
ZeroAccess infection



Hello,

I am trying to help a friend with a virus/trojan infection on his computer, which appears to be ZeroAccess. He and I have tried a few things including MBAM and his Trend Micro AV software, which has quarantined and/or removed a few things, but it appears to still be infected. I've read through a number of related posts looking for a solution, but it seems that I will need some help to resolve this, please. We will much appreciate any assistance you can provide.

Attaching DDS.TXT, ATTACH.TXT, and RKReport.

Thanks very much and let me know if any additional information is required.

Attach.txt

DDS.txt

RKreport2.txt


Here you go......

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.<------

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

    Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:

    services.exe

  • Now press the Search button
  • When the search is complete, search.txt will also be written to your USB
  • Type exit and reboot the computer normally
  • Please copy and paste both logs in your reply. (FRST.txt and Search.txt)

MrC


MrCharlie, many thanks for your help. Here are the results:

FRST.TXT:

Scan result of Farbar Recovery Scan Tool Version: 15-08-2012

Ran by SYSTEM at 15-08-2012 16:11:38

Running from F:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1713448 2009-03-18] (Synaptics Incorporated)

HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [487264 2009-03-06] (TOSHIBA Corporation)

HKLM\...\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe -set Silent "1" SplashURL "" [1111568 2011-10-08] (Trend Micro Inc.)

HKLM\...\Run: [igfxTray] C:\Windows\system32\igfxtray.exe [165912 2009-09-02] (Intel Corporation)

HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [387608 2009-09-02] (Intel Corporation)

HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [365592 2009-09-02] (Intel Corporation)

HKLM\...\Run: [ThpSrv] C:\Windows\system32\thpsrv /logon [x]

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7982112 2009-07-28] (Realtek Semiconductor)

HKLM\...\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [197152 2011-02-10] (Trend Micro Inc.)

HKLM-x32\...\Run: [TWebCamera] "%ProgramFiles(x86)%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [x]

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)

HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475584 2010-11-20] (Microsoft Corporation)

HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475584 2010-11-20] (Microsoft Corporation)

HKU\Sue\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [163328 2010-11-20] (Microsoft Corporation)

HKU\Sue\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-12-11] (Google Inc.)

HKU\Sue\...\Run: [Google Update] "C:\Users\Sue\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-06-06] (Google Inc.)

Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76 192.168.1.1

Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\V500_DLAgent.exe.lnk

ShortcutTarget: V500_DLAgent.exe.lnk -> C:\Windows\Installer\{E312B20A-7074-44E4-BDE6-27F68A5D48C3}\_895325C67468DB1BAE25F2.exe ()

==================== Services (Whitelisted) ======

2 camsvc; C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe [20544 2009-04-16] (TOSHIBA)

2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 [x]

3 WPFFontCache_v0400; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [x]

========================== Drivers (Whitelisted) =============

2 tmactmon; C:\Windows\System32\Drivers\tmactmon.sys [90704 2011-01-28] (Trend Micro Inc.)

2 tmcomm; C:\Windows\System32\Drivers\tmcomm.sys [144464 2011-01-28] (Trend Micro Inc.)

2 tmcomm; C:\Windows\SysWow64\Drivers\tmcomm.sys [256904 2012-06-04] (Trend Micro Inc.)

2 tmevtmgr; C:\Windows\System32\Drivers\tmevtmgr.sys [67664 2011-01-28] (Trend Micro Inc.)

1 tmtdi; C:\Windows\System32\Drivers\tmtdi.sys [105552 2011-01-28] (Trend Micro Inc.)

3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-08-15 11:36 - 2012-08-15 11:36 - 00002469 ____A C:\Users\Sue\Desktop\RKreport[2].txt

2012-08-15 11:34 - 2012-08-15 11:34 - 00017588 ____A C:\Users\Sue\Desktop\DDS.txt

2012-08-15 11:34 - 2012-08-15 11:34 - 00009763 ____A C:\Users\Sue\Desktop\Attach.txt

2012-08-15 09:18 - 2012-08-15 09:18 - 00607260 ____R (Swearware) C:\Users\Sue\Desktop\dds.scr

2012-08-15 06:52 - 2012-08-15 06:52 - 00002451 ____A C:\Users\Sue\Desktop\RKreport[1].txt

2012-08-15 06:51 - 2012-08-15 06:52 - 00000000 ____D C:\Users\Sue\Desktop\RK_Quarantine

2012-08-15 06:50 - 2012-08-15 06:42 - 01558528 ____A C:\Users\Sue\Desktop\RogueKiller.exe

2012-08-15 06:25 - 2012-08-15 06:26 - 00003700 ____A C:\Windows\DCEBOOT.CFG

2012-07-20 15:37 - 2012-08-15 03:35 - 00000000 ____D C:\Users\Sue\AppData\Roaming\Systweak

2012-07-20 15:37 - 2012-07-16 10:25 - 00018856 ____A (Systweak Inc., (www.systweak.com)) C:\Windows\System32\roboot64.exe

============ 3 Months Modified Files ========================

2012-08-15 12:06 - 2011-04-08 09:55 - 00011104 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-08-15 12:06 - 2011-04-08 09:55 - 00011104 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-08-15 11:39 - 2009-07-13 21:13 - 00741854 ____A C:\Windows\System32\PerfStringBackup.INI

2012-08-15 11:36 - 2012-08-15 11:36 - 00002469 ____A C:\Users\Sue\Desktop\RKreport[2].txt

2012-08-15 11:34 - 2012-08-15 11:34 - 00017588 ____A C:\Users\Sue\Desktop\DDS.txt

2012-08-15 11:34 - 2012-08-15 11:34 - 00009763 ____A C:\Users\Sue\Desktop\Attach.txt

2012-08-15 11:30 - 2012-04-17 20:02 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-08-15 11:29 - 2011-07-22 12:42 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2272393853-854540987-2418330432-1000UA.job

2012-08-15 11:29 - 2010-02-08 20:35 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-08-15 09:18 - 2012-08-15 09:18 - 00607260 ____R (Swearware) C:\Users\Sue\Desktop\dds.scr

2012-08-15 06:52 - 2012-08-15 06:52 - 00002451 ____A C:\Users\Sue\Desktop\RKreport[1].txt

2012-08-15 06:50 - 2009-07-13 20:51 - 00321951 ____A C:\Windows\setupact.log

2012-08-15 06:42 - 2012-08-15 06:50 - 01558528 ____A C:\Users\Sue\Desktop\RogueKiller.exe

2012-08-15 06:26 - 2012-08-15 06:25 - 00003700 ____A C:\Windows\DCEBOOT.CFG

2012-08-15 06:26 - 2011-04-10 15:44 - 00021520 ____A C:\Windows\DCEBoot64.exe

2012-08-15 06:23 - 2012-03-06 17:35 - 00000468 ____A C:\Windows\Tasks\SDMsgUpdate (TE).job

2012-08-15 06:23 - 2010-02-08 20:35 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-08-15 06:23 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-08-15 06:22 - 2012-06-21 15:55 - 00027770 ____A C:\Windows\DCEBOOT.RST

2012-08-15 06:22 - 2011-04-11 18:35 - 00000000 ____A C:\Windows\DCEBOOT.LOG

2012-08-15 06:22 - 2011-04-08 10:18 - 01067726 ____A C:\Windows\PFRO.log

2012-08-14 15:11 - 2011-07-22 12:42 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2272393853-854540987-2418330432-1000Core.job

2012-08-14 14:58 - 2011-04-08 10:37 - 01757935 ____A C:\Windows\WindowsUpdate.log

2012-07-18 17:01 - 2012-02-01 16:37 - 00001120 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-07-16 10:25 - 2012-07-20 15:37 - 00018856 ____A (Systweak Inc., (www.systweak.com)) C:\Windows\System32\roboot64.exe

2012-07-11 18:31 - 2009-07-13 20:45 - 00373536 ____A C:\Windows\System32\FNTCACHE.DAT

2012-07-11 17:48 - 2011-07-02 17:45 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-07-11 17:30 - 2012-04-17 20:02 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-07-11 17:30 - 2011-06-17 18:52 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-07-11 17:19 - 2012-07-11 17:20 - 00384844 ____A C:\Users\Sue\AppData\Local\funmoods-speeddial.crx

2012-07-06 07:30 - 2009-07-13 21:08 - 00032638 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-07-05 19:32 - 2012-06-20 20:03 - 00129024 ____A C:\Windows\RegBootClean64.exe

2012-07-03 09:46 - 2011-04-08 03:06 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-07-01 16:27 - 2012-06-22 17:10 - 00000036 ____A C:\Users\Sue\AppData\Local\housecall.guid.cache

2012-06-22 17:22 - 2012-06-22 17:22 - 00187493 ____A C:\Users\Sue\AppData\Local\census.cache

2012-06-22 17:22 - 2012-06-22 17:22 - 00107711 ____A C:\Users\Sue\AppData\Local\ars.cache

2012-06-11 19:08 - 2012-07-11 18:14 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-06-11 16:36 - 2012-06-11 16:36 - 00001856 ____A C:\Users\Public\Desktop\QuickTime Player.lnk

2012-06-10 12:29 - 2012-06-10 12:29 - 00006109 ____A C:\Users\Sue\Documents\Approved! The Huddle.htm

2012-06-08 21:43 - 2012-07-11 17:26 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-06-08 20:41 - 2012-07-11 17:26 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2012-06-05 22:06 - 2012-07-11 17:26 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-06-05 22:06 - 2012-07-11 17:26 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-06-05 22:02 - 2012-07-11 17:25 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll

2012-06-05 21:05 - 2012-07-11 17:26 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2012-06-05 21:05 - 2012-07-11 17:26 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2012-06-05 21:03 - 2012-07-11 17:25 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll

2012-06-04 23:37 - 2012-06-22 17:11 - 00256904 ____A (Trend Micro Inc.) C:\Windows\SysWOW64\Drivers\tmcomm.sys

2012-06-02 14:19 - 2012-06-23 07:36 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 14:19 - 2012-06-23 07:36 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 14:19 - 2012-06-23 07:36 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 14:19 - 2012-06-23 07:36 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 14:19 - 2012-06-23 07:36 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 14:15 - 2012-06-23 07:36 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 14:15 - 2012-06-23 07:36 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 11:19 - 2012-06-23 07:36 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 11:15 - 2012-06-23 07:36 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-01 21:50 - 2012-07-11 17:25 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-06-01 21:48 - 2012-07-11 17:25 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-06-01 21:48 - 2012-07-11 17:25 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-06-01 21:45 - 2012-07-11 17:25 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-06-01 21:44 - 2012-07-11 17:25 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-06-01 20:40 - 2012-07-11 17:25 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2012-06-01 20:40 - 2012-07-11 17:25 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2012-06-01 20:39 - 2012-07-11 17:25 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2012-06-01 20:34 - 2012-07-11 17:25 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

ZeroAccess:

C:\Windows\Installer\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01}

C:\Windows\Installer\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01}\L

C:\Windows\Installer\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01}\U

C:\Windows\Installer\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01}\L\00000004.@

C:\Windows\Installer\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01}\L\1afb2d56

C:\Windows\Installer\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01}\L\201d3dde

C:\Windows\Installer\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01}\L\55490ac4

C:\Windows\Installer\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01}\U\80000064.@

ZeroAccess:

C:\Users\Sue\AppData\Local\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01}

C:\Users\Sue\AppData\Local\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01}\L

C:\Users\Sue\AppData\Local\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01}\U

ZeroAccess:

C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:

C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 14%

Total physical RAM: 3963.99 MB

Available physical RAM: 3392.26 MB

Total Pagefile: 3962.14 MB

Available Pagefile: 3383.16 MB

Total Virtual: 8192 MB

Available Virtual: 8191.88 MB

======================= Partitions =========================

1 Drive c: (TI100343V0F) (Fixed) (Total:286.38 GB) (Free:196.29 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

2 Drive d: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.31 GB) NTFS

4 Drive f: () (Removable) (Total:3.82 GB) (Free:3.33 GB) FAT32

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 298 GB 0 B

Disk 1 Online 3919 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Recovery 1500 MB 1024 KB

Partition 2 Primary 286 GB 1501 MB

Partition 3 Primary 10 GB 287 GB

==================================================================================

Disk: 0

Partition 1

Type : 27

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 D TOSHIBA SYS NTFS Partition 1500 MB Healthy Hidden

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 C TI100343V0F NTFS Partition 286 GB Healthy

==================================================================================

Disk: 0

Partition 3

Type : 17 (Suspicious Type)

Hidden: Yes

Active: No

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 3919 MB 31 KB

==================================================================================

Disk: 1

Partition 1

Type : 0B

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 F FAT32 Removable 3919 MB Healthy

==================================================================================

Last Boot: 2012-06-22 00:09

======================= End Of Log ==========================

SEARCH.TXT:

Farbar Recovery Scan Tool Version: 15-08-2012

Ran by SYSTEM at 2012-08-15 16:16:07

Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======

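The Search.txt output above is the evidence that drives the fix that follows: the component-store (WinSxS) copy of services.exe and the live System32 copy have the same size, the same timestamps and the same version company, yet different MD5 hashes, which is how FRST's Bamital check arrived at its "ZeroAccess" verdict on that file. The following Python script is an added example, not part of this thread or of the FRST tool: it parses a log fragment shaped like the Search section (the constructed sample reuses the paths and hashes quoted above), groups copies by filename, and flags any live copy whose hash matches none of the WinSxS reference copies. It generalises slightly beyond the log here by tolerating several WinSxS versions of the same file (for instance an RTM and a service-pack copy), treating a match against any of them as clean. The function names and the `Finding` record are my own.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample, shaped like the FRST "Search:" section quoted above;
# paths, sizes, timestamps and MD5 values are copied from that log.
SAMPLE_SEARCH_LOG = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
"""


class FileEntry(NamedTuple):
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    company: str
    md5: str


class Finding(NamedTuple):
    live_path: str
    reference_path: str
    live_md5: str
    reference_md5: str
    same_size_and_dates: bool  # True = patched in place, as in the log above


# One FRST detail line: "[created] - [modified] - size attrs (company) MD5"
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_search_log(text: str) -> List[FileEntry]:
    """Pair every drive-letter path line with the detail line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries: List[FileEntry] = []
    i = 0
    while i < len(lines) - 1:
        if PATH_RE.match(lines[i]):
            m = DETAIL_RE.match(lines[i + 1])
            if m:
                entries.append(FileEntry(
                    path=lines[i], created=m["created"], modified=m["modified"],
                    size=int(m["size"]), attrs=m["attrs"], company=m["company"],
                    md5=m["md5"].upper()))
                i += 2
                continue
        i += 1
    return entries


def find_tampered_copies(entries: List[FileEntry]) -> List[Finding]:
    """Flag live copies whose MD5 matches none of the WinSxS copies of the same file.

    WinSxS is the component store Windows keeps its own pristine copies in, so
    it is the natural reference. Several versions may be present; a live copy
    matching any of them is treated as clean. A live copy matching none, with
    identical size and timestamps, is the in-place patch seen in the log above.
    """
    by_name: Dict[str, List[FileEntry]] = defaultdict(list)
    for e in entries:
        by_name[e.path.rsplit("\\", 1)[-1].lower()].append(e)

    findings: List[Finding] = []
    for copies in by_name.values():
        refs = [c for c in copies if "\\winsxs\\" in c.path.lower()]
        live = [c for c in copies if "\\winsxs\\" not in c.path.lower()]
        if not refs:
            continue  # nothing to compare against; report nothing rather than guess
        known = {r.md5 for r in refs}
        for l in live:
            if l.md5 in known:
                continue
            # Report against the same-size reference if there is one, else the first.
            ref = next((r for r in refs if r.size == l.size), refs[0])
            findings.append(Finding(
                l.path, ref.path, l.md5, ref.md5,
                l.size == ref.size and l.created == ref.created and l.modified == ref.modified))
    return findings


if __name__ == "__main__":
    for f in find_tampered_copies(parse_search_log(SAMPLE_SEARCH_LOG)):
        kind = "patched in place" if f.same_size_and_dates else "replaced"
        print(f"{f.live_path}: MD5 {f.live_md5} differs from {f.reference_path} "
              f"({f.reference_md5}); {kind}")
```

A hit from this check is a reason to compare the file further (signature, size, the WinSxS copy's own hash), not proof on its own: a file delivered by an update that has not yet left a WinSxS entry will also fail to match. In this thread the mismatch was confirmed by FRST's own verdict, and the fix that follows does exactly what the comparison suggests, replacing the live copy with the WinSxS one.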

OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

MrC


Hello, here it is:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 15-08-2012

Ran by SYSTEM at 2012-08-15 17:04:50 Run:1

Running from F:\

==============================================

C:\Windows\Installer\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01} moved successfully.

C:\Users\Sue\AppData\Local\{54c64e8f-79d8-2222-d9f5-89b17cbc6d01} moved successfully.

C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.

C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

C:\Windows\System32\services.exe moved successfully.

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====


Well done, let's run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


MrCharlie, here is the ComboFix log:

ComboFix 12-08-15.01 - Sue 08/15/2012 17:25:05.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3964.2891 [GMT -4:00]

Running from: c:\users\Sue\Desktop\ComboFix.exe

AV: Trend Micro Titanium Internet Security *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}

SP: Trend Micro Titanium Internet Security *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\9F10101B-73FD-2F0D-F397-825EE14DA198.ico

c:\programdata\Microsoft\Windows\Start Menu\Programs\Security Defender

c:\programdata\Microsoft\Windows\Start Menu\Programs\Security Defender\Security Defender.lnk

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\V500_DLAgent.exe.lnk

c:\programdata\Roaming

c:\users\Sue\AppData\Roaming\3534.2C9

c:\users\Sue\AppData\Roaming\9F10101B-73FD-2F0D-F397-825EE14DA198.ico

c:\users\Sue\AppData\Roaming\Adobe\plugs

c:\users\Sue\AppData\Roaming\Adobe\plugs\mmc155

c:\users\Sue\AppData\Roaming\Adobe\shed

c:\users\Sue\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Defender

c:\users\Sue\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Defender\Security Defender.lnk

.

.

((((((((((((((((((((((((( Files Created from 2012-07-15 to 2012-08-15 )))))))))))))))))))))))))))))))

.

.

2012-08-16 00:11 . 2012-08-16 00:11 -------- d-----w- C:\FRST

2012-07-20 23:37 . 2012-08-15 11:35 -------- d-----w- c:\users\Sue\AppData\Roaming\Systweak

2012-07-20 23:37 . 2012-07-16 18:25 18856 ----a-w- c:\windows\system32\roboot64.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-08-15 14:26 . 2011-04-10 23:44 21520 ----a-w- c:\windows\DCEBoot64.exe

2012-07-12 01:48 . 2011-07-03 01:45 59701280 ----a-w- c:\windows\system32\MRT.exe

2012-07-12 01:30 . 2012-04-18 04:02 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-07-12 01:30 . 2011-06-18 02:52 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-07-06 03:32 . 2012-06-21 04:03 129024 ----a-w- c:\windows\RegBootClean64.exe

2012-07-03 17:46 . 2011-04-08 11:06 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-12 03:08 . 2012-07-12 02:14 3148800 ----a-w- c:\windows\system32\win32k.sys

2012-06-09 05:43 . 2012-07-12 01:26 14172672 ----a-w- c:\windows\system32\shell32.dll

2012-06-06 06:06 . 2012-07-12 01:26 2004480 ----a-w- c:\windows\system32\msxml6.dll

2012-06-06 06:06 . 2012-07-12 01:26 1881600 ----a-w- c:\windows\system32\msxml3.dll

2012-06-06 06:02 . 2012-07-12 01:25 1133568 ----a-w- c:\windows\system32\cdosys.dll

2012-06-06 05:05 . 2012-07-12 01:26 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll

2012-06-06 05:05 . 2012-07-12 01:26 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll

2012-06-06 05:03 . 2012-07-12 01:25 805376 ----a-w- c:\windows\SysWow64\cdosys.dll

2012-06-05 07:37 . 2012-06-23 01:11 256904 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys

2012-06-02 22:19 . 2012-06-23 15:36 38424 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-23 15:36 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:19 . 2012-06-23 15:36 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-23 15:36 44056 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-23 15:36 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:15 . 2012-06-23 15:36 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:15 . 2012-06-23 15:36 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 19:19 . 2012-06-23 15:36 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 19:15 . 2012-06-23 15:36 36864 ----a-w- c:\windows\system32\wuapp.exe

2012-06-02 05:50 . 2012-07-12 01:25 458704 ----a-w- c:\windows\system32\drivers\cng.sys

2012-06-02 05:48 . 2012-07-12 01:25 151920 ----a-w- c:\windows\system32\drivers\ksecpkg.sys

2012-06-02 05:48 . 2012-07-12 01:25 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-06-02 05:45 . 2012-07-12 01:25 340992 ----a-w- c:\windows\system32\schannel.dll

2012-06-02 05:44 . 2012-07-12 01:25 307200 ----a-w- c:\windows\system32\ncrypt.dll

2012-06-02 04:40 . 2012-07-12 01:25 22016 ----a-w- c:\windows\SysWow64\secur32.dll

2012-06-02 04:40 . 2012-07-12 01:25 225280 ----a-w- c:\windows\SysWow64\schannel.dll

2012-06-02 04:39 . 2012-07-12 01:25 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll

2012-06-02 04:34 . 2012-07-12 01:25 96768 ----a-w- c:\windows\SysWow64\sspicli.dll

2012-05-31 04:04 . 2012-06-19 16:14 9013136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B297B822-353D-43D5-9263-03AE01160E75}\mpengine.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 163328]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-12 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"TWebCamera"="%ProgramFiles(x86)%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe autorun" [X]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]

2009-02-17 00:09 196608 ----a-w- c:\program files (x86)\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]

2009-07-13 19:24 304496 ----a-w- c:\program files (x86)\TOSHIBA\ConfigFree\NDSTray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMAgent]

2009-02-17 00:09 143360 ----a-w- c:\program files (x86)\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-09 135664]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-12 250056]

R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]

R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-09 135664]

R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-08 1255736]

R4 RSELSVC;TOSHIBA Modem region select service;c:\program files\TOSHIBA\rselect\RSelSvc.exe [2009-02-19 55808]

R4 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2009-04-15 251392]

S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [2009-06-29 34880]

S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2009-06-29 14784]

S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [2009-07-24 482384]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]

S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]

S2 camsvc;TOSHIBA Web Camera Service;c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe [2009-04-17 20544]

S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2009-08-10 248688]

S2 ConfigFree Gadget Service;ConfigFree Gadget Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe [2009-07-14 42368]

S2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-10 46448]

S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys [2009-02-12 57344]

S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe64.sys [2009-01-14 55296]

S2 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-04-01 62776]

S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2011-01-29 67664]

S2 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2009-04-09 803696]

S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-03-23 14472]

S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 8704]

S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-10 139264]

S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2010-01-13 7675392]

S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-03-18 32832]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-01-21 413800]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-15 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 01:30]

.

2012-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-09 04:34]

.

2012-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-09 04:34]

.

2012-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2272393853-854540987-2418330432-1000Core.job

- c:\users\Sue\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-22 23:54]

.

2012-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2272393853-854540987-2418330432-1000UA.job

- c:\users\Sue\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-22 23:54]

.

2012-08-15 c:\windows\Tasks\SDMsgUpdate (TE).job

- c:\progra~2\SMARTD~1\Messages\SDNotify.exe [2012-03-07 18:22]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ThpSrv"="c:\windows\system32\thpsrv" [X]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-18 1713448]

"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-10-08 1111568]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 165912]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 387608]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 365592]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-29 7982112]

"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 197152]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://start.funmoods.com/?f=1&a=aln&chnl=aln&cd=2XzuyEtN2Y1L1QzutDtDtC0EyCyDyEyD0A0CtDzz0AyD0ByBtN0D0Tzu0CtCzytAtN1L2XzutBtFtCtFtDtFtAtDtC&cr=73528215

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

uInternet Settings,ProxyServer = http=127.0.0.1:51253

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files (x86)\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-cfFncEnabler - c:\program files (x86)\TOSHIBA\ConfigFree\cfFncEnabler.exe

MSConfigStartUp-TUSBSleepChargeSrv - %ProgramFiles(x86)%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe

HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000001

"MSCurrentCountry"=dword:000000b5

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\Bonjour\mDNSResponder.exe

c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe

.

**************************************************************************

.

Completion time: 2012-08-15 17:39:10 - machine was rebooted

ComboFix-quarantined-files.txt 2012-08-15 21:39

.

Pre-Run: 210,777,845,760 bytes free

Post-Run: 211,959,578,624 bytes free

.

- - End Of File - - 9D831B86E0956727303CCDC19B8FF837

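As an added example (not code from any post in this thread, nor from ComboFix or Malwarebytes), here is a small Python script that reads the kind of lines ComboFix prints and pulls out four things a helper checks by eye in a log like the one above: Run values whose target file is missing (the "[X]" marker), a ProxyServer entry that points at 127.0.0.1, a start page outside an expected host list, and registry keys reported with a deny ACE. The sample log inside it is a constructed excerpt modelled on entries from the log above, and the expected-host list is an assumption. A deny ACE on its own proves nothing: the Flash CLSID keys in the LOCKED REGISTRY KEYS section are locked by Adobe's own installer, so the script reports locked keys for review rather than as malicious, and likewise it only surfaces the loopback proxy; whether a 127.0.0.1 proxy belongs to a legitimate local program is something to confirm on the machine itself.

```python
"""Triage a ComboFix-style log for a few persistence and network indicators.

Added example for this thread, not ComboFix's or Malwarebytes' own code.
SAMPLE_LOG is a constructed excerpt modelled on lines from the log posted
above; EXPECTED_START_HOSTS is an assumption about what a clean start page
looks like on this machine.
"""
import re

SECTION_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]\s*$')
PROXY_RE = re.compile(r"^[um]?Internet Settings,ProxyServer\s*=\s*(.+?)\s*$")
START_PAGE_RE = re.compile(r"^([um])Start Page\s*=\s*(\S+)")
DENIED_RE = re.compile(r"^@Denied:\s*(.+)$")

# Assumption: hosts the browser start page is allowed to point at.
EXPECTED_START_HOSTS = {"www.google.com"}

# Constructed excerpt in ComboFix's layout; not the full log from the thread.
SAMPLE_LOG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"TWebCamera"="%ProgramFiles(x86)%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe autorun" [X]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://start.funmoods.com/?f=1&a=aln
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:51253
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
'''


def run_entries(text):
    """Return (key, name, value, present) for every value under a ...\\Run key."""
    out, key = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1) if m.group(1).lower().endswith("\\run") else None
            continue
        if key:
            m = RUN_VALUE_RE.match(line)
            if m:
                name, value, stamp = m.groups()
                # ComboFix prints "[X]" in place of date/size when the target is missing.
                out.append((key, name, value, stamp != "X"))
    return out


def loopback_proxy(text):
    """Return the ProxyServer value if it points at the local host, else None."""
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m and re.search(r"(127\.0\.0\.1|localhost)(:\d+)?", m.group(1)):
            return m.group(1)
    return None


def start_page_hijacks(text, expected=EXPECTED_START_HOSTS):
    """Return (scope, host) for start pages whose host is not in the expected set."""
    hits = []
    for line in text.splitlines():
        m = START_PAGE_RE.match(line)
        if not m:
            continue
        scope, url = m.groups()
        # ComboFix defangs URLs as hxxp://; strip the scheme and keep the host.
        host = re.sub(r"^hxxps?://|^https?://", "", url).split("/")[0].lower()
        if host not in expected:
            hits.append(("user" if scope == "u" else "machine", host))
    return hits


def locked_keys(text):
    """Return (key, ace) for registry keys the log reports with a deny ACE."""
    hits, key = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = DENIED_RE.match(line)
        if m and key:
            hits.append((key, m.group(1)))
    return hits


def triage(text):
    """Summarise the indicators. Locked keys are reported for review only:
    Adobe's Flash installer locks its own CLSID keys, so a deny ACE alone
    does not mean malware."""
    return {
        "missing_run_targets": [(n, v) for _, n, v, ok in run_entries(text) if not ok],
        "loopback_proxy": loopback_proxy(text),
        "start_page_hijacks": start_page_hijacks(text),
        "locked_keys": locked_keys(text),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

Run it as a script to print the summary for the embedded excerpt, or call triage() on the text of a real log. The patterns follow ComboFix's layout (the "[X]" marker, "hxxp://" defanging, "@Denied:" lines under a bracketed key), so logs from other tools would need their own patterns.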

Hello again, it looks good!

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.15.08

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 8.0.7601.17514

Sue :: SUE-PC [administrator]

8/15/2012 6:06:50 PM

mbam-log-2012-08-15 (18-06-50).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 196842

Time elapsed: 4 minute(s), 50 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Great!

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassociates.com/OT-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e., RogueKiller.exe, RKreport.txt, the RK_Quarantine folder, etc.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.