Google Redirect Virus

I appear to have the Google re-direct virus. I've updated Malwarebytes and run it. It removed two items and is showing clear now; however, the re-direct is still happening. Thank you in advance for the assistance. Logs are pasted below... Thanks, willie655

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume2

Install Date: 1/20/2010 10:24:47 AM

System Uptime: 7/1/2012 8:35:47 PM (2 hours ago)

.

Motherboard: Dell Inc. | | 0K83V0

Processor: Pentium® Dual-Core CPU E5400 @ 2.70GHz | CPU 1 | 2700/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 581 GiB total, 527.768 GiB free.

D: is CDROM ()

E: is Removable

F: is Removable

G: is Removable

H: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP354: 6/8/2012 5:10:27 PM - Windows Update

RP355: 6/12/2012 8:35:29 AM - Windows Update

RP356: 6/13/2012 11:44:17 PM - Windows Update

RP357: 6/19/2012 9:26:52 AM - Windows Update

RP358: 6/21/2012 8:50:35 AM - Windows Update

RP359: 6/22/2012 9:29:37 AM - Windows Update

RP360: 6/26/2012 9:19:20 AM - Windows Update

RP361: 6/29/2012 9:44:32 AM - Windows Update

.

==== Installed Programs ======================

.

.

Adobe Reader 9.5.0

Adobe Shockwave Player 11.6

Apple Application Support

Apple Software Update

Bing Bar

Canon Easy-WebPrint EX

Canon IJ Network Scan Utility

Canon IJ Network Tool

Canon Inkjet Printer/Scanner/Fax Extended Survey Program

Canon MP Navigator EX 3.1

Canon MX870 series User Registration

Canon Speed Dial Utility

Canon Utilities Easy-PhotoPrint EX

Canon Utilities My Printer

Canon Utilities Solution Menu

Compatibility Pack for the 2007 Office system

Coupon Printer for Windows

Cozi

Dell DataSafe Online

Dell Getting Started Guide

Digital Line Detect

Google Chrome

Google Earth

Google Toolbar for Internet Explorer

Google Update Helper

GoToAssist 8.0.0.514

Java Auto Updater

Java™ 6 Update 26

Junk Mail filter update

Malwarebytes Anti-Malware version 1.61.0.1400

McAfee Security Scan Plus

Microsoft .NET Framework 1.1

Microsoft Choice Guard

Microsoft Office File Validation Add-In

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Office Professional Edition 2003

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Sync Framework Runtime Native v1.0 (x86)

Microsoft Sync Framework Services Native v1.0 (x86)

Microsoft Web Publishing Wizard 1.52

Microsoft Works

MSVCRT

Netwaiting

Norton Security Scan

Pivot Stickfigure Animator

PowerDVD DX

QuickTime

RealNetworks - Microsoft Visual C++ 2008 Runtime

RealPlayer

Realtek High Definition Audio Driver

RealUpgrade 1.1

Roxio Burn

Security Update for CAPICOM (KB931906)

Smilebox

swMSM

The Print Shop 22

Trend Micro OfficeScan Client

WildTangent Games

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Mail

Windows Live Messenger

Windows Live Movie Maker

Windows Live Photo Gallery

Windows Live Sign-in Assistant

Windows Live Sync

Windows Live Upload Tool

Windows Live Writer

.

==== Event Viewer Messages From Past Week ========

.

7/1/2012 8:53:14 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891

7/1/2012 8:53:14 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891

7/1/2012 8:36:07 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFS

7/1/2012 8:36:04 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

7/1/2012 8:36:02 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

7/1/2012 8:36:01 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

7/1/2012 2:56:22 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.

.

==== End Of File ===========================

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421

Run by Andrea at 22:04:17 on 2012-07-01

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6109.4223 [GMT -4:00]

.

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FW: Trend Micro Personal Firewall *Enabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\Dell\DellDock\DockLogin.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE

C:\Program Files (x86)\Bonjour\mDNSResponder.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k HsfXAudioService

C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE

C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Windows\system32\WUDFHost.exe

C:\WINDOWS\TEMP\MKC581.EXE

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files (x86)\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE

C:\Users\Andrea\AppData\Roaming\Smilebox\SmileboxTray.exe

C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Windows\System32\rundll32.exe

C:\Program Files (x86)\Digital Line Detect\DLG.exe

C:\Program Files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe

C:\Program Files\Dell\DellDock\DellDock.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe

C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe

C:\Program Files (x86)\Trend Micro\OfficeScan Client\PccNTMon.exe

C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\iPod\bin\iPodService.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11f_ActiveX.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Windows\SysWOW64\svchost.exe" -k LocalServiceDns

C:\Windows\system32\taskeng.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyOverride = *.local

mWinlogon: Userinit=userinit.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll

uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background

uRun: [smileboxTray] "C:\Users\Andrea\AppData\Roaming\Smilebox\SmileboxTray.exe"

uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

uRun: [mdmsp] rundll32.exe "C:\Users\Andrea\AppData\Roaming\mdmsp.dll",ADeviceResumePlay

uRun: [benpr] "C:\Windows\System32\rundll32.exe" "C:\Users\Andrea\AppData\Roaming\benpr.dll",CreateEffectFromResourceW

mRun: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m

mRun: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

mRun: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"

mRun: [OfficeScanNT Monitor] "C:\Program Files (x86)\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [iJNetworkScanUtility] C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

StartupFolder: C:\Users\Andrea\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files (x86)\Dell\DellDock\DellDock.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\DIGITA~1.LNK - C:\Program Files (x86)\Digital Line Detect\DLG.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://remote.scana.com/dana-cached/sc/JuniperSetupClient.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{1AD3B2FC-8345-4FDE-B833-AF553ADBAB1F} : DhcpNameServer = 192.168.1.254

Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

BHO-X64: Canon Easy-WebPrint EX BHO: {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll

BHO-X64: Canon Easy-WebPrint EX BHO - No File

BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"

BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB-X64: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll

TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"

TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

EB-X64: {21347690-EC41-4F9A-8887-1F4AEE672439} - No File

mRun-x64: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m

mRun-x64: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

mRun-x64: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"

mRun-x64: [OfficeScanNT Monitor] "C:\Program Files (x86)\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

mRun-x64: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [iJNetworkScanUtility] C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe

mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

.

============= SERVICES / DRIVERS ===============

.

R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]

R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;C:\Windows\system32\DRIVERS\tmlwf.sys --> C:\Windows\system32\DRIVERS\tmlwf.sys [?]

R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2010-1-5 92160]

R2 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-10-13 249648]

R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]

R2 HsfXAudioService;HsfXAudioService;C:\Windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]

R2 TmFilter;Trend Micro Filter;C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmxpflt.sys [2008-6-16 342288]

R2 TmPreFilter;Trend Micro PreFilter;C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmpreflt.sys [2008-6-16 42768]

R2 tmwfp;Trend Micro WFP Callout Driver;C:\Windows\system32\DRIVERS\tmwfp.sys --> C:\Windows\system32\DRIVERS\tmwfp.sys [?]

