Possible To Have A "Checkup"?

[tree_fu_go]

Okay I did the dequarantine thing, hope i did it right because I had a look through the log and I couldnt find that file in there:

ComboFix 13-02-23.01 - michelle 23/02/2013 23:44:12.5.8 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.6072.4215 [GMT 8:00]

Running from: c:\users\michelle\Desktop\ComboFix.exe

Command switches used :: c:\users\michelle\Desktop\CFScript.txt

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2013-01-23 to 2013-02-23 )))))))))))))))))))))))))))))))

.

.

2013-02-23 15:50 . 2013-02-23 15:50 -------- d-----w- c:\users\Public\AppData\Local\temp

2013-02-23 15:50 . 2013-02-23 15:50 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-02-22 15:42 . 2013-02-22 15:42 36680 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2013-02-21 18:45 . 2013-02-21 18:45 -------- d-----w- c:\program files (x86)\Common Files\Java

2013-02-21 18:44 . 2013-02-21 18:44 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2013-02-21 18:44 . 2013-02-21 18:44 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2013-02-21 15:49 . 2013-02-21 15:49 -------- d-----w- c:\program files (x86)\Common Files\Adobe

2013-02-15 22:04 . 2013-02-15 22:04 208448 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-02-21 18:44 . 2010-09-07 02:21 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll

2013-01-13 07:33 . 2011-03-27 07:14 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll

2013-01-13 07:33 . 2011-05-06 00:51 336208 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll

2013-01-11 06:19 . 2011-04-25 10:59 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll

2013-01-11 06:19 . 2011-03-27 07:13 336208 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

2012-12-16 17:11 . 2012-12-21 20:10 46080 ----a-w- c:\windows\system32\atmlib.dll

2012-12-16 14:45 . 2012-12-21 20:10 367616 ----a-w- c:\windows\system32\atmfd.dll

2012-12-16 14:13 . 2012-12-21 20:10 295424 ----a-w- c:\windows\SysWow64\atmfd.dll

2012-12-16 14:13 . 2012-12-21 20:10 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

2012-12-14 08:49 . 2013-01-09 14:23 24176 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-12-13 10:00 . 2011-11-29 03:06 67413224 ----a-w- c:\windows\system32\MRT.exe

2012-12-12 13:55 . 2012-04-01 06:48 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-12-12 13:55 . 2011-12-19 21:21 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-12-12 13:55 . 2012-12-12 13:55 16363960 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]

"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2009-10-02 284696]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"mixer3"=wdmaud.drv

.

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-02-18 51712]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-03-25 1255736]

R4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-09-14 353384]

R4 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2010-07-28 267192]

R4 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2010-07-22 822192]

S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [2009-06-29 34880]

S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2009-06-29 14784]

S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [2010-09-02 482384]

S1 aswKbd;aswKbd; [x]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-10-30 71600]

S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2010-01-28 249200]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

S2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-10-02 13336]

S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-17 14112]

S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys [2009-07-02 60416]

S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe64.sys [2010-05-08 80384]

S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe64.sys [2011-04-25 53760]

S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-20 14472]

S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-03-03 2320920]

S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]

S3 hidshim;Service for HID-KMDF Shim layer;c:\windows\system32\DRIVERS\hidshim.sys [2009-08-31 6656]

S3 nuvotonhidcir;Nuvoton HID CIR Receiver;c:\windows\system32\DRIVERS\nuvotonhidcir.sys [2009-08-31 26624]

S3 nuvotonir;Nuvoton CIR Transceiver;c:\windows\system32\DRIVERS\nuvotonir.sys [2009-08-31 68096]

S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 35008]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-11-06 291328]

S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2010-06-11 1110560]

S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - 02750089

*NewlyCreated* - 13685351

*Deregistered* - 02750089

*Deregistered* - 13685351

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-02-01 18:46 1607120 ----a-w- c:\program files (x86)\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-02-23 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 13:55]

.

2013-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-19 21:21]

.

2013-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-19 21:21]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2012-10-30 22:50 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ThpSrv"="c:\windows\system32\thpsrv" [X]

"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]

"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]

"TosReelTimeMonitor"="c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [bU]

"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [bU]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-03-10 10103840]

"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-03-10 896032]

"HSON"="c:\program files (x86)\TOSHIBA\TBS\HSON.exe" [bU]

"HDMICtrlMan"="c:\program files (x86)\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe" [bU]

"00TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [bU]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com.au/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~2\MICROS~4\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 10.0.0.138

FF - ProfilePath - c:\users\michelle\AppData\Roaming\Mozilla\Firefox\Profiles\pb73dy6u.default\

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1973585710-1515046713-2421341157-1001\Software\SecuROM\License information*]

"datasecu"=hex:25,15,87,64,f1,b8,dd,5e,91,be,63,db,b0,bb,53,e4,46,c4,74,6e,5e,

2a,37,dc,1c,a2,5d,47,5e,30,73,42,0e,3e,71,8d,cb,8c,a9,79,1e,4d,1c,d2,b0,56,\

"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-02-23 23:52:25

ComboFix-quarantined-files.txt 2013-02-23 15:52

ComboFix2.txt 2013-02-22 17:21

.

