
bergnutz

Everything posted by bergnutz

  1. Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-09-2013
     Ran by Owner at 2013-09-28 23:27:17 Run:4
     Running from E:\
     Boot Mode: Normal
     ==============================================
     Content of fixlist:
     *****************
     HKCU\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Owner\AppData\Local\Temp\avddddqvtrttdsdoij.exe
     HKCU\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation)
     HKCU\...\Command Processor: "C:\Users\Owner\AppData\Local\Temp\avddddqvtrttdsdoij.exe"
     C:\Users\Owner\AppData\Roaming\2433f433
     C:\Users\Owner\AppData\Local\Temp\avddddqvtrttdsdoij.exe
     *****************
     HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\qcgce2mrvjq91kk1e7pnbb19m52fx => Value deleted successfully.
     HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
     HKCU\Software\Microsoft\Command Processor\\AutoRun => Value deleted successfully.
     C:\Users\Owner\AppData\Roaming\2433f433 => Moved successfully.
     "C:\Users\Owner\AppData\Local\Temp\avddddqvtrttdsdoij.exe " => File/Directory not found.
     ==== End of Fixlog ====
  2. Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-09-2013
     Ran by Owner (administrator) on OWNER-PC on 28-09-2013 22:51:24
     Running from E:\
     Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
     Internet Explorer Version 10
     Boot Mode: Normal
     ==================== Processes (Whitelisted) =================
     (AMD) C:\windows\system32\atiesrxx.exe
     (Microsoft Corporation) C:\windows\system32\WLANExt.exe
     (AMD) C:\windows\system32\atieclxx.exe
     (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
     (Microsoft Corporation) C:\Windows\system32\cmd.exe
     (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
     (Verizon) C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
     (Alcatel-Lucent) C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
     (Alcatel-Lucent) C:\Program Files\Common Files\Motive\McciCMService.exe
     (Symantec Corporation) C:\Program Files (x86)\Norton AntiVirus\Engine\18.7.1.3\ccSvcHst.exe
     (Microsoft Corporation) C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
     (Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
     (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
     (Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
     (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
     (Symantec Corporation) C:\Program Files (x86)\Norton AntiVirus\Engine\18.7.1.3\ccSvcHst.exe
     (Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
     ==================== Registry (Whitelisted) ==================
     HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11448424 2010-08-20] (Realtek Semiconductor)
     HKLM\...\Run: [RtHDVBg] - C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2120808 2010-08-20] (Realtek Semiconductor)
     HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1894696 2010-01-07] (Synaptics Incorporated)
     HKLM\...\Run: [OnekeyStudio] - C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe [776608 2009-12-18] (Lenovo)
     HKLM\...\Run: [MRT] - C:\windows\system32\MRT.exe [79143768 2013-09-12] (Microsoft Corporation)
     HKLM-x32\...\RunOnce: [ (A0)] - cmd /c "C:\Users\Owner\Desktop\mbar\mbar.exe" /bootscan /s [1178424 2013-08-13] (Malwarebytes Corporation)
     HKCU\...\Run: [best Buy pc app] - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms
     HKCU\...\Run: [Regedit32] - C:\windows\system32\regedit.exe
     HKCU\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Owner\AppData\Local\Temp\avddddqvtrttdsdoij.exe <===== ATTENTION
     HKCU\...\RunOnce: [FlashPlayerUpdate] - C:\windows\system32\Macromed\Flash\FlashUtil64_11_4_402_287_ActiveX.exe -update activex [421304 2012-10-21] (Adobe Systems Incorporated)
     HKCU\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
     HKCU\...\Command Processor: "C:\Users\Owner\AppData\Local\Temp\avddddqvtrttdsdoij.exe" <======= ATTENTION
     HKCU\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
     HKLM-x32\...\Run: [startCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-07-19] (Advanced Micro Devices, Inc.)
     HKLM-x32\...\Run: [Microsoft Default Manager] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [439568 2010-05-10] (Microsoft Corporation)
     HKLM-x32\...\Run: [updateP2GShortCut] - C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [218408 2008-12-03] (CyberLink Corp.)
     HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2011-06-09] (Sun Microsystems, Inc.)
     HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-08-27] (Apple Inc.)
     HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2011-07-05] (Apple Inc.)
     HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [421776 2012-09-09] (Apple Inc.)
     Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
     ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
     Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
     ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
     ==================== Internet (Whitelisted) ====================
     HKLM\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/
     HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/
     SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
     SearchScopes: HKLM-x32 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
     SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
     BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
     BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
     BHO-x32: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\18.7.1.3\IPS\IPSBHO.DLL (Symantec Corporation)
     BHO-x32: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
     BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
     BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
     BHO-x32: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
     BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
     Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
     Toolbar: HKLM-x32 - @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
     Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
     Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
     ==================== Services (Whitelisted) =================
     S3 IGRS; C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe [38152 2009-07-14] (Lenovo Group Limited)
     R2 IHA_MessageCenter; C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [346696 2013-07-30] (Verizon)
     S3 Lenovo ReadyComm AppSvc; C:\Program Files\Lenovo\ReadyComm\AppSvc.exe [509192 2009-08-14] (Lenovo Group Limited)
     S3 Lenovo ReadyComm ConnSvc; C:\Program Files\Lenovo\ReadyComm\ConnSvc.exe [579400 2009-09-22] (Lenovo Group Limited)
     R2 McciCMService64; C:\Program Files\Common Files\Motive\McciCMService.exe [517632 2010-03-17] (Alcatel-Lucent)
     R2 NAV; C:\Program Files (x86)\Norton AntiVirus\Engine\18.7.1.3\ccSvcHst.exe [130008 2011-04-16] (Symantec Corporation)
     S3 PS_MDP; C:\Program Files (x86)\Lenovo\ReadyComm\PS_MDP.dll [276296 2009-07-15] (Lenovo Group Limited)
     S2 ReadyComm.DirectRouter; C:\Program Files (x86)\Lenovo\ReadyComm\common\router.dll [103688 2009-07-14] (Lenovo Group Limited)
     ==================== Drivers (Whitelisted) ====================
     R1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\BASHDefs\20110518.001\BHDrvx64.sys [1127032 2011-04-15] (Symantec Corporation)
     R1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\BASHDefs\20110518.001\BHDrvx64.sys [1127032 2011-04-15] (Symantec Corporation)
     S3 Bridge0; C:\Windows\System32\drivers\WDBridge.sys [79376 2009-07-15] (Lenovo)
     R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [481912 2011-05-10] (Symantec Corporation)
     R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [481912 2011-05-10] (Symantec Corporation)
     R1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\IPSDefs\20110518.001\IDSvia64.sys [476792 2011-03-14] (Symantec Corporation)
     R1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\IPSDefs\20110518.001\IDSvia64.sys [476792 2011-03-14] (Symantec Corporation)
     S3 mbamchameleon; C:\windows\system32\drivers\mbamchameleon.sys [36680 2013-05-27] ()
     S3 mbamchameleon; C:\windows\system32\drivers\mbamchameleon.sys [36680 2013-05-27] ()
     R0 MBAMSwissArmy; C:\Windows\System32\drivers\48230029.sys [116440 2013-09-28] (Malwarebytes Corporation)
     S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\VirusDefs\20110519.002\ENG64.SYS [117880 2011-05-17] (Symantec Corporation)
     S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\VirusDefs\20110519.002\ENG64.SYS [117880 2011-05-17] (Symantec Corporation)
     S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\VirusDefs\20110519.002\EX64.SYS [2011768 2011-05-17] (Symantec Corporation)
     S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\VirusDefs\20110519.002\EX64.SYS [2011768 2011-05-17] (Symantec Corporation)
     S3 Serial; C:\Windows\system32\DRIVERS\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)
     S3 SRTSP; C:\Windows\System32\Drivers\NAVx64\1207010.003\SRTSP64.SYS [744568 2011-03-30] (Symantec Corporation)
     R1 SRTSPX; C:\Windows\system32\drivers\NAVx64\1207010.003\SRTSPX64.SYS [40568 2011-03-30] (Symantec Corporation)
     R0 SymDS; C:\Windows\System32\drivers\NAVx64\1207010.003\SYMDS64.SYS [450680 2011-01-27] (Symantec Corporation)
     R0 SymEFA; C:\Windows\System32\drivers\NAVx64\1207010.003\SYMEFA64.SYS [912504 2011-03-14] (Symantec Corporation)
     R3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2011-05-10] (Symantec Corporation)
     R1 SymIRON; C:\Windows\system32\drivers\NAVx64\1207010.003\Ironx64.SYS [171128 2011-01-27] (Symantec Corporation)
     R1 SymNetS; C:\Windows\System32\Drivers\NAVx64\1207010.003\SYMNETS.SYS [386168 2011-04-20] (Symantec Corporation)
     R3 wdmirror; C:\Windows\System32\DRIVERS\WDMirror.sys [11280 2009-07-16] (Lenovo)
     U3 BcmSqlStartupSvc;
     S3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
     U2 IAStorDataMgrSvc;
     U2 IviRegMgr;
     U2 RichVideo;
     U3 SQLWriter;
     ==================== NetSvcs (Whitelisted) ===================
     ==================== One Month Created Files and Folders ========