R3 CAXHWBS2;CAXHWBS2;C:\Windows\system32\DRIVERS\CAXHWBS2.sys --> C:\Windows\system32\DRIVERS\CAXHWBS2.sys [?]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]

S2 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-11-9 136176]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-11-9 136176]

S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [2010-9-3 227232]

S3 TmPfw;OfficeScan NT Firewall;C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmPfw.exe [2008-6-16 585648]

S3 TmProxy;OfficeScan NT Proxy Service;C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe [2008-6-16 865032]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

.

=============== Created Last 30 ================

.

2012-06-30 22:24:07 364032 ----a-w- C:\Users\Andrea\AppData\Roaming\benpr.dll

2012-06-30 22:23:18 143360 ----a-w- C:\Users\Andrea\AppData\Roaming\mdmsp.dll

2012-06-30 21:41:01 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%

2012-06-29 13:45:16 9013136 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{50716AE9-AD1E-4623-B18F-5BE028A10378}\mpengine.dll

2012-06-22 21:49:47 -------- d-----w- C:\Users\Andrea\AppData\Roaming\.minecraft

2012-06-21 12:51:28 2622464 ----a-w- C:\Windows\System32\wucltux.dll

2012-06-21 12:51:12 99840 ----a-w- C:\Windows\System32\wudriver.dll

2012-06-21 12:50:56 36864 ----a-w- C:\Windows\System32\wuapp.exe

2012-06-21 12:50:56 186752 ----a-w- C:\Windows\System32\wuwebv.dll

2012-06-14 03:17:36 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll

2012-06-14 03:17:35 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe

2012-06-14 03:17:35 77312 ----a-w- C:\Windows\System32\rdpwsx.dll

2012-06-14 03:17:30 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-06-14 03:17:29 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2012-06-14 03:17:29 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2012-06-14 03:17:26 3146752 ----a-w- C:\Windows\System32\win32k.sys

2012-06-14 03:17:25 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys

.

==================== Find3M ====================

.

2012-05-18 02:06:48 2311680 ----a-w- C:\Windows\System32\jscript9.dll

2012-05-18 01:59:14 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-05-18 01:58:39 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-05-18 01:55:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-05-18 01:51:30 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-05-17 22:45:37 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-05-17 22:35:47 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-05-17 22:35:39 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-05-17 22:29:45 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-05-17 22:24:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-04-04 19:56:40 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys

.

============= FINISH: 22:04:48.78 ===============

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.


  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo

The combofix log is pasted below. Thank you again for the assistance. We have not had as many re-directs today, but I am getting a few trojan notifications on Trend Micro...Thanks

ComboFix 12-07-02.01 - Andrea 07/02/2012 6:39.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6109.4598 [GMT -4:00]

Running from: c:\users\Andrea\Desktop\ComboFix.exe

FW: Trend Micro Personal Firewall *Enabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

* Resident AV is active

.

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\627f0ae9

c:\users\Andrea\AppData\Roaming\benpr.dll

c:\users\Andrea\AppData\Roaming\c927d1dd

c:\users\Andrea\AppData\Roaming\mdmsp.dll

c:\windows\assembly\GAC_32\Desktop.ini

c:\windows\assembly\GAC_64\Desktop.ini

c:\windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}\@

c:\windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}\L\00000004.@

c:\windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}\L\201d3dde

c:\windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}\L\55490ac4

c:\windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}\U\00000004.@

c:\windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}\U\000000cb.@

c:\windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}\U\80000032.@

c:\windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}\U\80000064.@

c:\windows\system32\fxsst.dll . . . . Failed to delete

c:\windows\SysWow64\odbcad32.exe

c:\windows\TEMP\WC212F.EXE

.

----- File Replicators -----

.

c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

c:\programdata\Adobe\Reader\9.4\ARM\19507\AcrobatUpdater.exe

c:\programdata\Adobe\Reader\9.4\ARM\19507\AdobeARMHelper.exe

c:\programdata\Adobe\Reader\9.4\ARM\19507\ReaderUpdater.exe

c:\programdata\Adobe\Reader\9.4\ARM\22166\AcrobatUpdater.exe

c:\programdata\Adobe\Reader\9.4\ARM\22166\AdobeARMHelper.exe

c:\programdata\Adobe\Reader\9.4\ARM\22166\ReaderUpdater.exe

c:\programdata\Adobe\Reader\9.4\ARM\24645\AcrobatUpdater.exe

c:\programdata\Adobe\Reader\9.4\ARM\24645\AdobeARMHelper.exe

c:\programdata\Adobe\Reader\9.4\ARM\24645\ReaderUpdater.exe

c:\programdata\Adobe\Reader\9.4\ARM\26820\AcrobatUpdater.exe

c:\programdata\Adobe\Reader\9.4\ARM\26820\AdobeARMHelper.exe

c:\programdata\Adobe\Reader\9.4\ARM\26820\ReaderUpdater.exe

c:\programdata\Adobe\Reader\9.4\ARM\27185\AcrobatUpdater.exe

c:\programdata\Adobe\Reader\9.4\ARM\27185\AdobeARMHelper.exe

c:\programdata\Adobe\Reader\9.4\ARM\27185\ReaderUpdater.exe

c:\programdata\Adobe\Reader\9.4\ARM\28808\AcrobatUpdater.exe

c:\programdata\Adobe\Reader\9.4\ARM\28808\AdobeARMHelper.exe

c:\programdata\Adobe\Reader\9.4\ARM\28808\ReaderUpdater.exe

c:\users\All Users\Adobe\Reader\9.4\ARM\19507\AcrobatUpdater.exe

c:\users\All Users\Adobe\Reader\9.4\ARM\19507\AdobeARMHelper.exe

c:\users\All Users\Adobe\Reader\9.4\ARM\19507\ReaderUpdater.exe

c:\users\All Users\Adobe\Reader\9.4\ARM\22166\AcrobatUpdater.exe

c:\users\All Users\Adobe\Reader\9.4\ARM\22166\AdobeARMHelper.exe

c:\users\All Users\Adobe\Reader\9.4\ARM\22166\ReaderUpdater.exe

c:\users\All Users\Adobe\Reader\9.4\ARM\24645\AcrobatUpdater.exe

c:\users\All Users\Adobe\Reader\9.4\ARM\24645\AdobeARMHelper.exe

c:\users\All Users\Adobe\Reader\9.4\ARM\24645\ReaderUpdater.exe

c:\users\All Users\Adobe\Reader\9.4\ARM\26820\AcrobatUpdater.exe

c:\users\All Users\Adobe\Reader\9.4\ARM\26820\AdobeARMHelper.exe

c:\users\All Users\Adobe\Reader\9.4\ARM\26820\ReaderUpdater.exe

c:\users\All Users\Adobe\Reader\9.4\ARM\27185\AcrobatUpdater.exe

c:\users\All Users\Adobe\Reader\9.4\ARM\27185\AdobeARMHelper.exe

c:\users\All Users\Adobe\Reader\9.4\ARM\27185\ReaderUpdater.exe

c:\users\All Users\Adobe\Reader\9.4\ARM\28808\AcrobatUpdater.exe

c:\users\All Users\Adobe\Reader\9.4\ARM\28808\AdobeARMHelper.exe

c:\users\All Users\Adobe\Reader\9.4\ARM\28808\ReaderUpdater.exe

.

