Solved Sirefef.y and possibly .b infection.

Status
Not open for further replies.

Phoenix Gold

Posts: 15   +0
I am at a loss and a time bind at the same time to get this laptop back up to par.

I keep getting the infamous Critical problem found, restarting windows in one minute message.

I've been trying to acquire logs all day long for DDS and Gmer to no avail. System reboots too quickly...I need ideas and some help! Please let me know.
 
Scan result of Farbar Recovery Scan Tool Version: 05-08-2012 03
Ran by SYSTEM at 06-08-2012 09:50:34
Running from G:\techtools
Windows Vista (TM) Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet002

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2096424 2010-05-27] (Synaptics Incorporated)
HKLM\...\Run: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [912688 2008-09-23] (Hewlett-Packard)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [450048 2009-07-21] (IDT, Inc.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [162328 2011-02-11] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [386584 2011-02-11] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [417304 2011-02-11] (Intel Corporation)
HKLM-x32\...\Run: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [1148200 2008-09-26] (CyberLink Corp.)
HKLM-x32\...\Run: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [1152296 2008-09-25] (CyberLink Corp.)
HKLM-x32\...\Run: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [189736 2008-09-25] (CyberLink)
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [x]
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [x]
HKU\Owner\...\Run: [LightScribe Control Panel] "C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" -hidden [2363392 2008-06-09] (Hewlett-Packard Company)
HKU\Owner\...\Run: [HPAdvisor] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [x]
HKU\Owner\...\Run: [Sidebar] "C:\Program Files\Windows Sidebar\Sidebar.exe" /autorun [1555968 2009-04-10] (Microsoft Corporation)
HKU\Owner\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet [5244216 2009-11-10] (Yahoo! Inc.)
HKU\Owner\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\Owner\...\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe [x]
HKU\Owner\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5661056 2012-07-09] (SUPERAntiSpyware.com)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

==================== Services (Whitelisted) ======

4 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2011-08-11] (SUPERAntiSpyware.com)
2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_58be29c0\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
4 Recovery Service for Windows; C:\Program Files (x86)\SMINST\BLService.exe [365904 2008-09-23] ()
2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [241734 2008-06-29] ()
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_58be29c0\STacSV64.exe [240128 2009-07-21] (IDT, Inc.)
4 WebrootSpySweeperService; "C:\Program Files (x86)\Webroot\WebrootSecurity\SpySweeper.exe" [4048240 2009-04-02] (Webroot Software, Inc. (www.webroot.com))
4 Norton Internet Security; "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 [x]
3 WinDefend; C:\Program Files (x86)\Windows Defender\mpsvc.dll [x]