     2013-09-29 01:37 - 2013-09-29 01:37 - 00000000 ____D C:\windows\system32\config\HiveBackup
     2013-09-28 21:43 - 2013-09-28 22:45 - 00116440 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\48230029.sys
     2013-09-28 21:43 - 2013-09-28 22:45 - 00000000 ____D C:\Users\Owner\Desktop\mbar
     2013-09-23 10:00 - 2013-09-23 10:00 - 01865715 _____ C:\Users\Owner\AppData\Roaming\2433f433
     2013-09-12 03:09 - 2013-08-10 01:22 - 02241024 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
     2013-09-12 03:09 - 2013-08-10 01:22 - 01365504 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
     2013-09-12 03:09 - 2013-08-10 01:22 - 00051712 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
     2013-09-12 03:09 - 2013-08-10 01:21 - 19246592 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
     2013-09-12 03:09 - 2013-08-10 01:21 - 00603136 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
     2013-09-12 03:09 - 2013-08-10 01:21 - 00053248 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
     2013-09-12 03:09 - 2013-08-10 01:20 - 15404544 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
     2013-09-12 03:09 - 2013-08-10 01:20 - 03959296 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
     2013-09-12 03:09 - 2013-08-10 01:20 - 02647040 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
     2013-09-12 03:09 - 2013-08-10 01:20 - 00855552 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
     2013-09-12 03:09 - 2013-08-10 01:20 - 00526336 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
     2013-09-12 03:09 - 2013-08-10 01:20 - 00136704 _____ (Microsoft Corporation) C:\windows\system32\iesysprep.dll
     2013-09-12 03:09 - 2013-08-10 01:20 - 00067072 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
     2013-09-12 03:09 - 2013-08-10 01:20 - 00039936 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
     2013-09-12 03:09 - 2013-08-09 23:59 - 01767936 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
     2013-09-12 03:09 - 2013-08-09 23:59 - 01141248 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
     2013-09-12 03:09 - 2013-08-09 23:58 - 14332928 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
     2013-09-12 03:09 - 2013-08-09 23:58 - 13761024 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
     2013-09-12 03:09 - 2013-08-09 23:58 - 02876928 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
     2013-09-12 03:09 - 2013-08-09 23:58 - 02048000 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
     2013-09-12 03:09 - 2013-08-09 23:58 - 00690688 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
     2013-09-12 03:09 - 2013-08-09 23:58 - 00493056 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
     2013-09-12 03:09 - 2013-08-09 23:58 - 00391168 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
     2013-09-12 03:09 - 2013-08-09 23:58 - 00109056 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesysprep.dll
     2013-09-12 03:09 - 2013-08-09 23:58 - 00061440 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
     2013-09-12 03:09 - 2013-08-09 23:58 - 00039424 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
     2013-09-12 03:09 - 2013-08-09 23:58 - 00033280 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
     2013-09-12 03:09 - 2013-08-09 23:17 - 02706432 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
     2013-09-12 03:09 - 2013-08-09 23:07 - 02706432 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
     2013-09-12 03:09 - 2013-08-09 22:27 - 00089600 _____ (Microsoft Corporation) C:\windows\system32\RegisterIEPKEYs.exe
     2013-09-12 03:09 - 2013-08-09 22:17 - 00071680 _____ (Microsoft Corporation) C:\windows\SysWOW64\RegisterIEPKEYs.exe
     2013-09-12 03:08 - 2013-09-12 03:08 - 00005316 _____ C:\windows\SysWOW64\PerfStringBackup.TMP
     2013-09-11 04:07 - 2013-08-07 21:20 - 03155456 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
     2013-09-11 04:07 - 2013-08-04 22:25 - 00155584 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ataport.sys
     2013-09-11 04:07 - 2013-08-01 22:23 - 05550528 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
     2013-09-11 04:07 - 2013-08-01 22:15 - 01732032 _____ (Microsoft Corporation) C:\windows\system32\ntdll.dll
     2013-09-11 04:07 - 2013-08-01 22:15 - 00362496 _____ (Microsoft Corporation) C:\windows\system32\wow64win.dll
     2013-09-11 04:07 - 2013-08-01 22:15 - 00243712 _____ (Microsoft Corporation) C:\windows\system32\wow64.dll
     2013-09-11 04:07 - 2013-08-01 22:15 - 00013312 _____ (Microsoft Corporation) C:\windows\system32\wow64cpu.dll
     2013-09-11 04:07 - 2013-08-01 22:14 - 00215040 _____ (Microsoft Corporation) C:\windows\system32\winsrv.dll
     2013-09-11 04:07 - 2013-08-01 22:14 - 00016384 _____ (Microsoft Corporation) C:\windows\system32\ntvdm64.dll
     2013-09-11 04:07 - 2013-08-01 22:13 - 01161216 _____ (Microsoft Corporation) C:\windows\system32\kernel32.dll
     2013-09-11 04:07 - 2013-08-01 22:13 - 00424448 _____ (Microsoft Corporation) C:\windows\system32\KernelBase.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00043520 _____ (Microsoft Corporation) C:\windows\system32\csrsrv.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00006656 _____ (Microsoft Corporation) C:\windows\system32\apisetschema.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00006144 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-security-base-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00005120 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-file-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00004608 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00004608 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-util-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-string-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-io-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 22:12 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-console-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:59 - 03968960 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntkrnlpa.exe
     2013-09-11 04:07 - 2013-08-01 21:59 - 03913664 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntoskrnl.exe
     2013-09-11 04:07 - 2013-08-01 21:51 - 01292192 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntdll.dll
     2013-09-11 04:07 - 2013-08-01 21:50 - 01114112 _____ (Microsoft Corporation) C:\windows\SysWOW64\kernel32.dll
     2013-09-11 04:07 - 2013-08-01 21:50 - 00274944 _____ (Microsoft Corporation) C:\windows\SysWOW64\KernelBase.dll
     2013-09-11 04:07 - 2013-08-01 21:50 - 00005120 _____ (Microsoft Corporation) C:\windows\SysWOW64\wow32.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00006656 _____ (Microsoft Corporation) C:\windows\SysWOW64\apisetschema.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00005120 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00004608 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 21:09 - 00338432 _____ (Microsoft Corporation) C:\windows\system32\conhost.exe
     2013-09-11 04:07 - 2013-08-01 20:59 - 00112640 _____ (Microsoft Corporation) C:\windows\system32\smss.exe
     2013-09-11 04:07 - 2013-08-01 20:45 - 00025600 _____ (Microsoft Corporation) C:\windows\SysWOW64\setup16.exe
     2013-09-11 04:07 - 2013-08-01 20:45 - 00014336 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntvdm64.dll
     2013-09-11 04:07 - 2013-08-01 20:45 - 00007680 _____ (Microsoft Corporation) C:\windows\SysWOW64\instnm.exe
     2013-09-11 04:07 - 2013-08-01 20:45 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\user.exe
     2013-09-11 04:07 - 2013-08-01 20:43 - 00006144 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 20:43 - 00004608 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 20:43 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
     2013-09-11 04:07 - 2013-08-01 20:43 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
     2013-09-11 04:07 - 2013-07-25 22:24 - 14172672 _____ (Microsoft Corporation) C:\windows\system32\shell32.dll
     2013-09-11 04:07 - 2013-07-25 22:24 - 00197120 _____ (Microsoft Corporation) C:\windows\system32\shdocvw.dll
     2013-09-11 04:07 - 2013-07-25 21:55 - 12872704 _____ (Microsoft Corporation) C:\windows\SysWOW64\shell32.dll
     2013-09-11 04:07 - 2013-07-25 21:55 - 00180224 _____ (Microsoft Corporation) C:\windows\SysWOW64\shdocvw.dll
     ==================== One Month Modified Files and Folders =======
     2013-09-29 02:22 - 2011-04-20 08:29 - 00000000 ____D C:\ProgramData\Norton
     2013-09-29 02:22 - 2011-04-20 06:07 - 00000000 ____D C:\Users\Owner
     2013-09-29 01:37 - 2013-09-29 01:37 - 00000000 ____D C:\windows\system32\config\HiveBackup
     2013-09-28 22:47 - 2013-04-09 09:39 - 01194648 _____ C:\FaceProv.log
     2013-09-28 22:47 - 2011-11-23 00:59 - 00000892 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
     2013-09-28 22:46 - 2013-04-09 09:49 - 00005848 _____ C:\windows\setupact.log
     2013-09-28 22:46 - 2009-07-14 01:08 - 00000006 ____H C:\windows\Tasks\SA.DAT
     2013-09-28 22:45 - 2013-09-28 21:43 - 00116440 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\48230029.sys
     2013-09-28 22:45 - 2013-09-28 21:43 - 00000000 ____D C:\Users\Owner\Desktop\mbar
     2013-09-28 22:42 - 2013-04-09 10:06 - 01861659 _____ C:\windows\WindowsUpdate.log
     2013-09-28 22:14 - 2009-07-14 00:45 - 00013632 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
     2013-09-28 22:14 - 2009-07-14 00:45 - 00013632 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
     2013-09-28 22:06 - 2011-11-23 00:59 - 00000896 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
     2013-09-28 21:50 - 2013-04-09 10:11 - 00005354 _____ C:\windows\system32\PerfStringBackup.TMP
     2013-09-23 10:00 - 2013-09-23 10:00 - 01865715 _____ C:\Users\Owner\AppData\Roaming\2433f433
     2013-09-18 23:50 - 2011-07-08 01:37 - 00000000 ____D C:\Users\Owner\AppData\Local\CrashDumps
     2013-09-12 12:07 - 2009-07-13 23:20 - 00000000 ____D C:\windows\rescache
     2013-09-12 03:31 - 2013-05-15 03:39 - 00000000 ___RD C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
     2013-09-12 03:31 - 2011-04-20 06:08 - 00000000 ___RD C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
     2013-09-12 03:30 - 2009-07-14 00:45 - 00282960 _____ C:\windows\system32\FNTCACHE.DAT
