Must press F8 and select "Disable Driver Signature Enforcement" to start system

barrejf (Active member; joined Mar 15, 2014; 28 posts; USA)

I'd been working with Richard in the "Windows Update" forum because SFC /SCANNOW would stop at 64% and report "Windows Resource Protection found corrupt files". While working with Richard, I ran several virus scans using Avast, Kaspersky Rescue Disk 10, and Microsoft Security Essentials. Avast had detected a rootkit and 230 infected files. A subsequent scan with Kaspersky did not reveal any other infected files. Microsoft Security Essentials found one more infected file. SFC /SCANNOW now completes 100%. Richard suggested I review Malware Removal Posting Instructions and post a new topic here.

I downloaded and ran DDS.com as instructed in Malware Removal Posting Instructions. Listed below you will find the contents of DDS.txt and Attach.txt.

DDS.txt
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16540 BrowserJavaVersion: 10.51.2
Run by JFBAdmin at 17:11:49 on 2014-03-29
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.826 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: COMODO Antivirus *Disabled/Outdated* {0C2D2636-923D-EE52-2A83-E643204A8275}
FW: COMODO Firewall *Enabled* {8F7746F7-FE68-E084-3B6C-7404A51E8FB3}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\SLsvc.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\brsvc01a.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Windows\system32\brss01a.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Dragon\dragon_updater.exe
C:\Program Files\Toshiba\TOSHIBA HD DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\iolo\System Mechanic\iologovernor.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Copernic\DesktopSearch4\Copernic.DesktopSearch.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\WmiPrvSE.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\WmiPrvSE.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com/
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - c:\program files\mcafee security scan\3.8.141\McAfeeMSS_IE.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: avast! Online Security: {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [Copernic Desktop Search 4] "c:\program files\copernic\desktopsearch4\Copernic.DesktopSearch.exe" /tray
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [COMODO Internet Security] c:\program files\comodo\comodo internet security\cistray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
uPolicies-Explorer: NoDriveTypeAutoRun = dword:255
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1394642965956
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0017-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{5CF63800-A8B9-4061-BFD6-E01C4FF176F2} : NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{ECDACC13-76E1-49B9-BE97-F271E8F907BA} : NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{ECDACC13-76E1-49B9-BE97-F271E8F907BA} : DHCPNameServer = 192.168.1.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\belarcadvisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - c:\windows\system32\CbFsMntNtf3.dll
STS: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - c:\windows\system32\CbFsMntNtf3.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\33.0.1750.154\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jfbadmin\appdata\roaming\mozilla\firefox\profiles\s69ptccq.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.linkedin.com/|https://mail.google.com/intl/en/mai...signin/MyVzAuthorize?source=myvz&action=email
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.22.5\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mcafee security scan\3.8.141\npMcAfeeMSS.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1210150.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_77.dll
.
============= SERVICES / DRIVERS ===============
.
R0 amdkmafd;AMD Audio Bus Lower Filter;c:\windows\system32\drivers\amdkmafd.sys [2013-6-17 15968]
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2013-4-27 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2013-4-27 180248]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2012-1-8 40560]
R0 MxEFUF;Matrox Extio Upper Function Filter;c:\windows\system32\drivers\MxEFUF32.sys [2013-6-17 102728]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-4-27 775952]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [2013-4-27 410784]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2013-6-18 20072]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2013-6-18 584496]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2013-6-18 43728]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2013-10-10 120088]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-4-27 67824]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-4-27 50344]
R2 DragonUpdater;COMODO Dragon Update Service;c:\program files\comodo\dragon\dragon_updater.exe [2014-1-28 2135232]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-1 21504]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2012-11-29 35088]
R2 PDFsFilter;PDFsFilter;c:\windows\system32\drivers\PDFsFilter.sys [2013-4-27 68464]
R3 cbfs3;EldoS Callback File System driver v3;c:\windows\system32\drivers\cbfs3.sys [2013-11-5 299024]
R3 DPPCMFilter;DPPCMFilter Driver;c:\windows\system32\drivers\DPPCMFilter.sys [2013-6-20 456960]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-2-28 7168]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2008-8-26 57344]
R3 NETwLv32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETwLv32.sys [2011-11-17 6639616]
R3 PGR1394b;PGR Bus host controllers;c:\windows\system32\drivers\PGR1394.sys [2013-6-19 92672]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-9-11 770168]
S2 BRA_Scheduler;Brother BRAdminPro Scheduler;c:\program files\brother\bradmin professional 3\bratimer.exe [2009-7-26 65536]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 cleanhlp;cleanhlp;c:\eek\run\cleanhlp32.sys [2013-11-16 50200]
S3 cmdvirth;COMODO Virtual Service Manager;c:\program files\comodo\comodo internet security\cmdvirth.exe [2013-6-18 131288]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2013-6-18 23456]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\belkin\f5d7010v8\jswpsapi.exe [2007-10-29 352338]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.8.141\McCHSvc.exe [2014-1-15 235696]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2014-2-20 3921880]
S3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2014-2-20 1042272]
S3 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2014-2-20 171416]
S3 WIMMount;WIMMount;c:\program files\windows kits\8.0\assessment and deployment kit\deployment tools\x86\dism\wimmount.sys [2012-7-25 34248]
S4 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2012-1-9 1168960]
S4 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2013-12-22 15688]
S4 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2013-12-22 10320]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile=c:\windows\system32\NOTEPAD.EXE %1 [UserChoice]
FileExt: .vbe: VBEFile="c:\windows\system32\CScript.exe" "%1" %* [default=Open2]
FileExt: .vbs: VBSFile="c:\windows\system32\CScript.exe" "%1" %* [default=Open2]
FileExt: .js: JSFile=c:\windows\system32\CScript.exe "%1" %* [default=Open2]
FileExt: .jse: JSEFile=c:\windows\system32\CScript.exe "%1" %* [default=Open2]
FileExt: .wsf: WSFFile="c:\windows\system32\CScript.exe" "%1" %* [default=Open2]
.
=============== Created Last 30 ================
.
2014-03-29 12:21:19 1190 ----a-w- C:\temp237.bat
2014-03-28 12:46:10 7969936 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{709f98e4-12cf-4c48-8c3b-ed05ee3aca67}\mpengine.dll
2014-03-28 01:58:36 264556 ----a-w- c:\users\jfbadmin\hklmswmswinntcvschedtaskcache.reg
2014-03-27 01:44:20 1190 ----a-w- C:\temp585.bat
2014-03-26 19:09:15 1190 ----a-w- C:\temp420.bat
2014-03-26 18:11:31 -------- d-----w- C:\Quarantine
2014-03-26 18:05:53 -------- d-----w- c:\program files\stinger
2014-03-26 16:44:21 -------- d-----w- c:\program files\Microsoft ATS
2014-03-19 16:56:39 1208 ----a-w- C:\temp488.bat
2014-03-19 01:59:55 33280 ----a-w- c:\windows\system32\appinfo.dll
2014-03-19 01:46:54 -------- d-----w- c:\users\jfbadmin\appdata\local\niemiro
2014-03-18 14:03:09 81920 ----a-w- c:\windows\system32\consent.exe
2014-03-17 03:22:19 -------- d-----w- c:\program files\Copernic
2014-03-17 03:21:14 -------- d-----w- c:\users\jfbadmin\appdata\local\Copernic
2014-03-16 01:56:01 -------- d-----w- c:\program files\Microsoft OneDrive
2014-03-16 01:55:58 -------- d-----r- c:\users\jfbadmin\OneDrive
2014-03-16 01:55:15 -------- d-----w- c:\programdata\Microsoft OneDrive
2014-03-15 19:00:09 -------- d-----w- C:\SFCFix
2014-03-15 02:51:22 -------- d-----w- c:\windows\winsxs.sav
2014-03-15 00:17:40 -------- d-----w- c:\program files\Universal Extractor
2014-03-14 15:56:10 -------- d-----w- c:\users\jfbadmin\appdata\roaming\DriverCure
2014-03-14 15:56:09 -------- d-----w- c:\users\jfbadmin\appdata\roaming\MyTurboPC.com
2014-03-14 15:54:04 -------- d-----w- c:\programdata\MyTurboPC.com
2014-03-14 15:54:04 -------- d-----w- c:\program files\MyTurboPC.com
2014-03-14 03:14:33 -------- d-----w- c:\programdata\ioloGovernor
2014-03-14 03:14:30 56200 ----a-w- c:\windows\system32\offreg.dll
2014-03-14 03:14:30 -------- d-----w- c:\users\jfbadmin\appdata\roaming\ioloGovernor
2014-03-14 03:13:16 -------- d-----w- C:\iolo
2014-03-14 02:49:57 -------- d-----w- c:\program files\Windows Portable Devices
2014-03-14 02:44:48 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2014-03-14 02:44:47 252928 ----a-w- c:\windows\system32\dxdiag.exe
2014-03-14 02:44:46 847360 ----a-w- c:\windows\system32\OpcServices.dll
2014-03-14 02:44:46 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2014-03-14 02:44:43 519680 ----a-w- c:\windows\system32\d3d11.dll
2014-03-14 02:43:35 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2014-03-14 01:52:04 -------- d-----w- c:\windows\system32\eu-ES
2014-03-14 01:52:04 -------- d-----w- c:\windows\system32\ca-ES
2014-03-14 01:52:03 -------- d-----w- c:\windows\system32\vi-VN
2014-03-14 01:24:04 -------- d-----w- c:\windows\system32\SPReview
2014-03-14 00:56:15 467456 ----a-w- c:\windows\system32\pkiview.dll
2014-03-14 00:56:15 464384 ----a-w- c:\windows\system32\pcaui.dll
2014-03-14 00:56:15 149480 ----a-w- c:\windows\system32\drivers\pci.sys
2014-03-14 00:56:14 53760 ----a-w- c:\windows\system32\nlb.exe
2014-03-14 00:56:14 366080 ----a-w- c:\windows\system32\ntdsutil.exe
2014-03-14 00:56:14 361984 ----a-w- c:\windows\system32\nlbmgr.exe
2014-03-14 00:56:14 321536 ----a-w- c:\windows\system32\nltest.exe
2014-03-14 00:56:13 253952 ----a-w- c:\windows\system32\OCSPAdminNative.dll
2014-03-14 00:56:13 2153472 ----a-w- c:\windows\system32\oobefldr.dll
2014-03-14 00:56:13 146944 ----a-w- c:\windows\system32\ocsprevp.dll
2014-03-14 00:56:12 1381376 ----a-w- c:\windows\system32\Query.dll
2014-03-14 00:56:11 253952 ----a-w- c:\windows\system32\repadmin.exe
2014-03-14 00:54:52 16384 ----a-w- c:\windows\system32\iscsilog.dll
2014-03-14 00:54:31 17408 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2014-03-14 00:54:25 167424 ----a-w- c:\windows\system32\wdmaud.drv
2014-03-14 00:54:20 58880 ----a-w- c:\windows\system32\Volshext.dll
2014-03-14 00:54:14 34304 ----a-w- c:\windows\system32\wshbth.dll
2014-03-14 00:54:10 53760 ----a-w- c:\windows\system32\wlbs.exe
2014-03-14 00:54:02 66048 ----a-w- c:\windows\system32\srmtrace.dll
2014-03-14 00:54:01 58880 ----a-w- c:\windows\system32\srmclient.dll
2014-03-14 00:54:01 301568 ----a-w- c:\windows\system32\srchadmin.dll
2014-03-14 00:54:01 180736 ----a-w- c:\windows\system32\srm.dll
2014-03-14 00:53:49 551424 ----a-w- c:\windows\system32\uddi.mmc.dll
2014-03-14 00:52:28 53224 ----a-w- c:\windows\system32\drivers\termdd.sys
2014-03-13 23:23:05 -------- d-----w- c:\windows\system32\sandbox
2014-03-13 19:21:13 -------- d-----w- c:\program files\HD Tune
2014-03-13 19:16:00 26624 ----a-w- c:\windows\system32\TrueSight.sys
2014-03-13 01:19:20 -------- d-----w- c:\windows\system32\catroot2
2014-03-12 23:57:26 -------- d-sh--w- C:\$RECYCLE.BIN
2014-03-12 23:57:16 -------- d-----w- c:\users\jfbadmin\appdata\local\temp
2014-03-12 21:26:29 -------- d-----w- c:\windows\SoftwareDistribution.old
2014-03-12 19:37:10 -------- d-----w- c:\windows\system32\Catroot2.old
2014-03-12 16:55:14 -------- d-----w- c:\users\jfbadmin\New Folder (1)
2014-03-12 11:57:14 2050560 ----a-w- c:\windows\system32\win32k.sys
2014-03-12 11:57:12 505344 ----a-w- c:\windows\system32\qedit.dll
2014-03-12 11:57:10 876032 ----a-w- c:\windows\system32\wer.dll
2014-03-12 11:57:02 2048 ----a-w- c:\windows\system32\tzres.dll
2014-03-11 19:01:17 -------- d-----w- c:\program files\DLLSuite
2014-03-11 17:04:07 -------- d-----w- c:\windows\system32\TasksBkp
2014-03-11 16:36:50 -------- d-----w- c:\windows\pss
2014-03-11 12:46:36 -------- d-sh--we c:\users\jfbadmin\appdata\local\Temporary Internet Files
2014-03-11 01:44:18 -------- d-----w- c:\users\jfbadmin\appdata\local\Apps
2014-03-11 00:29:48 -------- d-----w- c:\program files\Bonjour
2014-03-10 22:14:00 388096 ----a-r- c:\users\jfbadmin\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2014-03-10 22:13:57 -------- d-----w- c:\program files\HJT
2014-03-05 04:24:51 98816 ----a-w- c:\windows\sed.exe
2014-03-05 04:24:51 256000 ----a-w- c:\windows\PEV.exe
2014-03-05 04:24:51 208896 ----a-w- c:\windows\MBR.exe
2014-03-05 03:20:25 24832 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys
2014-03-05 03:20:25 19968 ----a-w- c:\windows\system32\drivers\lgusbdiag.sys
2014-03-05 03:20:25 13056 ----a-w- c:\windows\system32\drivers\lgusbbus.sys
2014-03-05 03:20:24 -------- d-----w- c:\program files\LG Electronics
2014-03-05 02:57:42 -------- d-----w- c:\program files\common files\InterVideo
2014-03-04 23:56:52 251672 ----a-w- c:\windows\system32\xactengine2_5.dll
2014-03-04 23:56:50 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2014-03-04 23:56:47 237848 ----a-w- c:\windows\system32\xactengine2_4.dll
2014-03-04 23:56:46 68888 ----a-w- c:\windows\system32\xinput1_3.dll
2014-03-04 23:56:46 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2014-03-04 23:56:46 236824 ----a-w- c:\windows\system32\xactengine2_3.dll
2014-03-04 23:56:46 15128 ----a-w- c:\windows\system32\x3daudio1_1.dll
2014-03-04 23:56:45 62744 ----a-w- c:\windows\system32\xinput1_2.dll
2014-03-04 23:53:53 -------- d-----w- C:\temp.hddvdplayer
2014-03-04 17:26:01 1414440 ----a-w- c:\windows\system32\ShellManager310E2D762.dll
2014-03-04 16:48:12 -------- d-----w- c:\users\jfbadmin\appdata\local\Innovative Solutions
2014-03-04 15:57:26 -------- d-----w- C:\FRST
2014-03-04 12:42:50 -------- d-----w- c:\program files\WinDFT
2014-03-03 19:57:08 -------- d-----w- c:\users\jfbadmin\appdata\local\CrashDumps
2014-03-02 07:31:33 -------- d-----w- c:\windows\system32\%LOCALAPPDATA%
2014-03-01 16:53:31 -------- d-----w- C:\_OTL
.
==================== Find3M ====================
.
2014-03-15 22:21:53 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-15 22:21:53 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-03-14 01:19:04 3766272 ----a-w- c:\windows\system32\gppref.dll
2014-03-14 01:19:04 222720 ----a-w- c:\windows\system32\gpregistrybrowser.dll
2014-03-14 01:19:00 691200 ----a-w- c:\windows\system32\gpprefbr.dll
2014-03-14 01:18:57 2139136 ----a-w- c:\windows\system32\propshts.dll
2014-03-14 01:18:54 202240 ----a-w- c:\windows\system32\gpprefcn.dll
2014-02-23 05:47:19 1806848 ----a-w- c:\windows\system32\jscript9.dll
2014-02-23 05:40:18 1129472 ----a-w- c:\windows\system32\wininet.dll
2014-02-23 05:39:28 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2014-02-23 05:38:08 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2014-02-23 05:37:49 421376 ----a-w- c:\windows\system32\vbscript.dll
2014-02-23 05:36:22 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2014-01-31 00:48:10 775952 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2014-01-31 00:48:10 67824 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-01-31 00:48:09 43152 ----a-w- c:\windows\avastSS.scr
2014-01-31 00:30:40 48392 ----a-w- c:\windows\system32\certsentry.dll
2014-01-21 21:22:18 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-01-19 07:32:23 231584 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 17:15:12.86 ===============

Attach.txt
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 3/20/2007 11:28:12 AM
System Uptime: 3/29/2014 4:12:37 PM (1 hours ago)
.
Motherboard: Intel Corporation | | CAPELL VALLEY(NAPA) CRB
Processor: Intel(R) Core(TM)2 CPU T5300 @ 1.73GHz | U2E1 | 1733/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 139 GiB total, 44.335 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Marvell Yukon 88E8039 PCI-E Fast Ethernet Controller
Device ID: PCI\VEN_11AB&DEV_4353&SUBSYS_FF101179&REV_14\4&367B9776&0&00E0
Manufacturer: Marvell
Name: Marvell Yukon 88E8039 PCI-E Fast Ethernet Controller
PNP Device ID: PCI\VEN_11AB&DEV_4353&SUBSYS_FF101179&REV_14\4&367B9776&0&00E0
Service: yukonwlh
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Activation Assistant for the 2007 Microsoft Office suites
Administative Templates for Windows Vista (.admx)
Adobe AIR
Adobe Flash Player 12 ActiveX
Adobe Flash Player 12 Plugin
Adobe Reader X (10.1.9)
Adobe Shockwave Player 12.1
Adobe® Photoshop® Album Starter Edition 3.2
Advanced File Optimizer
Apple Software Update
avast! Free Antivirus
Belarc Advisor 8.4
Belkin Wireless G Cardbus Adapter
Bluetooth Stack for Windows by Toshiba
Bonjour
BRAdmin Professional 3
Brother Driver Deployment Wizard
Brother MFL-Pro Suite
CCleaner
CD/DVD Drive Acoustic Silencer
Comodo Dragon
COMODO Firewall
Copernic Desktop Search 4
Crystal XI
CutePDF Writer 3.0
CVE-2014-0322
Data Lifeguard Diagnostic for Windows 1.24
Defraggler
Desktop Dialer
DivX Setup
DVD MovieFactory for TOSHIBA
East-Tec Eraser 2012 Version 10.0
ESET Online Scanner v3
Google Chrome
Google Drive
Google Update Helper
HD Tune 2.55
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
iCare Data Recovery Free 5.2.1
iCloud
iExplorer 3.2.5.0
ImgBurn
Intel(R) Graphics Media Accelerator Driver
iolo technologies' System Mechanic
Java 7 Update 51
Java Auto Updater
LG USB Modem driver
LocalGPO
Logger Pro 3.4.6
Malwarebytes Anti-Malware version 1.75.0.1300
Marvell Miniport Driver
McAfee Security Scan Plus
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4.5.1
Microsoft Application Error Reporting
Microsoft Automated Troubleshooting Services Shim
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft OneDrive
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft XML Parser
MiniTool Partition Wizard Home Edition 8.1.1
Mozilla Firefox 27.0.1 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
neroxml
Nmap 6.25
OGA Notifier 2.0.0048.0
Paragon Partition Manager™ 11 Free Edition
PhoneBrowse 2.0.4
Realtek High Definition Audio Driver
Ruby 1.8.7-p357
Ruckus Player
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2861697)
Security Update for Microsoft .NET Framework 4.5.1 (KB2898869)
Security Update for Microsoft .NET Framework 4.5.1 (KB2901126)
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596825) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597973) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760411) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760415) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760585) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760591) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2817641) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2827326) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2837615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2850022) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2827324) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2837617) 32-Bit Edition
Security Update for Windows Media Encoder (KB954156)
Sentinel System Driver Installer 7.5.7
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
SUPERAntiSpyware
swMSM
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Hardware Setup
Toshiba Registration
TOSHIBA SD Memory Utilities
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
Tweaking.com - Advanced System Tweaker
Tweaking.com - Windows Repair (All in One)
Ultra Defragmenter
Universal Extractor 1.6.1
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VC80CRTRedist - 8.0.50727.6195
Verizon Cloud
Vista Services Optimizer
WebEx Recorder and Player
WinDFT
Windows Deployment Tools
Windows PE x86 x64
Windows PE x86 x64 wims
Windows Resource Kit Tools - SubInAcl.exe
WinDriversBackup
WinDVD for TOSHIBA
WinPcap 4.1.2
WinSCP 4.2.3 beta
Wise Disk Cleaner 8.04
Wise Registry Cleaner 8.03
.
==== End Of File ===========================


Here's checkup.txt from SecurityCheck.exe.

checkup.txt
Results of screen317's Security Check version 0.99.81
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
SUPERAntiSpyware
Malwarebytes Anti-Malware version 1.75.0.1300
CCleaner
Wise Disk Cleaner 8.04
Wise Registry Cleaner 8.03
Java 7 Update 51
Adobe Flash Player 12.0.0.77
Adobe Reader 9 Adobe Reader out of Date!
Adobe Reader 10.1.9 Adobe Reader out of Date!
Mozilla Firefox 27.0.1 Firefox out of Date!
Google Chrome 33.0.1750.146
Google Chrome 33.0.1750.154
````````Process Check: objlist.exe by Laurent````````
Comodo Firewall cmdagent.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
iolo System Mechanic iologovernor.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 3 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````


Any assistance you can provide will be most appreciated!

Regards,

Jim
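The thread title describes a system that only boots when the F8 option "Disable Driver Signature Enforcement" bypasses the boot-time driver signature check, so the boot-start and system-start drivers (the R0/R1 lines in the SERVICES / DRIVERS section of the DDS.txt above) are the first place to look for a file whose signature no longer verifies. The following PowerShell is an added example written for this page; it is not part of the thread, DDS, or any tool the helper recommends. It assumes the DDS output was saved as DDS.txt in the current directory (the path is a parameter), parses the R0/R1 driver lines in DDS's "start type;service;display name;path [date size]" layout, and checks each driver file's Authenticode signature with Get-AuthenticodeSignature.

```powershell
# Added example (not from the thread): parse the SERVICES / DRIVERS section of a
# saved DDS.txt and verify the Authenticode signature of every boot/system-start
# (R0/R1) driver it lists. Assumes the log is .\DDS.txt unless -LogPath is given.
# Written for PowerShell 2.0 (the newest version available on Vista).

function Get-DdsStartDrivers {
    param([string]$LogPath = '.\DDS.txt')

    $inSection = $false
    foreach ($line in Get-Content -Path $LogPath) {
        if ($line -match '^=+\s*SERVICES / DRIVERS\s*=+$') { $inSection = $true; continue }
        if ($inSection -and $line -match '^=+ ') { break }   # reached the next section header
        if (-not $inSection) { continue }

        # DDS line layout: "<R0..R3|S2..S4> <service>;<display name>;<path> [<date> <size>]"
        # The path field may carry arguments (svchost.exe -k ...); those never pass Test-Path.
        if ($line -match '^(?<start>[RS][0-4])\s+(?<svc>[^;]+);(?<disp>[^;]*);(?<path>.+?)\s+\[') {
            New-Object -TypeName PSObject -Property @{
                Start   = $Matches['start']
                Service = $Matches['svc'].Trim()
                Display = $Matches['disp'].Trim()
                Path    = $Matches['path'].Trim()
            }
        }
    }
}

function Test-DdsDriverSignatures {
    param(
        [string]$LogPath = '.\DDS.txt',
        [string[]]$StartTypes = @('R0', 'R1')   # boot-start and system-start drivers
    )

    Get-DdsStartDrivers -LogPath $LogPath |
        Where-Object { $StartTypes -contains $_.Start } |
        ForEach-Object {
            $drv = $_
            if (-not (Test-Path -LiteralPath $drv.Path)) {
                $status = 'FileMissing'
                $signer = ''
            } else {
                $sig    = Get-AuthenticodeSignature -FilePath $drv.Path
                $status = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
                $signer = ''
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            New-Object -TypeName PSObject -Property @{
                Start     = $drv.Start
                Service   = $drv.Service
                Path      = $drv.Path
                Signature = $status
                Signer    = $signer
            }
        }
}

# Anything other than 'Valid' deserves a closer look. HashMismatch on a driver under
# \windows\system32\drivers means the file was modified after it was signed.
Test-DdsDriverSignatures |
    Sort-Object Signature |
    Format-Table Start, Service, Signature, Signer, Path -AutoSize
```

Read the output with one caveat: Windows in-box drivers are usually signed through a catalog rather than an embedded signature, and the PowerShell 2.0 version of Get-AuthenticodeSignature reports those as NotSigned, so NotSigned on a Microsoft driver is not by itself suspicious. HashMismatch, or a third-party driver with no signer, is the result to follow up on, and the file's DDS timestamp and size give the second data point for comparing it against a known-good copy.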
 
Re: Must press F8 and select "Disable Driver Signature Enforcement" to start system

Hi, Jim.

I will do my best to assist you. However, in order to do so, please follow all instructions provided in the sequence given. Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use. This may cause conflicts with the tools being used in the cleanup process.

If you have questions regarding any of the instructions or problems running any tools, please let me know.

1. Have you recently received or are you currently receiving malware removal assistance elsewhere? I ask for two reasons. First, because your log shows FRST, OTL and HiJackThis. Second, if you are receiving help elsewhere, please provide a link to the thread so there are no conflicts in instructions, which could cause issues. Also, since HijackThis is now open source, it is seldom used, so you can go ahead and uninstall it (again, unless you are actively receiving assistance elsewhere and were asked to install it).

Note: If you are receiving malware removal assistance elsewhere, please stop here and let me know! If not, continue with the instructions below.

2. I can see in your log that Comodo Antivirus is shown as disabled and you are using the Comodo Firewall and Dragon Browser. Since you have Avast Antivirus installed, please be sure you don't activate Comodo A/V as having two antivirus programs can cause conflicts.

3. It appears you have been doing a lot of self-help. My first recommendation is to discontinue use of any registry cleaner as they generally do more harm than good. Thus, I suggest you consider uninstalling the following:
  • iolo technologies' System Mechanic
  • Wise Disk Cleaner 8.04
  • Wise Registry Cleaner 8.03

4. It appears as though you got an unnecessary extra at some point when updating Adobe products: McAfee Security Scan Plus, which you should also uninstall.

5. Speaking of Adobe, you need to update Adobe Reader, which has had critical security updates. The current version is Adobe Reader XI (11.0.06). First, however, please uninstall both Adobe Reader 9 and Adobe Reader 10. Then download version XI for Windows, available here: Adobe - Adobe Reader : For Windows.

Note: UNcheck any pre-checked additional options presented with the update (including McAfee Security Scan Plus!). They are not part of the software update and are completely optional.

6. Firefox has also had critical security updates. To get the update to version 28.0, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."

7. Again, if you are receiving malware removal assistance elsewhere, please do not proceed. Otherwise, after completing the above steps, please follow these instructions carefully. Download ComboFix from the following location: Link 1

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.
    Note: If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum: How to disable your security applications.
  • If infections are found, ComboFix will automatically reboot the machine to complete the removal process. Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, a log will be produced. Please copy C:\ComboFix.txt in your next reply.
 
Re: Must press F8 and select "Disable Driver Signature Enforcement" to start sytem

Hi Corrine,

Thanks so much for the prompt reply! I truly appreciate any assistance you can offer. I promise to follow all your instructions.

1. I have not received malware removal assistance elsewhere. The tools you saw listed on my system were there from my earlier attempts to rid the system of malware and viruses. The system in question was used by my son at college. He has a new system now and, try as I may, I've not been able to fully clean the system. This system has become my laptop and has had me scratching my head for a while now. Unfortunately for me, he had deleted the Toshiba recovery partition, and Toshiba will charge me $29.95 for a recovery disk as the system is no longer under warranty.

2. I had disabled the Comodo Antivirus because I am aware of the conflicts/problems one can encounter using multiple antivirus solutions.

3. As instructed, I have uninstalled the following:

  • iolo technologies' System Mechanic
  • Wise Disk Cleaner 8.04
  • Wise Registry Cleaner 8.03

I'd been using Wise Registry Cleaner to rid the registry of strange Chinese symbols I'd found during earlier reviews. The symbols would re-appear a few days after deleting. I have both a .jpg and a .reg file depicting the characters. Please let me know if you'd like a copy.

4. McAfee Security Scan Plus has been removed. You are correct; I picked it up when upgrading Adobe. That'll teach me for not reviewing the checkboxes on the screens before clicking OK.

5. I uninstalled Adobe Reader 10 and upgraded to Adobe Reader XI (11.0.06). I could not find an uninstall for Adobe Reader 9 in Control Panel/Programs and Features nor C:\Program Files\Adobe.

6. Firefox has been updated to version 28.0.

7. I downloaded and ran ComboFix as instructed. Listed below you will find the contents of ComboFix.txt. I found this file in C:\ComboFix, not the root of C:\. If I did something wrong, please let me know.

ComboFix.txt
ComboFix 14-03-24.01 - JFBAdmin 03/30/2014 0:17:29.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.710 [GMT -4:00]
Running from: C:\Users\JFBAdmin\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
FW: COMODO Firewall *Enabled* {8F7746F7-FE68-E084-3B6C-7404A51E8FB3}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: COMODO Antivirus *Disabled/Outdated* {0C2D2636-923D-EE52-2A83-E643204A8275}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}




Thanks again for assisting me!
 
Re: Must press F8 and select "Disable Driver Signature Enforcement" to start sytem

Hi, Jim.

Only the heading for the ComboFix log managed to post. Please give it another shot so I can see the entire log.

Thanks.
 
Re: Must press F8 and select "Disable Driver Signature Enforcement" to start sytem

Hi Corrine,

I receive the following popup error shortly after launching ComboFix.exe:

"The contents of folder C:\Windows\erdnt\Hiv-Backup could not be completely deleted". I waited half an hour, as I saw hard disk activity and wasn't sure if ComboFix was still running. I could not find a ComboFix.txt file, and a subsequent attempt to run ComboFix generated the same error and result.

Please let me know what steps you would like me to perform next.

Regards,

Jim
 
Re: Must press F8 and select "Disable Driver Signature Enforcement" to start sytem

The message about C:\Windows\erdnt\Hiv-Backup should have included an OK button. Did you click it? Please restart your computer and see if there is a complete log in the ComboFix folder.
 
Re: Must press F8 and select "Disable Driver Signature Enforcement" to start sytem

Hi Corrine,

I did click the "OK" button. I've since re-booted but cannot find a complete log in the ComboFix folder. A search of my system for ComboFix.txt did uncover two files (ComboFix2.txt 03/12/2014) and (ComboFix3.txt 03/05/2014) located in C:\Qoobox. I'd apparently run ComboFix on March 5th and March 12th. I apologize that I did not remember doing so. MS has done a number on my memory. Listed below you will find the contents of those files.


ComboFix2.txt
ComboFix 14-03-10.01 - JFBAdmin 03/12/2014 19:36:36.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1066 [GMT -4:00]
Running from: c:\users\JFBAdmin\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
FW: COMODO Firewall *Enabled* {8F7746F7-FE68-E084-3B6C-7404A51E8FB3}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: COMODO Antivirus *Disabled/Outdated* {0C2D2636-923D-EE52-2A83-E643204A8275}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\DEBUG.log
c:\windows\system32\drivers\etc\lmhosts
.
.
((((((((((((((((((((((((( Files Created from 2014-02-12 to 2014-03-12 )))))))))))))))))))))))))))))))
.
.
2014-03-12 23:51 . 2014-03-12 23:51 -------- d-----w- c:\users\JFBAdmin\AppData\Local\temp
2014-03-12 23:51 . 2014-03-12 23:51 -------- d-----w- c:\users\jimmy\AppData\Local\temp
2014-03-12 23:51 . 2014-03-12 23:51 -------- d-----w- c:\users\Experience\AppData\Local\temp
2014-03-12 23:51 . 2014-03-12 23:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-03-12 23:51 . 2014-03-12 23:51 -------- d-----w- c:\users\Allison\AppData\Local\temp
2014-03-12 23:51 . 2014-03-12 23:51 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2014-03-12 19:37 . 2014-03-12 21:34 -------- d-----w- c:\windows\system32\catroot2
2014-03-12 16:55 . 2014-03-12 16:55 -------- d-----w- c:\users\JFBAdmin\New Folder (1)
2014-03-12 16:54 . 2014-03-12 16:54 -------- d-----w- c:\users\JFBAdmin\MS10
2014-03-12 11:57 . 2014-02-07 10:38 2050560 ----a-w- c:\windows\system32\win32k.sys
2014-03-12 11:57 . 2014-02-03 10:37 505344 ----a-w- c:\windows\system32\qedit.dll
2014-03-12 11:57 . 2014-01-30 07:46 876032 ----a-w- c:\windows\system32\wer.dll
2014-03-12 11:57 . 2013-11-13 00:30 2048 ----a-w- c:\windows\system32\tzres.dll
2014-03-11 19:01 . 2014-03-11 19:01 -------- d-----w- c:\program files\DLLSuite
2014-03-11 17:04 . 2014-03-11 17:04 -------- d-----w- c:\windows\system32\TasksBkp
2014-03-11 16:24 . 2014-02-06 07:08 7947048 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A1541CDE-099F-4E70-9D10-E155F79D91E2}\mpengine.dll
2014-03-11 01:44 . 2014-03-11 01:44 -------- d-----w- c:\users\JFBAdmin\AppData\Local\Apps
2014-03-11 00:30 . 2014-03-11 00:30 -------- d-----w- c:\program files\Apple Software Update
2014-03-11 00:29 . 2014-03-11 00:29 -------- d-----w- c:\program files\Bonjour
2014-03-10 22:14 . 2014-03-10 22:14 388096 ----a-r- c:\users\JFBAdmin\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2014-03-10 22:13 . 2014-03-10 22:13 -------- d-----w- c:\program files\HJT
2014-03-06 16:21 . 2014-03-06 16:21 -------- d-----w- c:\users\JFBAdmin\AppData\Local\Systweak
2014-03-05 03:20 . 2008-11-11 18:42 24832 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys
2014-03-05 03:20 . 2008-11-11 18:41 19968 ----a-w- c:\windows\system32\drivers\lgusbdiag.sys
2014-03-05 03:20 . 2008-11-11 18:41 13056 ----a-w- c:\windows\system32\drivers\lgusbbus.sys
2014-03-05 03:20 . 2014-03-05 03:20 -------- d-----w- c:\program files\LG Electronics
2014-03-05 02:57 . 2014-03-05 02:57 -------- d-----w- c:\program files\Common Files\InterVideo
2014-03-04 23:56 . 2006-12-08 17:02 251672 ----a-w- c:\windows\system32\xactengine2_5.dll
2014-03-04 23:56 . 2006-11-29 18:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2014-03-04 23:56 . 2006-09-28 21:05 237848 ----a-w- c:\windows\system32\xactengine2_4.dll
2014-03-04 23:56 . 2006-11-15 16:38 15128 ----a-w- c:\windows\system32\x3daudio1_1.dll
2014-03-04 23:56 . 2006-09-28 21:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2014-03-04 23:56 . 2006-09-28 21:04 68888 ----a-w- c:\windows\system32\xinput1_3.dll
2014-03-04 23:56 . 2006-07-28 14:30 236824 ----a-w- c:\windows\system32\xactengine2_3.dll
2014-03-04 23:56 . 2006-07-28 14:30 62744 ----a-w- c:\windows\system32\xinput1_2.dll
2014-03-04 23:53 . 2014-03-04 23:54 -------- d-----w- C:\temp.hddvdplayer
2014-03-04 17:26 . 2008-02-28 18:26 1414440 ----a-w- c:\windows\system32\ShellManager310E2D762.dll
2014-03-04 16:48 . 2014-03-04 16:48 -------- d-----w- c:\users\JFBAdmin\AppData\Local\Innovative Solutions
2014-03-04 15:57 . 2014-03-04 16:01 -------- d-----w- C:\FRST
2014-03-04 12:42 . 2014-03-04 12:42 -------- d-----w- c:\program files\WinDFT
2014-03-04 11:23 . 2013-03-18 03:36 26248 ----a-w- c:\windows\system32\drivers\ElRawDsk.sys
2014-03-03 19:57 . 2014-03-12 23:19 -------- d-----w- c:\users\JFBAdmin\AppData\Local\CrashDumps
2014-03-02 07:31 . 2014-03-02 07:31 -------- d-----w- c:\windows\system32\%LOCALAPPDATA%
2014-03-01 16:53 . 2014-03-01 16:53 -------- d-----w- C:\_OTL
2014-02-21 23:48 . 2014-02-21 23:48 -------- d-----w- c:\users\Default\AppData\Local\Google
2014-02-20 21:39 . 2013-09-20 15:49 18968 ----a-w- c:\windows\system32\sdnclean.exe
2014-02-20 21:39 . 2014-02-20 21:43 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2014-02-17 14:38 . 2014-02-17 14:38 -------- d-----w- c:\program files\McAfee Security Scan
2014-02-13 11:34 . 2013-12-05 02:12 1248768 ----a-w- c:\windows\system32\msxml3.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-12 19:40 . 2013-04-27 22:32 181064 ----a-w- c:\windows\PSEXESVC.EXE
2014-02-25 02:26 . 2013-04-27 17:48 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-02-25 02:26 . 2012-01-02 19:35 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-01-31 00:48 . 2013-04-27 17:35 410784 ----a-w- c:\windows\system32\drivers\aswsp.sys
2014-01-31 00:48 . 2013-04-27 17:35 54832 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2014-01-31 00:48 . 2013-04-27 17:35 57672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2014-01-31 00:48 . 2013-04-27 17:35 775952 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2014-01-31 00:48 . 2013-04-27 17:35 67824 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-01-31 00:48 . 2013-04-27 17:35 270240 ----a-w- c:\windows\system32\aswBoot.exe
2014-01-31 00:48 . 2013-04-27 17:34 43152 ----a-w- c:\windows\avastSS.scr
2014-01-31 00:30 . 2014-01-31 00:30 48392 ----a-w- c:\windows\system32\certsentry.dll
2014-01-21 21:22 . 2014-01-21 21:22 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-12-22 15:46 . 2013-04-27 17:35 180248 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-12-18 11:13 . 2009-10-02 17:13 231584 ----a-w- c:\windows\system32\MpSigStub.exe
2010-07-07 20:12 . 2014-02-17 17:46 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-01-31 00:48 259464 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
2012-04-09 21:27 158224 ----a-w- c:\windows\System32\CbFsMntNtf3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2014-01-30 20:05 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-01-30 20:05 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2014-01-30 20:05 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2014-01-30 20:05 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2014-01-30 20:05 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ApplePhotoStreams"="c:\program files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2013-10-31 59720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-08 622592]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2013-11-11 1576152]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-01-31 3767096]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDVCPL]
2013-03-29 14:57 11930696 ----a-w- c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
2013-07-25 16:19 5624784 ----a-w- c:\program files\Spybot - Search & Destroy 2\SDTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-08-14 15:40 1348904 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2013-10-10 120088]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-04 11:28 1150280 ----a-w- c:\program files\Google\Chrome\Application\33.0.1750.146\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-02-20 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2014-02-20 15:57]
.
2014-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 08:00]
.
2014-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 08:00]
.
2012-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-574940311-2613744836-3021488733-1006Core.job
- c:\users\jimmy\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-19 21:39]
.
2012-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-574940311-2613744836-3021488733-1006UA.job
- c:\users\jimmy\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-19 21:39]
.
2014-02-20 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2014-02-20 15:49]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: apple.com\www
Trusted Zone: cnet.com\download
Trusted Zone: linkedin.com\www
Trusted Zone: microsoft.com\update
Trusted Zone: verizon.com\auth
Trusted Zone: verizon.com\mail
Trusted Zone: verizon.com\signin
Trusted Zone: verizon.com\webmail
Trusted Zone: verizon.com\www
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5CF63800-A8B9-4061-BFD6-E01C4FF176F2}: NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{ECDACC13-76E1-49B9-BE97-F271E8F907BA}: NameServer = 156.154.70.22,156.154.71.22
FF - ProfilePath - c:\users\JFBAdmin\AppData\Roaming\Mozilla\Firefox\Profiles\s69ptccq.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.linkedin.com/|https://mail.google.com/intl/en/mai...signin/MyVzAuthorize?source=myvz&action=email
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
jsefile\shell\open2\command=c:\windows\System32\CScript.exe "%1" %*
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2014-03-12 19:51
Windows 6.0.6002 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\guard32.dll
.
Completion time: 2014-03-12 19:57:11
ComboFix-quarantined-files.txt 2014-03-12 23:57
ComboFix2.txt 2014-03-05 04:51
.
Pre-Run: 60,268,359,680 bytes free
Post-Run: 60,202,098,688 bytes free
.
- - End Of File - - 742AF3770F396A18E9D7572627C13470
5C616939100B85E558DA92B899A0FC36



ComboFix3.txt
ComboFix 14-03-04.03 - JFBAdmin 03/04/2014 23:31:37.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.976 [GMT -5:00]
Running from: c:\users\JFBAdmin\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
FW: COMODO Firewall *Enabled* {8F7746F7-FE68-E084-3B6C-7404A51E8FB3}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: COMODO Antivirus *Disabled/Outdated* {0C2D2636-923D-EE52-2A83-E643204A8275}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\program files\SecureW2
c:\program files\SecureW2\Uninstall.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\SecureW2
c:\programdata\Microsoft\Windows\Start Menu\Programs\SecureW2\TTLS Manager.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\SecureW2\Uninstall.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\hpoddt01.exe.lnk
c:\users\jimmy\g2mdlhlpx.exe
.
.
((((((((((((((((((((((((( Files Created from 2014-02-05 to 2014-03-05 )))))))))))))))))))))))))))))))
.
.
2014-03-05 04:45 . 2014-03-05 04:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-03-05 03:20 . 2008-11-11 18:42 24832 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys
2014-03-05 03:20 . 2008-11-11 18:41 19968 ----a-w- c:\windows\system32\drivers\lgusbdiag.sys
2014-03-05 03:20 . 2008-11-11 18:41 13056 ----a-w- c:\windows\system32\drivers\lgusbbus.sys
2014-03-05 03:20 . 2014-03-05 03:20 -------- d-----w- c:\program files\LG Electronics
2014-03-05 02:57 . 2014-03-05 02:57 -------- d-----w- c:\program files\Common Files\InterVideo
2014-03-04 23:56 . 2006-12-08 17:02 251672 ----a-w- c:\windows\system32\xactengine2_5.dll
2014-03-04 23:56 . 2006-11-29 18:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2014-03-04 23:56 . 2006-09-28 21:05 237848 ----a-w- c:\windows\system32\xactengine2_4.dll
2014-03-04 23:56 . 2006-11-15 16:38 15128 ----a-w- c:\windows\system32\x3daudio1_1.dll
2014-03-04 23:56 . 2006-09-28 21:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2014-03-04 23:56 . 2006-09-28 21:04 68888 ----a-w- c:\windows\system32\xinput1_3.dll
2014-03-04 23:56 . 2006-07-28 14:30 236824 ----a-w- c:\windows\system32\xactengine2_3.dll
2014-03-04 23:56 . 2006-07-28 14:30 62744 ----a-w- c:\windows\system32\xinput1_2.dll
2014-03-04 23:53 . 2014-03-04 23:54 -------- d-----w- C:\temp.hddvdplayer
2014-03-04 17:26 . 2008-02-28 18:26 1414440 ----a-w- c:\windows\system32\ShellManager310E2D762.dll
2014-03-04 16:48 . 2014-03-04 16:48 -------- d-----w- c:\users\JFBAdmin\AppData\Local\Innovative Solutions
2014-03-04 15:57 . 2014-03-04 16:01 -------- d-----w- C:\FRST
2014-03-04 15:16 . 2014-02-06 07:08 7947048 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{824DE81F-FC52-419D-A5CD-78FBFE5BE57D}\mpengine.dll
2014-03-04 12:42 . 2014-03-04 12:42 -------- d-----w- c:\program files\WinDFT
2014-03-04 11:23 . 2013-03-18 03:36 26248 ----a-w- c:\windows\system32\drivers\ElRawDsk.sys
2014-03-03 19:57 . 2014-03-05 01:03 -------- d-----w- c:\users\JFBAdmin\AppData\Local\CrashDumps
2014-03-02 07:31 . 2014-03-02 07:31 -------- d-----w- c:\windows\system32\%LOCALAPPDATA%
2014-03-01 16:53 . 2014-03-01 16:53 -------- d-----w- C:\_OTL
2014-02-21 23:48 . 2014-02-21 23:48 -------- d-----w- c:\users\Default\AppData\Local\Google
2014-02-20 21:39 . 2013-09-20 15:49 18968 ----a-w- c:\windows\system32\sdnclean.exe
2014-02-20 21:39 . 2014-02-20 21:43 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2014-02-17 14:38 . 2014-02-17 14:38 -------- d-----w- c:\program files\McAfee Security Scan
2014-02-13 11:34 . 2013-12-05 02:12 1248768 ----a-w- c:\windows\system32\msxml3.dll
2014-02-09 03:42 . 2014-02-09 03:42 -------- d-----w- c:\windows\ERUNT
2014-02-09 03:33 . 2014-03-05 03:53 -------- d-----w- C:\AdwCleaner
2014-02-09 01:53 . 2014-02-09 01:53 -------- d-----w- C:\MATS
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-02-25 02:26 . 2013-04-27 17:48 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-02-25 02:26 . 2012-01-02 19:35 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-01-31 00:48 . 2013-04-27 17:35 410784 ----a-w- c:\windows\system32\drivers\aswsp.sys
2014-01-31 00:48 . 2013-04-27 17:35 54832 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2014-01-31 00:48 . 2013-04-27 17:35 57672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2014-01-31 00:48 . 2013-04-27 17:35 775952 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2014-01-31 00:48 . 2013-04-27 17:35 67824 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-01-31 00:48 . 2013-04-27 17:35 270240 ----a-w- c:\windows\system32\aswBoot.exe
2014-01-31 00:48 . 2013-04-27 17:34 43152 ----a-w- c:\windows\avastSS.scr
2014-01-31 00:30 . 2014-01-31 00:30 48392 ----a-w- c:\windows\system32\certsentry.dll
2014-01-21 21:22 . 2014-01-21 21:22 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-12-22 15:46 . 2013-04-27 17:35 180248 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-12-18 11:13 . 2009-10-02 17:13 231584 ------w- c:\windows\system32\MpSigStub.exe
2013-12-08 16:46 . 2012-12-31 18:19 2244 ----a-w- c:\windows\system32\ud-boot-time.cmd
2010-07-07 20:12 . 2014-02-17 17:46 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-01-31 00:48 259464 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
2012-04-09 21:27 158224 ----a-w- c:\windows\System32\CbFsMntNtf3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2014-01-30 20:05 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-01-30 20:05 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2014-01-30 20:05 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2014-01-30 20:05 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2014-01-30 20:05 579400 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-08 622592]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2013-03-29 11930696]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2013-11-11 1576152]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-01-31 3767096]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware (cleanup)"="c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll" [2013-04-04 1127496]
"*Restore"="c:\windows\System32\rstrui.exe" [2008-01-19 318464]
"20131224"="c:\program files\AVAST Software\Avast\setup\emupdate\c91c363b-17d6-4554-a447-13bf79111730.exe" [2014-02-25 181136]
"OTL"="c:\utils\Diagnostic\OTL.exe" [2014-03-01 602112]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.8.141\SSScheduler.exe [2014-1-15 277920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-08-14 15:40 1348904 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2013-10-10 120088]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-04 11:28 1150280 ----a-w- c:\program files\Google\Chrome\Application\33.0.1750.146\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-02-20 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2014-02-20 15:57]
.
2014-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 08:00]
.
2014-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 08:00]
.
2012-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-574940311-2613744836-3021488733-1006Core.job
- c:\users\jimmy\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-19 21:39]
.
2012-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-574940311-2613744836-3021488733-1006UA.job
- c:\users\jimmy\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-19 21:39]
.
2014-02-20 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2014-02-20 15:49]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: apple.com\www
Trusted Zone: cnet.com\download
Trusted Zone: linkedin.com\www
Trusted Zone: microsoft.com\update
Trusted Zone: verizon.com\auth
Trusted Zone: verizon.com\mail
Trusted Zone: verizon.com\signin
Trusted Zone: verizon.com\webmail
Trusted Zone: verizon.com\www
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5CF63800-A8B9-4061-BFD6-E01C4FF176F2}: NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{ECDACC13-76E1-49B9-BE97-F271E8F907BA}: NameServer = 156.154.70.22,156.154.71.22
FF - ProfilePath - c:\users\JFBAdmin\AppData\Roaming\Mozilla\Firefox\Profiles\s69ptccq.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.linkedin.com/|https://mail.google.com/intl/en/mai...signin/MyVzAuthorize?source=myvz&action=email
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
jsefile\shell\open2\command=c:\windows\System32\CScript.exe "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
HKLM-RunOnce-WinSat - winsat dwm -xml results.xml
Notify-SDWinLogon - SDWinLogon.dll
SafeBoot-CleanHlp
SafeBoot-CleanHlp.sys
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-SecureW2 EAP Suite - c:\program files\SecureW2\Uninstall.exe
AddRemove-SecureW2 Enterprise Client - c:\program files\SecureW2\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2014-03-04 23:45
Windows 6.0.6002 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_70_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_70_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet007\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet007\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001
.
Completion time: 2014-03-04 23:51:56
ComboFix-quarantined-files.txt 2014-03-05 04:51
.
Pre-Run: 63,487,266,816 bytes free
Post-Run: 63,390,470,144 bytes free
.
- - End Of File - - E96E8C642470BC43BA698B096CD8BC20
5C616939100B85E558DA92B899A0FC36



What will I need to do to create a current ComboFix.txt? Also, please send me an e-mail (*removed your email address so spam bots don't get it*).

Regards,

Jim
 
Re: Must press F8 and select "Disable Driver Signature Enforcement" to start system

Hi, Jim.

Unfortunately, too much has been done to your computer for the old CF logs to be of much value.

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click mbam-setup-2.0.0.1000.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may see this message box.
    • 'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click on 'Cancel'.
  • Click Yes at the next message.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.
 
Re: Must press F8 and select "Disable Driver Signature Enforcement" to start system

Hi Corrine,

Listed below you will find the Malwarebytes Application Log:

Malwarebytes Anti-Malware
Malwarebytes | Free Anti-Malware & Internet Security Software


Scan Date: 3/30/2014
Scan Time: 8:35:11 PM
Logfile:
Administrator: Yes


Version: 2.00.0.1000
Malware Database: v2014.03.30.07
Rootkit Database: v2014.03.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled


OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: JFBAdmin


Scan Type: Threat Scan
Result: Completed
Objects Scanned: 358903
Time Elapsed: 1 hr, 8 min, 35 sec


Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Shuriken: Enabled
PUP: Warn
PUM: Enabled


Processes: 0
(No malicious items detected)


Modules: 0
(No malicious items detected)


Registry Keys: 1
PUP.Optional.InstallCore.A, HKU\S-1-5-21-574940311-2613744836-3021488733-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE, No Action By User, [26da57a95ea280802083c4b9020104fc],


Registry Values: 1
PUP.Optional.InstallCore.A, HKU\S-1-5-21-574940311-2613744836-3021488733-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE|tb, 0F, No Action By User, [26da57a95ea280802083c4b9020104fc]


Registry Data: 0
(No malicious items detected)


Folders: 0
(No malicious items detected)


Files: 0
(No malicious items detected)


Physical Sectors: 0
(No malicious items detected)




(end)

Regards,

Jim
 
Re: Must press F8 and select "Disable Driver Signature Enforcement" to start system

Hi Corrine,

I performed a Google Search "Combofx will not run" and found a thread which suggested renaming ComboFix.exe to something like ABC123.exe. I did this and ComboFix ran, although I got a message during processing which indicated that version of ComboFix had expired. Listed below you will find the associated ComboFix.txt which was located in C:\ABC123.

ComboFix.txt
ComboFix 14-03-24.01 - JFBAdmin 03/30/2014 20:59:59.3.2 - x86
Running from: C:\Users\JFBAdmin\Desktop\ABC123.exe
* Created a new restore point


- REDUCED FUNCTIONALITY MODE -



Regards,

Jim
 
Re: Must press F8 and select "Disable Driver Signature Enforcement" to start system

Hi, Jim.

Yes, I'm aware that renaming ComboFix will sometimes solve the problem of it not running. Since the version you have downloaded has expired, it would be necessary to delete it from your desktop and download a fresh copy.

I've been researching the driver signature enforcement. Since the Malwarebytes rootkit scan didn't turn up anything, I am guessing that UBCD4WIN may have included an unsigned driver. The MSDN instructions have been removed (Content Moved (Windows)), with only an indication that the content moved. However, that does not provide instructions for disabling driver signature enforcement. Although it is not recommended to run unsigned drivers, aside from the F8 method, there is a command line for Windows Vista that reportedly will disable signature enforcement (see the October 14, 2007 post by Cukkas).

Do you know what these files are? Did you change your registry with the .reg file?

C:\temp237.bat
C:\temp585.bat
C:\temp420.bat
c:\users\jfbadmin\hklmswmswinntcvschedtaskcache.reg
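An added check for the driver signature question above. This is example code written for this page, not something Corrine or Jim posted, and it assumes an elevated PowerShell 2.0 prompt on the Vista box. If the system only boots with "Disable Driver Signature Enforcement", some kernel driver that loads at boot is failing signature validation, and that driver is the thing to identify before anyone considers turning enforcement off for good (a persistent bypass via bcdedit is also exactly what a kernel-mode rootkit wants, so the first command checks whether it is already set).

```powershell
# Added example, not from the thread. Run elevated on Vista/7 with PowerShell 2.0.
# Goal: find which boot-time driver is failing signature checks, and confirm
# that signature enforcement has not been switched off persistently.

# 1. Boot entry: "nointegritychecks Yes", "testsigning Yes" or a loadoptions
#    value of DDISABLE_INTEGRITY_CHECKS means enforcement is bypassed on every
#    boot, not just via the F8 menu. None of these lines should appear.
"--- bcdedit integrity settings for the current boot entry ---"
bcdedit /enum '{current}' | Select-String -Pattern 'nointegritychecks|loadoptions|testsigning'

# 2. PnP drivers with INF packages: driverquery /si consults the catalog
#    files, so inbox Microsoft drivers show as signed here. Anything FALSE
#    is a third-party or tampered driver package.
"--- PnP driver packages that are not signed ---"
driverquery /si /fo csv |
    ConvertFrom-Csv |
    Where-Object { $_.IsSigned -ne 'TRUE' } |
    Format-Table DeviceName, InfName, Manufacturer -AutoSize

# 3. Legacy / non-PnP kernel services (the kind UBCD4WIN or a rootkit would
#    register) are not covered by driverquery /si, so check their image
#    files directly. Caveat: on PowerShell 2.0 Get-AuthenticodeSignature does
#    not look at catalog files, so inbox Microsoft drivers without an embedded
#    signature also show as NotSigned; the interesting hits are those whose
#    path is outside System32\drivers or whose name you do not recognise.
"--- running kernel services whose image lacks a valid embedded signature ---"
$running = Get-WmiObject Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }

$checked = foreach ($d in $running) {
    $path = $d.PathName
    if (-not $path) { continue }
    # WMI returns NT-style prefixes; normalise \??\C:\... and \SystemRoot\...
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) {
        New-Object PSObject -Property @{ Name = $d.Name; Status = 'FileMissing'; Path = $path }
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    New-Object PSObject -Property @{ Name = $d.Name; Status = $sig.Status; Path = $path }
}

$checked |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Path |
    Format-Table Name, Status, Path -AutoSize
```

Read the three sections together: a clean machine shows nothing from section 1, nothing from section 2, and only well-known inbox names under System32\drivers in section 3. A driver in section 3 with a path under \Program Files, \Windows\Temp or a user profile, or a FileMissing status for a service that still tries to start, is the candidate that is forcing the F8 workaround and should be looked at before anything is deleted.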
 
Re: Must press F8 and select "Disable Driver Signature Enforcement" to start system

Hi Corrine,

Thanks for removing my e-mail address from my earlier post! I thought of it afterwards and was going to ask you to remove it for me. I'm not the sharpest knife in the drawer when I do stupid things like that.

The hklmswmswinntcvschedtaskcache.reg file was a backup of the scheduled tasks section of the registry. The .bat files were created by Tweaking.com - Windows Repair to cleanup the temp folder.

I reviewed the Windows System log and saw I was receiving "TaskScheduler" errors at startup. Error details are as follows:

Level Date and Time Source Event ID Task Category
Error 3/26/2014 12:34:15 PM Microsoft-Windows-TaskScheduler 412 Service critical error Task Scheduler service failed to launch tasks triggered by computer startup. Additional Data: Error Value: 2147942402. User Action: restart task scheduler service.

I performed a Google Search and found the following:

How to get the task scheduler operational ? - Microsoft Community

I performed the steps outlined in the answer section which allowed me to identify and resolve the error. The file hklmswmswinntcvschedtaskcache.reg was a backup of the registry hive/section before the edit.

The batch files were created by "Windows Repair Tool" Windows Repair (All In One) which I ran in an attempt to resolve the problems before contacting you.

Listed below you will find the .bat files and their contents.

C:\temp237.bat
@echo on
Title Remove Temp Files
Color 80
setlocal DisableDelayedExpansion
set path=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
ATTRIB -A -R -S -H "C:\Users\JFBAdmin\AppData\Local\Temp\*.*" /S /D 1>> "C:\Users\JFBAdmin\Desktop\Tweaking.com - Windows Repair\Logs\3.29.2014_8.19.52-AM\Remove_Temp_Files.txt" 2>&1
del /f /s /q "C:\Users\JFBAdmin\AppData\Local\Temp\*.*" 1>> "C:\Users\JFBAdmin\Desktop\Tweaking.com - Windows Repair\Logs\3.29.2014_8.19.52-AM\Remove_Temp_Files.txt" 2>&1
rd "C:\Users\JFBAdmin\AppData\Local\Temp" /s /q 1>> "C:\Users\JFBAdmin\Desktop\Tweaking.com - Windows Repair\Logs\3.29.2014_8.19.52-AM\Remove_Temp_Files.txt" 2>&1
ATTRIB -A -R -S -H "C:\Windows\Temp\*.*" /S /D 1>> "C:\Users\JFBAdmin\Desktop\Tweaking.com - Windows Repair\Logs\3.29.2014_8.19.52-AM\Remove_Temp_Files.txt" 2>&1
del /f /s /q "C:\Windows\Temp\*.*" 1>> "C:\Users\JFBAdmin\Desktop\Tweaking.com - Windows Repair\Logs\3.29.2014_8.19.52-AM\Remove_Temp_Files.txt" 2>&1
rd "C:\Windows\Temp" /s /q 1>> "C:\Users\JFBAdmin\Desktop\Tweaking.com - Windows Repair\Logs\3.29.2014_8.19.52-AM\Remove_Temp_Files.txt" 2>&1
del /f /q C:\repairs_running.dat
del /f /q "C:\temp237.bat"



C:\temp585.bat
@echo on
Title Remove Temp Files
Color 80
setlocal DisableDelayedExpansion
set path=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
ATTRIB -A -R -S -H "C:\Users\JFBAdmin\AppData\Local\Temp\*.*" /S /D 1>> "C:\Users\JFBAdmin\Desktop\Tweaking.com - Windows Repair\Logs\3.26.2014_9.42.44-PM\Remove_Temp_Files.txt" 2>&1
del /f /s /q "C:\Users\JFBAdmin\AppData\Local\Temp\*.*" 1>> "C:\Users\JFBAdmin\Desktop\Tweaking.com - Windows Repair\Logs\3.26.2014_9.42.44-PM\Remove_Temp_Files.txt" 2>&1
rd "C:\Users\JFBAdmin\AppData\Local\Temp" /s /q 1>> "C:\Users\JFBAdmin\Desktop\Tweaking.com - Windows Repair\Logs\3.26.2014_9.42.44-PM\Remove_Temp_Files.txt" 2>&1
ATTRIB -A -R -S -H "C:\Windows\Temp\*.*" /S /D 1>> "C:\Users\JFBAdmin\Desktop\Tweaking.com - Windows Repair\Logs\3.26.2014_9.42.44-PM\Remove_Temp_Files.txt" 2>&1
del /f /s /q "C:\Windows\Temp\*.*" 1>> "C:\Users\JFBAdmin\Desktop\Tweaking.com - Windows Repair\Logs\3.26.2014_9.42.44-PM\Remove_Temp_Files.txt" 2>&1
rd "C:\Windows\Temp" /s /q 1>> "C:\Users\JFBAdmin\Desktop\Tweaking.com - Windows Repair\Logs\3.26.2014_9.42.44-PM\Remove_Temp_Files.txt" 2>&1
del /f /q C:\repairs_running.dat
del /f /q "C:\temp585.bat"



C:\temp420.bat
@echo on
Title Remove Temp Files
Color 80
setlocal DisableDelayedExpansion
set path=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
ATTRIB -A -R -S -H "C:\Users\JFBAdmin\AppData\Local\Temp\*.*" /S /D 1>> "C:\Users\JFBAdmin\Desktop\Tweaking.com - Windows Repair\Logs\3.26.2014_3.07.59-PM\Remove_Temp_Files.txt" 2>&1
del /f /s /q "C:\Users\JFBAdmin\AppData\Local\Temp\*.*" 1>> "C:\Users\JFBAdmin\Desktop\Tweaking.com - Windows Repair\Logs\3.26.2014_3.07.59-PM\Remove_Temp_Files.txt" 2>&1
rd "C:\Users\JFBAdmin\AppData\Local\Temp" /s /q 1>> "C:\Users\JFBAdmin\Desktop\Tweaking.com - Windows Repair\Logs\3.26.2014_3.07.59-PM\Remove_Temp_Files.txt" 2>&1
ATTRIB -A -R -S -H "C:\Windows\Temp\*.*" /S /D 1>> "C:\Users\JFBAdmin\Desktop\Tweaking.com - Windows Repair\Logs\3.26.2014_3.07.59-PM\Remove_Temp_Files.txt" 2>&1
del /f /s /q "C:\Windows\Temp\*.*" 1>> "C:\Users\JFBAdmin\Desktop\Tweaking.com - Windows Repair\Logs\3.26.2014_3.07.59-PM\Remove_Temp_Files.txt" 2>&1
rd "C:\Windows\Temp" /s /q 1>> "C:\Users\JFBAdmin\Desktop\Tweaking.com - Windows Repair\Logs\3.26.2014_3.07.59-PM\Remove_Temp_Files.txt" 2>&1
del /f /q C:\repairs_running.dat
del /f /q "C:\temp420.bat"

UBCD4WIN (UBCD for Windows) is a Win PE Boot CD which allows you to access your system when it is no longer bootable. My system had become "unbootable" while working with Richard. I was able to correct the problem which prevented the system from booting, although I must now use the "Disable Driver Signature Enforcement" option.

I've scanned the system numerous times with Kaspersky TDSSKiller, McAfee Rootkit Remover, MalwareBytes, etc. to see if remnants of an earlier detected RootKit were present. The scanners did find a few suspect files which were deleted or quarantined, but I've yet to detect any traces of the rootkit.

I realize you are very busy and do not wish to tie up a lot of your time. I appreciate being able to consult with you and thank you for your help!

Regards,

Jim
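An added example for the Task Scheduler error in the post above; it is not Jim's procedure and not from the Microsoft Community thread he followed, and it assumes an elevated PowerShell 2.0 prompt. The "Error Value: 2147942402" in event 412 is 0x80070002, ERROR_FILE_NOT_FOUND, which is what the service reports when an entry in its registry cache has no backing task file under System32\Tasks. The script backs up the TaskCache key the same way the .reg file in the thread did, then lists entries that dangle in either direction. It changes nothing; the output is what you would act on by hand.

```powershell
# Added example, not from the thread. Run elevated; TaskCache is ACL-protected.
# Reports Task Scheduler cache entries with no matching task file (the usual
# cause of event 412 with 0x80070002) and Tree entries with no Tasks record.

$cacheReg = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
$cache    = "HKLM:\" + $cacheReg.Substring(5)
$taskRoot = Join-Path $env:SystemRoot 'System32\Tasks'

# 1. Backup first, like the hklmswmswinntcvschedtaskcache.reg file in the post.
$backup = Join-Path $env:USERPROFILE ('TaskCache_{0:yyyyMMdd_HHmmss}.reg' -f (Get-Date))
reg export $cacheReg $backup /y | Out-Null
"Backup written to $backup"

# 2. Tasks\{GUID} -> file on disk. Each Tasks subkey carries a Path value such as
#    \Microsoft\Windows\Defrag\ScheduledDefrag; the XML lives at the same
#    relative path under System32\Tasks.
$dangling = foreach ($key in Get-ChildItem "$cache\Tasks") {
    $taskPath = (Get-ItemProperty $key.PSPath).Path
    if (-not $taskPath) { continue }
    $file = Join-Path $taskRoot $taskPath.TrimStart('\')
    if (-not (Test-Path -LiteralPath $file)) {
        New-Object PSObject -Property @{ Id = $key.PSChildName; Path = $taskPath; File = $file }
    }
}

# 3. Tree\<path> -> Tasks\{GUID}. A Tree node whose Id has no Tasks record is
#    the other way the cache gets out of step (half-removed task).
$treeOrphans = Get-ChildItem "$cache\Tree" -Recurse | ForEach-Object {
    $id = (Get-ItemProperty $_.PSPath).Id
    if ($id -and -not (Test-Path "$cache\Tasks\$id")) {
        New-Object PSObject -Property @{ Tree = ($_.PSPath -replace '.*\\Tree', ''); Id = $id }
    }
}

"--- cached tasks whose XML file is missing ---"
$dangling    | Format-Table Path, Id, File -AutoSize
"--- Tree entries with no Tasks record ---"
$treeOrphans | Format-Table Tree, Id -AutoSize
```

Before removing a dangling entry, note its Path: a task that vanished from disk but is still registered can be a remnant of something the AV cleaned up, and the name is worth keeping alongside the scan logs. After the Tree and Tasks entries for a confirmed orphan are deleted (or the task is recreated), restart the Task Scheduler service and check that event 412 no longer fires at boot.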
 
Re: Must press F8 and select "Disable Driver Signature Enforcement" to start system

barrejf said:
My system had become "unbootable" while working with Richard.
(& @Corrine)

The initial problem I fixed with you was a missing appinfo.dll file. This is not a driver file, so is not the direct cause of the problem (potentially, if I had made a mistake in repairing a driver file, I could have directly caused the problem so I had to think very carefully about that. However, upon consideration, with this particular file, I could only have caused the problem indirectly, not through a faulty replacement (plus I've also double checked my replacement anyway, which looks good)).

The problem then occurred when you installed http://support.microsoft.com/kb/2442962.

Oh look, it's the same component again, and it's all to do with LUA and UAC.

It does certainly make me wonder whether there's still an undiscovered rootkit element here which needs the broken appinfo.dll & whatever else to function properly. I don't know the exact purpose of appinfo.dll, and I can't find anything about it in Windows Internals, but it is certainly a boot time LUA component....


Corrine, do you think it likely that there's still an active infection which you want to throw some more tools at? Or if you think that unlikely, I can see if I can get some useful boot-time logging.

Richard
 
Re: Must press F8 and select "Disable Driver Signature Enforcement" to start system

Hi Richard/Corrine,

My apologies. I did not mean to imply that Richard had caused my system to become unbootable. It was in fact MS10-100: Vulnerability in Consent User Interface could allow elevation of privilege, which I was prompted to install after running the SFCFix Richard supplied. I really appreciate all the help you have both offered me and do not feel as though either of you has done anything to make my system worse.

The weird results I got when running a renamed ComboFix led me to believe there are still remnants of the rootkit infection present. I will download a new ComboFix (I've removed the prior one) and attempt to run it as is, and renamed if necessary. I'll post any results I receive from this particular test.

Regards,

Jim
 
Re: Must press F8 and select "Disable Driver Signature Enforcement" to start system

I just downloaded and ran ComboFix from the link Corrine provided in her initial posting to me. Attached you will find a MS Word document containing screenshots of the results. I will now attempt to run ComboFix renamed (ComboFx).
 

Re: Must press F8 and select "Disable Driver Signature Enforcement" to start system

Here are the results of running ComboFix renamed as ComboFx. Attached you will find a MS Word document depicting the results.

For the record, I had shut down Comodo Firewall and disabled Avast Antivirus before running ComboFix in its native form and renamed. I will now attempt to run ComboFix renamed (ComboFx) immediately after running RKill. I will rename C:\ComboFx to C:\ComboFxOld beforehand to preserve earlier test results.
 

Re: Must press F8 and select "Disable Driver Signature Enforcement" to start system

Here are the results from running RKill followed by ComboFix renamed as ComboFx.
 

Re: Must press F8 and select "Disable Driver Signature Enforcement" to start system

Jim,

Do you still have copies of the logs that showed what was removed? It might help to have a name of the rootkit that was on your computer.

It does certainly make me wonder whether there's still an undiscovered rootkit element here which needs the broken appinfo.dll & whatever else to function properly. I don't know the exact purpose of appinfo.dll, and I can't find anything about it in Windows Internals, but it is certainly a boot time LUA component....

appinfo.dll
Part of Windows Application Experience Note: Located in \%WINDIR%\%System%\ Note: This service on Vista or Windows 7 - 64 bit operating system is launched by svchost.exe, but the actual application is what is listed as the filename. Note: Older "non-Vista or Windows 7 compatible" programs may need this service running.

The problem with ComboFix, as illustrated by the screen copies in the Word file is permissions --> Access Denied.

Richard, nothing showed in the MBAM scan for rootkits and with Jim having run the various rootkit removal tools (TDSS Killer, McAfee Rootkit Remover, etc.) with no results, it does not appear that the rootkit remains on the system.
 
Re: Must press F8 and select "Disable Driver Signature Enforcement" to start system

Hi Corrine/Richard,

Thank you both for your time and questions! I sat down the other night and realized I needed to put together a plan which would provide useful data and minimize your time and efforts. It proved quite productive and resulted in a number of breakthroughs.

The Plan

Uninstall recently installed software

Uninstalled Universal Extractor
Uninstalled Copernic Desktop Search

Uninstall Anti-Virus/Firewall Software
Uninstalled Avast
Uninstalled Comodo

Review System Log/Resolve Errors
Success - No errors in System Log

Review Application Log/Resolve Errors
Success - No errors in Application Log

Review Security Log/Identify Issues
Success - Filtered Security Log & Saved Audit Failures to file (AuditFail20140402)

Installed Microsoft Security Essentials - Ran Full System scan (no viruses detected)

Latest Results
Ran RKill - RKill.txt
Ran ComboFix (Success) - ComboFix.txt
Ran sfc /SCANNOW - sfc20140402.txt & cbslog.txt
Searched system for appinfo.dll - appinfo_dll.docx
Reviewed Avast log for RootKit detected - C:\ProgramData\Alwil Software\Avast5\log\aswAr.log

It appears as though aswAr.log is overwritten daily. I could not locate any log naming the rootkit detected. Was it a false positive?

I ran RogueKiller V8.8.10 to scan for malware - a few items were detected on March 31st -
RKreport[0]_D_03312014_085318.txt.
Latest scan shows a few items (RKreport[0]_D_03312014_085318.txt) - No action was taken.

I'd appreciate your thoughts/opinions and advice.

Thanks again for all your help!
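An added example for the "Review Security Log / Identify Issues" step in the plan above. It is not Jim's export and not part of the thread; it assumes PowerShell 2.0 (for Get-WinEvent) on the Vista machine and an elevated prompt, and it reproduces the Audit Failure filter as a script so the result can be summarised rather than read event by event. The keyword 0x10000000000000 is the Security log's "Audit Failure" keyword.

```powershell
# Added example, not from the thread. Elevated PowerShell 2.0 or later.
# Pulls Audit Failure events from the Security log for the last $days days,
# summarises them by event ID, breaks 4625 logon failures down by account,
# and writes the raw set to CSV for posting.

$days         = 7
$since        = (Get-Date).AddDays(-$days)
$AuditFailure = [int64]0x10000000000000     # Security log keyword "Audit Failure"

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Keywords  = $AuditFailure
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    "No Audit Failure events in the last $days days."
    return
}

# Summary by event ID. IDs that commonly appear in a failure filter on Vista:
# 4625 logon failure, 4656 handle to an object requested and denied,
# 4673 privileged service call denied, 5152 Windows Filtering Platform blocked a packet.
"--- Audit Failures by event ID (last $days days) ---"
$events |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'FirstLine'; e = { ("$($_.Group[0].Message)" -split "`n")[0].Trim() } } |
    Format-Table -AutoSize

# Logon failures by account / logon type / source. The EventData fields are
# only reachable through the event XML on PowerShell 2.0, so parse that.
"--- 4625 logon failures by account, logon type and source address ---"
$events | Where-Object { $_.Id -eq 4625 } | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Account = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Type    = $d['LogonType']
        Source  = $d['IpAddress']
        Process = $d['ProcessName']
    }
} |
    Group-Object Account, Type, Source |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Raw export for a reply, the equivalent of the AuditFail20140402 file in the post.
$out = Join-Path $env:USERPROFILE ("Desktop\AuditFail{0:yyyyMMdd}.csv" -f (Get-Date))
$events |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Export-Csv -Path $out -NoTypeInformation
"Exported $($events.Count) events to $out"
```

On a single home machine the interesting lines are a repeated 4625 against the built-in Administrator (RID 500, the same SID suffix that the InstallCore PUP keys in the Malwarebytes log were found under), logon type 3 (network) failures from an address that is not the PC itself, and 4673/4656 failures for a process you do not recognise, since a kernel-mode component that has lost its helper files tends to show up as repeated denied privileged calls at boot.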
 

Re: Must press F8 and select "Disable Driver Signature Enforcement" to start system

Hi, Jim.

I'm winding down from a long day and will take a look tomorrow.