craigsiegel

Another system32/services.exe infection

13 posts in this topic

Help. I have picked up the system32/services.exe trojan and now my Windows Vista won't stay up for more than a couple of minutes. It crashes and goes into an automatic restart. My original problem was that I picked up the Live Security Platinum trojan. I ran FixExec and Malwarebytes to get rid of it. But then Microsoft Security Essentials wouldn't run. I reinstalled it and that is when I started getting the Windows crashes. I ran Kaspersky Rescue Disk 10, which picked up the trojan but can't clean it.

I have not run HijackThis, but I ran Farbar and got what looks to be the log you really need, so I am including it here. It flags the system32\services.exe file in the MD5 check. I am also including the results of the search in Farbar for services.exe. The results files are attached.

Help -- I have been at this almost constantly for two days.

-------------------------------------------

Search.txt

FRST.txt


OK, here you go... Please carefully carry out this procedure!

Please download the attached fixlist.txt and copy it to your flash drive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

MrC


Thank you, thank you, thank you.

Here is the log.

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 05-08-2012 01

Ran by SYSTEM at 2012-08-08 12:18:17 Run:1

Running from F:\MalwareFix

==============================================

C:\Windows\Installer\{bce63da1-5ed8-b0ec-38c5-863b6df10fa5} moved successfully.

C:\Users\Craig and Susan\AppData\Local\{bce63da1-5ed8-b0ec-38c5-863b6df10fa5} moved successfully.

C:\Windows\System32\services.exe moved successfully.

C:\Windows\ERDNT\cache\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

Now what?
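The Fixlog above shows the two steps that matter: the flagged C:\Windows\System32\services.exe was moved out of the way, and a copy from C:\Windows\ERDNT\cache was put in its place. The MD5 check mentioned in the first post is the same idea in reverse: hash the live binary and compare it with a copy you trust. The script below is an added example, not FRST's code or anything from this thread; it builds a throwaway System32 and ERDNT\cache layout under a temp directory with constructed file contents (the names mirror the Fixlog, the bytes are made up) and reports which binaries differ from their reference copies. A mismatch only says the two copies differ, which also happens after a legitimate update, so a hit is a prompt to verify against a trusted source before anything is replaced.

```python
"""Integrity check of Windows system binaries against known-good reference copies.

Added example (not FRST's code). It creates a temporary "Windows\\System32" and
"Windows\\ERDNT\\cache" with constructed contents so it runs on any platform.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read 64 KiB at a time


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def check_against_reference(live_dir: Path, ref_dir: Path, names) -> dict:
    """Compare each named binary in live_dir with the copy of the same name in ref_dir.

    Returns name -> "ok" | "MISMATCH" | "missing-live" | "missing-reference".
    "MISMATCH" means the copies differ; it is a review item, not proof of infection.
    """
    report = {}
    for name in names:
        live, ref = live_dir / name, ref_dir / name
        if not live.exists():
            report[name] = "missing-live"
        elif not ref.exists():
            report[name] = "missing-reference"
        elif sha256_of(live) == sha256_of(ref):
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"
    return report


def build_constructed_layout() -> tuple:
    """Create a temporary System32 and ERDNT\\cache with constructed file contents."""
    root = Path(tempfile.mkdtemp(prefix="svc-check-"))
    live = root / "Windows" / "System32"
    ref = root / "Windows" / "ERDNT" / "cache"
    live.mkdir(parents=True)
    ref.mkdir(parents=True)
    clean = b"MZ" + b"\x00" * 62 + b"constructed clean services.exe body"
    (ref / "services.exe").write_bytes(clean)
    # The live copy carries an appended blob, standing in for a tampered binary.
    (live / "services.exe").write_bytes(clean + b"\xCC" * 64)
    # A second binary that was left untouched, so the report shows an "ok" too.
    (ref / "lsass.exe").write_bytes(b"MZ constructed lsass")
    (live / "lsass.exe").write_bytes(b"MZ constructed lsass")
    return live, ref


def demo() -> dict:
    """Run the comparison over the constructed layout; winlogon.exe is deliberately absent."""
    live, ref = build_constructed_layout()
    return check_against_reference(live, ref, ["services.exe", "lsass.exe", "winlogon.exe"])


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14} {status}")
```

On a real machine the two directory arguments would be the actual System32 and whatever backup you trust, and the name list would be the handful of boot-critical binaries (services.exe, lsass.exe, winlogon.exe and so on) that this kind of infection targets.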


Well done, let's run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your anti-malware programs and run ComboFix from your desktop.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your anti-malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


Question: Can I now start the PC in regular windows without fear of it crashing again after a few minutes?


So far so good. PC is still up and running. But I was so excited to finally be making progress that I forgot to disable MSE before I started ComboFix. I got it turned off as ComboFix was installing and before ComboFix started running. I think that is OK.

Combofix ran and generated its log, but I got the "illegal operation" message when I tried to copy it. I am restarting now to see if I can grab it.


Reboot appears to have taken care of that problem. Here is the ComboFix log.

ComboFix 12-08-08.01 - Craig and Susan 08/08/2012 12:42:24.2.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1822 [GMT -7:00]

Running from: c:\users\Craig and Susan\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\install.exe

c:\users\Craig and Susan\AppData\Roaming\agrer.dll

c:\users\Craig and Susan\AppData\Roaming\vrdms.dll

c:\users\Craig and Susan\Documents\~WRL0005.tmp

c:\users\Craig and Susan\Documents\~WRL0144.tmp

c:\users\Craig and Susan\Documents\~WRL0162.tmp

c:\users\Craig and Susan\Documents\~WRL0307.tmp

c:\users\Craig and Susan\Documents\~WRL1058.tmp

c:\users\Craig and Susan\Documents\~WRL1159.tmp

c:\users\Craig and Susan\Documents\~WRL1446.tmp

c:\users\Craig and Susan\Documents\~WRL1654.tmp

c:\users\Craig and Susan\Documents\~WRL1896.tmp

c:\users\Craig and Susan\Documents\~WRL3248.tmp

c:\users\Craig and Susan\Documents\~WRL3531.tmp

c:\users\Craig and Susan\Documents\~WRL3639.tmp

c:\users\Craig and Susan\Documents\~WRL3766.tmp

c:\users\Craig and Susan\g2mdlhlpx.exe

c:\users\Craig and Susan\Once upon a time there were two caterpillars .doc

.

.

((((((((((((((((((((((((( Files Created from 2012-07-08 to 2012-08-08 )))))))))))))))))))))))))))))))

.

.

2012-08-08 19:54 . 2012-08-08 19:54 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2CA333C5-A7DA-4692-A634-AB2A6D7726F0}\offreg.dll

2012-08-08 19:53 . 2012-08-08 19:53 -------- d-----w- c:\users\Public\AppData\Local\temp

2012-08-08 19:53 . 2012-08-08 19:53 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp

2012-08-08 19:53 . 2012-08-08 19:53 -------- d-----w- c:\users\LogMeInRemoteUser.CraigSusan-PC\AppData\Local\temp

2012-08-08 19:53 . 2012-08-08 19:53 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-08-07 22:43 . 2012-08-07 22:43 -------- d-----w- C:\FRST

2012-08-07 20:21 . 2012-02-09 21:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{937272F2-4CA6-4830-8EB6-0E864380F4EA}\gapaengine.dll

2012-08-07 20:18 . 2012-07-16 09:41 6891424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2CA333C5-A7DA-4692-A634-AB2A6D7726F0}\mpengine.dll

2012-08-07 19:50 . 2012-08-07 19:50 -------- d-----w- c:\program files\Microsoft Security Client

2012-08-07 17:43 . 2012-08-07 17:40 883616 ----a-w- C:\FixExec.exe

2012-08-07 16:51 . 2012-08-07 17:04 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0

2012-08-07 16:41 . 2012-08-07 16:41 -------- d-sh--w- c:\windows\system32\%APPDATA%

2012-08-07 16:36 . 2012-08-07 16:38 -------- d-----w- c:\programdata\036E19320357F9631A6804E82F3B707C

2012-08-07 16:36 . 2012-08-07 16:36 -------- d-----w- c:\windows\scoped_dir_9056_23239

2012-08-07 16:36 . 2012-08-07 16:36 -------- d-----w- c:\windows\scoped_dir_9056_12794

2012-08-07 16:36 . 2012-08-07 16:36 -------- d-----w- c:\users\Craig and Susan\AppData\Local\{E94AF4AB-E0AD-11E1-8270-B8AC6F996F26}

2012-08-07 16:36 . 2012-08-07 16:36 -------- d-----w- c:\users\Craig and Susan\AppData\Local\{E94AB980-E0AD-11E1-8270-B8AC6F996F26}

2012-08-07 16:35 . 2012-08-07 16:35 57344 ---ha-w- c:\windows\system32\mobsEXEC.dll

2012-07-17 00:26 . 2012-07-17 00:26 -------- d-----w- c:\users\Craig and Susan\New Folder (1)

2012-07-11 03:40 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll

2012-07-11 03:39 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll

2012-07-11 03:39 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll

2012-07-11 03:39 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-07-11 03:39 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll

2012-07-11 03:39 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-08-03 16:54 . 2012-05-02 18:26 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-08-03 16:54 . 2011-06-16 13:02 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-12 19:37 . 2009-04-30 03:02 83392 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2012-07-12 19:37 . 2009-04-30 03:02 52128 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll

2012-07-12 19:37 . 2009-04-30 03:02 30624 ----a-w- c:\windows\system32\LMIport.dll

2012-07-12 19:37 . 2009-04-30 03:02 87456 ----a-w- c:\windows\system32\LMIinit.dll

2012-07-03 20:46 . 2011-02-18 08:18 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-13 13:40 . 2012-07-11 10:08 2047488 ----a-w- c:\windows\system32\win32k.sys

2012-06-02 22:19 . 2012-06-19 05:45 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 22:19 . 2012-06-19 05:46 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-19 05:46 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-19 05:45 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-19 05:45 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:19 . 2012-06-19 05:46 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:12 . 2012-06-19 05:46 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:12 . 2012-06-19 05:45 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-02 22:12 . 2012-06-19 05:45 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 08:25 . 2012-07-11 10:03 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-05-19 02:04 . 2009-04-30 03:02 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak

2012-07-19 14:02 . 2012-02-05 01:08 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

"googletalk"="c:\users\Craig and Susan\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

"SlickRun"="c:\program files\SlickRun\sr.exe" [2009-06-02 1161568]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]

"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-27 13539872]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-27 92704]

"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]

"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]

"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]

"UpdatePSTShortCut"="c:\program files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2008-09-11 210216]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-07 148888]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-25 63048]

"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2009-10-17 1325936]

"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2009-10-17 904840]

"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2009-10-17 136544]

"DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-09-09 1148200]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]

.

c:\users\Craig and Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

goSoft (3.1.2.0 F).lnk - c:\program files\goFluent\goSoft(3.1.2.0 F)\goStart.exe [N/A]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Find Fast.lnk

backup=c:\windows\pss\Microsoft Find Fast.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-08 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-02 16:54]

.

2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-31 03:27]

.

2012-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-31 03:27]

.

2012-08-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1015957308-2917552244-2219005616-1000Core.job

- c:\users\Craig and Susan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-14 02:29]

.

2012-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1015957308-2917552244-2219005616-1000UA.job

- c:\users\Craig and Susan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-14 02:29]

.

2012-07-09 c:\windows\Tasks\PCDRScheduledMaintenance.job

- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2008-09-10 14:43]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig

mStart Page = hxxp://www.yahoo.com

uInternet Settings,ProxyOverride = *.local

uInternet Settings,ProxyServer = http=127.0.0.1:63556

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105

Trusted Zone: gofluent.com

TCP: DhcpNameServer = 192.168.0.1 205.171.3.25

DPF: {F9BF64A0-5A65-43E0-ACDB-B223E7F9DDD9} - hxxp://watch.sniffdoghotel.com:10205/WEBWATCH2.cab

FF - ProfilePath - c:\users\Craig and Susan\AppData\Roaming\Mozilla\Firefox\Profiles\0368sgmm.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxps://portal.gofluent.com/group/trainer|https://mail.google.com/mail/?shva=1#inbox

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 63556

FF - prefs.js: network.proxy.type - 0

FF - user.js: extentions.y2layers.installId - 45064580-de3b-4a86-878b-7bb7035d3d86

FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,Buzzdock,

FF - user.js: extensions.autoDisableScopes - 14

FF - user.js: security.csp.enable - false

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-vrdms - c:\users\Craig and Susan\AppData\Roaming\vrdms.dll

HKLM-Run-agrer - c:\users\Craig and Susan\AppData\Roaming\agrer.dll

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-08-08 12:55

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]

"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvvsvc.exe

c:\program files\Microsoft Security Client\MsMpEng.exe

c:\windows\system32\rundll32.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\LogMeIn\x86\LMIGuardianSvc.exe

c:\program files\LogMeIn\x86\RaMaint.exe

c:\program files\LogMeIn\x86\LogMeIn.exe

c:\program files\CDBurnerXP\NMSAccessU.exe

c:\program files\Common Files\Seagate\Schedule2\schedul2.exe

c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe

c:\program files\TeamViewer\Version5\TeamViewer_Service.exe

c:\program files\TomTom HOME 2\TomTomHOMEService.exe

c:\windows\system32\DRIVERS\xaudio.exe

c:\program files\TeamViewer\Version5\TeamViewer.exe

c:\windows\system32\WUDFHost.exe

c:\windows\System32\rundll32.exe

c:\windows\ehome\ehmsas.exe

c:\windows\servicing\TrustedInstaller.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe

c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

.

**************************************************************************

.

Completion time: 2012-08-08 13:06:12 - machine was rebooted

ComboFix-quarantined-files.txt 2012-08-08 20:06

ComboFix2.txt 2011-02-19 23:06

.

Pre-Run: 139,235,803,136 bytes free

Post-Run: 139,302,969,344 bytes free

.

- - End Of File - - EAAE98F1B430770519114F8200B8FB89
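The ComboFix report above contains several entries a reviewer would want pulled out before reading anything else: two Run values pointing at DLLs in AppData\Roaming (agrer.dll, vrdms.dll), an IE ProxyServer and a Firefox network.proxy.http both set to 127.0.0.1:63556, Security Center AntiVirusOverride/FirewallOverride set to 1, EnableLUA set to 0, security.csp.enable forced to false, and a system+hidden directory in System32 literally named %APPDATA%. The script below is an added example, not ComboFix's code; it runs a small set of triage rules over report lines and lists every hit. The sample lines are constructed from the report in this thread, and the rule names and patterns are this script's own. Every hit is a review item rather than a verdict: the profile-autostart rule flags the Google Talk entry just as it flags the two orphans, and a reviewer clears the known application by hand.

```python
"""Triage of ComboFix-style report lines for persistence and network-redirection
entries. Added example, not ComboFix's own code; rule names and patterns are
this script's own, and SAMPLE_LOG is constructed from lines of the report above.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"googletalk"="c:\users\Craig and Susan\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]
"EnableLUA"= 0 (0x0)
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
uInternet Settings,ProxyServer = http=127.0.0.1:63556
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 63556
FF - user.js: security.csp.enable - false
HKLM-Run-vrdms - c:\users\Craig and Susan\AppData\Roaming\vrdms.dll
HKLM-Run-agrer - c:\users\Craig and Susan\AppData\Roaming\agrer.dll
2012-08-07 16:41 . 2012-08-07 16:41 -------- d-sh--w- c:\windows\system32\%APPDATA%
"""

# A .dll/.exe under a user's AppData folder, as used by "name"="path" Run values
# and by ComboFix's "HKLM-Run-name - path" orphan lines.
USER_PROFILE_TARGET = re.compile(
    r'c:\\users\\[^"\[\n]+?\\appdata\\(?:roaming|local)\\[^"\[\n]*?\.(?:dll|exe)', re.I)

RULES = {
    # rule name -> predicate over one stripped report line
    "autostart-from-user-profile": lambda l: (
        l.startswith('"') or l.startswith(("HKLM-Run-", "HKCU-Run-"))
    ) and bool(USER_PROFILE_TARGET.search(l)),
    # IE or Firefox HTTP proxy pointed at the local host: browser traffic is
    # being passed through a process on this machine before it leaves.
    "loopback-proxy": lambda l: bool(re.search(
        r'(?:ProxyServer\s*=\s*\S*127\.0\.0\.1|network\.proxy\.http\s*-\s*127\.0\.0\.1)', l)),
    # Security Center told not to report that antivirus/firewall is off.
    "security-center-override": lambda l: bool(re.match(
        r'"(?:AntiVirusOverride|FirewallOverride)"\s*=\s*dword:0*1$', l)),
    "uac-disabled": lambda l: bool(re.match(r'"EnableLUA"\s*=\s*0\b', l)),
    "csp-disabled": lambda l: bool(re.search(r'security\.csp\.enable\s*-\s*false', l)),
    # A directory literally named like an environment variable (e.g. %APPDATA%):
    # a real expansion never leaves the percent signs in the path.
    "env-var-named-directory": lambda l: bool(re.search(r'\\%[A-Za-z_]+%(?:\\|\s*$)', l)),
}


def triage(report_text: str) -> list:
    """Return (rule, line) pairs for every report line that trips a rule."""
    hits = []
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, matches in RULES.items():
            if matches(line):
                hits.append((name, line))
    return hits


def summarize(hits) -> dict:
    """Count hits per rule so the reviewer sees at a glance which areas need attention."""
    return dict(Counter(rule for rule, _ in hits))


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for rule, line in found:
        print(f"[{rule}] {line}")
    print(summarize(found))
```

The rules are deliberately narrow string checks rather than a full parser of the report format, because the value of a triage pass is that it is fast and its hits are easy to explain; anything it flags still has to be confirmed against the full log, exactly as the helper in this thread did before writing the fix script.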


This was deleted > is it something you want?

c:\users\Craig and Susan\Once upon a time there were two caterpillars .doc

-------------------------------------------

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how the computer is running now, MrC


Nope. Don't need the caterpillar doc.

Here is the MBAM quickscan log. I think I am OK now, right?

Craig

---------------------------------------------

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.07.06

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Craig and Susan :: CRAIGSUSAN-PC [administrator]

8/8/2012 1:45:44 PM

mbam-log-2012-08-08 (13-45-44).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 235072

Time elapsed: 12 minute(s), 48 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Yes.......:)

A little clean up to do....

Please uninstall ComboFix (if you used it):

Press the Windows logo key + R to bring up the "run box"

Copy and paste the next command into the field:

ComboFix /uninstall

Make sure there's a space between ComboFix and /

cf2.jpg

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work, you can simply rename ComboFix.exe to Uninstall.exe and double-click it to complete the uninstall.)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will clean up the tools and logs used, including itself.)

Any other programs or logs you can manually delete.

i.e., RogueKiller.exe, RKreport.txt, the RK_Quarantine folder, etc.

-------------------------------

Any questions, please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.