     2013-09-12 03:08 - 2013-09-12 03:08 - 00005316 _____ C:\windows\SysWOW64\PerfStringBackup.TMP
     2013-09-12 03:08 - 2013-08-14 03:01 - 00000000 ____D C:\windows\system32\MRT
     2013-09-12 03:08 - 2011-05-10 10:56 - 00000000 ____D C:\Program Files (x86)\Microsoft Application Virtualization Client
     2013-09-12 03:04 - 2011-04-20 08:11 - 79143768 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
     ==================== Bamital & volsnap Check =================
     C:\Windows\System32\winlogon.exe => MD5 is legit
     C:\Windows\System32\wininit.exe => MD5 is legit
     C:\Windows\SysWOW64\wininit.exe => MD5 is legit
     C:\Windows\explorer.exe => MD5 is legit
     C:\Windows\SysWOW64\explorer.exe => MD5 is legit
     C:\Windows\System32\svchost.exe => MD5 is legit
     C:\Windows\SysWOW64\svchost.exe => MD5 is legit
     C:\Windows\System32\services.exe => MD5 is legit
     C:\Windows\System32\User32.dll => MD5 is legit
     C:\Windows\SysWOW64\User32.dll => MD5 is legit
     C:\Windows\System32\userinit.exe => MD5 is legit
     C:\Windows\SysWOW64\userinit.exe => MD5 is legit
     C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
     LastRegBack: 2013-09-22 19:07
     ==================== End Of Log ============================
  3. Tried rebooting and it still gives the same error message.
  4. It's halfway there. The MoneyPak screen is gone, but now it still comes up with the black cmd.exe command prompt. I try to run mbar through it and it gives me an error message: "dda driver was not installed which may be caused by rootkit activity. do you want to reboot the computer to install dda driver (scan will continue after reboot)?"
  5. Yes I am. I've had a crazy week at work and haven't had access to a second computer, but here are the results of the log.
     Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-09-2013
     Ran by SYSTEM at 2013-09-28 21:37:02 Run:2
     Running from G:\
     Boot Mode: Recovery
     ==============================================
     Content of fixlist:
     *****************
     C:\Users\Owner\AppData\Local\Temp\298839847585666393393.exe
     C:\Users\Owner\AppData\Local\Temp\517278442.exe
     C:\Users\Owner\AppData\Local\Temp\avddddqvtrttdsdoij.exe
     C:\Users\Owner\AppData\Local\Temp\avdsdoij.exe
     C:\Users\Owner\AppData\Local\Temp\GoogleToolbarInstaller_en32_signed.exe
     C:\Users\Owner\AppData\Local\Temp\InstallFlashPlayer.exe
     C:\Users\Owner\AppData\Local\2433f433
     C:\Users\Owner\AppData\Roaming\2433f433
     C:\ProgramData\2433f433
     LastRegBack: 2013-09-22 15:07
     *****************
     C:\Users\Owner\AppData\Local\Temp\298839847585666393393.exe => Moved successfully.
     C:\Users\Owner\AppData\Local\Temp\517278442.exe => Moved successfully.
     C:\Users\Owner\AppData\Local\Temp\avddddqvtrttdsdoij.exe => Moved successfully.
     C:\Users\Owner\AppData\Local\Temp\avdsdoij.exe => Moved successfully.
     C:\Users\Owner\AppData\Local\Temp\GoogleToolbarInstaller_en32_signed.exe => Moved successfully.
     C:\Users\Owner\AppData\Local\Temp\InstallFlashPlayer.exe => Moved successfully.
     C:\Users\Owner\AppData\Local\2433f433 => Moved successfully.
     C:\ProgramData\2433f433 => Moved successfully.
     DEFAULT hive was successfully copied to System32\config\HiveBackup
     DEFAULT hive was successfully restored from registry back up.
     SAM hive was successfully copied to System32\config\HiveBackup
     SAM hive was successfully restored from registry back up.
     SECURITY hive was successfully copied to System32\config\HiveBackup
     SECURITY hive was successfully restored from registry back up.
     SOFTWARE hive was successfully copied to System32\config\HiveBackup
     SOFTWARE hive was successfully restored from registry back up.
     SYSTEM hive was successfully copied to System32\config\HiveBackup
     SYSTEM hive was successfully restored from registry back up.
     ==== End of Fixlog ====
  6. MrC, can you please help! This is the scan that I got from running the Farbar removal tool for the MoneyPak virus.
     Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-09-2013
     Ran by SYSTEM on MININT-TFTV4BQ on 24-09-2013 11:32:03
     Running from G:\
     WIN_7 (X64) OS Language: English(US)
     Boot Mode: Recovery
     Attention: Could not load system hive.
     ==================== Registry (Whitelisted) ==================
     ATTENTION: Software hive is not loaded.
     Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
     ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
     Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
     ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
     ==================== Services (Whitelisted) =================
     ==================== Drivers (Whitelisted) ====================
     ==================== NetSvcs (Whitelisted) ===================
     ==================== One Month Created Files and Folders ========
     2013-09-23 06:00 - 2013-09-23 06:00 - 01865734 _____ C:\Users\Owner\AppData\Local\2433f433
     2013-09-23 06:00 - 2013-09-23 06:00 - 01865715 _____ C:\Users\Owner\AppData\Roaming\2433f433
     2013-09-23 06:00 - 2013-09-23 06:00 - 01865700 _____ C:\ProgramData\2433f433
     2013-09-11 23:09 - 2013-08-09 21:22 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
     2013-09-11 23:09 - 2013-08-09 21:22 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
     2013-09-11 23:09 - 2013-08-09 21:22 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
     2013-09-11 23:09 - 2013-08-09 21:21 - 19246592 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
     2013-09-11 23:09 - 2013-08-09 21:21 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
     2013-09-11 23:09 - 2013-08-09 21:21 - 00053248 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
     2013-09-11 23:09 - 2013-08-09 21:20 - 15404544 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
     2013-09-11 23:09 - 2013-08-09 21:20 - 03959296 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
     2013-09-11 23:09 - 2013-08-09 21:20 - 02647040 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
     2013-09-11 23:09 - 2013-08-09 21:20 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
     2013-09-11 23:09 - 2013-08-09 21:20 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
     2013-09-11 23:09 - 2013-08-09 21:20 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
     2013-09-11 23:09 - 2013-08-09 21:20 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
     2013-09-11 23:09 - 2013-08-09 21:20 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
     2013-09-11 23:09 - 2013-08-09 19:59 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
     2013-09-11 23:09 - 2013-08-09 19:59 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
     2013-09-11 23:09 - 2013-08-09 19:58 - 14332928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
     2013-09-11 23:09 - 2013-08-09 19:58 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
     2013-09-11 23:09 - 2013-08-09 19:58 - 02876928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
     2013-09-11 23:09 - 2013-08-09 19:58 - 02048000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
     2013-09-11 23:09 - 2013-08-09 19:58 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
     2013-09-11 23:09 - 2013-08-09 19:58 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
     2013-09-11 23:09 - 2013-08-09 19:58 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
     2013-09-11 23:09 - 2013-08-09 19:58 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
     2013-09-11 23:09 - 2013-08-09 19:58 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
     2013-09-11 23:09 - 2013-08-09 19:58 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
     2013-09-11 23:09 - 2013-08-09 19:58 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
     2013-09-11 23:09 - 2013-08-09 19:17 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
     2013-09-11 23:09 - 2013-08-09 19:07 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
     2013-09-11 23:09 - 2013-08-09 18:27 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
     2013-09-11 23:09 - 2013-08-09 18:17 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
     2013-09-11 23:08 - 2013-09-11 23:08 - 00005316 _____ C:\Windows\SysWOW64\PerfStringBackup.TMP
     2013-09-11 00:07 - 2013-08-07 17:20 - 03155456 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
     2013-09-11 00:07 - 2013-08-04 18:25 - 00155584 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ataport.sys
     2013-09-11 00:07 - 2013-08-01 18:23 - 05550528 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
     2013-09-11 00:07 - 2013-08-01 18:15 - 01732032 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
     2013-09-11 00:07 - 2013-08-01 18:15 - 00362496 _____ (Microsoft Corporation) C:\Windows\System32\wow64win.dll
     2013-09-11 00:07 - 2013-08-01 18:15 - 00243712 _____ (Microsoft Corporation) C:\Windows\System32\wow64.dll
     2013-09-11 00:07 - 2013-08-01 18:15 - 00013312 _____ (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
     2013-09-11 00:07 - 2013-08-01 18:14 - 00215040 _____ (Microsoft Corporation) C:\Windows\System32\winsrv.dll
     2013-09-11 00:07 - 2013-08-01 18:14 - 00016384 _____ (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
     2013-09-11 00:07 - 2013-08-01 18:13 - 01161216 _____ (Microsoft Corporation) C:\Windows\System32\kernel32.dll
     2013-09-11 00:07 - 2013-08-01 18:13 - 00424448 _____ (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00043520 _____ (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00006656 _____ (Microsoft Corporation) C:\Windows\System32\apisetschema.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00006144 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00005120 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00004608 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00004608 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:59 - 03968960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
     2013-09-11 00:07 - 2013-08-01 17:59 - 03913664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
     2013-09-11 00:07 - 2013-08-01 17:51 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
     2013-09-11 00:07 - 2013-08-01 17:50 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
