Posts posted by Help_Needed
-
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows Vista Home Premium x86
Ran by Chris on Tue 05/21/2013 at 19:38:56.19
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
~~~ Registry Values
~~~ Registry Keys
~~~ Files
~~~ Folders
~~~ Event Viewer Logs were cleared
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 05/21/2013 at 19:41:27.56
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
Check Up
Results of screen317's Security Check version 0.99.63
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
McAfee Anti-Virus and Anti-Spyware
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Secunia PSI (2.0.0.4003)
Malwarebytes Anti-Malware version 1.75.0.1300
Java 6 Update 30
Java version out of Date!
Adobe Reader 7 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````
-
Haven't done the Security Check yet. Will work on that now.
# AdwCleaner v2.301 - Logfile created 05/21/2013 at 07:17:24
# Updated 16/05/2013 by Xplode
# Operating system : Windows Vista Home Premium Service Pack 2 (32 bits)
# User : Chris - WORKHORSE
# Boot Mode : Normal
# Running from : C:\Users\Chris\Desktop\adwcleaner.exe
# Option [Delete]
***** [services] *****
***** [Files / Folders] *****
***** [Registry] *****
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKLM\Software\Conduit
***** [internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16483
[OK] Registry is clean.
*************************
AdwCleaner[R1].txt - [722 octets] - [21/05/2013 06:19:37]
AdwCleaner[R2].txt - [781 octets] - [21/05/2013 07:16:25]
AdwCleaner[s1].txt - [717 octets] - [21/05/2013 07:17:24]
########## EOF - C:\AdwCleaner[s1].txt - [776 octets] ##########
-
Adw is "waiting for action"
-
# AdwCleaner v2.301 - Logfile created 05/21/2013 at 06:19:37
# Updated 16/05/2013 by Xplode
# Operating system : Windows Vista Home Premium Service Pack 2 (32 bits)
# User : Chris - WORKHORSE
# Boot Mode : Normal
# Running from : C:\Users\Chris\Desktop\adwcleaner.exe
# Option [search]
***** [services] *****
***** [Files / Folders] *****
***** [Registry] *****
Key Found : HKCU\Software\Conduit
Key Found : HKLM\Software\Conduit
***** [internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16483
[OK] Registry is clean.
*************************
AdwCleaner[R1].txt - [595 octets] - [21/05/2013 06:19:37]
########## EOF - C:\AdwCleaner[R1].txt - [654 octets] ##########
-
ComboFix 13-05-20.01 - Chris 05/20/2013 20:22:58.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.1266 [GMT -7:00]
Running from: c:\users\Chris\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: McAfee Firewall *Disabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB61696$
.
.
((((((((((((((((((((((((( Files Created from 2013-04-21 to 2013-05-21 )))))))))))))))))))))))))))))))
.
.
2013-05-21 03:46 . 2013-05-21 04:05 -------- d-----w- c:\users\Chris\AppData\Local\temp
2013-05-21 03:46 . 2013-05-21 04:01 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-05-21 03:46 . 2013-05-21 03:46 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-05-21 03:46 . 2013-05-21 03:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-21 03:46 . 2013-05-21 03:46 -------- d-----w- c:\users\Hooper\AppData\Local\temp
2013-05-21 03:46 . 2013-05-21 03:46 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-05-21 03:46 . 2013-05-21 03:46 -------- d-----w- c:\users\Angi\AppData\Local\temp
2013-05-20 03:29 . 2013-05-20 03:29 -------- d-----w- C:\FRST
2013-05-15 10:19 . 2013-05-05 19:12 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-15 05:42 . 2013-04-15 14:20 638328 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-15 05:42 . 2013-04-13 10:56 37376 ----a-w- c:\windows\system32\cdd.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-15 07:09 . 2012-04-07 16:37 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-15 07:09 . 2011-06-07 14:11 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-09 01:36 . 2013-05-15 05:42 2049024 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 22:02 . 2013-05-15 10:01 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-04-04 21:57 . 2013-05-15 10:01 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-04-04 21:50 . 2010-10-24 16:15 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-11 13:25 . 2013-04-10 07:52 3603816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-11 13:25 . 2013-04-10 07:52 3551080 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-09 03:45 . 2013-04-10 07:52 49152 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-09 01:28 . 2013-04-10 07:52 64000 ----a-w- c:\windows\system32\smss.exe
2013-03-08 03:53 . 2013-04-10 07:53 376320 ----a-w- c:\windows\system32\winsrv.dll
2013-03-08 03:52 . 2013-04-10 07:53 2067968 ----a-w- c:\windows\system32\mstscax.dll
2013-03-03 19:07 . 2013-04-10 07:53 1082232 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-02-20 04:32 . 2013-02-20 04:32 6162704 ----a-w- c:\windows\system32\nvopencl.dll
2013-02-20 04:32 . 2013-02-20 04:32 10919200 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2013-02-20 04:32 . 2013-02-20 04:32 17560352 ----a-w- c:\windows\system32\nvcompiler.dll
2013-02-20 04:32 . 2008-09-19 23:09 2446416 ----a-w- c:\windows\system32\nvapi.dll
2013-02-20 04:32 . 2013-02-20 04:32 2577184 ----a-w- c:\windows\system32\nvcuvid.dll
2013-02-20 04:32 . 2013-02-20 04:32 1869088 ----a-w- c:\windows\system32\nvcuvenc.dll
2013-02-20 04:32 . 2013-02-20 04:32 15413704 ----a-w- c:\windows\system32\nvd3dum.dll
2013-02-20 04:32 . 2012-10-11 05:14 892704 ----a-w- c:\windows\system32\nvdispgenco32.dll
2013-02-20 04:32 . 2012-10-11 05:14 1010464 ----a-w- c:\windows\system32\nvdispco32.dll
2013-02-20 04:32 . 2013-02-20 04:32 7754560 ----a-w- c:\windows\system32\nvcuda.dll
2013-02-20 04:32 . 2013-02-20 04:32 19915552 ----a-w- c:\windows\system32\nvoglv32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2006-11-12 446976]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-05-20 32768]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-22 30192]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2006-11-17 17920]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-05-10 94208]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 303104]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-14 1278064]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"WD Quick View"="c:\program files\Western Digital\WD Quick View\WDDMStatus.exe" [2012-04-30 5235608]
.
c:\users\Angi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\Hooper\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-5-19 450560]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-5-19 593920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 03:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2006-05-17 21:18 480816 ----a-w- c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2006-05-17 17:12 243248 ----a-w- c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 07:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: secureserver.net\email14
Trusted Zone: secureserver.net\www.email
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - hxxp://www3.authentium.com/cssrelease/bin/wizard.exe
DPF: {3528A58B-595D-4AFD-A5F6-B914BD306DC3} - hxxp://dishconnectivity.sling.com/dpit/downloads/pc/SlingHealth.cab
DPF: {42B182F9-3F08-484E-9913-07193A5D36A9} - hxxp://astak.dyndns.org:8080/web/WebClient.cab
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://68.101.171.235:82/xplugLiteAL.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-20 21:05
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,88,77,1d,12,35,f9,93,40,ab,0f,e4,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,88,77,1d,12,35,f9,93,40,ab,0f,e4,\
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5708)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Pure Networks\Network Magic\nmspce2.dll
c:\program files\Pure Networks\Network Magic\nmrsrc.dll
c:\program files\FileZilla FTP Client\fzshellext.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\windows\System32\LEXBCES.EXE
c:\windows\System32\LEXPPS.EXE
c:\windows\system32\atashost.exe
c:\windows\system32\dlbccoms.exe
c:\windows\system32\mfevtps.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\Secunia\PSI\sua.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Western Digital\WD Drive Manager\WDDriveService.exe
c:\program files\Western Digital\WD SmartWare\WDRulesEngine.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\program files\Western Digital\WD SmartWare\WDBackupEngine.exe
c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe
c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\windows\sttray.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2013-05-20 21:18:28 - machine was rebooted
ComboFix-quarantined-files.txt 2013-05-21 04:18
.
Pre-Run: 25,774,116,864 bytes free
Post-Run: 25,480,699,904 bytes free
.
- - End Of File - - 0D6347F94D368586A15802FAD0F96868
-
I did restart computer before running second scan.
-
Again, After First Scan - Running Second Scan Now
Malwarebytes Anti-Rootkit BETA 1.05.0.1001
www.malwarebytes.org
Database version: v2013.05.20.01
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Chris :: WORKHORSE [administrator]
5/19/2013 10:01:11 PM
mbar-log-2013-05-19 (22-01-11).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 29990
Time elapsed: 1 hour(s), 54 minute(s), 33 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 1
c:\Windows\$NtUninstallKB61696$\1260042778 (Backdoor.0Access) -> Delete on reboot.
Files Detected: 0
(No malicious items detected)
(end)
-
After First Scan - Running Second Scan Now
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.05.0.1001
© Malwarebytes Corporation 2011-2012
OS version: 6.0.6002 Windows Vista Service Pack 2 x86
Account is Administrative
Internet Explorer version: 9.0.8112.16421
Java version: 1.6.0_30
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 2.004000 GHz
Memory total: 2078023680, free: 1140490240
------------ Kernel report ------------
05/19/2013 20:05:50
------------ Loaded modules -----------
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk6\DR6
Upper Device Object: 0xffffffff876cb030
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\00000077\
Lower Device Object: 0xffffffff876bf9d0
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
Initialization returned 0x0
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk5\DR5
Upper Device Object: 0xffffffff86fdaac8
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\00000063\
Lower Device Object: 0xffffffff8756e7c8
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
<<<1>>>
Upper Device Name: \Device\Harddisk4\DR4
Upper Device Object: 0xffffffff87471430
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\00000061\
Lower Device Object: 0xffffffff87499cb8
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
<<<1>>>
Upper Device Name: \Device\Harddisk3\DR3
Upper Device Object: 0xffffffff874397c0
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\00000060\
Lower Device Object: 0xffffffff87449058
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR2
Upper Device Object: 0xffffffff87439030
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\0000005f\
Lower Device Object: 0xffffffff87411030
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff8746c030
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\0000005e\
Lower Device Object: 0xffffffff87412cb8
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff860e13e0
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\00000054\
Lower Device Object: 0xffffffff84df9c90
Lower Device Driver Name: \Driver\nvstor32\
Driver name found: nvstor32
Initialization returned 0x0
Port sub-driver loaded: \??\C:\Windows\System32\drivers\Storport.sys (0x0)
Load Function returned 0x0
Downloaded database version: v2013.05.20.01
Downloaded database version: v2013.05.14.03
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 3
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff860e13e0, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff861002e0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff860e13e0, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff84df9150, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff84df9c90, DeviceName: \Device\00000054\, DriverName: \Driver\nvstor32\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0xffffffffa7bebac0, 0xffffffff860e13e0, 0xffffffff861c5348
Lower DeviceData: 0xffffffffaa44dba0, 0xffffffff84df9c90, 0xffffffff85705b28
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 3
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: B0000000
Partition information:
Partition 0 type is Other (0xde)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 80262
Partition 1 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 81920 Numsec = 20971520
Partition 2 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 21053440 Numsec = 291442688
Partition file system is NTFS
Partition is bootable
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Disk Size: 160000000000 bytes
Sector size: 512 bytes
Scanning physical sectors of unpartitioned space on drive 0 (1-62-312480000-312500000)...
Physical Sector Size: 0
Drive: 1, DevicePointer: 0xffffffff8746c030, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8746cd18, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff8746c030, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff87412cb8, DeviceName: \Device\0000005e\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 2, DevicePointer: 0xffffffff87439030, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff87439d18, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff87439030, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff87411030, DeviceName: \Device\0000005f\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 3, DevicePointer: 0xffffffff874397c0, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff87471020, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff874397c0, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff87449058, DeviceName: \Device\00000060\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 4, DevicePointer: 0xffffffff87471430, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8746daf0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff87471430, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff87499cb8, DeviceName: \Device\00000061\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 5, DevicePointer: 0xffffffff86fdaac8, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff86fd7bc8, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff86fdaac8, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff8756e7c8, DeviceName: \Device\00000063\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 512
Drive: 6, DevicePointer: 0xffffffff876cb030, DeviceName: \Device\Harddisk6\DR6\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff876cbd18, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff876cb030, DeviceName: \Device\Harddisk6\DR6\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff876bf9d0, DeviceName: \Device\00000077\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk6\DR6\, DriverName: \Driver\disk\
Upper DeviceData: 0xffffffffad1a9d08, 0xffffffff876cb030, 0xffffffff866208f8
Lower DeviceData: 0xffffffffa5f44540, 0xffffffff876bf9d0, 0xffffffff86114520
Drive 6
Scanning MBR on drive 6...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 6EAEE6
Partition information:
Partition 0 type is Other (0xb)
Partition is ACTIVE.
Partition starts at LBA: 32 Numsec = 4071392
Partition file system is FAT32
Partition is not bootable
Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Disk Size: 2084569088 bytes
Sector size: 512 bytes
Done!
Performing system, memory and registry scan...
Infected: c:\Windows\$NtUninstallKB61696$\1260042778 --> [backdoor.0Access]
Done!
Scan finished
Creating System Restore point...
Scheduling clean up...
<<<2>>>
Device number: 0, partition: 3
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Executing an action fixdamage.exe...
Success!
Removal successful. No system shutdown is required.
=======================================
-
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 18-05-2013
Ran by SYSTEM at 2013-05-19 19:54:24 Run:1
Running from K:\
Boot Mode: Recovery
==============================================
HKEY_USERS\Chris\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
C:\Users\Chris\AppData\Roaming\skype.dat => Moved successfully.
C:\Users\Chris\AppData\Roaming\skype.ini => Moved successfully.
C:\Users\Chris\Application Data\skype.dat => File/Directory not found.
C:\Users\Chris\Application Data\skype.ini => File/Directory not found.
C:\ProgramData\ntuser.dat => Moved successfully.
C:\ProgramData\qci.pad => Moved successfully.
C:\ProgramData\redaertaborca.pad => Moved successfully.
==== End of Fixlog ====
-
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 18-05-2013
Ran by SYSTEM on 19-05-2013 19:29:28
Running from K:\
Windows Vista Home Premium (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup [221184 2006-10-03] (Macrovision Corporation)
HKLM\...\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start [81920 2006-10-03] (Macrovision Corporation)
HKLM\...\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup [30192 2010-08-22] (Google)
HKLM\...\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe [17920 2006-11-17] ( )
HKLM\...\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE [x]
HKLM\...\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [16384 2007-11-15] ( )
HKLM\...\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [206064 2009-05-21] (SupportSoft, Inc.)
HKLM\...\Run: [sigmatelSysTrayApp] sttray.exe [x]
HKLM\...\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [647216 2009-07-07] (Cisco Systems, Inc.)
HKLM\...\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash [472112 2009-07-08] (Cisco Systems, Inc.)
HKLM\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1278064 2013-03-13] (McAfee, Inc.)
HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM\...\Run: [WD Quick View] C:\Program Files\Western Digital\WD Quick View\WDDMStatus.exe [5235608 2012-04-30] (Western Digital Technologies, Inc.)
HKLM\...\Winlogon: [system]
HKU\Angi\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2006-11-11] (Gteko Ltd.)
HKU\Angi\...\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [ 2007-05-19] (Logitech)
HKU\Angi\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [ 2008-01-18] (Microsoft Corporation)
HKU\Chris\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2006-11-11] (Gteko Ltd.)
HKU\Chris\...\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [ 2007-05-19] (Logitech)
HKU\Chris\...\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [ 2009-05-21] (SupportSoft, Inc.)
HKU\Chris\...\Winlogon: [shell] explorer.exe,C:\Users\Chris\AppData\Roaming\skype.dat <==== ATTENTION
HKU\Default\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2006-11-11] (Gteko Ltd.)
HKU\Default User\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2006-11-11] (Gteko Ltd.)
HKU\Guest\...\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [ 2007-05-19] (Logitech)
HKU\Hooper\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2006-11-11] (Gteko Ltd.)
HKU\Hooper\...\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [ 2007-05-19] (Logitech)
HKU\Hooper\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [ 2008-01-18] (Microsoft Corporation)
HKU\UpdatusUser\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2006-11-11] (Gteko Ltd.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
ShortcutTarget: Adobe Reader Speed Launch.lnk -> C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
Startup: C:\ProgramData\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
ShortcutTarget: Logitech Desktop Messenger.lnk -> C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe (Logitech)
Startup: C:\ProgramData\Start Menu\Programs\Startup\Logitech SetPoint.lnk
ShortcutTarget: Logitech SetPoint.lnk -> C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech Inc.)
Startup: C:\Users\Angi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Hooper\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
========================== Services (Whitelisted) =================
S4 Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [144712 2009-06-05] (Apple Inc.)
S2 dlbc_device; C:\Windows\system32\dlbccoms.exe [538096 2007-02-07] ( )
S3 DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [70656 2006-11-07] ()
S3 GoogleDesktopManager-051210-111108; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-08-22] (Google)
S2 LexBceS; C:\Windows\System32\LEXBCES.EXE [311296 2004-03-04] (Lexmark International, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S2 mcmscsvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S2 McNASvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [279048 2012-11-16] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [203840 2013-02-19] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [169320 2013-02-19] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [172416 2013-02-19] (McAfee, Inc.)
S2 nmservice; C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe [647216 2009-07-07] (Cisco Systems, Inc.)
S3 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [994360 2011-10-13] (Secunia)
S2 Secunia Update Agent; C:\Program Files\Secunia\PSI\sua.exe [399416 2011-10-13] (Secunia)
S2 sprtsvc_dellsupportcenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe [201968 2008-08-13] (SupportSoft, Inc.)
S2 WDBackup; C:\Program Files\Western Digital\WD SmartWare\WDBackupEngine.exe [1150368 2012-04-24] (Western Digital )
S2 WDDriveService; C:\Program Files\Western Digital\WD Drive Manager\WDDriveService.exe [247704 2012-04-11] (Western Digital)
==================== Drivers (Whitelisted) ====================
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [60920 2013-02-19] (McAfee, Inc.)
S3 DSproct; C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys [4736 2006-10-05] (Gteko Ltd.)
S2 dsunidrv; C:\Program Files\DellSupport\Drivers\dsunidrv.sys [7424 2006-08-17] (Gteko Ltd.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [146872 2012-04-20] (McAfee, Inc.)
S3 Jukebox; C:\Windows\System32\DRIVERS\ctpdusb2.sys [16890 2003-10-28] (Creative Technology Ltd.)
S2 LBeepKE; C:\Windows\System32\Drivers\LBeepKE.sys [3712 2006-05-24] (Logitech, Inc.)
S3 LHidKe; C:\Windows\System32\DRIVERS\LHidKE.Sys [27264 2006-05-10] (Logitech, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [133416 2013-02-19] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [235264 2013-02-19] (McAfee, Inc.)
S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [65928 2013-02-19] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [363080 2013-02-19] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [565888 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [92632 2013-02-19] (McAfee, Inc.)
S1 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [210608 2013-02-19] (McAfee, Inc.)
S3 mr7910; C:\Windows\System32\DRIVERS\mr7910.sys [46848 2007-03-20] (Mars Semiconductor Corp.)
S2 pnarp; C:\Windows\System32\DRIVERS\pnarp.sys [26672 2009-07-07] (Cisco Systems, Inc.)
S3 PSI; C:\Windows\System32\DRIVERS\psi_mf.sys [15544 2010-09-01] (Secunia)
S2 purendis; C:\Windows\System32\DRIVERS\purendis.sys [27696 2009-07-07] (Cisco Systems, Inc.)
S3 STHDA; C:\Windows\System32\drivers\stwrt.sys [647680 2007-02-07] (SigmaTel, Inc.)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 mfeavfk01; No ImagePath
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
==================== NetSvcs (Whitelisted) ===================
==================== One Month Created Files and Folders ========
2013-05-19 19:29 - 2013-05-19 19:29 - 00000000 ____D C:\FRST
2013-05-15 05:48 - 2013-05-15 05:49 - 00000004 ____A C:\Users\Chris\AppData\Roaming\skype.ini
2013-05-15 02:19 - 2013-05-05 11:25 - 12324864 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-05-15 02:19 - 2013-05-05 11:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-05-15 02:01 - 2013-04-04 14:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-05-15 02:01 - 2013-04-04 14:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-05-15 02:01 - 2013-04-04 14:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-05-15 02:01 - 2013-04-04 14:02 - 01104384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-05-15 02:01 - 2013-04-04 14:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-05-15 02:01 - 2013-04-04 13:59 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-05-15 02:01 - 2013-04-04 13:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-05-15 02:01 - 2013-04-04 13:58 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-05-15 02:01 - 2013-04-04 13:57 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-05-15 02:01 - 2013-04-04 13:56 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-05-15 02:01 - 2013-04-04 13:55 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-05-15 02:01 - 2013-04-04 13:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-05-15 02:01 - 2013-04-04 13:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-05-15 02:00 - 2013-04-04 14:09 - 09738752 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-05-14 21:42 - 2013-04-15 06:20 - 00638328 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-05-14 21:42 - 2013-04-13 02:56 - 00037376 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll
2013-05-14 21:42 - 2013-04-08 17:36 - 02049024 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
==================== One Month Modified Files and Folders ========
2013-05-19 19:29 - 2013-05-19 19:29 - 00000000 ____D C:\FRST
2013-05-15 05:49 - 2013-05-15 05:48 - 00000004 ____A C:\Users\Chris\AppData\Roaming\skype.ini
2013-05-15 05:09 - 2012-04-07 08:37 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-15 04:40 - 2006-11-02 04:47 - 00003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-15 04:40 - 2006-11-02 04:47 - 00003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-15 03:10 - 2007-05-10 10:39 - 01680306 ____A C:\Windows\WindowsUpdate.log
2013-05-15 03:00 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-05-15 02:50 - 2012-12-11 15:22 - 00262144 ____A C:\Windows\System32\config\ELAM
2013-05-15 02:47 - 2006-11-02 02:33 - 00703516 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-15 02:40 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-15 02:39 - 2006-11-02 04:47 - 00313136 ____A C:\Windows\System32\FNTCACHE.DAT
2013-05-15 02:36 - 2006-11-02 05:01 - 00032528 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-05-15 02:03 - 2006-11-02 02:24 - 72607752 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-05-14 23:09 - 2012-04-07 08:37 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-05-14 23:09 - 2011-06-07 06:11 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-05-14 15:23 - 2007-05-10 11:14 - 00243584 ____A C:\Windows\PFRO.log
2013-05-05 11:25 - 2013-05-15 02:19 - 12324864 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-05-05 11:12 - 2013-05-15 02:19 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-05-02 19:53 - 2009-07-05 21:01 - 00000000 ____D C:\Users\Chris\Desktop\From Phone
2013-04-27 06:03 - 2012-01-04 08:22 - 00000908 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-04-27 06:03 - 2010-10-24 08:15 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
Other Malware:
===========
C:\Users\Chris\AppData\Roaming\skype.dat
C:\Users\Chris\AppData\Roaming\skype.ini
C:\Users\Chris\Application Data\skype.dat
C:\Users\Chris\Application Data\skype.ini
C:\ProgramData\ntuser.dat
C:\ProgramData\qci.pad
C:\ProgramData\redaertaborca.pad
==================== Known DLLs (Whitelisted) ============
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points =========================
Restore point made on: 2013-04-16 18:12:59
Restore point made on: 2013-04-17 23:00:30
Restore point made on: 2013-04-18 23:00:32
Restore point made on: 2013-04-19 23:00:30
Restore point made on: 2013-04-20 23:00:28
Restore point made on: 2013-04-21 20:03:40
Restore point made on: 2013-04-21 22:36:00
Restore point made on: 2013-04-22 03:57:10
Restore point made on: 2013-04-22 04:23:10
Restore point made on: 2013-04-22 05:07:14
Restore point made on: 2013-04-22 05:37:14
Restore point made on: 2013-04-22 10:05:19
Restore point made on: 2013-04-22 11:40:21
Restore point made on: 2013-04-22 12:50:24
Restore point made on: 2013-04-22 13:21:29
Restore point made on: 2013-04-22 14:09:29
Restore point made on: 2013-04-22 18:48:33
Restore point made on: 2013-04-23 07:21:44
Restore point made on: 2013-04-23 19:27:54
Restore point made on: 2013-04-23 19:39:54
Restore point made on: 2013-04-23 19:52:55
Restore point made on: 2013-04-24 18:31:53
Restore point made on: 2013-04-24 18:42:25
Restore point made on: 2013-04-24 18:49:44
Restore point made on: 2013-04-24 19:00:45
Restore point made on: 2013-04-24 19:06:44
Restore point made on: 2013-04-24 19:12:45
Restore point made on: 2013-04-24 20:10:45
Restore point made on: 2013-04-25 17:22:58
Restore point made on: 2013-04-25 17:28:00
Restore point made on: 2013-04-25 17:36:58
Restore point made on: 2013-04-25 17:56:02
Restore point made on: 2013-04-25 18:12:58
Restore point made on: 2013-04-26 06:03:08
Restore point made on: 2013-04-26 16:19:16
Restore point made on: 2013-04-26 17:58:18
Restore point made on: 2013-04-26 18:16:18
Restore point made on: 2013-04-27 05:59:28
Restore point made on: 2013-04-28 17:19:39
Restore point made on: 2013-04-29 05:01:51
Restore point made on: 2013-04-29 07:14:53
Restore point made on: 2013-04-29 12:08:58
Restore point made on: 2013-04-29 12:55:00
Restore point made on: 2013-04-29 14:06:01
Restore point made on: 2013-04-29 22:03:08
Restore point made on: 2013-05-02 17:58:29
Restore point made on: 2013-05-02 20:50:32
Restore point made on: 2013-05-03 14:53:56
Restore point made on: 2013-05-03 15:51:24
Restore point made on: 2013-05-03 17:29:25
Restore point made on: 2013-05-06 08:28:17
Restore point made on: 2013-05-08 17:48:04
Restore point made on: 2013-05-08 21:11:15
Restore point made on: 2013-05-08 22:02:28
Restore point made on: 2013-05-09 18:02:06
Restore point made on: 2013-05-10 19:19:52
Restore point made on: 2013-05-10 19:55:46
Restore point made on: 2013-05-10 22:46:49
Restore point made on: 2013-05-11 08:33:57
Restore point made on: 2013-05-11 11:38:56
Restore point made on: 2013-05-11 12:01:57
Restore point made on: 2013-05-11 13:48:01
Restore point made on: 2013-05-11 14:15:00
Restore point made on: 2013-05-11 14:45:59
Restore point made on: 2013-05-11 15:59:00
Restore point made on: 2013-05-12 08:12:42
Restore point made on: 2013-05-12 11:37:45
Restore point made on: 2013-05-12 16:03:48
Restore point made on: 2013-05-12 16:35:49
Restore point made on: 2013-05-15 02:00:13
Restore point made on: 2013-05-15 02:00:49
Restore point made on: 2013-05-15 02:02:19
Restore point made on: 2013-05-15 02:05:13
Restore point made on: 2013-05-15 02:15:17
Restore point made on: 2013-05-15 02:19:13
Restore point made on: 2013-05-15 02:35:36
Restore point made on: 2013-05-15 05:48:40
==================== Memory info ===========================
Percentage of memory in use: 13%
Total physical RAM: 1981.88 MB
Available physical RAM: 1705.6 MB
Total Pagefile: 1915.61 MB
Available Pagefile: 1777.77 MB
Total Virtual: 2047.88 MB
Available Virtual: 1975.72 MB
==================== Drives ================================
Drive c: (OS) (Fixed) (Total:138.97 GB) (Free:19.9 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive j: (WD Unlocker) (CDROM) (Total:0.02 GB) (Free:0 GB) UDF
Drive k: () (Removable) (Total:1.94 GB) (Free:1.9 GB) FAT32
Drive x: (RECOVERY) (Fixed) (Total:10 GB) (Free:5.47 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows Vista) (Size: 149 GB) (Disk ID: B0000000)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Not Active) - (Size=10 GB) - (Type=07 NTFS)
Partition 3: (Active) - (Size=139 GB) - (Type=07 NTFS)
Attempted reading MBR returned 0 bytes.
Could not read MBR for disk 5.
========================================================
Disk: 6 (Size: 2 GB) (Disk ID: 006EAEE6)
Partition 1: (Active) - (Size=2 GB) - (Type=0B)
Last Boot: 2013-05-15 02:53
==================== End Of Log ============================
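The FRST scan above flags a Winlogon Shell hijack (`HKU\Chris\...\Winlogon: [shell] explorer.exe,C:\Users\Chris\AppData\Roaming\skype.dat`), the persistence trick behind the lock screen described in this thread, and the Fixlog shows that value being deleted. The script below is an added example, not code from the original posts or from FRST, that performs the same check programmatically: it parses FRST-style Winlogon lines and, on a Windows host, reads the live Shell value under HKLM and every loaded HKU hive, reporting any entry beyond the stock `explorer.exe`. The sample log lines are constructed (modelled on the ones in the FRST output above), and the assumption that a clean Shell value consists of `explorer.exe` alone is an assumption of this example.

```python
import re
import sys
from typing import Dict, List

# Assumption of this example: on a clean Vista/7 box the Winlogon Shell
# value is exactly "explorer.exe"; anything appended after a comma is
# launched by winlogon alongside the desktop and deserves a look.
EXPECTED_SHELL = "explorer.exe"

# Constructed sample lines in the shape of an FRST "Registry (Whitelisted)"
# section; the third line mirrors the hijacked entry from the scan above.
SAMPLE_FRST_LINES = [
    r'HKLM\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1278064 2013-03-13] (McAfee, Inc.)',
    r'HKLM\...\Winlogon: [system]',
    r'HKU\Chris\...\Winlogon: [shell] explorer.exe,C:\Users\Chris\AppData\Roaming\skype.dat <==== ATTENTION',
    r'HKU\Angi\...\Winlogon: [shell] explorer.exe',
]

# Matches "HKLM\...\Winlogon: [name] value" and "HKU\<user>\...\Winlogon: [name] value".
WINLOGON_RE = re.compile(
    r'^(?P<hive>HK\S*?)\\\.\.\.\\Winlogon: \[(?P<name>[^\]]+)\]\s*(?P<value>.*)$',
    re.IGNORECASE,
)


def split_shell_value(value: str) -> List[str]:
    """Split a Winlogon Shell value into its comma-separated program entries."""
    return [part.strip() for part in value.split(",") if part.strip()]


def extra_shell_entries(value: str) -> List[str]:
    """Return every Shell entry that is not the expected explorer.exe."""
    return [p for p in split_shell_value(value) if p.lower() != EXPECTED_SHELL]


def audit_winlogon(lines) -> List[Dict[str, object]]:
    """Scan FRST-style log lines and report Shell values with extra entries."""
    findings = []
    for raw in lines:
        match = WINLOGON_RE.match(raw.strip())
        if not match:
            continue
        name = match.group("name").lower()
        # FRST appends "<==== ATTENTION" to lines it already suspects; drop it.
        value = re.sub(r'\s*<==== ATTENTION\s*$', '', match.group("value")).strip()
        if name == "shell":
            extras = extra_shell_entries(value)
            if extras:
                findings.append({"hive": match.group("hive"), "value": "shell", "extra": extras})
    return findings


def live_shell_findings() -> List[Dict[str, object]]:
    """On Windows, read the Shell value under HKLM and every loaded HKU hive.

    Returns an empty list on other platforms so the module imports anywhere.
    Only hives currently loaded appear under HKEY_USERS; a profile that is not
    logged on (like the offline scan in the thread) needs its NTUSER.DAT loaded
    first, which this example does not do.
    """
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module

    subkey = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    targets = [("HKLM", winreg.HKEY_LOCAL_MACHINE, subkey)]
    index = 0
    while True:
        try:
            sid = winreg.EnumKey(winreg.HKEY_USERS, index)
        except OSError:
            break
        targets.append((f"HKU\\{sid}", winreg.HKEY_USERS, f"{sid}\\{subkey}"))
        index += 1

    findings = []
    for label, root, path in targets:
        try:
            with winreg.OpenKey(root, path) as key:
                value, _ = winreg.QueryValueEx(key, "Shell")
        except OSError:
            continue  # key or Shell value absent, which is the normal state for HKU hives
        extras = extra_shell_entries(str(value))
        if extras:
            findings.append({"hive": label, "value": "shell", "extra": extras})
    return findings


if __name__ == "__main__":
    for finding in audit_winlogon(SAMPLE_FRST_LINES) + live_shell_findings():
        print(f"{finding['hive']}: Shell launches extra program(s): {finding['extra']}")
```

Run it as-is to see the constructed sample flagged; on a Windows machine it also inspects the live registry, and any path it reports under a user profile (AppData, ProgramData) is a candidate for the same treatment the Fixlog above applied to `skype.dat`.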
-
Please help.
I saw the FBI Moneypak pop-up on my screen and I instantly powered off the computer and have not turned it back on. What is my first step?
I am running Vista.
Thank you in advance
Help - FBI Moneypak
in Resolved Malware Removal Logs
The only update for Adobe is Adobe Reader Language Support.
I don't think that is necessary. Do you?