Infected by trojan.

Hi chelseafan,

You will need a USB drive for this next part.

Please delete your copy of ComboFix and then download a fresh copy of ComboFix to your USB drive. When you download it to your USB drive, please name it svchost.com, then transfer it to the infected computer and place it in your C:\ folder.

If you have problems let me know. :bigthumb:
 
Hi chelseafan,

When ComboFix runs and then flickers, is there any error message or anything else that is displayed? Is there a log in the C:\Combofix folder by chance? If there is, please post it so we can take a look. :bigthumb:
 
Hi Chelseafan,

Please go to C:\Qoobox and look inside and see if you can find ComboFix.txt. If it is in there please post that into your next reply.
 
Due to lack of feedback, this topic will now be closed.
If you are the original poster and you still require help, please start a new thread.
 
Hi chelseafan,

Good to see that you returned. Be sure to subscribe to the topic. :)
----------

What symptoms are you still experiencing with your system? Since it has been a couple of days, I would like a little update.
---------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    Code:
    :Services
    
    :OTL
    O4 - HKLM..\RunOnce: [combofix] 
    O4 - HKLM..\Run: [combofix] 
    
    :commands
    [reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log (don't check the boxes beside LOP Check or Purity this time)
----------

I would also like for you to delete your copy of aswMBR.exe using right-click >> delete and then download a new copy from here. Please run a new scan with aswMBR.
----------

In your next reply please post the OTL logs and the log created by aswMBR.exe.
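The :OTL fix above removes two orphaned [combofix] autostart values left behind after a ComboFix run. As an added example (not code from this thread, from OTL or from its author), here is a small Python parser for OTL's O4 lines that flags entries with no command, a missing file or no company name, and emits the flagged lines in the Custom Scans/Fixes syntax used above; the sample lines are constructed to match the format of the OTL log posted in this thread, and the OldTool entry is invented.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format OTL writes O4 (autostart) lines. The MSC and
# StartCCC lines mirror the thread's log; the two [combofix] values are the
# orphaned RunOnce/Run entries the fix above removes; Texter and OldTool are
# made up to show the "no company name" and "File not found" cases.
SAMPLE_O4_LINES = """\
O4:64bit: - HKLM..\\Run: [MSC] C:\\Program Files\\Microsoft Security Client\\msseces.exe (Microsoft Corporation)
O4 - HKLM..\\Run: [StartCCC] C:\\Program Files (x86)\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\\RunOnce: [combofix] 
O4 - HKLM..\\Run: [combofix] 
O4 - HKCU..\\Run: [Texter] C:\\Users\\Paul\\My Documents\\Texter\\texter.exe ()
O4 - HKCU..\\Run: [OldTool] C:\\Program Files (x86)\\OldTool\\oldtool.exe File not found
O6 - HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer: NoDrives = 0
"""

# One registry autostart line: optional ":64bit:" view tag, hive, Run/RunOnce
# key, the value name in brackets, then whatever OTL printed for the command
# (possibly nothing at all for an orphaned value).
O4_RE = re.compile(
    r"^O4(?P<view>:64bit:)? - (?P<hive>HKLM|HKCU)\.\.\\(?P<key>Run|RunOnce): "
    r"\[(?P<name>[^\]]*)\](?P<rest>.*)$"
)
# OTL appends the file's company name in parentheses; "()" means it has none.
COMPANY_RE = re.compile(r"^(?P<target>.*?)\s*\((?P<company>[^()]*)\)$")
MISSING = "File not found"


@dataclass
class AutostartEntry:
    raw: str          # the log line verbatim, which is also OTL's fix syntax
    view64: bool      # True for the native 64-bit registry view (":64bit:")
    hive: str
    key: str
    name: str
    target: str
    company: Optional[str]
    missing: bool

    @property
    def finding(self) -> Optional[str]:
        # Triage hints only: a missing company name is common for small
        # legitimate tools and is a reason to look, not a verdict.
        if not self.target:
            return "orphaned value (no command)"
        if self.missing:
            return "file not found"
        if self.company == "":
            return "no company name"
        return None


def parse_o4(line: str) -> Optional[AutostartEntry]:
    """Parse one OTL log line; return None for anything that is not an O4 registry entry."""
    line = line.rstrip()
    m = O4_RE.match(line)
    if not m:
        return None
    rest = m.group("rest").strip()
    target, company, missing = rest, None, False
    if rest.endswith(MISSING):
        missing = True
        target = rest[: -len(MISSING)].strip()
    else:
        cm = COMPANY_RE.match(rest)
        if cm:
            target, company = cm.group("target"), cm.group("company")
    return AutostartEntry(raw=line, view64=bool(m.group("view")), hive=m.group("hive"),
                          key=m.group("key"), name=m.group("name"), target=target,
                          company=company, missing=missing)


def scan_o4(log_text: str) -> List[AutostartEntry]:
    """Collect every O4 registry autostart entry from an OTL log."""
    return [e for e in (parse_o4(l) for l in log_text.splitlines()) if e]


def otl_fix_script(entries: List[AutostartEntry], reboot: bool = True) -> str:
    """Emit flagged entries in the Custom Scans/Fixes syntax used in the thread:
    log lines verbatim under :OTL, then :commands with an optional [reboot]."""
    lines = [":OTL"] + [e.raw for e in entries if e.finding] + [":commands"]
    if reboot:
        lines.append("[reboot]")
    return "\n".join(lines)


if __name__ == "__main__":
    found = scan_o4(SAMPLE_O4_LINES)
    for e in found:
        print(f"{e.hive}\\{e.key} [{e.name}] -> {e.target or '<none>'}: {e.finding or 'ok'}")
    print(otl_fix_script(found))
```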
 
OTL logfile created on: 1/8/2012 1:08:40 AM - Run 7
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\James\Downloads
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.87 Gb Total Physical Memory | 2.73 Gb Available Physical Memory | 70.69% Memory free
7.73 Gb Paging File | 6.43 Gb Available in Paging File | 83.16% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 97.56 Gb Total Space | 1.91 Gb Free Space | 1.95% Space Free | Partition Type: NTFS
Drive D: | 97.66 Gb Total Space | 41.39 Gb Free Space | 42.38% Space Free | Partition Type: NTFS
Drive E: | 270.44 Gb Total Space | 108.46 Gb Free Space | 40.11% Space Free | Partition Type: NTFS
Drive F: | 452.34 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive H: | 100.00 Mb Total Space | 70.07 Mb Free Space | 70.07% Space Free | Partition Type: NTFS

Computer Name: PAUL-PC | User Name: Paul | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\James\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\Java\jre6\bin\javaw.exe (Sun Microsystems, Inc.)
PRC - C:\Windows\SysWOW64\java.exe (Sun Microsystems, Inc.)
PRC - C:\Windows\SysWOW64\PnkBstrA.exe ()
PRC - C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe (TeamViewer GmbH)
PRC - C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Windows\SysWOW64\cmd.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\OnlyWire\OnlyWireWindows.exe ()
PRC - C:\Users\James\My Documents\Texter\texter.exe ()


========== Modules (No Company Name) ==========

MOD - C:\Program Files (x86)\OpenOffice.org 3\program\libxml2.dll ()
MOD - C:\Program Files (x86)\OnlyWire\OnlyWireWindows.exe ()
MOD - C:\Users\James\My Documents\Texter\texter.exe ()


========== Win32 Services (SafeList) ==========

SRV:64bit: - (!SASCORE) -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE (SUPERAntiSpyware.com)
SRV:64bit: - (NisSrv) -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe (Microsoft Corporation)
SRV:64bit: - (MsMpSvc) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (PnkBstrA) -- C:\Windows\SysWOW64\PnkBstrA.exe ()
SRV - (TeamViewer6) -- C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe (TeamViewer GmbH)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (SwitchBoard) -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (Crypkey License) -- C:\Windows\SysWow64\Crypserv.exe (CrypKey (Canada) Ltd.)


========== Driver Services (SafeList) ==========

DRV:64bit: - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV:64bit: - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV:64bit: - (SeratoUsb) -- C:\Windows\SysNative\drivers\SeratoUsb.sys (Cristalink Ltd)
DRV:64bit: - (NisDrv) -- C:\Windows\SysNative\drivers\NisDrvWFP.sys (Microsoft Corporation)
DRV:64bit: - (dtsoftbus01) -- C:\Windows\SysNative\drivers\dtsoftbus01.sys (DT Soft Ltd)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV:64bit: - (cpuz135) -- C:\Windows\SysNative\drivers\cpuz135_x64.sys (CPUID)
DRV:64bit: - (taphss) -- C:\Windows\SysNative\drivers\taphss.sys (AnchorFree Inc)
DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (k57nd60a) Broadcom NetLink (TM) -- C:\Windows\SysNative\drivers\k57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (athr) -- C:\Windows\SysNative\drivers\athrx.sys (Atheros Communications, Inc.)
DRV:64bit: - (Impcd) -- C:\Windows\SysNative\drivers\Impcd.sys (Intel Corporation)
DRV:64bit: - (RTHDMIAzAudService) -- C:\Windows\SysNative\drivers\RtHDMIVX.sys (Realtek Semiconductor Corp.)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (RimUsb) -- C:\Windows\SysNative\drivers\RimUsb_AMD64.sys (Research In Motion Limited)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
DRV - (NetworkX) -- C:\Windows\system32\ckldrv.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: ""
FF - prefs.js..browser.search.defaultenginename: ""
FF - prefs.js..browser.search.order.1: ""
FF - prefs.js..browser.search.useDBForOrder: ""
FF - prefs.js..browser.startup.homepage: ""
FF - prefs.js..extensions.enabledItems: savedpasswords@adamfranco.com:1.2.3
FF - prefs.js..extensions.enabledItems: {0545b830-f0aa-4d7e-8820-50a4629a56fe}:4.6.5
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.9.1
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:2.0.7
FF - prefs.js..extensions.enabledItems: {F8A55C97-3DB6-4961-A81D-0DE0080E53CB}:0.9.5
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:5.0.0.6906
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: add-to-searchbox@maltekraus.de:2.0
FF - prefs.js..extensions.enabledItems: foxmarks@kei.com:4.0.0
FF - prefs.js..extensions.enabledItems: support@lastpass.com:1.72.0
FF - prefs.js..extensions.enabledItems: {317B5128-0B0B-49b2-B2DB-1E7560E16C74}:2.7.2
FF - prefs.js..extensions.enabledItems: pbupload@photobucket.com:1.3.1

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@qq.com/npqscall,version=1.0.0: %commonprogramfiles%\tencent\NPQSCALL\npqscall.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.18: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.18: C:\Program Files (x86)\Veetle\Player\npvlc.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/12/28 15:42:18 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/10/16 09:58:30 | 000,000,000 | ---D | M]

[2011/02/01 15:15:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Paul\AppData\Roaming\Mozilla\Extensions
[2011/12/22 21:00:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions
[2011/11/27 11:37:12 | 000,000,000 | ---D | M] (SeoQuake) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}
[2011/11/27 11:37:14 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/02/01 15:16:02 | 000,000,000 | ---D | M] (Download Manager Tweak) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}
[2011/03/19 10:54:31 | 000,000,000 | ---D | M] (Add to Search Bar) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\add-to-searchbox@maltekraus.de
[2011/11/27 11:37:10 | 000,000,000 | ---D | M] ("Xmarks") -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\foxmarks@kei.com
[2011/09/13 12:04:11 | 000,000,000 | ---D | M] (Awesome screenshot: Capture and Annotate) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\jid0-GXjLLfbCoAx0LcltEdFrEkQdQPI@jetpack
[2011/05/17 22:31:45 | 000,000,000 | ---D | M] (Saved Passwords Button) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\savedpasswords@adamfranco.com
[2011/12/22 21:00:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\staged
[2011/11/27 11:37:11 | 000,000,000 | ---D | M] (LastPass) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\support@lastpass.com
[2011/03/19 11:03:06 | 000,002,454 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\google-image-search.xml
[2011/03/23 22:45:21 | 000,001,097 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\mrtzcmp3--3.xml
[2011/03/19 10:59:26 | 000,001,060 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\the-internet-movie-database-imdb.xml
[2010/11/07 07:14:56 | 000,001,597 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\the-pirate-bay.xml
[2010/05/27 14:39:22 | 000,002,057 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\youtube-video-search.xml
[2011/12/28 15:43:15 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2011/06/12 04:20:04 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions\afurladvisor@anchorfree.com
() (No name found) -- C:\USERS\PAUL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8B6EQX2G.DEFAULT\EXTENSIONS\{02450954-CDD9-410F-B1DA-DB804E18C671}.XPI
() (No name found) -- C:\USERS\PAUL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8B6EQX2G.DEFAULT\EXTENSIONS\{DDC359D1-844A-42A7-9AA1-88A850A938A8}.XPI
() (No name found) -- C:\USERS\PAUL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8B6EQX2G.DEFAULT\EXTENSIONS\PBUPLOAD@PHOTOBUCKET.COM.XPI
[2011/12/21 07:24:52 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
[2011/12/21 04:30:41 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2011/12/21 04:30:41 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: The Internet Movie Database (IMDb) (Enabled)
CHR - default_search_provider: search_url = http://www.imdb.com/find?s=all&q={searchTerms}
CHR - default_search_provider: suggest_url =
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\13.0.782.112\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\13.0.782.112\gears.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\13.0.782.112\gcswf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.200.2 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U20 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.2.183.23\npGoogleOneClick8.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Xmarks Bookmark Sync = C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\1.0.14_0\
CHR - Extension: Xmarks Bookmark Sync = C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\1.0.16_0\
CHR - Extension: Readable by Evernote = C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\halondangdgpjbcemokdmjlpjmndpljd\1.3313.163.470_0\
CHR - Extension: Readable by Evernote = C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\halondangdgpjbcemokdmjlpjmndpljd\1.3313.163.470_1\

O1 HOSTS File: ([2011/12/20 19:57:19 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKCU..\Run: [SansaDispatch] C:\Users\Paul\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4:64bit: - HKLM..\RunOnce: [*WerKernelReporting] C:\Windows\SysNative\WerFault.exe (Microsoft Corporation)
O4 - Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files (x86)\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Texter.lnk = C:\Program Files (x86)\Texter\texter.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O1364bit: - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5FBA79C8-743B-45CB-B3F6-4EC3856F55EA}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5FBA79C8-743B-45CB-B3F6-4EC3856F55EA}: NameServer = 8.8.8.8,208.67.220.220
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/26 18:26:52 | 000,000,000 | --SD | C] -- C:\svhost.com
[2011/12/23 16:25:33 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/12/23 16:14:05 | 004,350,311 | R--- | C] (Swearware) -- C:\svhost.com.exe
[2011/12/20 19:57:23 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2011/12/17 23:25:53 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\temp
[2011/12/17 22:56:45 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/12/16 19:58:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2011/12/16 19:58:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ERUNT
[2011/12/15 19:13:09 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/12/15 19:13:09 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/12/15 19:13:09 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/12/15 19:13:02 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/12/15 19:13:00 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/12/14 21:12:49 | 000,702,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2011/12/14 21:12:49 | 000,247,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2011/12/14 21:12:49 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2011/12/14 21:12:48 | 000,134,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2011/12/14 21:12:48 | 000,132,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2011/12/14 21:12:48 | 000,097,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2011/12/14 21:12:48 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2011/12/14 20:36:11 | 000,723,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\EncDec.dll
[2011/12/14 20:36:10 | 000,534,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\EncDec.dll
[2011/12/14 20:11:40 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\csrsrv.dll

========== Files - Modified Within 30 Days ==========

[2012/01/08 01:07:19 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/01/08 01:06:52 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/01/08 01:06:46 | 3113,295,872 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/08 01:05:22 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/01/08 01:05:22 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/01/08 00:33:14 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/12/28 15:42:21 | 000,002,056 | ---- | M] () -- C:\Users\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/12/28 15:42:21 | 000,001,142 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/12/27 15:23:18 | 417,591,496 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/12/23 16:13:52 | 004,350,311 | R--- | M] (Swearware) -- C:\svhost.com.exe
[2011/12/20 21:10:38 | 000,782,638 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/12/20 21:10:38 | 000,667,092 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/12/20 21:10:38 | 000,126,696 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/12/20 19:57:19 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2011/12/16 19:58:42 | 000,001,108 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/12/16 19:58:28 | 000,000,928 | ---- | M] () -- C:\Users\Paul\Desktop\NTREGOPT.lnk
[2011/12/16 19:58:28 | 000,000,909 | ---- | M] () -- C:\Users\Paul\Desktop\ERUNT.lnk
[2011/12/15 03:21:04 | 004,853,768 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/12/12 18:19:55 | 000,000,512 | ---- | M] () -- C:\Users\Paul\Documents\MBR.dat
[2011/12/12 18:18:49 | 000,000,512 | ---- | M] () -- C:\Users\Paul\Desktop\MBR.dat
[2011/12/12 18:17:38 | 000,000,168 | ---- | M] () -- C:\Users\Paul\defogger_reenable
[2011/12/10 14:59:13 | 000,000,971 | ---- | M] () -- C:\Users\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2011/12/10 14:59:13 | 000,000,947 | ---- | M] () -- C:\Users\Public\Desktop\µTorrent.lnk
[2011/12/09 14:40:30 | 000,003,974 | ---- | M] () -- C:\Users\Paul\Desktop\Attach.zip

========== Files Created - No Company Name ==========

[2011/12/28 15:42:21 | 000,001,142 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/12/27 15:23:18 | 417,591,496 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/12/16 19:58:42 | 000,001,108 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/12/16 19:58:28 | 000,000,928 | ---- | C] () -- C:\Users\Paul\Desktop\NTREGOPT.lnk
[2011/12/16 19:58:28 | 000,000,909 | ---- | C] () -- C:\Users\Paul\Desktop\ERUNT.lnk
[2011/12/15 19:13:09 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/12/15 19:13:09 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/12/15 19:13:09 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/12/15 19:13:09 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/12/15 19:13:09 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/12/12 18:19:55 | 000,000,512 | ---- | C] () -- C:\Users\Paul\Documents\MBR.dat
[2011/12/12 18:18:49 | 000,000,512 | ---- | C] () -- C:\Users\Paul\Desktop\MBR.dat
[2011/12/12 18:17:37 | 000,000,168 | ---- | C] () -- C:\Users\Paul\defogger_reenable
[2011/12/10 14:59:13 | 000,000,947 | ---- | C] () -- C:\Users\Public\Desktop\µTorrent.lnk
[2011/12/09 14:40:30 | 000,003,974 | ---- | C] () -- C:\Users\Paul\Desktop\Attach.zip
[2011/07/07 19:29:03 | 000,001,456 | ---- | C] () -- C:\Users\Paul\AppData\Local\Adobe Save for Web 12.0 Prefs
[2011/07/07 13:32:18 | 000,000,132 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\Adobe GIF Format CS5 Prefs
[2011/06/19 14:01:15 | 000,000,132 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\Adobe BMP Format CS5 Prefs
[2011/05/13 14:38:36 | 000,000,132 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\Adobe PNG Format CS5 Prefs
[2011/04/20 07:22:21 | 000,189,248 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2011/04/20 07:22:19 | 000,075,136 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2011/04/09 17:55:28 | 000,179,261 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2011/04/09 16:22:55 | 000,000,077 | ---- | C] () -- C:\Windows\Crypkey.ini
[2011/04/09 16:22:49 | 000,031,846 | ---- | C] () -- C:\Windows\SysWow64\Ckldrv.sys
[2011/04/09 16:22:49 | 000,027,648 | R--- | C] () -- C:\Windows\Setup_ck.exe
[2011/04/09 16:22:49 | 000,018,432 | ---- | C] () -- C:\Windows\Setup_ck.dll
[2011/04/09 16:22:49 | 000,011,776 | ---- | C] () -- C:\Windows\Ckrfresh.exe
[2011/02/17 20:36:52 | 000,000,268 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2011/02/10 06:32:14 | 000,018,760 | ---- | C] () -- C:\Windows\SysWow64\QQVistaHelper.dll
[2011/02/09 16:37:18 | 000,002,384 | ---- | C] () -- C:\Windows\SysWow64\LOWERP.ini
[2011/02/09 16:37:18 | 000,001,248 | ---- | C] () -- C:\Windows\SysWow64\LPOff.ini
[2011/02/09 06:55:45 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\cd.dat
[2011/02/02 15:23:37 | 000,010,752 | ---- | C] () -- C:\Windows\SysWow64\BASSMOD.dll
[2011/02/01 16:12:20 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011/02/01 16:00:37 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2011/02/01 15:36:03 | 000,002,137 | ---- | C] () -- C:\Windows\SysWow64\atipblup.dat
[2011/02/01 15:35:40 | 000,002,137 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011/02/01 15:11:20 | 000,768,550 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2009/07/14 05:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 02:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/14 02:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/14 00:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 23:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 21:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 21:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2008/10/07 08:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll
[2008/10/07 08:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll
[2005/10/14 09:56:50 | 003,596,288 | ---- | C] () -- C:\Windows\SysWow64\qt-dx331.dll
[2005/10/14 09:56:50 | 000,921,600 | ---- | C] () -- C:\Windows\SysWow64\VorbisEnc.dll
[2005/10/14 09:56:50 | 000,778,240 | ---- | C] () -- C:\Windows\SysWow64\DivXsm.exe
[2005/10/14 09:56:50 | 000,761,856 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2005/10/14 09:56:50 | 000,344,064 | ---- | C] () -- C:\Windows\SysWow64\xvid.dll
[2005/10/14 09:56:50 | 000,237,568 | ---- | C] () -- C:\Windows\SysWow64\OggDS.dll
[2005/10/14 09:56:50 | 000,188,416 | ---- | C] () -- C:\Windows\SysWow64\vorbis.dll
[2005/10/14 09:56:50 | 000,155,136 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll
[2005/10/14 09:56:50 | 000,045,056 | ---- | C] () -- C:\Windows\SysWow64\ogg.dll

< End of report >


aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-12 18:18:18
-----------------------------
18:18:18.539 OS Version: Windows x64 6.1.7601 Service Pack 1
18:18:18.539 Number of processors: 4 586 0x2502
18:18:18.540 ComputerName: PAUL-PC UserName: Paul
18:18:19.228 Initialize success
18:18:33.750 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
18:18:33.753 Disk 0 Vendor: WDC_WD5000BEVT-22A0RT0 01.01A01 Size: 476940MB BusType: 3
18:18:35.770 Disk 0 MBR read successfully
18:18:35.776 Disk 0 MBR scan
18:18:35.779 Disk 0 Windows 7 default MBR code
18:18:35.784 Service scanning
18:18:36.610 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
18:18:37.268 Modules scanning
18:18:37.274 Disk 0 trace - called modules:
18:18:37.326 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
18:18:37.332 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800527e060]
18:18:37.338 3 CLASSPNP.SYS[fffff8800197143f] -> nt!IofCallDriver -> [0xfffffa8004fe3580]
18:18:37.344 5 ACPI.sys[fffff88000f8a7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004fd1060]
18:18:37.351 Scan finished successfully
18:18:49.769 Disk 0 MBR has been saved successfully to "C:\Users\Paul\Desktop\MBR.dat"
18:18:49.800 The log file has been saved successfully to "C:\Users\Paul\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-08 01:15:15
-----------------------------
01:15:15.100 OS Version: Windows x64 6.1.7601 Service Pack 1
01:15:15.100 Number of processors: 4 586 0x2502
01:15:15.101 ComputerName: PAUL-PC UserName: Paul
01:15:15.814 Initialize success
01:16:48.605 AVAST engine defs: 12010701
01:17:28.640 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
01:17:28.644 Disk 0 Vendor: WDC_WD5000BEVT-22A0RT0 01.01A01 Size: 476940MB BusType: 3
01:17:28.659 Disk 0 MBR read successfully
01:17:28.663 Disk 0 MBR scan
01:17:28.670 Disk 0 Windows 7 default MBR code
01:17:28.674 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
01:17:28.728 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 99900 MB offset 206848
01:17:28.774 Disk 0 Partition 3 00 06 FAT16 NTFS 100000 MB offset 204802048
01:17:28.780 Disk 0 Partition - 00 0F Extended LBA 276932 MB offset 409609305
01:17:28.794 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 276932 MB offset 409609368
01:17:28.801 Service scanning
01:17:30.834 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
01:17:31.418 Modules scanning
01:17:31.756 Disk 0 trace - called modules:
01:17:31.803 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
01:17:31.812 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800527f060]
01:17:31.821 3 CLASSPNP.SYS[fffff8800197143f] -> nt!IofCallDriver -> [0xfffffa8004fc3290]
01:17:31.829 5 ACPI.sys[fffff88000f537a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004fd6060]
01:17:32.562 AVAST engine scan C:\Windows
01:17:36.595 AVAST engine scan C:\Windows\system32
01:20:05.620 AVAST engine scan C:\Windows\system32\drivers
01:20:17.964 AVAST engine scan C:\Users\Paul
01:31:57.277 Disk 0 MBR has been saved successfully to "C:\Users\Paul\Documents\MBR.dat"
01:31:57.340 The log file has been saved successfully to "C:\Users\Paul\Documents\aswMBR.txt"
01:33:40.298 Disk 0 MBR has been saved successfully to "C:\Users\Paul\Desktop\MBR.dat"
01:33:40.303 The log file has been saved successfully to "C:\Users\Paul\Desktop\aswMBR.txt"
 
Hi chelseafan,

That OTL fix seemed to remove those odd ComboFix entries that I was looking at.

Please delete your copy of ComboFix and then download a fresh copy. Once you have the fresh copy please attempt to run ComboFix and then post the log into your next reply. :)
 
The same thing happened as before.
Now I've been infected with a new virus because I forgot to turn on Microsoft Security after following your prompts. An Adobe update popped up, so I typed in my password and the virus appeared.
The virus is 'Win 7 Antispyware 2012'.
 
Hi chelseafan,

Ok... let's start fresh.

Run DDS and post both of the logs that are created into your next reply.
 
May I also add that the virus has taken away the taskbar. All I see is a blank blue screen with the windows icon in the centre and the virus opens up libraries.




DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
Run by Paul at 11:55:30 on 2012-01-09
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.3959.2369 [GMT 0:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\Explorer.EXE
C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Users\James\AppData\Local\itq.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\OnlyWire\OnlyWireWindows.exe
C:\Users\James\AppData\Local\SanctionedMedia\Smad\Smad.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Users\James\Documents\Texter\texter.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\explorer.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Java\jre6\bin\javaw.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\java.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
uRun: [SansaDispatch] C:\Users\Paul\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [combofix] C:\ComboFix\CF27623.3XE /c C:\ComboFix\Combobatch.bat
mRunOnce: [combofix] C:\ComboFix\CF27623.3XE /c C:\ComboFixCombobatch.bat
StartupFolder: C:\Users\Paul\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
StartupFolder: C:\Users\Paul\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Texter.lnk - C:\Program Files (x86)\Texter\texter.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\OnlyWire.LNK - C:\Program Files (x86)\OnlyWire\OnlyWireWindows.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}\044525555475946494 : DhcpNameServer = 10.42.254.10 10.42.254.26
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}\2456C6B696E6F5E4F5144435C4F5343313736433 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}\35B4952353435333 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}\3747164796F6E6F547F677562723 : DhcpNameServer = 50.23.239.24 208.67.222.222
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}\64C6F6F62753D224 : DhcpNameServer = 10.0.1.1 203.144.207.49
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}\75C414E4E45445 : DhcpNameServer = 172.16.0.1
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}\E6F64747F577966696 : DhcpNameServer = 50.23.239.24 208.67.222.222
TCP: Interfaces\{5FBA79C8-743B-45CB-B3F6-4EC3856F55EA} : NameServer = 8.8.8.8,208.67.220.220
TCP: Interfaces\{5FBA79C8-743B-45CB-B3F6-4EC3856F55EA} : DhcpNameServer = 192.168.2.1
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [combofix] C:\ComboFix\CF27623.3XE /c C:\ComboFix\Combobatch.bat
mRunOnce-x64: [combofix] C:\ComboFix\CF27623.3XE /c C:\ComboFixCombobatch.bat
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\
FF - prefs.js: browser.startup.homepage -
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Veetle\Player\npvlc.dll
FF - plugin: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Paul\AppData\Roaming\Mozilla\plugins\np-mswmp.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-2-17 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-2-17 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [2010-6-29 140672]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]
R2 TeamViewer6;TeamViewer 6;C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-2-1 2253688]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-2-1 136176]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-2-1 136176]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== File Associations ===============
.
inffile=%SystemRoot%\SysWow64\NOTEPAD.EXE %1
VBEFile=%SystemRoot%\SysWow64\WScript.exe "%1" %*
VBSFile=%SystemRoot%\SysWow64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-01-09 01:00:44 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{16A69288-E0A5-4A9B-ADFA-BAC371A5619A}\offreg.dll
2012-01-09 00:24:09 -------- d-----we C:\Windows\system64
2012-01-08 21:56:38 -------- d-----w- C:\Users\Paul\AppData\Local\temp
2012-01-08 21:48:37 -------- d-s---w- C:\ComboFix
2012-01-08 12:21:25 8822856 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{16A69288-E0A5-4A9B-ADFA-BAC371A5619A}\mpengine.dll
2011-12-28 15:42:18 626688 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr80.dll
2011-12-28 15:42:18 548864 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp80.dll
2011-12-28 15:42:18 479232 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcm80.dll
2011-12-28 15:42:18 43992 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozutils.dll
2011-12-28 15:42:18 121816 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\browsercomps.dll
2011-12-20 19:57:23 -------- d-----w- C:\$RECYCLE.BIN
2011-12-17 22:56:45 -------- d-----w- C:\_OTL
2011-12-15 19:13:09 98816 ----a-w- C:\Windows\sed.exe
2011-12-15 19:13:09 518144 ----a-w- C:\Windows\SWREG.exe
2011-12-15 19:13:09 256000 ----a-w- C:\Windows\PEV.exe
2011-12-15 19:13:09 208896 ----a-w- C:\Windows\MBR.exe
2011-12-14 20:36:23 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-12-14 20:36:23 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-12-14 20:36:11 723456 ----a-w- C:\Windows\System32\EncDec.dll
2011-12-14 20:36:10 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-12-14 20:34:50 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-12-14 20:11:40 43520 ----a-w- C:\Windows\System32\csrsrv.dll
.
==================== Find3M ====================
.
2011-11-19 10:54:38 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-05 05:41:43 1188864 ----a-w- C:\Windows\System32\wininet.dll
2011-11-05 04:35:00 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-05 03:32:47 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-05 02:48:51 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 11:57:26.04 ===============
 
Hi chelseafan,

Looks like we still have the ZeroAccess Rootkit on your system that I noted in the beginning. Let's take this step by step.
---------

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Right-click and Run as Administrator TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)
----------

Please post the log made by TDSSKiller in your next reply. :)
 
Nothing was detected.
It has got worse. I can no longer access the internet via the desktop as the Library folder no longer opens. I'm using another PC.

It says 'Internet explorer alert. Visiting this site may pose a security threat..'
Possible reasons include:

bla bla bla

Things you can do:

Get a copy of 'Win 7 Antispyware 2012' to safeguard your PC

Run a spyware scan

Continue surfing without security
 
It has changed again. The taskbar has reappeared, Microsoft Security Essentials has reappeared and detected 2 trojans.

Trojan:Win32/Alureon.TK
Trojan:Win/64/Sirefoff.J

I tried to remove the trojans and it prompted me to restart but upon restart the same 2 trojans remain.
 
Hi chelseafan,

Get a copy of 'Win 7 Antispyware 2012' to safeguard your PC
Do not do this. It is a rogue antivirus program.

For the time being I would not use the infected computer for anything but coming here so we can attempt to fix it or to go to the sites that I send you for tools. We MAY be dealing with a new variant of the ZeroAccess Rootkit. I am talking with some of my colleagues presently. I will return as quickly as I can.
 
Hi chelseafan,

  • Go to start>control panel>folder options>view
  • Choose to "show hidden files and folders,"
  • Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
  • Close the window with ok
----------

I would like for you to run RKill again and then, once RKill is run, immediately open, update and then run Malwarebytes. Be sure to remove any entries found by Malwarebytes. Do not reboot.
----------

I would like for you to go to C:\Combofix and delete that folder.
Now I would like for you to download a fresh copy of ComboFix but rename it svchost.exe before saving it to your Desktop. Once the new ComboFix is downloaded (renamed svchost.exe) to your Desktop please run a new scan with ComboFix.
----------

In your next reply please post the logs created by Malwarebytes and ComboFix. If you have any problems please let me know. :)
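The folder-view steps at the top of this post (show hidden files, show protected operating system files, show extensions) correspond to three values under the current user's Explorer "Advanced" registry key. As an added example, not taken from the helper's post or from any tool in this thread, the PowerShell below reads and sets those values and restarts Explorer so the change applies. The key path and value names are the standard Windows 7 Explorer settings; the function names are the example's own.

```powershell
# Added example: apply the folder-view settings from the post via the registry.
# Key and value names are the standard Explorer "Advanced" settings on Windows 7;
# the function names are this example's own, not from any tool in the thread.
$AdvancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-FolderViewSettings {
    # Read the three values the post's GUI steps change.
    $p = Get-ItemProperty -Path $AdvancedKey
    [pscustomobject]@{
        Hidden          = $p.Hidden           # 1 = show hidden files, 2 = do not show
        ShowSuperHidden = $p.ShowSuperHidden  # 1 = show protected operating system files
        HideFileExt     = $p.HideFileExt      # 0 = show extensions for known file types
    }
}

function Set-FolderViewForTriage {
    # Show hidden files, protected OS files and all extensions, as the post asks,
    # so a malware file hiding behind a double extension or a hidden attribute is visible.
    Set-ItemProperty -Path $AdvancedKey -Name Hidden          -Value 1 -Type DWord
    Set-ItemProperty -Path $AdvancedKey -Name ShowSuperHidden -Value 1 -Type DWord
    Set-ItemProperty -Path $AdvancedKey -Name HideFileExt     -Value 0 -Type DWord

    # Explorer reads these values when it starts, so restart the shell.
    # Winlogon normally relaunches explorer.exe on its own; start it only if it did not.
    Stop-Process -Name explorer -Force
    Start-Sleep -Seconds 2
    if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
        Start-Process explorer.exe
    }
}

Write-Host 'Before:'
Get-FolderViewSettings
Set-FolderViewForTriage
Write-Host 'After:'
Get-FolderViewSettings
```

The values are per user, so run this in the account you are inspecting; a value that has never been set reads back as empty, which Explorer treats as the default (hidden and protected files not shown, known extensions hidden).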
 