Infected copy of c:\windows\system32\services.exe was found and disinfected

Restored copy from - c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-06-02 to 2012-07-02 )))))))))))))))))))))))))))))))

.

.

2012-07-02 10:47 . 2012-07-02 10:47 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-06-30 21:41 . 2012-06-30 21:41 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%

2012-06-29 13:45 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{50716AE9-AD1E-4623-B18F-5BE028A10378}\mpengine.dll

2012-06-22 21:49 . 2012-06-22 21:51 -------- d-----w- c:\users\Andrea\AppData\Roaming\.minecraft

2012-06-21 12:51 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-21 12:51 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-21 12:51 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll

2012-06-21 12:51 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-06-21 12:51 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll

2012-06-21 12:51 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-06-21 12:51 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-06-21 12:50 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-21 12:50 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe

2012-06-14 03:17 . 2012-04-26 05:41 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll

2012-06-14 03:17 . 2012-04-26 05:41 77312 ----a-w- c:\windows\system32\rdpwsx.dll

2012-06-14 03:17 . 2012-04-26 05:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe

2012-06-14 03:17 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-06-14 03:17 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2012-06-14 03:17 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2012-06-14 03:17 . 2012-05-15 01:32 3146752 ----a-w- c:\windows\system32\win32k.sys

2012-06-14 03:17 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-04-04 19:56 . 2012-01-14 00:23 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SmileboxTray"="c:\users\Andrea\AppData\Roaming\Smilebox\SmileboxTray.exe" [2012-05-15 325448]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-11-09 39408]

"benpr"="c:\windows\System32\rundll32.exe" [2009-07-14 44544]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2009-09-11 1779952]

"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]

"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]

"OfficeScanNT Monitor"="c:\program files (x86)\Trend Micro\OfficeScan Client\pccntmon.exe" [2008-06-16 1117488]

"TkBellExe"="c:\program files (x86)\Real\RealPlayer\Update\realsched.exe" [2010-11-09 274608]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-06-07 421160]

"IJNetworkScanUtility"="c:\program files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-09-28 140640]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

.

c:\users\Andrea\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-9-21 1316192]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files (x86)\Digital Line Detect\DLG.exe [2010-1-5 50688]

McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-3 255536]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-9-21 1316192]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux1"=wdmaud.drv

.

R0 AFS;AFS; [x]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-09 136176]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-09 136176]

R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [2010-09-03 227232]

R3 TmProxy;OfficeScan NT Proxy Service;c:\program files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe [2008-06-16 865032]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-05-10 51712]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-05 1255736]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]

S1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\DRIVERS\tmlwf.sys [2008-06-16 192528]

S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-03-31 92160]

S2 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]

S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-10-13 249648]

S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]

S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]

S2 TmFilter;Trend Micro Filter;c:\program files (x86)\Trend Micro\OfficeScan Client\TmXPFlt.sys [2011-07-12 342288]

S2 TmPreFilter;Trend Micro PreFilter;c:\program files (x86)\Trend Micro\OfficeScan Client\TmPreFlt.sys [2011-07-12 42768]

S2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\DRIVERS\tmwfp.sys [2008-06-16 277008]

S3 CAXHWBS2;CAXHWBS2;c:\windows\system32\DRIVERS\CAXHWBS2.sys [2009-02-13 411136]

S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-05-26 138752]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-07-31 236544]

S3 TmPfw;OfficeScan NT Firewall;c:\program files (x86)\Trend Micro\OfficeScan Client\TmPfw.exe [2008-06-16 585648]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-09 19:10]

.

2012-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-09 19:10]

.

2012-07-01 c:\windows\Tasks\Norton Security Scan for Andrea.job

- c:\progra~2\NORTON~2\Engine\361~1.11\Nss.exe [2011-12-24 06:45]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-08-06 8060960]

"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2710856]

"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

TCP: DhcpNameServer = 192.168.1.254

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKCU-Run-mdmsp - c:\users\Andrea\AppData\Roaming\mdmsp.dll

SafeBoot-mcmscsvc

SafeBoot-MCODS

Toolbar-Locked - (no file)

AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\Bonjour\mDNSResponder.exe

c:\program files (x86)\Canon\IJPLM\IJPLMSVC.EXE

c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe

.

**************************************************************************

.

Completion time: 2012-07-02 06:53:55 - machine was rebooted

ComboFix-quarantined-files.txt 2012-07-02 10:53

.

Pre-Run: 569,215,438,848 bytes free

Post-Run: 569,297,211,392 bytes free

.

- - End Of File - - 176851443E3704701A499A2033AF55BB


  • Staff

Hello

Download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close Notepad.
  • In the command window type e:\frst.exe (for the x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Gringo


The frst report is pasted below...Thanks, willie655

Scan result of Farbar Recovery Scan Tool Version: 02-07-2012

Ran by Andrea at 02-07-2012 22:34:11

Running from I:\

Service Pack 1 (X64) OS Language: English(US)

Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.

============ One Month Created Files and Folders ==============

2012-07-02 22:34 - 2012-07-02 22:34 - 00000000 ____D C:\FRST

2012-07-02 06:56 - 2012-07-02 06:56 - 00017918 ____A C:\Users\Andrea\Desktop\combo fix.txt

2012-07-02 06:53 - 2012-07-02 06:53 - 00017918 ____A C:\ComboFix.txt

2012-07-02 06:38 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe

2012-07-02 06:38 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe

2012-07-02 06:38 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe

2012-07-02 06:38 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe

2012-07-02 06:38 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe

2012-07-02 06:38 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe

2012-07-02 06:38 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe

2012-07-02 06:38 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe

2012-07-02 06:36 - 2012-07-02 06:53 - 00000000 ____D C:\Qoobox

2012-07-02 06:36 - 2012-07-02 06:52 - 00000000 ____D C:\Windows\erdnt

2012-07-02 06:36 - 2012-07-02 06:36 - 04568951 ____R (Swearware) C:\Users\Andrea\Desktop\ComboFix.exe

2012-07-02 06:35 - 2012-07-02 06:35 - 00001166 ____A C:\Users\Andrea\Desktop\checkup.txt

2012-07-02 06:32 - 2012-07-02 06:32 - 00881475 ____A C:\Users\Andrea\Downloads\SecurityCheck.exe

2012-07-01 22:05 - 2012-07-01 22:05 - 00016966 ____A C:\Users\Andrea\Desktop\DDS.txt

2012-07-01 22:05 - 2012-07-01 22:05 - 00004364 ____A C:\Users\Andrea\Desktop\Attach.txt

2012-07-01 22:04 - 2012-07-01 22:04 - 00607260 ____R (Swearware) C:\Users\Andrea\Downloads\dds (1).scr

