Inactive Windows shutdown loop problem

I have apparently picked up this nasty thing too. I tried virus removals at first and they did not stop the problem. I've read through some of the other posts and it looks like I could do the first step and save a little time so I'm attaching the FRST.txt contents and the Search.txt contents. The machine is running Windows Vista 64 bit. Strangely, I thought I had SP2 though below it says SP1. If I could turn it on for more than a minute, I could check again. I hope you can help and Thank YOU in advance. I will await your reply before doing anything else.

Lynndie

Scan result of Farbar Recovery Scan Tool Version: 08-08-2012
Ran by SYSTEM at 07-08-2012 23:58:07
Running from D:\
Windows Vista (TM) Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM-x32\...\Run: [] [x]
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\LogMeInRemoteUser\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\owner\...\Run: [AdobeBridge] [x]
HKLM-x32\...\Runonce: [removeSearchqudatamngr] cmd.exe /c RD /S /Q "C:\Program Files (x86)\Searchqu Toolbar" [x]
HKLM-x32\...\Runonce: [removeSearchqutoolbar] cmd.exe /c RD /S /Q "C:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar" [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 24.217.0.5 24.217.201.67
Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\LogMeInRemoteUser\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Services (Whitelisted) ======

2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
3 nosGetPlusHelper; C:\Program Files (x86)\NOS\bin\getPlus_Helper_3004.dll [66112 2010-09-01] (NOS Microsystems Ltd.)
2 RapiMgr; C:\Windows\WindowsMobile\rapimgr.dll [211968 2008-01-20] (Microsoft Corporation)
4 stllssvr; "C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe" [74384 2008-03-24] (MicroVision Development, Inc.)
2 WcesComm; C:\Windows\WindowsMobile\wcescomm.dll [428544 2008-01-20] (Microsoft Corporation)

========================== Drivers (Whitelisted) =============

3 CAXHWBS2; C:\Windows\System32\Drivers\CAXHWBS2.sys [411136 2008-07-01] (Conexant Systems, Inc.)
3 EyeOneDisplay; C:\Windows\System32\Drivers\i1display_x64.sys [7808 2005-12-13] (GretagMacbeth LLC)
3 LVPr2M64; C:\Windows\System32\Drivers\LVPr2M64.sys [30304 2010-05-07] ()
3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30304 2010-05-07] ()
3 MusCAudio; C:\Windows\System32\Drivers\MusCAudio.sys [33336 2009-10-30] (Windows (R) Codename Longhorn DDK provider)
3 SeqCal; C:\Windows\System32\Drivers\SeqCal.sys [7808 2006-05-18] (GretagMacbeth LLC)
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 lmimirr; C:\Windows\System32\DRIVERS\lmimirr.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
2 PDIHWCTL; \??\C:\Windows\system32\drivers\pdihwctl.sys [x]
2 regi; \??\C:\Windows\system32\drivers\regi.sys [x]
3 WacomVKHid; C:\Windows\System32\DRIVERS\WacomVKHid.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-07 23:58 - 2012-08-07 23:58 - 00000000 ____D C:\FRST
2012-08-07 20:02 - 2012-08-07 20:02 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\nyuzseir.sys
2012-08-06 10:44 - 2012-08-06 10:44 - 524288000 ____A C:\REMOVE_THIS_FILE.livecd.swap
2012-08-06 09:12 - 2012-08-06 09:12 - 00000000 ____D C:\$WINDOWS.~BT
2012-08-06 09:11 - 2012-08-06 09:11 - 00001887 ____A C:\Windows\diagwrn.xml
2012-08-06 09:11 - 2012-08-06 09:11 - 00001887 ____A C:\Windows\diagerr.xml
2012-08-05 15:31 - 2012-08-06 15:37 - 00003403 ____A C:\Windows\setupact.log
2012-08-05 15:31 - 2012-08-06 09:11 - 00000000 ____A C:\Windows\setuperr.log
2012-08-05 13:06 - 2012-08-07 17:38 - 00004566 ____A C:\Windows\WindowsUpdate.log
2012-08-05 13:06 - 2012-08-05 13:06 - 00721626 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-08-05 13:06 - 2012-08-05 13:06 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-08-05 13:06 - 2012-08-05 13:06 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-08-05 11:39 - 2012-08-05 13:06 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-05 11:37 - 2012-08-05 11:37 - 12621696 ____A (Microsoft Corporation) C:\Users\owner\Downloads\mseinstall.exe
2012-08-04 17:22 - 2012-08-07 20:49 - 00039012 ____A C:\Windows\PFRO.log
2012-07-31 18:25 - 2012-07-31 18:36 - 00000732 ____A C:\Users\owner\AppData\Local\d3d9caps64.dat
2012-07-31 18:23 - 2012-08-02 13:54 - 00000000 ____D C:\Windows\Minidump
2012-07-31 13:35 - 2012-07-31 13:35 - 00000000 ____D C:\Users\owner\Doctor Web
2012-07-31 13:19 - 2012-07-31 13:19 - 00000000 ____D C:\Program Files\Common Files\Doctor Web
2012-07-31 13:18 - 2012-07-31 13:19 - 00000000 ____D C:\Users\All Users\Doctor Web
2012-07-30 17:05 - 2012-07-30 17:05 - 10651816 ____A (Malwarebytes Corporation ) C:\Users\owner\Downloads\mbam-setup.exe
2012-07-30 16:56 - 2012-07-30 16:56 - 00883616 ____A (Bleeping Computer, LLC) C:\Program Files (x86)\FixExec.scr
2012-07-30 16:39 - 2012-07-30 17:02 - 00001246 ____A C:\Users\owner\Desktop\FixExec.txt
2012-07-30 15:56 - 2012-07-30 15:56 - 01050016 ____A (Bleeping Computer, LLC) C:\Users\owner\Downloads\iExplore(2).exe
2012-07-30 15:55 - 2012-07-30 15:55 - 00001205 ____A C:\Users\owner\Downloads\registryfix(1).reg
2012-07-30 15:27 - 2012-07-30 15:27 - 01050016 ____A (Bleeping Computer, LLC) C:\Users\owner\Downloads\iExplore(1).exe
2012-07-30 15:14 - 2012-07-30 15:57 - 00001004 ____A C:\Users\owner\Desktop\Rkill.txt
2012-07-30 15:14 - 2012-07-30 15:14 - 00000000 ____D C:\Users\owner\Desktop\rkill-backup
2012-07-30 15:12 - 2012-07-30 15:12 - 01050016 ____A (Bleeping Computer, LLC) C:\Users\owner\Downloads\iExplore.exe
2012-07-30 15:11 - 2012-07-30 15:11 - 00001205 ____A C:\Users\owner\Downloads\registryfix.reg
2012-07-30 14:30 - 2012-07-30 14:30 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-07-30 14:25 - 2012-07-30 20:17 - 00000000 ____D C:\Users\All Users\7531CC9600714A53199543F32F3B707C
2012-07-12 13:56 - 2012-07-12 13:56 - 03875048 ____A (AVG Technologies) C:\Users\owner\Downloads\avg_free_stb_all_2012_2195_cnet.exe
2012-07-12 13:53 - 2012-07-12 13:53 - 03889704 ____A (Piriform Ltd) C:\Users\owner\Downloads\ccsetup320.exe
2012-07-12 13:53 - 2012-07-12 13:53 - 03889704 ____A (Piriform Ltd) C:\Users\owner\Downloads\ccsetup320(1).exe
2012-07-12 13:39 - 2012-07-12 13:39 - 00002071 ____A C:\Users\Public\Desktop\HP Photosmart Essential.lnk
2012-07-12 13:39 - 2012-07-12 13:39 - 00001894 ____A C:\Users\Public\Desktop\Shop for HP Supplies.lnk
2012-07-12 13:39 - 2012-07-12 13:39 - 00000000 ____D C:\Users\All Users\HPSSUPPLY
2012-07-12 00:01 - 2012-06-13 05:58 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-11 02:14 - 2012-06-08 09:59 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-11 02:14 - 2012-06-08 09:47 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-07-11 02:14 - 2012-06-05 08:47 - 01401856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-07-11 02:14 - 2012-06-05 08:47 - 01248768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-07-11 02:14 - 2012-06-05 08:22 - 01869824 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-11 02:14 - 2012-06-05 08:22 - 01797120 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-11 02:14 - 2012-06-04 07:29 - 00516480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-11 02:14 - 2012-06-01 16:22 - 00347136 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-11 02:14 - 2012-06-01 16:22 - 00254464 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-11 02:14 - 2012-06-01 16:05 - 00077312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-07-11 02:14 - 2012-06-01 16:04 - 00278528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-07-11 02:14 - 2012-06-01 16:03 - 00204288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

============ 3 Months Modified Files ========================

2012-08-07 20:53 - 2006-11-02 07:42 - 00032568 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-07 20:53 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-07 20:52 - 2011-11-26 05:30 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-07 20:49 - 2012-08-04 17:22 - 00039012 ____A C:\Windows\PFRO.log
2012-08-07 20:02 - 2012-08-07 20:02 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\nyuzseir.sys
2012-08-07 17:38 - 2012-08-05 13:06 - 00004566 ____A C:\Windows\WindowsUpdate.log
2012-08-07 17:34 - 2011-11-26 05:30 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-07 17:33 - 2012-03-27 17:23 - 00000928 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2274459378-4032421509-301073050-1000UA.job
2012-08-06 15:37 - 2012-08-05 15:31 - 00003403 ____A C:\Windows\setupact.log
2012-08-06 15:36 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-06 15:36 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-06 10:44 - 2012-08-06 10:44 - 524288000 ____A C:\REMOVE_THIS_FILE.livecd.swap
2012-08-06 09:11 - 2012-08-06 09:11 - 00001887 ____A C:\Windows\diagwrn.xml
2012-08-06 09:11 - 2012-08-06 09:11 - 00001887 ____A C:\Windows\diagerr.xml
2012-08-06 09:11 - 2012-08-05 15:31 - 00000000 ____A C:\Windows\setuperr.log
2012-08-05 13:06 - 2012-08-05 13:06 - 00721626 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-08-05 13:06 - 2012-08-05 11:39 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-05 12:17 - 2006-11-02 04:46 - 00703342 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-05 11:46 - 2006-11-02 07:21 - 05154120 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-05 11:37 - 2012-08-05 11:37 - 12621696 ____A (Microsoft Corporation) C:\Users\owner\Downloads\mseinstall.exe
2012-08-04 14:33 - 2012-03-27 17:23 - 00000906 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2274459378-4032421509-301073050-1000Core.job
2012-07-31 18:36 - 2012-07-31 18:25 - 00000732 ____A C:\Users\owner\AppData\Local\d3d9caps64.dat
2012-07-30 17:05 - 2012-07-30 17:05 - 10651816 ____A (Malwarebytes Corporation ) C:\Users\owner\Downloads\mbam-setup.exe
2012-07-30 17:02 - 2012-07-30 16:39 - 00001246 ____A C:\Users\owner\Desktop\FixExec.txt
2012-07-30 16:56 - 2012-07-30 16:56 - 00883616 ____A (Bleeping Computer, LLC) C:\Program Files (x86)\FixExec.scr
2012-07-30 15:57 - 2012-07-30 15:14 - 00001004 ____A C:\Users\owner\Desktop\Rkill.txt
2012-07-30 15:56 - 2012-07-30 15:56 - 01050016 ____A (Bleeping Computer, LLC) C:\Users\owner\Downloads\iExplore(2).exe
2012-07-30 15:55 - 2012-07-30 15:55 - 00001205 ____A C:\Users\owner\Downloads\registryfix(1).reg
2012-07-30 15:27 - 2012-07-30 15:27 - 01050016 ____A (Bleeping Computer, LLC) C:\Users\owner\Downloads\iExplore(1).exe
2012-07-30 15:12 - 2012-07-30 15:12 - 01050016 ____A (Bleeping Computer, LLC) C:\Users\owner\Downloads\iExplore.exe
2012-07-30 15:11 - 2012-07-30 15:11 - 00001205 ____A C:\Users\owner\Downloads\registryfix.reg
2012-07-30 14:27 - 2009-08-07 12:29 - 00009746 ____A C:\Users\owner\AppData\Roaming\wklnhst.dat
2012-07-25 19:12 - 2012-01-03 08:07 - 00024576 ____A C:\Users\owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-22 19:28 - 2010-07-27 13:28 - 00001848 ____A C:\Users\owner\Desktop\mpixpro ROES.lnk
2012-07-12 13:56 - 2012-07-12 13:56 - 03875048 ____A (AVG Technologies) C:\Users\owner\Downloads\avg_free_stb_all_2012_2195_cnet.exe
2012-07-12 13:54 - 2011-04-13 16:56 - 00000858 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-07-12 13:53 - 2012-07-12 13:53 - 03889704 ____A (Piriform Ltd) C:\Users\owner\Downloads\ccsetup320.exe
2012-07-12 13:53 - 2012-07-12 13:53 - 03889704 ____A (Piriform Ltd) C:\Users\owner\Downloads\ccsetup320(1).exe
2012-07-12 13:41 - 2010-11-19 09:34 - 00148401 ____A C:\Windows\hpoins19.dat
2012-07-12 13:41 - 2010-11-19 08:35 - 00012239 ____A C:\Users\All Users\hpzinstall.log
2012-07-12 13:39 - 2012-07-12 13:39 - 00002071 ____A C:\Users\Public\Desktop\HP Photosmart Essential.lnk
2012-07-12 13:39 - 2012-07-12 13:39 - 00001894 ____A C:\Users\Public\Desktop\Shop for HP Supplies.lnk
2012-07-12 00:04 - 2006-11-02 04:35 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-06-18 15:20 - 2012-06-18 15:20 - 00841568 ____A (WinRecovery Software ) C:\Users\owner\Downloads\cardrecovery_setup(1).exe
2012-06-18 15:17 - 2012-06-18 15:17 - 00841568 ____A (WinRecovery Software ) C:\Users\owner\Downloads\cardrecovery_setup.exe
2012-06-18 15:12 - 2012-06-18 15:12 - 03917522 ____A ( ) C:\Users\owner\Downloads\zar91setup.exe
2012-06-18 14:41 - 2012-06-18 14:41 - 04149019 ____A (InstallShield Software Corporation) C:\Users\owner\Downloads\pci_us_smartrecovery.exe.part
2012-06-14 09:13 - 2012-06-14 09:13 - 00001872 ____A C:\Users\owner\Desktop\Diversified Digital Link.lnk
2012-06-13 05:58 - 2012-07-12 00:01 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 09:59 - 2012-07-11 02:14 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 09:47 - 2012-07-11 02:14 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 08:47 - 2012-07-11 02:14 - 01401856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 08:47 - 2012-07-11 02:14 - 01248768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 08:22 - 2012-07-11 02:14 - 01869824 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 08:22 - 2012-07-11 02:14 - 01797120 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-04 07:29 - 2012-07-11 02:14 - 00516480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-02 14:19 - 2012-06-20 18:29 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-20 18:29 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-20 18:29 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-18 16:29 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-18 16:29 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2012-06-02 14:19 - 2012-06-18 16:29 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:19 - 2012-06-18 16:29 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2012-06-02 14:15 - 2012-06-20 18:29 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-18 16:29 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:12 - 2012-06-20 18:29 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2012-06-02 12:19 - 2012-06-18 16:29 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 12:19 - 2012-06-18 16:29 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2012-06-02 12:15 - 2012-06-18 16:29 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 12:12 - 2012-06-18 16:29 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2012-06-01 16:22 - 2012-07-11 02:14 - 00347136 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 16:22 - 2012-07-11 02:14 - 00254464 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 16:05 - 2012-07-11 02:14 - 00077312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 16:04 - 2012-07-11 02:14 - 00278528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 16:03 - 2012-07-11 02:14 - 00204288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-05-14 22:37 - 2012-06-13 20:04 - 01212416 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-05-14 22:37 - 2012-06-13 20:04 - 00916992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-14 22:37 - 2012-06-13 20:04 - 00105984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-05-14 22:35 - 2012-06-13 20:04 - 00206848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2012-05-14 22:33 - 2012-06-13 20:04 - 06007808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-05-14 22:33 - 2012-06-13 20:04 - 00629760 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-05-14 22:33 - 2012-06-13 20:04 - 00611840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstime.dll
2012-05-14 22:33 - 2012-06-13 20:04 - 00067072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-05-14 22:33 - 2012-06-13 20:04 - 00055296 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2012-05-14 22:32 - 2012-06-13 20:04 - 01469440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-05-14 22:32 - 2012-06-13 20:04 - 00043520 ____A (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll
2012-05-14 22:32 - 2012-06-13 20:04 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-14 22:31 - 2012-06-13 20:04 - 11111424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-05-14 22:31 - 2012-06-13 20:04 - 02000384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-05-14 22:31 - 2012-06-13 20:04 - 00387584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2012-05-14 22:31 - 2012-06-13 20:04 - 00184320 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2012-05-14 22:31 - 2012-06-13 20:04 - 00164352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-05-14 22:31 - 2012-06-13 20:04 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2012-05-14 22:31 - 2012-06-13 20:04 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2012-05-14 22:31 - 2012-06-13 20:04 - 00055808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2012-05-14 21:01 - 2012-06-13 20:04 - 00385024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2012-05-14 19:26 - 2012-06-13 20:04 - 00133632 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-05-14 19:25 - 2012-06-13 20:04 - 00174080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ie4uinit.exe
2012-05-14 19:24 - 2012-06-13 20:04 - 00013312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2012-05-14 19:23 - 2012-06-13 20:04 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-05-14 18:19 - 2012-06-13 20:04 - 01488384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-14 18:19 - 2012-06-13 20:04 - 01147392 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-14 18:19 - 2012-06-13 20:04 - 00108032 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-14 18:18 - 2012-06-13 20:04 - 00243712 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2012-05-14 18:16 - 2012-06-13 20:04 - 01062912 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll
2012-05-14 18:15 - 2012-06-13 20:04 - 09328640 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-14 18:15 - 2012-06-13 20:04 - 00742912 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-05-14 18:15 - 2012-06-13 20:04 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-14 18:15 - 2012-06-13 20:04 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-05-14 18:15 - 2012-06-13 20:04 - 00056832 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-05-14 18:15 - 2012-06-13 20:04 - 00031744 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-14 18:14 - 2012-06-13 20:04 - 12508672 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-14 18:14 - 2012-06-13 20:04 - 02350592 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-14 18:14 - 2012-06-13 20:04 - 01538560 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-14 18:14 - 2012-06-13 20:04 - 00459776 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-05-14 18:14 - 2012-06-13 20:04 - 00252416 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-05-14 18:14 - 2012-06-13 20:04 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-14 18:14 - 2012-06-13 20:04 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2012-05-14 18:14 - 2012-06-13 20:04 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2012-05-14 18:14 - 2012-06-13 20:04 - 00072192 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2012-05-14 17:21 - 2012-06-13 20:04 - 00479232 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-05-14 16:40 - 2012-06-13 20:04 - 00162816 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-14 16:40 - 2012-06-13 20:04 - 00070656 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2012-05-14 16:39 - 2012-06-13 20:04 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-14 16:39 - 2012-06-13 20:04 - 00012288 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe


ZeroAccess:
C:\Windows\Installer\{5cbbb43c-55e9-d992-a3af-aff90a8bd5c8}
C:\Windows\Installer\{5cbbb43c-55e9-d992-a3af-aff90a8bd5c8}\@
C:\Windows\Installer\{5cbbb43c-55e9-d992-a3af-aff90a8bd5c8}\L
C:\Windows\Installer\{5cbbb43c-55e9-d992-a3af-aff90a8bd5c8}\U
C:\Windows\Installer\{5cbbb43c-55e9-d992-a3af-aff90a8bd5c8}\L\00000004.@
C:\Windows\Installer\{5cbbb43c-55e9-d992-a3af-aff90a8bd5c8}\L\201d3dde

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe B8844F93D2C5F1DCDB179AAA9AF134B7 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 7%
Total physical RAM: 8189.27 MB
Available physical RAM: 7566.78 MB
Total Pagefile: 7938.67 MB
Available Pagefile: 7550.45 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:916.82 GB) (Free:719.78 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: () (Removable) (Total:0.24 GB) (Free:0.05 GB) FAT32
8 Drive x: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:7.88 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 932 GB 0 B
Disk 1 Online 245 MB 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 32 KB
Partition 2 Primary 15 GB 40 MB
Partition 3 Primary 917 GB 15 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 8 FAT Partition 39 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 X RECOVERY NTFS Partition 15 GB Healthy Boot

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 917 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 245 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D FAT32 Removable 245 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-08-05 12:17

======================= End Of Log ==========================
 
Farbar Recovery Scan Tool Version: 08-08-2012
Ran by SYSTEM at 2012-08-07 23:59:57
Running from D:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-09-17 15:42] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-09-17 15:43] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2009-09-17 15:42] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\System32\services.exe
[2009-09-17 15:43] - [2009-04-10 23:10] - 0381952 ____A (Microsoft Corporation) B8844F93D2C5F1DCDB179AAA9AF134B7

====== End Of Search ======
 
Hello, and welcome to TechSpot.


Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic where you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

FRST64 Fixlist

Please run the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\Windows\Installer\{5cbbb43c-55e9-d992-a3af-aff90a8bd5c8}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now, please enter System Recovery Options then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.
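The fixlist above rests on one comparison: the MD5 of the live C:\Windows\System32\services.exe matches none of the WinSxS copies of the same architecture, so a clean copy is restored with a Replace: line. As an added example (not FRST's code or the helper's), the Python below parses text in the Search.txt format posted in this thread, performs that same-architecture comparison, and formats the Replace: line from a chosen clean copy; it assumes an x64 host (System32 holds amd64 binaries, SysWOW64 holds x86 binaries) and reuses the paths and hashes from the thread's Search.txt as sample input.

```python
"""Added example: compare live system binaries with their WinSxS component-store copies.
Parses the FRST Search.txt format posted in this thread, flags live files whose MD5
matches no same-architecture WinSxS copy, and builds the fixlist 'Replace:' line.
Assumes an x64 host (System32 holds amd64 binaries, SysWOW64 holds x86 binaries)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input reproduced from the Search.txt in this thread; the System32 copy is
# the one FRST's Bamital check tagged as ZeroAccess.
SAMPLE_SEARCH = r"""
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-09-17 15:42] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-09-17 15:43] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2009-09-17 15:42] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\System32\services.exe
[2009-09-17 15:43] - [2009-04-10 23:10] - 0381952 ____A (Microsoft Corporation) B8844F93D2C5F1DCDB179AAA9AF134B7

====== End Of Search ======
"""

# One FRST detail line: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)

@dataclass
class FileEntry:
    path: str
    size: int
    company: str
    md5: str

    @property
    def in_winsxs(self) -> bool:
        return "\\winsxs\\" in self.path.lower()

    @property
    def arch(self) -> Optional[str]:
        low = self.path.lower()
        if self.in_winsxs:  # the component directory name carries the architecture
            component = low.split("\\winsxs\\", 1)[1].split("\\", 1)[0]
            if component.startswith("amd64_"):
                return "amd64"
            if component.startswith(("x86_", "wow64_")):
                return "x86"
            return None
        if "\\system32\\" in low:
            return "amd64"
        if "\\syswow64\\" in low:
            return "x86"
        return None

@dataclass
class Finding:
    live: FileEntry
    candidates: List[FileEntry]  # same-architecture WinSxS copies to restore from

def parse_search(text: str) -> List[FileEntry]:
    """Pair each path line with the detail line that follows it."""
    entries: List[FileEntry] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            pending = None  # blank line or section banner ends any pending path
            continue
        match = DETAIL_RE.match(line)
        if match is not None and pending is not None:
            entries.append(FileEntry(pending, int(match["size"]),
                                     match["company"], match["md5"].upper()))
            pending = None
        elif match is None and ":\\" in line:
            pending = line
    return entries

def check_live_copies(entries: List[FileEntry]) -> Dict[str, Optional[Finding]]:
    """Map each live (non-WinSxS) path to None if its MD5 is known good, else a Finding."""
    store = [e for e in entries if e.in_winsxs and e.arch is not None]
    report: Dict[str, Optional[Finding]] = {}
    for live in (e for e in entries if not e.in_winsxs):
        same_arch = [s for s in store if s.arch == live.arch]
        known_good = {s.md5 for s in same_arch}
        report[live.path] = None if live.md5 in known_good else Finding(live, same_arch)
    return report

def replace_directive(source: FileEntry, target: FileEntry) -> str:
    """FRST fixlist syntax: 'Replace: <clean source> <infected target>'."""
    return f"Replace: {source.path} {target.path}"
```

A matching MD5 against a same-architecture store copy clears a file; a mismatch only says which clean copies exist, and picking the one for the installed service-pack level is still the helper's call.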
 
It appears to be working fine. The fixlog is below. Thank you very much for your help and quick reply.

Lynndie


start
C:\Windows\Installer\{5cbbb43c-55e9-d992-a3af-aff90a8bd5c8}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe C:\Windows\System32\services.exe
end
 
ComboFix

Please download ComboFix by sUBs from BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console.
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again and this time rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of important system processes such as iexplore.exe, explorer.exe, winlogon.exe.
 
I received the warning below. I ran the uninstaller for this program and I also ran the avg_remover_stf_x86_2012_2125 removal tool. I'm not sure what else to do to stop or get rid of this program. Is there a place that I might find further removal instructions?
 

Attachment: warning.jpg
Below is the Combofix log.

Lynndie


ComboFix 12-08-09.01 - owner 08/09/2012 13:32:37.1.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.8189.5958 [GMT -5:00]
Running from: F:\svchost.exe.exe
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\boost_interprocess\20120731161100.109997
c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\YO GABBA GABBA.url
K:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-07-09 to 2012-08-09 )))))))))))))))))))))))))))))))
.
.
2012-08-09 18:41 . 2012-08-09 18:41 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0ACC08C6-E4F5-4229-A29E-E7B8D6DB0C21}\offreg.dll
2012-08-09 18:39 . 2012-08-09 18:41 -------- d-----w- c:\users\owner\AppData\Local\temp
2012-08-08 07:58 . 2012-08-08 07:58 -------- d-----w- C:\FRST
2012-08-08 04:02 . 2012-08-08 04:02 50392 ----a-w- c:\windows\system32\drivers\nyuzseir.sys
2012-08-06 17:12 . 2012-08-06 17:12 -------- d-----w- C:\$WINDOWS.~BT
2012-08-05 21:08 . 2012-02-09 19:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{ABDE32EC-4C7F-4880-AD7F-36D081C3EA98}\gapaengine.dll
2012-08-05 21:08 . 2012-07-16 07:40 9133488 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0ACC08C6-E4F5-4229-A29E-E7B8D6DB0C21}\mpengine.dll
2012-08-05 21:06 . 2012-08-05 21:06 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-08-05 21:06 . 2012-08-05 21:06 -------- d-----w- c:\program files\Microsoft Security Client
2012-07-31 21:35 . 2012-07-31 21:35 -------- d-----w- c:\users\owner\Doctor Web
2012-07-31 21:19 . 2012-07-31 21:19 -------- d-----w- c:\program files\Common Files\Doctor Web
2012-07-31 21:18 . 2012-07-31 21:19 -------- d-----w- c:\programdata\Doctor Web
2012-07-31 00:56 . 2012-07-31 00:56 883616 ----a-w- c:\program files (x86)\FixExec.scr
2012-07-30 22:30 . 2012-07-30 22:30 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-07-30 22:25 . 2012-07-31 04:17 -------- d-----w- c:\programdata\7531CC9600714A53199543F32F3B707C
2012-07-12 21:39 . 2012-07-12 21:39 -------- d-----w- c:\programdata\HPSSUPPLY
2012-07-12 08:01 . 2012-06-13 13:58 2769408 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-12 08:04 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe
2012-06-02 22:19 . 2012-06-19 00:29 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 02:29 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-21 02:29 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 02:29 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-19 00:29 35864 ----a-w- c:\windows\SysWow64\wups.dll
2012-06-02 22:19 . 2012-06-19 00:29 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-19 00:29 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
2012-06-02 22:15 . 2012-06-21 02:29 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-19 00:29 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 22:12 . 2012-06-21 02:29 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
2012-06-02 20:19 . 2012-06-19 00:29 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:19 . 2012-06-19 00:29 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
2012-06-02 20:15 . 2012-06-19 00:29 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 20:12 . 2012-06-19 00:29 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
2012-05-15 06:37 . 2012-06-14 04:04 916992 ----a-w- c:\windows\SysWow64\wininet.dll
2012-05-15 06:32 . 2012-06-14 04:04 43520 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-05-15 06:32 . 2012-06-14 04:04 1469440 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-05-15 06:31 . 2012-06-14 04:04 109056 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-05-15 06:31 . 2012-06-14 04:04 71680 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-05-15 05:01 . 2012-06-14 04:04 385024 ----a-w- c:\windows\SysWow64\html.iec
2012-05-15 03:26 . 2012-06-14 04:04 133632 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-05-15 03:23 . 2012-06-14 04:04 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-05-15 02:19 . 2012-06-14 04:04 1147392 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 02:19 . 2012-06-14 04:04 1488384 ----a-w- c:\windows\system32\urlmon.dll
2012-05-15 02:19 . 2012-06-14 04:04 108032 ----a-w- c:\windows\system32\url.dll
2012-05-15 02:18 . 2012-06-14 04:04 243712 ----a-w- c:\windows\system32\occache.dll
2012-05-15 02:16 . 2012-06-14 04:04 1062912 ----a-w- c:\windows\system32\mstime.dll
2012-05-15 02:15 . 2012-06-14 04:04 9328640 ----a-w- c:\windows\system32\mshtml.dll
2012-05-15 02:15 . 2012-06-14 04:04 98304 ----a-w- c:\windows\system32\mshtmled.dll
2012-05-15 02:15 . 2012-06-14 04:04 742912 ----a-w- c:\windows\system32\msfeeds.dll
2012-05-15 02:15 . 2012-06-14 04:04 71680 ----a-w- c:\windows\system32\msfeedsbs.dll
2012-05-15 02:15 . 2012-06-14 04:04 56832 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-15 02:15 . 2012-06-14 04:04 31744 ----a-w- c:\windows\system32\jsproxy.dll
2012-05-15 02:14 . 2012-06-14 04:04 1538560 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-15 02:14 . 2012-06-14 04:04 77312 ----a-w- c:\windows\system32\iesetup.dll
2012-05-15 02:14 . 2012-06-14 04:04 2350592 ----a-w- c:\windows\system32\iertutil.dll
2012-05-15 02:14 . 2012-06-14 04:04 219136 ----a-w- c:\windows\system32\ieui.dll
2012-05-15 02:14 . 2012-06-14 04:04 132096 ----a-w- c:\windows\system32\iesysprep.dll
2012-05-15 02:14 . 2012-06-14 04:04 72192 ----a-w- c:\windows\system32\iernonce.dll
2012-05-15 02:14 . 2012-06-14 04:04 12508672 ----a-w- c:\windows\system32\ieframe.dll
2012-05-15 02:14 . 2012-06-14 04:04 252416 ----a-w- c:\windows\system32\iepeers.dll
2012-05-15 02:14 . 2012-06-14 04:04 459776 ----a-w- c:\windows\system32\iedkcs32.dll
2012-05-15 01:21 . 2012-06-14 04:04 479232 ----a-w- c:\windows\system32\html.iec
2012-05-15 00:40 . 2012-06-14 04:04 162816 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-15 00:40 . 2012-06-14 04:04 70656 ----a-w- c:\windows\system32\ie4uinit.exe
2012-05-15 00:39 . 2012-06-14 04:04 12288 ----a-w- c:\windows\system32\msfeedssync.exe
2012-05-15 00:39 . 2012-06-14 04:04 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-6 1312096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R4 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-01-13 88576]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-08 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2274459378-4032421509-301073050-1000Core.job
- c:\users\owner\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-03-28 22:28]
.
2012-08-09 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2274459378-4032421509-301073050-1000UA.job
- c:\users\owner\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-03-28 22:28]
.
2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-26 13:30]
.
2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-26 13:30]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.searchnu.com/406
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 24.217.0.5 24.217.201.67
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\nc80knnu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=119&systemid=406&sr=0&q=
FF - prefs.js: network.proxy.type - 4
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
Wow6432Node-HKCU-Run-AdobeBridge - (no file)
BHO-{9D717F81-9148-4f12-8568-69135F087DB0} - (no file)
Toolbar-10 - (no file)
AddRemove-Diversified Digital Link - c:\windows\system32\javaws.exe
AddRemove-mpixpro ROES - c:\windows\system32\javaws.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
.
**************************************************************************
.
Completion time: 2012-08-09 13:48:13 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-09 18:48
.
Pre-Run: 768,578,605,056 bytes free
Post-Run: 769,311,965,184 bytes free
.
- - End Of File - - D73EE2FE9B984D1A058707AC47831BDF
 
Good job!

ComboFix Script

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    ClearJavaCache::

    DDS::
    uStart Page = hxxp://www.searchnu.com/406
    uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
    FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=119&systemid=406&sr=0&q=
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.
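A small triage helper, added here as an example and not part of ComboFix, FRST or the thread, that scans the kinds of "Reg Loading Points" and "Supplementary Scan" lines quoted in the log above and flags the settings the CFScript targets (hijacked start page and search keyword, the loopback proxy entry) along with the Security Center and UAC overrides. The sample lines are a constructed excerpt and EXPECTED_DOMAINS is an assumed allow-list.

```python
import re

# Constructed excerpt modelled on the "Reg Loading Points" and "Supplementary
# Scan" lines quoted in the ComboFix log above (not the full log).
SAMPLE_LOG = """\
"EnableLUA"= 0 (0x0)
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
uStart Page = hxxp://www.searchnu.com/406
mLocal Page = c:\\windows\\SysWOW64\\blank.htm
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=119&systemid=406&sr=0&q=
FF - prefs.js: network.proxy.type - 4
"""

# Hypothetical allow-list: sites the machine's owner actually uses. Any other
# host in a start page or search keyword entry is reported for review.
EXPECTED_DOMAINS = {"www.facebook.com", "www.google.com"}

HOST_RE = re.compile(r"hxxps?://([^/\s]+)", re.IGNORECASE)


def triage(log_text, expected=EXPECTED_DOMAINS):
    """Return (log line, reason) pairs for entries that deserve a second look."""
    findings = []
    for line in log_text.splitlines():
        s = line.strip()
        if not s:
            continue
        # Security Center overrides and UAC being off commonly accompany infections.
        if re.search(r'"(AntiVirusOverride|FirewallOverride)"=dword:0000000[1-9]', s):
            findings.append((s, "Security Center override set"))
        elif re.search(r'"EnableLUA"=\s*0\b', s):
            findings.append((s, "UAC disabled (EnableLUA=0)"))
        # Start page / search keyword pointing at a host the owner does not use.
        elif s.startswith(("uStart Page", "mStart Page")) or "keyword.URL" in s \
                or "browser.startup.homepage" in s:
            m = HOST_RE.search(s)
            if m and m.group(1).lower() not in expected:
                findings.append((s, "browser redirect to " + m.group(1)))
        # A loopback host:port in the IE proxy bypass list, or Firefox proxy mode
        # other than 0 (direct) / 5 (system), means browsing may be routed locally.
        elif "ProxyOverride" in s and re.search(r"127\.0\.0\.1:\d+", s):
            findings.append((s, "loopback host:port in ProxyOverride"))
        elif "network.proxy.type" in s and not s.endswith(("- 0", "- 5")):
            findings.append((s, "Firefox proxy mode is not direct/system"))
    return findings
```

Run `triage(SAMPLE_LOG)` to list the flagged lines; the mLocal Page and Facebook homepage entries are left alone, the remaining seven are reported with a reason.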
 
Hello. Are you still with us?

Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

Thanks.
 