Moneypack Virus


I've been infected with the money pack virus and am unable to access the desktop when I load Windows. I run Windows 7. I've tried booting in safe mode, but the desktop is blocked by the virus then as well. This leaves me unable to download and run DDS to begin the process on this forum. What can I do?


See if you can do the following:

Download Farbar Recovery Scan Tool on a clean PC (if possible) and save to a flash drive (memory stick). Use whichever of the following is applicable to your system (32 or 64 bit).

Download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ <--- 64 bit version Save to USB flash drive

Download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ <--- 32 bit version Save to USB Flash drive

Plug the flashdrive into the infected PC.

Enter System Recovery Options. I give two methods; use whichever is convenient for you.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair

System Restore

Windows Complete PC Restore

Windows Memory Diagnostic Tool

Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 or e:\frst depending on your version. Press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Kevin


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-12-2012

Ran by SYSTEM at 04-01-2013 17:06:32

Running from F:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet002

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [2587944 2010-12-13] (ELAN Microelectronics Corp.)

HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)

HKLM-x32\...\Run: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [103720 2009-11-02] (CyberLink)

HKLM-x32\...\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [5732992 2010-08-17] (ASUS)

HKLM-x32\...\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [170624 2010-10-07] (ASUS)

HKLM-x32\...\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)

HKLM-x32\...\Run: [ASUSWebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSPanel.exe /S [731472 2011-02-23] (ecareme)

HKLM-x32\...\Run: [ASUS Screen Saver Protector] C:\Windows\AsScrPro.exe [3058304 2011-07-15] (ASUS)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Communicator] "C:\Program Files (x86)\Microsoft Lync\communicator.exe" /fromrunkey [12105344 2012-09-28] (Microsoft Corporation)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)

HKU\Greg\...\Run: [Google Update] "C:\Users\Greg\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-09-18] (Google Inc.)

HKU\Greg\...\Run: [sbitunesagent] C:\Program Files (x86)\Songbird\songbirditunesagent.exe [266240 2012-09-17] ()

HKU\Greg\...\Run: [MotoCast] "C:\Program Files (x86)\Motorola Mobility\MotoCast\MotoLauncher.lnk" [x]

HKU\Greg\...\Policies\system: [DisableTaskMgr] 1

HKLM\...\Winlogon: [shell] Explorer.exe, C:\ProgramData\nzqwwnh_ [x ] ()

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

Startup: C:\Users\All Users\Start Menu\Programs\Startup\AsusVibeLauncher.lnk

ShortcutTarget: AsusVibeLauncher.lnk -> C:\Program Files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe (ASUSTeK Computer Inc.)

Startup: C:\Users\Greg\Start Menu\Programs\Startup\Dropbox.lnk

ShortcutTarget: Dropbox.lnk -> (No File)

Startup: C:\Users\Greg\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk

ShortcutTarget: ERUNT AutoBackup.lnk -> C:\Program Files (x86)\ERUNT\AUTOBACK.EXE ()

==================== Services (Whitelisted) ===================

2 ATKGFNEXSrv; C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe [96896 2009-12-15] (ASUS)

2 BcmSqlStartupSvc; "C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [34216 2010-03-25] (Microsoft Corporation)

2 ccEvtMgr; "C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [107624 2006-12-07] (Symantec Corporation)

2 ccSetMgr; "C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [107624 2006-12-07] (Symantec Corporation)

2 DefWatch; "C:\Program Files (x86)\Symantec AntiVirus\DefWatch.exe" [30872 2006-12-13] (Symantec Corporation)

3 LiveUpdate; "C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE" [2541248 2006-10-31] (Symantec Corporation)

3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\3.0.207\McCHSvc.exe" [237008 2011-06-17] (McAfee, Inc.)

2 Motorola Device Manager; C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [120728 2012-10-02] ()

2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)

3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-05-02] ()

3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)

2 PST Service; C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe [65657 2011-09-02] (Motorola)

2 ReflectService.exe; "C:\Program Files\Macrium\Reflect\ReflectService.exe" [301760 2012-08-21] ()

2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)

4 SQLAgent$MSSMLBIZ; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.MSSMLBIZ\MSSQL\Binn\SQLAGENT.EXE" -i MSSMLBIZ [366936 2009-03-30] (Microsoft Corporation)

2 SSUService; C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe [386920 2012-10-16] (Splashtop Inc.)

2 Symantec AntiVirus; "C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe" [1962136 2006-12-13] (Symantec Corporation)

2 WinDefend; C:\Program Files (x86)\Windows Defender\mpsvc.dll [x]

==================== Drivers (Whitelisted) =====================

0 assd; C:\Windows\System32\Drivers\assd.sys [27264 2010-04-28] (ASUS Corporation)

1 ATKWMIACPIIO; \??\C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [17024 2010-07-26] (ASUS)

1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-08-15] (Symantec Corporation)

3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-08-15] (Symantec Corporation)

3 FLxHCIh; C:\Windows\System32\Drivers\FLxHCIh.sys [56320 2011-04-08] (Fresco Logic)

3 GEARAspiWDM; C:\Windows\SysWow64\Drivers\GEARAspiWDM.sys [15664 2012-09-17] (GEAR Software Inc.)

3 kbfiltr; C:\Windows\System32\Drivers\kbfiltr.sys [15416 2009-07-20] ( )

0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [203888 2012-03-20] (Microsoft Corporation)

3 NAVENG; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20121221.004\ENG64.SYS [126112 2012-09-05] (Symantec Corporation)

3 NAVEX15; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20121221.004\EX64.SYS [2084000 2012-09-05] (Symantec Corporation)

2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [98688 2012-03-20] (Microsoft Corporation)

1 SRTSP; C:\Windows\System32\Drivers\SRTSP64.SYS [394600 2006-11-22] (Symantec Corporation)

3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL64.SYS [426392 2006-11-22] (Symantec Corporation)

1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX64.SYS [30104 2006-11-22] (Symantec Corporation)

3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [156008 2012-08-30] (Symantec Corporation)

2 TurboB; C:\Windows\System32\Drivers\TurboB.sys [13832 2010-04-16] ()

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-12-24 11:32 - 2012-12-24 11:32 - 00000000 ____D C:\Windows\TempED59068B-FAD5-07EC-98BD-5FA1A41E29B2-Signatures

2012-12-24 11:23 - 2012-12-25 10:52 - 00158208 ____A (ADOSoft Int.) C:\Users\Greg\AppData\Roaming\nzqwwnh_.exe

2012-12-24 11:13 - 2012-12-25 10:57 - 00158208 ____A (ADOSoft Int.) C:\Users\Greg\AppData\Local\nzqwwnh_.exe

2012-12-24 11:13 - 2012-12-25 10:57 - 00158208 ____A (ADOSoft Int.) C:\Users\All Users\nzqwwnh_.exe

2012-12-23 21:30 - 2012-12-23 21:30 - 00000000 ____D C:\Windows\TempD3C4382E-CD23-1C28-A8C9-B5CBEE49AE57-Signatures

2012-12-19 22:24 - 2012-12-19 22:24 - 00000000 ____D C:\Windows\Temp1A1679BD-2AA6-2430-4776-4DC29E9BA6EE-Signatures

2012-12-17 02:01 - 2012-12-17 02:01 - 00000000 ____D C:\Windows\TempCC561410-34D5-25F0-5BCC-9F4FD37F4C0B-Signatures

2012-12-16 09:50 - 2012-12-16 09:50 - 00000000 ____D C:\Windows\Temp8C3E4FBF-2321-0D11-C06F-BB56B5F8A9BE-Signatures

2012-12-15 11:00 - 2012-12-01 07:55 - 00001086 ____A C:\Users\Greg\Desktop\Google Drive.lnk

2012-12-15 10:48 - 2012-12-15 10:55 - 486359257 ____A C:\Users\Greg\Downloads\Final Fantasy VII (Disc 1).7z

2012-12-15 10:33 - 2012-12-15 10:33 - 00000000 ____D C:\Users\Greg\AppData\Local\Splashtop

2012-12-15 10:25 - 2012-12-15 10:25 - 00000000 ____D C:\Users\Greg\AppData\Local\{AB7CBD6B-0741-4997-8430-950DB17CC940}

2012-12-15 10:25 - 2012-12-15 10:25 - 00000000 ____D C:\Users\All Users\Splashtop

2012-12-15 10:25 - 2012-12-15 10:25 - 00000000 ____D C:\Program Files (x86)\Splashtop

2012-12-15 10:23 - 2012-12-15 10:23 - 17265384 ____A (Splashtop Inc.) C:\Users\Greg\Downloads\Splashtop_Streamer_WIN_v2.2.0.0.EXE

2012-12-15 09:39 - 2012-12-15 09:39 - 00000000 ____D C:\Windows\TempAC120230-158B-DC1D-6FFE-B179C96CFD76-Signatures

2012-12-10 18:07 - 2012-12-10 18:07 - 00000000 ____D C:\Windows\Temp3A428D32-AD10-B11D-6BB4-C49FD263CAF0-Signatures

2012-12-09 08:26 - 2012-12-09 08:26 - 00000000 ____D C:\Windows\Temp6DF85126-4D9A-4AD1-10B2-BFAF0F4EE6BB-Signatures

==================== One Month Modified Files and Folders =======

2013-01-04 17:06 - 2013-01-04 17:06 - 00000000 ____D C:\FRST

2012-12-25 10:57 - 2012-12-24 11:13 - 00158208 ____A (ADOSoft Int.) C:\Users\Greg\AppData\Local\nzqwwnh_.exe

2012-12-25 10:57 - 2012-12-24 11:13 - 00158208 ____A (ADOSoft Int.) C:\Users\All Users\nzqwwnh_.exe

2012-12-25 10:57 - 2012-09-18 21:21 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-12-25 10:57 - 2012-08-14 19:14 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-12-25 10:57 - 2009-07-13 20:51 - 00172124 ____A C:\Windows\setupact.log

2012-12-25 10:52 - 2012-12-24 11:23 - 00158208 ____A (ADOSoft Int.) C:\Users\Greg\AppData\Roaming\nzqwwnh_.exe

2012-12-25 10:48 - 2011-07-15 17:45 - 00045056 ____A C:\Windows\System32\acovcnt.exe

2012-12-24 12:08 - 2011-07-15 17:24 - 02004567 ____A C:\Windows\WindowsUpdate.log

2012-12-24 11:47 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-12-24 11:47 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-12-24 11:46 - 2012-11-12 15:15 - 00000000 ____D C:\Users\Greg\.gstreamer-0.10

2012-12-24 11:46 - 2012-11-12 15:09 - 00000000 ____D C:\Users\Greg\AppData\Roaming\MotoCast

2012-12-24 11:46 - 2012-01-11 11:18 - 00000000 ___RD C:\Users\Greg\Dropbox

2012-12-24 11:46 - 2012-01-11 11:14 - 00000000 ____D C:\Users\Greg\AppData\Roaming\Dropbox

2012-12-24 11:40 - 2011-10-09 17:38 - 00002113 ____A C:\Windows\epplauncher.mif

2012-12-24 11:32 - 2012-12-24 11:32 - 00000000 ____D C:\Windows\TempED59068B-FAD5-07EC-98BD-5FA1A41E29B2-Signatures

2012-12-24 11:22 - 2011-04-01 20:17 - 00361758 ____A C:\Windows\PFRO.log

2012-12-23 21:30 - 2012-12-23 21:30 - 00000000 ____D C:\Windows\TempD3C4382E-CD23-1C28-A8C9-B5CBEE49AE57-Signatures

2012-12-19 22:24 - 2012-12-19 22:24 - 00000000 ____D C:\Windows\Temp1A1679BD-2AA6-2430-4776-4DC29E9BA6EE-Signatures

2012-12-17 02:01 - 2012-12-17 02:01 - 00000000 ____D C:\Windows\TempCC561410-34D5-25F0-5BCC-9F4FD37F4C0B-Signatures

2012-12-16 18:55 - 2012-02-01 21:48 - 00000000 ____D C:\Users\Greg\AppData\Roaming\Songbird2

2012-12-16 09:50 - 2012-12-16 09:50 - 00000000 ____D C:\Windows\Temp8C3E4FBF-2321-0D11-C06F-BB56B5F8A9BE-Signatures

2012-12-15 10:55 - 2012-12-15 10:48 - 486359257 ____A C:\Users\Greg\Downloads\Final Fantasy VII (Disc 1).7z

2012-12-15 10:46 - 2011-07-15 17:43 - 00001645 ____A C:\Windows\System32\ServiceFilter.ini

2012-12-15 10:33 - 2012-12-15 10:33 - 00000000 ____D C:\Users\Greg\AppData\Local\Splashtop

2012-12-15 10:25 - 2012-12-15 10:25 - 00000000 ____D C:\Users\Greg\AppData\Local\{AB7CBD6B-0741-4997-8430-950DB17CC940}

2012-12-15 10:25 - 2012-12-15 10:25 - 00000000 ____D C:\Users\All Users\Splashtop

2012-12-15 10:25 - 2012-12-15 10:25 - 00000000 ____D C:\Program Files (x86)\Splashtop

2012-12-15 10:25 - 2011-07-15 17:37 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information

2012-12-15 10:23 - 2012-12-15 10:23 - 17265384 ____A (Splashtop Inc.) C:\Users\Greg\Downloads\Splashtop_Streamer_WIN_v2.2.0.0.EXE

2012-12-15 09:44 - 2011-10-12 16:08 - 00000000 ____D C:\Users\All Users\Microsoft Help

2012-12-15 09:39 - 2012-12-15 09:39 - 00000000 ____D C:\Windows\TempAC120230-158B-DC1D-6FFE-B179C96CFD76-Signatures

2012-12-15 09:32 - 2011-10-11 09:09 - 67413224 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-12-11 20:36 - 2012-04-12 13:42 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-12-11 20:36 - 2011-10-10 16:13 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-12-10 18:07 - 2012-12-10 18:07 - 00000000 ____D C:\Windows\Temp3A428D32-AD10-B11D-6BB4-C49FD263CAF0-Signatures

2012-12-09 08:26 - 2012-12-09 08:26 - 00000000 ____D C:\Windows\Temp6DF85126-4D9A-4AD1-10B2-BFAF0F4EE6BB-Signatures

ZeroAccess:

C:\Windows\Installer\{648c7366-661d-8c7c-a2b5-bfc01b210a94}

C:\Windows\Installer\{648c7366-661d-8c7c-a2b5-bfc01b210a94}\U

ZeroAccess:

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{648c7366-661d-8c7c-a2b5-bfc01b210a94}

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{648c7366-661d-8c7c-a2b5-bfc01b210a94}\@

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{648c7366-661d-8c7c-a2b5-bfc01b210a94}\L

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{648c7366-661d-8c7c-a2b5-bfc01b210a94}\U

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-29 18:29:33

Restore point made on: 2012-12-02 11:41:48

Restore point made on: 2012-12-06 07:50:10

Restore point made on: 2012-12-09 08:21:15

Restore point made on: 2012-12-10 18:02:27

Restore point made on: 2012-12-14 16:57:56

Restore point made on: 2012-12-15 09:20:19

Restore point made on: 2012-12-15 09:21:50

Restore point made on: 2012-12-15 09:23:02

Restore point made on: 2012-12-15 09:24:24

Restore point made on: 2012-12-15 09:25:42

Restore point made on: 2012-12-15 09:27:07

Restore point made on: 2012-12-15 09:28:30

Restore point made on: 2012-12-15 09:29:43

Restore point made on: 2012-12-15 09:30:53

Restore point made on: 2012-12-15 09:32:07

Restore point made on: 2012-12-15 09:36:56

Restore point made on: 2012-12-15 09:38:04

Restore point made on: 2012-12-15 09:39:24

Restore point made on: 2012-12-15 09:44:29

Restore point made on: 2012-12-15 09:45:40

Restore point made on: 2012-12-15 09:46:43

Restore point made on: 2012-12-15 10:25:24

Restore point made on: 2012-12-16 09:47:16

Restore point made on: 2012-12-17 02:00:16

Restore point made on: 2012-12-19 17:22:10

Restore point made on: 2012-12-22 13:35:52

Restore point made on: 2012-12-22 13:37:02

Restore point made on: 2012-12-22 13:38:20

Restore point made on: 2012-12-23 21:27:07

Restore point made on: 2012-12-24 08:55:51

Restore point made on: 2012-12-24 11:28:56

==================== Memory info ===========================

Percentage of memory in use: 9%

Total physical RAM: 8102.76 MB

Available physical RAM: 7313.3 MB

Total Pagefile: 8100.91 MB

Available Pagefile: 7295.02 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (Piddle) (Fixed) (Total:279.45 GB) (Free:128.76 GB) NTFS ==>[system with boot components (obtained from reading drive)]

2 Drive d: (DATA) (Fixed) (Total:394.18 GB) (Free:394.07 GB) NTFS

4 Drive f: (FLASH CU) (Removable) (Total:0.25 GB) (Free:0.24 GB) FAT

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 698 GB 1024 KB

Disk 1 Online 252 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 25 GB 1024 KB

Partition 2 Primary 279 GB 25 GB

Partition 0 Extended 394 GB 304 GB

Partition 3 Logical 394 GB 304 GB

==================================================================================

Disk: 0

Partition 1

Type : 1C

Hidden: Yes

Active: No

There is no volume associated with this partition.

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 C Piddle NTFS Partition 279 GB Healthy

=========================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 D DATA NTFS Partition 394 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 252 MB 31 KB

==================================================================================

Disk: 1

Partition 1

Type : 06

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 F FLASH CU FAT Removable 252 MB Healthy

=========================================================

Last Boot: 2012-12-15 11:46

==================== End Of Log =============================


Apologies, missed notification prompt... OK continue as follows:

Open notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt.

start

HKU\Greg\...\Policies\system: [DisableTaskMgr] 1

HKLM\...\Winlogon: [shell] Explorer.exe, C:\ProgramData\nzqwwnh_ [x ] ()

2012-12-24 11:23 - 2012-12-25 10:52 - 00158208 ____A (ADOSoft Int.) C:\Users\Greg\AppData\Roaming\nzqwwnh_.exe

2012-12-24 11:13 - 2012-12-25 10:57 - 00158208 ____A (ADOSoft Int.) C:\Users\Greg\AppData\Local\nzqwwnh_.exe

2012-12-24 11:13 - 2012-12-25 10:57 - 00158208 ____A (ADOSoft Int.) C:\Users\All Users\nzqwwnh_.exe

C:\Windows\Installer\{648c7366-661d-8c7c-a2b5-bfc01b210a94}

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{648c7366-661d-8c7c-a2b5-bfc01b210a94}

end

Now please enter System Recovery Options as you did to get the log.

Run FRST64 or FRST and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

See if Windows will now boot OK. If so, run DDS and post the two produced logs:

Download and save DDS to your Desktop from either of the following links:

http://download.bleepingcomputer.com/sUBs/dds.scr

http://compendiate.net/sUBs/dds/dds.scr

Note: You must use Internet Explorer to download dds.scr; other browsers will open the file in the browser and not save it. Or, if you must use Firefox or Chrome, then right-click the link, select "save link as" and save the file to your desktop.

Double-click the dds.scr file to run the program.

It will automatically run in silent mode and then you will see the following note:

"Two logs shall be created on your Desktop"

The logs will be named dds.txt and attach.txt.

Wait until the logs appear and then copy and paste their contents in your post.

Kevin
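As an added example (my code, not FRST's, Farbar's or the helper's) tying the scan log above to the fixlist in this post: a small Python triage script that reads FRST log lines and flags the entry types Kevin picked out, namely the Winlogon Shell hijack, the DisableTaskMgr policy, the nzqwwnh_.exe drops sitting directly in profile roots, and the folders FRST labels "ZeroAccess:", then renders them in fixlist form. The heuristics are my assumptions rather than FRST's own rules, and the sample lines are a constructed subset of the posted log plus two clean entries that must not be flagged.

```python
import re

# Log lines taken from the FRST scan posted in this thread (a constructed subset),
# plus one clean Run entry and one signed download that must NOT be flagged.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===================
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKU\Greg\...\Policies\system: [DisableTaskMgr] 1
HKLM\...\Winlogon: [shell] Explorer.exe, C:\ProgramData\nzqwwnh_ [x ] ()
==================== One Month Created Files and Folders ========
2012-12-24 11:23 - 2012-12-25 10:52 - 00158208 ____A (ADOSoft Int.) C:\Users\Greg\AppData\Roaming\nzqwwnh_.exe
2012-12-24 11:13 - 2012-12-25 10:57 - 00158208 ____A (ADOSoft Int.) C:\Users\Greg\AppData\Local\nzqwwnh_.exe
2012-12-24 11:13 - 2012-12-25 10:57 - 00158208 ____A (ADOSoft Int.) C:\Users\All Users\nzqwwnh_.exe
2012-12-15 10:23 - 2012-12-15 10:23 - 17265384 ____A (Splashtop Inc.) C:\Users\Greg\Downloads\Splashtop_Streamer_WIN_v2.2.0.0.EXE
==================== One Month Modified Files and Folders =======
2012-12-25 10:57 - 2012-12-24 11:13 - 00158208 ____A (ADOSoft Int.) C:\Users\Greg\AppData\Local\nzqwwnh_.exe
ZeroAccess:
C:\Windows\Installer\{648c7366-661d-8c7c-a2b5-bfc01b210a94}
C:\Windows\Installer\{648c7366-661d-8c7c-a2b5-bfc01b210a94}\U
ZeroAccess:
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{648c7366-661d-8c7c-a2b5-bfc01b210a94}
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{648c7366-661d-8c7c-a2b5-bfc01b210a94}\@
"""

# Winlogon Shell entry: anything beyond a bare Explorer.exe means the shell was hijacked.
WINLOGON_RE = re.compile(r"^HKLM\\\.\.\.\\Winlogon: \[shell\] (?P<value>.+)$", re.IGNORECASE)
# Per-user policy that hides Task Manager; lock-screen malware commonly sets it.
TASKMGR_RE = re.compile(r"^HKU\\[^\\]+\\\.\.\.\\Policies\\system: \[DisableTaskMgr\] 1$", re.IGNORECASE)
# File entry layout: "<created> - <modified> - <size> <attrs> (<signer>) <path>"
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ [_A-Z]{5} "
    r"(?:\([^)]*\) )?(?P<path>[A-Za-z]:\\.+)$"
)
# An .exe directly under a profile root instead of inside a vendor sub-folder (assumed heuristic).
PROFILE_EXE_RE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|Users\\All Users|ProgramData)\\[^\\]+\.exe$",
    re.IGNORECASE,
)


def triage(log_text):
    """Return [(reason, fixlist_line)] for the suspicious entries in an FRST log."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    findings, seen = [], set()

    def flag(reason, entry, key=None):
        key = (key or entry).lower()
        if key not in seen:  # the same file shows up in both Created and Modified
            seen.add(key)
            findings.append((reason, entry))

    for i, line in enumerate(lines):
        if not line:
            continue
        m = WINLOGON_RE.match(line)
        if m:
            if m.group("value").strip().lower() != "explorer.exe":
                flag("Winlogon Shell no longer plain Explorer.exe", line)
            continue
        if TASKMGR_RE.match(line):
            flag("Task Manager disabled by policy", line)
            continue
        m = FILE_RE.match(line)
        if m:
            if PROFILE_EXE_RE.search(m.group("path")):
                flag("executable dropped directly into a profile root", line, key=m.group("path"))
            continue
        if line == "ZeroAccess:":
            # FRST lists the infected folder first, then its contents;
            # the top-level folder is the one that goes into the fixlist.
            folder = next((ln for ln in lines[i + 1:] if ln), "")
            if folder:
                flag("ZeroAccess folder", folder)
    return findings


def build_fixlist(findings):
    """Render findings as an FRST-style fixlist: flagged lines verbatim between start/end."""
    return "\n".join(["start", *(entry for _, entry in findings), "end"])


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for reason, entry in found:
        print(f"[{reason}] {entry}")
    print()
    print(build_fixlist(found))
```

Run it against a full FRST.txt and the fixlist it prints should match, entry for entry, the one quoted above; anything it flags that a human would not is a sign the heuristics need tightening before trusting them.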


The desktop loads but looks something like safe mode. I was able to run DDS. Here is the Fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 31-12-2012

Ran by SYSTEM at 2013-01-11 16:09:49 Run:1

Running from F:\

==============================================

HKEY_USERS\Greg\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableTaskMgr Value deleted successfully.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored successfully .

C:\Users\Greg\AppData\Roaming\nzqwwnh_.exe moved successfully.

C:\Users\Greg\AppData\Local\nzqwwnh_.exe moved successfully.

C:\Users\All Users\nzqwwnh_.exe moved successfully.

C:\Windows\Installer\{648c7366-661d-8c7c-a2b5-bfc01b210a94} moved successfully.

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{648c7366-661d-8c7c-a2b5-bfc01b210a94} moved successfully.

==== End of Fixlog ====

Here is the DDS file.

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16447 BrowserJavaVersion: 1.6.0_31

Run by Greg at 16:31:28 on 2013-01-11

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8103.5994 [GMT -7:00]

.

AV: Microsoft Security Essentials *Enabled/Outdated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Microsoft Security Essentials *Enabled/Outdated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\WLANExt.exe

C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe

C:\Windows\system32\FBAgent.exe

C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe

C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskeng.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe

C:\Program Files (x86)\Symantec AntiVirus\DefWatch.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt

C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe

C:\Program Files\Macrium\Reflect\ReflectService.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Intel\TurboBoost\TurboBoost.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe

C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe

C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe

C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe

C:\Windows\system32\taskeng.exe

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

C:\Program Files (x86)\ASUS\Splendid\ACMON.exe

C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe

C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe

C:\Program Files\P4G\BatteryLife.exe

C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe

C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe

C:\Program Files\ASUS\ASUS Secure Delete\ADDEL.exe

C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Users\Greg\AppData\Local\Google\Update\GoogleUpdate.exe

C:\Program Files (x86)\Songbird\songbirditunesagent.exe

C:\Program Files (x86)\Asus\AsusVibe\AsusVibe2.0.exe

C:\Windows\system32\SearchIndexer.exe

C:\Users\Greg\AppData\Roaming\Dropbox\bin\Dropbox.exe

C:\Program Files (x86)\Motorola Mobility\MotoCast\MotoCast.exe

C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe

C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe

C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe

C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSPanel.exe

C:\Windows\AsScrPro.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.creighton.edu/students/

mStart Page = hxxp://asus.msn.com

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL

BHO: Google Dictionary Compression sdch: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

BHO: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files (x86)\WOT\WOT.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB: WOT: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

TB: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll

uRun: [Google Update] "C:\Users\Greg\AppData\Local\Google\Update\GoogleUpdate.exe" /c

uRun: [sbitunesagent] C:\Program Files (x86)\Songbird\songbirditunesagent.exe

uRun: [MotoCast] "C:\Program Files (x86)\Motorola Mobility\MotoCast\MotoLauncher.lnk"

mRun: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe"

mRun: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe

mRun: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe

mRun: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe

mRun: [ASUSWebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSPanel.exe /S

mRun: [ASUS Screen Saver Protector] C:\Windows\AsScrPro.exe

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [Communicator] "C:\Program Files (x86)\Microsoft Lync\communicator.exe" /fromrunkey

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

StartupFolder: C:\Users\Greg\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Greg\AppData\Roaming\Dropbox\bin\Dropbox.exe

StartupFolder: C:\Users\Greg\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ASUSVI~1.LNK - C:\Program Files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

uPolicies-Explorer: NoDrives = dword:0

uPolicies-Explorer: NoDriveAutoRun = dword:0

mPolicies-Explorer: NoDrives = dword:0

mPolicies-System: ConsentPromptBehaviorAdmin = dword:0

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableLUA = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: PromptOnSecureDesktop = dword:0

IE: E&xport to Microsoft Excel - C:\PROGRA~1\MIF5BA~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\PROGRA~1\MIF5BA~1\Office14\ONBttnIE.dll/105

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll

.

INFO: HKCU has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

.

INFO: HKLM has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

TCP: NameServer = 192.168.1.1

TCP: Interfaces\{C2C1BA8E-C66C-4AD1-95F7-33459BE7D32C} : DHCPNameServer = 192.168.1.1

TCP: Interfaces\{C2C1BA8E-C66C-4AD1-95F7-33459BE7D32C}\0586F656E69687 : DHCPNameServer = 10.0.1.1

TCP: Interfaces\{C2C1BA8E-C66C-4AD1-95F7-33459BE7D32C}\2516D626C65627 : DHCPNameServer = 192.168.1.1

TCP: Interfaces\{C2C1BA8E-C66C-4AD1-95F7-33459BE7D32C}\26C6575602C696E656 : DHCPNameServer = 192.168.0.1

TCP: Interfaces\{C2C1BA8E-C66C-4AD1-95F7-33459BE7D32C}\342716E67756C6C6 : DHCPNameServer = 192.168.0.1

TCP: Interfaces\{C2C1BA8E-C66C-4AD1-95F7-33459BE7D32C}\46F6E64747F6573686D69727F657475627C616272797 : DHCPNameServer = 192.168.0.1

TCP: Interfaces\{C2C1BA8E-C66C-4AD1-95F7-33459BE7D32C}\541444 : DHCPNameServer = 68.105.28.12 68.105.29.12 68.105.28.11

TCP: Interfaces\{E997BF41-65F0-41F3-93DA-1932E5BCA901} : DHCPNameServer = 192.168.1.1 205.171.2.25

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll

SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL

x64-mStart Page = hxxp://asus.msn.com

x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

x64-BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg64.dll

x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL

x64-BHO: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll

x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

x64-TB: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll

x64-Run: [ETDCtrl] C:\Program Files (x86)\Elantech\ETDCtrl.exe

x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey

x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

.

INFO: x64-HKLM has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>

x64-Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll

x64-Notify: igfxcui - igfxdev.dll

x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Greg\AppData\Roaming\Mozilla\Firefox\Profiles\w8lfpb9n.default\

FF - prefs.js: browser.startup.homepage - www.dyingscene.com/

FF - prefs.js: network.proxy.type - 0

FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL

FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin.dll

FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll

FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dll

FF - plugin: C:\Program Files (x86)\Nuance\PDF Reader\bin\nppdf.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Users\Greg\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll

FF - plugin: C:\Users\Greg\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: C:\Users\Greg\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll

FF - plugin: C:\Users\Greg\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_268.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_135.dll

.

============= SERVICES / DRIVERS ===============

.

R0 assd;assd;C:\Windows\System32\drivers\assd.sys [2011-7-15 27264]

R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2012-3-20 203888]

R1 ATKWMIACPIIO;ATKWMIACPI Driver;C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [2010-7-26 17024]

R2 ASMMAP64;ASMMAP64;C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-7-2 15416]

R3 AMPPAL;Intel® Centrino® Bluetooth 3.0 + High Speed Virtual Adapter;C:\Windows\System32\drivers\AmpPal.sys [2011-3-22 261632]

R3 btmaux;Intel Bluetooth Auxiliary Service;C:\Windows\System32\drivers\btmaux.sys [2011-3-8 51712]

R3 btmhsf;btmhsf;C:\Windows\System32\drivers\btmhsf.sys [2011-3-8 274944]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-8-30 138912]

R3 ETD;ELAN PS/2 Port Input Device;C:\Windows\System32\drivers\ETD.sys [2011-5-26 138024]

R3 FLxHCIc;Fresco Logic xHCI (USB3) Device Driver;C:\Windows\System32\drivers\FLxHCIc.sys [2011-4-8 177152]

R3 FLxHCIh;Fresco Logic xHCI (USB3) Hub Device Driver;C:\Windows\System32\drivers\FLxHCIh.sys [2011-4-8 56320]

R3 iBtFltCoex;iBtFltCoex;C:\Windows\System32\drivers\iBtFltCoex.sys [2011-3-22 59904]

R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-5-26 317440]

R3 iwdbus;IWD Bus Enumerator;C:\Windows\System32\drivers\iwdbus.sys [2011-3-24 25496]

R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2011-5-26 76912]

S2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-3-20 98688]

S3 AMPPALP;Intel® Centrino® Bluetooth 3.0 + High Speed Protocol;C:\Windows\System32\drivers\AmpPal.sys [2011-3-22 261632]

S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2011-4-1 48488]

S3 intaud_WaveExtensible;Intel WiDi Audio Device;C:\Windows\System32\drivers\intelaud.sys [2011-3-24 34200]

.

=============== File Associations ===============

.

FileExt: .inf: inffile=C:\Windows\SysWow64\NOTEPAD.EXE %1

FileExt: .vbe: VBEFile=C:\Windows\SysWow64\WScript.exe "%1" %*

FileExt: .vbs: VBSFile=C:\Windows\SysWow64\WScript.exe "%1" %*

FileExt: .js: JSFile=C:\Windows\SysWow64\WScript.exe "%1" %*

.

=============== Created Last 30 ================

.

2013-01-05 01:06:26 -------- d-----w- C:\FRST

2012-12-24 20:08:50 9125352 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{04D620D3-4486-4183-92B6-FC262A6442BB}\mpengine.dll

2012-12-24 19:32:43 -------- d-----w- C:\Windows\TempED59068B-FAD5-07EC-98BD-5FA1A41E29B2-Signatures

2012-12-24 05:30:23 -------- d-----w- C:\Windows\TempD3C4382E-CD23-1C28-A8C9-B5CBEE49AE57-Signatures

2012-12-20 06:24:51 -------- d-----w- C:\Windows\Temp1A1679BD-2AA6-2430-4776-4DC29E9BA6EE-Signatures

2012-12-18 14:28:14 186584 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nppdf32.dll

2012-12-18 14:28:14 186584 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\nppdf32.dll

2012-12-17 10:01:45 -------- d-----w- C:\Windows\TempCC561410-34D5-25F0-5BCC-9F4FD37F4C0B-Signatures

2012-12-16 17:50:02 -------- d-----w- C:\Windows\Temp8C3E4FBF-2321-0D11-C06F-BB56B5F8A9BE-Signatures

2012-12-15 18:33:25 -------- d-----w- C:\Users\Greg\AppData\Local\Splashtop

2012-12-15 18:25:45 -------- d-----w- C:\ProgramData\Splashtop

2012-12-15 18:25:32 -------- d-----w- C:\Program Files (x86)\Splashtop

2012-12-15 18:25:09 -------- d-----w- C:\Users\Greg\AppData\Local\{AB7CBD6B-0741-4997-8430-950DB17CC940}

2012-12-15 17:39:54 -------- d-----w- C:\Windows\TempAC120230-158B-DC1D-6FFE-B179C96CFD76-Signatures

.

==================== Find3M ====================

.

2012-12-25 18:48:07 45056 ----a-w- C:\Windows\System32\acovcnt.exe

2012-12-12 04:36:39 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-12-12 04:36:39 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

.

============= FINISH: 16:36:20.28 ===============

And here is the Attach file

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume2

Install Date: 10/9/2011 4:44:52 PM

System Uptime: 1/11/2013 4:27:14 PM (0 hours ago)

.

Motherboard: ASUSTeK Computer Inc. | | U46E

Processor: Intel® Core i5-2410M CPU @ 2.30GHz | CPU 1 | 2301/100mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 279 GiB total, 127.223 GiB free.

D: is FIXED (NTFS) - 394 GiB total, 394.068 GiB free.

E: is CDROM ()

F: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP269: 11/29/2012 7:29:18 PM - Windows Update

RP270: 12/2/2012 12:38:38 PM - Windows Update

RP271: 12/6/2012 8:49:54 AM - Windows Update

RP272: 12/9/2012 9:21:00 AM - Windows Update

RP273: 12/10/2012 7:01:30 PM - Windows Update

RP274: 12/14/2012 5:57:37 PM - Windows Update

RP275: 12/15/2012 10:20:10 AM - Windows Modules Installer

RP276: 12/15/2012 10:20:36 AM - Windows Modules Installer

RP277: 12/15/2012 10:21:59 AM - Windows Modules Installer

RP278: 12/15/2012 10:23:14 AM - Windows Modules Installer

RP279: 12/15/2012 10:25:09 AM - Windows Modules Installer

RP280: 12/15/2012 10:26:09 AM - Windows Modules Installer

RP281: 12/15/2012 10:27:18 AM - Windows Modules Installer

RP282: 12/15/2012 10:28:40 AM - Windows Modules Installer

RP283: 12/15/2012 10:30:02 AM - Windows Modules Installer

RP284: 12/15/2012 10:31:31 AM - Windows Modules Installer

RP285: 12/15/2012 10:36:49 AM - Windows Modules Installer

RP286: 12/15/2012 10:37:44 AM - Windows Modules Installer

RP287: 12/15/2012 10:38:27 AM - Windows Modules Installer

RP288: 12/15/2012 10:44:21 AM - Windows Modules Installer

RP289: 12/15/2012 10:45:21 AM - Windows Modules Installer

RP290: 12/15/2012 10:46:17 AM - Windows Modules Installer

RP291: 12/15/2012 11:25:17 AM - Installed Splashtop Streamer

RP292: 12/16/2012 10:47:11 AM - Windows Update

RP293: 12/17/2012 3:00:13 AM - Windows Update

RP294: 12/19/2012 6:22:02 PM - Windows Update

RP295: 12/22/2012 2:35:41 PM - Windows Modules Installer

RP296: 12/22/2012 2:36:35 PM - Windows Modules Installer

RP297: 12/22/2012 2:37:17 PM - Windows Modules Installer

RP298: 12/23/2012 10:26:41 PM - Windows Update

RP299: 12/24/2012 9:55:46 AM - Windows Modules Installer

RP300: 12/24/2012 12:28:41 PM - Windows Update

.

==== Installed Programs ======================

.

??????? Windows Live Mesh ActiveX ??(????)

??????? Windows Live Mesh ActiveX ???

64 Bit HP CIO Components Installer

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader X (10.1.5)

AIO_Scan

Alcor Micro USB Card Reader

Amazon MP3 Downloader 1.0.15

Amazon MP3 Uploader

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ASUS AI Recovery

ASUS FancyStart

ASUS LifeFrame3

ASUS Live Update

ASUS Power4Gear Hybrid

ASUS Secure Delete

ASUS SmartLogon

ASUS Splendid Video Enhancement Technology

ASUS U Series ScreenSaver

ASUS Virtual Camera

ASUS WebStorage

AsusVibe2.0

ATK Package

Bonjour

BufferChm

Business Contact Manager for Microsoft Outlook 2010

Contrôle ActiveX Windows Live Mesh pour connexions à distance

Control ActiveX de Windows Live Mesh para conexiones remotas

Controlo ActiveX do Windows Live Mesh para Ligações Remotas

Copy

CustomerResearchQFolder

CyberLink LabelPrint

CyberLink Power2Go

D3DX10

Definition Update for Microsoft Office 2010 (KB982726) 64-Bit Edition

Destinations

DeviceManagementQFolder

DJ_AIO_ProductContext

DJ_AIO_Software

DJ_AIO_Software_min

Dropbox

ERUNT 1.1j

eSupportQFolder

ETDWare PS/2-X64 8.0.5.0_WHQL

F4100

F4100_Help

Fast Boot

Free Mp3 Wma Converter V 2.2

Fresco Logic USB3.0 Host Controller

Galeria de Fotografias do Windows Live

Galerie de photos Windows Live

Galería fotográfica de Windows Live

Google Chrome

Google Drive

Google Earth Plug-in

Google Talk Plugin

Google Toolbar for Internet Explorer

Google Update Helper

gPad Server 2.0 2.0.0

HP Customer Participation Program 8.0

HP Deskjet All-In-One Software 8.0

HP Imaging Device Functions 8.0

HP Photosmart Essential

HP Solution Center 8.0

HP Update

HPProductAssistant

HPSSupply

Intel PROSet Wireless

Intel® Control Center

Intel® Processor Graphics

Intel® PROSet/Wireless for Bluetooth® 3.0 + High Speed

Intel® PROSet/Wireless Software for Bluetooth® Technology

Intel® PROSet/Wireless WiFi Software

Intel® Turbo Boost Technology Monitor

Intel® WiDi

Intel® Wireless Display

iTunes

Java Auto Updater

Java 6 Update 31

Junk Mail filter update

LiveUpdate 3.2 (Symantec Corporation)

Macrium Reflect Free Edition

Malwarebytes Anti-Malware version 1.65.1.1000

MarketResearch

McAfee Security Scan Plus

Mesh Runtime

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Chart Controls for Microsoft .NET Framework 3.5 (KB2500170)

Microsoft IntelliPoint 8.2

Microsoft Lync 2010

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Groove MUI (English) 2010

Microsoft Office InfoPath MUI (English) 2010

Microsoft Office Office 32-bit Components 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Professional Plus 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared 32-bit MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Word MUI (English) 2010

Microsoft Security Client

Microsoft Security Essentials

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft SQL Server 2008

Microsoft SQL Server 2008 Browser

Microsoft SQL Server 2008 Common Files

Microsoft SQL Server 2008 Database Engine Services

Microsoft SQL Server 2008 Database Engine Shared

Microsoft SQL Server 2008 Native Client

Microsoft SQL Server 2008 RsFx Driver

Microsoft SQL Server 2008 Setup Support Files

Microsoft SQL Server VSS Writer

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2005 Redistributable (x64)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft® Office Language Pack 2010 – English (Business Contact Manager for Microsoft Outlook 2010)

MotoCast

Motorola Device Manager

Motorola Device Software Update

Motorola Mobile Drivers Installation 5.9.0

Mozilla Firefox 15.0.1 (x86 en-US)

Mozilla Maintenance Service

MSVCRT

MSVCRT_amd64

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Nuance PDF Reader

QuickTime

Realtek High Definition Audio Driver

Scan

SceneSwitch

Secure Download Manager

Security Update for CAPICOM (KB931906)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft Excel 2010 (KB2597126) 64-Bit Edition

Security Update for Microsoft InfoPath 2010 (KB2687417) 64-Bit Edition

Security Update for Microsoft InfoPath 2010 (KB2687436) 64-Bit Edition

Security Update for Microsoft Office 2010 (KB2553091)

Security Update for Microsoft Office 2010 (KB2553096)

Security Update for Microsoft Office 2010 (KB2553371) 64-Bit Edition

Security Update for Microsoft Office 2010 (KB2553447) 64-Bit Edition

Security Update for Microsoft Office 2010 (KB2589320) 64-Bit Edition

Security Update for Microsoft Office 2010 (KB2598243) 64-Bit Edition

Security Update for Microsoft Office 2010 (KB2687501) 64-Bit Edition

Security Update for Microsoft Office 2010 (KB2687510) 64-Bit Edition

Security Update for Microsoft PowerPoint 2010 (KB2553185) 64-Bit Edition

Security Update for Microsoft Visio 2010 (KB2687508) 64-Bit Edition

Security Update for Microsoft Visio Viewer 2010 (KB2598287) 64-Bit Edition

Security Update for Microsoft Word 2010 (KB2760410) 64-Bit Edition

Service Pack 1 for SQL Server 2008 (KB968369)

SolutionCenter

Songbird 1.10.2 (Build 2199)

Sonic Focus

Splashtop Streamer

Spybot - Search & Destroy

SpywareBlaster 4.6

Sql Server Customer Experience Improvement Program

Status

Symantec AntiVirus Win64

syncables desktop SE

Toolbox

TrayApp

Unity Web Player

UnloadSupport

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft Office 2010 (KB2553065)

Update for Microsoft Office 2010 (KB2553092)

Update for Microsoft Office 2010 (KB2553181) 64-Bit Edition

Update for Microsoft Office 2010 (KB2553267) 64-Bit Edition

Update for Microsoft Office 2010 (KB2553310) 64-Bit Edition

Update for Microsoft Office 2010 (KB2566458)

Update for Microsoft Office 2010 (KB2598242) 64-Bit Edition

Update for Microsoft Office 2010 (KB2687509) 64-Bit Edition

Update for Microsoft OneNote 2010 (KB2553290) 64-Bit Edition

Update for Microsoft OneNote 2010 (KB2687277) 64-Bit Edition

Update for Microsoft Outlook 2010 (KB2687623) 64-Bit Edition

Update for Microsoft Outlook Social Connector 2010 (KB2553406) 64-Bit Edition

Update for Microsoft SharePoint Workspace 2010 (KB2589371) 64-Bit Edition

WebReg

Windows Live

Windows Live ???

Windows Live ????

Windows Live Communications Platform

Windows Live Essentials

Windows Live Family Safety

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Language Selector

Windows Live Mail

Windows Live Mesh

Windows Live Mesh ActiveX Control for Remote Connections

Windows Live Messenger

Windows Live MIME IFilter

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live Remote Client

Windows Live Remote Client Resources

Windows Live Remote Service

Windows Live Remote Service Resources

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

Windows Media Player Firefox Plugin

WinFlash

Wireless Console 3

WOT for Internet Explorer

.

==== Event Viewer Messages From Past Week ========

.

1/11/2013 4:36:20 PM, Error: Ntfs [137] - The default transaction resource manager on volume C: encountered a non-retryable error and could not start. The data contains the error code.

1/11/2013 4:35:41 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.

1/11/2013 4:30:58 PM, Error: Service Control Manager [7024] - The HomeGroup Listener service terminated with service-specific error %%-2147023143.

1/11/2013 4:29:57 PM, Error: Service Control Manager [7023] - The Windows Defender service terminated with the following error: The specified module could not be found.

1/11/2013 4:29:47 PM, Error: Service Control Manager [7001] - The IPsec Policy Agent service depends on the BFE service which failed to start because of the following error: Access is denied.

1/11/2013 4:29:46 PM, Error: Service Control Manager [7001] - The Microsoft Network Inspection System service depends on the BFE service which failed to start because of the following error: Access is denied.

1/11/2013 4:29:43 PM, Error: Service Control Manager [7001] - The IKE and AuthIP IPsec Keying Modules service depends on the BFE service which failed to start because of the following error: Access is denied.

1/11/2013 4:29:27 PM, Error: Service Control Manager [7001] - The Windows Firewall service depends on the BFE service which failed to start because of the following error: Access is denied.

1/11/2013 4:29:27 PM, Error: Service Control Manager [7000] - The BFE service failed to start due to the following error: Access is denied.

1/11/2013 4:26:39 PM, Error: Service Control Manager [7043] - The Windows Update service did not shut down properly after receiving a preshutdown control.

1/11/2013 4:14:32 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Motorola Device Manager Service service to connect.

1/11/2013 4:14:32 PM, Error: Service Control Manager [7000] - The Motorola Device Manager Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

.

==== End Of File ===========================


Upload a File to Virustotal

Go to http://www.virustotal.com/

  • Click the Browse... button
  • Navigate to the file C:\Windows\System32\acovcnt.exe or just copy/paste it in.
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the results back here please.

Next,

download Farbar Service Scanner and run it on the computer with the issue.

Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Kevin...


When I try browsing for acovcnt.exe on the VirusTotal web page, I cannot locate it. I can, however, locate it in my computer's file browser. When I copy it and try to paste in the VirusTotal file browser, I get a notification that the file cannot be found. So I'm unable to scan it.

Should I still proceed with Farbar Service Scanner?


Run this instead please:

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*

  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted)

Post the log in next reply please...

Kevin


ComboFix 13-01-11.02 - Greg 01/11/2013 18:06:25.3.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8103.5047 [GMT -7:00]

Running from: c:\users\Greg\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

.

.

((((((((((((((((((((((((( Files Created from 2012-12-12 to 2013-01-12 )))))))))))))))))))))))))))))))

.

.

2013-01-12 01:11 . 2013-01-12 01:11 -------- d-----w- c:\users\Public\AppData\Local\temp

2013-01-12 01:11 . 2013-01-12 01:11 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-01-11 23:48 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7B078EA0-7749-4AB2-A1A5-70B171BB4DE6}\mpengine.dll

2013-01-05 01:06 . 2013-01-05 01:06 -------- d-----w- C:\FRST

2012-12-24 20:08 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-12-24 19:32 . 2012-12-24 19:32 -------- d-----w- c:\windows\TempED59068B-FAD5-07EC-98BD-5FA1A41E29B2-Signatures

2012-12-24 05:30 . 2012-12-24 05:30 -------- d-----w- c:\windows\TempD3C4382E-CD23-1C28-A8C9-B5CBEE49AE57-Signatures

2012-12-20 06:24 . 2012-12-20 06:24 -------- d-----w- c:\windows\Temp1A1679BD-2AA6-2430-4776-4DC29E9BA6EE-Signatures

2012-12-18 14:28 . 2012-12-18 14:28 186584 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll

2012-12-18 14:28 . 2012-12-18 14:28 186584 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll

2012-12-17 10:01 . 2012-12-17 10:01 -------- d-----w- c:\windows\TempCC561410-34D5-25F0-5BCC-9F4FD37F4C0B-Signatures

2012-12-16 17:50 . 2012-12-16 17:50 -------- d-----w- c:\windows\Temp8C3E4FBF-2321-0D11-C06F-BB56B5F8A9BE-Signatures

2012-12-15 18:33 . 2012-12-15 18:33 -------- d-----w- c:\users\Greg\AppData\Local\Splashtop

2012-12-15 18:25 . 2012-12-15 18:25 -------- d-----w- c:\programdata\Splashtop

2012-12-15 18:25 . 2012-12-15 18:25 -------- d-----w- c:\program files (x86)\Splashtop

2012-12-15 18:25 . 2012-12-15 18:25 -------- d-----w- c:\users\Greg\AppData\Local\{AB7CBD6B-0741-4997-8430-950DB17CC940}

2012-12-15 17:39 . 2012-12-15 17:39 -------- d-----w- c:\windows\TempAC120230-158B-DC1D-6FFE-B179C96CFD76-Signatures

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-01-12 01:14 . 2011-07-16 01:45 45056 ----a-w- c:\windows\system32\acovcnt.exe

2013-01-12 00:35 . 2012-04-12 21:42 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-01-12 00:35 . 2011-10-11 00:13 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-12-15 17:32 . 2011-10-11 17:09 67413224 ----a-w- c:\windows\system32\MRT.exe

2012-11-29 03:54 . 2012-11-29 03:55 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{623FB21E-C0CC-443D-B84E-3CB6447F2249}\gapaengine.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 94208 ----a-w- c:\users\Greg\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 94208 ----a-w- c:\users\Greg\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 94208 ----a-w- c:\users\Greg\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 94208 ----a-w- c:\users\Greg\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"sbitunesagent"="c:\program files (x86)\Songbird\songbirditunesagent.exe" [2012-09-18 266240]

"MotoCast"="c:\program files (x86)\Motorola Mobility\MotoCast\MotoLauncher.lnk" [2012-11-12 2057]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"CLMLServer"="c:\program files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [2009-11-02 103720]

"ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2010-08-17 5732992]

"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2010-10-07 170624]

"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]

"ASUSWebStorage"="c:\program files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSPanel.exe" [2011-02-23 731472]

"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2011-07-16 3058304]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]

"Communicator"="c:\program files (x86)\Microsoft Lync\communicator.exe" [2012-09-29 12105344]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]

.

c:\users\Greg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dropbox.lnk - c:\users\Greg\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]

ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

AsusVibeLauncher.lnk - c:\program files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe [2011-4-1 549040]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 AMPPALP;Intel® Centrino® Bluetooth 3.0 + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [2011-03-22 261632]

R3 Bluetooth Media Service;Bluetooth Media Service;c:\program files (x86)\Intel\Bluetooth\mediasrv.exe [2011-03-30 1321296]

R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 47616]

R3 intaud_WaveExtensible;Intel WiDi Audio Device;c:\windows\system32\drivers\intelaud.sys [2011-03-24 34200]

R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.0.207\McCHSvc.exe [2011-06-17 237008]

R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2011-05-02 340240]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-27 291696]

R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]

R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]

R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys [2009-06-10 56832]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 31232]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-10-11 1255736]

R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-03-31 47128]

R4 SQLAgent$MSSMLBIZ;SQL Server Agent (MSSMLBIZ);c:\program files (x86)\Microsoft SQL Server\MSSQL10.MSSMLBIZ\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]

S0 assd;assd; [x]

S1 ATKWMIACPIIO;ATKWMIACPI Driver;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [2010-07-26 17024]

S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [2011-03-03 379520]

S2 AMPPALR3;Intel® Centrino® Bluetooth 3.0 + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [2011-03-22 1136128]

S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-07-03 15416]

S2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe [2011-03-30 923984]

S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe [2011-03-30 1001808]

S2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2011-02-24 134928]

S2 Motorola Device Manager;Motorola Device Manager Service;c:\program files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [2012-10-02 120728]

S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]

S2 PST Service;PST Service;c:\program files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe [2011-09-02 65657]

S2 ReflectService.exe;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [2012-08-21 301760]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

S2 SplashtopRemoteService;Splashtop® Remote Service;c:\program files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe [2012-11-28 548264]

S2 SSUService;Splashtop Software Updater Service;c:\program files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe [2012-10-17 386920]

S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2010-04-16 13832]

S2 TurboBoost;Intel® Turbo Boost Technology Monitor;c:\program files\Intel\TurboBoost\TurboBoost.exe [2010-04-16 134928]

S3 AMPPAL;Intel® Centrino® Bluetooth 3.0 + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [2011-03-22 261632]

S3 btmaux;Intel Bluetooth Auxiliary Service;c:\windows\system32\DRIVERS\btmaux.sys [2011-03-08 51712]

S3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys [2011-03-08 274944]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-08-16 138912]

S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2010-12-13 138024]

S3 FLxHCIc;Fresco Logic xHCI (USB3) Device Driver;c:\windows\system32\DRIVERS\FLxHCIc.sys [2011-04-08 177152]

S3 FLxHCIh;Fresco Logic xHCI (USB3) Hub Device Driver;c:\windows\system32\DRIVERS\FLxHCIh.sys [2011-04-08 56320]

S3 iBtFltCoex;iBtFltCoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys [2011-03-23 59904]

S3 InputFilter_Hid_FlexDef2b;Siliten HID Devices(FlexDef2b) Driver Service;c:\windows\system32\DRIVERS\InputFilter_FlexDef2b.sys [2010-06-19 17920]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-14 317440]

S3 iwdbus;IWD Bus Enumerator;c:\windows\system32\DRIVERS\iwdbus.sys [2011-03-24 25496]

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2010-08-24 76912]

S3 wdkmd;Intel WiDi KMD;c:\windows\system32\DRIVERS\WDKMD.sys [2011-03-24 42392]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2013-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-02 04:36]

.

2012-10-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-361652323-931365113-2029874430-1000Core.job

- c:\users\Greg\AppData\Local\Google\Update\GoogleUpdate.exe [2012-10-26 05:20]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]

@="{6D4133E5-0742-4ADC-8A8C-9303440F7190}"

[HKEY_CLASSES_ROOT\CLSID\{6D4133E5-0742-4ADC-8A8C-9303440F7190}]

2010-09-02 08:41 220160 ----a-w- c:\program files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSShellExt64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]

@="{64174815-8D98-4CE6-8646-4C039977D808}"

[HKEY_CLASSES_ROOT\CLSID\{64174815-8D98-4CE6-8646-4C039977D808}]

2010-09-02 08:41 220160 ----a-w- c:\program files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSShellExt64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 97792 ----a-w- c:\users\Greg\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 97792 ----a-w- c:\users\Greg\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 97792 ----a-w- c:\users\Greg\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 97792 ----a-w- c:\users\Greg\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]

2012-11-08 23:58 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]

2012-11-08 23:58 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]

2012-11-08 23:58 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]

2012-11-08 23:58 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 1271168]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.creighton.edu/students/

mStart Page = hxxp://asus.msn.com

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local;192.168.*.*

IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MIF5BA~1\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\users\Greg\AppData\Roaming\Mozilla\Firefox\Profiles\w8lfpb9n.default\

FF - prefs.js: browser.startup.homepage - www.dyingscene.com/

FF - prefs.js: network.proxy.type - 0

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

SafeBoot-71288519.sys

HKLM-Run-ETDCtrl - c:\program files (x86)\Elantech\ETDCtrl.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]

@Denied: (2) (LocalSystem)

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,

27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b

"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,

1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7

"{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}"=hex:51,66,7a,6c,4c,1d,38,12,ce,98,c3,

35,c7,5c,a0,09,c1,9c,6a,63,e2,38,41,ce

"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,

76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a

"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,

72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57

"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,

94,30,02,d1,0f,f1,da,12,24,73,56,27,d2

"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,

ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3

"{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"=hex:51,66,7a,6c,4c,1d,38,12,2d,dd,7a,

ab,6a,33,56,03,c9,ec,8d,26,b0,f3,64,49

"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,

b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb

"{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}"=hex:51,66,7a,6c,4c,1d,38,12,90,71,5e,

cc,4f,af,fb,04,c4,32,35,80,2b,70,38,5a

"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,

df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd

"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,

2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (LocalSystem)

"Timestamp"=hex:66,fc,4a,ac,9e,7a,cd,01

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]

"v5Licence0"="15-V6EH-T255-DTEV-63BB-TK2M-NWAPJK5"

"Activated"="Y"

.

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Symantec Shared\ccSvcHst.exe

c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe

c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe

c:\program files (x86)\ASUS\Splendid\ACMON.exe

c:\program files (x86)\ASUS\SmartLogon\sensorsrv.exe

c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe

c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe

c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe

c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe

c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\Symantec AntiVirus\DefWatch.exe

c:\program files (x86)\Motorola Mobility\MotoCast\MotoCast.exe

c:\program files (x86)\Symantec AntiVirus\Rtvscan.exe

c:\program files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe

c:\program files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe

c:\program files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe

c:\program files (x86)\ASUS\AI Recovery\AIRecoveryRemind.exe

c:\program files (x86)\Motorola Mobility\MotoCast\bin\MotoCast-thumbnailer.exe

.

**************************************************************************

.

Completion time: 2013-01-11 18:21:19 - machine was rebooted

ComboFix-quarantined-files.txt 2013-01-12 01:21

.

Pre-Run: 138,611,527,680 bytes free

Post-Run: 139,231,653,888 bytes free

.

- - End Of File - - 092BEE08F9275B402B28A31FED763AA6


1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the Quote box below into it:

ClearJavaCache::

Save this as CFScript.txt, and as Type: All Files (*.*), in the same location as ComboFix.exe.

(Images: CF3.jpg, CFScriptB-4.gif)

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next,

Run ESET Online Scanner

**Note** You will need to use Internet Explorer for this scan. Vista and Windows 7: right-click the IE shortcut and run as admin.

Go to the ESET web page http://www.eset.com/home/products/online-scanner/ to run an online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use, then click Start
  • When asked, allow the add-on to be installed, then click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked, then click Scan
  • Wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete:

If no threats were found:

  • Put a checkmark in "Uninstall application on close"
  • Close the program
  • Report to me that nothing was found

If threats were found:

  • Click on "list of threats found"
  • Click on "export to text file" and save it as ESET SCAN on the desktop
  • Click on back
  • Put a checkmark in "Uninstall application on close"
  • Click on finish
  • Close the program
  • Copy and paste the report here

Next,

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop.

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Post those logs. Also give an update on any remaining issues or concerns.

Kevin


Everything ran smoothly. Here is the ComboFix log first:

ComboFix 13-01-11.02 - Greg 01/11/2013 19:11:40.4.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8103.5164 [GMT -7:00]

Running from: c:\users\Greg\Desktop\ComboFix.exe

Command switches used :: c:\users\Greg\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2012-12-12 to 2013-01-12 )))))))))))))))))))))))))))))))

.

.

2013-01-12 02:16 . 2013-01-12 02:16 -------- d-----w- c:\users\Public\AppData\Local\temp

2013-01-12 02:16 . 2013-01-12 02:16 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-01-12 02:15 . 2013-01-12 02:15 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0B4176E7-D3B8-4F14-AAD3-21F2075193D8}\offreg.dll

2013-01-12 01:19 . 2012-11-19 08:01 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0B4176E7-D3B8-4F14-AAD3-21F2075193D8}\mpengine.dll

2013-01-11 23:48 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7B078EA0-7749-4AB2-A1A5-70B171BB4DE6}\mpengine.dll

2013-01-05 01:06 . 2013-01-05 01:06 -------- d-----w- C:\FRST

2012-12-24 20:08 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-12-24 19:32 . 2012-12-24 19:32 -------- d-----w- c:\windows\TempED59068B-FAD5-07EC-98BD-5FA1A41E29B2-Signatures

2012-12-24 05:30 . 2012-12-24 05:30 -------- d-----w- c:\windows\TempD3C4382E-CD23-1C28-A8C9-B5CBEE49AE57-Signatures

2012-12-20 06:24 . 2012-12-20 06:24 -------- d-----w- c:\windows\Temp1A1679BD-2AA6-2430-4776-4DC29E9BA6EE-Signatures

2012-12-18 14:28 . 2012-12-18 14:28 186584 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll

2012-12-18 14:28 . 2012-12-18 14:28 186584 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll

2012-12-17 10:01 . 2012-12-17 10:01 -------- d-----w- c:\windows\TempCC561410-34D5-25F0-5BCC-9F4FD37F4C0B-Signatures

2012-12-16 17:50 . 2012-12-16 17:50 -------- d-----w- c:\windows\Temp8C3E4FBF-2321-0D11-C06F-BB56B5F8A9BE-Signatures

2012-12-15 18:33 . 2012-12-15 18:33 -------- d-----w- c:\users\Greg\AppData\Local\Splashtop

2012-12-15 18:25 . 2012-12-15 18:25 -------- d-----w- c:\programdata\Splashtop

2012-12-15 18:25 . 2012-12-15 18:25 -------- d-----w- c:\program files (x86)\Splashtop

2012-12-15 18:25 . 2012-12-15 18:25 -------- d-----w- c:\users\Greg\AppData\Local\{AB7CBD6B-0741-4997-8430-950DB17CC940}

2012-12-15 17:39 . 2012-12-15 17:39 -------- d-----w- c:\windows\TempAC120230-158B-DC1D-6FFE-B179C96CFD76-Signatures

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-01-12 01:14 . 2011-07-16 01:45 45056 ----a-w- c:\windows\system32\acovcnt.exe

2013-01-12 00:35 . 2012-04-12 21:42 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-01-12 00:35 . 2011-10-11 00:13 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-12-15 17:32 . 2011-10-11 17:09 67413224 ----a-w- c:\windows\system32\MRT.exe

2012-11-29 03:54 . 2012-11-29 03:55 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{623FB21E-C0CC-443D-B84E-3CB6447F2249}\gapaengine.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 94208 ----a-w- c:\users\Greg\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 94208 ----a-w- c:\users\Greg\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 94208 ----a-w- c:\users\Greg\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 94208 ----a-w- c:\users\Greg\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"sbitunesagent"="c:\program files (x86)\Songbird\songbirditunesagent.exe" [2012-09-18 266240]

"MotoCast"="c:\program files (x86)\Motorola Mobility\MotoCast\MotoLauncher.lnk" [2012-11-12 2057]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"CLMLServer"="c:\program files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [2009-11-02 103720]

"ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2010-08-17 5732992]

"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2010-10-07 170624]

"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]

"ASUSWebStorage"="c:\program files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSPanel.exe" [2011-02-23 731472]

"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2011-07-16 3058304]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]

"Communicator"="c:\program files (x86)\Microsoft Lync\communicator.exe" [2012-09-29 12105344]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]

.

c:\users\Greg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dropbox.lnk - c:\users\Greg\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]

ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

AsusVibeLauncher.lnk - c:\program files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe [2011-4-1 549040]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 AMPPALP;Intel® Centrino® Bluetooth 3.0 + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [2011-03-22 261632]

R3 Bluetooth Media Service;Bluetooth Media Service;c:\program files (x86)\Intel\Bluetooth\mediasrv.exe [2011-03-30 1321296]

R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 47616]

R3 intaud_WaveExtensible;Intel WiDi Audio Device;c:\windows\system32\drivers\intelaud.sys [2011-03-24 34200]

R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.0.207\McCHSvc.exe [2011-06-17 237008]

R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2011-05-02 340240]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-27 291696]

R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]

R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]

R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys [2009-06-10 56832]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 31232]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-10-11 1255736]

R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-03-31 47128]

R4 SQLAgent$MSSMLBIZ;SQL Server Agent (MSSMLBIZ);c:\program files (x86)\Microsoft SQL Server\MSSQL10.MSSMLBIZ\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]

S0 assd;assd; [x]

S1 ATKWMIACPIIO;ATKWMIACPI Driver;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [2010-07-26 17024]

S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [2011-03-03 379520]

S2 AMPPALR3;Intel® Centrino® Bluetooth 3.0 + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [2011-03-22 1136128]

S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-07-03 15416]

S2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe [2011-03-30 923984]

S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe [2011-03-30 1001808]

S2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2011-02-24 134928]

S2 Motorola Device Manager;Motorola Device Manager Service;c:\program files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [2012-10-02 120728]

S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]

S2 PST Service;PST Service;c:\program files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe [2011-09-02 65657]

S2 ReflectService.exe;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [2012-08-21 301760]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

S2 SplashtopRemoteService;Splashtop® Remote Service;c:\program files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe [2012-11-28 548264]

S2 SSUService;Splashtop Software Updater Service;c:\program files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe [2012-10-17 386920]

S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2010-04-16 13832]

S2 TurboBoost;Intel® Turbo Boost Technology Monitor;c:\program files\Intel\TurboBoost\TurboBoost.exe [2010-04-16 134928]

S3 AMPPAL;Intel® Centrino® Bluetooth 3.0 + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [2011-03-22 261632]

S3 btmaux;Intel Bluetooth Auxiliary Service;c:\windows\system32\DRIVERS\btmaux.sys [2011-03-08 51712]

S3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys [2011-03-08 274944]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-08-16 138912]

S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2010-12-13 138024]

S3 FLxHCIc;Fresco Logic xHCI (USB3) Device Driver;c:\windows\system32\DRIVERS\FLxHCIc.sys [2011-04-08 177152]

S3 FLxHCIh;Fresco Logic xHCI (USB3) Hub Device Driver;c:\windows\system32\DRIVERS\FLxHCIh.sys [2011-04-08 56320]

S3 iBtFltCoex;iBtFltCoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys [2011-03-23 59904]

S3 InputFilter_Hid_FlexDef2b;Siliten HID Devices(FlexDef2b) Driver Service;c:\windows\system32\DRIVERS\InputFilter_FlexDef2b.sys [2010-06-19 17920]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-14 317440]

S3 iwdbus;IWD Bus Enumerator;c:\windows\system32\DRIVERS\iwdbus.sys [2011-03-24 25496]

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2010-08-24 76912]

S3 wdkmd;Intel WiDi KMD;c:\windows\system32\DRIVERS\WDKMD.sys [2011-03-24 42392]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2013-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-02 04:36]

.

2012-10-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-361652323-931365113-2029874430-1000Core.job

- c:\users\Greg\AppData\Local\Google\Update\GoogleUpdate.exe [2012-10-26 05:20]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]

@="{6D4133E5-0742-4ADC-8A8C-9303440F7190}"

[HKEY_CLASSES_ROOT\CLSID\{6D4133E5-0742-4ADC-8A8C-9303440F7190}]

2010-09-02 08:41 220160 ----a-w- c:\program files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSShellExt64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]

@="{64174815-8D98-4CE6-8646-4C039977D808}"

[HKEY_CLASSES_ROOT\CLSID\{64174815-8D98-4CE6-8646-4C039977D808}]

2010-09-02 08:41 220160 ----a-w- c:\program files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSShellExt64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 97792 ----a-w- c:\users\Greg\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 97792 ----a-w- c:\users\Greg\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 97792 ----a-w- c:\users\Greg\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 97792 ----a-w- c:\users\Greg\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]

2012-11-08 23:58 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]

2012-11-08 23:58 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]

2012-11-08 23:58 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]

2012-11-08 23:58 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ETDCtrl"="c:\program files (x86)\Elantech\ETDCtrl.exe" [bU]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 1271168]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.creighton.edu/students/

mStart Page = hxxp://asus.msn.com

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local;192.168.*.*

IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MIF5BA~1\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\users\Greg\AppData\Roaming\Mozilla\Firefox\Profiles\w8lfpb9n.default\

FF - prefs.js: browser.startup.homepage - www.dyingscene.com/

FF - prefs.js: network.proxy.type - 0

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]

@Denied: (2) (LocalSystem)

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,

27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b

"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,

1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7

"{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}"=hex:51,66,7a,6c,4c,1d,38,12,ce,98,c3,

35,c7,5c,a0,09,c1,9c,6a,63,e2,38,41,ce

"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,

76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a

"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,

72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57

"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,

94,30,02,d1,0f,f1,da,12,24,73,56,27,d2

"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,

ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3

"{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"=hex:51,66,7a,6c,4c,1d,38,12,2d,dd,7a,

ab,6a,33,56,03,c9,ec,8d,26,b0,f3,64,49

"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,

b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb

"{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}"=hex:51,66,7a,6c,4c,1d,38,12,90,71,5e,

cc,4f,af,fb,04,c4,32,35,80,2b,70,38,5a

"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,

df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd

"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,

2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (LocalSystem)

"Timestamp"=hex:66,fc,4a,ac,9e,7a,cd,01

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]

"v5Licence0"="15-V6EH-T255-DTEV-63BB-TK2M-NWAPJK5"

"Activated"="Y"

.

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-01-11 19:18:23

ComboFix-quarantined-files.txt 2013-01-12 02:18

ComboFix2.txt 2013-01-12 01:21

.

Pre-Run: 138,099,343,360 bytes free

Post-Run: 137,778,520,064 bytes free

.

- - End Of File - - 70FD0E7A814DEE56ECD37983B89A06E7

Next the ESET SCAN results:

C:\FRST\Quarantine\nzqwwnh_.exe a variant of Win32/Kryptik.ARFJ trojan

C:\TDSSKiller_Quarantine\20.08.2012_18.19.50\mbr0000\tdlfs0000\tsk0003.dta Win64/Olmarik.AL trojan

C:\TDSSKiller_Quarantine\20.08.2012_18.19.50\zasubsys0000\file0000\tsk0000.dta Win64/Patched.B.Gen trojan

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JH4HZQIY\favorites[1].htm HTML/ScrInject.B.Gen virus

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JH4HZQIY\favorites[1].htm HTML/ScrInject.B.Gen virus

Now the Security Check file:

Results of screen317's Security Check version 0.99.56

Windows 7 Service Pack 1 x64 (UAC is disabled!)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Microsoft Security Essentials

(On Access scanning disabled!)

Error obtaining update status for antivirus!

`````````Anti-malware/Other Utilities Check:`````````

SpywareBlaster 4.6

Spybot - Search & Destroy

Malwarebytes Anti-Malware version 1.65.1.1000

Java 6 Update 31

Java version out of Date!

Adobe Flash Player 11.5.502.146

Adobe Reader 10.1.5 Adobe Reader out of Date!

Mozilla Firefox 15.0.1 Firefox out of Date!

Google Chrome 21.0.1180.89

Google Chrome 22.0.1229.79

Google Chrome 22.0.1229.92

Google Chrome 22.0.1229.94

Google Chrome 22.0.1229.96

Google Chrome 23.0.1271.64

Google Chrome 23.0.1271.91

Google Chrome 23.0.1271.95

Google Chrome 23.0.1271.97

Google Chrome 3.0.195.27

````````Process Check: objlist.exe by Laurent````````

Norton ccSvcHst.exe

Microsoft Security Essentials MSMpEng.exe

Spybot Teatimer.exe is disabled!

Symantec AntiVirus DefWatch.exe

Symantec AntiVirus Rtvscan.exe

Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 2%

````````````````````End of Log``````````````````````

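The ComboFix log above records the policy values that Security Check summarises as "UAC is disabled!" (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop all 0) and a Security Center "DisableMonitoring" entry for Symantec AntiVirus. The script below is an added example, not part of this thread or of any of the tools it uses: it parses registry lines in the format ComboFix prints them and flags the settings that weaken UAC or silence Security Center monitoring, so the same triage can be applied to another log of this kind. The sample input is constructed from lines of the log above; the line format and the value spellings (`0 (0x0)`, `dword:00000001`) are assumed from what is visible there.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample input: sections copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sbitunesagent"="c:\program files (x86)\Songbird\songbirditunesagent.exe" [2012-09-18 266240]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                 # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+?)\s*$')  # "Name"= value
NUM_RE = re.compile(r'^(\d+)\s*\(0x[0-9a-fA-F]+\)$')  # 0 (0x0)

UAC_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
SC_MONITORING = r"hkey_local_machine\software\microsoft\security center\monitoring"

# (value name, predicate true when the observed value weakens security, what it should be)
UAC_CHECKS: List[Tuple[str, Callable[[int], bool], str]] = [
    ("EnableLUA", lambda v: v == 0, "1 (UAC enabled)"),
    ("ConsentPromptBehaviorAdmin", lambda v: v == 0, "non-zero (prompt before elevating)"),
    ("PromptOnSecureDesktop", lambda v: v == 0, "1 (prompt on the secure desktop)"),
]

Finding = Tuple[str, str, int, str]  # key, value name, observed, expected


def parse_value(raw: str) -> int:
    """Convert ComboFix's two numeric spellings to int; raise for string values."""
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = NUM_RE.match(raw)
    if m:
        return int(m.group(1))
    raise ValueError(f"not a numeric value: {raw!r}")


def parse_registry_dump(text: str) -> Dict[str, Dict[str, int]]:
    """Map each key (lower-cased) to its numeric values; non-numeric values are skipped."""
    hives: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1).lower()
            hives.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            try:
                hives[current][vm.group(1)] = parse_value(vm.group(2))
            except ValueError:
                pass  # paths and other strings are not needed for this check
    return hives


def audit(hives: Dict[str, Dict[str, int]]) -> List[Finding]:
    """Return one finding per setting that weakens UAC or disables Security Center monitoring."""
    findings: List[Finding] = []
    uac = hives.get(UAC_KEY, {})
    for name, is_weak, expected in UAC_CHECKS:
        if name in uac and is_weak(uac[name]):
            findings.append((UAC_KEY, name, uac[name], expected))
    for key, values in hives.items():
        if key.startswith(SC_MONITORING + "\\") and values.get("DisableMonitoring", 0) != 0:
            findings.append((key, "DisableMonitoring", values["DisableMonitoring"],
                             "0 or absent (Security Center status monitoring on)"))
    return findings


def report(text: str) -> List[str]:
    """Human-readable lines for each finding in a ComboFix-style dump."""
    return [f"[weak] {name} = {observed} under {key}; expected {expected}"
            for key, name, observed, expected in audit(parse_registry_dump(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG) or ["no weakened settings found"]:
        print(line)
```

Run against the sample it reports four weakened settings: the three UAC values and the Symantec monitoring entry. ConsentPromptBehaviorUser = 3 is left alone because only 0 (elevate without prompting) is flagged for the admin value, and a Run-key string value is skipped by the parser rather than treated as a number.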

Download OTM from either of the following links and save to your Desktop:

http://oldtimer.geekstogo.com/OTM.exe

http://www.itxassociates.com/OT-Tools/OTM.com

http://www.itxassociates.com/OT-Tools/OTM.exe

Double click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware all processes will be stopped during the run, also the Desktop will disappear; this will be put back on completion....

  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Files
    ipconfig /flushdns /c
    C:\FRST
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JH4HZQIY\favorites[1].htm
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JH4HZQIY\favorites[1].htm
    :Commands
    [EmptyTemp]


  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Next,

Your Java may be out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:

Go to http://java.com/en/ and click on "Do I have Java"

It will check your current version and then offer to update to the latest version

Watch for and make sure you untick the box next to whatever free program they prompt you to install during the installation, unless you want it.

***Note: Check in start > control panel > uninstall a program, make sure old versions of java are removed...

Next,

Adobe Reader is outdated...

Visit http://get.adobe.com/uk/reader/otherversions/ and download the latest version of Acrobat Reader

Step 1 - Select your Operating System.

Step 2 - Select your Language.

Step 3 - Select latest version.

Untick the option for McAfee security scanner if offered.

Download and install.

Having the latest updates ensures there are no security vulnerabilities in your system.

Post log from OTM, let me know if those steps complete OK. Give update on any remaining issues or concerns..

Kevin


Everything went fine. I'm concerned because my desktop still has not returned to normal. It still looks something like a safemode desktop. I can post a screenshot if you'd like. Here are the results of OTM. Please advise on further steps for me to take.

All processes killed

========== FILES ==========

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Users\Greg\Desktop\cmd.bat deleted successfully.

C:\Users\Greg\Desktop\cmd.txt deleted successfully.

Folder move failed. C:\FRST\Quarantine\{648c7366-661d-8c7c-a2b5-bfc01b210a94}\{648c7366-661d-8c7c-a2b5-bfc01b210a94} scheduled to be moved on reboot.

C:\FRST\Quarantine\{648c7366-661d-8c7c-a2b5-bfc01b210a94}\U folder moved successfully.

Folder move failed. C:\FRST\Quarantine\{648c7366-661d-8c7c-a2b5-bfc01b210a94} scheduled to be moved on reboot.

Folder move failed. C:\FRST\Quarantine scheduled to be moved on reboot.

C:\FRST\Logs folder moved successfully.

C:\FRST\Hives folder moved successfully.

C:\FRST folder moved successfully.

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JH4HZQIY\favorites[1].htm moved successfully.

File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JH4HZQIY\favorites[1].htm not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Flash cache emptied: 0 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Greg

->Temp folder emptied: 1122888 bytes


Sorry about that. Is this the completed log? I've attached the image of the desktop.

All processes killed

========== FILES ==========

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Users\Greg\Desktop\cmd.bat deleted successfully.

C:\Users\Greg\Desktop\cmd.txt deleted successfully.

Folder move failed. C:\FRST\Quarantine\{648c7366-661d-8c7c-a2b5-bfc01b210a94}\{648c7366-661d-8c7c-a2b5-bfc01b210a94} scheduled to be moved on reboot.

C:\FRST\Quarantine\{648c7366-661d-8c7c-a2b5-bfc01b210a94}\U folder moved successfully.

Folder move failed. C:\FRST\Quarantine\{648c7366-661d-8c7c-a2b5-bfc01b210a94} scheduled to be moved on reboot.

Folder move failed. C:\FRST\Quarantine scheduled to be moved on reboot.

C:\FRST\Logs folder moved successfully.

C:\FRST\Hives folder moved successfully.

C:\FRST folder moved successfully.

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JH4HZQIY\favorites[1].htm moved successfully.

File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JH4HZQIY\favorites[1].htm not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Flash cache emptied: 0 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Greg

->Temp folder emptied: 1122888 bytes

->Temporary Internet Files folder emptied: 10921715 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 89977457 bytes

->Google Chrome cache emptied: 8977481 bytes

->Flash cache emptied: 524 bytes

User: Public

->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 245 bytes

%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 136326796 bytes

%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 595 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 236.00 mb

OTM by OldTimer - Version 3.1.21.0 log created on 01122013_100415

Files moved on Reboot...

File C:\FRST\Quarantine\{648c7366-661d-8c7c-a2b5-bfc01b210a94}\{648c7366-661d-8c7c-a2b5-bfc01b210a94} not found!

File C:\FRST\Quarantine\{648c7366-661d-8c7c-a2b5-bfc01b210a94} not found!

File C:\FRST\Quarantine not found!

File move failed. C:\Users\Greg\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be moved on reboot.

C:\Users\Greg\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 moved successfully.

C:\Users\Greg\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 moved successfully.

C:\Users\Greg\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2 moved successfully.

C:\Users\Greg\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3 moved successfully.

C:\Users\Greg\AppData\Local\Google\Chrome\User Data\Default\Cache\index moved successfully.

Registry entries deleted on Reboot...

[attached image: screenshot of the desktop]


Just need to clean up:

Remove Combofix now that we're done with it

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

The above procedure will delete the following:

  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

It is very important that you get a successful uninstall because of the extra functions done at the same time, let me know if this does not happen.

Next,

Remove ESET online scanner (Only If installed):

  • Click Start, type Uninstall a Program into the Search programs and files box, and then press ENTER.
  • Click to select ESET Online Scanner from the listing of installed products, and then click Uninstall/Change from the bar that displays the available tasks. Uninstall ESETonline Scanner, only re-boot if prompted.

Next,

  • Download OTC by OldTimer from here http://oldtimer.geekstogo.com/OTC.exe or here http://www.itxassociates.com/OT-Tools/OTC.exe and save to your Desktop.
  • Double click the OTC icon to start the program.
    If you are using Vista or Windows 7 accept UAC
  • Then click the big CleanUp button.
  • You will get a prompt saying "Begining Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • This will remove tools we have used and itself.

Any tools/logs remaining on the Desktop can be deleted.

Next,

Download TFC to your desktop, from either of the following links

http://oldtimer.geekstogo.com/TFC.exe

http://itxassociates.com/OT-Tools/TFC.exe

  • Save any open work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program. Vista or Windows 7 users accept the UAC alert.
  • If prompted, click "Yes" to reboot.

TFC will automatically close any open programs, including your Desktop. Let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. TFC may re-boot your system; if not, re-boot it yourself to complete the cleaning process <---- Very Important

Keep TFC; it is an excellent utility to run weekly to keep your system optimized, it empties all user temp folders, Java cache etc etc. Always remember to re-boot after a run, even if not prompted.

Let me know if those steps complete OK, also if any remaining issues or concerns...

Kevin


Glad to have helped.... here are some tips to reduce the potential for malware infection in the future:

Make proper use of your antivirus and firewall

Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times, NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Install and use WinPatrol from here http://www.winpatrol.com/download.html This will inform you of any attempted unauthorized changes to your system.

WinPatrol features are explained here: http://www.winpatrol.com/features.html

Go here http://www.filehippo.com/updatechecker/ and run the FileHippo Update Checker, then update all applications as suggested by the Update Checker. Ignore any Beta updates. (Use the stand-alone version, not a full install.)

If Java or Adobe are updated, please check under Start > Control Panel > Add/Remove Programs and ensure any old versions are removed. <--- Very important

Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:

FireFox http://www.mozilla.com/en-US/,

Opera http://www.opera.com/, and

Chrome http://www.google.com/chrome.

All of these are excellent, faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here http://www.bleepingcomputer.com/tutorials/tutorial102.html which will help you to make IE MUCH safer.

These browser add-ons will help to make your browser safer:

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

  • Green to go,
  • Yellow for caution, and
  • Red to stop.

Available for Firefox and Internet Explorer.

NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing. Available for Firefox only.

These are just a couple of the most popular add-ons; if you're interested in more, take a look at this article:

http://browsers.about.com/od/addonsplugi2/tp/browser_security_privacy.htm

Here are a couple of links by two security experts that will give some excellent tips and advice.

"So how did I get infected in the first place?" by Tony Klein

"How to prevent Malware" by Miekiemoes

Finally, this link http://www.geekstogo.com/forum/topic/38-free-antivirus-and-antispyware-software will give a comprehensive, up-to-date list of free security programs, including Antivirus, Antispyware, Firewall, Antimalware, Online scanners and rescue CDs.

Don't forget, the best form of defense is common sense. If you don't recognize it, don't open it. If something looks too good to be true, then it ain't.

If there are no remaining issues, is it OK to close out your thread?

Take care,

Kevin


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