2012-07-01 22:03 - 2012-07-01 22:03 - 00607260 ____A (Swearware) C:\Users\Andrea\Downloads\dds.scr

2012-06-30 17:41 - 2012-06-30 17:41 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%

2012-06-25 17:43 - 2012-06-25 17:43 - 00251392 ____A C:\Users\Andrea\Documents\anniversary concert.sig

2012-06-22 17:49 - 2012-06-22 17:51 - 00000000 ____D C:\Users\Andrea\AppData\Roaming\.minecraft

2012-06-21 08:51 - 2012-06-02 18:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-21 08:51 - 2012-06-02 18:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-21 08:51 - 2012-06-02 18:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-21 08:51 - 2012-06-02 18:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-21 08:51 - 2012-06-02 18:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-21 08:51 - 2012-06-02 18:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-21 08:51 - 2012-06-02 18:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-21 08:50 - 2012-06-02 15:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-21 08:50 - 2012-06-02 15:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-13 23:44 - 2012-05-17 22:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-06-13 23:44 - 2012-05-17 22:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-06-13 23:44 - 2012-05-17 22:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-06-13 23:44 - 2012-05-17 21:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-06-13 23:44 - 2012-05-17 21:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-06-13 23:44 - 2012-05-17 21:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-06-13 23:44 - 2012-05-17 21:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-06-13 23:44 - 2012-05-17 21:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-06-13 23:44 - 2012-05-17 21:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-06-13 23:44 - 2012-05-17 21:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-06-13 23:44 - 2012-05-17 21:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-06-13 23:44 - 2012-05-17 21:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-06-13 23:44 - 2012-05-17 21:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-06-13 23:44 - 2012-05-17 21:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-06-13 23:44 - 2012-05-17 19:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-06-13 23:44 - 2012-05-17 18:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-06-13 23:44 - 2012-05-17 18:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-06-13 23:44 - 2012-05-17 18:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-06-13 23:44 - 2012-05-17 18:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-06-13 23:44 - 2012-05-17 18:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-06-13 23:44 - 2012-05-17 18:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-06-13 23:44 - 2012-05-17 18:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-06-13 23:44 - 2012-05-17 18:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-06-13 23:44 - 2012-05-17 18:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-06-13 23:44 - 2012-05-17 18:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-06-13 23:44 - 2012-05-17 18:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-06-13 23:44 - 2012-05-17 18:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-06-13 23:44 - 2012-05-17 18:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-06-13 23:17 - 2012-05-14 21:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-06-13 23:17 - 2012-05-04 07:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-06-13 23:17 - 2012-05-04 06:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe

2012-06-13 23:17 - 2012-05-04 06:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe

2012-06-13 23:17 - 2012-04-27 23:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

2012-06-13 23:17 - 2012-04-26 01:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll

2012-06-13 23:17 - 2012-04-26 01:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll

2012-06-13 23:17 - 2012-04-26 01:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe

============ 3 Months Modified Files ========================

2012-07-02 22:21 - 2010-11-09 15:10 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-07-02 22:21 - 2009-07-14 01:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-07-02 22:21 - 2009-07-14 00:51 - 00107579 ____A C:\Windows\setupact.log

2012-07-02 22:15 - 2009-07-14 01:10 - 01161408 ____A C:\Windows\WindowsUpdate.log

2012-07-02 22:00 - 2010-11-09 15:10 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-07-02 18:26 - 2011-12-24 17:26 - 00000454 ___AH C:\Windows\Tasks\Norton Security Scan for Andrea.job

2012-07-02 09:49 - 2009-07-14 00:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-07-02 09:49 - 2009-07-14 00:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-07-02 06:56 - 2012-07-02 06:56 - 00017918 ____A C:\Users\Andrea\Desktop\combo fix.txt

2012-07-02 06:53 - 2012-07-02 06:53 - 00017918 ____A C:\ComboFix.txt

2012-07-02 06:49 - 2009-07-13 22:34 - 00000215 ____A C:\Windows\system.ini

2012-07-02 06:48 - 2010-01-05 12:43 - 00501710 ____A C:\Windows\PFRO.log

2012-07-02 06:36 - 2012-07-02 06:36 - 04568951 ____R (Swearware) C:\Users\Andrea\Desktop\ComboFix.exe

2012-07-02 06:35 - 2012-07-02 06:35 - 00001166 ____A C:\Users\Andrea\Desktop\checkup.txt

2012-07-02 06:32 - 2012-07-02 06:32 - 00881475 ____A C:\Users\Andrea\Downloads\SecurityCheck.exe

2012-07-02 06:28 - 2009-07-14 01:13 - 00727362 ____A C:\Windows\System32\PerfStringBackup.INI

2012-07-01 22:05 - 2012-07-01 22:05 - 00016966 ____A C:\Users\Andrea\Desktop\DDS.txt

2012-07-01 22:05 - 2012-07-01 22:05 - 00004364 ____A C:\Users\Andrea\Desktop\Attach.txt

2012-07-01 22:04 - 2012-07-01 22:04 - 00607260 ____R (Swearware) C:\Users\Andrea\Downloads\dds (1).scr

2012-07-01 22:03 - 2012-07-01 22:03 - 00607260 ____A (Swearware) C:\Users\Andrea\Downloads\dds.scr

2012-06-25 17:43 - 2012-06-25 17:43 - 00251392 ____A C:\Users\Andrea\Documents\anniversary concert.sig

2012-06-14 08:09 - 2009-07-14 00:45 - 01156936 ____A C:\Windows\System32\FNTCACHE.DAT

2012-06-13 23:46 - 2010-02-27 17:44 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-06-02 18:19 - 2012-06-21 08:51 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 18:19 - 2012-06-21 08:51 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 18:19 - 2012-06-21 08:51 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 18:19 - 2012-06-21 08:51 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 18:19 - 2012-06-21 08:51 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 18:15 - 2012-06-21 08:51 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 18:15 - 2012-06-21 08:51 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 15:19 - 2012-06-21 08:50 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 15:15 - 2012-06-21 08:50 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-05-17 22:47 - 2012-06-13 23:44 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-05-17 22:16 - 2012-06-13 23:44 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-05-17 22:06 - 2012-06-13 23:44 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-05-17 21:59 - 2012-06-13 23:44 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-05-17 21:59 - 2012-06-13 23:44 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-05-17 21:58 - 2012-06-13 23:44 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-05-17 21:58 - 2012-06-13 23:44 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-05-17 21:56 - 2012-06-13 23:44 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-05-17 21:55 - 2012-06-13 23:44 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-05-17 21:55 - 2012-06-13 23:44 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-05-17 21:54 - 2012-06-13 23:44 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-05-17 21:51 - 2012-06-13 23:44 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-05-17 21:51 - 2012-06-13 23:44 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-05-17 21:47 - 2012-06-13 23:44 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-05-17 19:11 - 2012-06-13 23:44 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-05-17 18:48 - 2012-06-13 23:44 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-05-17 18:45 - 2012-06-13 23:44 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-05-17 18:36 - 2012-06-13 23:44 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-05-17 18:35 - 2012-06-13 23:44 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-05-17 18:35 - 2012-06-13 23:44 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-05-17 18:33 - 2012-06-13 23:44 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-05-17 18:31 - 2012-06-13 23:44 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-05-17 18:29 - 2012-06-13 23:44 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-05-17 18:29 - 2012-06-13 23:44 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-05-17 18:27 - 2012-06-13 23:44 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-05-17 18:25 - 2012-06-13 23:44 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-05-17 18:24 - 2012-06-13 23:44 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-05-17 18:20 - 2012-06-13 23:44 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-05-14 21:32 - 2012-06-13 23:17 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-05-09 23:59 - 2009-07-13 22:34 - 00000499 ____A C:\Windows\win.ini

