19 replies to this topic

[Johnheiderscheit]

I had a great experience a couple of years ago with your company and have MBAM on my computer. Unfortunately I picked up Live Security Platinum and now, even in safe mode with networking, I can't get IE to open. Therefore I am unable to start the cleanup process your site suggests.

Any thoughts on what I might do here. Running Windows Vista.

Subsequent to my original post I was able to get mbam-chameleon.exe to execute using the command line in safe mode. Chameleon launched and indicated that it was able to update mbam (Done!) and kill known malicious processes (Done!) and then mbam launched. The only malicious software detected were three pum.disabledsecurity items.

Edited by Maurice Naggar, 12 August 2012 - 07:07 AM.

[Maurice Naggar]

Hello johnh.

Kindly advise if you still need help.
If yes, then .....Download DDS and save it to your desktop from http://www.techsuppo...ctools/sUBs/dds here
or http://download.blee...om/sUBs/dds.scr or
http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.
Then double click dds.scr to run the tool.
DDS will run in a command prompt window and will take 3 to 4 minutes or so.

• When done, DDS will open two (2) logs:
• DDS.txt
• Attach.txt
• Save both reports to your desktop.

Please Copy & Paste contents of the following logs in your next reply:
DDS.txt
Attach.txt
Plus copy & paste the contents of the last MBAM scan log.

p.s. You should not make a reply to your own original help-post until after an authorized helper makes a reply.

[Johnheiderscheit]

Here are copies of the three items you mentioned. Please let me know if you think I need to do anything else.




DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by johnheiderscheit at 8:02:13 on 2012-08-12
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.1157 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\runservice.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\system32\wbem\wmiprvse.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [RtHDVCpl] "RtHDVCpl.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\iaanotif.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [NDSTray.exe] NDSTray.exe
mRun: [hpqSRMon]
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [csrfui] "c:\windows\system32\rundll32.exe" "c:\users\johnheiderscheit\appdata\roaming\csrfui.dll",List_AsTuple
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: loweslink.com\enroll
Trusted Zone: loweslink.com\secure
Trusted Zone: loweslink.com\secure2
Trusted Zone: loweslink.com\tplogin
Trusted Zone: rhapsody.com\rhap-app-4-0
Trusted Zone: rhapsody.com\rhapreg
Trusted Zone: turbotax.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 97.64.183.164 97.64.209.37
TCP: Interfaces\{0441260C-897F-4DCB-82D7-345D0A7AF92A} : DhcpNameServer = 97.64.183.164 97.64.209.37
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2009-1-11 20384]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-17 40960]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2009-9-8 2560]
R2 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2008-9-30 46392]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-9-30 7168]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2009-1-11 954368]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-8-12 26224]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 SVRPEDRV;SVRPEDRV;c:\windows\system32\sysprep\PEDRV.SYS [2008-9-30 9216]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-08-12 10:58:41 26224 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-08-12 02:08:25 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-12 02:05:11 -------- d-----w- c:\programdata\6F638C2DEC3A3F601032747E2F3B707C
2012-08-12 02:05:01 473600 ----a-w- c:\users\johnheiderscheit\appdata\roaming\csrfui.dll
2012-08-11 13:13:02 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4d969f66-9f68-48be-ac45-7eacd5839bcb}\mpengine.dll
2012-08-10 13:12:42 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
.
==================== Find3M ====================
.
2012-08-12 12:58:14 1441 --sha-w- c:\windows\system32\mmf.sys
2012-07-03 18:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-21 19:58:16 60304 ----a-w- c:\users\johnheiderscheit\g2mdlhlpx.exe
2012-06-19 21:19:10 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-19 21:19:09 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-13 13:40:21 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 16:47:28 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 16:47:27 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 15:26:04 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 00:04:25 278528 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 00:03:42 204288 ----a-w- c:\windows\system32\ncrypt.dll
.
============= FINISH: 8:02:53.88 ===============





UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume2
Install Date: 1/11/2009 7:11:42 PM
System Uptime: 8/12/2012 7:57:39 AM (1 hours ago)
.
Motherboard: TOSHIBA | | Portable PC
Processor: Genuine Intel® CPU 585 @ 2.16GHz | CPU | 2161/667mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 140 GiB total, 83.881 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Photosmart C7200 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C7200 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Officejet Pro 8500 A909a
Device ID: ROOT\MULTIFUNCTION\0001
Manufacturer: HP
Name: Officejet Pro 8500 A909a
PNP Device ID: ROOT\MULTIFUNCTION\0001
Service:
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Photosmart C7200 series
Device ID: ROOT\MULTIFUNCTION\0002
Manufacturer: HP
Name: Photosmart C7200 series
PNP Device ID: ROOT\MULTIFUNCTION\0002
Service:
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Officejet J6400 series
Device ID: ROOT\MULTIFUNCTION\0003
Manufacturer: HP
Name: Officejet J6400 series
PNP Device ID: ROOT\MULTIFUNCTION\0003
Service:
.
==== System Restore Points ===================
.
RP1422: 8/11/2012 12:48:41 AM - Scheduled Checkpoint
RP1423: 8/11/2012 8:12:24 AM - Windows Update
RP1424: 8/12/2012 12:54:54 AM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
32 Bit HP CIO Components Installer
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.3)
Adobe Shockwave Player 11.6
Atheros Driver Installation Program
Atheros Wi-Fi Protected Setup Library
BufferChm
C4580
C4580_Help
Cards_Calendar_OrderGift_DoMorePlugout
CD/DVD Drive Acoustic Silencer
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DocProc
DocProcQFolder
DVD MovieFactory for TOSHIBA
eSupportQFolder
Europa Universalis III
EzBacktest 1.5.3
Front Office Football 2007
Front Office Football 2007 Demo
GPBaseService
GPBaseService2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Imaging Device Functions 11.0
HP Photosmart C4500 All-In-One Driver Software 11.0 Rel .4
HP Photosmart Essential 2.5
HP Photosmart Essential 3.0
HP Smart Web Printing
HP Solution Center 13.0
HP Update
HPPhotoSmartPhotobookWebPack1
HPProductAssistant
In Nomine 3.2
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Java Auto Updater
Java™ 6 Update 31
Malwarebytes Anti-Malware version 1.62.0.1300
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
MSVCSetup
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
Napster
Napster Burn Engine
Network
OCR Software by I.R.I.S. 11.0
OGA Notifier 2.0.0048.0
OptionsOracle
Out of the Park 8
PanoStandAlone
PS_AIO_04_C4580_ProductContext
PS_AIO_04_C4580_Software
PS_AIO_04_C4580_Software_Min
PSSWCORE
Realtek 8169 8168 8101E 8102E Ethernet Driver
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Rhapsody
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
Security Update for Windows Media Encoder (KB2447961)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
SmartWebPrinting
SolutionCenter
Spelling Dictionaries Support For Adobe Reader 9
Star Trek -- Starfleet Academy
Status
StreetSmart Edge
SUPERAntiSpyware
swMSM
Synaptics Pointing Device Driver
Toolbox
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Desktop Links
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Hardware Setup
TOSHIBA Recovery Disc Creator
Toshiba Registration
TOSHIBA Service Station
TOSHIBA Software Modem
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TrayApp
TurboTax 2009
TurboTax 2009 wiaiper
TurboTax 2009 wiliper
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wrapper
TurboTax 2010
TurboTax 2010 wiaiper
TurboTax 2010 WinPerFedFormset
TurboTax 2010 WinPerReleaseEngine
TurboTax 2010 WinPerTaxSupport
TurboTax 2010 wrapper
TurboTax ItsDeductible 2006
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687310) 32-Bit Edition
VideoToolkit01
WebReg
WexTech AnswerWorks
Windows Live ID Sign-in Assistant
Windows Media Encoder 9 Series
.
==== Event Viewer Messages From Past Week ========
.
8/12/2012 8:01:46 AM, Error: Microsoft-Windows-WMPNSS-Service [14325] - Service 'WMPNetworkSvc' did not start correctly because QueryService encountered error '0x80070424'. In Windows Media Player, turn off media sharing, and then turn it back on.
