9baritone Posted February 19, 2013 ID:648919 Share Posted February 19, 2013 DDS (Ver_2012-11-20.01) - NTFS_AMD64Internet Explorer: 9.0.8112.16464 BrowserJavaVersion: 10.13.2Run by Admin at 13:32:11 on 2013-02-19Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4009.2790 [GMT -5:00].AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}.============== Running Processes ===============.C:\Windows\system32\lsm.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\svchost.exe -k RPCSSC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\System32\spoolsv.exeC:\Program Files (x86)\Avira\AntiVir Desktop\sched.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkC:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exeC:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeC:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonationC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exeC:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exeC:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXEC:\Windows\system32\svchost.exe -k imgsvcC:\Windows\system32\taskhost.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Windows\System32\igfxtray.exeC:\Windows\System32\hkcmd.exeC:\Windows\System32\igfxpers.exeC:\Program Files\MozyHome\mozystat.exeC:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exeC:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exeC:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exeC:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exeC:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exeC:\Windows\System32\WUDFHost.exeC:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.acC:\Windows\system32\SearchIndexer.exeC:\Program Files\Windows Media Player\wmpnetwk.exeC:\Windows\System32\svchost.exe -k LocalServicePeerNetC:\Windows\system32\Dwm.exeC:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXEC:\Windows\Explorer.EXEC:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXEC:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exeC:\Windows\System32\hkcmd.exeC:\Windows\System32\igfxpers.exeC:\Program Files\MozyHome\mozystat.exeC:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exeC:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exeC:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.acC:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exeC:\Windows\system32\taskhost.exeC:\Program Files\MozyHome\mozybackup.exeC:\Program Files\MozyHome\mozybackup.exeC:\Program Files\MozyHome\mozybackup.exeC:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exeC:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEC:\Windows\system32\taskeng.exeC:\Windows\system32\SearchProtocolHost.exeC:\Windows\system32\SearchFilterHost.exeC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\System32\cscript.exe.============== Pseudo HJT Report ===============.uStart Page = hxxp://www.dell.comuDefault_Page_URL = hxxp://www.dell.commWinlogon: Userinit = userinit.exeBHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllBHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLLBHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dllBHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLLBHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dllmRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exemRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"mRun: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServicesmRun: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exemRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /minmRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MOZYHO~1.LNK - C:\Program Files\MozyHome\mozystat.exemPolicies-Explorer: NoActiveDesktop = dword:1mPolicies-Explorer: NoActiveDesktopChanges = dword:1mPolicies-System: ConsentPromptBehaviorAdmin = dword:5mPolicies-System: ConsentPromptBehaviorUser = dword:3mPolicies-System: EnableUIADesktopToggle = dword:0IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dllIE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dllDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cabTCP: NameServer = 192.168.0.1 192.168.1.1TCP: Interfaces\{82AE6F63-6B12-4B6A-BE7A-1296751EFAE4} : DHCPNameServer = 192.168.0.1 192.168.1.1TCP: Interfaces\{F35C5B0F-A89C-4CE3-9FC7-0655A3F38614} : DHCPNameServer = 192.168.0.1 192.168.1.1Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLLSSODL: WebCheck - <orphaned>SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLLx64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLLx64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLLx64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllx64-Run: [igfxTray] C:\Windows\System32\igfxtray.exex64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exex64-Run: [Persistence] C:\Windows\System32\igfxpers.exex64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dllx64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dllx64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cabx64-DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cabx64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cabx64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLLx64-Notify: igfxcui - igfxdev.dllx64-SSODL: WebCheck - <orphaned>x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL.============= SERVICES / DRIVERS ===============.R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2012-2-11 55856]R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2012-10-13 27800]R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2012-10-13 86752]R2 AntiVirService;Avira Real-Time Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2012-10-13 110816]R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2012-10-13 99912]R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-10-13 398184]R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-3-4 682344]R2 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-25 2823000]R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2012-2-11 1692480]R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-2-11 317440]R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-3-4 24176]R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-2-11 539240]S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-2-27 1255736].=============== Created Last 30 ================.2013-02-18 17:41:36 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll2013-02-13 03:25:46 996352 ----a-w- C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll2013-02-13 03:25:46 768000 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll2013-02-13 02:22:01 5553512 ----a-w- C:\Windows\System32\ntoskrnl.exe2013-02-13 02:22:01 3967848 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe2013-02-13 02:22:01 3913064 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe2013-02-13 02:21:54 3153408 ----a-w- C:\Windows\System32\win32k.sys2013-02-13 02:21:52 7680 ----a-w- C:\Windows\SysWow64\instnm.exe2013-02-13 02:21:52 5120 ----a-w- C:\Windows\SysWow64\wow32.dll2013-02-13 02:21:52 25600 ----a-w- C:\Windows\SysWow64\setup16.exe2013-02-13 02:21:52 215040 ----a-w- C:\Windows\System32\winsrv.dll2013-02-13 02:21:52 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll2013-02-13 02:21:51 2048 ----a-w- C:\Windows\SysWow64\user.exe2013-02-13 02:21:39 288088 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS2013-02-13 02:21:39 1913192 ----a-w- C:\Windows\System32\drivers\tcpip.sys.