2012-05-04 07:06 - 2012-06-13 23:17 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-05-04 06:03 - 2012-06-13 23:17 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe

2012-05-04 06:03 - 2012-06-13 23:17 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe

2012-04-27 23:55 - 2012-06-13 23:17 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

2012-04-26 01:41 - 2012-06-13 23:17 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll

2012-04-26 01:41 - 2012-06-13 23:17 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll

2012-04-26 01:34 - 2012-06-13 23:17 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe

2012-04-18 12:05 - 2012-01-21 15:00 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-04-04 15:56 - 2012-01-13 20:23 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-04-04 07:18 - 2012-04-04 07:18 - 00910616 ____A C:\Windows\Minidump\040412-12651-01.dmp

2012-04-04 07:18 - 2011-07-23 22:01 - 588655569 ____A C:\Windows\MEMORY.DMP

ZeroAccess:

C:\Windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}

C:\Windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}\@

C:\Windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}\L

C:\Windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}\U

C:\Windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}\L\00000004.@

C:\Windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}\U\00000004.@

C:\Windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}\U\00000008.@

C:\Windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}\U\000000cb.@

C:\Windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}\U\80000000.@

C:\Windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}\U\80000032.@

C:\Windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}\U\80000064.@

ZeroAccess:

C:\Users\Andrea\AppData\Local\{95383168-b823-4219-a7b0-3865230b2d10}

C:\Users\Andrea\AppData\Local\{95383168-b823-4219-a7b0-3865230b2d10}\@

C:\Users\Andrea\AppData\Local\{95383168-b823-4219-a7b0-3865230b2d10}\L

C:\Users\Andrea\AppData\Local\{95383168-b823-4219-a7b0-3865230b2d10}\U

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 17%

Total physical RAM: 6108.98 MB

Available physical RAM: 5009.48 MB

Total Pagefile: 12216.16 MB

Available Pagefile: 11125.84 MB

Total Virtual: 8192 MB

Available Virtual: 8191.86 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:581.48 GB) (Free:528.86 GB) NTFS

7 Drive i: (CRUZER-USB) (Removable) (Total:3.82 GB) (Free:1.67 GB) FAT32

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 596 GB 0 B

Disk 1 Online 3919 MB 0 B

Disk 2 No Media 0 B 0 B

Disk 3 No Media 0 B 0 B

Disk 4 No Media 0 B 0 B

Disk 5 No Media 0 B 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 39 MB 31 KB

Partition 2 Primary 14 GB 40 MB

Partition 3 Primary 581 GB 14 GB

==================================================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

There is no volume associated with this partition.

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 RECOVERY NTFS Partition 14 GB Healthy System (partition with boot components)

==================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C OS NTFS Partition 581 GB Healthy Boot

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 3919 MB 31 KB

==================================================================================

Disk: 1

Partition 1

Type : 0B

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 I CRUZER-USB FAT32 Removable 3919 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-06-28 11:56

======================= End Of Log ==========================


  • Staff

Greetings

OK, let's see if we can find a replacement for the infected file.

In Vista or Windows 7: Boot to System Recovery Options and run FRST.

Type the following in the edit box after "Search:".

winlogon.exe;explorer.exe

Note: The file names should be separated by semicolon (;)

It then should look like:

Search: winlogon.exe;explorer.exe

Click Search button and post the log (Search.txt) it makes to your reply.

Gringo


Search results are pasted below...Thanks, willie655

Farbar Recovery Scan Tool Version: 02-07-2012

Ran by Andrea at 2012-07-03 21:01:40

Running from I:\

================== Search: "winlogon.exe;explorer.exe" ===================

C:\Windows\explorer.exe

[2011-06-20 19:50] - [2010-11-20 09:24] - 2872320 ____A (Microsoft Corporation) AC4C51EB24AA95B77F705AB159189E24

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb\explorer.exe

[2011-06-20 19:50] - [2010-11-20 08:17] - 2616320 ____A (Microsoft Corporation) 40D777B7A95E00593EB1568C68514493

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_b89b8100e0dd69c2\explorer.exe

[2010-02-27 17:14] - [2009-10-31 02:00] - 2614272 ____A (Microsoft Corporation) C76153C7ECA00FA852BB0C193378F917

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_b8d95faae0af7617\explorer.exe

[2010-01-05 12:41] - [2010-01-05 12:41] - 2613248 ____A (Microsoft Corporation) 9FF6C4C91A3711C0A3B18F87B08B518D

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_b819b343c7ba6202\explorer.exe

[2010-02-27 17:14] - [2009-10-31 01:45] - 2614272 ____A (Microsoft Corporation) 2626FC9755BE22F805D3CFA0CE3EE727

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_b853c407c78e3ba9\explorer.exe

[2010-01-05 12:41] - [2010-01-05 12:41] - 2613248 ____A (Microsoft Corporation) B95EEB0F4E5EFBF1038A35B3351CF047

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_b7fe430bc7ce3761\explorer.exe

[2009-07-13 19:41] - [2009-07-13 21:14] - 2613248 ____A (Microsoft Corporation) 15BC38A7492BEFE831966ADB477CF76F

C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636\winlogon.exe

[2011-06-20 19:50] - [2010-11-20 09:25] - 0390656 ____A (Microsoft Corporation) 1151B1BAA6F350B1DB6598E0FEA7C457

C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_cc522fd507b468f8\winlogon.exe

[2010-02-27 17:14] - [2009-10-28 03:01] - 0389632 ____A (Microsoft Corporation) A93D41A4D4B0D91C072D11DD8AF266DE

C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_cbe534e7ee8042ad\winlogon.exe

[2010-02-27 17:14] - [2009-10-28 02:24] - 0389632 ____A (Microsoft Corporation) DA3E2A6FA9660CC75B471530CE88453A

C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_cbb7f2bdeea2829c\winlogon.exe

[2009-07-13 19:52] - [2009-07-13 21:39] - 0389120 ____A (Microsoft Corporation) 132328DF455B0028F13BF0ABEE51A63A

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe

[2011-06-20 19:50] - [2010-11-20 09:24] - 2872320 ____A (Microsoft Corporation) AC4C51EB24AA95B77F705AB159189E24

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_ae46d6aeac7ca7c7\explorer.exe