8/12/2012 7:59:41 AM, Error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
8/12/2012 7:59:40 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
8/12/2012 7:59:40 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
8/12/2012 7:59:40 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
8/12/2012 7:25:41 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC jswpslwf MpFilter NetBIOS netbt nsiproxy PSched RasAcd rdbss SASDIFSV SASKUTIL Smb spldr tdx Wanarpv6
8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
8/12/2012 7:25:41 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
8/12/2012 6:59:07 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: MpFilter SASDIFSV SASKUTIL spldr Wanarpv6
8/12/2012 6:58:22 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
8/12/2012 6:58:18 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/12/2012 6:58:11 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
8/12/2012 6:58:03 AM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\system32\athihvs.dll Error Code: 21
8/12/2012 6:55:24 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1115" attempting to start the service hpqcxs08 with arguments "" in order to run the server: {1DAEDD8A-30ED-4585-9CF1-13BDF7791DDE}
8/12/2012 6:55:24 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1069" attempting to start the service HPSLPSVC with arguments "" in order to run the server: {10DA4F3C-CC99-4190-BE4D-58330754E882}
8/12/2012 6:54:37 AM, Error: EventLog [6008] - The previous system shutdown at 6:52:47 AM on 8/12/2012 was unexpected.
8/12/2012 6:48:23 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
8/12/2012 6:48:23 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
8/12/2012 6:42:20 AM, Error: Microsoft-Windows-WLAN-AutoConfig [10003] - WLAN Extensibility Module has stopped unexpectedly. Module Path: C:\Windows\system32\athihvs.dll
8/12/2012 6:41:11 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Live ID Sign-in Assistant service to connect.
8/12/2012 6:41:11 AM, Error: Service Control Manager [7000] - The Windows Live ID Sign-in Assistant service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/12/2012 6:41:01 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Presentation Foundation Font Cache 3.0.0.0 service to connect.
8/12/2012 6:41:01 AM, Error: Service Control Manager [7000] - The Windows Presentation Foundation Font Cache 3.0.0.0 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/12/2012 6:41:00 AM, Error: Service Control Manager [7034] - The Volume Shadow Copy service terminated unexpectedly. It has done this 1 time(s).
8/12/2012 6:41:00 AM, Error: Service Control Manager [7034] - The Ulead Burning Helper service terminated unexpectedly. It has done this 1 time(s).
8/12/2012 6:41:00 AM, Error: Service Control Manager [7034] - The TOSHIBA Optical Disc Drive Service service terminated unexpectedly. It has done this 1 time(s).
8/12/2012 6:41:00 AM, Error: Service Control Manager [7034] - The TOSHIBA Navi Support Service service terminated unexpectedly. It has done this 1 time(s).
8/12/2012 6:41:00 AM, Error: Service Control Manager [7034] - The TMachInfo service terminated unexpectedly. It has done this 1 time(s).
8/12/2012 6:41:00 AM, Error: Service Control Manager [7034] - The LicCtrl Service service terminated unexpectedly. It has done this 1 time(s).
8/12/2012 6:41:00 AM, Error: Service Control Manager [7034] - The Intel® Matrix Storage Event Monitor service terminated unexpectedly. It has done this 1 time(s).
8/12/2012 6:41:00 AM, Error: Service Control Manager [7034] - The ConfigFree Service service terminated unexpectedly. It has done this 1 time(s).
8/12/2012 6:41:00 AM, Error: Service Control Manager [7034] - The Agere Modem Call Progress Audio service terminated unexpectedly. It has done this 1 time(s).
8/12/2012 6:41:00 AM, Error: Service Control Manager [7034] - The Adobe Acrobat Update Service service terminated unexpectedly. It has done this 1 time(s).
8/12/2012 6:41:00 AM, Error: Service Control Manager [7031] - The Windows Presentation Foundation Font Cache 3.0.0.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