Pre-Run: 639,215,890,432 bytes free

Post-Run: 639,223,734,272 bytes free

.

- - End Of File - - 15EFC89530FCDAEC9A5EDD1EA632BA86

[MrCharlie]

Was this log produced:

DeQuarantine_log.txt

MrC

[tree_fu_go]

Um not sure, Only the one I posted popped up, I had a look and couldn't find dequarantine_log.txt... Did I do something wrong??

[MrCharlie]

This is the one you said you wanted restored: (you modified it with the xxxxx)

(c:\users\michelle\AppData\Roaming\Microsoft\Windows\Recent\Xxxxxxxxxxxxxxxxxxxxxxxxxxx.doc.url)

C:\Qoobox\Quarantine\C\Users\michelle\AppData\Roaming\Microsoft\Windows\Recent\xxxxxxxxxxxxx.doc.url.vir

Here was my instructions:

http://forums.malwar...ndpost&p=649985

You have to replace all the xxxx in the script with what ever is supposed to be there in order for it to work.

MrC

[tree_fu_go]

I did, i double checked!! I still have it saved, I opened it and it has the right name in it!! There is a log in C:\Qoobox called:  CFScript_used_2013-02-23_23.43.48 But all it is is that script you got me to save. It has the right name so I'm not sure what i did wrong:

I opened notepad, copied and pasted that script, I made sure to change the xxx's. I saved it to dekstop, then I disabled avast and dragged the cfscript.txt onto combofix from the dekstop.

but I dont think its that important now.EDIT: I only changed the xxxx's, was I suppose to change the whole file?

[MrCharlie]

I only changed the xxxx's, was I suppose to change the whole file?

No just the xxxxxx

Is that file in the C:\Qoobox\Quarantine folder??

It just appears to be an url

MrC

[tree_fu_go]

No all I see in C:\Quoobox\Quarantine is a folder called: C

A folder called: Registry_Backups

And 2 text documents called: catch_me

I even searched DeQuarantine_log.txt in windows explorer and it didn't find anything.

Well, as longs as that last combofix fun didn't wreck the computer I guess its ok.

[MrCharlie]

Well that's the procedure to restore that file.

Please download AdwCleaner from here and save it on your Desktop.

AdwCleaner is a reliable removal tool for Adware, Foistware, toolbars and potentially unwanted programs.

AdwCleaner is a tool that deletes :

· Adwares (software ads)

· PUP/LPI (Potentially Undesirable Program)

· Toolbars

· Hijacker (Hijack of the browser's homepage)

It works with a Search and Deletion methode. It can be easily uninstalled using the "Uninstall" mode.

1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
   
2. Now click on the Search tab.
   
3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been ran, so in this should be something like R1.

Please look over what was found, we're going to delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain to why it shouldn't be on your system.

MrC

[tree_fu_go]

# AdwCleaner v2.112 - Logfile created 02/24/2013 at 01:07:39

# Updated 10/02/2013 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : michelle - MICHELLE-PC

# Boot Mode : Normal

# Running from : C:\Users\michelle\Desktop\adwcleaner0.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Found : HKLM\SOFTWARE\Software

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v19.0 (en-US)

File : C:\Users\michelle\AppData\Roaming\Mozilla\Firefox\Profiles\pb73dy6u.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v24.0.1312.57

File : C:\Users\michelle\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [862 octets] - [24/02/2013 01:07:39]

########## EOF - C:\AdwCleaner[R1].txt - [921 octets] ##########

[MrCharlie]

OK...That's clean.

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt.
  
• Please Post the contents of that document.
  
• Do Not Attach It!!!
  

MrC

[tree_fu_go]

Results of screen317's Security Check version 0.99.59

Windows 7 Service Pack 1 x64 (UAC is disabled!)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

avast! Antivirus

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.70.0.1100

Java 7 Update 15

Java version out of Date!

Adobe Flash Player 11.5.502.135 Flash Player out of Date!

Adobe Reader XI

Mozilla Firefox (19.0)

Google Chrome 24.0.1312.56

Google Chrome 24.0.1312.57

````````Process Check: objlist.exe by Laurent````````

AVAST Software Avast AvastSvc.exe

AVAST Software Avast AvastUI.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 1%

````````````````````End of Log``````````````````````

Weird how the java's out of date since i uninstalled the old one and reinstalled the new one, unless theres a new update available or something..

Also, whats UAC? (Im guessing User Account Control).. What is ti and do I need to enable it> if so how?

[MrCharlie]

Java 7 Update 15 <--this the correct version > no action required!!

Java version out of Date! <---ignore!

Check for an update on this if available (this is very important)

Adobe Flash Player 11.5.502.135 Flash Player out of Date!

