
FBI Moneypak Ransomware - $200 version



Hi,

I'm a Windows 7 user with a nasty FBI virus infection. I seem to be able to operate in safe mode with networking. I have run Malwarebytes Anti-Malware a few times; a full scan is running now. I've tried a system restore but it got hung up for over an hour without completing. I've also tried manually removing files, but the files identified by some sources as the offenders (0_0u_l.exe, ch810.exe, etc.) do not seem to be on my machine. I'm a modestly capable PC user, but I've exhausted my skills with this. I'd greatly appreciate any help!


Welcome to the forum, see if you can do this >>>>>>

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

    Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:

    services.exe

  • Now press the Search button
  • When the search is complete, search.txt will also be written to your USB
  • Type exit and reboot the computer normally
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).

MrC


Hi,

Thanks for your help. The files are copied below. After following all instructions and rebooting the virus is still there.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02-12-2012

Ran by SYSTEM at 05-12-2012 21:17:37

Running from K:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [dleamon.exe] "C:\Program Files (x86)\Dell V310-V510 Series\dleamon.exe" [770728 2010-01-18] ()

HKLM\...\Run: [EzPrint] "C:\Program Files (x86)\Dell V310-V510 Series\ezprint.exe" [139944 2010-01-18] ()

HKLM\...\Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe [319488 2006-11-03] (PixArt Imaging Incorporation)

HKLM-x32\...\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\vdeck.exe [2243584 2009-07-28] (VIA)

HKLM-x32\...\Run: [startCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-06-14] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m [1779952 2009-09-11] ()

HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-06-24] (CyberLink Corp.)

HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()

HKLM-x32\...\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [206064 2009-05-21] (SupportSoft, Inc.)

HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)

HKLM-x32\...\Run: [Google Desktop Search] "C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" /startup [30192 2010-07-28] (Google)

HKLM-x32\...\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)

HKLM-x32\...\Run: [Nikon Transfer Monitor] C:\Program Files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe [479232 2009-09-15] (Nikon Corporation)

HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1535112 2012-09-12] (McAfee, Inc.)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)

HKU\horton\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [4280184 2012-03-08] (Microsoft Corporation)

HKU\horton\...\Run: [MoneyAgent] "C:\Program Files (x86)\Microsoft Money\System\mnyexpr.exe" [200704 2003-06-18] (Microsoft Corp.)

HKU\horton\...\Run: [Google Update] "C:\Users\horton\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-09-02] (Google Inc.)

HKU\horton\...\Run: [Creative MediaSource Go] "C:\Program Files (x86)\Creative\MediaSource5\Go\CTCMSGoU.exe" /SCB [204800 2006-11-09] (Creative Technology Ltd)

HKU\horton\...\Run: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart [16070136 2012-11-08] (Google)

HKU\horton\...\Run: [] C:\Users\horton\pmnekdjhfb.exe [103424 2012-12-04] ()

HKLM-x32\...\RunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe [165104 2009-09-17] (Softthinks)

HKLM-x32\...\RunOnce: [sTToasterLauncher] C:\program files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe [120048 2009-09-17] ()

HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [766536 2012-09-29] (Malwarebytes Corporation)

HKLM-x32\...\Runonce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [x]

Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk

ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk

ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

Startup: C:\Users\horton\Start Menu\Programs\Startup\Dell Dock.lnk

ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

Startup: C:\Users\horton\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ===================

2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)

2 dleaCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\dleaserv.exe [33448 2010-01-07] ()

2 dlea_device; C:\Windows\system32\dleacoms.exe -service [1052328 2010-01-07] ( )

2 dlea_device; C:\Windows\SysWow64\dleacoms.exe -service [598696 2010-01-07] ( )

3 GoogleDesktopManager-051210-111108; "C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" [30192 2010-07-28] (Google)

2 McAfee SiteAdvisor Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

2 mcmscsvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

2 McNaiAnn; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

2 McNASvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

3 McODS; "C:\Program Files\McAfee\VirusScan\mcods.exe" [383608 2012-09-10] (McAfee, Inc.)

2 McProxy; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [237920 2012-07-17] (McAfee, Inc.)

2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [218320 2012-07-17] (McAfee, Inc.)