8/12/2012 6:41:00 AM, Error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
8/12/2012 6:38:24 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume SQ004890V03.
8/12/2012 6:11:54 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
8/12/2012 5:54:54 AM, Error: EventLog [6008] - The previous system shutdown at 5:53:21 AM on 8/12/2012 was unexpected.
8/12/2012 5:49:34 AM, Error: EventLog [6008] - The previous system shutdown at 5:47:38 AM on 8/12/2012 was unexpected.
8/12/2012 4:54:17 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Media Player Network Sharing Service service to connect.
8/12/2012 4:54:17 AM, Error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/12/2012 4:54:16 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Intuit Update Service service to connect.
8/12/2012 4:54:16 AM, Error: Service Control Manager [7000] - The Intuit Update Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/12/2012 4:54:15 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.
8/12/2012 4:52:25 AM, Error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
8/12/2012 3:07:29 AM, Error: EventLog [6008] - The previous system shutdown at 2:58:34 AM on 8/12/2012 was unexpected.
8/12/2012 1:55:09 AM, Error: Service Control Manager [7034] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 3 time(s).
8/12/2012 1:54:49 AM, Error: Service Control Manager [7034] - The Intuit Update Service service terminated unexpectedly. It has done this 1 time(s).
8/11/2012 9:33:05 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
8/11/2012 9:29:19 PM, Error: EventLog [6008] - The previous system shutdown at 9:27:28 PM on 8/11/2012 was unexpected.
8/11/2012 9:23:51 PM, Error: EventLog [6008] - The previous system shutdown at 9:21:51 PM on 8/11/2012 was unexpected.
8/11/2012 9:13:14 PM, Error: EventLog [6008] - The previous system shutdown at 9:10:57 PM on 8/11/2012 was unexpected.
8/11/2012 9:08:05 PM, Error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: A required privilege is not held by the client.
8/11/2012 9:07:35 PM, Error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
8/11/2012 9:04:34 PM, Error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
8/11/2012 11:03:28 PM, Error: EventLog [6008] - The previous system shutdown at 9:40:33 PM on 8/11/2012 was unexpected.
.
==== End Of File ===========================
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.12.03
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
johnheiderscheit :: JOHNHEIDERSC-PC [administrator]
8/12/2012 7:38:09 AM
mbam-log-2012-08-12 (07-38-09).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 226043
Time elapsed: 9 minute(s), 6 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 2
C:\Windows\System32\getmxext.dll (Trojan.Steppa) -> Delete on reboot.
C:\Users\johnheiderscheit\AppData\Roaming\nhuti.dll (Trojan.Midhos) -> Delete on reboot.
Registry Keys Detected: 2
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.
Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|nhuti (Trojan.Midhos) -> Data: rundll32.exe "C:\Users\johnheiderscheit\AppData\Roaming\nhuti.dll",BindContext -> Quarantined and deleted successfully.
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\johnheiderscheit\AppData\Local\{26b48154-0abb-b0d4-76a8-de7301767732}\n. -> Quarantined and deleted successfully.
Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|ANTIVIRUSDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FIREWALLDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UPDATESDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
Folders Detected: 1
C:\Users\johnheiderscheit\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.
Files Detected: 6
C:\Windows\System32\getmxext.dll (Trojan.Steppa) -> Delete on reboot.
C:\Users\johnheiderscheit\AppData\Roaming\nhuti.dll (Trojan.Midhos) -> Delete on reboot.
C:\Windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\n (RootKit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Users\johnheiderscheit\Desktop\Live Security Platinum.lnk (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.
C:\Users\johnheiderscheit\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.
(end)