     2013-09-11 00:07 - 2013-08-01 17:50 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
     2013-09-11 00:07 - 2013-08-01 17:50 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 17:09 - 00338432 _____ (Microsoft Corporation) C:\Windows\System32\conhost.exe
     2013-09-11 00:07 - 2013-08-01 16:59 - 00112640 _____ (Microsoft Corporation) C:\Windows\System32\smss.exe
     2013-09-11 00:07 - 2013-08-01 16:45 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
     2013-09-11 00:07 - 2013-08-01 16:45 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
     2013-09-11 00:07 - 2013-08-01 16:45 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
     2013-09-11 00:07 - 2013-08-01 16:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
     2013-09-11 00:07 - 2013-08-01 16:43 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 16:43 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 16:43 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
     2013-09-11 00:07 - 2013-08-01 16:43 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
     2013-09-11 00:07 - 2013-07-25 18:24 - 14172672 _____ (Microsoft Corporation) C:\Windows\System32\shell32.dll
     2013-09-11 00:07 - 2013-07-25 18:24 - 00197120 _____ (Microsoft Corporation) C:\Windows\System32\shdocvw.dll
     2013-09-11 00:07 - 2013-07-25 17:55 - 12872704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
     2013-09-11 00:07 - 2013-07-25 17:55 - 00180224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll
     ==================== One Month Modified Files and Folders =======
     2013-09-24 07:20 - 2013-04-09 05:49 - 00005456 _____ C:\Windows\setupact.log
     2013-09-24 07:20 - 2013-04-09 05:39 - 01166247 _____ C:\FaceProv.log
     2013-09-24 07:20 - 2011-11-22 20:59 - 00000892 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
     2013-09-24 07:20 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
     2013-09-23 06:06 - 2011-11-22 20:59 - 00000896 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
     2013-09-23 06:00 - 2013-09-23 06:00 - 01865734 _____ C:\Users\Owner\AppData\Local\2433f433
     2013-09-23 06:00 - 2013-09-23 06:00 - 01865715 _____ C:\Users\Owner\AppData\Roaming\2433f433
     2013-09-23 06:00 - 2013-09-23 06:00 - 01865700 _____ C:\ProgramData\2433f433
     2013-09-23 00:07 - 2013-04-09 06:06 - 01807460 _____ C:\Windows\WindowsUpdate.log
     2013-09-22 14:19 - 2009-07-13 20:45 - 00013632 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
     2013-09-22 14:19 - 2009-07-13 20:45 - 00013632 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
     2013-09-18 19:50 - 2011-07-07 21:37 - 00000000 ____D C:\Users\Owner\AppData\Local\CrashDumps
     2013-09-12 08:07 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
     2013-09-11 23:30 - 2009-07-13 20:45 - 00282960 _____ C:\Windows\System32\FNTCACHE.DAT
     2013-09-11 23:08 - 2013-09-11 23:08 - 00005316 _____ C:\Windows\SysWOW64\PerfStringBackup.TMP
     2013-09-11 23:08 - 2013-08-13 23:01 - 00000000 ____D C:\Windows\System32\MRT
     2013-09-11 23:08 - 2011-05-10 06:56 - 00000000 ____D C:\Program Files (x86)\Microsoft Application Virtualization Client
     2013-09-11 23:04 - 2011-04-20 04:11 - 79143768 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
     2013-09-07 19:25 - 2013-04-09 06:11 - 00005354 _____ C:\Windows\System32\PerfStringBackup.TMP
     2013-08-25 20:34 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
     Some content of TEMP:
     ====================
     C:\Users\Owner\AppData\Local\Temp\298839847585666393393.exe
     C:\Users\Owner\AppData\Local\Temp\517278442.exe
     C:\Users\Owner\AppData\Local\Temp\avddddqvtrttdsdoij.exe
     C:\Users\Owner\AppData\Local\Temp\avdsdoij.exe
     C:\Users\Owner\AppData\Local\Temp\GoogleToolbarInstaller_en32_signed.exe
     C:\Users\Owner\AppData\Local\Temp\InstallFlashPlayer.exe
     ==================== Known DLLs (Whitelisted) ================
     ==================== Bamital & volsnap Check =================
     C:\Windows\System32\winlogon.exe => MD5 is legit
     C:\Windows\System32\wininit.exe => MD5 is legit
     C:\Windows\SysWOW64\wininit.exe => MD5 is legit
     C:\Windows\explorer.exe => MD5 is legit
     C:\Windows\SysWOW64\explorer.exe => MD5 is legit
     C:\Windows\System32\svchost.exe => MD5 is legit
     C:\Windows\SysWOW64\svchost.exe => MD5 is legit
     C:\Windows\System32\services.exe => MD5 is legit
     C:\Windows\System32\User32.dll => MD5 is legit
     C:\Windows\SysWOW64\User32.dll => MD5 is legit
     C:\Windows\System32\userinit.exe => MD5 is legit
     C:\Windows\SysWOW64\userinit.exe => MD5 is legit
     C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
     ==================== EXE ASSOCIATION =====================
     HKLM\...\.exe: <===== ATTENTION!
     HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
     HKLM\...\exefile\open\command: <===== ATTENTION!
     ==================== Restore Points =========================
     6 Restore point made on: 2013-08-27 00:40:22
     Restore point made on: 2013-09-03 14:32:45
     Restore point made on: 2013-09-05 04:39:12
     Restore point made on: 2013-09-09 23:44:47
     Restore point made on: 2013-09-11 23:00:51
     Restore point made on: 2013-09-17 07:44:58
     ==================== Memory info ===========================
     Percentage of memory in use: 16%
     Total physical RAM: 2810.9 MB
     Available physical RAM: 2347.32 MB
     Total Pagefile: 2809.05 MB
     Available Pagefile: 2340.02 MB
     Total Virtual: 8192 MB
     Available Virtual: 8191.89 MB
     ==================== Drives ================================
     Drive c: () (Fixed) (Total:254.14 GB) (Free:61.41 GB) NTFS
     Drive d: (LENOVO) (Fixed) (Total:29 GB) (Free:28.07 GB) NTFS
     Drive g: () (Removable) (Total:0.49 GB) (Free:0.49 GB) FAT
     Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
     Drive y: () (Fixed) (Total:0.2 GB) (Free:0.16 GB) NTFS ==>[system with boot components (obtained from reading drive)]
     ==================== MBR & Partition Table ==================
     ========================================================
     Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 4B4C58A2)
     Partition 1: (Active) - (Size=200 MB) - (Type=07 NTFS)
     Partition 2: (Not Active) - (Size=254 GB) - (Type=07 NTFS)
     Partition 3: (Not Active) - (Size=29 GB) - (Type=OF Extended)
     Partition 4: (Not Active) - (Size=15 GB) - (Type=12)
     ========================================================
     Disk: 1 (Size: 501 MB) (Disk ID: 00978B1A)
     Partition 1: (Active) - (Size=504 MB) - (Type=06)
     LastRegBack: 2013-09-22 15:07
     ==================== End Of Log ============================
  7. Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 27-05-2013
     Ran by Owner (administrator) on 27-05-2013 19:33:58
     Running from E:\
     Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
     Internet Explorer Version 9
     Boot Mode: Safe Mode (minimal)
     ==================== Processes (Whitelisted) =================
     (Microsoft Corporation) C:\Windows\system32\cmd.exe
     (Farbar) E:\FRST64.exe
     ==================== Registry (Whitelisted) ==================
     HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11448424 2010-08-20] (Realtek Semiconductor)
     HKLM\...\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3 [2120808 2010-08-20] (Realtek Semiconductor)
     HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1894696 2010-01-07] (Synaptics Incorporated)
     HKLM\...\Run: [OnekeyStudio] C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe [776608 2009-12-18] (Lenovo)
     HKLM\...\Run: [MRT] "C:\windows\system32\MRT.exe" /R [75016696 2013-05-15] (Microsoft Corporation)
     HKCU\...\Run: [best Buy pc app] C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms [x]
     HKCU\...\Run: [Realtek] Regsvr32.exe C:\Users\Owner\AppData\Local\Realtek\rhyiijlr.dll [681984 2013-05-22] (CANON INC.)
     HKCU\...\RunOnce: [FlashPlayerUpdate] C:\windows\system32\Macromed\Flash\FlashUtil64_11_4_402_287_ActiveX.exe -update activex [421304 2012-10-21] (Adobe Systems Incorporated)
     HKCU\...\Winlogon: [shell] explorer.exe,C:\Users\Owner\AppData\Roaming\skype.dat [146944 2011-11-17] (AutoRix Software LLC) <==== ATTENTION
     HKLM-x32\...\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2010-07-19] (Advanced Micro Devices, Inc.)
     HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [439568 2010-05-10] (Microsoft Corporation)
     HKLM-x32\...\Run: [updateP2GShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\5.0" [218408 2008-12-03] (CyberLink Corp.)
     HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
     HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)
     HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
     HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
     Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
     ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
     Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
     ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
     ==================== Internet (Whitelisted) ====================
     BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
     BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
     BHO-x32: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\18.7.1.3\IPS\IPSBHO.DLL (Symantec Corporation)
     BHO-x32: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
     BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
     BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
     BHO-x32: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
     BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
     Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
     Toolbar: HKLM-x32 - @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
     Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
     Winsock: Catalog5 10 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [20992] (Microsoft Corporation)
     Winsock: Catalog5-x64 10 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
     Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
     ==================== Services (Whitelisted) =================
     S3 IGRS; C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe [38152 2009-07-14] (Lenovo Group Limited)