2 mfevtp; "C:\Windows\system32\mfevtps.exe" [177144 2012-07-17] (McAfee, Inc.)

==================== Drivers (Whitelisted) =====================

3 cfwids; C:\Windows\System32\Drivers\cfwids.sys [69672 2012-07-17] (McAfee, Inc.)

3 HipShieldK; C:\Windows\System32\Drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)

3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [169320 2012-07-17] (McAfee, Inc.)

3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [300392 2012-07-17] (McAfee, Inc.)

3 mfefirek; C:\Windows\System32\Drivers\mfefirek.sys [513456 2012-07-17] (McAfee, Inc.)

0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [752672 2012-07-17] (McAfee, Inc.)

3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [106112 2012-07-17] (McAfee, Inc.)

0 mfewfpk; C:\Windows\System32\Drivers\mfewfpk.sys [335784 2012-07-17] (McAfee, Inc.)

3 PAC207; C:\Windows\System32\DRIVERS\PFC027.SYS [572416 2006-12-05] (PixArt Imaging Inc.)

3 usbbus; C:\Windows\System32\DRIVERS\lgx64bus.sys [17920 2010-01-21] (LG Electronics Inc.)

3 UsbDiag; C:\Windows\System32\DRIVERS\lgx64diag.sys [27648 2010-01-21] (LG Electronics Inc.)

3 USBModem; C:\Windows\System32\DRIVERS\lgx64modem.sys [33280 2010-01-21] (LG Electronics Inc.)

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-12-04 19:12 - 2012-12-04 19:12 - 00001071 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-12-04 19:12 - 2012-12-04 19:12 - 00001071 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk

2012-12-04 12:01 - 2012-12-04 12:01 - 00103424 ____A C:\Users\horton\pmnekdjhfb.exe

2012-12-04 12:01 - 2012-12-04 12:01 - 00078848 ____A C:\Users\horton\nnnsmmxeouusw.exe

2012-11-30 21:13 - 2012-12-02 12:58 - 00000000 ____D C:\Users\horton\Local Settings\PokerStars.NET

2012-11-30 21:13 - 2012-12-02 12:58 - 00000000 ____D C:\Users\horton\Local Settings\Application Data\PokerStars.NET

2012-11-30 21:13 - 2012-12-02 12:58 - 00000000 ____D C:\Users\horton\AppData\Local\PokerStars.NET

2012-11-30 21:13 - 2012-11-30 21:13 - 00001055 ____A C:\Users\Public\Desktop\PokerStars.net.lnk

2012-11-30 21:13 - 2012-11-30 21:13 - 00001055 ____A C:\Users\All Users\Desktop\PokerStars.net.lnk

2012-11-30 21:13 - 2012-11-30 21:13 - 00000000 ____D C:\Program Files (x86)\PokerStars.NET

2012-11-29 09:48 - 2012-12-04 11:51 - 00000000 ____D C:\Users\horton\Local Settings\Application Data\{5486E65F-168C-42CD-824E-AAF4EEE8C28E}

2012-11-29 09:48 - 2012-12-04 11:51 - 00000000 ____D C:\Users\horton\Local Settings\{5486E65F-168C-42CD-824E-AAF4EEE8C28E}

2012-11-29 09:48 - 2012-12-04 11:51 - 00000000 ____D C:\Users\horton\AppData\Local\{5486E65F-168C-42CD-824E-AAF4EEE8C28E}

2012-11-26 14:45 - 2012-11-28 19:15 - 00000000 ____D C:\Users\horton\Local Settings\Application Data\{636D3B7A-D581-4639-BE04-4001497E9B77}