==================== Find3M ====================.2013-02-18 17:41:33 861088 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll2013-02-18 17:41:33 782240 ----a-w- C:\Windows\SysWow64\deployJava1.dll2013-02-09 13:41:53 74096 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl2013-02-09 13:41:53 697712 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe2013-01-09 01:19:09 2312704 ----a-w- C:\Windows\System32\jscript9.dll2013-01-09 01:12:03 1392128 ----a-w- C:\Windows\System32\wininet.dll2013-01-09 01:11:06 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl2013-01-09 01:07:51 173056 ----a-w- C:\Windows\System32\ieUnatt.exe2013-01-09 01:07:47 599040 ----a-w- C:\Windows\System32\vbscript.dll2013-01-09 01:04:42 2382848 ----a-w- C:\Windows\System32\mshtml.tlb2013-01-08 22:11:21 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll2013-01-08 22:03:20 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll2013-01-08 22:03:12 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl2013-01-08 21:59:02 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe2013-01-08 21:58:29 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll2013-01-08 21:56:23 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb2013-01-04 04:43:21 44032 ----a-w- C:\Windows\apppatch\acwow64.dll2012-12-16 17:11:22 46080 ----a-w- C:\Windows\System32\atmlib.dll2012-12-16 14:45:03 367616 ----a-w- C:\Windows\System32\atmfd.dll2012-12-16 14:13:28 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll2012-12-16 14:13:20 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll2012-12-14 21:49:28 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys2012-12-11 23:52:07 99912 ----a-w- C:\Windows\System32\drivers\avgntflt.sys2012-12-07 13:20:16 441856 ----a-w- C:\Windows\System32\Wpc.dll2012-12-07 13:15:31 2746368 ----a-w- C:\Windows\System32\gameux.dll2012-12-07 12:26:17 308736 ----a-w- C:\Windows\SysWow64\Wpc.dll2012-12-07 12:20:43 2576384 ----a-w- C:\Windows\SysWow64\gameux.dll2012-12-07 11:20:04 30720 ----a-w- C:\Windows\System32\usk.rs2012-12-07 11:20:03 43520 ----a-w- C:\Windows\System32\csrr.rs2012-12-07 11:20:03 23552 ----a-w- C:\Windows\System32\oflc.rs2012-12-07 11:20:01 45568 ----a-w- C:\Windows\System32\oflc-nz.rs2012-12-07 11:20:01 44544 ----a-w- C:\Windows\System32\pegibbfc.rs2012-12-07 11:20:01 20480 ----a-w- C:\Windows\System32\pegi-fi.rs2012-12-07 11:20:00 20480 ----a-w- C:\Windows\System32\pegi-pt.rs2012-12-07 11:19:59 20480 ----a-w- C:\Windows\System32\pegi.rs2012-12-07 11:19:58 46592 ----a-w- C:\Windows\System32\fpb.rs2012-12-07 11:19:57 40960 ----a-w- C:\Windows\System32\cob-au.rs2012-12-07 11:19:57 21504 ----a-w- C:\Windows\System32\grb.rs2012-12-07 11:19:57 15360 ----a-w- C:\Windows\System32\djctq.rs2012-12-07 11:19:56 55296 ----a-w- C:\Windows\System32\cero.rs2012-12-07 11:19:55 51712 ----a-w- C:\Windows\System32\esrb.rs2012-11-30 05:45:35 362496 ----a-w- C:\Windows\System32\wow64win.dll2012-11-30 05:45:35 243200 ----a-w- C:\Windows\System32\wow64.dll2012-11-30 05:45:35 13312 ----a-w- C:\Windows\System32\wow64cpu.dll2012-11-30 05:43:12 16384 ----a-w- C:\Windows\System32\ntvdm64.dll2012-11-30 05:41:07 424448 ----a-w- C:\Windows\System32\KernelBase.dll2012-11-30 04:53:59 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll2012-11-30 03:23:48 338432 ----a-w- C:\Windows\System32\conhost.exe2012-11-30 02:38:59 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll2012-11-30 02:38:59 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll2012-11-30 02:38:59 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll2012-11-30 02:38:59 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll2012-11-23 03:13:57 68608 ----a-w- C:\Windows\System32\taskhost.exe2012-11-22 05:44:23 800768 ----a-w- C:\Windows\System32\usp10.dll2012-11-22 04:45:03 626688 ----a-w- C:\Windows\SysWow64\usp10.dll.============= FINISH: 13:32:23.36 ===============.UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.IF REQUESTED, ZIP IT UP & ATTACH IT.DDS (Ver_2012-11-20.01).Microsoft Windows 7 Home PremiumBoot Device: \Device\HarddiskVolume2Install Date: 2/26/2012 8:29:19 PMSystem Uptime: 2/18/2013 10:29:13 PM (15 hours ago).Motherboard: Dell Inc. | | 0GDG8Y Processor: Intel® Core™ i5-2400 CPU @ 3.10GHz | CPU 1 | 1581/100mhz.==== Disk Partitions =========================.C: is FIXED (NTFS) - 454 GiB total, 387.115 GiB free.D: is CDROM (CDFS)E: is RemovableF: is RemovableG: is RemovableH: is RemovableI: is Removable.==== Disabled Device Manager Items =============.==== System Restore Points ===================.RP91: 1/27/2013 11:16:56 AM - Scheduled CheckpointRP92: 2/3/2013 11:34:20 AM - Scheduled CheckpointRP93: 2/10/2013 12:16:07 PM - Scheduled CheckpointRP94: 2/12/2013 10:24:02 PM - Windows UpdateRP95: 2/18/2013 12:40:50 PM - Installed Java 7 Update 13.==== Installed Programs ======================.Accidental Damage Services AgreementAdobe AIRAdobe Flash Player 11 ActiveXAdobe Reader X (10.1.4)ArcSoft Software SuiteAvira Free AntivirusBanctec Service AgreementComplete Care Business Service AgreementConexant HD AudioConsumer In-Home Service AgreementDefinition Update for Microsoft Office 2010 (KB982726) 32-Bit EditionDell DataSafe Local BackupDell DataSafe Local Backup - Support SoftwareDell DataSafe OnlineDell Edoc ViewerDell Home Systems Service AgreementDell Support CenterDirectX 9 RuntimeIntel® Processor GraphicsJava 7 Update 13Java Auto UpdaterJava™ 6 Update 27 (64-bit)Java™ 6 Update 31Malwarebytes Anti-Malware version 1.70.0.1100Microsoft .NET Framework 4 Client ProfileMicrosoft .NET Framework 4 ExtendedMicrosoft Office 2010 Service Pack 1 (SP1)Microsoft Office Access MUI (English) 2010Microsoft Office Access Setup Metadata MUI (English) 2010Microsoft Office Excel MUI (English) 2010Microsoft Office Groove MUI (English) 2010Microsoft Office InfoPath MUI (English) 2010Microsoft Office Office 64-bit Components 2010Microsoft Office OneNote MUI (English) 2010Microsoft Office Outlook MUI (English) 2010Microsoft Office PowerPoint MUI (English) 2010Microsoft Office Professional Plus 2010Microsoft Office Proof (English) 2010Microsoft Office Proof (French) 2010Microsoft Office Proof (Spanish) 2010Microsoft Office Proofing (English) 2010Microsoft Office Publisher MUI (English) 2010Microsoft Office Shared 64-bit MUI (English) 2010Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010Microsoft Office Shared MUI (English) 2010Microsoft Office Shared Setup Metadata MUI (English) 2010Microsoft Office Word MUI (English) 2010Microsoft SilverlightMicrosoft Visual C++ 2005 RedistributableMicrosoft Visual C++ 2005 Redistributable (x64)Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219MozyHomeMSXML 4.0 SP2 (KB954430)MSXML 4.0 SP2 (KB973688)PhotoShowExpressQualxServ Service AgreementRBVirtualFolder64InstRoxio Activation ModuleRoxio BackOnTrackRoxio BurnRoxio Creator StarterRoxio Express Labeler 3Roxio File BackupSecurity Update for Microsoft .NET Framework 4 Client Profile (KB2518870)Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)Security Update for Microsoft .NET Framework 4 Extended (KB2487367)Security Update for Microsoft .NET Framework 4 Extended (KB2656351)Security Update for Microsoft .NET Framework 4 Extended (KB2736428)Security Update for Microsoft .NET Framework 4 Extended (KB2742595)Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit EditionSecurity Update for Microsoft InfoPath 2010 (KB2687417) 32-Bit EditionSecurity Update for Microsoft InfoPath 2010 (KB2687436) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2553091)Security Update for Microsoft Office 2010 (KB2553096)Security Update for Microsoft Office 2010 (KB2553371) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2553447) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2589320) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2597986) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2598243) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2687501) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2687510) 32-Bit EditionSecurity Update for Microsoft Visio 2010 (KB2687508) 32-Bit EditionSecurity Update for Microsoft Visio Viewer 2010 (KB2598287) 32-Bit EditionSecurity Update for Microsoft Word 2010 (KB2760410) 32-Bit EditionSonic CinePlayer Decoder PackUpdate for Microsoft .NET Framework 4 Client Profile (KB2468871)Update for Microsoft .NET Framework 4 Client Profile (KB2533523)Update for Microsoft .NET Framework 4 Client Profile (KB2600217)Update for Microsoft .NET Framework 4 Extended (KB2468871)Update for Microsoft .NET Framework 4 Extended (KB2533523)Update for Microsoft .NET Framework 4 Extended (KB2600217)Update for Microsoft Office 2010 (KB2494150)Update for Microsoft Office 2010 (KB2553065)Update for Microsoft Office 2010 (KB2553092)Update for Microsoft Office 2010 (KB2553181) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2553267) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2553310) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2553378) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2566458)Update for Microsoft Office 2010 (KB2596964) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2598242) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2687509) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2760631) 32-Bit EditionUpdate for Microsoft OneNote 2010 (KB2553290) 32-Bit EditionUpdate for Microsoft OneNote 2010 (KB2687277) 32-Bit EditionUpdate for Microsoft Outlook 2010 (KB2597090) 32-Bit EditionUpdate for Microsoft Outlook 2010 (KB2687623) 32-Bit EditionUpdate for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit EditionUpdate for Microsoft PowerPoint 2010 (KB2598240) 32-Bit EditionUpdate for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition.==== Event Viewer Messages From Past Week ========.2/18/2013 2:00:41 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SftService service..==== End Of File =========================== Link to post Share on other sites More sharing options...
Staff CatByte Posted February 19, 2013 Staff ID:648981 Share Posted February 19, 2013 what symptoms are you experiencing?Please run the following:Please download aswMBR.exe and save it to your desktop.Double click aswMBR.exe to start the tool. When asked if you want to download Avast's virus definitions please select Yes.Click ScanUpon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet. You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well. Link to post Share on other sites More sharing options...
9baritone Posted February 19, 2013 Author ID:648988 Share Posted February 19, 2013 Thanks for responding. I re-posted, realizing I had not included a description of the problems, namely:"Yesterday's MBAM scan showed multiple instances of two malware programs in Windows 7:PUM.Disabled.security centerPUM.Hijack.start menuAlthough all malware instances have been quarantined, the start menu contents are missing...not just programs, but 'computer,' 'control panel,' etc. We cannot access or find links to our documents, though we believe they are still on the hard drive. Also, Internet Explorer 'Favorites' have vanished. "(New info starts here) Avira did not catch these. Additionally, each time the computer is re-started, and we run Avira to double-check, it finds a new malware file. No such file is generated if we leave the computer on. Not sure if this is related to the two PUM files above. Since Avira is produced by Avast, and Avira did not recognized the virus files, will it be useful to download and (re?)run Avast's virus definitions as you suggest?Thanks again. Link to post Share on other sites More sharing options...
Staff CatByte Posted February 19, 2013 Staff ID:648991 Share Posted February 19, 2013 yes please,as well, please run the following:Please download Unhide.exe to your desktop:Double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the hidden attributes from all the files on your system. Note: If you had purposely hidden any files, then you will need to hide them again after this tool has run. Link to post Share on other sites More sharing options...
9baritone Posted February 20, 2013 Author ID:649213 Share Posted February 20, 2013 Good morning.No file will visibly save to the desktop. I saved all on a thumb drive instead.I just ran asw.MBR.exe. Regarding the MBRdat file, sending to a zip file is not on the 'send to' menu. It is only a 1kb file. Should I send it as is, unzipped?Also just ran Unhide. It will only save to the desktop. Since I can't see it, I took a screen shot which says it says it could not make my files visible (I did turn off real-time anti-virus, so that was not a factor) and that is in fact the case. Unfortunately your system will not allow me to attach that type of file (saved in MSWord).I will send the MBRdat file upon receiving your advice about no zipping. Here is the aswMBR file:aswMBR version 0.9.9.1707 Copyright© 2011 AVAST SoftwareRun date: 2013-02-20 09:00:49-----------------------------09:00:49.187 OS Version: Windows x64 6.1.7601 Service Pack 109:00:49.187 Number of processors: 4 586 0x2A0709:00:49.188 ComputerName: MERLE-PC UserName: Admin09:00:50.848 Initialize success09:04:36.676 AVAST engine defs: 1302200009:05:48.785 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-009:05:48.788 Disk 0 Vendor: ST3500413AS JC49 Size: 476940MB BusType: 309:05:48.812 Disk 0 MBR read successfully09:05:48.815 Disk 0 MBR scan09:05:48.842 Disk 0 Windows VISTA default MBR code09:05:48.845 Disk 0 Partition 1 00 DE Dell Utility DELL 4.1 39 MB offset 6309:05:48.852 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 11868 MB offset 8192009:05:48.869 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 465028 MB offset 2438758409:05:48.889 Disk 0 scanning C:\Windows\system32\drivers09:05:59.452 Service scanning09:06:17.866 Modules scanning09:06:17.874 Disk 0 trace - called modules:09:06:17.901 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS intelide.sys PCIIDEX.SYS hal.dll atapi.sys09:06:18.231 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004d33060]09:06:18.236 3 CLASSPNP.SYS[fffff880018a543f] -> nt!IofCallDriver -> [0xfffffa800474d520]09:06:18.241 5 ACPI.sys[fffff88000f8b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800474f060]09:06:23.384 AVAST engine scan C:\Windows09:06:30.053 AVAST engine scan C:\Windows\system3209:10:01.295 AVAST engine scan C:\Windows\system32\drivers09:10:14.678 AVAST engine scan C:\Users\Admin09:10:43.828 AVAST engine scan C:\ProgramData09:11:54.444 Scan finished successfully09:15:19.731 Disk 0 MBR has been saved successfully to "C:\Users\Admin\Desktop\MBR.dat"09:15:19.734 The log file has been saved successfully to "C:\Users\Admin\Desktop\aswMBR.txt"09:16:40.540 Disk 0 MBR has been saved successfully to "I:\MBR.dat"09:16:40.556 The log file has been saved successfully to "I:\aswMBR.txt" Link to post Share on other sites More sharing options...
