Inactive RootKit virus -- need help removing!!

Mateyo

I saw that someone was having a problem very similar to mine here, but like him, I wanted to be safe by creating a thread unique to my situation and specifications.

Like him, it appears I have a rootkit virus that has become part of the operating system. Every time I boot the computer up and log on, within a minute, I get an error message that says
Error: You are about to be logged off: Windows has encountered a critical problem...
It then restarts the computer, thus restarting the process all over again. No matter what user I am logged onto, the problem is the same. Therefore, my suspicion is that it is a rootkit virus.

Now, before resorting to posting my query here, I had attempted to solve the problem myself to no avail. This virus had only popped up and reared its nasty head recently, in fact, as I was downloading Microsoft Security Essentials. So either it could have remained latent until the new antivirus software was installed, or possibly it hitched a ride with the software itself. Whatever the case, the problem still remains. I had looked up possible methods to root out the virus (of course, on another computer) and tried to implement those methods, but obviously they didn't work (or else I wouldn't need to be here).

Here are the nuts and bolts:
Software: Windows 7 (32-bit)
RegClean Pro
Microsoft Security Essentials
McAfee Antivirus (license expired)
Hardware: Desktop Gateway 506 GR
Pentium 4 Processor
Methods Used in Removal Effort:
Search in RegEdit
Search Computer for sirefef file
Ran Yorkyt --> Got Yorkyt.exe
That should be enough to go off of. Any help and guidance on the removal of this virus would be appreciated. Thank you.
 
Hello, and welcome to TechSpot.


Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
We will need to get rid of ZeroAccess/Sirefef threat...

Download Farbar Recovery Scan Tool and save it to a flash drive.

Please make sure to download the 32-bit version.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.
 
Thanks for the timely response. I did what you suggested up until the BIOS menu was supposed to appear. Instead, the computer went directly into Startup Repair mode. A prompt came up giving the option to restore the computer to a previous point. I chose that option, but I was a bit leery about the implications. As of now, it is in the process of "attempting repairs..."
 
I have now completed the instructions you gave. Here is the log as follows:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 25-09-2012
Ran by SYSTEM at 25-09-2012 11:56:57
Running from J:\
Windows 7 Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001
==================== Registry (Whitelisted) ===================
HKLM\...\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [169312 2008-07-21] (Maxtor Corporation)
HKLM\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1271968 2012-06-21] (McAfee, Inc.)
HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [61440 2009-09-29] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [10029672 2011-03-28] (Realtek Semiconductor)
HKLM\...\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [210472 2006-10-25] (Nuance Communications, Inc.)
HKLM\...\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [29984 2008-07-09] (Nuance Communications, Inc.)
HKLM\...\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [46368 2008-07-09] (Nuance Communications, Inc.)
HKLM\...\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini" [345 2012-09-13] ()
HKLM\...\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN [1159168 2009-05-26] (Brother Industries, Ltd.)
HKLM\...\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun [114688 2008-12-24] (Brother Industries, Ltd.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [1821576 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\Dad\...\Policies\system: [LogonHoursAction] 2
HKU\Dad\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Matt\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\Matt\...\Run: [Epson Stylus NX510(Network)] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIFIA.EXE /FU "C:\Windows\TEMP\E_S4871.tmp" /EF "HKCU" [199680 2009-11-04] (SEIKO EPSON CORPORATION)
HKU\Matt\...\Run: [SansaDispatch] C:\Users\Matt\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe [79872 2011-12-13] (SanDisk Corporation)
HKU\Matt\...\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" /MINIMIZED [880496 2012-05-14] (BitTorrent, Inc.)
HKU\Matt\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [354304 2009-07-13] (Microsoft Corporation)
HKU\Matt\...\Run: [GoogleDriveSync] "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart [12218904 2012-07-20] (Google)
HKU\Matt\...\Policies\system: [LogonHoursAction] 2
HKU\Matt\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Matt2\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [354304 2009-07-13] (Microsoft Corporation)
HKU\Matt2\...\Policies\system: [LogonHoursAction] 2
HKU\Matt2\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Startup: C:\Users\All Users\Start Menu\Programs\Startup\SATARaid5Manager.lnk
ShortcutTarget: SATARaid5Manager.lnk -> C:\Windows\Installer\{2ABC904F-6915-40AC-8CF8-B48743698CEC}\_4E324AB483CECB59D49F7F.exe ()
Startup: C:\Users\Matt\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
==================== Services (Whitelisted) ===================
2 EpsonBidirectionalService; C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe [94208 2006-12-19] (SEIKO EPSON CORPORATION)
2 Maxtor Sync Service; "C:\Program Files\Maxtor\Sync\SyncServices.exe" [193888 2008-07-21] (Seagate Technology LLC)
2 McAfee SiteAdvisor Service; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [168280 2012-05-11] (McAfee, Inc.)
2 McMPFSvc; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [168280 2012-05-11] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [168280 2012-05-11] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [168280 2012-05-11] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [168280 2012-05-11] (McAfee, Inc.)
3 McODS; "C:\Program Files\McAfee\VirusScan\mcods.exe" [279584 2012-07-12] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [168280 2012-05-11] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [200816 2012-06-22] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [168368 2012-06-22] (McAfee, Inc.)
2 mfevtp; "C:\Windows\system32\mfevtps.exe" [166320 2012-06-22] (McAfee, Inc.)
2 MOBKbackup; "C:\Program Files\McAfee Online Backup\MOBKbackup.exe" [229688 2010-04-13] (McAfee, Inc.)
2 MSK80Service; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [168280 2012-05-11] (McAfee, Inc.)
2 SATARaid5 Config Service; "C:\Program Files\Silicon Image\3132-W-R\SATARaid5ConfigService.exe" [131072 2005-10-05] ()
2 svcboot_shvuszrb; C:\Windows\system32\crbadmvnc\svcboot_shvuszrb.dll [249727 2011-07-09] ()
2 TunngleService; C:\Program Files\Tunngle\TnglCtrl.exe [718072 2010-11-22] (Tunngle.net GmbH)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
==================== Drivers (Whitelisted) ====================
3 cfwids; C:\Windows\System32\drivers\cfwids.sys [60480 2012-06-22] (McAfee, Inc.)
0 DasBoot; C:\Windows\system32\drivers\DasBoot.SYS [20744 2012-01-17] ()
0 DasBootF; C:\Windows\system32\drivers\DasBootF.SYS [59272 2012-01-17] ()
3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [146872 2012-04-20] (McAfee, Inc.)
3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [127992 2012-06-22] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [230224 2012-06-22] (McAfee, Inc.)
3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [61912 2012-06-22] (McAfee, Inc.)
3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [360792 2012-06-22] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [554048 2012-06-22] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [92192 2012-06-22] (McAfee, Inc.)
0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [206784 2012-06-22] (McAfee, Inc.)
1 MOBKFilter; C:\Windows\System32\DRIVERS\MOBK.sys [54776 2010-04-13] (Mozy, Inc.)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
1 MpKsl69f0b902; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{1208F9C2-CEC9-490F-AB39-363E5FDA0CEB}\MpKsl69f0b902.sys [29904 2012-09-25] (Microsoft Corporation)
1 MpKslb250567e; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{1208F9C2-CEC9-490F-AB39-363E5FDA0CEB}\MpKslb250567e.sys [29904 2012-09-13] (Microsoft Corporation)
1 MpKslcbe20d8f; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{1208F9C2-CEC9-490F-AB39-363E5FDA0CEB}\MpKslcbe20d8f.sys [29904 2012-09-12] (Microsoft Corporation)
3 PRSBDrvr; C:\Windows\System32\DRIVERS\PRSBDrvr.sys [28424 2012-01-17] ()
0 Si3132r5; C:\Windows\System32\DRIVERS\Si3132r5.sys [217128 2008-10-29] (Silicon Image, Inc)
0 SiFilter; C:\Windows\System32\DRIVERS\SiWinAcc.sys [17064 2008-10-29] (Silicon Image, Inc.)
0 SiRemFil; C:\Windows\System32\DRIVERS\SiRemFil.sys [12200 2008-10-29] (Silicon Image, Inc.)
3 tap0901t; C:\Windows\System32\DRIVERS\tap0901t.sys [27136 2009-09-16] (Tunngle.net)
3 YMIDUSBW; C:\Windows\System32\drivers\ymidusbw.sys [34280 2011-01-31] (Yamaha Corporation)
1 gfcgigqd; \??\C:\Windows\system32\drivers\gfcgigqd.sys [x]
3 mfeavfk01; [x]
==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========
2012-09-25 11:56 - 2012-09-25 11:56 - 00000000 ____D C:\FRST
2012-09-25 08:47 - 2012-09-25 08:47 - 00043600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\pnxtluos.sys
2012-09-12 22:04 - 2012-01-17 12:55 - 00028424 ____A C:\Windows\System32\Drivers\PRSBDrvr.sys
2012-09-12 21:48 - 2012-09-12 21:48 - 00295106 ____A C:\Windows\System32\PHOOKSmf2.TXT
2012-09-12 21:36 - 2012-09-25 08:48 - 00257166 ____A C:\Windows\System32\PHOOKSmf.txt
2012-09-12 21:35 - 2012-09-23 20:40 - 00000000 ____D C:\Windows\System32\DBBK
2012-09-12 21:35 - 2012-09-12 22:05 - 00163017 ____A C:\Users\Dad\Desktop\yorkyt.exe.log
2012-09-12 21:35 - 2012-03-22 08:17 - 00225664 ____A C:\Windows\System32\Drivers\DasBootS.SYS
2012-09-12 21:35 - 2012-01-17 12:55 - 00059272 ____A C:\Windows\System32\Drivers\DasBootF.SYS
2012-09-12 21:35 - 2012-01-17 12:55 - 00027528 ____A C:\Windows\System32\Drivers\DasBootK.SYS
2012-09-12 21:35 - 2012-01-17 12:55 - 00020744 ____A C:\Windows\System32\Drivers\DasBoot.SYS
2012-09-12 21:35 - 2012-01-17 12:55 - 00009096 ____A C:\Windows\System32\Drivers\DasBootI.SYS
2012-09-12 21:35 - 2012-01-17 12:55 - 00009096 ____A C:\Windows\System32\Drivers\DasBootE.SYS
2012-09-12 21:35 - 2010-05-03 17:37 - 00003072 ____A C:\Windows\System32\Drivers\DasBootD.SYS
2012-09-12 21:31 - 2012-09-12 21:15 - 01415784 ____A C:\Users\Dad\Desktop\yorkyt.exe
2012-09-12 21:14 - 2012-09-12 21:14 - 00000000 ____D C:\Users\Matt2\AppData\Roaming\Apple Computer
2012-09-12 21:12 - 2012-09-12 21:12 - 00000000 ____D C:\Users\Matt2\AppData\LocalGoogle
2012-09-12 21:08 - 2012-09-12 21:08 - 00000000 ____D C:\Users\Dad\AppData\Local\Apple Computer
2012-09-12 20:19 - 2012-09-12 20:19 - 00001945 ____A C:\Windows\epplauncher.mif
2012-09-12 20:17 - 2012-09-12 20:17 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-09-12 20:15 - 2012-09-12 20:15 - 10288512 ____A (Microsoft Corporation) C:\Users\Matt\Downloads\mseinstall.exe
2012-08-28 14:32 - 2012-08-28 14:32 - 00000000 ____D C:\Users\Dad\AppData\Local\Apple
2012-08-28 14:05 - 2012-09-12 21:07 - 00000000 ____D C:\Users\Dad\AppData\Roaming\Apple Computer
2012-08-28 14:05 - 2012-08-28 14:05 - 00000000 ____D C:\Users\Dad\AppData\LocalGoogle
2012-08-27 22:24 - 2012-08-27 22:25 - 00000000 ____D C:\Users\Matt\AppData\Local\{5B84F374-2118-4994-8EB8-AC7228000162}
==================== 3 Months Modified Files ==================
2012-09-25 08:48 - 2012-09-12 21:36 - 00257166 ____A C:\Windows\System32\PHOOKSmf.txt
2012-09-25 08:47 - 2012-09-25 08:47 - 00043600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\pnxtluos.sys
2012-09-25 08:45 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-25 08:45 - 2009-07-13 20:39 - 00072248 ____A C:\Windows\setupact.log
2012-09-23 20:40 - 2012-08-12 19:25 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-09-23 19:46 - 2009-07-13 20:53 - 00032550 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-09-23 19:42 - 2012-08-12 19:25 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-09-13 14:08 - 2012-07-22 11:06 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-12 22:05 - 2012-09-12 21:35 - 00163017 ____A C:\Users\Dad\Desktop\yorkyt.exe.log
2012-09-12 21:55 - 2011-05-16 03:31 - 00089590 ____A C:\Windows\PFRO.log
2012-09-12 21:52 - 2011-05-15 14:29 - 00001828 ____A C:\Users\Public\Desktop\McAfee Total Protection.lnk
2012-09-12 21:48 - 2012-09-12 21:48 - 00295106 ____A C:\Windows\System32\PHOOKSmf2.TXT
2012-09-12 21:33 - 2011-05-15 12:42 - 00729514 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-12 21:15 - 2012-09-12 21:31 - 01415784 ____A C:\Users\Dad\Desktop\yorkyt.exe
2012-09-12 21:12 - 2011-11-21 12:03 - 00000632 _RASH C:\Users\Matt2\ntuser.pol
2012-09-12 20:19 - 2012-09-12 20:19 - 00001945 ____A C:\Windows\epplauncher.mif
2012-09-12 20:19 - 2011-05-15 14:23 - 01945164 ____A C:\Windows\WindowsUpdate.log
2012-09-12 20:15 - 2012-09-12 20:15 - 10288512 ____A (Microsoft Corporation) C:\Users\Matt\Downloads\mseinstall.exe
2012-09-12 19:09 - 2009-07-13 20:34 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-12 19:09 - 2009-07-13 20:34 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-10 23:25 - 2011-05-19 15:57 - 00000000 ____A C:\Windows\System32\Access.dat
2012-08-16 10:27 - 2009-07-13 20:33 - 00295408 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-14 22:26 - 2011-05-29 20:49 - 59884088 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-08-14 22:08 - 2012-04-23 13:27 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-14 22:08 - 2011-05-15 11:41 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-08-12 19:28 - 2012-08-12 19:28 - 00001644 ____A C:\Users\Matt\Desktop\Google Drive.lnk
2012-08-12 19:24 - 2012-08-12 19:24 - 00740104 ____A (Google Inc.) C:\Users\Matt\Downloads\googledrivesync.exe
2012-07-18 09:47 - 2012-08-14 20:24 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-06 17:42 - 2012-07-06 17:42 - 00000000 ____A C:\extensions.sqlite
2012-07-04 13:16 - 2012-08-14 20:24 - 00057344 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 13:14 - 2012-08-14 20:24 - 00102912 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 13:14 - 2012-08-14 20:24 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-06-28 16:52 - 2012-08-16 21:32 - 12317184 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-28 16:27 - 2012-08-16 21:32 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-28 16:16 - 2012-08-16 21:32 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-28 16:09 - 2012-08-16 21:32 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-28 16:09 - 2012-08-16 21:32 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-28 16:08 - 2012-08-16 21:32 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-28 16:07 - 2012-08-16 21:32 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-28 16:06 - 2012-08-16 21:32 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-28 16:04 - 2012-08-16 21:32 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-28 16:04 - 2012-08-16 21:32 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-28 16:01 - 2012-08-16 21:32 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-28 16:01 - 2012-08-16 21:32 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-28 16:00 - 2012-08-16 21:32 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-28 15:57 - 2012-08-16 21:32 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
ZeroAccess:
C:\Windows\Installer\{4b660329-baec-b093-9845-85ce4da27f9e}
C:\Windows\Installer\{4b660329-baec-b093-9845-85ce4da27f9e}\L
C:\Windows\Installer\{4b660329-baec-b093-9845-85ce4da27f9e}\n
C:\Windows\Installer\{4b660329-baec-b093-9845-85ce4da27f9e}\U
C:\Windows\Installer\{4b660329-baec-b093-9845-85ce4da27f9e}\L\00000004.@
ZeroAccess:
C:\Users\Matt\AppData\Local\{4b660329-baec-b093-9845-85ce4da27f9e}
C:\Users\Matt\AppData\Local\{4b660329-baec-b093-9845-85ce4da27f9e}\@
C:\Users\Matt\AppData\Local\{4b660329-baec-b093-9845-85ce4da27f9e}\L
C:\Users\Matt\AppData\Local\{4b660329-baec-b093-9845-85ce4da27f9e}\U
ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini
==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points =========================

==================== Memory info ===========================
Percentage of memory in use: 19%
Total physical RAM: 2045.79 MB
Available physical RAM: 1655.9 MB
Total Pagefile: 2045.79 MB
Available Pagefile: 1663.3 MB
Total Virtual: 2047.88 MB
Available Virtual: 1952.7 MB
==================== Partitions =============================
1 Drive c: () (Fixed) (Total:298.08 GB) (Free:16.34 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
8 Drive j: (MATT THM DR) (Removable) (Total:1.86 GB) (Free:1.83 GB) FAT
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 9 MB
Disk 1 No Media 0 B 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 Online 1907 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 298 GB 31 KB
=========================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 298 GB Healthy
=========================================================
Partitions of Disk 5:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1907 MB 64 KB
=========================================================
Disk: 5
Partition 1
Type : 06
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 7 J MATT THM DR FAT Removable 1907 MB Healthy
=========================================================
Last Boot: 2012-08-30 16:49
==================== End Of Log ============================
 
Before we do the fixes, please open FRST, put services.exe in the search box and hit Search. Post log when finished (search.txt).
 
Indeed, I performed the search on the infected computer. Here are the results:

Farbar Recovery Scan Tool (x86) Version: 25-09-2012
Ran by SYSTEM at 2012-09-25 17:31:14
Running from G:\
================== Search: "services.exe" ===================
C:\Windows.old\Documents and Settings\Old Data\WINDOWS\system32\services.exe
[2008-04-14 04:00] - [2008-04-14 04:00] - 0108544 ____A (Microsoft Corporation) 0E776ED5F7CC9F94299E70461B7B8185
C:\Windows.old\Documents and Settings\Old Data\WINDOWS\$NtUninstallKB956572_0$\services.exe
[2009-09-14 19:57] - [2004-08-04 04:00] - 0108032 ___AC (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4
C:\Windows.old\Documents and Settings\Old Data\WINDOWS\$NtUninstallKB956572$\services.exe
[2010-05-29 19:39] - [2004-08-04 04:00] - 0108032 ___AC (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4
C:\Windows.old\Documents and Settings\Old Data\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
[2009-09-14 18:10] - [2009-02-06 03:06] - 0110592 ____A (Microsoft Corporation) 020CEAAEDC8EB655B6506B8C70D53BB6
C:\Windows.old\Documents and Settings\Old Data\WINDOWS\$hf_mig$\KB956572\SP3GDR\services.exe
[2009-09-14 18:10] - [2009-02-06 03:11] - 0110592 ____A (Microsoft Corporation) 65DF52F5B8B6E9BBD183505225C37315
C:\Windows.old\Documents and Settings\Old Data\WINDOWS\$hf_mig$\KB956572\SP2QFE\services.exe
[2009-09-14 18:10] - [2009-02-06 02:22] - 0110592 ____A (Microsoft Corporation) 4712531AB7A01B7EE059853CA17D39BD
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6
C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9
=== End Of Search ===
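The two logs above carry the whole case in a few lines: FRST's "Bamital & volsnap Check" flags C:\Windows\System32\services.exe because its MD5 (A302BBFF...) is not in FRST's known-good list, and the follow-up search shows why that matters: the WinSxS component-store copy of services.exe has the same size, the same timestamps and the same publisher but a different hash (5F1B6A9C...), which is what an in-place patched system binary looks like. The script below is an added example, not part of the thread and not FRST's own code; it parses excerpts copied from the two logs (shortened, the Windows.old entries left out) and pulls out what a helper acts on first. The two review heuristics it applies, a service with an empty publisher field whose binary sits in a subfolder of System32, and a live System32 file whose MD5 differs from a same-size, same-publisher WinSxS copy of the same name, are this example's own assumptions, not rules FRST documents.

```python
"""Triage of FRST.txt and Search.txt excerpts (added example, not FRST's code)."""
import re

# Constructed sample: excerpt of the first FRST.txt posted in this thread.
FRST_LOG = r"""
==================== Services (Whitelisted) ===================
2 SATARaid5 Config Service; "C:\Program Files\Silicon Image\3132-W-R\SATARaid5ConfigService.exe" [131072 2005-10-05] ()
2 svcboot_shvuszrb; C:\Windows\system32\crbadmvnc\svcboot_shvuszrb.dll [249727 2011-07-09] ()
2 TunngleService; C:\Program Files\Tunngle\TnglCtrl.exe [718072 2010-11-22] (Tunngle.net GmbH)
==================== Drivers (Whitelisted) ====================
0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [206784 2012-06-22] (McAfee, Inc.)
1 gfcgigqd; \??\C:\Windows\system32\drivers\gfcgigqd.sys [x]
3 mfeavfk01; [x]
ZeroAccess:
C:\Windows\Installer\{4b660329-baec-b093-9845-85ce4da27f9e}
C:\Windows\Installer\{4b660329-baec-b093-9845-85ce4da27f9e}\L
ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
"""

# Constructed sample: excerpt of the Search.txt posted in this thread.
SEARCH_LOG = r"""
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6
C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9
=== End Of Search ===
"""

# "<start> <name>; <path> [<size> <date>] (<publisher>)" service/driver lines.
SERVICE_RE = re.compile(
    r'^\d+ (?P<name>[^;]+); "?(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|sys))"?.*'
    r"\[(?P<size>\d+) [\d-]+\] \((?P<company>[^)]*)\)$", re.IGNORECASE)
MISSING_RE = re.compile(r"^\d+ (?P<name>[^;]+);.*\[x\]$")        # registered, file absent
ATTENTION_RE = re.compile(r"^(?P<path>.+?) (?P<md5>[0-9A-F]{32}) .*<==== ATTENTION", re.IGNORECASE)
DETAIL_RE = re.compile(                                           # Search.txt detail line
    r"^\[[^\]]+\] - \[[^\]]+\] - (?P<size>\d+) \S+ \((?P<company>[^)]*)\) (?P<md5>[0-9A-F]{32})$",
    re.IGNORECASE)


def triage(text):
    """Pull out of an FRST.txt the items a helper looks at first."""
    found = {"zeroaccess_paths": [], "patched_files": [],
             "suspect_services": [], "missing_binaries": []}
    in_zeroaccess = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "ZeroAccess:":            # FRST's own marker for its folder artefacts
            in_zeroaccess = True
            continue
        if in_zeroaccess and line and not line.startswith("="):
            found["zeroaccess_paths"].append(line)
            continue
        in_zeroaccess = False
        m = ATTENTION_RE.match(line)         # hash not in FRST's known-good list
        if m:
            found["patched_files"].append((m["path"], m["md5"].upper()))
            continue
        m = SERVICE_RE.match(line)           # assumption: no publisher + System32 subfolder
        if m and not m["company"] and "\\windows\\system32\\" in m["path"].lower():
            found["suspect_services"].append((m["name"], m["path"]))
            continue
        m = MISSING_RE.match(line)           # entry registered but FRST found no file
        if m:
            found["missing_binaries"].append(m["name"])
    return found


def parse_search_log(text):
    """Return [(path, size, publisher, md5)] from an FRST Search.txt."""
    lines = [l.rstrip() for l in text.splitlines()]
    out = []
    for path, detail in zip(lines, lines[1:]):
        m = DETAIL_RE.match(detail)
        if m and re.match(r"^[A-Za-z]:\\", path):
            out.append((path, int(m["size"]), m["company"], m["md5"].upper()))
    return out


def hash_mismatches(text):
    """Pair each live System32 file with a same-name, same-size, same-publisher
    WinSxS copy and report a differing MD5 (the signature of an in-place patch)."""
    entries = parse_search_log(text)
    refs = [e for e in entries if "\\winsxs\\" in e[0].lower()]
    mismatches = []
    for path, size, company, md5 in entries:
        low = path.lower()
        if "\\system32\\" not in low or "\\winsxs\\" in low:
            continue
        for rpath, rsize, rcompany, rmd5 in refs:
            same_name = rpath.rsplit("\\", 1)[-1].lower() == path.rsplit("\\", 1)[-1].lower()
            if same_name and (rsize, rcompany) == (size, company) and rmd5 != md5:
                mismatches.append((path, md5, rpath, rmd5))
    return mismatches


if __name__ == "__main__":
    for key, items in triage(FRST_LOG).items():
        print(key, items)
    for live, live_md5, ref, ref_md5 in hash_mismatches(SEARCH_LOG):
        print(f"PATCHED? {live} {live_md5} != WinSxS {ref_md5}")
```

The size/timestamp match is the point of the WinSxS comparison: a legitimately updated services.exe would normally come with a new size and date and a matching servicing-stack copy, whereas a hash that differs with everything else identical is what prompted the helper to act on the file. The same comparison works against the offline Windows installation from the recovery environment, which is why the helper had the scan run from there in the first place; the infected services.exe cannot tamper with a tool that runs before it is loaded.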
 
Are you asking about staying on beyond the usual 30 seconds or so? And on which bootup method? The normal one, or other methods?
 
On regular mode, the computer takes just over a minute to boot up to the log-on screen. The computer restarts all over again after only three minutes of staying on the log-on screen. I'd have to test the stability using the other modes, but I don't believe it would be any different...
 
Download the attached fixlist.txt, please.

Place it on your flash drive in the same location as FRST.exe.

Then, boot back to FRST as instructed above, and click on the Fix button once and wait.

Once done, please post the log from it (fixlog.txt). Then, boot to Normal Mode and let me know how the computer is working.
 
Attachment: fixlist.txt (762 bytes)
Ok. Copied the file and transferred it over to the infected computer. Booted it up with the flash drive plugged in. Clicked 'Fix' and in less than a second, fixlist.txt turned into fixlog.txt. The log itself is gobbledygook, so I hope it's supposed to end up like that:

ÐÏࡱá >  þÿ   )  þÿÿÿ þÿÿÿ ( ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

I have no clue if it went off without a hitch or not.
 
Booting it up in Normal Mode: First try brings me to the Startup Repair mode again. Attempting repairs. Takes 10 minutes, then brings me to the log-on screen. I log onto the first user (there are three). A minute passes. No pop-up appears. I start to open and try programs. 10 minutes pass. I see that the status of the computer by McAfee (still installed) and MSE says that it is still 'at risk'. I click 'details' and MSE is able to detect/name the virus as
Win32/Sirefef.R Alert Level: severe Status: Active

And it recommends that I 'disinfect'. If I choose to do so, what are the possibilities? I know what it recommends, but I just wanted to make sure.
 
I chose to 'disinfect', but I am a bit leery of proceeding, and I know that there should be more to it than this so that the threat is eliminated and all traces of it are gone...
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 25-09-2012
Ran by Matt at 27-09-2012 10:26:51
Running from F:\
Service Pack 1 (X86) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.


==================== One Month Created Files and Folders ========

2012-09-26 22:55 - 2012-09-27 02:14 - 00000000 ____D C:\Users\Dad\AppData\Roaming\Audacity
2012-09-26 17:40 - 2012-09-26 17:40 - 00000000 ____D C:\Users\Default\AppData\LocalGoogle
2012-09-26 17:40 - 2012-09-26 17:40 - 00000000 ____D C:\Users\Default\AppData\Local\Google
2012-09-26 17:40 - 2012-09-26 17:40 - 00000000 ____D C:\Users\Default User\AppData\LocalGoogle
2012-09-26 17:40 - 2012-09-26 17:40 - 00000000 ____D C:\Users\Default User\AppData\Local\Google
2012-09-25 14:56 - 2012-09-27 10:26 - 00000000 ____D C:\FRST
2012-09-25 12:00 - 2012-09-25 12:00 - 00000000 ____D C:\Windows\System32\MpEngineStore
2012-09-13 01:04 - 2012-01-17 15:55 - 00028424 ____A C:\Windows\System32\Drivers\PRSBDrvr.sys
2012-09-13 00:48 - 2012-09-13 00:48 - 00295106 ____A C:\Windows\System32\PHOOKSmf2.TXT
2012-09-13 00:36 - 2012-09-27 10:26 - 00538176 ____A C:\Windows\System32\PHOOKSmf.txt
2012-09-13 00:35 - 2012-09-27 10:26 - 00000000 ____D C:\Windows\System32\DBBK
2012-09-13 00:35 - 2012-03-22 11:17 - 00225664 ____A C:\Windows\System32\Drivers\DasBootS.SYS
2012-09-13 00:35 - 2012-01-17 15:55 - 00059272 ____A C:\Windows\System32\Drivers\DasBootF.SYS
2012-09-13 00:35 - 2012-01-17 15:55 - 00027528 ____A C:\Windows\System32\Drivers\DasBootK.SYS
2012-09-13 00:35 - 2012-01-17 15:55 - 00020744 ____A C:\Windows\System32\Drivers\DasBoot.SYS
2012-09-13 00:35 - 2012-01-17 15:55 - 00009096 ____A C:\Windows\System32\Drivers\DasBootI.SYS
2012-09-13 00:35 - 2012-01-17 15:55 - 00009096 ____A C:\Windows\System32\Drivers\DasBootE.SYS
2012-09-13 00:35 - 2010-05-03 20:37 - 00003072 ____A C:\Windows\System32\Drivers\DasBootD.SYS
2012-09-13 00:14 - 2012-09-13 00:14 - 00000000 ____D C:\Users\Matt2\AppData\Roaming\Apple Computer
2012-09-13 00:12 - 2012-09-13 00:12 - 00000000 ____D C:\Users\Matt2\AppData\LocalGoogle
2012-09-13 00:08 - 2012-09-13 00:08 - 00000000 ____D C:\Users\Dad\AppData\Local\Apple Computer
2012-09-12 23:19 - 2012-09-12 23:19 - 00001945 ____A C:\Windows\epplauncher.mif
2012-09-12 23:17 - 2012-09-12 23:17 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-09-12 23:15 - 2012-09-12 23:15 - 10288512 ____A (Microsoft Corporation) C:\Users\Matt\Downloads\mseinstall.exe
2012-08-28 17:32 - 2012-08-28 17:32 - 00000000 ____D C:\Users\Dad\AppData\Local\Apple
2012-08-28 17:05 - 2012-09-26 23:04 - 00000000 ____D C:\Users\Dad\AppData\Roaming\Apple Computer
2012-08-28 17:05 - 2012-08-28 17:05 - 00000000 ____D C:\Users\Dad\AppData\LocalGoogle
2012-08-28 01:24 - 2012-08-28 01:25 - 00000000 ____D C:\Users\Matt\AppData\Local\{5B84F374-2118-4994-8EB8-AC7228000162}

==================== 3 Months Modified Files ==================

2012-09-27 10:26 - 2012-09-13 00:36 - 00538176 ____A C:\Windows\System32\PHOOKSmf.txt
2012-09-27 10:10 - 2009-07-13 23:34 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-27 10:10 - 2009-07-13 23:34 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-27 10:08 - 2012-07-22 14:06 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-27 10:01 - 2012-08-12 22:25 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-09-27 10:00 - 2009-07-13 23:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-27 10:00 - 2009-07-13 23:39 - 00073256 ____A C:\Windows\setupact.log
2012-09-27 04:26 - 2011-05-19 18:57 - 00000000 ____A C:\Windows\System32\Access.dat
2012-09-27 03:40 - 2012-08-12 22:25 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-09-27 02:32 - 2011-05-15 17:29 - 00001828 ____A C:\Users\Public\Desktop\McAfee Total Protection.lnk
2012-09-26 18:08 - 2012-04-23 16:27 - 00696240 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-09-26 18:08 - 2011-05-15 14:41 - 00073136 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-09-26 17:36 - 2011-05-15 17:23 - 01946527 ____A C:\Windows\WindowsUpdate.log
2012-09-23 22:46 - 2009-07-13 23:53 - 00032550 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-09-13 00:55 - 2011-05-16 06:31 - 00089590 ____A C:\Windows\PFRO.log
2012-09-13 00:48 - 2012-09-13 00:48 - 00295106 ____A C:\Windows\System32\PHOOKSmf2.TXT
2012-09-13 00:33 - 2011-05-15 15:42 - 00729514 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-13 00:12 - 2011-11-21 15:03 - 00000632 _RASH C:\Users\Matt2\ntuser.pol
2012-09-12 23:19 - 2012-09-12 23:19 - 00001945 ____A C:\Windows\epplauncher.mif
2012-09-12 23:15 - 2012-09-12 23:15 - 10288512 ____A (Microsoft Corporation) C:\Users\Matt\Downloads\mseinstall.exe
2012-08-16 13:27 - 2009-07-13 23:33 - 00295408 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-15 01:26 - 2011-05-29 23:49 - 59884088 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-08-12 22:28 - 2012-08-12 22:28 - 00001644 ____A C:\Users\Matt\Desktop\Google Drive.lnk
2012-08-12 22:24 - 2012-08-12 22:24 - 00740104 ____A (Google Inc.) C:\Users\Matt\Downloads\googledrivesync.exe
2012-07-18 12:47 - 2012-08-14 23:24 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-06 20:42 - 2012-07-06 20:42 - 00000000 ____A C:\extensions.sqlite
2012-07-04 16:16 - 2012-08-14 23:24 - 00057344 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 16:14 - 2012-08-14 23:24 - 00102912 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 16:14 - 2012-08-14 23:24 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll

ZeroAccess:
C:\Windows\Installer\{4b660329-baec-b093-9845-85ce4da27f9e}
C:\Windows\Installer\{4b660329-baec-b093-9845-85ce4da27f9e}\L
C:\Windows\Installer\{4b660329-baec-b093-9845-85ce4da27f9e}\n
C:\Windows\Installer\{4b660329-baec-b093-9845-85ce4da27f9e}\U
C:\Windows\Installer\{4b660329-baec-b093-9845-85ce4da27f9e}\L\00000004.@

ZeroAccess:
C:\Users\Matt\AppData\Local\{4b660329-baec-b093-9845-85ce4da27f9e}
C:\Users\Matt\AppData\Local\{4b660329-baec-b093-9845-85ce4da27f9e}\@
C:\Users\Matt\AppData\Local\{4b660329-baec-b093-9845-85ce4da27f9e}\L
C:\Users\Matt\AppData\Local\{4b660329-baec-b093-9845-85ce4da27f9e}\U

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Memory info ===========================

Percentage of memory in use: 53%
Total physical RAM: 2045.79 MB
Available physical RAM: 952.03 MB
Total Pagefile: 4091.58 MB
Available Pagefile: 2486.43 MB
Total Virtual: 2047.88 MB
Available Virtual: 1912.62 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:298.08 GB) (Free:15.74 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
4 Drive f: (MATT THM DR) (Removable) (Total:1.86 GB) (Free:1.83 GB) FAT

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 9 MB
Disk 1 No Media 0 B 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 Online 1907 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 298 GB 31 KB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 298 GB Healthy System (partition with boot components)

=========================================================

Partitions of Disk 5:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1907 MB 64 KB

=========================================================

Disk: 5
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 7 F MATT THM DR FAT Removable 1907 MB Healthy

=========================================================

Last Boot: 2012-09-26 18:28

==================== End Of Log ============================
 
ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.
Please run this from the Recovery Environment like earlier:

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
 
Right. My mistake. Here is the log run in Recovery Environment.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 25-09-2012
Ran by SYSTEM at 27-09-2012 11:52:03
Running from F:\
Windows 7 Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [169312 2008-07-21] (Maxtor Corporation)
HKLM\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1271968 2012-06-21] (McAfee, Inc.)
HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [61440 2009-09-29] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [10029672 2011-03-28] (Realtek Semiconductor)
HKLM\...\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [210472 2006-10-25] (Nuance Communications, Inc.)
HKLM\...\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [29984 2008-07-09] (Nuance Communications, Inc.)
HKLM\...\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [46368 2008-07-09] (Nuance Communications, Inc.)
HKLM\...\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini" [345 2012-09-27] ()
HKLM\...\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN [1159168 2009-05-26] (Brother Industries, Ltd.)
HKLM\...\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun [114688 2008-12-24] (Brother Industries, Ltd.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [1821576 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\Dad\...\Policies\system: [LogonHoursAction] 2
HKU\Dad\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Matt\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\Matt\...\Run: [Epson Stylus NX510(Network)] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIFIA.EXE /FU "C:\Windows\TEMP\E_S4871.tmp" /EF "HKCU" [199680 2009-11-04] (SEIKO EPSON CORPORATION)
HKU\Matt\...\Run: [SansaDispatch] C:\Users\Matt\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe [79872 2011-12-13] (SanDisk Corporation)
HKU\Matt\...\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" /MINIMIZED [896912 2012-09-26] (BitTorrent, Inc.)
HKU\Matt\...\Run: [GoogleDriveSync] "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart [15668432 2012-09-06] (Google)
HKU\Matt\...\Run: [RESTART_STICKY_NOTES] C:\Windows\system32\StikyNot.exe [354304 2009-07-13] (Microsoft Corporation)
HKU\Matt\...\Policies\system: [LogonHoursAction] 2
HKU\Matt\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Matt2\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [354304 2009-07-13] (Microsoft Corporation)
HKU\Matt2\...\Policies\system: [LogonHoursAction] 2
HKU\Matt2\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Startup: C:\Users\All Users\Start Menu\Programs\Startup\SATARaid5Manager.lnk
ShortcutTarget: SATARaid5Manager.lnk -> C:\Windows\Installer\{2ABC904F-6915-40AC-8CF8-B48743698CEC}\_4E324AB483CECB59D49F7F.exe ()
Startup: C:\Users\Matt\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

==================== Services (Whitelisted) ===================

2 EpsonBidirectionalService; C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe [94208 2006-12-19] (SEIKO EPSON CORPORATION)
2 Maxtor Sync Service; "C:\Program Files\Maxtor\Sync\SyncServices.exe" [193888 2008-07-21] (Seagate Technology LLC)
2 McAfee SiteAdvisor Service; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [168280 2012-05-11] (McAfee, Inc.)
2 McMPFSvc; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [168280 2012-05-11] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [168280 2012-05-11] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [168280 2012-05-11] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [168280 2012-05-11] (McAfee, Inc.)
3 McODS; "C:\Program Files\McAfee\VirusScan\mcods.exe" [279584 2012-07-12] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [168280 2012-05-11] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [200816 2012-06-22] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [168368 2012-06-22] (McAfee, Inc.)
2 mfevtp; "C:\Windows\system32\mfevtps.exe" [166320 2012-06-22] (McAfee, Inc.)
2 MOBKbackup; "C:\Program Files\McAfee Online Backup\MOBKbackup.exe" [229688 2010-04-13] (McAfee, Inc.)
2 MSK80Service; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [168280 2012-05-11] (McAfee, Inc.)
2 SATARaid5 Config Service; "C:\Program Files\Silicon Image\3132-W-R\SATARaid5ConfigService.exe" [131072 2005-10-05] ()
2 svcboot_shvuszrb; C:\Windows\system32\crbadmvnc\svcboot_shvuszrb.dll [249727 2011-07-09] ()
2 TunngleService; C:\Program Files\Tunngle\TnglCtrl.exe [718072 2010-11-22] (Tunngle.net GmbH)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

==================== Drivers (Whitelisted) ====================

3 cfwids; C:\Windows\System32\drivers\cfwids.sys [60480 2012-06-22] (McAfee, Inc.)
0 DasBoot; C:\Windows\system32\drivers\DasBoot.SYS [20744 2012-01-17] ()
0 DasBootF; C:\Windows\system32\drivers\DasBootF.SYS [59272 2012-01-17] ()
3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [146872 2012-04-20] (McAfee, Inc.)
3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [127992 2012-06-22] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [230224 2012-06-22] (McAfee, Inc.)
3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [61912 2012-06-22] (McAfee, Inc.)
3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [360792 2012-06-22] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [554048 2012-06-22] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [92192 2012-06-22] (McAfee, Inc.)
0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [206784 2012-06-22] (McAfee, Inc.)
1 MOBKFilter; C:\Windows\System32\DRIVERS\MOBK.sys [54776 2010-04-13] (Mozy, Inc.)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 PRSBDrvr; C:\Windows\System32\DRIVERS\PRSBDrvr.sys [28424 2012-01-17] ()
0 Si3132r5; C:\Windows\System32\DRIVERS\Si3132r5.sys [217128 2008-10-29] (Silicon Image, Inc)
0 SiFilter; C:\Windows\System32\DRIVERS\SiWinAcc.sys [17064 2008-10-29] (Silicon Image, Inc.)
0 SiRemFil; C:\Windows\System32\DRIVERS\SiRemFil.sys [12200 2008-10-29] (Silicon Image, Inc.)
3 tap0901t; C:\Windows\System32\DRIVERS\tap0901t.sys [27136 2009-09-16] (Tunngle.net)
3 YMIDUSBW; C:\Windows\System32\drivers\ymidusbw.sys [34280 2011-01-31] (Yamaha Corporation)
1 gfcgigqd; \??\C:\Windows\system32\drivers\gfcgigqd.sys [x]
3 mfeavfk01; [x]
1 MpKsl00f7e486; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{25DB002E-BFFA-4927-BF54-48BB0A3D4CB7}\MpKsl00f7e486.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-09-26 19:55 - 2012-09-26 23:14 - 00000000 ____D C:\Users\Dad\AppData\Roaming\Audacity
2012-09-26 14:40 - 2012-09-26 14:40 - 00000000 ____D C:\Users\Default\AppData\LocalGoogle
2012-09-26 14:40 - 2012-09-26 14:40 - 00000000 ____D C:\Users\Default\AppData\Local\Google
2012-09-26 14:40 - 2012-09-26 14:40 - 00000000 ____D C:\Users\Default User\AppData\LocalGoogle
2012-09-26 14:40 - 2012-09-26 14:40 - 00000000 ____D C:\Users\Default User\AppData\Local\Google
2012-09-25 11:56 - 2012-09-27 07:26 - 00000000 ____D C:\FRST
2012-09-25 09:00 - 2012-09-25 09:00 - 00000000 ____D C:\Windows\System32\MpEngineStore
2012-09-12 22:04 - 2012-01-17 12:55 - 00028424 ____A C:\Windows\System32\Drivers\PRSBDrvr.sys
2012-09-12 21:48 - 2012-09-12 21:48 - 00295106 ____A C:\Windows\System32\PHOOKSmf2.TXT
2012-09-12 21:36 - 2012-09-27 08:48 - 00607326 ____A C:\Windows\System32\PHOOKSmf.txt
2012-09-12 21:35 - 2012-09-27 08:48 - 00000000 ____D C:\Windows\System32\DBBK
2012-09-12 21:35 - 2012-03-22 08:17 - 00225664 ____A C:\Windows\System32\Drivers\DasBootS.SYS
2012-09-12 21:35 - 2012-01-17 12:55 - 00059272 ____A C:\Windows\System32\Drivers\DasBootF.SYS
2012-09-12 21:35 - 2012-01-17 12:55 - 00027528 ____A C:\Windows\System32\Drivers\DasBootK.SYS
2012-09-12 21:35 - 2012-01-17 12:55 - 00020744 ____A C:\Windows\System32\Drivers\DasBoot.SYS
2012-09-12 21:35 - 2012-01-17 12:55 - 00009096 ____A C:\Windows\System32\Drivers\DasBootI.SYS
2012-09-12 21:35 - 2012-01-17 12:55 - 00009096 ____A C:\Windows\System32\Drivers\DasBootE.SYS
2012-09-12 21:35 - 2010-05-03 17:37 - 00003072 ____A C:\Windows\System32\Drivers\DasBootD.SYS
2012-09-12 21:14 - 2012-09-12 21:14 - 00000000 ____D C:\Users\Matt2\AppData\Roaming\Apple Computer
2012-09-12 21:12 - 2012-09-12 21:12 - 00000000 ____D C:\Users\Matt2\AppData\LocalGoogle
2012-09-12 21:08 - 2012-09-12 21:08 - 00000000 ____D C:\Users\Dad\AppData\Local\Apple Computer
2012-09-12 20:19 - 2012-09-12 20:19 - 00001945 ____A C:\Windows\epplauncher.mif
2012-09-12 20:17 - 2012-09-12 20:17 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-09-12 20:15 - 2012-09-12 20:15 - 10288512 ____A (Microsoft Corporation) C:\Users\Matt\Downloads\mseinstall.exe
2012-08-28 14:32 - 2012-08-28 14:32 - 00000000 ____D C:\Users\Dad\AppData\Local\Apple
2012-08-28 14:05 - 2012-09-26 20:04 - 00000000 ____D C:\Users\Dad\AppData\Roaming\Apple Computer
2012-08-28 14:05 - 2012-08-28 14:05 - 00000000 ____D C:\Users\Dad\AppData\LocalGoogle

==================== 3 Months Modified Files ==================

2012-09-27 08:48 - 2012-09-12 21:36 - 00607326 ____A C:\Windows\System32\PHOOKSmf.txt
2012-09-27 08:48 - 2011-05-19 15:57 - 00000000 ____A C:\Windows\System32\Access.dat
2012-09-27 08:40 - 2012-08-12 19:25 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-09-27 08:08 - 2012-07-22 11:06 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-27 07:28 - 2011-05-15 12:42 - 00729514 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-27 07:10 - 2009-07-13 20:34 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-27 07:10 - 2009-07-13 20:34 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-27 07:01 - 2012-08-12 19:25 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-09-27 07:00 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-27 07:00 - 2009-07-13 20:39 - 00073256 ____A C:\Windows\setupact.log
2012-09-26 23:32 - 2011-05-15 14:29 - 00001828 ____A C:\Users\Public\Desktop\McAfee Total Protection.lnk
2012-09-26 15:08 - 2012-04-23 13:27 - 00696240 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-09-26 15:08 - 2011-05-15 11:41 - 00073136 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-09-26 14:36 - 2011-05-15 14:23 - 01946527 ____A C:\Windows\WindowsUpdate.log
2012-09-23 19:46 - 2009-07-13 20:53 - 00032550 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-09-12 21:55 - 2011-05-16 03:31 - 00089590 ____A C:\Windows\PFRO.log
2012-09-12 21:48 - 2012-09-12 21:48 - 00295106 ____A C:\Windows\System32\PHOOKSmf2.TXT
2012-09-12 21:12 - 2011-11-21 12:03 - 00000632 _RASH C:\Users\Matt2\ntuser.pol
2012-09-12 20:19 - 2012-09-12 20:19 - 00001945 ____A C:\Windows\epplauncher.mif
2012-09-12 20:15 - 2012-09-12 20:15 - 10288512 ____A (Microsoft Corporation) C:\Users\Matt\Downloads\mseinstall.exe
2012-08-16 10:27 - 2009-07-13 20:33 - 00295408 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-14 22:26 - 2011-05-29 20:49 - 59884088 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-08-12 19:28 - 2012-08-12 19:28 - 00001644 ____A C:\Users\Matt\Desktop\Google Drive.lnk
2012-08-12 19:24 - 2012-08-12 19:24 - 00740104 ____A (Google Inc.) C:\Users\Matt\Downloads\googledrivesync.exe
2012-07-18 09:47 - 2012-08-14 20:24 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-06 17:42 - 2012-07-06 17:42 - 00000000 ____A C:\extensions.sqlite
2012-07-04 13:16 - 2012-08-14 20:24 - 00057344 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 13:14 - 2012-08-14 20:24 - 00102912 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 13:14 - 2012-08-14 20:24 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll

ZeroAccess:
C:\Windows\Installer\{4b660329-baec-b093-9845-85ce4da27f9e}
C:\Windows\Installer\{4b660329-baec-b093-9845-85ce4da27f9e}\L
C:\Windows\Installer\{4b660329-baec-b093-9845-85ce4da27f9e}\n
C:\Windows\Installer\{4b660329-baec-b093-9845-85ce4da27f9e}\U
C:\Windows\Installer\{4b660329-baec-b093-9845-85ce4da27f9e}\L\00000004.@

ZeroAccess:
C:\Users\Matt\AppData\Local\{4b660329-baec-b093-9845-85ce4da27f9e}
C:\Users\Matt\AppData\Local\{4b660329-baec-b093-9845-85ce4da27f9e}\@
C:\Users\Matt\AppData\Local\{4b660329-baec-b093-9845-85ce4da27f9e}\L
C:\Users\Matt\AppData\Local\{4b660329-baec-b093-9845-85ce4da27f9e}\U

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 19%
Total physical RAM: 2045.79 MB
Available physical RAM: 1654.27 MB
Total Pagefile: 2045.79 MB
Available Pagefile: 1657.13 MB
Total Virtual: 2047.88 MB
Available Virtual: 1957.61 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:298.08 GB) (Free:15.58 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
4 Drive f: (MATT THM DR) (Removable) (Total:1.86 GB) (Free:1.83 GB) FAT
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 9 MB
Disk 1 Online 1907 MB 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 298 GB 31 KB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 298 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1907 MB 64 KB

=========================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F MATT THM DR FAT Removable 1907 MB Healthy

=========================================================

Last Boot: 2012-09-26 15:28

==================== End Of Log ============================
 
It's okay. Just want to make sure we get an accurate log...

Download attached fixlist.txt and do just like before, but replace the old fixlist.txt on the flash drive.

Once done, post fixlog.txt, please.
 

Attachments:
  • fixlist.txt (552 bytes)
Looks like it worked! Here's the log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 25-09-2012
Ran by SYSTEM at 2012-09-29 14:16:59 Run:3
Running from F:\

==============================================

gfcgigqd service deleted successfully.
mfeavfk01 service not found.
HKEY_USERS\Matt\Software\Microsoft\Windows\CurrentVersion\Policies\system\\LogonHoursAction Value deleted successfully.
HKEY_USERS\Matt\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DontDisplayLogonHoursWarnings Value deleted successfully.
HKEY_USERS\Matt2\Software\Microsoft\Windows\CurrentVersion\Policies\system\\LogonHoursAction Value deleted successfully.
HKEY_USERS\Matt2\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DontDisplayLogonHoursWarnings Value deleted successfully.
svcboot_shvuszrb service deleted successfully.
C:\Windows\Installer\{4b660329-baec-b093-9845-85ce4da27f9e} moved successfully.
C:\Users\Matt\AppData\Local\{4b660329-baec-b093-9845-85ce4da27f9e} moved successfully.

==== End of Fixlog ====

And unlike last time, this one is actually legible. I will run one more scan...
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 25-09-2012
Ran by SYSTEM at 29-09-2012 14:28:12
Running from J:\
Windows 7 Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [169312 2008-07-21] (Maxtor Corporation)
HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [61440 2009-09-29] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [10029672 2011-03-28] (Realtek Semiconductor)
HKLM\...\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [210472 2006-10-25] (Nuance Communications, Inc.)
HKLM\...\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [29984 2008-07-09] (Nuance Communications, Inc.)
HKLM\...\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [46368 2008-07-09] (Nuance Communications, Inc.)
HKLM\...\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini" [345 2012-09-29] ()
HKLM\...\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN [1159168 2009-05-26] (Brother Industries, Ltd.)
HKLM\...\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun [114688 2008-12-24] (Brother Industries, Ltd.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [1821576 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\Dad\...\Policies\system: [LogonHoursAction] 2
HKU\Dad\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Matt\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\Matt\...\Run: [Epson Stylus NX510(Network)] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIFIA.EXE /FU "C:\Windows\TEMP\E_S4871.tmp" /EF "HKCU" [199680 2009-11-04] (SEIKO EPSON CORPORATION)
HKU\Matt\...\Run: [SansaDispatch] C:\Users\Matt\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe [79872 2011-12-13] (SanDisk Corporation)
HKU\Matt\...\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" /MINIMIZED [896912 2012-09-26] (BitTorrent, Inc.)
HKU\Matt\...\Run: [GoogleDriveSync] "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart [15668432 2012-09-06] (Google)
HKU\Matt\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [354304 2009-07-13] (Microsoft Corporation)
HKU\Matt2\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [354304 2009-07-13] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Startup: C:\Users\All Users\Start Menu\Programs\Startup\SATARaid5Manager.lnk
ShortcutTarget: SATARaid5Manager.lnk -> C:\Windows\Installer\{2ABC904F-6915-40AC-8CF8-B48743698CEC}\_4E324AB483CECB59D49F7F.exe ()
Startup: C:\Users\Matt\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

==================== Services (Whitelisted) ===================

2 EpsonBidirectionalService; C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe [94208 2006-12-19] (SEIKO EPSON CORPORATION)
2 Maxtor Sync Service; "C:\Program Files\Maxtor\Sync\SyncServices.exe" [193888 2008-07-21] (Seagate Technology LLC)
2 SATARaid5 Config Service; "C:\Program Files\Silicon Image\3132-W-R\SATARaid5ConfigService.exe" [131072 2005-10-05] ()
4 McMPFSvc; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [x]
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

==================== Drivers (Whitelisted) ====================

0 DasBoot; C:\Windows\system32\drivers\DasBoot.SYS [20744 2012-01-17] ()
0 DasBootF; C:\Windows\system32\drivers\DasBootF.SYS [59272 2012-01-17] ()
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 PRSBDrvr; C:\Windows\System32\DRIVERS\PRSBDrvr.sys [28424 2012-01-17] ()
0 Si3132r5; C:\Windows\System32\DRIVERS\Si3132r5.sys [217128 2008-10-29] (Silicon Image, Inc)
0 SiFilter; C:\Windows\System32\DRIVERS\SiWinAcc.sys [17064 2008-10-29] (Silicon Image, Inc.)
0 SiRemFil; C:\Windows\System32\DRIVERS\SiRemFil.sys [12200 2008-10-29] (Silicon Image, Inc.)
3 YMIDUSBW; C:\Windows\System32\drivers\ymidusbw.sys [34280 2011-01-31] (Yamaha Corporation)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-09-26 19:55 - 2012-09-26 23:14 - 00000000 ____D C:\Users\Dad\AppData\Roaming\Audacity
2012-09-26 14:40 - 2012-09-26 14:40 - 00000000 ____D C:\Users\Default\AppData\LocalGoogle
2012-09-26 14:40 - 2012-09-26 14:40 - 00000000 ____D C:\Users\Default\AppData\Local\Google
2012-09-26 14:40 - 2012-09-26 14:40 - 00000000 ____D C:\Users\Default User\AppData\LocalGoogle
2012-09-26 14:40 - 2012-09-26 14:40 - 00000000 ____D C:\Users\Default User\AppData\Local\Google
2012-09-25 11:56 - 2012-09-27 07:26 - 00000000 ____D C:\FRST
2012-09-25 09:00 - 2012-09-25 09:00 - 00000000 ____D C:\Windows\System32\MpEngineStore
2012-09-12 22:04 - 2012-01-17 12:55 - 00028424 ____A C:\Windows\System32\Drivers\PRSBDrvr.sys
2012-09-12 21:48 - 2012-09-12 21:48 - 00295106 ____A C:\Windows\System32\PHOOKSmf2.TXT
2012-09-12 21:36 - 2012-09-29 11:25 - 00431434 ____A C:\Windows\System32\PHOOKSmf.txt
2012-09-12 21:35 - 2012-09-29 11:08 - 00000000 ____D C:\Windows\System32\DBBK
2012-09-12 21:35 - 2012-03-22 08:17 - 00225664 ____A C:\Windows\System32\Drivers\DasBootS.SYS
2012-09-12 21:35 - 2012-01-17 12:55 - 00059272 ____A C:\Windows\System32\Drivers\DasBootF.SYS
2012-09-12 21:35 - 2012-01-17 12:55 - 00027528 ____A C:\Windows\System32\Drivers\DasBootK.SYS
2012-09-12 21:35 - 2012-01-17 12:55 - 00020744 ____A C:\Windows\System32\Drivers\DasBoot.SYS
2012-09-12 21:35 - 2012-01-17 12:55 - 00009096 ____A C:\Windows\System32\Drivers\DasBootI.SYS
2012-09-12 21:35 - 2012-01-17 12:55 - 00009096 ____A C:\Windows\System32\Drivers\DasBootE.SYS
2012-09-12 21:35 - 2010-05-03 17:37 - 00003072 ____A C:\Windows\System32\Drivers\DasBootD.SYS
2012-09-12 21:14 - 2012-09-12 21:14 - 00000000 ____D C:\Users\Matt2\AppData\Roaming\Apple Computer
2012-09-12 21:12 - 2012-09-12 21:12 - 00000000 ____D C:\Users\Matt2\AppData\LocalGoogle
2012-09-12 21:08 - 2012-09-12 21:08 - 00000000 ____D C:\Users\Dad\AppData\Local\Apple Computer
2012-09-12 20:19 - 2012-09-12 20:19 - 00001945 ____A C:\Windows\epplauncher.mif
2012-09-12 20:17 - 2012-09-12 20:17 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-09-12 20:15 - 2012-09-12 20:15 - 10288512 ____A (Microsoft Corporation) C:\Users\Matt\Downloads\mseinstall.exe

==================== 3 Months Modified Files ==================

2012-09-29 11:25 - 2012-09-12 21:36 - 00431434 ____A C:\Windows\System32\PHOOKSmf.txt
2012-09-29 11:25 - 2011-05-15 12:42 - 00729514 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-29 11:25 - 2009-07-13 20:34 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-29 11:25 - 2009-07-13 20:34 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-29 11:18 - 2012-08-12 19:25 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-09-29 11:18 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-29 11:18 - 2009-07-13 20:39 - 00073648 ____A C:\Windows\setupact.log
2012-09-29 11:08 - 2012-07-22 11:06 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-29 10:52 - 2011-05-15 14:23 - 01951964 ____A C:\Windows\WindowsUpdate.log
2012-09-29 10:43 - 2012-08-12 19:25 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-09-28 13:46 - 2011-05-16 03:31 - 00092718 ____A C:\Windows\PFRO.log
2012-09-28 09:37 - 2011-05-15 14:11 - 00064552 ____A C:\Users\Matt\AppData\Local\GDIPFONTCACHEV1.DAT
2012-09-28 09:34 - 2009-07-13 20:33 - 00294712 ____A C:\Windows\System32\FNTCACHE.DAT
2012-09-27 22:12 - 2011-05-19 15:57 - 00000000 ____A C:\Windows\System32\Access.dat
2012-09-26 15:08 - 2012-04-23 13:27 - 00696240 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-09-26 15:08 - 2011-05-15 11:41 - 00073136 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-09-23 19:46 - 2009-07-13 20:53 - 00032550 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-09-12 21:48 - 2012-09-12 21:48 - 00295106 ____A C:\Windows\System32\PHOOKSmf2.TXT
2012-09-12 21:12 - 2011-11-21 12:03 - 00000632 _RASH C:\Users\Matt2\ntuser.pol
2012-09-12 20:19 - 2012-09-12 20:19 - 00001945 ____A C:\Windows\epplauncher.mif
2012-09-12 20:15 - 2012-09-12 20:15 - 10288512 ____A (Microsoft Corporation) C:\Users\Matt\Downloads\mseinstall.exe
2012-08-14 22:26 - 2011-05-29 20:49 - 59884088 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-08-12 19:28 - 2012-08-12 19:28 - 00001644 ____A C:\Users\Matt\Desktop\Google Drive.lnk
2012-08-12 19:24 - 2012-08-12 19:24 - 00740104 ____A (Google Inc.) C:\Users\Matt\Downloads\googledrivesync.exe
2012-07-18 09:47 - 2012-08-14 20:24 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-06 17:42 - 2012-07-06 17:42 - 00000000 ____A C:\extensions.sqlite
2012-07-04 13:16 - 2012-08-14 20:24 - 00057344 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 13:14 - 2012-08-14 20:24 - 00102912 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 13:14 - 2012-08-14 20:24 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-27 22:14:09
Restore point made on: 2012-09-27 22:14:55
Restore point made on: 2012-09-27 22:15:57
Restore point made on: 2012-09-27 22:18:52

==================== Memory info ===========================

Percentage of memory in use: 19%
Total physical RAM: 2045.79 MB
Available physical RAM: 1653.85 MB
Total Pagefile: 2045.79 MB
Available Pagefile: 1653.84 MB
Total Virtual: 2047.88 MB
Available Virtual: 1957.61 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:298.08 GB) (Free:25.14 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (TPRTS) (CDROM) (Total:0.54 GB) (Free:0 GB) CDFS
8 Drive j: (MATT THM DR) (Removable) (Total:1.86 GB) (Free:1.83 GB) FAT
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 9 MB
Disk 1 No Media 0 B 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 Online 1907 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 298 GB 31 KB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 298 GB Healthy

=========================================================

Partitions of Disk 5:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1907 MB 64 KB

=========================================================

Disk: 5
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 7 J MATT THM DR FAT Removable 1907 MB Healthy

=========================================================

Last Boot: 2012-09-26 15:28

==================== End Of Log ============================

Any further action required?
 
ComboFix

Please download ComboFix
by sUBs
From BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again and rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of important system processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
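The rename trick above works because the malware whitelists by image name only, which is the same reason defenders check the opposite: a system process name running from a directory where that binary does not belong. The following Python is an added example (not part of this thread, ComboFix or FRST) that flags such process-name masquerading. The expected directories are the standard Windows 7 32-bit locations, and the sample process list is constructed from paths in this thread's logs plus the renamed ComboFix copy the instructions create; note that a cleaner renamed to svchost.exe on the Desktop will itself trip this check, which is one reason to delete the renamed copy once the fix is done.

```python
"""Flag processes whose image name matches a protected Windows system binary
but whose directory is not where that binary legitimately lives.

Added example; the directory table is an assumption for Windows 7 32-bit and
the sample list below is constructed for illustration.
"""
from __future__ import annotations
import ntpath

# Directories in which each protected system binary is expected to run.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "conhost.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "iexplore.exe": {r"c:\program files\internet explorer"},
}


def normalize(path: str) -> str:
    """Lower-case and use backslashes so comparisons are case/slash insensitive."""
    return path.strip().replace("/", "\\").lower()


def check_process(path: str) -> tuple[str, str]:
    """Classify one full image path.

    Returns (verdict, reason) where verdict is 'ok', 'masquerade' or 'unknown'.
    'unknown' means the name is not one we protect, so no judgement is made.
    """
    directory, name = ntpath.split(normalize(path))
    if name not in EXPECTED_DIRS:
        return "unknown", "not a protected system process name"
    if directory in EXPECTED_DIRS[name]:
        return "ok", f"{name} runs from its expected directory"
    expected = ", ".join(sorted(EXPECTED_DIRS[name]))
    return "masquerade", f"{name} running from {directory}, expected {expected}"


def triage(paths):
    """Return only the masquerading entries as (path, reason) pairs, in input order."""
    hits = []
    for path in paths:
        verdict, reason = check_process(path)
        if verdict == "masquerade":
            hits.append((path, reason))
    return hits


# Constructed sample: legit paths seen in the thread's logs, the renamed ComboFix
# copy the instructions create, and one constructed Temp-folder impostor.
SAMPLE_PROCESSES = [
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\winlogon.exe",
    r"c:\windows\system32\conhost.exe",
    r"c:\users\Matt\Desktop\svchost.exe",               # ComboFix renamed per the instructions
    r"c:\users\Matt\AppData\Local\Temp\explorer.exe",   # constructed impostor
    r"c:\program files\Bonjour\mDNSResponder.exe",      # not a protected name -> unknown
]

if __name__ == "__main__":
    for hit_path, hit_reason in triage(SAMPLE_PROCESSES):
        print(f"[!] {hit_path}: {hit_reason}")
```

Run against a real process list (for example the image paths from a ComboFix "Other Running Processes" section, or `wmic process get ExecutablePath`) the same `triage` call separates the two masquerading entries from the legitimate ones; an `unknown` verdict is deliberately not treated as suspicious, since the table only covers names that malware and cleaners alike borrow.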
 
I have been supremely busy for last few days. I will be even more busy today. I will run the ComboFix program first thing tomorrow.
 
Actually, I didn't get a finished scan until today. I attempted to run one Thursday last week, but it never completed, possibly because MSE was interfering. Anyway, here it is:

ComboFix 12-10-09.01 - Matt 10/09/2012 16:43:12.2.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2046.1234 [GMT -5:00]
Running from: c:\users\Matt\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\users\Matt\AppData\Local\Temp\_MEI26722\_ctypes.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\_elementtree.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\_hashlib.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\_socket.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\_ssl.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\pyexpat.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\pysqlite2._sqlite.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\python26.dll
c:\users\Matt\AppData\Local\Temp\_MEI26722\pythoncom26.dll
c:\users\Matt\AppData\Local\Temp\_MEI26722\pywintypes26.dll
c:\users\Matt\AppData\Local\Temp\_MEI26722\select.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\unicodedata.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\win32api.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\win32com.shell.shell.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\win32crypt.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\win32event.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\win32file.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\win32inet.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\win32pdh.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\win32process.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\win32security.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\windows._cacheinvalidation.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\wx._controls_.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\wx._core_.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\wx._gdi_.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\wx._html2.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\wx._misc_.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\wx._windows_.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\wx._wizard.pyd
c:\users\Matt\AppData\Local\Temp\_MEI26722\wxbase293u_net_vc.dll
c:\users\Matt\AppData\Local\Temp\_MEI26722\wxbase293u_vc.dll
c:\users\Matt\AppData\Local\Temp\_MEI26722\wxmsw293u_adv_vc.dll
c:\users\Matt\AppData\Local\Temp\_MEI26722\wxmsw293u_core_vc.dll
c:\users\Matt\AppData\Local\Temp\_MEI26722\wxmsw293u_html_vc.dll
c:\users\Matt\AppData\Local\Temp\_MEI26722\wxmsw293u_webview_vc.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-09-09 to 2012-10-09 )))))))))))))))))))))))))))))))
.
.
2012-10-09 21:56 . 2012-10-09 21:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-10-09 21:56 . 2012-10-09 21:56 -------- d-----w- c:\users\Dad\AppData\Local\temp
2012-10-09 21:56 . 2012-10-09 21:56 -------- d-----w- c:\users\Matt2\AppData\Local\temp
2012-10-09 21:29 . 2012-10-09 21:29 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{57E34F42-FEEE-49B2-9B87-5A7AE4447CBF}\MpKsl68428d03.sys
2012-10-09 21:26 . 2012-10-09 21:58 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{57E34F42-FEEE-49B2-9B87-5A7AE4447CBF}\offreg.dll
2012-10-09 01:55 . 2012-08-30 08:17 6980552 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{57E34F42-FEEE-49B2-9B87-5A7AE4447CBF}\mpengine.dll
2012-10-08 00:27 . 2012-08-30 08:17 6980552 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-10-05 17:20 . 2012-10-02 16:55 740784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F219BDB8-5EDD-4694-8AE1-4971D7255CF7}\gapaengine.dll
2012-10-02 16:56 . 2012-10-02 16:55 740784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-10-01 15:53 . 2012-08-22 17:16 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-10-01 15:53 . 2012-07-04 19:45 33280 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2012-10-01 15:53 . 2012-08-22 17:16 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-10-01 15:53 . 2012-08-22 17:16 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-10-01 15:53 . 2012-08-22 17:16 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-10-01 15:53 . 2012-08-02 16:57 490496 ----a-w- c:\windows\system32\d3d10level9.dll
2012-09-27 03:55 . 2012-09-27 07:14 -------- d-----w- c:\users\Dad\AppData\Roaming\Audacity
2012-09-26 22:40 . 2012-09-26 22:40 -------- d-----w- c:\users\Default\AppData\Local\Google
2012-09-25 19:56 . 2012-09-27 15:26 -------- d-----w- C:\FRST
2012-09-13 06:04 . 2012-01-17 20:55 28424 ----a-w- c:\windows\system32\drivers\PRSBDrvr.sys
2012-09-13 05:35 . 2012-10-01 17:10 -------- d-----w- c:\windows\system32\DBBK
2012-09-13 05:35 . 2012-03-22 16:17 225664 ----a-w- c:\windows\system32\drivers\DasBootS.SYS
2012-09-13 05:35 . 2012-01-17 20:55 9096 ----a-w- c:\windows\system32\drivers\DasBootI.SYS
2012-09-13 05:35 . 2012-01-17 20:55 27528 ----a-w- c:\windows\system32\drivers\DasBootK.SYS
2012-09-13 05:35 . 2012-01-17 20:55 9096 ----a-w- c:\windows\system32\drivers\DasBootE.SYS
2012-09-13 05:35 . 2012-01-17 20:55 59272 ----a-w- c:\windows\system32\drivers\DasBootF.SYS
2012-09-13 05:35 . 2012-01-17 20:55 20744 ----a-w- c:\windows\system32\drivers\DasBoot.SYS
2012-09-13 05:35 . 2010-05-04 01:37 3072 ----a-w- c:\windows\system32\drivers\DasBootD.SYS
2012-09-13 05:14 . 2012-09-13 05:14 -------- d-----w- c:\users\Matt2\AppData\Roaming\Apple Computer
2012-09-13 05:08 . 2012-09-13 05:08 -------- d-----w- c:\users\Dad\AppData\Local\Apple Computer
2012-09-13 04:17 . 2012-10-02 05:42 -------- d-----w- c:\program files\Microsoft Security Client
2012-09-11 22:24 . 2012-09-11 22:24 73696 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-09 04:08 . 2012-04-23 21:27 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 04:08 . 2011-05-15 19:41 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-31 03:03 . 2012-08-31 03:03 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-31 03:03 . 2012-03-21 01:44 99272 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-08-24 06:51 . 2012-10-01 17:09 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:47 . 2012-10-01 17:09 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-21 20:12 . 2012-10-01 15:53 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2012-07-18 17:47 . 2012-08-15 04:24 2345984 ----a-w- c:\windows\system32\win32k.sys
2011-07-10 05:04 . 2011-07-27 05:28 2159768 ----a-w- c:\program files\mozilla firefox\components\1521958.dll
2012-09-11 22:24 . 2011-07-27 05:27 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-09-06 20:51 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-09-06 20:51 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-09-06 20:51 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-09-06 20:51 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="c:\users\Matt\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe" [2011-12-14 79872]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-09-27 896912]
"GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2012-09-06 15668432]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-30 61440]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-03-28 10029672]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-05-26 1159168]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-08 421776]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2011-10-07 280576]
.
c:\users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
SATARaid5Manager.lnk - c:\windows\Installer\{2ABC904F-6915-40AC-8CF8-B48743698CEC}\_4E324AB483CECB59D49F7F.exe [2011-5-15 1206]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R0 DasBoot;Panda AntiMalware Support;c:\windows\\SystemRoot\system32\drivers\DasBoot.SYS [x]
R0 DasBootF;Panda AntiMalware Support MF;c:\windows\\SystemRoot\system32\drivers\DasBootF.SYS [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 PRSBDrvr;PRSBDrvr;c:\windows\system32\DRIVERS\PRSBDrvr.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
R4 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S1 MpKsl68428d03;MpKsl68428d03;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{57E34F42-FEEE-49B2-9B87-5A7AE4447CBF}\MpKsl68428d03.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 SATARaid5 Config Service;SATARaid5 Configuration Service;c:\program files\Silicon Image\3132-W-R\SATARaid5ConfigService.exe [x]
S3 YMIDUSBW;Yamaha USB-MIDI Driver (WDM);c:\windows\system32\drivers\ymidusbw.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
svcboot_shvuszrb REG_MULTI_SZ svcboot_shvuszrb
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-23 04:08]
.
2012-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-13 03:25]
.
2012-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-13 03:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
Trusted Zone: mywalmart.com
Trusted Zone: rhapsody.com\rhap-app-4-0
Trusted Zone: rhapsody.com\rhapreg
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\clnafw2j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3072253&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{687578b9-7132-4a7a-80e4-30ee31099e03} - (no file)
WebBrowser-{687578B9-7132-4A7A-80E4-30EE31099E03} - (no file)
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-FastCAD - c:\program files\ProFantasy\CC3\UNINST.EXE
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe
AddRemove-Silicon Image SiI 3132 Windows BASE & SATARAID5 Driver - c:\users\Matt\AppData\Local\Temp\SII3132\uninst.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2685272336-3550735784-773737833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2685272336-3550735784-773737833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\taskhost.exe
c:\program files\Google\Update\1.3.21.123\GoogleCrashHandler.exe
c:\windows\system32\conhost.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-10-09 17:07:53 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-09 22:07
.
Pre-Run: 31,794,765,824 bytes free
Post-Run: 41,739,485,184 bytes free
.
- - End Of File - - 48BEFCA90206F83EE9344D27F779666D
 