2012-11-26 14:45 - 2012-11-28 19:15 - 00000000 ____D C:\Users\horton\Local Settings\{636D3B7A-D581-4639-BE04-4001497E9B77}

2012-11-26 14:45 - 2012-11-28 19:15 - 00000000 ____D C:\Users\horton\AppData\Local\{636D3B7A-D581-4639-BE04-4001497E9B77}

2012-11-25 17:18 - 2012-11-25 17:18 - 00001025 ____A C:\Windows\SysWOW64\wuar9ys.tgz

2012-11-25 17:18 - 2012-11-25 17:18 - 00000000 ____D C:\Users\horton\Local Settings\Curl Corporation

2012-11-25 17:18 - 2012-11-25 17:18 - 00000000 ____D C:\Users\horton\Local Settings\Application Data\Curl Corporation

2012-11-25 17:18 - 2012-11-25 17:18 - 00000000 ____D C:\Users\horton\Application Data\Curl Corporation

2012-11-25 17:18 - 2012-11-25 17:18 - 00000000 ____D C:\Users\horton\AppData\Roaming\Curl Corporation

2012-11-25 17:18 - 2012-11-25 17:18 - 00000000 ____D C:\Users\horton\AppData\Local\Curl Corporation

2012-11-25 17:18 - 2012-11-25 17:18 - 00000000 ____D C:\Program Files (x86)\Curl Corporation

2012-11-22 06:11 - 2012-11-25 20:34 - 00000000 ____D C:\Users\horton\Local Settings\Application Data\{30FB0D7E-1DDC-4F66-8031-4EC8658BAC49}

2012-11-22 06:11 - 2012-11-25 20:34 - 00000000 ____D C:\Users\horton\Local Settings\{30FB0D7E-1DDC-4F66-8031-4EC8658BAC49}

2012-11-22 06:11 - 2012-11-25 20:34 - 00000000 ____D C:\Users\horton\AppData\Local\{30FB0D7E-1DDC-4F66-8031-4EC8658BAC49}

2012-11-20 20:33 - 2012-11-20 20:33 - 00000375 ____A C:\Users\horton\Downloads\TigerData.csv

2012-11-20 20:24 - 2012-11-20 20:24 - 00000000 ____D C:\Users\horton\Local Settings\Unity

2012-11-20 20:24 - 2012-11-20 20:24 - 00000000 ____D C:\Users\horton\Local Settings\Application Data\Unity

2012-11-20 20:24 - 2012-11-20 20:24 - 00000000 ____D C:\Users\horton\AppData\Local\Unity

2012-11-20 20:23 - 2012-11-20 20:23 - 00643896 ____A (Unity Technologies ApS) C:\Users\horton\Downloads\UnityWebPlayer.exe

2012-11-20 20:23 - 2012-11-20 20:23 - 00643896 ____A (Unity Technologies ApS) C:\Users\horton\Downloads\UnityWebPlayer (1).exe

2012-11-20 18:25 - 2012-04-20 15:40 - 00196440 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\HipShieldK.sys

2012-11-17 17:59 - 2012-11-21 13:00 - 00000000 ____D C:\Users\horton\Local Settings\Application Data\{EDD58DF3-A08D-48BC-8422-54EA545CF5B9}

2012-11-17 17:59 - 2012-11-21 13:00 - 00000000 ____D C:\Users\horton\Local Settings\{EDD58DF3-A08D-48BC-8422-54EA545CF5B9}

2012-11-17 17:59 - 2012-11-21 13:00 - 00000000 ____D C:\Users\horton\AppData\Local\{EDD58DF3-A08D-48BC-8422-54EA545CF5B9}

2012-11-14 06:58 - 2012-11-17 05:59 - 00000000 ____D C:\Users\horton\Local Settings\Application Data\{FCC22AAA-385B-485A-9915-7D58B063F856}