[Maurice Naggar]

I am moving this to the Malware-help forum so that there's no interference by stray posters.

[Maurice Naggar]

You're system is infected with ZeroAccess, a BackDoor Trojan.
Your best and safest option is to wipe/reformat/ and install Windows & your applications from scratch.
If you have a full backup (mirror-image backup) on offline media (CD/DVD/external drive) from before the infection, you can use that to restore the system.

This is a point where you need to decide about whether to make a clean start.
According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
You are strongly advised to do the following immediately.
1. Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.
2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.
3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer. (Remote access trojan) Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.
* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh.

While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions.

I would recommend that you do a full reformat and reinstall of Windows rather than clean the system.
I suggest that you backup important files and reinstall everything from scratch. There are so many changes that could have been done if that backdoor was used.

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo...backdoor-trojan
Danger: Remote Access Trojans http://www.microsoft...o/virusrat.mspx
Consumers – Identity Theft http://www.ftc.gov/b...mers/index.html
When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451
Rootkits: The Obscure Hacker Attack http://www.microsoft...tip/st1005.mspx
Help: I Got Hacked. Now What Do I Do? http://www.microsoft...gmt/sm0504.mspx
Help: I Got Hacked. Now What Do I Do? Part II http://www.microsoft...gmt/sm0704.mspx
Microsoft Says Recovery from Malware Becoming Impossible http://www.eweek.com...,1945808,00.asp

Let me know of your decison.

[Johnheiderscheit]

Okay, thanks for the info. I guess I will use this computer for off line stuff going forward. (As you probably can tell from the fact that I am running Vista its pretty old.) I have changed all my passwords using a "clean" computer.

If you would help me making sure the previously infected computer is "clean" that would be great. Right now it seems to be running okay.

[Maurice Naggar]

You will want to print out or copy these instructions to Notepad for offline reference!
These steps are for member Johnheiders only. If you are a casual viewer, do NOT try this on your system!
If you are not and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

Step 1
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT by doing a Right-Click on it & select Run As Admisnistrator

4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

Step 2
Show all files:

• Click the Start button, and then click Computer.
  
• On the Organize menu, click Folder and Search Options.
  
• Click the View tab.
  
• Locate and uncheck Hide file extensions for known file types.
  
• Locate and uncheck Hide protected operating system files (Recommended).
  
• Locate and click Show hidden files and folders.
  
• Click Apply > OK.

Step 3
If you have a prior copy of Combofix, delete it now

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Turn OFF your antivirus, otherwise it will interfere. How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs


Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages
It will display it's "stage" within the Command prompt window. Do NOT panic if it seems slow to change ! It has lots of work.
You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.
Combofix my take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on speed of your system and how much there is to scan & how much it needs to clean.

If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power)or a UPS system


Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Right- click on Combo-Fix.exe on your Desktop and select "Run as Administrator".

• A window may open with a warning or prompts. Accept the EULA and follow the prompts during the start phase of Combofix.
  
  When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.


A file will be created at => C:\Combofix.txt.

Notes:
[1] IF after Combofix reboot you get the message

Quote

Illegal operation attempted on registry key that has been marked for deletion

....please reboot the computer, this should resolve the problem. You may have reboot the pc a second time if needed.

[2] Do not mouseclick combofix's window nor run any program while Combofix is running.
That may cause it to stall.

[3]When all done, IF Combofix did not do a Restart...then ... I need for you to Restart the system fresh !

Reply & attach the C:\Combofix.txt log and tell me, How is the system now ?

Re-enable your antivirus program.

[Johnheiderscheit]

Okay ran combofix, which seemed to do fine. I got the "illegal operation attempted . . ." message and rebooted per your instructions.

Prior to rebooting, combofix created a text file of the results.

Now that I have rebooted the computer is running normally but I have searched high and low and I cannot find the combofix.txt file. Any suggestions on where it could be? I looked at c:\combofix.txt and also used the file search feature of vista with no luck.

Thanks for your help.