     S2 IHA_MessageCenter; C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [352248 2012-08-03] (Verizon)
     S3 Lenovo ReadyComm AppSvc; C:\Program Files\Lenovo\ReadyComm\AppSvc.exe [509192 2009-08-14] (Lenovo Group Limited)
     S3 Lenovo ReadyComm ConnSvc; C:\Program Files\Lenovo\ReadyComm\ConnSvc.exe [579400 2009-09-22] (Lenovo Group Limited)
     S2 McciCMService64; C:\Program Files\Common Files\Motive\McciCMService.exe [517632 2010-03-17] (Alcatel-Lucent)
     S2 NAV; C:\Program Files (x86)\Norton AntiVirus\Engine\18.7.1.3\diMaster.dll [262584 2011-03-31] (Symantec Corporation)
     S3 PS_MDP; C:\Program Files (x86)\Lenovo\ReadyComm\PS_MDP.dll [276296 2009-07-15] (Lenovo Group Limited)
     S2 ReadyComm.DirectRouter; C:\Program Files (x86)\Lenovo\ReadyComm\common\router.dll [103688 2009-07-14] (Lenovo Group Limited)
     ==================== Drivers (Whitelisted) ====================
     S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\BASHDefs\20110518.001\BHDrvx64.sys [1127032 2011-04-15] (Symantec Corporation)
     S3 Bridge0; C:\Windows\System32\drivers\WDBridge.sys [79376 2009-07-15] (Lenovo)
     S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [481912 2011-05-10] (Symantec Corporation)
     S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\IPSDefs\20110518.001\IDSvia64.sys [476792 2011-03-14] (Symantec Corporation)
     S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\VirusDefs\20110519.002\ENG64.SYS [117880 2011-05-17] (Symantec Corporation)
     S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\VirusDefs\20110519.002\EX64.SYS [2011768 2011-05-17] (Symantec Corporation)
     S3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2011-05-10] (Symantec Corporation)
     S3 wdmirror; C:\Windows\System32\DRIVERS\WDMirror.sys [11280 2009-07-16] (Lenovo)
     U3 BcmSqlStartupSvc;
     U2 IAStorDataMgrSvc;
     U2 IviRegMgr;
     U2 RichVideo;
     U3 SQLWriter;
     S3 SRTSP; \SystemRoot\System32\Drivers\NAVx64\1207010.003\SRTSP64.SYS [x]
     S1 SRTSPX; \SystemRoot\system32\drivers\NAVx64\1207010.003\SRTSPX64.SYS [x]
     R0 SymDS; system32\drivers\NAVx64\1207010.003\SYMDS64.SYS [x]
     R0 SymEFA; system32\drivers\NAVx64\1207010.003\SYMEFA64.SYS [x]
     S1 SymIRON; \SystemRoot\system32\drivers\NAVx64\1207010.003\Ironx64.SYS [x]
     S1 SymNetS; \SystemRoot\System32\Drivers\NAVx64\1207010.003\SYMNETS.SYS [x]
     ==================== NetSvcs (Whitelisted) ===================
     ==================== One Month Created Files and Folders ========
     2013-05-27 19:21 - 2013-05-27 19:21 - 00000000 ____D C:\FRST
     2013-05-27 09:50 - 2013-05-27 10:22 - 00000004 ____A C:\Users\Owner\AppData\Roaming\skype.ini
     2013-05-22 01:38 - 2013-05-22 10:50 - 00000000 ____D C:\Users\Owner\AppData\Local\Realtek
     2013-05-22 01:37 - 2013-05-22 01:37 - 00000000 ____D C:\Users\Owner\AppData\Local\Apps\Windows Live Writer
     2013-05-15 03:01 - 2013-04-05 02:52 - 02242048 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
     2013-05-15 03:01 - 2013-04-05 02:52 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
     2013-05-15 03:01 - 2013-04-05 02:52 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
     2013-05-15 03:01 - 2013-04-05 02:50 - 19231232 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
     2013-05-15 03:01 - 2013-04-05 02:50 - 15404032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
     2013-05-15 03:01 - 2013-04-05 02:50 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
     2013-05-15 03:01 - 2013-04-05 02:50 - 02647552 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
     2013-05-15 03:01 - 2013-04-05 02:50 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
     2013-05-15 03:01 - 2013-04-05 02:50 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
     2013-05-15 03:01 - 2013-04-05 02:50 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
     2013-05-15 03:01 - 2013-04-05 02:50 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
     2013-05-15 03:01 - 2013-04-05 02:50 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
     2013-05-15 03:01 - 2013-04-05 02:50 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
     2013-05-15 03:01 - 2013-04-05 02:50 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
     2013-05-15 03:01 - 2013-04-05 01:28 - 01767424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
     2013-05-15 03:01 - 2013-04-05 01:28 - 01130496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
     2013-05-15 03:01 - 2013-04-05 01:26 - 14323712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
     2013-05-15 03:01 - 2013-04-05 01:26 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
     2013-05-15 03:01 - 2013-04-05 01:26 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
     2013-05-15 03:01 - 2013-04-05 01:26 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
     2013-05-15 03:01 - 2013-04-05 01:26 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
     2013-05-15 03:01 - 2013-04-05 01:26 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
     2013-05-15 03:01 - 2013-04-05 01:26 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
     2013-05-15 03:01 - 2013-04-05 01:26 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
     2013-05-15 03:01 - 2013-04-05 01:26 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
     2013-05-15 03:01 - 2013-04-05 01:26 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
     2013-05-15 03:01 - 2013-04-05 01:26 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
     2013-05-15 03:01 - 2013-04-05 00:43 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
     2013-05-15 03:01 - 2013-04-05 00:29 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
     2013-05-15 03:01 - 2013-04-04 23:51 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
     2013-05-15 03:01 - 2013-04-04 23:38 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
     2013-05-14 20:37 - 2013-04-10 02:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
     2013-05-14 20:37 - 2013-04-10 02:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys
     2013-05-14 20:37 - 2011-02-03 07:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll
     2013-05-14 20:36 - 2013-04-09 23:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
     2013-05-14 20:36 - 2013-03-19 01:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll
     2013-05-14 20:36 - 2013-03-19 01:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll
     2013-05-14 20:36 - 2013-02-27 02:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe
     2013-05-14 20:36 - 2013-02-27 01:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
     2013-05-14 20:36 - 2013-02-27 01:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll
     2013-05-14 20:36 - 2013-02-27 01:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll
     2013-05-14 20:36 - 2013-02-27 01:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll
     2013-05-14 20:36 - 2013-02-27 00:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
     2013-05-14 20:36 - 2013-02-27 00:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll
     2013-05-14 20:36 - 2013-02-27 00:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
     2013-04-27 12:30 - 2013-04-27 12:30 - 00001502 ____A C:\ProgramData\SMRResults322.dat
     2013-04-27 12:04 - 2013-04-27 12:04 - 00000000 ____A C:\Users\Owner\spoolsv.exe
     2013-04-27 12:04 - 2013-04-27 12:04 - 00000000 ____A C:\Users\Owner\skype.exe
     2013-04-27 12:04 - 2013-04-27 12:04 - 00000000 ____A C:\Users\Owner\msconfig.exe
     ==================== One Month Modified Files and Folders =======
     2013-05-27 19:21 - 2013-05-27 19:21 - 00000000 ____D C:\FRST
     2013-05-27 10:22 - 2013-05-27 09:50 - 00000004 ____A C:\Users\Owner\AppData\Roaming\skype.ini
     2013-05-27 10:22 - 2011-11-23 00:59 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
     2013-05-27 10:21 - 2013-04-09 09:49 - 00001120 ____A C:\Windows\setupact.log
     2013-05-27 10:21 - 2013-04-09 09:39 - 00254551 ____A C:\FaceProv.log
     2013-05-27 10:21 - 2009-07-14 01:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
     2013-05-27 09:34 - 2011-11-23 00:59 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
     2013-05-27 09:06 - 2013-04-09 10:06 - 01290486 ____A C:\Windows\WindowsUpdate.log
     2013-05-22 10:50 - 2013-05-22 01:38 - 00000000 ____D C:\Users\Owner\AppData\Local\Realtek
     2013-05-22 01:37 - 2013-05-22 01:37 - 00000000 ____D C:\Users\Owner\AppData\Local\Apps\Windows Live Writer
     2013-05-22 01:37 - 2011-07-08 01:37 - 00000000 ____D C:\Users\Owner\AppData\Local\CrashDumps
     2013-05-18 23:08 - 2009-07-14 00:45 - 00013632 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
     2013-05-18 23:08 - 2009-07-14 00:45 - 00013632 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
     2013-05-15 04:39 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\rescache
     2013-05-15 03:37 - 2009-07-14 00:45 - 00282960 ____A C:\Windows\System32\FNTCACHE.DAT
     2013-05-15 03:09 - 2011-04-20
08:11 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe 2013-05-02 02:06 - 2011-04-20 06:59 - 00278800 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe 2013-04-28 04:01 - 2013-04-09 10:11 - 00005354 ____A C:\Windows\System32\PerfStringBackup.TMP 2013-04-27 12:30 - 2013-04-27 12:30 - 00001502 ____A C:\ProgramData\SMRResults322.dat 2013-04-27 12:30 - 2011-04-20 06:07 - 00000000 ____D C:\users\Owner 2013-04-27 12:28 - 2013-04-09 10:17 - 00000000 ____D C:\Users\Owner\AppData\Local\NPE 2013-04-27 12:04 - 2013-04-27 12:04 - 00000000 ____A C:\Users\Owner\spoolsv.exe 2013-04-27 12:04 - 2013-04-27 12:04 - 00000000 ____A C:\Users\Owner\skype.exe 2013-04-27 12:04 - 2013-04-27 12:04 - 00000000 ____A C:\Users\Owner\msconfig.exe Other Malware: =========== C:\Users\Owner\msconfig.exe C:\Users\Owner\skype.exe C:\Users\Owner\spoolsv.exe C:\Users\Owner\AppData\Roaming\skype.dat C:\Users\Owner\AppData\Roaming\skype.ini C:\ProgramData\SMRResults322.dat ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit Last Boot: 2013-05-24 02:09 ==================== End Of Log ============================
  8. Related to the MoneyPak virus, this is the FRST.txt file that it came up with.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 27-05-2013
Ran by Owner (administrator) on 27-05-2013 19:33:58
Running from E:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Safe Mode (minimal)