2012-11-14 06:58 - 2012-11-17 05:59 - 00000000 ____D C:\Users\horton\Local Settings\{FCC22AAA-385B-485A-9915-7D58B063F856}

2012-11-14 06:58 - 2012-11-17 05:59 - 00000000 ____D C:\Users\horton\AppData\Local\{FCC22AAA-385B-485A-9915-7D58B063F856}

2012-11-14 02:12 - 2012-07-25 22:55 - 00785512 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys

2012-11-14 02:12 - 2012-07-25 22:55 - 00054376 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WdfLdr.sys

2012-11-14 02:12 - 2012-07-25 20:36 - 00009728 ____A (Microsoft Corporation) C:\Windows\System32\Wdfres.dll

2012-11-14 02:12 - 2012-06-02 08:35 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf

2012-11-14 02:06 - 2012-10-08 05:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-11-14 02:06 - 2012-10-08 05:24 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-11-14 02:06 - 2012-10-08 05:23 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-11-14 02:06 - 2012-10-08 05:22 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-11-14 02:06 - 2012-10-08 05:22 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-11-14 02:06 - 2012-10-08 05:20 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-11-14 02:06 - 2012-10-08 05:18 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-11-14 02:06 - 2012-10-08 05:17 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-11-14 02:06 - 2012-10-08 05:17 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2012-11-14 02:06 - 2012-10-08 05:15 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2012-11-14 02:06 - 2012-10-08 05:13 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-11-14 02:06 - 2012-10-08 05:13 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-11-14 02:06 - 2012-10-08 05:09 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-11-14 02:06 - 2012-10-08 01:56 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-11-14 02:06 - 2012-10-08 01:48 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-11-14 02:06 - 2012-10-08 01:48 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-11-14 02:06 - 2012-10-08 01:47 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-11-14 02:06 - 2012-10-08 01:46 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-11-14 02:06 - 2012-10-08 01:44 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-11-14 02:06 - 2012-10-08 01:43 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-11-14 02:06 - 2012-10-08 01:43 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2012-11-14 02:06 - 2012-10-08 01:42 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2012-11-14 02:06 - 2012-10-08 01:41 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-11-14 02:06 - 2012-10-08 01:40 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-11-14 02:06 - 2012-10-08 01:37 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-11-14 02:05 - 2012-10-08 06:19 - 17811968 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-11-14 02:05 - 2012-10-08 05:42 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-11-14 02:05 - 2012-10-08 05:15 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-11-14 02:05 - 2012-10-08 02:28 - 12320768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-11-14 02:05 - 2012-10-08 02:02 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-11-14 02:05 - 2012-10-08 01:45 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-11-14 02:05 - 2012-10-08 01:41 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-11-14 02:02 - 2012-07-25 21:08 - 00744448 ____A (Microsoft Corporation) C:\Windows\System32\WUDFx.dll

2012-11-14 02:02 - 2012-07-25 21:08 - 00229888 ____A (Microsoft Corporation) C:\Windows\System32\WUDFHost.exe

2012-11-14 02:02 - 2012-07-25 21:08 - 00194048 ____A (Microsoft Corporation) C:\Windows\System32\WUDFPlatform.dll

2012-11-14 02:02 - 2012-07-25 21:08 - 00084992 ____A (Microsoft Corporation) C:\Windows\System32\WUDFSvc.dll

2012-11-14 02:02 - 2012-07-25 21:08 - 00045056 ____A (Microsoft Corporation) C:\Windows\System32\WUDFCoinstaller.dll

2012-11-14 02:02 - 2012-07-25 20:26 - 00198656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFRd.sys

2012-11-14 02:02 - 2012-07-25 20:26 - 00087040 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFPf.sys

2012-11-14 02:02 - 2012-06-02 08:57 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf

2012-11-13 15:04 - 2012-10-18 12:25 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-11-13 15:04 - 2012-10-09 12:17 - 00226816 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcore6.dll

2012-11-13 15:04 - 2012-10-09 12:17 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcsvc6.dll