Staff CatByte Posted February 20, 2013 Staff ID:649312 Share Posted February 20, 2013 Please do the following:Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.Plug the flashdrive into the infected PC.Enter System Recovery Options. To enter System Recovery Options from the Advanced Boot Options:Restart the computer.As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.Use the arrow keys to select the Repair your computer menu item.Choose your language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account and click Next.To enter System Recovery Options by using Windows installation disc:Insert the installation disc.Restart your computer.If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.Click Repair your computer.Choose your language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account an click Next.On the System Recovery Options menu you will get the following options:Startup RepairSystem RestoreWindows Complete PC RestoreWindows Memory Diagnostic ToolCommand Prompt[*]Select Command Prompt[*]In the command window type in notepad and press Enter.[*]The notepad opens. Under File menu select Open.[*]Select "Computer" and find your flash drive letter and close the notepad.[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter Note: Replace letter e with the drive letter of your flash drive.[*]The tool will start to run.[*]When the tool opens click Yes to the disclaimer.[*]Place a check next to List Drivers MD5 as well as the default check marks that are already there[*]Press Scan button.[*]type exit and reboot the computer normally[*]FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply. Link to post Share on other sites More sharing options...
9baritone Posted February 20, 2013 Author ID:649341 Share Posted February 20, 2013 With Farbar, I got as far as :"In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press EnterNote: Replace letter e with the drive letter of your flash drive."At that point I got an error message "The subsystem to support the image type is not present."Now what? Link to post Share on other sites More sharing options...
Staff CatByte Posted February 20, 2013 Staff ID:649346 Share Posted February 20, 2013 you need the 64bit version Link to post Share on other sites More sharing options...
9baritone Posted February 20, 2013 Author ID:649370 Share Posted February 20, 2013 Yes, that was the problem. Here is the log:Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 17-02-2013 01Ran by SYSTEM at 20-02-2013 15:36:40Running from I:\Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)The current controlset is ControlSet001==================== Registry (Whitelisted) ===================HKLM-x32\...\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)HKLM-x32\...\Run: [] [x]HKLM-x32\...\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)HKLM-x32\...\Run: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)HKLM-x32\...\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [195072 2009-06-19] (ArcSoft Inc.)HKLM-x32\...\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min [385248 2013-02-12] (Avira Operations GmbH & Co. KG)HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)HKU\Merle\...\Run: [xUFNiAkNknT.exe] C:\ProgramData\xUFNiAkNknT.exe [x]Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 192.168.1.1Startup: C:\ProgramData\Start Menu\Programs\Startup\MozyHome Status.lnkShortcutTarget: MozyHome Status.lnk -> X:\Program Files\MozyHome\mozystat.exe (No File)==================== Services (Whitelisted) ===================2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [109056 2009-02-06] (ArcSoft Inc.)2 AntiVirSchedulerService; "C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe" [86752 2013-02-12] (Avira Operations GmbH & Co. KG)2 AntiVirService; "C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe" [110816 2013-02-12] (Avira Operations GmbH & Co. KG)2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [398184 2012-12-14] (Malwarebytes Corporation)2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [682344 2012-12-14] (Malwarebytes Corporation)2 mozybackup; "C:\Program Files\MozyHome\mozybackup.exe" [54632 2012-03-19] (Mozy, Inc.)==================== Drivers (Whitelisted) =====================2 avgntflt; C:\Windows\System32\Drivers\avgntflt.sys [99912 2012-12-11] (Avira Operations GmbH & Co. KG)1 avipbb; C:\Windows\System32\Drivers\avipbb.sys [129216 2012-12-11] (Avira Operations GmbH & Co. KG)1 avkmgr; C:\Windows\System32\Drivers\avkmgr.sys [27800 2012-09-24] (Avira Operations GmbH & Co. KG)3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24176 2012-12-14] (Malwarebytes Corporation)1 mozyFilter; C:\Windows\System32\DRIVERS\mozy.sys [67328 2012-03-19] (Mozy, Inc.)==================== NetSvcs (Whitelisted) ======================================== One Month Created Files and Folders ========2013-02-20 13:38 - 2013-02-20 13:38 - 00000000 ____D C:\FRST2013-02-20 08:28 - 2013-02-20 08:35 - 00002994 ____A C:\Users\Admin\Desktop\unhide.txt2013-02-20 08:15 - 2013-02-20 08:15 - 00002039 ____A C:\Users\Admin\Desktop\aswMBR.txt2013-02-20 08:15 - 2013-02-20 08:15 - 00000512 ____A C:\Users\Admin\Desktop\MBR.dat2013-02-19 12:32 - 2013-02-19 12:32 - 00016017 ____A C:\Users\Admin\Desktop\dds.txt2013-02-19 12:32 - 2013-02-19 12:32 - 00007807 ____A C:\Users\Admin\Desktop\attach.txt2013-02-18 13:34 - 2013-02-18 13:34 - 00008756 ____A C:\Users\Admin\My Documents\new file.xlsx2013-02-18 13:34 - 2013-02-18 13:34 - 00008756 ____A C:\Users\Admin\Documents\new file.xlsx2013-02-18 11:41 - 2013-02-18 11:41 - 00095648 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll2013-02-18 10:10 - 2013-02-18 10:10 - 00000176 ____A C:\ProgramData\-xUFNiAkNknTr2013-02-18 10:10 - 2013-02-18 10:10 - 00000176 ____A C:\ProgramData\Application Data\-xUFNiAkNknTr2013-02-18 10:10 - 2013-02-18 10:10 - 00000160 ____A C:\ProgramData\-xUFNiAkNknT2013-02-18 10:10 - 2013-02-18 10:10 - 00000160 ____A C:\ProgramData\Application Data\-xUFNiAkNknT2013-02-18 