[2010-02-27 17:14] - [2009-10-31 02:38] - 2870272 ____A (Microsoft Corporation) B8EC4BD49CE8F6FC457721BFC210B67F

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_ae84b558ac4eb41c\explorer.exe

[2010-01-05 12:41] - [2010-01-05 12:41] - 2868224 ____A (Microsoft Corporation) 700073016DAC1C3D2E7E2CE4223334B6

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_adc508f19359a007\explorer.exe

[2010-02-27 17:14] - [2009-10-31 02:34] - 2870272 ____A (Microsoft Corporation) 9AAAEC8DAC27AA17B053E6352AD233AE

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_adff19b5932d79ae\explorer.exe

[2010-01-05 12:41] - [2010-01-05 12:41] - 2868224 ____A (Microsoft Corporation) F170B4A061C9E026437B193B4D571799

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_ada998b9936d7566\explorer.exe

[2009-07-13 19:56] - [2009-07-13 21:39] - 2868224 ____A (Microsoft Corporation) C235A51CB740E45FFA0EBFB9BAFCDA64

C:\Windows\SysWOW64\explorer.exe

[2011-06-20 19:50] - [2010-11-20 08:17] - 2616320 ____A (Microsoft Corporation) 40D777B7A95E00593EB1568C68514493

C:\Windows\System32\winlogon.exe

[2011-06-20 19:50] - [2010-11-20 09:25] - 0390656 ____A (Microsoft Corporation) 1151B1BAA6F350B1DB6598E0FEA7C457

C:\Windows\erdnt\cache86\explorer.exe

[2012-07-02 06:52] - [2010-11-20 09:24] - 2872320 ____A (Microsoft Corporation) AC4C51EB24AA95B77F705AB159189E24

C:\Windows\erdnt\cache64\winlogon.exe

[2012-07-02 06:52] - [2010-11-20 09:25] - 0390656 ____A (Microsoft Corporation) 1151B1BAA6F350B1DB6598E0FEA7C457

C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe

[2012-01-21 15:00] - [2012-04-04 15:56] - 0199240 ____A () 097D0E812D7A9A3101CE46CB2BE0474D

====== End Of Search ======


  • Staff

Greetings

OK, let's see if we can find a replacement for the infected file.

In Vista or Windows 7: Boot to System Recovery Options and run FRST.

Type the following in the edit box after "Search:".

services.exe

It then should look like:

Search: services.exe

Click Search button and post the log (Search.txt) it makes to your reply.

Gringo


Search results are below...willie655

Farbar Recovery Scan Tool Version: 02-07-2012

Ran by Andrea at 2012-07-03 21:39:22

Running from I:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 19:19] - [2009-07-13 21:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 19:19] - [2009-07-13 21:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

C:\Windows\erdnt\cache64\services.exe

[2012-07-02 06:52] - [2009-07-13 21:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======


  • Staff

Hello

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad window. Save it on the flash drive as fixlist.txt.


Replace: C:\Windows\erdnt\cache64\services.exe C:\Windows\System32\services.exe
C:\Windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}
C:\Users\Andrea\AppData\Local\{95383168-b823-4219-a7b0-3865230b2d10}

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Gringo


Fixlog is pasted below...Thanks, willie655

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 02-07-2012

Ran by Andrea at 2012-07-04 08:29:41 Run:1

Running from I:\

ATTENTION: THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.

==============================================

Could not find C:\Windows\System32\services.exe C:\Windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}.

Could not replece C:\Windows\System32\services.exe C:\Windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}.

C:\Users\Andrea\AppData\Local\{95383168-b823-4219-a7b0-3865230b2d10} moved successfully.

==== End of Fixlog ====


Fixlog is below. Originally, I incorrectly went into "Safe Mode with Command Prompt" to run the fix. Your instructions were very clear; I didn't follow them correctly. Looks like AppData was moved the first time I ran the fix in Safe Mode. Do I need to back up several steps and restart? Sorry for the confusion... Thanks, willie655

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 02-07-2012

Ran by SYSTEM at 2012-07-04 13:40:59 Run:2

Running from J:\

==============================================

Could not find C:\Windows\System32\services.exe C:\Windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}.

Could not replece C:\Windows\System32\services.exe C:\Windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10}.

C:\Users\Andrea\AppData\Local\{95383168-b823-4219-a7b0-3865230b2d10} not found.

==== End of Fixlog ====


Gringo...I think I may have figured out part of the problem. I thought I had disabled anti-virus, but it is still running. At least one file in fixlist has been quarantined. This is why it can't be found. I have tried to stop and uninstall the anti-virus program, but neither action will work...Thanks, willie655


Fixlog is below...Thanks, willie655

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 02-07-2012

Ran by SYSTEM at 2012-07-04 16:22:23 Run:3

Running from F:\

==============================================

C:\Windows\System32\services.exe moved successfully.

C:\Windows\erdnt\cache64\services.exe copied successfully to C:\Windows\System32\services.exe

C:\Windows\Installer\{95383168-b823-4219-a7b0-3865230b2d10} moved successfully.

C:\Users\Andrea\AppData\Local\{95383168-b823-4219-a7b0-3865230b2d10} not found.

==== End of Fixlog ====


  • Staff

Hello

That looks a lot better.

I would like you to download an updated version of ComboFix.

Update ComboFix

  • Delete the version of ComboFix you have now on your desktop and download a new one from one of these links: Link 1, Link 2, Link 3

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on ComboFix.exe and follow the prompts.

When finished, it will produce a report for you.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

Information and logs

  • In your next post I need the following
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo


The FRST log is below... Thanks, willie655

Scan result of Farbar Recovery Scan Tool Version: 02-07-2012

Ran by SYSTEM at 04-07-2012 22:26:55

Running from F:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8060960 2009-08-05] (Realtek Semiconductor)

HKLM\...\Run: [iAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)

HKLM\...\Run: [igfxTray] C:\Windows\system32\igfxtray.exe [161304 2010-08-25] (Intel Corporation)

HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [386584 2010-08-25] (Intel Corporation)

HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [415256 2010-08-25] (Intel Corporation)

HKLM\...\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon [2710856 2009-11-01] (CANON INC.)

HKLM\...\Run: [CanonSolutionMenu] C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.exe /logon [767312 2009-09-03] (CANON INC.)

HKLM\...\Run: [OfficeScanNT Monitor] -HideWindow [x]

HKLM-x32\...\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m [1779952 2009-09-11] ()

HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-06-24] (CyberLink Corp.)

HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()

HKLM-x32\...\Run: [OfficeScanNT Monitor] "C:\Program Files (x86)\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow [1117488 2008-06-16] (Trend Micro Inc.)

HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot [274608 2010-11-09] (RealNetworks, Inc.)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2011-06-07] (Apple Inc.)

HKLM-x32\...\Run: [iJNetworkScanUtility] C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [140640 2009-09-28] (CANON INC.)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-01-03] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)

HKU\Andrea\...\Run: [smileboxTray] "C:\Users\Andrea\AppData\Roaming\Smilebox\SmileboxTray.exe" [325448 2012-05-15] (Smilebox, Inc.)