2012-11-13 15:04 - 2012-10-09 11:40 - 00193536 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcore6.dll

2012-11-13 15:04 - 2012-10-09 11:40 - 00044032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcsvc6.dll

2012-11-13 15:04 - 2012-10-03 11:56 - 01914248 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

2012-11-13 15:04 - 2012-10-03 11:44 - 00303104 ____A (Microsoft Corporation) C:\Windows\System32\nlasvc.dll

2012-11-13 15:04 - 2012-10-03 11:44 - 00246272 ____A (Microsoft Corporation) C:\Windows\System32\netcorehc.dll

2012-11-13 15:04 - 2012-10-03 11:44 - 00216576 ____A (Microsoft Corporation) C:\Windows\System32\ncsi.dll

2012-11-13 15:04 - 2012-10-03 11:44 - 00070656 ____A (Microsoft Corporation) C:\Windows\System32\nlaapi.dll

2012-11-13 15:04 - 2012-10-03 11:44 - 00018944 ____A (Microsoft Corporation) C:\Windows\System32\netevent.dll

2012-11-13 15:04 - 2012-10-03 11:42 - 00569344 ____A (Microsoft Corporation) C:\Windows\System32\iphlpsvc.dll

2012-11-13 15:04 - 2012-10-03 10:42 - 00175104 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netcorehc.dll

2012-11-13 15:04 - 2012-10-03 10:42 - 00156672 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll

2012-11-13 15:04 - 2012-10-03 10:42 - 00018944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netevent.dll

2012-11-13 15:04 - 2012-10-03 10:07 - 00045568 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys

2012-11-13 15:04 - 2012-01-13 01:12 - 00052224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll

2012-11-13 15:03 - 2012-09-25 16:47 - 00078336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\synceng.dll

2012-11-13 15:03 - 2012-09-25 16:46 - 00095744 ____A (Microsoft Corporation) C:\Windows\System32\synceng.dll

==================== One Month Modified Files and Folders =======

2012-12-05 21:16 - 2012-12-05 21:16 - 00000000 ____D C:\FRST

2012-12-05 18:32 - 2011-04-16 21:32 - 00001830 ____A C:\Users\Public\Desktop\McAfee AntiVirus Plus.lnk

2012-12-05 18:32 - 2011-04-16 21:32 - 00001830 ____A C:\Users\All Users\Desktop\McAfee AntiVirus Plus.lnk

2012-12-05 17:29 - 2009-07-13 23:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI

2012-12-05 17:04 - 2009-07-13 23:10 - 01610314 ____A C:\Windows\WindowsUpdate.log

2012-12-05 06:01 - 2011-01-10 18:04 - 00000519 ____A C:\Windows\demdata.txt

2012-12-04 21:00 - 2012-09-18 05:34 - 00000000 ___SD C:\Users\horton\Google Drive

2012-12-04 20:59 - 2010-02-26 08:43 - 00000000 ____D C:\Users\horton\Tracing

2012-12-04 20:59 - 2010-02-18 16:28 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup

2012-12-04 20:58 - 2011-10-26 19:58 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-12-04 20:58 - 2011-04-16 21:16 - 00000416 ____A C:\Windows\Tasks\vtscheduletask.job

2012-12-04 20:58 - 2010-05-06 19:56 - 00040565 ____A C:\Users\All Users\dleascan.log

2012-12-04 20:58 - 2010-05-06 19:56 - 00040565 ____A C:\Users\All Users\Application Data\dleascan.log

2012-12-04 20:58 - 2010-02-25 18:19 - 00000000 ____D C:\Users\horton\Local Settings\SoftThinks

2012-12-04 20:58 - 2010-02-25 18:19 - 00000000 ____D C:\Users\horton\Local Settings\Application Data\SoftThinks

2012-12-04 20:58 - 2010-02-25 18:19 - 00000000 ____D C:\Users\horton\AppData\Local\SoftThinks