UAC: (turn on or off > turn it on)

http://www.howtogeek...-windows-vista/

-----------------------------------------------

You have out dated programs on the system which are vulnerable to malware.

Please update or uninstall them

Info on doing that can be found in my Preventive Maintenance

~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[tree_fu_go]

Sorry, Do I need to uninstall my flash player and re install a new one or just open the program and check for updates?

[MrCharlie]

Open up the program (should be in your control panel) and check for updates.

After you update it..... make sure it's set to automatically check for updates.

MrC

[tree_fu_go]

Its weird, it IS set to auto install and auto update.

Okay I think I updated it right, can i run security check again to make sure I did it right or...?

[MrCharlie]

Sure go ahead....MrC

[tree_fu_go]

Okay, looks like I did it right.

I posted it just in case:

Results of screen317's Security Check version 0.99.59

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

avast! Antivirus

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.70.0.1100

Java 7 Update 15

Java version out of Date!

Adobe Flash Player 11.6.602.168

Adobe Reader XI

Mozilla Firefox (19.0)

Google Chrome 24.0.1312.56

Google Chrome 24.0.1312.57

````````Process Check: objlist.exe by Laurent````````

AVAST Software Avast AvastSvc.exe

AVAST Software Avast AvastUI.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 1%

````````````````````End of Log``````````````````````

So now I got to delete all the other stuff.

btw thanks for helping me check the computer!!

EDIT: Okay thats weird now its like really slow using firefox, maybe its just malwarebytes forum. Is it slow for you? It keeps loading and loading butt never stops when I click to load a page sometimes!

EDIT2: Yeah its really slow, I checked task manager and for a second avast was using 16 CPU, so I checked the shields and it the files system shield kept scanning stuff. It was scanning stuff in the c:\Windows\Installer folder, they were around 5 characters long with random numbers and letters..I don't know if thats normal or not but I tried using malwarebytes forum on my other computer ands it slow on the forum aswell. It took awhile to get to edit this post!Im going to do a quick scan with malwarebytes and avast then ill do the cleanup.

EDIT3: It could be my internet because I was on a different site with a differant computer and it was loading loading loading... btw avast scan is not done yet.. also sorry I keep re-editing the post over and over, I hope it doesn't keep sending you annoying email notifications...

[MrCharlie]

I've noticed that the web has been very slow the last couple of days myself.

MrC

[tree_fu_go]

Crap! I don't know if I was supposed to disable avast while uninstalling combofix but it blocked 2 actions while uninstalling!!! After i saw, while combofix was still uninstalling, i tried to quickly disable the shields.

I'll type what they but I cant guarantee they'll be 100% the same because I hate writing registry! But I also attached pictures of them.

Action blocked

avast! Behavior Shield has blocked an action.

No further action is required.

Program: C:\Users\michelle\Desktop\Combofix.exe

Action: Deny

Target: \REGISTRY\USER\S-1-5-21-1973585710-1515046713-2421341157-1001\Software\Microsoft\Command Processor

And

Action blocked

avast! Behavior Shield has blocked an action.

No further action is required.

Program: C:\32788R22FWJFW\pev.3XE

Action: Deny

Target: \REGISTRY\MACHINE\SOFTWARE\Classes|exefile\shell\open\command

It still said Combofix was uninstalled but...

Please tell me I haven't wrecked anything!!

[MrCharlie]

Disable it or download and run the uninstaller:

http://download.bleepingcomputer.com/sUBs/CF_UNINST.EXE

MrC

[tree_fu_go]

Sorry, I want to make sure and not do another mistake again. Firefox asks me to save the file, not run it, so do I just save the file then click on it to run it? If so do I Run as administrator?

Sorry and thanks!

[MrCharlie]

Save it and then run it.....MrC

[tree_fu_go]

When I tried to run it it popped up immediately:

Done!

But after I clicked OK it came up with this:

Program compatibility Assistant

This program might not have installed correctly

If this program didn't install correctly, try reinstalling using settings that are compatible with this version of Windows.

Program: Unknown Program

Publisher: Unknown Publisher

Location: C:\Users\michelle\Desktop\CF_UNINST.exe

My options are:

Reinstall using recommended settings

This Program installed correctly

Cancel

What settings are applied?

What do I do???

Edit: I didn't feel comfortable with leaving it like that with avast turned off so I clicked cancel. I hope that didn't wreck anything... Now that I think about it maybe I should've left it...

Now Im thinking about it all... Why didn't I think to disable avast while uninstalling combofix originally!! .....I've probably created a bigger problem now... Why didn't I think!!!!! Im so sorry!!!

[MrCharlie]

If you download and run OTL as outlined before > click on Clean-up

That will uninstall ComboFix also.

MrC

[tree_fu_go]

Okay I ran OTL, uninstalled adwcleaner and deleted MBAR, roguekiller and security check. Can I delete CF_UNINSTL.exe?

Thank you so much for helping!! I really appreciate it!!

So was there actually anything on the computer or......... did.... I just.... waste your time.........?