========================== Drivers (Whitelisted) =============

3 PTDUBus; C:\Windows\System32\Drivers\PTDUBus.sys [70672 2009-08-12] (DEVGURU Co., LTD.)
3 PTDUMdm; C:\Windows\System32\Drivers\PTDUMdm.sys [173456 2009-08-12] (DEVGURU Co., LTD.(www.devguru.co.kr))
3 PTDUVsp; C:\Windows\System32\Drivers\PTDUVsp.sys [173456 2009-08-12] (DEVGURU Co., LTD.(www.devguru.co.kr))
3 PTDUWFLT; C:\Windows\System32\Drivers\PTDUWFLT.sys [12688 2009-08-12] (DEVGURU Co., LTD.)
3 PTDUWWAN; C:\Windows\System32\Drivers\PTDUWWAN.sys [141840 2009-08-12] (DEVGURU Co., LTD.)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
0 ssfs0bbc; C:\Windows\System32\Drivers\ssfs0bbc.sys [37488 2009-04-02] (Webroot Software, Inc. (www.webroot.com))
0 ssidrv; C:\Windows\System32\Drivers\ssidrv.sys [135280 2009-04-02] (Webroot Software, Inc. (www.webroot.com))
2 {55662437-DA8C-40c0-AADA-2C816A897A49}; \??\C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [27632 2008-09-26] (Cyberlink Corp.)
1 Beep; [x]
3 catchme; \??\C:\1ombox\catchme.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\ENG64.SYS [x]
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\EX64.SYS [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
1 SRTSP; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSP64.SYS [x]
1 SRTSPX; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSPX64.SYS [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-06 08:47 - 2012-08-06 08:47 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\jotnbxmr.sys
2012-08-06 08:43 - 2012-08-06 08:43 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.9F726B9816858747
2012-08-06 08:34 - 2012-08-06 08:34 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.0B99976C11C08FFC
2012-08-06 08:30 - 2012-08-06 08:30 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.BC119F2587F25F3E
2012-08-06 07:53 - 2012-08-06 07:53 - 00000000 ____D C:\Users\Owner\Application Data\SUPERAntiSpyware.com
2012-08-06 07:53 - 2012-08-06 07:53 - 00000000 ____D C:\Users\Owner\AppData\Roaming\SUPERAntiSpyware.com
2012-08-06 07:52 - 2012-08-06 08:45 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-06 07:52 - 2012-08-06 08:21 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-06 07:52 - 2012-08-06 07:53 - 00000000 ____D C:\Program Files (x86)\Google
2012-08-06 07:52 - 2012-08-06 07:52 - 00001655 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-08-06 07:52 - 2012-08-06 07:52 - 00001655 ____A C:\Users\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-08-06 07:52 - 2012-08-06 07:52 - 00000000 ____D C:\Users\Owner\Local Settings\Google
2012-08-06 07:52 - 2012-08-06 07:52 - 00000000 ____D C:\Users\Owner\Local Settings\Application Data\Google
2012-08-06 07:52 - 2012-08-06 07:52 - 00000000 ____D C:\Users\Owner\AppData\Local\Google
2012-08-06 07:52 - 2012-08-06 07:52 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-08-06 07:52 - 2012-08-06 07:52 - 00000000 ____D C:\Users\All Users\Application Data\SUPERAntiSpyware.com
2012-08-06 07:52 - 2012-08-06 07:52 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2012-08-06 07:40 - 2012-08-06 07:40 - 00000000 ____D C:\Users\All Users\SUPERSetup
2012-08-06 07:40 - 2012-08-06 07:40 - 00000000 ____D C:\Users\All Users\Application Data\SUPERSetup
2012-08-06 07:40 - 2012-08-06 07:12 - 18976248 ____A (SUPERAntiSpyware.com) C:\Users\Owner\Desktop\SAS_939C88.EXE
2012-08-06 06:24 - 2012-08-06 06:59 - 00000000 ____D C:\1ombox
2012-08-06 06:03 - 2012-08-06 06:25 - 00000000 ____D C:\Users\Owner\Desktop\sirefef removal
2012-08-06 05:53 - 2012-08-06 07:40 - 00001016 ____A C:\Users\Owner\Desktop\Rkill.txt
2012-08-06 05:53 - 2012-08-06 05:53 - 00000000 ____D C:\Users\Owner\Desktop\rkill-backup
2012-08-06 01:40 - 2012-08-06 01:41 - 00000000 ____D C:\FRST
2012-08-06 00:09 - 2012-08-06 00:09 - 00014986 ____A C:\Users\Owner\Desktop\MBRCheck_08.06.12_01.09.01.txt
2012-08-06 00:05 - 2012-08-06 00:06 - 00015310 ____A C:\Users\Owner\Desktop\MBRCheck_08.06.12_01.05.08.txt
2012-08-06 00:04 - 2012-08-06 00:05 - 00006788 ____A C:\Users\Owner\Desktop\MBRCheck_08.06.12_01.04.48.txt
2012-08-06 00:03 - 2012-08-06 00:04 - 00016072 ____A C:\Users\Owner\Desktop\MBRCheck_08.06.12_01.03.21.txt
2012-08-05 23:56 - 2012-08-05 23:56 - 00000000 ____D C:\Users\Owner\Desktop\Samples
2012-08-05 23:42 - 2012-08-05 23:42 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-08-05 23:09 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-08-05 23:09 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-08-05 23:09 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-08-05 23:09 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-08-05 23:09 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-08-05 23:09 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-08-05 23:09 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-08-05 23:09 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-08-05 23:03 - 2012-08-06 08:22 - 00000000 ____D C:\Users\Public\Desktop\CC Support
2012-08-05 23:03 - 2012-08-06 08:22 - 00000000 ____D C:\Users\All Users\Desktop\CC Support
2012-08-05 23:03 - 2012-08-05 23:03 - 04009167 ____A C:\Users\Owner\Downloads\ServicesRepair.exe
2012-08-05 23:02 - 2012-08-05 23:02 - 02030547 ____A C:\Users\Owner\Downloads\EZ_Sirefix.exe
2012-08-05 23:02 - 2012-08-05 23:02 - 00138120 ____A (ESET) C:\Users\Owner\Downloads\ESETSirefefRemover.exe
2012-08-05 23:00 - 2012-08-05 23:07 - 00065015 ____A C:\Users\Owner\Downloads\yorkyt.exe.log
2012-08-05 22:59 - 2012-08-05 23:00 - 01415784 ____A C:\Users\Owner\Downloads\yorkyt.exe
2012-08-05 22:32 - 2012-08-05 21:18 - 04725168 ____R (Swearware) C:\Users\Owner\Desktop\1ombox.com
2012-08-05 21:45 - 2012-08-05 22:03 - 00000000 ____D C:\Users\Owner\Application Data\vlc
2012-08-05 21:45 - 2012-08-05 22:03 - 00000000 ____D C:\Users\Owner\AppData\Roaming\vlc
2012-08-05 21:44 - 2012-08-05 21:44 - 00000861 ____A C:\Users\Public\Desktop\VLC media player.lnk
2012-08-05 21:44 - 2012-08-05 21:44 - 00000861 ____A C:\Users\All Users\Desktop\VLC media player.lnk
2012-08-05 21:43 - 2012-08-05 21:43 - 00000000 ____D C:\Program Files (x86)\VideoLAN
2012-08-05 21:42 - 2012-08-05 21:43 - 00000000 ____D C:\Users\Owner\Desktop\August 4th show for the zoo
2012-08-05 21:41 - 2012-08-05 21:42 - 22617148 ____A C:\Users\Owner\Downloads\vlc-2.0.3-win32.exe
2012-08-05 21:32 - 2012-08-05 21:32 - 00000000 ____D C:\Users\Public\CyberLink
2012-08-05 20:51 - 2012-08-05 20:53 - 12621696 ____A (Microsoft Corporation) C:\Users\Owner\Downloads\mseinstall.exe
2012-08-05 20:31 - 2012-08-05 20:38 - 00015345 ____A C:\Users\Owner\Desktop\MBRCheck_08.05.12_21.31.22.txt
2012-08-05 20:25 - 2012-08-06 06:56 - 00000000 ____D C:\Windows\erdnt
2012-08-05 20:25 - 2012-08-05 23:09 - 00000000 ____D C:\Qoobox
2012-08-05 20:25 - 2012-08-05 20:25 - 04725168 ____R (Swearware) C:\Users\Owner\Downloads\z123ComboFix.com
2012-08-05 20:04 - 2012-08-05 21:24 - 00000734 ____A C:\Windows\System32\Drivers\etc\hosts.new
2012-08-05 20:04 - 2012-08-05 20:04 - 00000000 ____D C:\Users\Owner\Application Data\Malwarebytes
2012-08-05 20:04 - 2012-08-05 20:04 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Malwarebytes
2012-08-05 20:02 - 2012-08-05 20:12 - 00000908 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-05 20:02 - 2012-08-05 20:12 - 00000908 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-05 20:02 - 2012-08-05 20:12 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-08-05 20:02 - 2012-08-05 20:02 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-08-05 20:02 - 2012-08-05 20:02 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2012-08-05 20:02 - 2012-07-03 12:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-29 22:04 - 2012-07-29 22:06 - 00000000 ____D C:\Users\All Users\Application Data\0C1CFB1300547533199543F32F3B707C
2012-07-29 22:04 - 2012-07-29 22:06 - 00000000 ____D C:\Users\All Users\0C1CFB1300547533199543F32F3B707C
2012-07-29 22:04 - 2012-07-29 22:04 - 00000000 ____D C:\Users\Owner\Local Settings\Application Data\{65B180A3-DA0C-11E1-8270-B8AC6F996F26}
2012-07-29 22:04 - 2012-07-29 22:04 - 00000000 ____D C:\Users\Owner\Local Settings\{65B180A3-DA0C-11E1-8270-B8AC6F996F26}
2012-07-29 22:04 - 2012-07-29 22:04 - 00000000 ____D C:\Users\Owner\AppData\Local\{65B180A3-DA0C-11E1-8270-B8AC6F996F26}
2012-07-29 22:03 - 2012-07-29 22:03 - 00063488 ___AH (FRISK Software International) C:\Windows\System32\Systeout64.dll
2012-07-24 12:22 - 2012-07-24 12:22 - 02136664 ____A (Kaspersky Lab ZAO) C:\Users\Owner\Desktop\TDSSKiller.exe
2012-07-11 20:45 - 2012-06-13 05:58 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-10 21:10 - 2012-06-08 09:59 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-10 21:10 - 2012-06-08 09:47 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-07-10 21:10 - 2012-06-05 08:47 - 01401856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-07-10 21:10 - 2012-06-05 08:47 - 01248768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-07-10 21:10 - 2012-06-05 08:22 - 01869824 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-10 21:10 - 2012-06-05 08:22 - 01797120 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-10 21:10 - 2012-06-04 07:29 - 00516480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-10 21:10 - 2012-06-01 16:22 - 00347136 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-10 21:10 - 2012-06-01 16:22 - 00254464 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-10 21:10 - 2012-06-01 16:05 - 00077312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-07-10 21:10 - 2012-06-01 16:04 - 00278528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-07-10 21:10 - 2012-06-01 16:03 - 00204288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll


============ 3 Months Modified Files ========================

2012-08-06 08:47 - 2012-08-06 08:47 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4D81E605E6624FDA
2012-08-06 08:47 - 2012-08-06 08:47 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\jotnbxmr.sys
2012-08-06 08:45 - 2012-08-06 07:52 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-06 08:45 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-06 08:45 - 2006-11-02 07:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-06 08:45 - 2006-11-02 07:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-06 08:45 - 2006-11-02 07:21 - 00316224 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-06 08:43 - 2012-08-06 08:43 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.9F726B9816858747
2012-08-06 08:39 - 2009-12-04 12:31 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-08-06 08:34 - 2012-08-06 08:34 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.0B99976C11C08FFC
2012-08-06 08:30 - 2012-08-06 08:30 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.BC119F2587F25F3E
2012-08-06 08:27 - 2009-07-19 21:34 - 00000434 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{F132627D-0981-4A20-B84D-9DEE68BE3C90}.job
2012-08-06 08:21 - 2012-08-06 07:52 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-06 07:52 - 2012-08-06 07:52 - 00001655 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-08-06 07:52 - 2012-08-06 07:52 - 00001655 ____A C:\Users\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-08-06 07:40 - 2012-08-06 05:53 - 00001016 ____A C:\Users\Owner\Desktop\Rkill.txt
2012-08-06 07:12 - 2012-08-06 07:40 - 18976248 ____A (SUPERAntiSpyware.com) C:\Users\Owner\Desktop\SAS_939C88.EXE
2012-08-06 07:00 - 2006-11-02 07:42 - 00032552 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-06 06:56 - 2008-01-20 19:26 - 00177086 ____A C:\Windows\PFRO.log
2012-08-06 06:56 - 2006-11-02 04:34 - 00000215 ____A C:\Windows\system.ini
2012-08-06 06:55 - 2009-03-05 00:08 - 01093739 ____A C:\Windows\WindowsUpdate.log
2012-08-06 06:26 - 2006-11-02 04:46 - 00706916 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-06 00:09 - 2012-08-06 00:09 - 00014986 ____A C:\Users\Owner\Desktop\MBRCheck_08.06.12_01.09.01.txt
2012-08-06 00:06 - 2012-08-06 00:05 - 00015310 ____A C:\Users\Owner\Desktop\MBRCheck_08.06.12_01.05.08.txt
2012-08-06 00:05 - 2012-08-06 00:04 - 00006788 ____A C:\Users\Owner\Desktop\MBRCheck_08.06.12_01.04.48.txt
2012-08-06 00:04 - 2012-08-06 00:03 - 00016072 ____A C:\Users\Owner\Desktop\MBRCheck_08.06.12_01.03.21.txt
2012-08-05 23:49 - 2011-07-23 23:21 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-05 23:42 - 2011-07-23 23:20 - 00722256 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-08-05 23:07 - 2012-08-05 23:00 - 00065015 ____A C:\Users\Owner\Downloads\yorkyt.exe.log
2012-08-05 23:03 - 2012-08-05 23:03 - 04009167 ____A C:\Users\Owner\Downloads\ServicesRepair.exe
2012-08-05 23:02 - 2012-08-05 23:02 - 02030547 ____A C:\Users\Owner\Downloads\EZ_Sirefix.exe
2012-08-05 23:02 - 2012-08-05 23:02 - 00138120 ____A (ESET) C:\Users\Owner\Downloads\ESETSirefefRemover.exe
2012-08-05 23:00 - 2012-08-05 22:59 - 01415784 ____A C:\Users\Owner\Downloads\yorkyt.exe
2012-08-05 21:44 - 2012-08-05 21:44 - 00000861 ____A C:\Users\Public\Desktop\VLC media player.lnk
2012-08-05 21:44 - 2012-08-05 21:44 - 00000861 ____A C:\Users\All Users\Desktop\VLC media player.lnk
2012-08-05 21:42 - 2012-08-05 21:41 - 22617148 ____A C:\Users\Owner\Downloads\vlc-2.0.3-win32.exe
2012-08-05 21:24 - 2012-08-05 20:04 - 00000734 ____A C:\Windows\System32\Drivers\etc\hosts.new
2012-08-05 21:18 - 2012-08-05 22:32 - 04725168 ____R (Swearware) C:\Users\Owner\Desktop\1ombox.com
2012-08-05 20:53 - 2012-08-05 20:51 - 12621696 ____A (Microsoft Corporation) C:\Users\Owner\Downloads\mseinstall.exe
2012-08-05 20:38 - 2012-08-05 20:31 - 00015345 ____A C:\Users\Owner\Desktop\MBRCheck_08.05.12_21.31.22.txt
2012-08-05 20:25 - 2012-08-05 20:25 - 04725168 ____R (Swearware) C:\Users\Owner\Downloads\z123ComboFix.com
2012-08-05 20:12 - 2012-08-05 20:02 - 00000908 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-05 20:12 - 2012-08-05 20:02 - 00000908 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-05 20:01 - 2009-10-03 19:10 - 00049664 ____A C:\Users\Owner\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-08-05 20:01 - 2009-10-03 19:10 - 00049664 ____A C:\Users\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-08-05 20:01 - 2009-10-03 19:10 - 00049664 ____A C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-08-05 20:01 - 2006-11-02 07:27 - 00124578 ____A C:\Windows\setupact.log
2012-08-05 19:56 - 2009-04-15 21:33 - 00000680 ____A C:\Users\Owner\Local Settings\d3d9caps.dat
2012-08-05 19:56 - 2009-04-15 21:33 - 00000680 ____A C:\Users\Owner\Local Settings\Application Data\d3d9caps.dat
2012-08-05 19:56 - 2009-04-15 21:33 - 00000680 ____A C:\Users\Owner\AppData\Local\d3d9caps.dat
2012-07-29 22:03 - 2012-07-29 22:03 - 00063488 ___AH (FRISK Software International) C:\Windows\System32\Systeout64.dll
2012-07-24 12:22 - 2012-07-24 12:22 - 02136664 ____A (Kaspersky Lab ZAO) C:\Users\Owner\Desktop\TDSSKiller.exe
2012-07-11 20:46 - 2006-11-02 04:35 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-07-03 12:46 - 2012-08-05 20:02 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-13 05:58 - 2012-07-11 20:45 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-10 18:48 - 2011-05-28 12:10 - 00001784 ____A C:\Users\Owner\Application Data\wklnhst.dat
2012-06-10 18:48 - 2011-05-28 12:10 - 00001784 ____A C:\Users\Owner\AppData\Roaming\wklnhst.dat
2012-06-08 09:59 - 2012-07-10 21:10 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 09:47 - 2012-07-10 21:10 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 08:47 - 2012-07-10 21:10 - 01401856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 08:47 - 2012-07-10 21:10 - 01248768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 08:22 - 2012-07-10 21:10 - 01869824 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 08:22 - 2012-07-10 21:10 - 01797120 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-04 07:29 - 2012-07-10 21:10 - 00516480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-02 14:19 - 2012-06-23 14:23 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-23 14:23 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-23 14:23 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2012-06-02 14:19 - 2012-06-23 14:23 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 14:19 - 2012-06-23 14:23 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2012-06-02 14:19 - 2012-06-23 14:23 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-23 14:23 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-23 14:23 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:19 - 2012-06-23 14:23 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2012-06-02 14:15 - 2012-06-23 14:23 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-23 14:23 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:15 - 2012-06-23 14:23 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 14:12 - 2012-06-23 14:23 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2012-06-02 14:12 - 2012-06-23 14:23 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2012-06-01 16:22 - 2012-07-10 21:10 - 00347136 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 16:22 - 2012-07-10 21:10 - 00254464 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 16:05 - 2012-07-10 21:10 - 00077312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 16:04 - 2012-07-10 21:10 - 00278528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 16:03 - 2012-07-10 21:10 - 00204288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-05-14 22:37 - 2012-06-12 21:12 - 01212416 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-05-14 22:37 - 2012-06-12 21:12 - 00916992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-14 22:37 - 2012-06-12 21:12 - 00105984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-05-14 22:35 - 2012-06-12 21:12 - 00206848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2012-05-14 22:33 - 2012-06-12 21:12 - 06007808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-05-14 22:33 - 2012-06-12 21:12 - 00629760 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-05-14 22:33 - 2012-06-12 21:12 - 00611840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstime.dll
2012-05-14 22:33 - 2012-06-12 21:12 - 00067072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-05-14 22:33 - 2012-06-12 21:12 - 00055296 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2012-05-14 22:32 - 2012-06-12 21:12 - 01469440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-05-14 22:32 - 2012-06-12 21:12 - 00043520 ____A (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll
2012-05-14 22:32 - 2012-06-12 21:12 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-14 22:31 - 2012-06-12 21:12 - 11111424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-05-14 22:31 - 2012-06-12 21:12 - 02000384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-05-14 22:31 - 2012-06-12 21:12 - 00387584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2012-05-14 22:31 - 2012-06-12 21:12 - 00184320 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2012-05-14 22:31 - 2012-06-12 21:12 - 00164352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-05-14 22:31 - 2012-06-12 21:12 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2012-05-14 22:31 - 2012-06-12 21:12 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2012-05-14 22:31 - 2012-06-12 21:12 - 00055808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2012-05-14 21:01 - 2012-06-12 21:12 - 00385024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2012-05-14 19:26 - 2012-06-12 21:12 - 00133632 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-05-14 19:25 - 2012-06-12 21:12 - 00174080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ie4uinit.exe
2012-05-14 19:24 - 2012-06-12 21:12 - 00013312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2012-05-14 19:23 - 2012-06-12 21:12 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-05-14 18:19 - 2012-06-12 21:12 - 01488384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-14 18:19 - 2012-06-12 21:12 - 01147392 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-14 18:19 - 2012-06-12 21:12 - 00108032 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-14 18:18 - 2012-06-12 21:12 - 00243712 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2012-05-14 18:16 - 2012-06-12 21:12 - 01062912 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll
2012-05-14 18:15 - 2012-06-12 21:12 - 09328640 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-14 18:15 - 2012-06-12 21:12 - 00742912 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-05-14 18:15 - 2012-06-12 21:12 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-14 18:15 - 2012-06-12 21:12 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-05-14 18:15 - 2012-06-12 21:12 - 00056832 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-05-14 18:15 - 2012-06-12 21:12 - 00031744 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-14 18:14 - 2012-06-12 21:12 - 12508672 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-14 18:14 - 2012-06-12 21:12 - 02350592 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-14 18:14 - 2012-06-12 21:12 - 01538560 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-14 18:14 - 2012-06-12 21:12 - 00459776 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-05-14 18:14 - 2012-06-12 21:12 - 00252416 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-05-14 18:14 - 2012-06-12 21:12 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-14 18:14 - 2012-06-12 21:12 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2012-05-14 18:14 - 2012-06-12 21:12 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2012-05-14 18:14 - 2012-06-12 21:12 - 00072192 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2012-05-14 17:21 - 2012-06-12 21:12 - 00479232 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-05-14 16:40 - 2012-06-12 21:12 - 00162816 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-14 16:40 - 2012-06-12 21:12 - 00070656 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2012-05-14 16:39 - 2012-06-12 21:12 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-14 16:39 - 2012-06-12 21:12 - 00012288 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe


ZeroAccess:
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U

ZeroAccess:
C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe BC81150939BD52DBC7A08C245F1FB229 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 16%
Total physical RAM: 3998.27 MB
Available physical RAM: 3335.36 MB
Total Pagefile: 3675.46 MB
Available Pagefile: 3315.82 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:285.62 GB) (Free:216.24 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (RECOVERY) (Fixed) (Total:12.47 GB) (Free:1.98 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive g: () (Removable) (Total:7.53 GB) (Free:2.59 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 1024 KB
Disk 1 No Media 0 B 0 B
Disk 2 Online 7728 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 286 GB 32 KB
Partition 2 Primary 12 GB 286 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 286 GB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D RECOVERY NTFS Partition 12 GB Healthy

==================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7728 MB 32 KB

==================================================================================

Disk: 2
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 7728 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-08-06 06:31

======================= End Of Log ==========================
 
Farbar Recovery Scan Tool Version: 05-08-2012 03
Ran by SYSTEM at 2012-08-06 09:52:19
Running from G:\techtools
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-12-04 12:31] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-12-04 12:31] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719
C:\Windows\SysWOW64\services.exe
[2009-12-04 12:31] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\System32\services.exe
[2009-12-04 12:31] - [2012-08-06 08:39] - 0384512 ____A (Microsoft Corporation) BC81150939BD52DBC7A08C245F1FB229
C:\System Volume Information\SystemRestore\FRStaging\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\System Volume Information\SystemRestore\FRStaging\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719
====== End Of Search ======
 
Hello, and welcome to TechSpot.


rulesx.png
Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

FRST64 Fixlist

Please run the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe C:\Windows\System32\services.exe
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now, please enter System Recovery Options then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.
 
Thank you for your help DragonMasterJay for your help!
I would wish to learn you guy's skills. Virus and spyware removal fascinates me. I've done retail virus and spyware removal back about 5 or so years ago. Nothing to this extent. But I at least understand the lingo a bit. But just not adept at it yet!

Anyway I've rebooted the machine. And it seems like we are ok thus far. It hasn't warned me about it rebooting YET. But it's only been up for a few minutes. And I'm not scrambling to run any tools to beat the clock so to speak...(which could have potentially caused the issue sooner.)


Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 05-08-2012 03
Ran by SYSTEM at 2012-08-06 12:47:49 Run:1
Running from G:\techtools

==============================================

C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe copied successfully to C:\Windows\System32\services.exe
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} moved successfully.
C:\Users\Owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} moved successfully.

==== End of Fixlog ====
 
And so far so good...has not rebooted yet....I'm REALLY struggling on waiting for an answer! :p I want to fix! lol...but I will try and be patient.
 