[Maurice Naggar]

It should be right there at root of C drive C:\combofix.txt
I need that one

Also, look within C:\Qoobox
I need another one
something line Combofix-quarantine ****.txt

[Johnheiderscheit]

I attached the text files.
ComboFix 12-08-10.02 - johnheiderscheit 08/12/2012 11:09:12.2.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.1165 [GMT -5:00]
Running from: c:\users\johnheiderscheit\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\34594552
c:\users\johnheiderscheit\AppData\Roaming\csrfui.dll
c:\users\johnheiderscheit\Documents\~WRL0003.tmp
c:\users\johnheiderscheit\g2mdlhlpx.exe
c:\windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\@
c:\windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\U\00000001.@
c:\windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\U\80000000.@
c:\windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\U\800000cb.@
c:\windows\system32\pt
c:\windows\system32\pt\toscdspd.cpl.mui
.
Infected copy of c:\windows\system32\services.exe was found and disinfected
Restored copy from - c:\32788r22fwjfw\HarddiskVolumeShadowCopy1_!Windows!System32!services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-12 to 2012-08-12 )))))))))))))))))))))))))))))))
.
.
2012-08-12 16:26 . 2012-08-12 16:31 -------- d-----w- c:\users\johnheiderscheit\AppData\Local\temp
2012-08-12 16:26 . 2012-08-12 16:26 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-08-12 16:26 . 2012-08-12 16:26 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-08-12 16:26 . 2012-08-12 16:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-12 15:52 . 2012-08-12 15:53 -------- d-----w- c:\program files\ERUNT
2012-08-12 10:58 . 2012-08-12 10:58 26224 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-08-12 02:08 . 2012-08-12 02:08 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-12 02:05 . 2012-08-12 12:21 -------- d-----w- c:\programdata\6F638C2DEC3A3F601032747E2F3B707C
2012-08-11 13:13 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4D969F66-9F68-48BE-AC45-7EACD5839BCB}\mpengine.dll
2012-08-10 13:12 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 18:46 . 2011-06-13 21:14 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-19 21:19 . 2012-05-15 01:21 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-19 21:19 . 2011-06-02 13:11 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-13 13:40 . 2012-07-13 10:52 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 16:47 . 2012-07-13 00:02 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 16:47 . 2012-07-13 00:02 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 15:26 . 2012-07-13 00:02 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 22:19 . 2012-06-22 13:27 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-22 13:27 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-22 13:27 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-22 13:27 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-22 13:27 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-22 13:27 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-22 13:27 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19 . 2012-06-22 13:26 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:12 . 2012-06-22 13:26 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33 . 2012-07-13 10:39 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25 . 2012-07-13 10:39 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25 . 2012-07-13 10:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20 . 2012-07-13 10:39 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16 . 2012-07-13 10:40 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 00:04 . 2012-07-13 00:02 278528 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 00:03 . 2012-07-13 00:02 204288 ----a-w- c:\windows\system32\ncrypt.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]
"NDSTray.exe"="NDSTray.exe" [BU]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
c:\users\johnheiderscheit\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
2010-01-19 17:48 323280 ----a-w- c:\program files\Napster\napster.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-07-19 17:50 2403568 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
Trusted Zone: loweslink.com\enroll
Trusted Zone: loweslink.com\secure
Trusted Zone: loweslink.com\secure2
Trusted Zone: loweslink.com\tplogin
Trusted Zone: rhapsody.com\rhap-app-4-0
Trusted Zone: rhapsody.com\rhapreg
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 97.64.183.164 97.64.209.37
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-hpqSRMon - (no file)
HKLM-Run-csrfui - c:\users\johnheiderscheit\AppData\Roaming\csrfui.dll
SafeBoot-MsMpSvc
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-12 11:32
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1517136145-1328366619-2469452859-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f7,71,1a,f6,20,73,ea,a5,37,c3,46,fc,85,ad,ce,15,24,ad,8d,15,a3,07,8b,
d5,39,d3,5f,cf,f4,0c,33,b6,6d,e7,4d,86,cd,1c,95,fd,7d,e0,99,64,31,20,14,45,\
"??"=hex:b2,f5,80,ec,4b,7b,dc,0a,6d,4b,4f,90,bd,8e,3f,45
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\runservice.exe
c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RtHDVCpl.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\windows\System32\rundll32.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
.
**************************************************************************
.
Completion time: 2012-08-12 11:37:55 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-12 16:37
.
Pre-Run: 89,452,507,136 bytes free
Post-Run: 89,793,986,560 bytes free
.
- - End Of File - - C79804F91FC93150DB78537082FF2EC1