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Windows\system32\cmd.exe
(Farbar) E:\FRST64.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11448424 2010-08-20] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3 [2120808 2010-08-20] (Realtek Semiconductor)
HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1894696 2010-01-07] (Synaptics Incorporated)
HKLM\...\Run: [OnekeyStudio] C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe [776608 2009-12-18] (Lenovo)
HKLM\...\Run: [MRT] "C:\windows\system32\MRT.exe" /R [75016696 2013-05-15] (Microsoft Corporation)
HKCU\...\Run: [best Buy pc app] C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms [x]
HKCU\...\Run: [Realtek] Regsvr32.exe C:\Users\Owner\AppData\Local\Realtek\rhyiijlr.dll [681984 2013-05-22] (CANON INC.)
HKCU\...\RunOnce: [FlashPlayerUpdate] C:\windows\system32\Macromed\Flash\FlashUtil64_11_4_402_287_ActiveX.exe -update activex [421304 2012-10-21] (Adobe Systems Incorporated)
HKCU\...\Winlogon: [shell] explorer.exe,C:\Users\Owner\AppData\Roaming\skype.dat [146944 2011-11-17] (AutoRix Software LLC) <==== ATTENTION
HKLM-x32\...\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2010-07-19] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [439568 2010-05-10] (Microsoft Corporation)
HKLM-x32\...\Run: [updateP2GShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\5.0" [218408 2008-12-03] (CyberLink Corp.)
HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

