 00076888 ____A C:\Windows\SysWOW64\PnkBstrA.exe
2012-06-03 23:19 - 2012-06-03 23:19 - 00000801 ____A C:\Users\Public\Desktop\Battlefield 3.lnk
2012-06-03 23:18 - 2012-01-13 23:46 - 00537254 ____A C:\Windows\DirectX.log
2012-06-02 23:19 - 2012-06-02 23:19 - 00000000 ____D C:\Windows\Sun
2012-06-02 19:52 - 2012-02-02 01:47 - 00000000 ____D C:\Users\Nick\Documents\StarCraft II
2012-05-31 22:56 - 2012-01-24 19:27 - 00000000 ____D C:\Users\Nick\Documents\wORK
2012-05-31 20:29 - 2012-03-13 13:58 - 00000000 ____D C:\Program Files (x86)\Battlelog Web Plugins
2012-05-28 00:00 - 2012-05-27 22:02 - 388380861 ____A C:\Users\Nick\Downloads\Game.of.Thrones.S02E09.HDTV.x264-ASAP.mp4
2012-05-27 22:20 - 2012-05-26 13:08 - 00000000 ____D C:\Users\Nick\Documents\Iron Front
2012-05-25 01:20 - 2012-05-15 01:14 - 00000000 ____D C:\Users\Nick\Documents\ArmA 2 Other Profiles
2012-05-23 17:11 - 2012-05-23 17:09 - 00000000 ____D C:\Users\Nick\Downloads\DayZ-1.5.8.4
2012-05-21 23:48 - 2012-05-21 23:48 - 00000000 ____D C:\Users\Nick\AppData\Local\Ironclad Games
2012-05-21 23:47 - 2012-05-21 23:47 - 00000000 ____D C:\Users\All Users\Ironclad Games
2012-05-21 06:14 - 2012-05-21 03:48 - 405104863 ____A C:\Users\Nick\Downloads\Game.of.Thrones.S02E08.HDTV.x264-ASAP.mp4
2012-05-20 22:12 - 2012-05-20 22:12 - 00000000 ____D C:\Users\Nick\AppData\Local\Kerberos_Productions
2012-05-20 22:11 - 2012-05-20 22:11 - 00000000 ____D C:\Users\Nick\AppData\Local\Sword of the Stars II
2012-05-19 03:45 - 2012-03-30 03:23 - 00000000 ____D C:\Users\Nick\Downloads\Sons of Anarchy S01
2012-05-17 20:42 - 2012-01-28 02:13 - 00000000 ____D C:\Program Files (x86)\uTorrent
2012-05-16 22:25 - 2012-05-16 11:40 - 00000000 ____D C:\Users\Nick\Documents\Endless Space
2012-05-14 02:47 - 2012-05-13 23:28 - 409100303 ____A C:\Users\Nick\Downloads\Game.of.Thrones.S02E07.HDTV.x264-ASAP.mp4
2012-05-12 17:54 - 2012-01-13 23:53 - 00000000 ____D C:\Users\Nick\Documents\My Games
2012-05-12 17:32 - 2012-05-12 17:32 - 00000000 ____D C:\Program Files (x86)\Microsoft XNA
2012-05-10 08:42 - 2012-05-10 00:42 - 00000000 ____D C:\Users\Nick\Downloads\Warhammer AudioBooks
2012-05-10 00:44 - 2012-05-10 00:43 - 00000000 ____D C:\Users\Nick\AppData\Roaming\Apple Computer
2012-05-10 00:43 - 2012-05-10 00:43 - 00000000 ____D C:\Users\Nick\AppData\Local\Apple Computer
2012-05-10 00:43 - 2012-05-10 00:42 - 00000000 ____D C:\Users\All Users\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-05-10 00:43 - 2012-05-10 00:42 - 00000000 ____D C:\Program Files\iTunes
2012-05-10 00:43 - 2012-05-10 00:42 - 00000000 ____D C:\Program Files (x86)\iTunes
2012-05-10 00:42 - 2012-05-10 00:42 - 00000000 ____D C:\Users\Nick\AppData\Local\Apple
2012-05-10 00:42 - 2012-05-10 00:42 - 00000000 ____D C:\Users\All Users\Apple Computer
2012-05-10 00:42 - 2012-05-10 00:42 - 00000000 ____D C:\Users\All Users\Apple
2012-05-10 00:42 - 2012-05-10 00:42 - 00000000 ____D C:\Program Files\iPod
2012-05-10 00:42 - 2012-05-10 00:42 - 00000000 ____D C:\Program Files\Common Files\Apple
2012-05-10 00:42 - 2012-05-10 00:42 - 00000000 ____D C:\Program Files\Bonjour
2012-05-10 00:42 - 2012-05-10 00:42 - 00000000 ____D C:\Program Files (x86)\Bonjour
2012-05-10 00:42 - 2012-05-10 00:42 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2012-05-09 22:54 - 2012-05-09 22:54 - 00955848 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2012-05-09 22:54 - 2012-05-09 22:54 - 00839112 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2012-05-09 22:54 - 2012-05-09 22:54 - 00268744 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-05-09 22:54 - 2012-05-09 22:54 - 00189384 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-05-09 22:54 - 2012-05-09 22:54 - 00188872 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-05-09 22:54 - 2012-05-09 22:54 - 00000000 ____D C:\Program Files\Java
2012-05-09 22:49 - 2012-05-09 22:49 - 00476960 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-05-09 22:49 - 2012-05-09 22:49 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-05-09 22:49 - 2012-05-09 22:49 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-05-09 22:49 - 2012-05-09 22:49 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-05-09 22:49 - 2012-02-01 02:48 - 00472864 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2012-05-09 22:40 - 2009-07-13 20:45 - 04853960 ____A C:\Windows\System32\FNTCACHE.DAT
2012-05-09 03:27 - 2009-07-13 23:45 - 00000000 ____D C:\Program Files\Windows Journal
2012-05-08 00:39 - 2012-05-07 23:34 - 447520043 ____A C:\Users\Nick\Downloads\Game.of.Thrones.S02E06.HDTV.x264-2HD.mp4
2012-05-07 04:12 - 2012-04-29 23:52 - 432513909 ____A C:\Users\Nick\Downloads\Game.of.Thrones.S02E05.HDTV.x264-ASAP.mp4
2012-05-04 15:36 - 2012-01-28 01:34 - 00000000 ____A C:\Windows\System32\Drivers\lvuvc.hs
2012-05-01 03:30 - 2012-02-29 23:28 - 00000000 ____D C:\Users\Nick\Documents\Mount&Blade Warband Savegames
2012-04-29 02:12 - 2012-04-29 02:12 - 00000000 ____D C:\Users\Nick\AppData\Roaming\Screaming Bee
2012-04-29 02:10 - 2012-04-29 02:10 - 00000000 ____D C:\Program Files (x86)\Screaming Bee
2012-04-28 21:49 - 2012-01-14 01:04 - 00000000 ____D C:\Users\Nick\AppData\Local\ArmA 2
2012-04-25 03:07 - 2012-04-25 03:07 - 00000000 ____D C:\Users\All Users\Mozilla
2012-04-25 03:07 - 2012-04-25 03:07 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2012-04-24 15:26 - 2012-03-04 14:28 - 00000000 ____D C:\Users\Nick\AppData\Roaming\TS3Client
2012-04-24 15:26 - 2012-03-04 14:28 - 00000000 ____D C:\Program Files\TeamSpeak 3 Client
2012-04-24 02:49 - 2012-04-24 02:49 - 00000000 ____D C:\Users\Nick\AppData\Roaming\Media Player Classic
2012-04-24 02:00 - 2012-04-23 00:46 - 1331438144 ____A C:\Users\Nick\Downloads\Game.of.Thrones.S02E04.720p.HDTV.x264-AVS.mkv
2012-04-21 15:49 - 2012-04-21 15:47 - 00000000 ____D C:\Users\Nick\AppData\Roaming\runic games
2012-04-20 22:23 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2012-04-20 21:16 - 2012-04-20 21:16 - 00274744 ____A C:\Windows\Minidump\042112-18782-01.dmp
2012-04-20 21:16 - 2012-03-12 04:25 - 745939386 ____A C:\Windows\MEMORY.DMP
2012-04-20 21:16 - 2012-03-12 04:25 - 00000000 ____D C:\Windows\Minidump
2012-04-20 00:31 - 2012-04-20 00:31 - 00262144 ____A C:\Windows\Minidump\042012-16161-01.dmp
2012-04-16 01:07 - 2012-04-15 23:48 - 349368220 ____A C:\Users\Nick\Downloads\Game.of.Thrones.S02E03.HDTV.x264-ASAP.mp4
2012-04-13 15:07 - 2012-04-13 05:15 - 00000000 ____D C:\Users\All Users\Hi-Rez Studios
2012-04-13 05:15 - 2012-01-13 22:13 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-04-10 13:31 - 2012-04-10 13:31 - 00000000 ____D C:\Users\Nick\AppData\Local\Red 5 Studios
2012-04-10 04:41 - 2012-04-10 04:41 - 00000000 ____D C:\Program Files (x86)\Xiph.Org
2012-04-10 04:41 - 2012-02-16 13:33 - 00000000 ____D C:\Windows\SysWOW64\directx
2012-04-09 13:20 - 2012-04-09 13:20 - 00000000 ____D C:\Users\Nick\AppData\Local\CrashRpt
2012-04-09 00:57 - 2012-04-08 23:56 - 384418649 ____A C:\Users\Nick\Downloads\Game.of.Thrones.S02E02.HDTV.x264-ASAP.mp4
2012-04-07 15:01 - 2012-04-07 15:01 - 00000000 ____D C:\Users\Nick\Documents\EA Games
2012-04-07 14:59 - 2012-04-07 14:59 - 00000000 ____D C:\Users\Nick\AppData\Local\EA Games
2012-04-07 14:59 - 2012-03-09 16:22 - 00000000 ____D C:\Users\All Users\Solidshield
2012-04-06 15:12 - 2012-02-09 17:51 - 00000000 ____D C:\Users\Nick\AppData\Roaming\.minecraft
2012-04-06 15:12 - 2012-01-14 01:04 - 00000000 ____D C:\Users\Nick\Documents\ArmA 2
2012-04-06 15:12 - 2012-01-13 22:52 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-04-06 15:12 - 2012-01-13 22:21 - 00000000 ____D C:\Users\All Users\InstallShield
2012-04-06 15:12 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2012-04-06 15:12 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2012-04-06 14:24 - 2012-04-06 14:24 - 00000000 ____D C:\Users\Nick\AppData\Local\Electronic Arts
2012-04-06 14:07 - 2012-04-06 14:07 - 00000000 ____D C:\Users\Nick\Documents\Electronic Arts
2012-04-05 21:23 - 2009-07-13 21:08 - 00032648 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-04-05 21:22 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\config\TxR
2012-04-05 19:20 - 2012-04-05 19:20 - 00000000 ____D C:\Users\Nick\Documents\Egosoft
2012-04-05 18:54 - 2009-07-13 20:51 - 00054520 ____A C:\Windows\setupact(22).log
2012-04-01 23:52 - 2012-04-01 23:51 - 00000000 ____D C:\Users\Nick\Downloads\Game of Thrones S02E01 HDTV x264-ASAP[ettv]
2012-04-01 23:49 - 2012-04-01 22:59 - 393031408 ____A C:\Users\Nick\Downloads\Game.of.Thrones.S02E01.HDTV.RM-ASAP.mp4
2012-04-01 21:34 - 2012-05-08 23:40 - 05504880 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-04-01 20:46 - 2012-05-08 23:40 - 03958128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-04-01 20:46 - 2012-05-08 23:40 - 03902320 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-04-01 19:01 - 2012-05-08 23:40 - 03143680 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-03-31 19:23 - 2012-02-29 23:17 - 00000000 ____D C:\Users\Nick\AppData\Roaming\Mount&Blade Warband
2012-03-31 14:52 - 2012-03-31 14:52 - 00000000 ____D C:\Users\Nick\AppData\Local\FalloutNV
2012-03-30 03:09 - 2012-05-08 23:33 - 01895280 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-03-25 23:22 - 2012-03-25 23:22 - 00000000 ____D C:\Users\All Users\Canon
2012-03-25 23:21 - 2012-03-25 23:21 - 00000000 ____D C:\Program Files\Canon
2012-03-25 23:21 - 2012-03-25 23:21 - 00000000 ____D C:\Program Files (x86)\Canon
2012-03-25 22:04 - 2012-03-25 17:51 - 355600103 ____A C:\Users\Nick\Downloads\The.Walking.Dead.S02E13.HDTV.x264-ASAP.[VTV].mp4
2012-03-22 20:56 - 2012-01-13 23:27 - 00414368 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-03-20 02:44 - 2012-03-20 02:44 - 00203888 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
2012-03-20 02:44 - 2012-03-20 02:44 - 00098688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
2012-03-19 01:33 - 2012-03-19 01:32 - 00803760 ____A C:\Users\Nick\Downloads\RobCo_Certified_v2-712-2-5-FINAL.zip
2012-03-18 14:03 - 2012-03-05 22:36 - 00000000 ____D C:\Users\Nick\AppData\Local\Fallout3
2012-03-16 23:55 - 2012-05-08 23:33 - 00075632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys
2012-03-15 00:57 - 2012-03-14 15:06 - 00000000 ____D C:\Users\Nick\AppData\Local\ESN Sonar
2012-03-13 19:31 - 2012-03-13 19:31 - 00000000 __SHD C:\Users\All Users\SecuROM
2012-03-13 14:36 - 2012-02-16 13:37 - 00000000 ____D C:\Users\All Users\EA Logs
2012-03-13 13:59 - 2012-03-13 13:59 - 00000000 ____D C:\Users\Nick\Documents\Battlefield 3
2012-03-13 13:59 - 2012-01-18 14:21 - 00000000 ____D C:\Users\Nick\AppData\Local\PunkBuster
2012-03-13 13:57 - 2012-03-13 13:57 - 00000000 ____D C:\Users\All Users\EA Core
2012-03-13 13:57 - 2012-02-16 03:34 - 00000000 ____D C:\Users\All Users\Electronic Arts
2012-03-13 04:40 - 2012-02-16 03:34 - 00000000 ____D C:\Users\Nick\AppData\Local\Origin
2012-03-13 03:17 - 2012-02-16 03:34 - 00001056 ____A C:\Windows\KB893803v2.log
ZeroAccess:
C:\Windows\Installer\{8b035cbb-d94f-d87a-4189-ca58bbb852d6}
C:\Windows\Installer\{8b035cbb-d94f-d87a-4189-ca58bbb852d6}\@
C:\Windows\Installer\{8b035cbb-d94f-d87a-4189-ca58bbb852d6}\L
C:\Windows\Installer\{8b035cbb-d94f-d87a-4189-ca58bbb852d6}\U
C:\Windows\Installer\{8b035cbb-d94f-d87a-4189-ca58bbb852d6}\U\00000001.@
C:\Windows\Installer\{8b035cbb-d94f-d87a-4189-ca58bbb852d6}\U\800000cb.@
ZeroAccess:
C:\Users\Nick\AppData\Local\{8b035cbb-d94f-d87a-4189-ca58bbb852d6}
C:\Users\Nick\AppData\Local\{8b035cbb-d94f-d87a-4189-ca58bbb852d6}\@
C:\Users\Nick\AppData\Local\{8b035cbb-d94f-d87a-4189-ca58bbb852d6}\L
C:\Users\Nick\AppData\Local\{8b035cbb-d94f-d87a-4189-ca58bbb852d6}\U
========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 6%
Total physical RAM: 16367.12 MB
Available physical RAM: 15240.44 MB
Total Pagefile: 16365.27 MB
Available Pagefile: 15229.94 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB
======================= Partitions =========================
1 Drive c: () (Fixed) (Total:232.88 GB) (Free:147.57 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (TeraByte) (Fixed) (Total:931.51 GB) (Free:536.97 GB) NTFS
4 Drive f: (LEXAR) (Removable) (Total:1.89 GB) (Free:0.37 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 8 MB
Disk 1 Online 931 GB 0 B *
Disk 2 Online 1935 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 232 GB 31 KB
======================================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 232 GB Healthy
======================================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Dynamic Data 931 GB 31 KB
======================================================================================================
Disk: 1
Partition 1
Type : 42
Hidden: Yes
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 D TeraByte NTFS Simple 931 GB Healthy
======================================================================================================
Partitions of Disk 2:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1935 MB 16 KB
======================================================================================================
Disk: 2
Partition 1
Type : 04
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F LEXAR FAT Removable 1935 MB Healthy
======================================================================================================
==========================================================
Last Boot: 2012-05-28 22:59
======================= End Of Log ==========================
 
My apologies. I did follow your instructions, however I must not have copied the report properly (must have not pressed the key hard enough). The last thing I copied was the older log, that is why it was posted.
 
We have ZeroAccess rootkit infection there.

Before we run some fix I need to find a replacement for one system file, which seems to be infected as well.

In Vista or Windows 7: Boot to System Recovery Options and run FRST.
In Windows XP: Please boot to BartPe and run FRST.
Type the following in the edit box after "Search:".

services.exe

Click Search button and post the log (Search.txt) it makes to your reply.
 
Farbar Recovery Scan Tool Version: 09-06-2012 01
Ran by SYSTEM at 2012-06-10 16:07:21
Running from F:\
================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06
====== End Of Search ======
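The two FRST sections the helper reads by eye in this thread (the "ZeroAccess:" directory listing and the services.exe search with its two MD5 values) can be checked mechanically. The script below is an added example written for this thread; it is not FRST's own code and not from the thread's participants. The FRST line layout is assumed from the lines posted above, and the sample input is copied from those posted log lines.

```python
"""Parse the FRST "ZeroAccess:" listing and a "Search:" result and report what
a malware-removal helper looks for: the {GUID}\\@, L, U directory layout, and a
System32 file whose hash disagrees with its component-store (WinSxS) copy."""
import re
from collections import defaultdict

# Constructed sample input: copied from the FRST logs posted in this thread.
SAMPLE_ZEROACCESS = r"""
ZeroAccess:
C:\Windows\Installer\{8b035cbb-d94f-d87a-4189-ca58bbb852d6}
C:\Windows\Installer\{8b035cbb-d94f-d87a-4189-ca58bbb852d6}\@
C:\Windows\Installer\{8b035cbb-d94f-d87a-4189-ca58bbb852d6}\L
C:\Windows\Installer\{8b035cbb-d94f-d87a-4189-ca58bbb852d6}\U
C:\Windows\Installer\{8b035cbb-d94f-d87a-4189-ca58bbb852d6}\U\00000001.@
C:\Windows\Installer\{8b035cbb-d94f-d87a-4189-ca58bbb852d6}\U\800000cb.@
ZeroAccess:
C:\Users\Nick\AppData\Local\{8b035cbb-d94f-d87a-4189-ca58bbb852d6}
C:\Users\Nick\AppData\Local\{8b035cbb-d94f-d87a-4189-ca58bbb852d6}\@
C:\Users\Nick\AppData\Local\{8b035cbb-d94f-d87a-4189-ca58bbb852d6}\L
C:\Users\Nick\AppData\Local\{8b035cbb-d94f-d87a-4189-ca58bbb852d6}\U
========================= Known DLLs (Whitelisted) ============
"""

SAMPLE_SEARCH = r"""
================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06
====== End Of Search ======
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Assumed detail-line layout: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attr>\S+) (?:\((?P<company>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})$"
)
GUID_DIR_RE = re.compile(r"^(.*\\\{[0-9a-fA-F-]{36}\})(?:\\(.*))?$")


def zeroaccess_roots(text):
    """Map each {GUID} directory listed under a 'ZeroAccess:' heading to the
    relative entries FRST saw inside it (e.g. '@', 'L', 'U', 'U\\00000001.@')."""
    roots = defaultdict(set)
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line == "ZeroAccess:":
            in_section = True
            continue
        if not PATH_RE.match(line):
            in_section = False  # a banner or blank line ends the listing
            continue
        if not in_section:
            continue
        m = GUID_DIR_RE.match(line)
        if m:
            roots[m.group(1)].add(m.group(2) or "")
    return dict(roots)


def parse_search(text):
    """Return one dict (path, timestamps, size, company, md5) per file that an
    FRST 'Search:' run found."""
    entries, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            pending = line
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            entry = m.groupdict()
            entry["path"] = pending
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
            pending = None
    return entries


def compare_to_winsxs(entries):
    """Treat the WinSxS copy as the reference. On Windows 7 the System32 copy is
    normally identical to it, so a different hash with otherwise identical size
    and timestamps is the pattern the helper reads as a patched system file."""
    refs = [e for e in entries if "\\winsxs\\" in e["path"].lower()]
    if len(refs) != 1:
        raise ValueError("expected exactly one WinSxS reference copy")
    ref = refs[0]
    findings = []
    for e in entries:
        if e is ref:
            continue
        same_meta = (e["size"], e["created"], e["modified"]) == (
            ref["size"], ref["created"], ref["modified"])
        if e["md5"] == ref["md5"]:
            verdict = "matches WinSxS copy"
        elif same_meta:
            verdict = "hash differs, metadata identical: suspect patched binary"
        else:
            verdict = "hash differs, metadata differs: different build, verify separately"
        findings.append((e["path"], verdict))
    return findings


if __name__ == "__main__":
    for root, items in zeroaccess_roots(SAMPLE_ZEROACCESS).items():
        print(f"ZeroAccess layout under {root}: {sorted(items)}")
    for path, verdict in compare_to_winsxs(parse_search(SAMPLE_SEARCH)):
        print(f"{path}: {verdict}")
```

The comparison only says which copy disagrees with the component store; the clean replacement is the WinSxS copy, which is exactly why the helper asked for the search before writing the fix.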
 
Good :)

Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.
 

Attachments

  • fixlist.txt (344 bytes)