10:10 - 2013-02-18 10:10 - 00000088 ____A C:\ProgramData\xUFNiAkNknT2013-02-18 10:10 - 2013-02-18 10:10 - 00000088 ____A C:\ProgramData\Application Data\xUFNiAkNknT2013-02-12 21:24 - 2013-01-08 19:48 - 17812992 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll2013-02-12 21:24 - 2013-01-08 19:22 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll2013-02-12 21:24 - 2013-01-08 19:19 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll2013-02-12 21:24 - 2013-01-08 19:12 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll2013-02-12 21:24 - 2013-01-08 19:12 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll2013-02-12 21:24 - 2013-01-08 19:11 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl2013-02-12 21:24 - 2013-01-08 19:10 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll2013-02-12 21:24 - 2013-01-08 19:09 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll2013-02-12 21:24 - 2013-01-08 19:07 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll2013-02-12 21:24 - 2013-01-08 19:07 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll2013-02-12 21:24 - 2013-01-08 19:07 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe2013-02-12 21:24 - 2013-01-08 19:06 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll2013-02-12 21:24 - 2013-01-08 19:05 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll2013-02-12 21:24 - 2013-01-08 19:04 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb2013-02-12 21:24 - 2013-01-08 19:04 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll2013-02-12 21:24 - 2013-01-08 19:00 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll2013-02-12 21:24 - 2013-01-08 16:23 - 12321280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll2013-02-12 21:24 - 2013-01-08 16:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll2013-02-12 21:24 - 2013-01-08 16:09 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll2013-02-12 21:24 - 2013-01-08 16:03 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl2013-02-12 21:24 - 2013-01-08 16:03 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll2013-02-12 21:24 - 2013-01-08 16:03 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll2013-02-12 21:24 - 2013-01-08 16:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll2013-02-12 21:24 - 2013-01-08 16:00 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll2013-02-12 21:24 - 2013-01-08 15:59 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe2013-02-12 21:24 - 2013-01-08 15:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll2013-02-12 21:24 - 2013-01-08 15:58 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll2013-02-12 21:24 - 2013-01-08 15:57 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll2013-02-12 21:24 - 2013-01-08 15:56 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb2013-02-12 21:24 - 2013-01-08 15:56 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll2013-02-12 21:24 - 2013-01-08 15:56 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll2013-02-12 21:24 - 2013-01-08 15:53 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll2013-02-12 20:22 - 2013-01-04 23:53 - 05553512 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe2013-02-12 20:22 - 2013-01-04 23:00 - 03967848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe2013-02-12 20:22 - 2013-01-04 23:00 - 03913064 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe2013-02-12 20:21 - 2013-01-03 23:46 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll2013-02-12 20:21 - 2013-01-03 22:51 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll2013-02-12 20:21 - 2013-01-03 21:26 - 03153408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys2013-02-12 20:21 - 2013-01-03 20:47 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe2013-02-12 20:21 - 2013-01-03 20:47 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll2013-02-12 20:21 - 2013-01-03 20:47 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe2013-02-12 20:21 - 2013-01-03 20:47 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe2013-02-12 20:21 - 2013-01-03 00:00 - 01913192 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys2013-02-12 20:21 - 2013-01-03 00:00 - 00288088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS==================== One Month Modified Files and Folders =======2013-02-20 13:41 - 2012-10-17 07:02 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job2013-02-20 13:41 - 2012-03-04 16:06 - 00000564 ____A C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job2013-02-20 13:40 - 2012-02-11 02:19 - 01589515 ____A C:\Windows\WindowsUpdate.log2013-02-20 13:38 - 2013-02-20 13:38 - 00000000 ____D C:\FRST2013-02-20 13:34 - 2012-03-04 16:05 - 00000506 ____A C:\Windows\Tasks\SystemToolsDailyTest.job2013-02-20 08:59 - 2012-03-19 13:58 - 00004460 ____A C:\Windows\mozy.flt2013-02-20 08:59 - 2012-03-19 13:58 - 00003618 ____A C:\Windows\mozy.blk2013-02-20 08:35 - 2013-02-20 08:28 - 00002994 ____A C:\Users\Admin\Desktop\unhide.txt2013-02-20 08:15 - 2013-02-20 08:15 - 00002039 ____A C:\Users\Admin\Desktop\aswMBR.txt2013-02-20 08:15 - 2013-02-20 08:15 - 00000512 ____A C:\Users\Admin\Desktop\MBR.dat2013-02-19 12:32 - 2013-02-19 12:32 - 00016017 ____A C:\Users\Admin\Desktop\dds.txt2013-02-19 12:32 - 2013-02-19 12:32 - 00007807 ____A C:\Users\Admin\Desktop\attach.txt2013-02-19 12:32 - 2009-07-13 23:13 - 00794430 ____A C:\Windows\System32\PerfStringBackup.INI2013-02-18 21:08 - 2012-02-27 20:24 - 00000000 ____D C:\Users\Merle\My Documents\Outlook Files2013-02-18 21:08 - 2012-02-27 20:24 - 00000000 ____D C:\Users\Merle\Documents\Outlook Files2013-02-18 13:34 - 2013-02-18 13:34 - 00008756 ____A C:\Users\Admin\My Documents\new file.xlsx2013-02-18 13:34 - 2013-02-18 13:34 - 00008756 ____A C:\Users\Admin\Documents\new file.xlsx2013-02-18 13:07 - 2009-07-13 22:45 - 00021296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A02013-02-18 13:07 - 2009-07-13 22:45 - 00021296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A02013-02-18 13:00 - 2012-02-11 