HKU\Andrea\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-11-09] (Google Inc.)

HKU\Andrea\...\Run: [benpr] "C:\Windows\System32\rundll32.exe" "C:\Users\Andrea\AppData\Roaming\benpr.dll",CreateEffectFromResourceW [x]

Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]

Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files (x86)\Digital Line Detect\DLG.exe (Avanquest Software )

Startup: C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk

ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe (McAfee, Inc.)

Startup: C:\Users\Andrea\Start Menu\Programs\Startup\Dell Dock.lnk

ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk

ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk

ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Services (Whitelisted) ======

2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [116104 2009-09-08] ()

3 iPod Service; "C:\Program Files (x86)\iPod\bin\iPodService.exe" [934176 2011-06-07] (Apple Inc.)

3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe" [227232 2010-09-02] (McAfee, Inc.)

2 ntrtscan; "C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe" [1250096 2008-06-16] (Trend Micro Inc.)

2 tmlisten; "C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe" [1355568 2008-06-16] (Trend Micro Inc.)

3 TmPfw; "C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmPfw.exe" [585648 2008-06-16] (Trend Micro Inc.)

3 TmProxy; "C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe" [865032 2008-06-16] (Trend Micro Inc.)

3 aspnet_state; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [x]

========================== Drivers (Whitelisted) =============

3 CAXHWBS2; C:\Windows\System32\Drivers\CAXHWBS2.sys [411136 2009-02-13] (Conexant Systems, Inc.)

2 TmFilter; \??\C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmXPFlt.sys [342288 2011-07-12] (Trend Micro Inc.)

1 tmlwf; C:\Windows\System32\Drivers\tmlwf.sys [192528 2008-06-16] (Trend Micro Inc.)

2 TmPreFilter; \??\C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmPreFlt.sys [42768 2011-07-12] (Trend Micro Inc.)

1 tmtdi; C:\Windows\System32\Drivers\tmtdi.sys [86792 2008-06-16] (Trend Micro Inc.)

2 tmwfp; C:\Windows\System32\Drivers\tmwfp.sys [277008 2008-06-16] (Trend Micro Inc.)

2 VSApiNt; \??\C:\Program Files (x86)\Trend Micro\OfficeScan Client\VSApiNt.sys [2077456 2011-07-12] (Trend Micro Inc.)

3 catchme; \??\C:\ComboFix\catchme.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-07-04 13:02 - 2012-07-04 13:00 - 04571247 ____A (Swearware) C:\Users\Andrea\Desktop\ComboFix.exe

2012-07-03 16:46 - 2012-07-03 16:46 - 00314880 ____A C:\Users\Andrea\AppData\Local\zajzd.exe

2012-07-02 18:34 - 2012-07-02 18:34 - 00000000 ____D C:\FRST

2012-07-02 02:56 - 2012-07-02 02:56 - 00017918 ____A C:\Users\Andrea\Desktop\combo fix.txt

2012-07-02 02:53 - 2012-07-02 02:53 - 00017918 ____A C:\ComboFix.txt

2012-07-02 02:38 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe

2012-07-02 02:38 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe

2012-07-02 02:38 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe

2012-07-02 02:38 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe

2012-07-02 02:38 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe

2012-07-02 02:38 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe

2012-07-02 02:38 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe

2012-07-02 02:38 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe

2012-07-02 02:36 - 2012-07-02 02:53 - 00000000 ____D C:\Qoobox

2012-07-02 02:36 - 2012-07-02 02:52 - 00000000 ____D C:\Windows\erdnt

2012-07-02 02:35 - 2012-07-02 02:35 - 00001166 ____A C:\Users\Andrea\Desktop\checkup.txt

2012-07-02 02:32 - 2012-07-02 02:32 - 00881475 ____A C:\Users\Andrea\Downloads\SecurityCheck.exe

2012-07-01 18:05 - 2012-07-01 18:05 - 00016966 ____A C:\Users\Andrea\Desktop\DDS.txt

2012-07-01 18:05 - 2012-07-01 18:05 - 00004364 ____A C:\Users\Andrea\Desktop\Attach.txt

2012-07-01 18:04 - 2012-07-01 18:04 - 00607260 ____R (Swearware) C:\Users\Andrea\Downloads\dds (1).scr

2012-07-01 18:03 - 2012-07-01 18:03 - 00607260 ____A (Swearware) C:\Users\Andrea\Downloads\dds.scr

2012-06-30 13:41 - 2012-06-30 13:41 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%

2012-06-25 13:43 - 2012-06-25 13:43 - 00251392 ____A C:\Users\Andrea\Documents\anniversary concert.sig

2012-06-22 13:49 - 2012-06-22 13:51 - 00000000 ____D C:\Users\Andrea\AppData\Roaming\.minecraft

2012-06-21 04:51 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-21 04:51 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-21 04:51 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-21 04:51 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-21 04:51 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-21 04:51 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-21 04:51 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-21 04:50 - 2012-06-02 11:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-21 04:50 - 2012-06-02 11:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-13 19:44 - 2012-05-17 18:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-06-13 19:44 - 2012-05-17 18:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-06-13 19:44 - 2012-05-17 18:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-06-13 19:44 - 2012-05-17 17:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-06-13 19:44 - 2012-05-17 17:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-06-13 19:44 - 2012-05-17 17:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-06-13 19:44 - 2012-05-17 17:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-06-13 19:44 - 2012-05-17 17:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-06-13 19:44 - 2012-05-17 17:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-06-13 19:44 - 2012-05-17 17:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-06-13 19:44 - 2012-05-17 17:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-06-13 19:44 - 2012-05-17 17:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-06-13 19:44 - 2012-05-17 17:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-06-13 19:44 - 2012-05-17 17:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-06-13 19:44 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-06-13 19:44 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-06-13 19:44 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-06-13 19:44 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-06-13 19:44 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-06-13 19:44 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-06-13 19:44 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-06-13 19:44 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-06-13 19:44 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-06-13 19:44 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-06-13 19:44 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-06-13 19:44 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-06-13 19:44 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-06-13 19:44 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-06-13 19:17 - 2012-05-14 17:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-06-13 19:17 - 2012-05-04 03:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-06-13 19:17 - 2012-05-04 02:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe

2012-06-13 19:17 - 2012-05-04 02:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe

2012-06-13 19:17 - 2012-04-27 19:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

2012-06-13 19:17 - 2012-04-25 21:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll

2012-06-13 19:17 - 2012-04-25 21:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll

2012-06-13 19:17 - 2012-04-25 21:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe

============ 3 Months Modified Files ========================

2012-07-04 18:24 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-07-04 18:24 - 2009-07-13 20:51 - 00108307 ____A C:\Windows\setupact.log

2012-07-04 13:24 - 2009-07-13 21:10 - 01229691 ____A C:\Windows\WindowsUpdate.log

2012-07-04 13:04 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-07-04 13:04 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-07-04 13:00 - 2012-07-04 13:02 - 04571247 ____A (Swearware) C:\Users\Andrea\Desktop\ComboFix.exe

