Author Topic: [Resolved K] Welcome to NGINX

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6483
Re: [Resolved K] Welcome to NGINX
« Reply #15 on: May 19, 2012, 01:31:49 AM »
Hiya Tom,

Thanks for the update, up to now the logs are not showing much. OK run the following:

Download RogueKiller (by tigzy) and save directly to your Desktop.

  • Quit all programs
  • Start RogueKiller.exe
  • Wait until Prescan has finished ...
  • Ensure all boxes are ticked under "Report" tab.
  • Click on Scan.
  • Click on Report when complete. Copy/paste the content of the report to your next reply....



Let me see that log in your reply,

Kevin.


Offline TomG

  • Bronze Member
  • Posts: 24
Re: [Resolved K] Welcome to NGINX
« Reply #16 on: May 19, 2012, 06:47:23 AM »
Hi Kevin,

I don't know if this means anything or not............. After the scan, the PC was moving incredibly slow.  I ended up re-booting to get to my e-mail and then to Spywarehammer.  Here are the results:

RogueKiller V7.4.5 [05/18/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Tom [Admin rights]
Mode: Scan -- Date: 05/19/2012 08:27:35

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 8 ¤¤¤
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
˙ţ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD3200AAKS-75L9A0 ATA Device +++++
--- User ---
[MBR] 1819d8e6143c56683717be359b0015ef
[BSP] 2f8722f9a86f009208ae8241a82a3fe9 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 290204 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt



Thanks

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6483
Re: [Resolved K] Welcome to NGINX
« Reply #17 on: May 19, 2012, 04:28:52 PM »
Hi Tom,

Just been going back over your thread to see if I missed anything. One point, there are a couple of drivers running related to Sunbelt Security, do you have or did you have anything installed relating to Sunbelt?

Kevin

Offline TomG

  • Bronze Member
  • Posts: 24
Re: [Resolved K] Welcome to NGINX
« Reply #18 on: May 20, 2012, 04:58:52 AM »
Hi Kevin,

I don't know anything about Sunbelt.  I don't think it is important

Thanks

Tom

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6483
Re: [Resolved K] Welcome to NGINX
« Reply #19 on: May 20, 2012, 10:55:59 AM »
Hiya Tom,

If you have no knowledge of anything related to Sunbelt we'll remove the drivers and files, see if that helps:

Step 1

Re-Run OTL by double left click; Vista and Windows 7 users will have to accept the UAC alert.

  • Under the box at the bottom, paste in the following

Code:
:OTL
:Services
SBFWIMCL
SBFWIMCLMP
sbhips
SbTis
SbFw
:Files
C:\Windows\SysNative\drivers\SbFw.sys
C:\Windows\SysNative\drivers\sbtis.sys
C:\Windows\SysNative\drivers\sbhips.sys
C:\Windows\SysNative\drivers\SbFwIm.sys
C:\Windows\SysNative\drivers\SbFwIm.sys
:Commands
[emptytemp]

  • Then click button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply.


Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start > All Programs > Accessories > Notepad), click File > Open, in the File Name box enter  *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step 2

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Post those two logs please..

Kevin


Offline TomG

  • Bronze Member
  • Posts: 24
Re: [Resolved K] Welcome to NGINX
« Reply #20 on: May 20, 2012, 12:09:34 PM »
Well I have a problem.......... At least one of those files was responsible for my wireless card.  I am sending this message from a different computer.

Any suggestions?

I never made it to step 2

Tom

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6483
Re: [Resolved K] Welcome to NGINX
« Reply #21 on: May 20, 2012, 01:01:19 PM »
OTL created a restore point earlier before that last fix, use System Restore and go back to that point....

Edit,

I`ve double checked the services and files that were removed with OTL, they are all related to Sunbelt Security:

1. (Sunbelt Software, Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\SbFw.sys -- (SbFw)
2. (Sunbelt Software, Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\sbtis.sys -- (SbTis)
3. (Sunbelt Software, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sbhips.sys -- (sbhips)
4. (Sunbelt Software, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SbFwIm.sys -- (SBFWIMCLMP)
5. (Sunbelt Software, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\SbFwIm.sys -- (SBFWIMCL)

No. 1 is Sunbelt Personal Firewall NDIS Intermediate driver
No. 2 is Sunbelt TDI Inspection System driver for Firewall.
No. 3 is Sunbelt Legacy Host Intrusion Prevention System Driver for Firewall
No. 4 is Sunbelt Software Firewall NDIS IM Filter Miniport
No. 5 is Sunbelt Software Firewall NDIS IM Filter Miniport

« Last Edit: May 20, 2012, 03:01:36 PM by kevinf80 »

Offline TomG

  • Bronze Member
  • Posts: 24
Re: [Resolved K] Welcome to NGINX
« Reply #22 on: May 20, 2012, 07:16:45 PM »
Ok I am back.

I had to restore to 5/16/12.  So can you help me ?  What scans should we start with?

Thanks

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6483
Re: [Resolved K] Welcome to NGINX
« Reply #23 on: May 21, 2012, 01:57:14 AM »
I do not see why removing the Sunbelt drivers should have affected your internet connection, that is strange.. OK, if you still have issues do the following:

Step 1

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Step 2

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

Link 1
Link 2

  • Ensure that Combofix is saved directly to the Desktop <--- Very important

    Before saving Combofix to the Desktop re-name to Gotcha.exe as below:
  • Disable all security programs as they will have a negative effect on Combofix, instructions available Here if required. Be aware the list may not have all programs listed, if you need more help please ask.

  • Close any open browsers and any other programs you might have running
  • Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")

  • Instructions for running Combofix available Here if required.

  • If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the log in next reply please...

Kevin



Offline TomG

  • Bronze Member
  • Posts: 24
Re: [Resolved K] Welcome to NGINX
« Reply #24 on: May 21, 2012, 05:57:30 AM »
I am trying to remove "Super AntiSpyware" from the computer and I am unable.  I get a message that basically says that it cannot be uninstalled.  I removed it from another computer with a program called "**** cleaner".  I tried to load it onto this computer but it is a newer edition that did not seem to offer "uninstall" anymore.  Ideas?

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6483
Re: [Resolved K] Welcome to NGINX
« Reply #25 on: May 21, 2012, 08:11:13 AM »
I do not see why you cannot uninstall SAS, if it is running you may have to boot to Safe Mode and do it from there.. Regarding CCleaner, the latest version still has the Uninstall feature, open the application and select Tools... you'll see the Uninstall tab....

Offline TomG

  • Bronze Member
  • Posts: 24
Re: [Resolved K] Welcome to NGINX
« Reply #26 on: May 21, 2012, 07:42:44 PM »
 Results of screen317's Security Check version 0.99.33 
 Windows 7  x64 (UAC is disabled!) 
 Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

 Windows Firewall Enabled! 
 WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

 Java(TM) 7 Update 4 
  Adobe Flash Player    10.2.153.1 Flash Player out of Date! 
 Mozilla Firefox (12.0)
````````````````````````````````
Process Check: 
objlist.exe by Laurent

``````````End of Log````````````



ComboFix 12-05-21.05 - Tom 05/21/2012  21:26:55.1.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3839.2620 [GMT -4:00]
Running from: c:\users\Tom\Desktop\Gotcha.exe.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Tom\AppData\Local\Temp\DEL2706.tmp
c:\users\Tom\Documents\~WRL0004.tmp
c:\users\Tom\WINDOWS
c:\windows\TEMP\logishrd\LVPrcInj01.dll . . . . Failed to delete
.
.
(((((((((((((((((((((((((   Files Created from 2012-04-22 to 2012-05-22  )))))))))))))))))))))))))))))))
.
.
2012-05-22 01:31 . 2012-05-22 01:31   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-05-21 02:32 . 2012-05-21 02:32   --------   d--h--w-   c:\windows\msdownld.tmp
2012-05-21 02:01 . 2012-05-21 02:01   --------   d-----w-   c:\programdata\Evonsoft
2012-05-21 01:55 . 2012-05-21 01:54   955848   ----a-w-   c:\windows\system32\npDeployJava1.dll
2012-05-21 01:55 . 2012-05-21 01:54   839112   ----a-w-   c:\windows\system32\deployJava1.dll
2012-05-21 01:33 . 2012-05-21 01:33   --------   d-----w-   c:\program files (x86)\Common Files\Java
2012-05-21 01:33 . 2012-05-08 17:02   8955792   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{EDEF8EEB-B5DC-4678-A4A3-09B74E72495F}\mpengine.dll
2012-05-21 01:30 . 2012-05-21 01:30   772552   ----a-w-   c:\windows\SysWow64\npDeployJava1.dll
2012-05-16 19:19 . 2012-05-16 19:35   --------   d-----w-   c:\program files (x86)\Bucksbee Loyalty Plugin - 100815
2012-05-16 19:19 . 2012-05-16 19:36   --------   d-----w-   c:\programdata\Tarma Installer
2012-05-16 00:41 . 2012-05-16 00:41   --------   d-----w-   C:\_OTL
2012-05-11 23:51 . 2012-05-20 20:10   --------   d-----w-   c:\program files (x86)\Trend Micro
2012-05-11 21:37 . 2012-05-22 01:13   --------   d-----w-   c:\program files\SUPERAntiSpyware
2012-05-09 18:19 . 2012-05-09 18:19   --------   d-sh--w-   c:\windows\SysWow64\%APPDATA%
2012-05-09 11:52 . 2012-03-03 06:35   1544704   ----a-w-   c:\windows\system32\DWrite.dll
2012-05-09 11:52 . 2012-03-03 05:31   1077248   ----a-w-   c:\windows\SysWow64\DWrite.dll
2012-05-09 11:52 . 2012-03-31 06:05   5559664   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-05-09 11:52 . 2012-03-31 03:10   3146240   ----a-w-   c:\windows\system32\win32k.sys
2012-05-09 11:52 . 2012-03-31 04:39   3968368   ----a-w-   c:\windows\SysWow64\ntkrnlpa.exe
2012-05-09 11:52 . 2012-03-31 04:39   3913072   ----a-w-   c:\windows\SysWow64\ntoskrnl.exe
2012-05-09 11:46 . 2012-03-17 07:58   75120   ----a-w-   c:\windows\system32\drivers\partmgr.sys
2012-05-09 11:45 . 2012-03-30 11:35   1918320   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2012-05-09 11:45 . 2012-03-31 05:42   1732096   ----a-w-   c:\program files\Windows Journal\NBDoc.DLL
2012-05-09 11:45 . 2012-03-31 05:40   1367552   ----a-w-   c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-09 11:45 . 2012-03-31 04:29   936960   ----a-w-   c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-09 11:45 . 2012-03-31 05:40   1402880   ----a-w-   c:\program files\Windows Journal\JNWDRV.dll
2012-05-09 11:45 . 2012-03-31 05:40   1393664   ----a-w-   c:\program files\Windows Journal\JNTFiltr.dll
2012-05-06 20:47 . 2012-05-16 12:20   --------   d-----w-   c:\programdata\Spybot - Search & Destroy
2012-05-06 20:47 . 2012-05-16 12:20   --------   d-----w-   c:\program files (x86)\Spybot - Search & Destroy
2012-05-06 20:32 . 2011-04-05 21:35   94296   ----a-w-   c:\windows\system32\drivers\sbtis.sys
2012-05-06 20:32 . 2011-04-05 21:35   60504   ----a-w-   c:\windows\system32\drivers\sbhips.sys
2012-05-06 20:32 . 2011-04-05 21:35   253528   ----a-w-   c:\windows\system32\drivers\SbFw.sys
2012-05-06 20:32 . 2011-02-08 13:14   84568   ----a-w-   c:\windows\system32\drivers\SbFwIm.sys
2012-05-06 20:31 . 2012-05-06 20:31   --------   d-----w-   c:\users\Tom\AppData\Local\adawarebp
2012-05-02 19:53 . 2012-05-20 18:45   --------   d-----w-   c:\users\Tom\AppData\Local\ElevatedDiagnostics
2012-04-28 18:36 . 2012-04-28 18:36   --------   d-----w-   c:\users\Tom\AppData\Roaming\SumatraPDF
2012-04-28 18:36 . 2012-04-28 18:36   237   ----a-w-   C:\user.js
2012-04-28 18:36 . 2012-04-28 18:36   --------   d-----w-   c:\program files (x86)\PDFReader
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-21 01:30 . 2010-04-16 11:06   687560   ----a-w-   c:\windows\SysWow64\deployJava1.dll
2012-03-07 23:09 . 2012-03-07 23:09   162664   ----a-w-   c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10140.bin
2012-03-01 06:46 . 2012-04-13 02:57   23408   ----a-w-   c:\windows\system32\drivers\fs_rec.sys
2012-03-01 06:38 . 2012-04-13 02:57   220672   ----a-w-   c:\windows\system32\wintrust.dll
2012-03-01 06:33 . 2012-04-13 02:57   81408   ----a-w-   c:\windows\system32\imagehlp.dll
2012-03-01 06:28 . 2012-04-13 02:57   5120   ----a-w-   c:\windows\system32\wmi.dll
2012-03-01 05:37 . 2012-04-13 02:57   172544   ----a-w-   c:\windows\SysWow64\wintrust.dll
2012-03-01 05:33 . 2012-04-13 02:57   159232   ----a-w-   c:\windows\SysWow64\imagehlp.dll
2012-03-01 05:29 . 2012-04-13 02:57   5120   ----a-w-   c:\windows\SysWow64\wmi.dll
2012-02-28 06:39 . 2012-04-11 21:03   1188864   ----a-w-   c:\windows\system32\wininet.dll
2012-02-28 05:38 . 2012-04-11 21:03   981504   ----a-w-   c:\windows\SysWow64\wininet.dll
2012-02-28 04:31 . 2012-04-11 21:03   1638912   ----a-w-   c:\windows\system32\mshtml.tlb
2012-02-28 03:52 . 2012-04-11 21:03   1638912   ----a-w-   c:\windows\SysWow64\mshtml.tlb
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2010-04-20 26192680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2011-11-11 273528]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-6-30 1316192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
.
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SessionLauncher;SessionLauncher;c:\users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe

R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys

R3 LVUVC64;Logitech Webcam Pro 9000(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-21 129976]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-06-26 1124848]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Service;c:\windows\system32\DRIVERS\sbfwim.sys

R3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys

S1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys

S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe

S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
S2 LVPrcS64;Process Monitor;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-10-07 191000]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2010-08-20 689472]
S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys

S3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28x.sys

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys

S3 SBFWIMCLMP;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\DRIVERS\SBFWIM.sys

S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys

.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page =
mLocal Page = c:\windows\SysWOW64\blank.htm
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: freewebs.com\link.members
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\spjqucz8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - user.js: extensions.BabylonToolbar_i.id - 80ca956900000000000048022af81d5c
FF - user.js: extensions.BabylonToolbar_i.hardId - 80ca956900000000000048022af81d5c
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15458
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1714:36
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109935
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-mcmscsvc
SafeBoot-MCODS
Toolbar-Locked - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-PDF Reader - c:\program files (x86)\PDFReader\Uninstall\Uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe
c:\program files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files (x86)\Skype\Plugin Manager\skypePM.exe
c:\program files (x86)\Dell Support Center\bin\sprtsvc.exe
.
**************************************************************************
.
Completion time: 2012-05-21  21:35:36 - machine was rebooted
ComboFix-quarantined-files.txt  2012-05-22 01:35
ComboFix2.txt  2010-01-06 21:01
.
Pre-Run: 171,457,712,128 bytes free
Post-Run: 170,977,214,464 bytes free
.
- - End Of File - - 9B5703807193A432899A0A2AF46A74AB

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6483
Re: [Resolved K] Welcome to NGINX
« Reply #27 on: May 22, 2012, 02:17:21 AM »
Hiya Tom,

You appear to have NO anti-virus program running on your system, that is not good and will have to be addressed. I see from the Combofix output that the Sunbelt Firewall drivers are still installed. Can you remember having this FW installed? We need to know why they are there.

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys  <---- Running and active, starting with your system.
R3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys <---- Running, not active. Is currently "On demand"
R3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys  <---- Running, not active. Is currently "On demand"
S1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys <--------- Stopped, not active.
S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys   <--------- Stopped, not active.


OK,

Do the following:

Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

Code:
KillAll::
ClearJavaCache::
FireFox::
FF - ProfilePath - c:\users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\spjqucz8.default\
FF - user.js: extensions.BabylonToolbar_i.id - 80ca956900000000000048022af81d5c
FF - user.js: extensions.BabylonToolbar_i.hardId - 80ca956900000000000048022af81d5c
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15458
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1714:36
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109935
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst

Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Ensure remove found threats is checked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
You can refer to this animation by neomage if needed.
Frequently asked questions available Here. Please read them before running the scan.

Also be aware this scan can take several hours to complete depending on the size of your system.

ESET log can be found here "C:\Program Files\ESET\EsetOnlineScanner\log.txt".

Step 3

To keep safe when online you need a good Antivirus/Antispyware/Antimalware/Anti-Rootkit combination application. Microsoft Security Essentials covers all of those bases, but better still it is free. Go Here and hit the "Download free" tab, follow the prompts. Once installed it will want to update and carry out a quick scan, allow that to happen.

Let me know if MSE finds anything, you will not get a log as such but can check under the "History" tab from the main interface when it finishes....

Step 4

Your Adobe Flash Player is out of date. Older versions are vulnerable to attack and exploitation.
Please go to the link below to update.
Adobe Flash Player. Untick the Free McAfee® Security Scan Plus (optional); it is not required.

Step 5

Create a new restore point:

   1. Right-click on Computer and go to Properties.
   2. Next click on the System Protection link.
   3. The System Properties dialog screen opens up and you will want to click on Create.
   4. Type in a description for the restore point which will help you remember the point at which it was created. Click on create.
   5. You should see the message "The restore point was created successfully."

If you do not get that successful message do not do the next step.

Step 6

Download AppRemover and save to your Desktop.

Double click the icon to run the application. Vista or Windows 7 users right click and select “Run as Administrator”.

Click Next >>

Ensure "Remove Security Application" is selected and click Next >>

AppRemover will scan all the security applications on your PC

Select any SunBelt Kerio entries from the applications offered and click Next >> twice.

Follow any further on-screen instructions. If asked to reboot, please do so.

Let me see the following in your reply :-

  • Log from Combofix
  • Log from ESET
  • Let me know if MSE install was successful, also if it found anything
  • The outcome of AppRemover
  • Update on current issues/concerns

I also note User Access Control (UAC) is turned OFF, is there a specific reason for that action?

Kevin
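Two findings in Kevin's reading of the logs can be checked mechanically: the RogueKiller and ComboFix output both show the UAC policy values (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) set to 0, and the ComboFix service listing encodes each driver's state as R (running) or S (stopped) followed by its Windows start type (0 boot, 1 system, 2 auto, 3 on demand). The following Python is an added example written for this thread, not code from ComboFix, RogueKiller or the forum; it parses a handful of lines copied from the ComboFix log above as constructed input and reports the disabled UAC settings and the state of each driver. The field order name;description;path on service lines is assumed from the log layout.

```python
import re

# Constructed sample: lines copied from the ComboFix output posted earlier in
# the thread. This is input data for the example, not output it produced.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys
R3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys
S1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys
S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys
S3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28x.sys
"""

# "Name"= value (0xhex) lines inside a registry block.
POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>-?\d+)')
# R1 name;description;path  (state letter, start-type digit, three ; fields)
SERVICE_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+)$')

# Windows service start types, as the digit that follows R/S.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "on demand", "4": "disabled"}

# UAC policy values and what a value of 0 means on the machine.
UAC_ZERO_MEANS = {
    "EnableLUA": "UAC is switched off entirely",
    "ConsentPromptBehaviorAdmin": "administrators elevate silently, with no prompt",
    "PromptOnSecureDesktop": "elevation prompts are not shown on the secure desktop",
}


def parse_policies(text):
    """Collect "Name"= value pairs from the registry policy block as {name: int}."""
    policies = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            policies[m.group("name")] = int(m.group("value"))
    return policies


def uac_findings(policies):
    """One human-readable finding per UAC policy that is set to 0."""
    return [f"{name}=0: {meaning}" for name, meaning in UAC_ZERO_MEANS.items()
            if policies.get(name) == 0]


def parse_services(text):
    """Decode 'R1 name;description;path' lines into dicts with state and start type."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        # ComboFix appends [date size] to some paths; drop it if present.
        path = re.sub(r"\s*\[[^\]]*\]$", "", m.group("path"))
        services.append({
            "name": m.group("name"),
            "description": m.group("desc"),
            "path": path,
            "state": "running" if m.group("state") == "R" else "stopped",
            "start": START_TYPES.get(m.group("start"), "unknown"),
        })
    return services


def running_drivers(services, path_fragment="\\drivers\\"):
    """Entries that are currently running and load from a drivers folder."""
    frag = path_fragment.lower()
    return [s for s in services
            if s["state"] == "running" and frag in s["path"].lower()]


def summarize(text):
    """Run both checks over a log and return the report as a list of lines."""
    lines = uac_findings(parse_policies(text))
    for s in parse_services(text):
        lines.append(f"{s['state']:<7} start={s['start']:<9} {s['name']:<8} {s['path']}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

On the sample above the report lists the three zeroed UAC values first, then the five drivers with their decoded state, which matches the reading Kevin gives: SBRE and sbhips running, SbFw and SbTis stopped.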
Offline TomG

  • Bronze Member
  • Posts: 24
Re: [Resolved K] Welcome to NGINX
« Reply #28 on: May 22, 2012, 04:43:21 AM »
I will work on this tonight or tomorrow.  I am using Microsoft essentials.  Is this adequate for anti virus?  I removed it before the last process because I was afraid that I might not properly disable it.

Offline TomG

  • Bronze Member
  • Posts: 24
Re: [Resolved K] Welcome to NGINX
« Reply #29 on: May 22, 2012, 06:11:18 AM »
Hi Kevin,

I wanted to be sure that I am doing what you want.  I do not have ComboFix.exe on my desktop, because I changed it to Gotcha.exe during the previous step.  Do you want me to drag the CFScript.txt into Gotcha.exe or should I delete Gotcha.exe and reinstall ComboFix.exe?

Thanks

Tom