==================== Internet (Whitelisted) ====================

BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO-x32: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\18.7.1.3\IPS\IPSBHO.DLL (Symantec Corporation)
BHO-x32: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Winsock: Catalog5 10 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [20992] (Microsoft Corporation)
Winsock: Catalog5-x64 10 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

==================== Services (Whitelisted) =================

S3 IGRS; C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe [38152 2009-07-14] (Lenovo Group Limited)
S2 IHA_MessageCenter; C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [352248 2012-08-03] (Verizon)
S3 Lenovo ReadyComm AppSvc; C:\Program Files\Lenovo\ReadyComm\AppSvc.exe [509192 2009-08-14] (Lenovo Group Limited)
S3 Lenovo ReadyComm ConnSvc; C:\Program Files\Lenovo\ReadyComm\ConnSvc.exe [579400 2009-09-22] (Lenovo Group Limited)
S2 McciCMService64; C:\Program Files\Common Files\Motive\McciCMService.exe [517632 2010-03-17] (Alcatel-Lucent)
S2 NAV; C:\Program Files (x86)\Norton AntiVirus\Engine\18.7.1.3\diMaster.dll [262584 2011-03-31] (Symantec Corporation)
S3 PS_MDP; C:\Program Files (x86)\Lenovo\ReadyComm\PS_MDP.dll [276296 2009-07-15] (Lenovo Group Limited)
S2 ReadyComm.DirectRouter; C:\Program Files (x86)\Lenovo\ReadyComm\common\router.dll [103688 2009-07-14] (Lenovo Group Limited)