2012-07-04 13:00 - 2010-11-09 11:10 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-07-04 12:57 - 2010-11-09 11:10 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-07-04 12:56 - 2010-01-05 08:43 - 00503732 ____A C:\Windows\PFRO.log

2012-07-04 11:40 - 2009-07-13 21:08 - 00032566 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-07-03 16:46 - 2012-07-03 16:46 - 00314880 ____A C:\Users\Andrea\AppData\Local\zajzd.exe

2012-07-03 12:57 - 2011-12-24 13:26 - 00000454 ___AH C:\Windows\Tasks\Norton Security Scan for Andrea.job

2012-07-02 02:56 - 2012-07-02 02:56 - 00017918 ____A C:\Users\Andrea\Desktop\combo fix.txt

2012-07-02 02:53 - 2012-07-02 02:53 - 00017918 ____A C:\ComboFix.txt

2012-07-02 02:49 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini

2012-07-02 02:35 - 2012-07-02 02:35 - 00001166 ____A C:\Users\Andrea\Desktop\checkup.txt

2012-07-02 02:32 - 2012-07-02 02:32 - 00881475 ____A C:\Users\Andrea\Downloads\SecurityCheck.exe

2012-07-02 02:28 - 2009-07-13 21:13 - 00727362 ____A C:\Windows\System32\PerfStringBackup.INI

2012-07-01 18:05 - 2012-07-01 18:05 - 00016966 ____A C:\Users\Andrea\Desktop\DDS.txt

2012-07-01 18:05 - 2012-07-01 18:05 - 00004364 ____A C:\Users\Andrea\Desktop\Attach.txt

2012-07-01 18:04 - 2012-07-01 18:04 - 00607260 ____R (Swearware) C:\Users\Andrea\Downloads\dds (1).scr

2012-07-01 18:03 - 2012-07-01 18:03 - 00607260 ____A (Swearware) C:\Users\Andrea\Downloads\dds.scr

2012-06-25 13:43 - 2012-06-25 13:43 - 00251392 ____A C:\Users\Andrea\Documents\anniversary concert.sig

2012-06-14 04:09 - 2009-07-13 20:45 - 01156936 ____A C:\Windows\System32\FNTCACHE.DAT

2012-06-13 19:46 - 2010-02-27 13:44 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-06-02 14:19 - 2012-06-21 04:51 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 14:19 - 2012-06-21 04:51 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 14:19 - 2012-06-21 04:51 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 14:19 - 2012-06-21 04:51 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 14:19 - 2012-06-21 04:51 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 14:15 - 2012-06-21 04:51 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 14:15 - 2012-06-21 04:51 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 11:19 - 2012-06-21 04:50 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 11:15 - 2012-06-21 04:50 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-05-17 18:47 - 2012-06-13 19:44 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-05-17 18:16 - 2012-06-13 19:44 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-05-17 18:06 - 2012-06-13 19:44 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-05-17 17:59 - 2012-06-13 19:44 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-05-17 17:59 - 2012-06-13 19:44 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-05-17 17:58 - 2012-06-13 19:44 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-05-17 17:58 - 2012-06-13 19:44 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-05-17 17:56 - 2012-06-13 19:44 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-05-17 17:55 - 2012-06-13 19:44 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-05-17 17:55 - 2012-06-13 19:44 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-05-17 17:54 - 2012-06-13 19:44 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-05-17 17:51 - 2012-06-13 19:44 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-05-17 17:51 - 2012-06-13 19:44 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-05-17 17:47 - 2012-06-13 19:44 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-05-17 15:11 - 2012-06-13 19:44 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-05-17 14:48 - 2012-06-13 19:44 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-05-17 14:45 - 2012-06-13 19:44 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-05-17 14:36 - 2012-06-13 19:44 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-05-17 14:35 - 2012-06-13 19:44 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-05-17 14:35 - 2012-06-13 19:44 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-05-17 14:33 - 2012-06-13 19:44 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-05-17 14:31 - 2012-06-13 19:44 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-05-17 14:29 - 2012-06-13 19:44 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-05-17 14:29 - 2012-06-13 19:44 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-05-17 14:27 - 2012-06-13 19:44 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-05-17 14:25 - 2012-06-13 19:44 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-05-17 14:24 - 2012-06-13 19:44 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-05-17 14:20 - 2012-06-13 19:44 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-05-14 17:32 - 2012-06-13 19:17 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-05-09 19:59 - 2009-07-13 18:34 - 00000499 ____A C:\Windows\win.ini

2012-05-04 03:06 - 2012-06-13 19:17 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-05-04 02:03 - 2012-06-13 19:17 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe

2012-05-04 02:03 - 2012-06-13 19:17 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe

2012-04-27 19:55 - 2012-06-13 19:17 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

2012-04-25 21:41 - 2012-06-13 19:17 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll

2012-04-25 21:41 - 2012-06-13 19:17 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll

2012-04-25 21:34 - 2012-06-13 19:17 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe

2012-04-18 08:05 - 2012-01-21 11:00 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 11%

Total physical RAM: 6108.98 MB

Available physical RAM: 5395.25 MB

Total Pagefile: 6107.13 MB

Available Pagefile: 5385.16 MB

Total Virtual: 8192 MB

Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:581.48 GB) (Free:527.99 GB) NTFS

3 Drive f: (CRUZER-USB) (Removable) (Total:3.82 GB) (Free:1.67 GB) FAT32

8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

9 Drive y: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:9.27 GB) NTFS

Disk ###  Status         Size     Free     Dyn  Gpt
--------  -------------  -------  -------  ---  ---
Disk 0    Online          596 GB      0 B
Disk 1    Online         3919 MB      0 B
Disk 2    No Media          0 B      0 B
Disk 3    No Media          0 B      0 B
Disk 4    No Media          0 B      0 B
Disk 5    No Media          0 B      0 B

Partitions of Disk 0:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    OEM                 39 MB    31 KB
Partition 2    Primary             14 GB    40 MB
Partition 3    Primary            581 GB    14 GB

==================================================================================

Disk: 0
Partition 1
Type  : DE
Hidden: Yes
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 8                    FAT    Partition     39 MB  Healthy    Hidden

==================================================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1  Y    RECOVERY     NTFS   Partition     14 GB  Healthy

==================================================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2  C    OS           NTFS   Partition    581 GB  Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           3919 MB    31 KB

==================================================================================

Disk: 1
Partition 1
Type  : 0B
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3  F    CRUZER-USB   FAT32  Removable   3919 MB  Healthy

==================================================================================

==========================================================

Last Boot: 2012-06-28 07:56

======================= End Of Log ==========================


  • Staff

Hello

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt.


2012-07-03 16:46 - 2012-07-03 16:46 - 00314880 ____A C:\Users\Andrea\AppData\Local\zajzd.exe

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Gringo


Fixlog is posted below...Thanks, willie655

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 02-07-2012

Ran by SYSTEM at 2012-07-05 10:22:42 Run:4

Running from F:\

==============================================

C:\Users\Andrea\AppData\Local\zajzd.exe moved successfully.

==== End of Fixlog ====