00:38 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup2013-02-18 12:59 - 2012-02-11 00:55 - 00000000 ____D C:\Users\Default\Local Settings\SoftThinks2013-02-18 12:59 - 2012-02-11 00:55 - 00000000 ____D C:\Users\Default\Local Settings\Application Data\SoftThinks2013-02-18 12:59 - 2012-02-11 00:55 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks2013-02-18 12:59 - 2012-02-11 00:55 - 00000000 ____D C:\Users\Default User\Local Settings\SoftThinks2013-02-18 12:59 - 2012-02-11 00:55 - 00000000 ____D C:\Users\Default User\Local Settings\Application Data\SoftThinks2013-02-18 12:59 - 2012-02-11 00:55 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks2013-02-18 12:58 - 2009-07-13 23:08 - 00000006 ____A C:\Windows\Tasks\SA.DAT2013-02-18 12:58 - 2009-07-13 22:51 - 00064205 ____A C:\Windows\setupact.log2013-02-18 12:03 - 2012-03-04 14:22 - 00000000 ____D C:\Users\Merle\My Documents\Personal2013-02-18 12:03 - 2012-03-04 14:22 - 00000000 ____D C:\Users\Merle\Documents\Personal2013-02-18 11:41 - 2013-02-18 11:41 - 00095648 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll2013-02-18 11:41 - 2012-10-17 07:07 - 00861088 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll2013-02-18 11:41 - 2012-10-17 07:07 - 00262560 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe2013-02-18 11:41 - 2012-02-26 19:46 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe2013-02-18 11:41 - 2012-02-26 19:46 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe2013-02-18 11:41 - 2012-02-26 19:46 - 00000000 ____D C:\Program Files (x86)\Java2013-02-18 11:41 - 2012-02-11 00:37 - 00782240 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll2013-02-18 11:07 - 2012-02-11 00:45 - 00000000 ____D C:\ProgramData\Sonic2013-02-18 11:07 - 2012-02-11 00:45 - 00000000 ____D C:\ProgramData\Application Data\Sonic2013-02-18 11:04 - 2010-11-20 21:47 - 00323458 ____A C:\Windows\PFRO.log2013-02-18 10:10 - 2013-02-18 10:10 - 00000176 ____A C:\ProgramData\-xUFNiAkNknTr2013-02-18 10:10 - 2013-02-18 10:10 - 00000176 ____A C:\ProgramData\Application Data\-xUFNiAkNknTr2013-02-18 10:10 - 2013-02-18 10:10 - 00000160 ____A C:\ProgramData\-xUFNiAkNknT2013-02-18 10:10 - 2013-02-18 10:10 - 00000160 ____A C:\ProgramData\Application Data\-xUFNiAkNknT2013-02-18 10:10 - 2013-02-18 10:10 - 00000088 ____A C:\ProgramData\xUFNiAkNknT2013-02-18 10:10 - 2013-02-18 10:10 - 00000088 ____A C:\ProgramData\Application Data\xUFNiAkNknT2013-02-18 10:08 - 2012-02-26 19:29 - 00000000 ____D C:\users\Merle2013-02-18 09:11 - 2012-11-23 21:23 - 00008854 ____A C:\Users\Merle\My Documents\Book2.xlsx2013-02-18 09:11 - 2012-11-23 21:23 - 00008854 ____A C:\Users\Merle\Documents\Book2.xlsx2013-02-14 18:19 - 2009-07-13 22:45 - 00461464 ____A C:\Windows\System32\FNTCACHE.DAT2013-02-12 21:29 - 2012-02-27 19:49 - 00000000 ____D C:\ProgramData\Microsoft Help2013-02-12 21:29 - 2012-02-27 19:49 - 00000000 ____D C:\ProgramData\Application Data\Microsoft Help2013-02-12 21:28 - 2012-02-27 19:25 - 70004024 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe2013-02-10 10:09 - 2012-03-12 18:32 - 00000000 ____D C:\users\Admin2013-02-09 07:41 - 2012-10-17 07:02 - 00697712 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe2013-02-09 07:41 - 2012-02-11 00:25 - 00074096 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cplZeroAccess:C:\$Recycle.Bin\S-1-5-21-2745952499-3031613733-4158007069-1001\$abd52ccb60633f718eed4225d16b7b9aC:\$Recycle.Bin\S-1-5-21-2745952499-3031613733-4158007069-1001\$abd52ccb60633f718eed4225d16b7b9a\@C:\$Recycle.Bin\S-1-5-21-2745952499-3031613733-4158007069-1001\$abd52ccb60633f718eed4225d16b7b9a\LC:\$Recycle.Bin\S-1-5-21-2745952499-3031613733-4158007069-1001\$abd52ccb60633f718eed4225d16b7b9a\U==================== Known DLLs (Whitelisted) ===================================== Bamital & volsnap Check =================C:\Windows\System32\winlogon.exe => MD5 is legitC:\Windows\System32\wininit.exe => MD5 is legitC:\Windows\SysWOW64\wininit.exe => MD5 is legitC:\Windows\explorer.exe => MD5 is legitC:\Windows\SysWOW64\explorer.exe => MD5 is legitC:\Windows\System32\svchost.exe => MD5 is legitC:\Windows\SysWOW64\svchost.exe => MD5 is legitC:\Windows\System32\services.exe => MD5 is legitC:\Windows\System32\User32.dll => MD5 is legitC:\Windows\SysWOW64\User32.dll => MD5 is legitC:\Windows\System32\userinit.exe => MD5 is legitC:\Windows\SysWOW64\userinit.exe => MD5 is legitC:\Windows\System32\Drivers\volsnap.sys => MD5 is legit==================== EXE ASSOCIATION =====================HKLM\...\.exe: exefile => OKHKLM\...\exefile\DefaultIcon: %1 => OKHKLM\...\exefile\open\command: "%1" %* => OK==================== Restore Points =========================Restore point made on: 2013-02-03 10:34:30Restore point made on: 2013-02-03 19:34:15Restore point made on: 2013-02-03 19:40:20Restore point made on: 2013-02-09 07:51:47Restore point made on: 2013-02-10 11:16:13Restore point made on: 2013-02-10 19:34:19Restore point made on: 2013-02-11 20:02:40Restore point made on: 2013-02-12 21:24:07Restore point made on: 2013-02-14 18:50:25Restore point made on: 2013-02-16 07:35:24Restore point made on: 2013-02-18 11:41:03Restore point made on: 2013-02-18 11:57:08Restore point made on: 2013-02-18 12:06:00Restore point made on: 2013-02-18 13:20:44Restore point made on: 2013-02-20 08:59:00==================== Memory info ===========================Percentage of memory in use: 14%Total physical RAM: 4008.63 MBAvailable physical RAM: 3408.32 MBTotal Pagefile: 4006.83 MBAvailable Pagefile: 3398.83 MBTotal Virtual: 8192 MBAvailable Virtual: 8191.91 MB==================== Partitions =============================1 Drive c: (OS) (Fixed) (Total:454.13 GB) (Free:387.98 GB) NTFS2 Drive d: (HPPP) (CDROM) (Total:0.31 GB) (Free:0 GB) CDFS7 Drive i: () (Removable) (Total:0.94 GB) (Free:0.94 GB) FAT8 Drive j: (RECOVERY) (Fixed) (Total:11.59 GB) (Free:5.32 GB) NTFS ==>[system with boot components (obtained from reading drive)]9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS Disk ### Status Size Free Dyn Gpt -------- ------------- ------- ------- --- --- Disk 0 Online 465 GB 3072 KB Disk 1 No Media 0 B 0 B Disk 2 No Media 0 B 0 B Disk 3 No Media 0 B 0 B Disk 4 No Media 0 B 0 B Disk 5 Online 963 MB 0 B Partitions of Disk 0:===============Disk ID: 3EFE19BA Partition ### Type Size Offset ------------- ---------------- ------- ------- Partition 1 OEM 39 MB 31 KB Partition 2 Primary 11 GB 40 MB Partition 3 Primary 454 GB 11 GB==================================================================================Disk: 0Partition 1Type : DEHidden: YesActive: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- --------* Volume 8 FAT Partition 39 MB Healthy Hidden =========================================================Disk: 0Partition 2Type : 07Hidden: NoActive: Yes Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- --------* Volume 1 J RECOVERY NTFS Partition 11 GB Healthy =========================================================Disk: 0Partition 3Type : 07Hidden: NoActive: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- --------* Volume 2 C OS NTFS Partition 454 GB Healthy =========================================================Partitions of Disk 5:===============Disk ID: 91F72D24 Partition ### Type Size Offset ------------- ---------------- ------- ------- Partition 1 Primary 963 MB 31 KB==================================================================================Disk: 5Partition 1Type : 06Hidden: NoActive: Yes Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- --------* Volume 7 I FAT Removable 963 MB Healthy =========================================================Last Boot: 2013-02-14 19:17==================== End Of Log ============================= Link to post Share on other sites More sharing options...
Staff CatByte Posted February 20, 2013 Staff ID:649394 Share Posted February 20, 2013 Please do the following:Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt startHKLM-x32\...\Run: [] [x]HKU\Merle\...\Run: [xUFNiAkNknT.exe] C:\ProgramData\xUFNiAkNknT.exe [x]2013-02-18 10:10 - 2013-02-18 10:10 - 00000176 ____A C:\ProgramData\-xUFNiAkNknTr2013-02-18 10:10 - 2013-02-18 10:10 - 00000176 ____A C:\ProgramData\Application Data\-xUFNiAkNknTr2013-02-18 10:10 - 2013-02-18 10:10 - 00000160 ____A C:\ProgramData\-xUFNiAkNknT2013-02-18 10:10 - 2013-02-18 10:10 - 00000160 ____A C:\ProgramData\Application Data\-xUFNiAkNknT2013-02-18 10:10 - 2013-02-18 10:10 - 00000088 ____A C:\ProgramData\xUFNiAkNknT2013-02-18 10:10 - 2013-02-18 10:10 - 00000088 ____A C:\ProgramData\Application Data\xUFNiAkNknTC:\$Recycle.Bin\S-1-5-21-2745952499-3031613733-4158007069-1001\$abd52ccb60633f718eed4225d16b7b9aendNOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating systemNow please enter System Recovery Options then select Command PromptRun FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.Reboot Normally.NEXTPlease re-run unhide, let me know if your programs are still hidden (describe in as much detail as possible before we move on to other tools) Link to post Share on other sites More sharing options...
9baritone Posted February 20, 2013 Author ID:649415 Share Posted February 20, 2013 Okay, first here is the Foxlog file:Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 17-02-2013 01Ran by SYSTEM at 2013-02-20 16:37:25 Run:1Running from I:\==============================================HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.HKEY_USERS\Merle\Software\Microsoft\Windows\CurrentVersion\Run\\xUFNiAkNknT.exe Value deleted successfully.C:\ProgramData\-xUFNiAkNknTr moved successfully.C:\ProgramData\Application Data\-xUFNiAkNknTr not found.C:\ProgramData\-xUFNiAkNknT moved successfully.C:\ProgramData\Application Data\-xUFNiAkNknT not found.C:\ProgramData\xUFNiAkNknT moved successfully.C:\$Recycle.Bin\S-1-5-21-2745952499-3031613733-4158007069-1001\$abd52ccb60633f718eed4225d16b7b9a moved successfully.==== End of Fixlog ====Now my manual transcription of the re-run of UnhideProcessing the F drive Link to post Share on other sites More sharing options...
9baritone Posted February 20, 2013 Author ID:649418 Share Posted February 20, 2013 Now my manual transcription of the re-run of UnhideProcessing the F drive 3 files processedThe C:\users\admin\AppData\Local\Temp\smtmp\folder does not exist!!Unhide cannot restore your missing shortcuts!!Please see this topic in order to learn how to restore defaultStart menu shortcuts: http://www.bleepongcomputer.com/forums/topic405109.htmlSearching for Windows Registry changes made by fake HDD Rogues.-Checking HKLM\SOFTWARE\Microsoft Windows\Current Version\Policies\Explorer-Checking HKCU\SOFTWARE\Microsoft Windows\Current Version\\Explorer\AdvancedNo registry changes detected. Link to post Share on other sites More sharing options...
Staff CatByte Posted February 20, 2013 Staff ID:649424 Share Posted February 20, 2013 Please run the followingRefer to the ComboFix User's Guide Download ComboFix from the following location:Link * IMPORTANT !!! Place ComboFix.exe on your DesktopDisable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.You can get help on disabling your protection programs hereDouble click on ComboFix.exe & follow the prompts.Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. When finished, it shall produce a log for you. Post that log in your next replyNote: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.---------------------------------------------------------------------------------------------Ensure your AntiVirus and AntiSpyware applications are re-enabled.---------------------------------------------------------------------------------------------NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error. Link to post Share on other sites More sharing options...
9baritone Posted February 20, 2013 Author ID:649425 Share Posted February 20, 2013 Obviously, the typo in the link should read bleepingcomputer, not bleepong Link to post Share on other sites More sharing options...