2012-08-12 16:36:36 . 2012-08-12 16:36:36 542 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-MsMpSvc.reg.dat
2012-08-12 16:36:21 . 2012-08-12 16:36:21 207 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-csrfui.reg.dat
2012-08-12 16:36:21 . 2012-08-12 16:36:21 95 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-hpqSRMon.reg.dat
2012-08-12 16:20:58 . 2012-08-12 16:20:58 4,707 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-08-12 16:04:29 . 2012-08-12 16:09:12 62 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-08-12 15:52:27 . 2012-08-12 15:52:27 20,480 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\U\800000cb.@.vir
2012-08-12 02:05:02 . 2012-08-12 02:05:02 13,312 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\U\80000000.@.vir
2012-08-12 02:05:01 . 2012-08-12 02:05:02 473,600 ----a-w- C:\Qoobox\Quarantine\C\Users\johnheiderscheit\AppData\Roaming\csrfui.dll.vir
2012-08-12 02:04:47 . 2012-08-12 02:04:47 1,712 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\U\00000001.@.vir
2012-06-21 19:58:14 . 2012-06-21 19:58:16 60,304 ----a-w- C:\Qoobox\Quarantine\C\Users\johnheiderscheit\g2mdlhlpx.exe.vir
2012-01-11 13:50:20 . 2011-11-18 20:23:34 2,048 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\@.vir
2011-05-19 16:17:31 . 2011-05-19 16:17:31 336 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\34594552.vir
2010-04-29 14:20:48 . 2010-05-20 17:54:34 14,611 ----a-w- C:\Qoobox\Quarantine\C\Users\johnheiderscheit\Documents\~WRL0003.tmp.vir
2009-09-17 13:36:57 . 2009-04-11 06:27:59 279,552 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir
2008-09-30 19:01:47 . 2008-04-02 19:59:52 3,584 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\pt\toscdspd.cpl.mui.vir

[Maurice Naggar]

Please make a note, henceforth, going forward, do NOT attach logs. Always Copy and Paste the contents into main-body of reply box.
You may use a separate reply for each log.

[Maurice Naggar]

If you did not purchase S*perantispyware, then Uninstall it.

Next, Turn off (disable) your antivirus program so that it does not interfere.

MBAM update & new Full scan
Save and close any work documents, close any apps that you started.
Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.
Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.
Do a Full Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

When done, Copy and Paste the MBAM scan log into a reply.

Stinger
Download and Save McAfee Stinger to your Desktop
http://www.mcafee.co...ls/stinger.aspx

Close all browsers before starting. Disable your antivirus program and anti-malware,if any.
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

On Windows 7 & Vista systems, Right Click and select Run as Administrator.
On XP, double-click to start it.

The GUI interface will look like this


The C drive is the default for scanning.
Press the Preferences button. In the top right-block "On virus detection", click Rename
In the bottom block "Heuristic network check for suspicious files" select High

Click the Scan Now button.
When done, use the File menu and select Save report to file
Stinger.txt is the log report and will be saved to your Desktop. I will need a copy of that log.

RE-Enable your anti-virus program.

Stinger is a standalone utility used to detect and remove specific malware. It is not a full scan for all types of malware or viruses.
It is not intended as virus protection.