2012-12-04 20:58 - 2010-02-18 18:14 - 00522912 ____A C:\Windows\PFRO.log

2012-12-04 20:58 - 2010-02-18 16:45 - 00000072 ____A C:\Windows\SysWOW64\ToasterLauncherLog.log

2012-12-04 20:58 - 2009-07-13 23:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-12-04 20:58 - 2009-07-13 22:51 - 00216097 ____A C:\Windows\setupact.log

2012-12-04 19:12 - 2012-12-04 19:12 - 00001071 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-12-04 19:12 - 2012-12-04 19:12 - 00001071 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk

2012-12-04 19:12 - 2010-07-19 16:00 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-12-04 17:02 - 2012-05-20 11:41 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-12-04 17:02 - 2011-10-26 19:58 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-12-04 17:02 - 2010-09-02 17:34 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3759047393-1638677309-226871114-1001UA.job

2012-12-04 13:04 - 2010-02-25 18:57 - 00000000 ____D C:\Users\horton\afiles

2012-12-04 12:01 - 2012-12-04 12:01 - 00103424 ____A C:\Users\horton\pmnekdjhfb.exe

2012-12-04 12:01 - 2012-12-04 12:01 - 00078848 ____A C:\Users\horton\nnnsmmxeouusw.exe

2012-12-04 12:01 - 2010-02-25 18:19 - 00000000 ____D C:\users\horton

2012-12-04 11:51 - 2012-11-29 09:48 - 00000000 ____D C:\Users\horton\Local Settings\Application Data\{5486E65F-168C-42CD-824E-AAF4EEE8C28E}

2012-12-04 11:51 - 2012-11-29 09:48 - 00000000 ____D C:\Users\horton\Local Settings\{5486E65F-168C-42CD-824E-AAF4EEE8C28E}

2012-12-04 11:51 - 2012-11-29 09:48 - 00000000 ____D C:\Users\horton\AppData\Local\{5486E65F-168C-42CD-824E-AAF4EEE8C28E}

2012-12-04 07:41 - 2010-09-02 17:34 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3759047393-1638677309-226871114-1001Core.job

2012-12-04 06:27 - 2009-07-13 22:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-12-04 06:27 - 2009-07-13 22:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-12-02 12:58 - 2012-11-30 21:13 - 00000000 ____D C:\Users\horton\Local Settings\PokerStars.NET

2012-12-02 12:58 - 2012-11-30 21:13 - 00000000 ____D C:\Users\horton\Local Settings\Application Data\PokerStars.NET

2012-12-02 12:58 - 2012-11-30 21:13 - 00000000 ____D C:\Users\horton\AppData\Local\PokerStars.NET

2012-12-01 10:46 - 2010-03-02 22:02 - 00000000 ____D C:\Users\horton\Local Settings\PokerStars

2012-12-01 10:46 - 2010-03-02 22:02 - 00000000 ____D C:\Users\horton\Local Settings\Application Data\PokerStars

2012-12-01 10:46 - 2010-03-02 22:02 - 00000000 ____D C:\Users\horton\AppData\Local\PokerStars

2012-12-01 08:09 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\System32\NDF

2012-11-30 21:13 - 2012-11-30 21:13 - 00001055 ____A C:\Users\Public\Desktop\PokerStars.net.lnk

2012-11-30 21:13 - 2012-11-30 21:13 - 00001055 ____A C:\Users\All Users\Desktop\PokerStars.net.lnk

2012-11-30 21:13 - 2012-11-30 21:13 - 00000000 ____D C:\Program Files (x86)\PokerStars.NET

2012-11-30 10:53 - 2009-07-13 23:32 - 00000000 ____D C:\Windows\System32\FxsTmp

2012-11-29 16:04 - 2011-10-26 19:59 - 00002336 ____A C:\Users\Public\Desktop\Google Chrome.lnk