Good work!

ComboFix

Please download ComboFix
combofix.gif
by sUBs
From BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
 
After the system rebooted, I do see an error message:
C:\windows\system32\gfxUI.exe

A device attached to the system is not functioning.

Combofix is still doing it's thing.
 
ComboFix 12-08-05.02 - Owner 08/06/2012 13:18:36.4.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3998.2610 [GMT -7:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\data\default\us_sres.data
c:\program files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe
c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe
c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe
c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe
c:\program files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe
c:\programdata\SymUpdate.exe
c:\users\Owner\AppData\Roaming\maprk.dll
c:\windows\security\Database\tmp.edb
.
-- Previous Run --
.
c:\windows\system32\Services.exe . . . is infected!!
.
--------
.
.
((((((((((((((((((((((((( Files Created from 2012-07-06 to 2012-08-06 )))))))))))))))))))))))))))))))
.
.
2012-08-06 20:24 . 2012-08-06 20:24--------d-----w-c:\users\Default\AppData\Local\temp
2012-08-06 16:47 . 2012-08-06 16:47384512----a-w-c:\windows\system32\services.exe.4D81E605E6624FDA
2012-08-06 16:43 . 2012-08-06 16:43384512----a-w-c:\windows\system32\services.exe.9F726B9816858747
2012-08-06 16:34 . 2012-08-06 16:34384512----a-w-c:\windows\system32\services.exe.0B99976C11C08FFC
2012-08-06 16:30 . 2012-08-06 16:30384512----a-w-c:\windows\system32\services.exe.BC119F2587F25F3E
2012-08-06 15:53 . 2012-08-06 15:53--------d-----w-c:\users\Owner\AppData\Roaming\SUPERAntiSpyware.com
2012-08-06 15:52 . 2012-08-06 15:52--------d-----w-c:\users\Owner\AppData\Local\Google
2012-08-06 15:52 . 2012-08-06 15:53--------d-----w-c:\program files (x86)\Google
2012-08-06 15:52 . 2012-08-06 15:52--------d-----w-c:\program files\SUPERAntiSpyware
2012-08-06 15:52 . 2012-08-06 15:52--------d-----w-c:\programdata\SUPERAntiSpyware.com
2012-08-06 15:40 . 2012-08-06 15:40--------d-----w-c:\programdata\SUPERSetup
2012-08-06 09:40 . 2012-08-06 09:41--------d-----w-C:\FRST
2012-08-06 07:42 . 2012-08-06 07:42--------d-----w-c:\program files (x86)\Microsoft Security Client
2012-08-06 04:04 . 2012-08-06 04:04--------d-----w-c:\users\Owner\AppData\Roaming\Malwarebytes
2012-08-06 04:02 . 2012-08-06 04:02--------d-----w-c:\programdata\Malwarebytes
2012-08-06 04:02 . 2012-08-06 04:12--------d-----w-c:\program files (x86)\Malwarebytes' Anti-Malware
2012-08-06 04:02 . 2012-07-03 20:4624904----a-w-c:\windows\system32\drivers\mbam.sys
2012-07-30 06:04 . 2012-07-30 06:06--------d-----w-c:\programdata\0C1CFB1300547533199543F32F3B707C
2012-07-30 06:04 . 2012-07-30 06:04--------d-----w-c:\users\Owner\AppData\Local\{65B180A3-DA0C-11E1-8270-B8AC6F996F26}
2012-07-30 06:03 . 2012-07-30 06:0363488---ha-w-c:\windows\system32\Systeout64.dll
2012-07-12 04:45 . 2012-06-13 13:582769408----a-w-c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-06 20:25 . 2012-08-06 20:2569000----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5A8ABB24-A135-49B4-A4AD-D4268827543A}\offreg.dll
2012-07-12 04:46 . 2006-11-02 12:3559701280----a-w-c:\windows\system32\mrt.exe
2012-06-29 10:04 . 2012-08-06 08:049133488----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5A8ABB24-A135-49B4-A4AD-D4268827543A}\mpengine.dll
2012-06-02 22:19 . 2012-06-23 22:2338424----a-w-c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-23 22:232428952----a-w-c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-23 22:2357880----a-w-c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-23 22:2344056----a-w-c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-23 22:23186752----a-w-c:\windows\system32\wuwebv.dll
2012-06-02 22:19 . 2012-06-23 22:23171904----a-w-c:\windows\SysWow64\wuwebv.dll
2012-06-02 22:19 . 2012-06-23 22:2335864----a-w-c:\windows\SysWow64\wups.dll
2012-06-02 22:19 . 2012-06-23 22:23701976----a-w-c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-23 22:23577048----a-w-c:\windows\SysWow64\wuapi.dll
2012-06-02 22:15 . 2012-06-23 22:232622464----a-w-c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-23 22:2336864----a-w-c:\windows\system32\wuapp.exe
2012-06-02 22:15 . 2012-06-23 22:2399840----a-w-c:\windows\system32\wudriver.dll
2012-06-02 22:12 . 2012-06-23 22:2333792----a-w-c:\windows\SysWow64\wuapp.exe
2012-06-02 22:12 . 2012-06-23 22:2388576----a-w-c:\windows\SysWow64\wudriver.dll
2012-05-15 06:37 . 2012-06-13 05:12916992----a-w-c:\windows\SysWow64\wininet.dll
2012-05-15 06:32 . 2012-06-13 05:1243520----a-w-c:\windows\SysWow64\licmgr10.dll
2012-05-15 06:32 . 2012-06-13 05:121469440----a-w-c:\windows\SysWow64\inetcpl.cpl
2012-05-15 06:31 . 2012-06-13 05:12109056----a-w-c:\windows\SysWow64\iesysprep.dll
2012-05-15 06:31 . 2012-06-13 05:1271680----a-w-c:\windows\SysWow64\iesetup.dll
2012-05-15 05:01 . 2012-06-13 05:12385024----a-w-c:\windows\SysWow64\html.iec
2012-05-15 03:26 . 2012-06-13 05:12133632----a-w-c:\windows\SysWow64\ieUnatt.exe
2012-05-15 03:23 . 2012-06-13 05:121638912----a-w-c:\windows\SysWow64\mshtml.tlb
2012-05-15 02:19 . 2012-06-13 05:121147392----a-w-c:\windows\system32\wininet.dll
2012-05-15 02:19 . 2012-06-13 05:121488384----a-w-c:\windows\system32\urlmon.dll
2012-05-15 02:19 . 2012-06-13 05:12108032----a-w-c:\windows\system32\url.dll
2012-05-15 02:18 . 2012-06-13 05:12243712----a-w-c:\windows\system32\occache.dll
2012-05-15 02:16 . 2012-06-13 05:121062912----a-w-c:\windows\system32\mstime.dll
2012-05-15 02:15 . 2012-06-13 05:129328640----a-w-c:\windows\system32\mshtml.dll
2012-05-15 02:15 . 2012-06-13 05:1298304----a-w-c:\windows\system32\mshtmled.dll
2012-05-15 02:15 . 2012-06-13 05:12742912----a-w-c:\windows\system32\msfeeds.dll
2012-05-15 02:15 . 2012-06-13 05:1271680----a-w-c:\windows\system32\msfeedsbs.dll
2012-05-15 02:15 . 2012-06-13 05:1256832----a-w-c:\windows\system32\licmgr10.dll
2012-05-15 02:15 . 2012-06-13 05:1231744----a-w-c:\windows\system32\jsproxy.dll
2012-05-15 02:14 . 2012-06-13 05:121538560----a-w-c:\windows\system32\inetcpl.cpl
2012-05-15 02:14 . 2012-06-13 05:122350592----a-w-c:\windows\system32\iertutil.dll
2012-05-15 02:14 . 2012-06-13 05:1277312----a-w-c:\windows\system32\iesetup.dll
2012-05-15 02:14 . 2012-06-13 05:12219136----a-w-c:\windows\system32\ieui.dll
2012-05-15 02:14 . 2012-06-13 05:12132096----a-w-c:\windows\system32\iesysprep.dll
2012-05-15 02:14 . 2012-06-13 05:1272192----a-w-c:\windows\system32\iernonce.dll
2012-05-15 02:14 . 2012-06-13 05:1212508672----a-w-c:\windows\system32\ieframe.dll
2012-05-15 02:14 . 2012-06-13 05:12252416----a-w-c:\windows\system32\iepeers.dll
2012-05-15 02:14 . 2012-06-13 05:12459776----a-w-c:\windows\system32\iedkcs32.dll
2012-05-15 01:21 . 2012-06-13 05:12479232----a-w-c:\windows\system32\html.iec
2012-05-15 00:40 . 2012-06-13 05:12162816----a-w-c:\windows\system32\ieUnatt.exe
2012-05-15 00:40 . 2012-06-13 05:1270656----a-w-c:\windows\system32\ie4uinit.exe
2012-05-15 00:39 . 2012-06-13 05:1212288----a-w-c:\windows\system32\msfeedssync.exe
2012-05-15 00:39 . 2012-06-13 05:121638912----a-w-c:\windows\system32\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn3\yt.dll" [2012-06-11 1524056]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"Sidebar"="c:\program files\Windows Sidebar\Sidebar.exe" [2009-04-11 1555968]
"Messenger (Yahoo!)"="c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-07-09 5661056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2008-09-26 1148200]
"TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-09-26 1152296]
"CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-09-26 189736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 09:3834672----a-w-c:\program files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2008-06-16 15:0375008----a-w-c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:2454840----a-w-c:\program files (x86)\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2008-04-15 21:51488752----a-w-c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2008-08-01 23:14202032----a-w-c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 11:27144784----a-w-c:\program files (x86)\Java\jre1.6.0_07\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_58be29c0\AESTSr64.exe [2009-03-03 89600]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 18:14451872----a-w-c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-06 15:52]
.
2012-08-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-06 15:52]
.
2012-08-06 c:\windows\Tasks\User_Feed_Synchronization-{F132627D-0981-4A20-B84D-9DEE68BE3C90}.job
- c:\windows\system32\msfeedssync.exe [2012-06-13 03:24]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-07-22 450048]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 417304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SYSTEM32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\xtuh39iz.default\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-HPAdvisor - c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
MSConfigStartUp-UCam_Menu - c:\program files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe
MSConfigStartUp-UpdateLBPShortCut - c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe
MSConfigStartUp-UpdateP2GoShortCut - c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe
MSConfigStartUp-UpdatePDIRShortCut - c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe
MSConfigStartUp-UpdatePSTShortCut - c:\program files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-SmartMenu - c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\CyberLink\Shared files\RichVideo.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files (x86)\Yahoo!\Messenger\YahooMessenger.exe
.
**************************************************************************
.
Completion time: 2012-08-06 13:31:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-06 20:31
.
Pre-Run: 232,177,369,088 bytes free
Post-Run: 232,069,844,992 bytes free
.
- - End Of File - - D529977EB276C0A65C5D46AACD15B3AD
 