==================== Drivers (Whitelisted) ====================

S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\BASHDefs\20110518.001\BHDrvx64.sys [1127032 2011-04-15] (Symantec Corporation)
S3 Bridge0; C:\Windows\System32\drivers\WDBridge.sys [79376 2009-07-15] (Lenovo)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [481912 2011-05-10] (Symantec Corporation)
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\IPSDefs\20110518.001\IDSvia64.sys [476792 2011-03-14] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\VirusDefs\20110519.002\ENG64.SYS [117880 2011-05-17] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\VirusDefs\20110519.002\EX64.SYS [2011768 2011-05-17] (Symantec Corporation)
S3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2011-05-10] (Symantec Corporation)
S3 wdmirror; C:\Windows\System32\DRIVERS\WDMirror.sys [11280 2009-07-16] (Lenovo)
U3 BcmSqlStartupSvc;
U2 IAStorDataMgrSvc;
U2 IviRegMgr;
U2 RichVideo;
U3 SQLWriter;
S3 SRTSP; \SystemRoot\System32\Drivers\NAVx64\1207010.003\SRTSP64.SYS [x]
S1 SRTSPX; \SystemRoot\system32\drivers\NAVx64\1207010.003\SRTSPX64.SYS [x]
R0 SymDS; system32\drivers\NAVx64\1207010.003\SYMDS64.SYS [x]
R0 SymEFA; system32\drivers\NAVx64\1207010.003\SYMEFA64.SYS [x]
S1 SymIRON; \SystemRoot\system32\drivers\NAVx64\1207010.003\Ironx64.SYS [x]
S1 SymNetS; \SystemRoot\System32\Drivers\NAVx64\1207010.003\SYMNETS.SYS [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-27 19:21 - 2013-05-27 19:21 - 00000000 ____D C:\FRST
2013-05-27 09:50 - 2013-05-27 10:22 - 00000004 ____A C:\Users\Owner\AppData\Roaming\skype.ini
2013-05-22 01:38 - 2013-05-22 10:50 - 00000000 ____D C:\Users\Owner\AppData\Local\Realtek
2013-05-22 01:37 - 2013-05-22 01:37 - 00000000 ____D C:\Users\Owner\AppData\Local\Apps\Windows Live Writer
2013-05-15 03:01 - 2013-04-05 02:52 - 02242048 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-05-15 03:01 - 2013-04-05 02:52 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-05-15 03:01 - 2013-04-05 02:52 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-05-15 03:01 - 2013-04-05 02:50 - 19231232 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-05-15 03:01 - 2013-04-05 02:50 - 15404032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-05-15 03:01 - 2013-04-05 02:50 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-05-15 03:01 - 2013-04-05 02:50 - 02647552 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-05-15 03:01 - 2013-04-05 02:50 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-05-15 03:01 - 2013-04-05 02:50 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-05-15 03:01 - 2013-04-05 02:50 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-05-15 03:01 - 2013-04-05 02:50 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-05-15 03:01 - 2013-04-05 02:50 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-05-15 03:01 - 2013-04-05 02:50 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-05-15 03:01 - 2013-04-05 02:50 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-05-15 03:01 - 2013-04-05 01:28 - 01767424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-05-15 03:01 - 2013-04-05 01:28 - 01130496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-05-15 03:01 - 2013-04-05 01:26 - 14323712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-05-15 03:01 - 2013-04-05 01:26 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-05-15 03:01 - 2013-04-05 01:26 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-05-15 03:01 - 2013-04-05 01:26 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-05-15 03:01 - 2013-04-05 01:26 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-05-15 03:01 - 2013-04-05 01:26 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-05-15 03:01 - 2013-04-05 01:26 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-05-15 03:01 - 2013-04-05 01:26 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-05-15 03:01 - 2013-04-05 01:26 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-05-15 03:01 - 2013-04-05 01:26 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-05-15 03:01 - 2013-04-05 01:26 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-05-15 03:01 - 2013-04-05 00:43 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-05-15 03:01 - 2013-04-05 00:29 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-05-15 03:01 - 2013-04-04 23:51 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-05-15 03:01 - 2013-04-04 23:38 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-05-14 20:37 - 2013-04-10 02:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-05-14 20:37 - 2013-04-10 02:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys
2013-05-14 20:37 - 2011-02-03 07:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll
2013-05-14 20:36 - 2013-04-09 23:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-05-14 20:36 - 2013-03-19 01:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll
2013-05-14 20:36 - 2013-03-19 01:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll
2013-05-14 20:36 - 2013-02-27 02:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe
2013-05-14 20:36 - 2013-02-27 01:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2013-05-14 20:36 - 2013-02-27 01:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll
2013-05-14 20:36 - 2013-02-27 01:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll
2013-05-14 20:36 - 2013-02-27 01:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll
2013-05-14 20:36 - 2013-02-27 00:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2013-05-14 20:36 - 2013-02-27 00:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll
2013-05-14 20:36 - 2013-02-27 00:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2013-04-27 12:30 - 2013-04-27 12:30 - 00001502 ____A C:\ProgramData\SMRResults322.dat
2013-04-27 12:04 - 2013-04-27 12:04 - 00000000 ____A C:\Users\Owner\spoolsv.exe
2013-04-27 12:04 - 2013-04-27 12:04 - 00000000 ____A C:\Users\Owner\skype.exe
2013-04-27 12:04 - 2013-04-27 12:04 - 00000000 ____A C:\Users\Owner\msconfig.exe

==================== One Month Modified Files and Folders =======

2013-05-27 19:21 - 2013-05-27 19:21 - 00000000 ____D C:\FRST
2013-05-27 10:22 - 2013-05-27 09:50 - 00000004 ____A C:\Users\Owner\AppData\Roaming\skype.ini
2013-05-27 10:22 - 2011-11-23 00:59 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-27 10:21 - 2013-04-09 09:49 - 00001120 ____A C:\Windows\setupact.log
2013-05-27 10:21 - 2013-04-09 09:39 - 00254551 ____A C:\FaceProv.log
2013-05-27 10:21 - 2009-07-14 01:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-27 09:34 - 2011-11-23 00:59 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-27 09:06 - 2013-04-09 10:06 - 01290486 ____A C:\Windows\WindowsUpdate.log
2013-05-22 10:50 - 2013-05-22 01:38 - 00000000 ____D C:\Users\Owner\AppData\Local\Realtek
2013-05-22 01:37 - 2013-05-22 01:37 - 00000000 ____D C:\Users\Owner\AppData\Local\Apps\Windows Live Writer
2013-05-22 01:37 - 2011-07-08 01:37 - 00000000 ____D C:\Users\Owner\AppData\Local\CrashDumps
2013-05-18 23:08 - 2009-07-14 00:45 - 00013632 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-18 23:08 - 2009-07-14 00:45 - 00013632 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-15 04:39 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\rescache
2013-05-15 03:37 - 2009-07-14 00:45 - 00282960 ____A C:\Windows\System32\FNTCACHE.DAT
2013-05-15 03:09 - 2011-04-20 08:11 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-05-02 02:06 - 2011-04-20 06:59 - 00278800 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-04-28 04:01 - 2013-04-09 10:11 - 00005354 ____A C:\Windows\System32\PerfStringBackup.TMP
2013-04-27 12:30 - 2013-04-27 12:30 - 00001502 ____A C:\ProgramData\SMRResults322.dat
2013-04-27 12:30 - 2011-04-20 06:07 - 00000000 ____D C:\users\Owner
2013-04-27 12:28 - 2013-04-09 10:17 - 00000000 ____D C:\Users\Owner\AppData\Local\NPE
2013-04-27 12:04 - 2013-04-27 12:04 - 00000000 ____A C:\Users\Owner\spoolsv.exe
2013-04-27 12:04 - 2013-04-27 12:04 - 00000000 ____A C:\Users\Owner\skype.exe
2013-04-27 12:04 - 2013-04-27 12:04 - 00000000 ____A C:\Users\Owner\msconfig.exe

Other Malware:
===========
C:\Users\Owner\msconfig.exe
C:\Users\Owner\skype.exe
C:\Users\Owner\spoolsv.exe
C:\Users\Owner\AppData\Roaming\skype.dat
C:\Users\Owner\AppData\Roaming\skype.ini
C:\ProgramData\SMRResults322.dat

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

Last Boot: 2013-05-24 02:09

==================== End Of Log ============================