2012-11-29 16:04 - 2011-10-26 19:59 - 00002336 ____A C:\Users\All Users\Desktop\Google Chrome.lnk

2012-11-29 02:56 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\rescache

2012-11-28 19:15 - 2012-11-26 14:45 - 00000000 ____D C:\Users\horton\Local Settings\Application Data\{636D3B7A-D581-4639-BE04-4001497E9B77}

2012-11-28 19:15 - 2012-11-26 14:45 - 00000000 ____D C:\Users\horton\Local Settings\{636D3B7A-D581-4639-BE04-4001497E9B77}

2012-11-28 19:15 - 2012-11-26 14:45 - 00000000 ____D C:\Users\horton\AppData\Local\{636D3B7A-D581-4639-BE04-4001497E9B77}

2012-11-25 20:34 - 2012-11-22 06:11 - 00000000 ____D C:\Users\horton\Local Settings\Application Data\{30FB0D7E-1DDC-4F66-8031-4EC8658BAC49}

2012-11-25 20:34 - 2012-11-22 06:11 - 00000000 ____D C:\Users\horton\Local Settings\{30FB0D7E-1DDC-4F66-8031-4EC8658BAC49}

2012-11-25 20:34 - 2012-11-22 06:11 - 00000000 ____D C:\Users\horton\AppData\Local\{30FB0D7E-1DDC-4F66-8031-4EC8658BAC49}

2012-11-25 17:18 - 2012-11-25 17:18 - 00001025 ____A C:\Windows\SysWOW64\wuar9ys.tgz

2012-11-25 17:18 - 2012-11-25 17:18 - 00000000 ____D C:\Users\horton\Local Settings\Curl Corporation

2012-11-25 17:18 - 2012-11-25 17:18 - 00000000 ____D C:\Users\horton\Local Settings\Application Data\Curl Corporation

2012-11-25 17:18 - 2012-11-25 17:18 - 00000000 ____D C:\Users\horton\Application Data\Curl Corporation

2012-11-25 17:18 - 2012-11-25 17:18 - 00000000 ____D C:\Users\horton\AppData\Roaming\Curl Corporation

2012-11-25 17:18 - 2012-11-25 17:18 - 00000000 ____D C:\Users\horton\AppData\Local\Curl Corporation

2012-11-25 17:18 - 2012-11-25 17:18 - 00000000 ____D C:\Program Files (x86)\Curl Corporation

2012-11-25 17:18 - 2012-10-10 16:29 - 00001025 ____A C:\Windows\SysWOW64\wuar9ys.dll

2012-11-25 17:18 - 2012-10-10 16:29 - 00001025 ____A C:\Windows\SysWOW64\grcauth2.dll

2012-11-25 17:18 - 2012-10-10 16:29 - 00001025 ____A C:\Windows\SysWOW64\grcauth1.dll

2012-11-25 17:18 - 2012-10-10 16:29 - 00001025 ____A C:\Windows\SysWOW64\clauth2.dll

2012-11-25 17:18 - 2012-10-10 16:29 - 00001025 ____A C:\Windows\SysWOW64\clauth1.dll

2012-11-25 17:18 - 2012-10-10 16:29 - 00000218 ____A C:\Windows\SysWOW64\s4wab4p.tgz

2012-11-25 17:18 - 2012-10-10 16:29 - 00000204 ____A C:\Windows\SysWOW64\s4wab4p.dll

2012-11-25 17:18 - 2012-10-10 16:29 - 00000114 ____A C:\Windows\SysWOW64\prsgrc.tgz

2012-11-25 17:18 - 2012-10-10 16:29 - 00000100 ____A C:\Windows\SysWOW64\prsgrc.dll

2012-11-25 17:18 - 2012-10-10 16:29 - 00000086 ____A C:\Windows\SysWOW64\ssprs.tgz

2012-11-25 17:18 - 2012-10-10 16:29 - 00000072 ____A C:\Windows\SysWOW64\ssprs.dll

