
trojan agent svchost.exe



I have a trojan agent coming up in my svchost.exe. I haven't had any luck getting rid of it. It has been causing the blue screen of death. Thanks in advance for your help. Here are the logs for dds.txt and attach.txt:

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.7.2

Run by Deven Worthington at 21:04:35 on 2013-01-02

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1643.382 [GMT -6:00]

.

AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Program Files\Webroot\WRSA.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe

C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe

C:\Users\Deven Worthington\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe

C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe

C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe

C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe

C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE

\\.\globalroot\systemroot\svchost.exe -netsvcs

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Webroot\WRSA.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe

C:\Windows\System32\StikyNot.exe

C:\Users\Deven Worthington\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe

C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe

C:\Program Files (x86)\SOS Online Backup\SMessaging.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe

C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Program Files (x86)\Internet Explorer\IELowutil.exe

"C:\Windows\svchost.exe"

"C:\Windows\svchost.exe"

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

uSearch Bar = Preserve

uURLSearchHooks: <No Name>: {8ba2cfef-a1bc-4964-aadc-33be1ae5a33c} -

BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Qwiklinx: {3E7C8B5A-96AB-438F-BF9B-782400655440} - C:\Users\Deven Worthington\AppData\Roaming\Qwiklinx\Qwiklinx.dll

BHO: TBSB01620 Class: {58124A0B-DC32-4180-9BFF-E0E21AE34026} - C:\Program Files (x86)\IMinent Toolbar\tbcore3.dll

BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: DefaultTab Browser Helper: {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Users\Deven Worthington\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Search Assistant BHO: {9b9dcae3-be34-424c-8d73-75e305a9e091} -

BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: TheSea.TheSeaPlugin: {C585D593-E7F3-4852-A200-561686EE02E4} -

BHO: Webroot Vault: {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - C:\ProgramData\WRData\PKG\LPBar.dll

BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

BHO: Toolbar BHO: {dc9051c2-8f55-479a-97a4-747980d9047f} -

BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll

BHO: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} -

TB: IMinent Toolbar: {977AE9CC-AF83-45E8-9E03-E2798216E2D5} - C:\Program Files (x86)\IMinent Toolbar\tbcore3.dll

TB: WeatherBlink: {F20DE5E0-2A6E-4C54-985F-1CF59551CE39} -

TB: IMinent Toolbar: {977AE9CC-AF83-45E8-9E03-E2798216E2D5} - C:\Program Files (x86)\IMinent Toolbar\tbcore3.dll

TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll

TB: Webroot Toolbar: {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\PKG\LPBar.dll

EB: TheSeaApp: {c585d593-e7f4-4852-a200-561686ee02e4} -

uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe

uRun: [spotify Web Helper] "C:\Users\Deven Worthington\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

uRun: [AdobeBridge] <no file>

mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe

mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe

mRun: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

mRun: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin

mRun: [sOSUAUI] "C:\Program Files (x86)\SOS Online Backup\sosuploadagent.exe" -showui

mRun: [sMessaging] C:\Program Files (x86)\SOS Online Backup\SMessaging.exe

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [WRSVC] "C:\Program Files\Webroot\WRSA.exe" -ul

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\INSTAL~2.LNK - C:\Program Files (x86)\Common Files\wruninstall.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\INSTAL~1.LNK - C:\Program Files (x86)\Common Files\wruninstall.exe

uPolicies-Explorer: NoViewOnDrive = dword:0

uPolicies-Explorer: NoDrives = dword:0

uPolicies-Explorer: DisableLocalMachineRun = dword:0

uPolicies-Explorer: DisableLocalMachineRunOnce = dword:0

uPolicies-Explorer: DisableCurrentUserRun = dword:0

uPolicies-Explorer: DisableCurrentUserRunOnce = dword:0

uPolicies-Explorer: NoDriveTypeAutoRun = dword:0

uPolicies-Explorer: NoFile = dword:0

uPolicies-Explorer: HideClock = dword:0

uPolicies-Explorer: NoDevMgrUpdate = dword:0

uPolicies-Explorer: NoDFSTab = dword:0

uPolicies-Explorer: NoWindowsUpdate = dword:0

uPolicies-Explorer: NoEncryptOnMove = dword:0

uPolicies-Explorer: NoRunasInstallPrompt = dword:0

uPolicies-Explorer: NoResolveTrack = dword:0

uPolicies-Explorer: NoStartMenuSubFolders = dword:0

uPolicies-System: NoDispAppearancePage = dword:0

uPolicies-System: NoDispSettingsPage = dword:0

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoViewOnDrive = dword:0

mPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: DisableLocalMachineRun = dword:0

mPolicies-Explorer: DisableLocalMachineRunOnce = dword:0

mPolicies-Explorer: DisableCurrentUserRun = dword:0

mPolicies-Explorer: DisableCurrentUserRunOnce = dword:0

mPolicies-Explorer: NoDriveTypeAutoRun = dword:0

mPolicies-Explorer: NoFile = dword:0

mPolicies-Explorer: HideClock = dword:0

mPolicies-Explorer: NoDevMgrUpdate = dword:0

mPolicies-Explorer: NoDFSTab = dword:0

mPolicies-Explorer: NoWindowsUpdate = dword:0

mPolicies-Explorer: NoEncryptOnMove = dword:0

mPolicies-Explorer: NoRunasInstallPrompt = dword:0

mPolicies-Explorer: NoResolveTrack = dword:0

mPolicies-Explorer: NoStartMenuSubFolders = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: NoDispAppearancePage = dword:0

mPolicies-System: NoDispSettingsPage = dword:0

mPolicies-Explorer: NoViewOnDrive = dword:0

mPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: DisableLocalMachineRun = dword:0

mPolicies-Explorer: DisableLocalMachineRunOnce = dword:0

mPolicies-Explorer: DisableCurrentUserRun = dword:0

mPolicies-Explorer: DisableCurrentUserRunOnce = dword:0

mPolicies-Explorer: NoDriveTypeAutoRun = dword:0

mPolicies-Explorer: NoFile = dword:0

mPolicies-Explorer: HideClock = dword:0

mPolicies-Explorer: NoDevMgrUpdate = dword:0

mPolicies-Explorer: NoDFSTab = dword:0

mPolicies-Explorer: NoWindowsUpdate = dword:0

mPolicies-Explorer: NoEncryptOnMove = dword:0

mPolicies-Explorer: NoRunasInstallPrompt = dword:0

mPolicies-Explorer: NoResolveTrack = dword:0

mPolicies-Explorer: NoStartMenuSubFolders = dword:0

mPolicies-System: NoDispAppearancePage = dword:0

mPolicies-System: NoDispSettingsPage = dword:0

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe

IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - C:\ProgramData\WRData\PKG\LPBar.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

TCP: NameServer = 192.168.1.1

TCP: Interfaces\{9ED832F4-B788-422F-A6D0-6D8264B91E7D} : DHCPNameServer = 192.168.1.1

TCP: Interfaces\{9ED832F4-B788-422F-A6D0-6D8264B91E7D}\234333023716E6026656C6960756 : DHCPNameServer = 192.168.1.1

TCP: Interfaces\{9ED832F4-B788-422F-A6D0-6D8264B91E7D}\2375942554737393 : DHCPNameServer = 192.168.1.254

TCP: Interfaces\{9ED832F4-B788-422F-A6D0-6D8264B91E7D}\77F62747869333 : NameServer = 192.168.0.1

TCP: Interfaces\{9ED832F4-B788-422F-A6D0-6D8264B91E7D}\77F62747869333 : DHCPNameServer = 192.168.1.1

TCP: Interfaces\{9ED832F4-B788-422F-A6D0-6D8264B91E7D}\C696E6B6379737 : DHCPNameServer = 208.84.188.130 208.84.191.130

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

SSODL: WebCheck - <orphaned>

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-BHO: Webroot Vault: {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - C:\ProgramData\WRData\PKG\LPBar64.dll

x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

x64-TB: Webroot Toolbar: {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\PKG\LPBar64.dll

x64-Run: [synTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe

x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s

x64-Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden

x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"

x64-IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - C:\ProgramData\WRData\PKG\LPBar64.dll

x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

x64-DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>

x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>

x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>

x64-SSODL: WebCheck - <orphaned>

.

============= SERVICES / DRIVERS ===============

.

R0 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2010-11-11 77952]

R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2010-11-11 37504]

R0 WRkrn;WRkrn;C:\Windows\System32\drivers\WRkrn.sys [2012-12-19 111712]

R1 aswKbd;aswKbd;C:\Windows\System32\drivers\aswKbd.sys [2012-3-27 19600]

R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2011-7-29 98208]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-3-4 203776]

R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-3-4 354304]

R2 AMD Reservation Manager;AMD Reservation Manager;C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-6-17 194496]

R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]

R2 DefaultTabUpdate;DefaultTabUpdate;C:\Users\Deven Worthington\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe [2012-7-29 107520]

R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2012-9-27 86528]

R2 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-7-21 103992]

R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-8-5 291896]

R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2012-3-5 35200]

R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-7-29 1817088]

R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-30 398184]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-30 682344]

R2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]

R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]

R2 WRSVC;WRSVC;C:\Program Files\Webroot\WRSA.exe [2012-12-19 733232]

R3 amdiox64;AMD IO Driver;C:\Windows\System32\drivers\amdiox64.sys [2011-7-29 46136]

R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\System32\drivers\clwvd.sys [2011-2-9 31088]

R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-12-30 24176]

R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\System32\drivers\RtsPStor.sys [2011-7-29 335464]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-7-29 436840]

R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\System32\drivers\rtl8192ce.sys [2011-7-29 878184]

R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]

R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]

R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]

R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]

R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]

R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2011-7-29 44672]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 DefaultTabSearch;DefaultTabSearch;C:\Program Files (x86)\DefaultTab\DefaultTabSearch.exe [2012-11-14 568832]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-6-7 160944]

S3 ScreamBAudioSvc;ScreamBee Audio;C:\Windows\System32\drivers\ScreamingBAudio64.sys [2010-7-1 38992]

S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]

S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]

S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]

S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-12-27 1255736]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== File Associations ===============

.

FileExt: .txt: txtfile=C:\Windows\SysWow64\NOTEPAD.EXE %1

FileExt: .ini: inifile=C:\Windows\SysWow64\NOTEPAD.EXE %1

FileExt: .inf: inffile=C:\Windows\SysWow64\NOTEPAD.EXE %1

.

=============== Created Last 30 ================

.

2013-01-03 01:11:27 20480 ----a-w- C:\Windows\svchost.exe

2012-12-31 20:59:08 -------- d-----w- C:\EFSTMPWP

2012-12-31 01:27:21 -------- d-----w- C:\Users\Deven Worthington\AppData\Roaming\Malwarebytes

2012-12-31 01:27:08 -------- d-----w- C:\ProgramData\Malwarebytes

2012-12-31 01:27:05 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-12-31 01:27:04 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-12-31 01:26:47 -------- d-----w- C:\Users\Deven Worthington\AppData\Local\Programs

2012-12-29 09:17:04 -------- d-----w- C:\8b9139c4573887d14330b183

2012-12-28 01:49:13 -------- d-----w- C:\Program Files (x86)\Microsoft Application Virtualization Client

2012-12-28 01:47:11 -------- d-----w- C:\Users\Deven Worthington\AppData\Roaming\TP

2012-12-28 01:11:27 -------- d-----w- C:\adobeTemp

2012-12-23 22:53:47 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll

2012-12-23 22:53:46 46080 ----a-w- C:\Windows\System32\atmlib.dll

2012-12-23 22:53:36 367616 ----a-w- C:\Windows\System32\atmfd.dll

2012-12-23 22:53:25 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll

2012-12-20 09:40:15 -------- d-----w- C:\132a09b146be1acf1cf83edf

2012-12-20 09:39:31 -------- d-----w- C:\Program Files (x86)\The Weather Channel

2012-12-19 22:05:32 -------- d-----w- C:\Users\Deven Worthington\AppData\Local\lptmp1469847479

2012-12-19 22:03:43 151816 ----a-w- C:\Windows\SysWow64\WRusr.dll

2012-12-19 22:03:43 111712 ----a-w- C:\Windows\System32\drivers\WRkrn.sys

2012-12-19 22:03:43 104960 ----a-w- C:\Windows\System32\WRusr.dll

2012-12-19 22:03:24 -------- d-----w- C:\Program Files\Webroot

2012-12-19 22:03:13 -------- d-----w- C:\ProgramData\WRData

2012-12-17 05:44:18 -------- d-----w- C:\Users\Deven Worthington\AppData\Roaming\System

2012-12-13 00:54:14 -------- d-----w- C:\.file_store_32

2012-12-12 05:22:57 2048 ----a-w- C:\Windows\SysWow64\tzres.dll

2012-12-12 05:22:57 2048 ----a-w- C:\Windows\System32\tzres.dll

2012-12-12 05:22:27 3149824 ----a-w- C:\Windows\System32\win32k.sys

2012-12-12 05:20:44 478208 ----a-w- C:\Windows\System32\dpnet.dll

2012-12-12 05:20:42 376832 ----a-w- C:\Windows\SysWow64\dpnet.dll

.

==================== Find3M ====================

.

2013-01-01 04:05:28 0 ----a-w- C:\Windows\SysWow64\Sendori.dll

2012-12-12 03:35:31 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-12-12 03:35:31 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-11-14 06:11:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2012-11-14 06:04:11 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-11-14 06:02:49 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-11-14 05:57:46 599040 ----a-w- C:\Windows\System32\vbscript.dll

2012-11-14 05:57:35 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-11-14 05:52:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-11-14 02:09:22 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-11-14 01:58:15 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-11-14 01:57:37 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-11-14 01:49:25 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-11-14 01:48:27 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll

2012-11-14 01:44:42 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-10-30 03:32:17 2615400 ----a-w- C:\Windows\System32\RtPgEx64.dll

2012-10-30 03:32:17 1560168 ----a-w- C:\Windows\System32\RTSnMg64.cpl

2012-10-30 03:32:16 4730344 ----a-w- C:\Windows\System32\drivers\RTKVHD64.sys

2012-10-30 03:32:16 331880 ----a-w- C:\Windows\System32\RtlCPAPI64.dll

2012-10-30 03:32:14 14952 ----a-w- C:\Windows\System32\RtkCoLDR64.dll

2012-10-30 03:32:13 823912 ----a-w- C:\Windows\System32\RtkApi64.dll

2012-10-30 03:32:13 3747944 ----a-w- C:\Windows\System32\RtkAPO64.dll

2012-10-30 03:32:11 100968 ----a-w- C:\Windows\System32\RCoInstII64.dll

2012-10-30 03:31:26 1698408 ----a-w- C:\Windows\RtlExUpd.dll

2012-10-16 08:38:37 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll

2012-10-16 08:38:34 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll

2012-10-16 07:39:52 561664 ----a-w- C:\Windows\apppatch\AcLayers.dll

2012-10-09 18:17:13 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll

2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll

2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll

2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll

.

============= FINISH: 21:07:44.42 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 12/25/2011 10:20:10 PM

System Uptime: 1/2/2013 7:09:43 PM (2 hours ago)

.

Motherboard: Hewlett-Packard | | 3577

Processor: AMD C-50 Processor | Socket FT1 | 800/100mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 219 GiB total, 158.793 GiB free.

D: is FIXED (NTFS) - 14 GiB total, 1.703 GiB free.

E: is CDROM (UDF)

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP125: 12/26/2012 11:02:08 PM - Restore Operation

RP126: 12/29/2012 3:12:06 AM - Windows Update

RP127: 12/29/2012 6:35:17 PM - Windows Update

RP128: 12/30/2012 3:00:47 AM - Windows Update

.

==== Installed Programs ======================

.

Adobe Flash Player 11 ActiveX

Adobe Photoshop CS6

Adobe Reader X (10.1.4) MUI

Adobe Shockwave Player 11.5

Agatha Christie - Peril at End House

AMD Fuel

ATI Catalyst Install Manager

Bejeweled 2 Deluxe

Blackhawk Striker 2

Blasterball 3

Bounce Symphony

Build-a-lot 2

Cake Mania

Catalyst Control Center - Branding

Catalyst Control Center Graphics Previews Common

Catalyst Control Center InstallProxy

Catalyst Control Center Localization All

ccc-core-static

ccc-utility64

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Czech

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Greek

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Polish

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

CCC Help Thai

CCC Help Turkish

Chuzzle Deluxe

Compaq Setup Manager

CyberLink YouCam

D3DX10

DefaultTab

DefaultTab Chrome

Diner Dash 2 Restaurant Rescue

Dora's World Adventure

Energy Star Digital Logo

Escape Rosecliff Island

ESU for Microsoft Windows 7

Farm Frenzy

FATE

Final Drive Nitro

Heroes of Hellas 2 - Olympia

Hewlett-Packard ACLM.NET v1.2.1.1

HP Auto

HP Client Services

HP CloudDrive

HP Customer Experience Enhancements

HP Documentation

HP Game Console

HP Games

HP MovieStore

HP On Screen Display

HP Power Manager

HP Quick Launch

HP Setup

HP Software Framework

HP Support Assistant

HP Wireless Assistant

IMinent Toolbar

Java 7 Update 7

Java Auto Updater

Java™ 6 Update 22

Java™ 6 Update 22 (64-bit)

JavaFX 2.1.1

Jewel Quest Solitaire 2

Junk Mail filter update

Malwarebytes Anti-Malware version 1.70.0.1100

Mesh Runtime

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Office 2010

Microsoft Office Click-to-Run 2010

Microsoft Silverlight

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2005 Redistributable (x64)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft WSE 3.0 Runtime

Microsoft_VC80_CRT_x86

Microsoft_VC90_CRT_x86

MSVCRT

MSVCRT_amd64

Mystery P.I. - The London Caper

PDF Settings CS6

Penguins!

Pepakura Viewer 3

Plants vs. Zombies

Poker Superstars III

Polar Bowler

Polar Golfer

Qwiklinx

Realtek Ethernet Controller Driver

Realtek High Definition Audio Driver

Realtek PCIE Card Reader

REALTEK Wireless LAN Driver

Recovery Manager

RoxioNow Player

Sansa Updater

Security Update for CAPICOM (KB931906)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Skype Click to Call

Skype™ 5.10

Smart PC Cleaner v3.0

SOS Online Backup

Spotify

Synaptics Pointing Device Driver

The Sea App (Internet Explorer)

The Weather Channel App

The Weather Channel Desktop 6

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

VideoFileDownload

Virtual Families

Virtual Villagers 4 - The Tree of Life

WeatherBug

Webroot SecureAnywhere

Wheel of Fortune 2

Windows Live Communications Platform

Windows Live Essentials

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Language Selector

Windows Live Mail

Windows Live Mesh

Windows Live Mesh ActiveX Control for Remote Connections

Windows Live Messenger

Windows Live MIME IFilter

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live Remote Client

Windows Live Remote Client Resources

Windows Live Remote Service

Windows Live Remote Service Resources

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

Winferno Registry Power Cleaner

WMV9/VC-1 Video Playback

World of Warcraft

Yahoo! Software Update

Yahoo! Toolbar

Yontoo 1.10.02

Zuma Deluxe

.

==== Event Viewer Messages From Past Week ========

.

12/31/2012 9:39:12 PM, Error: Service Control Manager [7000] - The Sendori Interceptor service failed to start due to the following error: The system cannot find the file specified.

12/31/2012 9:39:03 PM, Error: Service Control Manager [7000] - The Sendori service failed to start due to the following error: The system cannot find the file specified.

12/31/2012 9:23:38 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Error Reporting Service service to connect.

12/31/2012 5:04:32 AM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.

12/31/2012 10:05:22 PM, Error: Service Control Manager [7000] - The Sendoriv1 service failed to start due to the following error: The system cannot find the file specified.

12/31/2012 1:43:16 PM, Error: Service Control Manager [7031] - The WRSVC service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

1/2/2013 7:14:17 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891

1/2/2013 7:14:17 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891

1/2/2013 7:10:44 PM, Error: Service Control Manager [7034] - The DefaultTabSearch service terminated unexpectedly. It has done this 1 time(s).

1/2/2013 7:10:34 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

1/2/2013 7:10:33 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

1/2/2013 7:10:32 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

1/2/2013 7:10:30 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\system32\Rtlihvs.dll Error Code: 126

1/2/2013 7:10:30 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000096, 0xfffff80002cce16a, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 010213-42369-01.

1/2/2013 7:08:10 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Font Cache Service service to connect.

1/2/2013 7:08:10 PM, Error: Service Control Manager [7000] - The Windows Font Cache Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

1/2/2013 7:07:39 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.

1/2/2013 7:07:39 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

1/2/2013 7:07:39 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

1/1/2013 1:57:09 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x0000000000000089, 0x0000000000000002, 0x0000000000000001, 0xfffff80002cc4aa6). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: .

1/1/2013 1:57:08 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1005] - Unable to produce a minidump file from the full dump file.

.

==== End Of File ===========================

Link to post
Share on other sites
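A triage sketch for the Event Viewer section of the DDS log above, added here as an example and not part of the original post or of DDS. It re-sorts the entries by time (DDS does not print them in chronological order), then pulls out services whose dependency is reported as not installed, services whose binary is missing, and bugcheck codes. The function names and report keys are hypothetical; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple

# A subset of the event lines from the DDS log above, in the order DDS printed them.
SAMPLE = r"""
12/31/2012 9:39:12 PM, Error: Service Control Manager [7000] - The Sendori Interceptor service failed to start due to the following error: The system cannot find the file specified.
12/31/2012 10:05:22 PM, Error: Service Control Manager [7000] - The Sendoriv1 service failed to start due to the following error: The system cannot find the file specified.
1/2/2013 7:14:17 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
1/2/2013 7:10:34 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
1/2/2013 7:10:33 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
1/2/2013 7:10:30 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000096, 0xfffff80002cce16a, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 010213-42369-01.
1/2/2013 7:08:10 PM, Error: Service Control Manager [7000] - The Windows Font Cache Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2013 1:57:09 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x0000000000000089, 0x0000000000000002, 0x0000000000000001, 0xfffff80002cc4aa6). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: .
"""

class Event(NamedTuple):
    when: datetime
    level: str
    source: str
    event_id: int
    message: str

LINE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), (\w+): (.+?) \[(\d+)\] - (.*)$")
DEPENDS = re.compile(r"^The (.+) service depends the following service: (.+?)\. This service might not be installed")
NO_FILE = re.compile(r"^The (.+) service failed to start due to the following error: The system cannot find the file specified")
BUGCHECK = re.compile(r"The bugcheck was: (0x[0-9a-fA-F]+) \(([^)]*)\)")
# Standard Windows bugcheck names for the two codes that occur in this log.
BUGCHECK_NAMES = {0x0A: "IRQL_NOT_LESS_OR_EQUAL", 0x1E: "KMODE_EXCEPTION_NOT_HANDLED"}

def parse_events(text):
    """Parse DDS event lines and return them oldest first; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            when = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            events.append(Event(when, m.group(2), m.group(3), int(m.group(4)), m.group(5)))
    return sorted(events, key=lambda e: e.when)

def triage(events):
    """Collect the findings a helper would otherwise read off this section by hand."""
    report = {"missing_dependency": defaultdict(list), "missing_binary": [], "bugchecks": []}
    for e in events:
        scm = e.source == "Service Control Manager"
        if scm and e.event_id == 7003:
            # A dependency that "might not be installed": its service entry is gone.
            m = DEPENDS.match(e.message)
            if m:
                report["missing_dependency"][m.group(2)].append(m.group(1))
        elif scm and e.event_id == 7000:
            # Service still registered, but the file it points to no longer exists.
            m = NO_FILE.match(e.message)
            if m:
                report["missing_binary"].append(m.group(1))
        elif e.event_id == 1001 and "WER-SystemErrorReporting" in e.source:
            m = BUGCHECK.search(e.message)
            if m:
                code = int(m.group(1), 16)
                params = [int(p, 16) for p in m.group(2).split(", ")]
                report["bugchecks"].append((e.when, code, BUGCHECK_NAMES.get(code, "unknown"), params))
    return report

if __name__ == "__main__":
    for key, value in triage(parse_events(SAMPLE)).items():
        print(key, dict(value) if isinstance(value, defaultdict) else value)
```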


  • Staff

Please run the following:

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.

Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.


Sorry for the delayed response. Had to get some blank DVDs to back up my system and then had to do a bunch of troubleshooting to get my computer to back up. Finally got it backed up today and then I installed the anti-rootkit and ran a scan. When I ran the cleanup, after the scan, it wanted to reboot my system. My computer shut down but now it won't restart correctly. The Windows Boot Manager has come up and says "Windows failed to start. A recent hardware or software change might be the cause". Status: 0xc000000f Info: The boot selection failed because a required device is inaccessible.

Can you assist me with this? It wants me to insert my windows installation disc but I don't have one.


  • Staff

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.


On the Windows boot manager there are no options for repair. It just says to insert the Windows installation disc and restart the computer. I can hit enter and it goes back to the tools option but only lists 'windows memory diagnostic'. The only option for operating system to start is Ramdisk Options (EMS Enable) but that does nothing. If I hit enter or F8 it just takes me back to the part telling me to insert the installation disc and shows the status and info like before.


  • Staff

OK, you probably don't have the recovery environment pre-installed.

Do you have access to another Win 7 machine? You can make a recovery disk in order to access the recovery environment.

I'm suspecting the BCD has been altered by the malware and when it was removed it has caused this situation. Once I can see a log with FRST, I anticipate being able to rectify this.

Please do the following:

Create a Windows 7 System Repair Disc

  • Click on Start(Windows 7 Orb) >> Run...(or the Windows key and R together) to bring up the Run box, then copy/paste the following command into the box and click on OK:
    recdisc.exe
  • Allow the UAC(User Account Control) prompt via selecting Yes.
  • You should now see a menu like the below:-

WTSRD1.gif

  • Put a blank rewritable CD/DVD in your optical(CD/DVD) drive and then click on Create disc.
  • Note: If an AutoPlay window pops up, just close it.
  • When the SRD has been created you will see the below:-

WTSRD2.gif

  • Now click on Close >> OK.
  • You now have a Windows 7 System Repair Disc.

Use this CD to boot the ailing computer instead of tapping on F8, and proceed with the instructions above in the command prompt.


  • Staff

There are sites on-line that say they are offering legal Win7.iso repair disks for download. They can't be used to install an operating system, but I believe they violate terms of service with Microsoft to post a repair disk.iso on line, so I wouldn't try that route.

It would be best to keep asking around till you find someone with a Win7 who could make a repair disk, or contact the manufacturer of the machine to see if they can send you a repair disk.


  • Staff

Please try the following:

When you reboot press the F10 to bring up 'Edit Boot Options' screen. If you press it too early you might get the bios screen instead.

If it says /minint or int/min after /NOEXECUTE=OPTIN,

hit the Backspace key until that entry reads:

/NOEXECUTE=OPTIN

tdl4_minint.png

now see if the machine will boot

If not, we will need the recovery disk


ok, I finally found someone with Windows 7 and made the disk. Now the issue is I can 'restart' the computer. I turned it on and put the disk in but when I turn the computer off or on, it doesn't really reboot. It just turns off or turns on and goes immediately to the windows boot manager. Still doesn't recognize there is a disk in there.


Can you please explain in a little more detail exactly what took place (for those following this topic)

thanks

I was able to change the boot order so that the computer would check CD-ROM first. It restored Windows. I then went back to malware anti-rootkit to run a scan again and it wanted me to update anti-rootkit. I have run that again and still found 95 malware items. I'm going to cleanup and see what happens. I'll add the log on my next post.


Malwarebytes Anti-Rootkit BETA 1.01.0.1016

www.malwarebytes.org

Database version: v2013.01.13.09

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Deven Worthington :: DEVEN [administrator]

1/13/2013 6:37:55 PM

mbar-log-2013-01-13 (18-37-55).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 29929

Time elapsed: 35 minute(s), 26 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 95

HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9} (Hijack.Trojan.Siredef.C) -> Delete on reboot.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


  • Staff

Please run the following

Refer to the ComboFix User's Guide

  1. Download ComboFix from the following location:
    Link
    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on ComboFix.exe & follow the prompts.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply.
    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


  • Staff

please run Combofix first and also post the system log from MBAR (the one when the computer crashed)

navigate to the MBAR folder, open the log and please post the content of the log.

and I'm still trying to figure out how you were able to finally boot, when you pressed F10 what exactly happened, did the computer go into start-up repair automatically, or did something else take place?


please run Combofix first and also post the system log from MBAR (the one when the computer crashed) navigate to the MBAR folder, open the log and please post the content of the log. and I'm still trying to figure out how you were able to finally boot, when you pressed F10 what exactly happened, did the computer go into start-up repair automatically, or did something else take place?

Hitting F10 just got me to the BIOS system and I followed the instructions on http://pcsupport.about.com/od/fixtheproblem/ss/bootorderchange.htm for changing the start up order.