ComboFix 12-08-07.03 - Owner 08/07/2012 12:41:36.5.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3998.2221 [GMT -7:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-07-07 to 2012-08-07 )))))))))))))))))))))))))))))))
.
.
2012-08-07 19:49 . 2012-08-07 19:49--------d-----w-c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-08-07 19:49 . 2012-08-07 19:49--------d-----w-c:\users\Default\AppData\Local\temp
2012-08-07 04:16 . 2012-08-07 19:5169000----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{902BB310-D588-4E87-96BF-83F14AEF30EB}\offreg.dll
2012-08-07 01:34 . 2012-06-29 10:049133488----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{902BB310-D588-4E87-96BF-83F14AEF30EB}\mpengine.dll
2012-08-06 16:47 . 2012-08-06 16:47384512----a-w-c:\windows\system32\services.exe.4D81E605E6624FDA
2012-08-06 16:43 . 2012-08-06 16:43384512----a-w-c:\windows\system32\services.exe.9F726B9816858747
2012-08-06 16:34 . 2012-08-06 16:34384512----a-w-c:\windows\system32\services.exe.0B99976C11C08FFC
2012-08-06 16:30 . 2012-08-06 16:30384512----a-w-c:\windows\system32\services.exe.BC119F2587F25F3E
2012-08-06 15:53 . 2012-08-06 15:53--------d-----w-c:\users\Owner\AppData\Roaming\SUPERAntiSpyware.com
2012-08-06 15:52 . 2012-08-06 15:52--------d-----w-c:\users\Owner\AppData\Local\Google
2012-08-06 15:52 . 2012-08-06 15:53--------d-----w-c:\program files (x86)\Google
2012-08-06 15:52 . 2012-08-06 15:52--------d-----w-c:\program files\SUPERAntiSpyware
2012-08-06 15:52 . 2012-08-06 15:52--------d-----w-c:\programdata\SUPERAntiSpyware.com
2012-08-06 15:40 . 2012-08-06 15:40--------d-----w-c:\programdata\SUPERSetup
2012-08-06 09:40 . 2012-08-06 09:41--------d-----w-C:\FRST
2012-08-06 08:08 . 2012-02-09 20:17927800------w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-08-06 08:08 . 2012-02-09 20:17927800------w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{805A4FAA-1427-42AB-A1BC-B25B32429636}\gapaengine.dll
2012-08-06 08:04 . 2012-06-29 10:049133488----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-06 07:42 . 2012-08-06 07:42--------d-----w-c:\program files (x86)\Microsoft Security Client
2012-08-06 05:45 . 2012-08-06 06:03--------d-----w-c:\users\Owner\AppData\Roaming\vlc
2012-08-06 05:43 . 2012-08-06 05:43--------d-----w-c:\program files (x86)\VideoLAN
2012-08-06 05:32 . 2012-08-06 05:32--------d-----w-c:\users\Public\CyberLink
2012-08-06 04:57 . 2012-08-06 04:57--------d-s---w-c:\windows\SysWow64\Microsoft
2012-08-06 04:04 . 2012-08-06 04:04--------d-----w-c:\users\Owner\AppData\Roaming\Malwarebytes
2012-08-06 04:02 . 2012-08-06 04:02--------d-----w-c:\programdata\Malwarebytes
2012-08-06 04:02 . 2012-08-06 04:12--------d-----w-c:\program files (x86)\Malwarebytes' Anti-Malware
2012-08-06 04:02 . 2012-07-03 20:4624904----a-w-c:\windows\system32\drivers\mbam.sys
2012-07-30 06:04 . 2012-07-30 06:06--------d-----w-c:\programdata\0C1CFB1300547533199543F32F3B707C
2012-07-30 06:04 . 2012-07-30 06:04--------d-----w-c:\users\Owner\AppData\Local\{65B180A3-DA0C-11E1-8270-B8AC6F996F26}
2012-07-12 04:45 . 2012-06-13 13:582769408----a-w-c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-12 04:46 . 2006-11-02 12:3559701280----a-w-c:\windows\system32\mrt.exe
2012-06-02 22:19 . 2012-06-23 22:2338424----a-w-c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-23 22:232428952----a-w-c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-23 22:2357880----a-w-c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-23 22:2344056----a-w-c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-23 22:23186752----a-w-c:\windows\system32\wuwebv.dll
2012-06-02 22:19 . 2012-06-23 22:23171904----a-w-c:\windows\SysWow64\wuwebv.dll
2012-06-02 22:19 . 2012-06-23 22:2335864----a-w-c:\windows\SysWow64\wups.dll
2012-06-02 22:19 . 2012-06-23 22:23701976----a-w-c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-23 22:23577048----a-w-c:\windows\SysWow64\wuapi.dll
2012-06-02 22:15 . 2012-06-23 22:232622464----a-w-c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-23 22:2336864----a-w-c:\windows\system32\wuapp.exe
2012-06-02 22:15 . 2012-06-23 22:2399840----a-w-c:\windows\system32\wudriver.dll
2012-06-02 22:12 . 2012-06-23 22:2333792----a-w-c:\windows\SysWow64\wuapp.exe
2012-06-02 22:12 . 2012-06-23 22:2388576----a-w-c:\windows\SysWow64\wudriver.dll
2012-05-15 06:37 . 2012-06-13 05:12916992----a-w-c:\windows\SysWow64\wininet.dll
2012-05-15 06:32 . 2012-06-13 05:1243520----a-w-c:\windows\SysWow64\licmgr10.dll
2012-05-15 06:32 . 2012-06-13 05:121469440----a-w-c:\windows\SysWow64\inetcpl.cpl
2012-05-15 06:31 . 2012-06-13 05:12109056----a-w-c:\windows\SysWow64\iesysprep.dll
2012-05-15 06:31 . 2012-06-13 05:1271680----a-w-c:\windows\SysWow64\iesetup.dll
2012-05-15 05:01 . 2012-06-13 05:12385024----a-w-c:\windows\SysWow64\html.iec
2012-05-15 03:26 . 2012-06-13 05:12133632----a-w-c:\windows\SysWow64\ieUnatt.exe
2012-05-15 03:23 . 2012-06-13 05:121638912----a-w-c:\windows\SysWow64\mshtml.tlb
2012-05-15 02:19 . 2012-06-13 05:121147392----a-w-c:\windows\system32\wininet.dll
2012-05-15 02:19 . 2012-06-13 05:121488384----a-w-c:\windows\system32\urlmon.dll
2012-05-15 02:19 . 2012-06-13 05:12108032----a-w-c:\windows\system32\url.dll
2012-05-15 02:18 . 2012-06-13 05:12243712----a-w-c:\windows\system32\occache.dll
2012-05-15 02:16 . 2012-06-13 05:121062912----a-w-c:\windows\system32\mstime.dll
2012-05-15 02:15 . 2012-06-13 05:129328640----a-w-c:\windows\system32\mshtml.dll
2012-05-15 02:15 . 2012-06-13 05:1298304----a-w-c:\windows\system32\mshtmled.dll
2012-05-15 02:15 . 2012-06-13 05:12742912----a-w-c:\windows\system32\msfeeds.dll
2012-05-15 02:15 . 2012-06-13 05:1271680----a-w-c:\windows\system32\msfeedsbs.dll
2012-05-15 02:15 . 2012-06-13 05:1256832----a-w-c:\windows\system32\licmgr10.dll
2012-05-15 02:15 . 2012-06-13 05:1231744----a-w-c:\windows\system32\jsproxy.dll
2012-05-15 02:14 . 2012-06-13 05:121538560----a-w-c:\windows\system32\inetcpl.cpl
2012-05-15 02:14 . 2012-06-13 05:122350592----a-w-c:\windows\system32\iertutil.dll
2012-05-15 02:14 . 2012-06-13 05:1277312----a-w-c:\windows\system32\iesetup.dll
2012-05-15 02:14 . 2012-06-13 05:12219136----a-w-c:\windows\system32\ieui.dll
2012-05-15 02:14 . 2012-06-13 05:12132096----a-w-c:\windows\system32\iesysprep.dll
2012-05-15 02:14 . 2012-06-13 05:1272192----a-w-c:\windows\system32\iernonce.dll
2012-05-15 02:14 . 2012-06-13 05:1212508672----a-w-c:\windows\system32\ieframe.dll
2012-05-15 02:14 . 2012-06-13 05:12252416----a-w-c:\windows\system32\iepeers.dll