9baritone Posted February 20, 2013 Author ID:649426 Share Posted February 20, 2013 Your instructions say to place combofix on the desktop. As mentioned previously, no files I attach to the desktop are visible, so I can't click on them. Can I run it from a flash drive? Link to post Share on other sites More sharing options...
Staff CatByte Posted February 20, 2013 Staff ID:649435 Share Posted February 20, 2013 yes, ComboFix will run from a flash drive Link to post Share on other sites More sharing options...
9baritone Posted February 21, 2013 Author ID:649478 Share Posted February 21, 2013 I just ran Combofix twice. Even though I had turned off Avira live protection, Avira ran a pop-up saying it had blocked a suspicious attempt to access the registry. After saving the log file, which indicated removal of three infected files, I uninstalled Avira and ran Combofix again. No additional deletions on the second pass, but perhaps it did allow a peek at the registry. I am attaching both logs. The problems with links to files and non-populating the start menu are still occurring.Combofix log.txtcombofix 2.txt Link to post Share on other sites More sharing options...
9baritone Posted February 21, 2013 Author ID:649595 Share Posted February 21, 2013 An additional note in case it is useful for diagnosis: Last night I determined that the problems only affect the one non-administrator account on the computer. The administrator account is unaffected. Also, I discovered that although I had run all of the diagnostic scans from the non-admin account, they must have had admin authority because all of the logs were posted to the desktop of the admin account. No wonder they didn't show up on the desktop of the non-admin account! Link to post Share on other sites More sharing options...
Staff CatByte Posted February 22, 2013 Staff ID:649903 Share Posted February 22, 2013 Is the start menu OK on the Admin account too?Please run the following:Please download Junkware Removal Tool to your desktop.Shutdown your antivirus to avoid any conflicts.Right-mouse click JRT.exe and select Run as administratorThe tool will open and start scanning your system.Please be patient as this can take a while to complete.On completion, a log (JRT.txt) is saved to your desktop and will automatically open.Post the contents of JRT.txt into your next messageNEXTDownload AdwCleaner from here and save it to your desktop.Run AdwCleaner and select DeleteOnce done it will ask to reboot, allow the rebootOn reboot a log will be produced, please attach the content of the log to your next replyNEXTPlease open your MalwareBytes AntiMalware ProgramClick the Update Tab and search for updatesIf an update is found, it will download and install the latest version.Once the program has loaded, select "Perform Quick Scan", then click Scan.The scan may take some time to finish, so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected. <-- very importantWhen disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply.Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. NEXTGo here to run an online scanner from ESET.Turn off the real time scanner of any existing antivirus program while performing the online scanTick the box next to YES, I accept the Terms of Use.Click StartWhen asked, allow the activeX control to installClick StartMake sure that the option Remove found threats is unticked and the Scan Archives option is ticked.Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.Click ScanWait for the scan to finishWhen the scan completes, press the LIST OF THREATS FOUND buttonPress EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop Include the contents of this report in your next reply.Press the BACK button.Press Finish Link to post Share on other sites More sharing options...
9baritone Posted February 22, 2013 Author ID:649965 Share Posted February 22, 2013 Yes, the start menu on the admin account is fine.Attached are the 4 scan results...several infections found.Enjoy the weekend!JRT.txtAdwCleanerS1.txtmbam-log-2013-02-22 (14-14-59).txtESETSCAN.txt Link to post Share on other sites More sharing options...
Staff CatByte Posted February 23, 2013 Staff ID:650030 Share Posted February 23, 2013 Please do the following:Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".Copy/paste the text inside the Codebox below into notepad:Here's how to do that:Press the WinKey + R to open a run box, type Notepad > click OK.This will open an empty notepad file:Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')File::C:\Users\Admin\AppData\Local\temp\AskSLib.dll C:\Users\Merle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\c3418f5-5b22d453 C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\ApnIC[1].0 C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\ApnIC[1].0 ClearJavaCache::Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')Save this file to your desktop, Save this as "CFScript"Here's how to do that:1.Click File;2.Click Save As... Change the directory to your desktop;3.Change the Save as type to "All Files";4.Type in the file name: CFScript5.Click Save ...Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.ComboFix may request an update; please allow it.ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.Please describe any outstanding issues Link to post Share on other sites More sharing options...
9baritone Posted February 24, 2013 Author ID:650799 Share Posted February 24, 2013 Hello again,I ran Combofix, but all previous noted problems still exist. I have attached the log.ComboFix.txt Link to post Share on other sites More sharing options...
Staff CatByte Posted February 25, 2013 Staff ID:650832 Share Posted February 25, 2013 all previous noted problems still existplease describe each issue in as much detail as possible Link to post Share on other sites More sharing options...
9baritone Posted February 25, 2013 Author ID:651022 Share Posted February 25, 2013 Start menu still missing almost all links that were previously there. Only an Arcsoft photo software, MS Excel, and 'computer' are visible. Cannot go directly to files via missing shortcut. By clicking through 'computer' we have located all of our files. By clicking on 'All Programs" and the MS Office Suite we have restored shortcuts for the MS Office Suite to the taskbar at the bottom of the screen. Internet Explorer Favorites link has been restored, probably by our clicking through 'computer' and opening the Favorites file.New issues:1. since running the Combofix scan, an unusual thing happens sometimes when I restart the computer. An error message pops up, then disappears and the process of restarting completes. It is intermittent and I can only (approximately) remember a large fragment of what it says."The application was unable to start correctly due to an attempt to access x86(I couldn't get the rest of file name) which has been marked for deletion." Of course, now I can't get it to recur in order to fill in the missing part. If it does, I will send the completed or corrected info to you.2. Oracle pop-up messages are dunning me to install a new version of Java. If I do so, I will go directly to their site. But the question is should I delay until the problems noted above are resolved?Thank you once again. Link to post Share on other sites More sharing options...
Staff CatByte Posted February 26, 2013 Staff ID:651114 Share Posted February 26, 2013 Right click on the Start Menu button, select properties, now select the Start Menu tab and then click on the Customize button. You will now be presented with a variety of menus and shortcuts that can be added back to the Windows Start Menu. Please select the various items you would like to add and then click on the OK button. Then press the Apply button and close the Start Menu properties screen, or click Use Default Settings.let me know if the default menu items are now showing: Link to post Share on other sites More sharing options...
Recommended Posts