Download Security Check by screen317 from here.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

[Johnheiderscheit]

Got it and thank you again for your help. Do you any further suggestions?

[Maurice Naggar]

See my reply just before this post of yours (above)

[Johnheiderscheit]

Results of screen317's Security Check version 0.99.43
Windows Vista Service Pack 2 x86 (UAC is disabled!)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
(On Access scanning disabled!)
Error obtaining update status for antivirus!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
Java™ 6 Update 31
Java version out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Adobe Reader X (10.1.3)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1 %
````````````````````End of Log``````````````````````


Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.12.05
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
johnheiderscheit :: JOHNHEIDERSC-PC [administrator]
8/12/2012 4:05:25 PM
mbam-log-2012-08-12 (16-05-25).txt
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 477132
Time elapsed: 2 hour(s), 28 minute(s), 38 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

McAfee® Labs Stinger™ Version 10.2.0.735 built on Aug 10 2012
Copyright © 2012 McAfee, Inc. All Rights Reserved.
Virus data file v1000.0000 created on Aug 10 2012.
Ready to scan for 4827 viruses, trojans and variants.
Scan initiated on Sun Aug 12 19:13:31 2012
Rootkit scan result : Clean
No files scanned
Scan initiated on Sun Aug 12 19:15:48 2012
Rootkit scan result : Clean

Master Boot Record(s):....1
Possibly Infected:.............0
Boot Sector(s):.................1
Possibly Infected: ............0
Number of clean files: 19583

[Maurice Naggar]

The MBAM & Stinger results are good. But we are not at all done. There's a bunch more to do.

You forgot to do SecurityCheck tool & report.
Step 1
Download Security Check by screen317 from here.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Step 2
Download Dr.Web CureIt to the desktop.

• Turn OFF your antivirus program.
  How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  
• Doubleclick the drweb-cureit.exe file, then on Start and allow to run the express scan
  
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  
• Once the short scan has finished, chose the Complete Scan.
  
• Select all drives. A red dot shows which drives have been chosen.
  
• Click the green arrow at the right, and the scan will start.
  
• Click 'Yes to all' if it asks if you want to cure/move the file.
  
• When the scan has finished, look and see if you can click the following icon next to the files found:
  
  
• If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
  
  
• This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  
• After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  
• Save the report to your desktop. The report will be called DrWeb.csv
  
• Close Dr.Web Cureit.
  
• Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  
• After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

Re-Enable your antivirus program when all done.

Step 3
Using IE (only!) to http://support.microsoft.com/kb/923737
[ignore any DOES NOT APPLY warning as well as the APPLIES TO section],
run the Fix It and then reboot.

Tip: For optimal results, enable the Delete personal settings option.

Step 4
Download >> Farbar's Service Scanner utility << and Save to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Admisnitrator.
If using XP, double-click to start.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are checkmarked:

• Internet Services
  
• Windows Firewall
  
• System Restore
  
• Security Center/Action Center
  
• Windows Update
  
• Windows Defender

Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.


Post those logs for review. And do not go away. There is yet more to follow.

Edited by Maurice Naggar, 13 August 2012 - 11:13 AM.
added IE reset and FSS report

[Johnheiderscheit]

thanks so much for your help!

I am in hour five of a "quick scan" on cureit. Looks like it could be 15-20 hrs to complete. Based on that I doubt it is worth doing a full scan in the sense that this computer is old and the HD isn't the greatest. I also worry about the fun if I run the computer for days on end without shutting down.

I will check back in tomorrow and see if the so-called "quick scan" completed.

[Maurice Naggar]

Let the scan finish. I would find it hard to believe it would be anywhere near 15 hours. No, do not do a full scan.
Post the log result when it finishes.

As to shutting down, you should logoff when the pc is all done for the day.

Edited by Maurice Naggar, 13 August 2012 - 03:29 PM.

[Maurice Naggar]

It's been nearly 3 days +
Status update ?

[Maurice Naggar]

This thread is Closed due to no response.