2012-05-15 02:14 . 2012-06-13 05:12459776----a-w-c:\windows\system32\iedkcs32.dll
2012-05-15 01:21 . 2012-06-13 05:12479232----a-w-c:\windows\system32\html.iec
2012-05-15 00:40 . 2012-06-13 05:12162816----a-w-c:\windows\system32\ieUnatt.exe
2012-05-15 00:40 . 2012-06-13 05:1270656----a-w-c:\windows\system32\ie4uinit.exe
2012-05-15 00:39 . 2012-06-13 05:1212288----a-w-c:\windows\system32\msfeedssync.exe
2012-05-15 00:39 . 2012-06-13 05:121638912----a-w-c:\windows\system32\mshtml.tlb
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-06_20.25.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 02:23 . 2012-08-07 19:5344910 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2012-08-07 19:5389688 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-04-16 04:32 . 2012-08-07 19:5314572 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-433754658-1946245845-779923464-1000_UserData.bin
+ 2012-08-07 02:12 . 2012-08-07 02:1222016 c:\windows\Installer\13e296d.msi
+ 2009-04-16 05:52 . 2012-08-07 19:503374 c:\windows\system32\WDI\ERCQueuedResolutions.dat
- 2012-08-06 20:25 . 2012-08-06 20:252048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-07 19:51 . 2012-08-07 19:512048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-08-06 20:25 . 2012-08-06 20:252048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-07 19:51 . 2012-08-07 19:512048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-05-06 05:56 . 2012-08-07 13:54329970 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2009-04-16 05:52 . 2012-08-07 12:52412432 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2006-11-02 12:46 . 2012-08-06 20:18606864 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-08-06 20:31606864 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-08-06 20:31105432 c:\windows\system32\perfc009.dat
- 2006-11-02 12:46 . 2012-08-06 20:18105432 c:\windows\system32\perfc009.dat
+ 2009-03-05 08:10 . 2012-08-07 01:05163840 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-03-05 08:10 . 2012-08-06 06:33163840 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-03-05 08:10 . 2012-08-06 06:33294912 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-03-05 08:10 . 2012-08-07 01:05294912 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-02-10 21:36 . 2012-08-07 19:50292612 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-02-10 21:36 . 2012-08-06 20:24292612 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-07-25 06:12 . 2012-08-07 19:50585484 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-433754658-1946245845-779923464-1000-12288.dat
- 2011-07-25 06:12 . 2012-08-06 14:55585484 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-433754658-1946245845-779923464-1000-12288.dat
+ 2011-01-14 14:10 . 2011-01-14 14:10155520 c:\windows\Installer\$PatchCache$\Managed\00004109500200000000000000F01FEC\14.0.5130\GKWORD6.DLL
+ 2011-01-14 14:10 . 2011-01-14 14:10140160 c:\windows\Installer\$PatchCache$\Managed\00004109500200000000000000F01FEC\14.0.5130\GKEXCEL2.DLL
- 2009-03-05 08:10 . 2012-08-06 06:332277376 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-05 08:10 . 2012-08-07 01:052277376 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-07-21 19:34 . 2011-07-21 19:343456000 c:\windows\Installer\2ea8bc4.msp
+ 2011-01-14 14:10 . 2011-01-14 14:102395008 c:\windows\Installer\$PatchCache$\Managed\00004109500200000000000000F01FEC\14.0.5130\GKWORD.DLL
+ 2011-01-14 14:10 . 2011-01-14 14:102180992 c:\windows\Installer\$PatchCache$\Managed\00004109500200000000000000F01FEC\14.0.5130\GKPOWERPOINT.DLL
+ 2011-01-14 14:10 . 2011-01-14 14:103443072 c:\windows\Installer\$PatchCache$\Managed\00004109500200000000000000F01FEC\14.0.5130\GKEXCEL.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn3\yt.dll" [2012-06-11 1524056]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"Sidebar"="c:\program files\Windows Sidebar\Sidebar.exe" [2009-04-11 1555968]
"Messenger (Yahoo!)"="c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-07-09 5661056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2008-09-26 1148200]
"TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-09-26 1152296]
"CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-09-26 189736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 09:3834672----a-w-c:\program files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2008-06-16 15:0375008----a-w-c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:2454840----a-w-c:\program files (x86)\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2008-04-15 21:51488752----a-w-c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2008-08-01 23:14202032----a-w-c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 11:27144784----a-w-c:\program files (x86)\Java\jre1.6.0_07\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
c:\program files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateLBPShortCut]
c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateP2GoShortCut]
c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePDIRShortCut]
c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePSTShortCut]
c:\program files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_58be29c0\AESTSr64.exe [2009-03-03 89600]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 18:14451872----a-w-c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-06 15:52]
.
2012-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-06 15:52]
.
2012-08-07 c:\windows\Tasks\User_Feed_Synchronization-{F132627D-0981-4A20-B84D-9DEE68BE3C90}.job
- c:\windows\system32\msfeedssync.exe [2012-06-13 03:24]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"SmartMenu"="c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [BU]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-07-22 450048]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 417304]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SYSTEM32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\xtuh39iz.default\
FF - prefs.js: network.proxy.type - 0
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\CyberLink\Shared files\RichVideo.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files (x86)\Yahoo!\Messenger\YahooMessenger.exe
.
**************************************************************************
.
Completion time: 2012-08-07 13:02:19 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-07 20:02
ComboFix2.txt 2012-08-06 20:31
.
Pre-Run: 232,095,727,616 bytes free
Post-Run: 232,049,487,872 bytes free
.
- - End Of File - - CE2E26E866802A6A86BCCC4F06D199AE
 
ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
 
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f9bc7b92a675434f81b4baf61ad118f7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-08-08 09:54:57
# local_time=2012-08-08 02:54:57 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776574 100 56 0 181012817 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=192174
# found=2
# cleaned=2
# scan_time=5585
C:\FRST\Quarantine\services.exeWin64/Patched.B trojan (deleted - quarantined)00000000000000000000000000000000C
C:\Users\Owner\AppData\Local\{65B180A3-DA0C-11E1-8270-B8AC6F996F26}\chrome\content\browser.xulJS/Redirector.NIQ trojan (cleaned by deleting - quarantined)00000000000000000000000000000000C
 
Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death
 
Looks like everything is running fine. It isn't my computer. It's my friend's. I haven't had a chance to get her to have a test run her self. But everything appears to be running as it should. I had taken care of most of the other infections prior to contacting Techspot. Just sirefef was kicking my butt! :p

Anyway I believe it is solved for now!

I thank you for your time.
 
Let's finish up then, please...

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advance System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name I.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive I.e. C
  • For a few moments the system will make some calculations:
    diskcleanup1.png
  • Select the More Options tab
    moreoptions.png
  • In the System Restore and Shadow Backups select Clean up
    moreoptions2.png
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

* Double-click the CCleaner shortcut on the desktop to start the program.
* Click on the Options block on the left, then choose Cookies.
* Under Cookies to Delete, highlight any cookies you would like to retain permanently
* Click the right arrow > to move them to the Cookies to Keep window.
* Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
* Click Cleaner on the left then Run Cleaner on the right to run the program.
* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Tell me in your next reply, if you have completed these tasks:
  • Cleaned System Restore
  • Ran OTC
  • Ran TFC
  • Ran Security Check
Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
 
System Restore Cleaned
OTC Ran
TFC? (temporary files are cleaned via CCleaner etc)...
Ran Security Check.

Log:
Results of screen317's Security Check version 0.99.43
Windows Vista Service Pack 2 x64 (UAC is disabled!)
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
(On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Spy Sweeper Core
Malwarebytes Anti-Malware version 1.62.0.1300
Java(TM) 6 Update 7
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player10.3.181.14 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (5.0.1)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 4 % Defragment your hard drive soon!
````````````````````End of Log``````````````````````
Computer seems to be fine.
 
Adobe Reader Update!

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

Java Update!

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

Read more about Java exploit problems

Adobe Flash Player Update!

Please download the newest version of Adobe Flash Player from Adobe.com

Before installing: it is important to remove older versions of Flash Player since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Flash Player. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

Personal Tips on Preventing Malware

See this page for more info about malware and prevention.

Read more about "FAQ: How did Sirefef or ZeroAccess Infect You?"

Any other questions before I mark this topic solved?
 
Status
Not open for further replies.
Back