2012-11-25 17:18 - 2012-10-10 16:29 - 00000000 ____A C:\Windows\SysWOW64\serauth2.dll

2012-11-25 17:18 - 2012-10-10 16:29 - 00000000 ____A C:\Windows\SysWOW64\serauth1.dll

2012-11-25 17:18 - 2012-10-10 16:29 - 00000000 ____A C:\Windows\SysWOW64\nsprs.tgz

2012-11-25 17:18 - 2012-10-10 16:29 - 00000000 ____A C:\Windows\SysWOW64\nsprs.dll

2012-11-21 17:22 - 2011-04-16 21:14 - 00000000 ____D C:\Program Files\Common Files\McAfee

2012-11-21 13:00 - 2012-11-17 17:59 - 00000000 ____D C:\Users\horton\Local Settings\Application Data\{EDD58DF3-A08D-48BC-8422-54EA545CF5B9}

2012-11-21 13:00 - 2012-11-17 17:59 - 00000000 ____D C:\Users\horton\Local Settings\{EDD58DF3-A08D-48BC-8422-54EA545CF5B9}

2012-11-21 13:00 - 2012-11-17 17:59 - 00000000 ____D C:\Users\horton\AppData\Local\{EDD58DF3-A08D-48BC-8422-54EA545CF5B9}

2012-11-20 20:38 - 2010-02-25 18:47 - 00000000 ____D C:\Users\All Users\Microsoft Help

2012-11-20 20:38 - 2010-02-25 18:47 - 00000000 ____D C:\Users\All Users\Application Data\Microsoft Help

2012-11-20 20:33 - 2012-11-20 20:33 - 00000375 ____A C:\Users\horton\Downloads\TigerData.csv

2012-11-20 20:24 - 2012-11-20 20:24 - 00000000 ____D C:\Users\horton\Local Settings\Unity

2012-11-20 20:24 - 2012-11-20 20:24 - 00000000 ____D C:\Users\horton\Local Settings\Application Data\Unity

2012-11-20 20:24 - 2012-11-20 20:24 - 00000000 ____D C:\Users\horton\AppData\Local\Unity

2012-11-20 20:23 - 2012-11-20 20:23 - 00643896 ____A (Unity Technologies ApS) C:\Users\horton\Downloads\UnityWebPlayer.exe

2012-11-20 20:23 - 2012-11-20 20:23 - 00643896 ____A (Unity Technologies ApS) C:\Users\horton\Downloads\UnityWebPlayer (1).exe

2012-11-20 18:25 - 2010-02-18 16:40 - 00000000 ____D C:\Users\All Users\McAfee

2012-11-20 18:25 - 2010-02-18 16:40 - 00000000 ____D C:\Users\All Users\Application Data\McAfee

2012-11-20 18:25 - 2010-02-18 16:40 - 00000000 ____D C:\Program Files\McAfee

2012-11-20 18:25 - 2010-02-18 16:39 - 00000000 ____D C:\Program Files (x86)\McAfee

2012-11-17 05:59 - 2012-11-14 06:58 - 00000000 ____D C:\Users\horton\Local Settings\Application Data\{FCC22AAA-385B-485A-9915-7D58B063F856}

2012-11-17 05:59 - 2012-11-14 06:58 - 00000000 ____D C:\Users\horton\Local Settings\{FCC22AAA-385B-485A-9915-7D58B063F856}

2012-11-17 05:59 - 2012-11-14 06:58 - 00000000 ____D C:\Users\horton\AppData\Local\{FCC22AAA-385B-485A-9915-7D58B063F856}

2012-11-14 06:57 - 2010-02-25 18:19 - 00147576 ____A C:\Users\horton\Local Settings\GDIPFONTCACHEV1.DAT

2012-11-14 06:57 - 2010-02-25 18:19 - 00147576 ____A C:\Users\horton\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2012-11-14 06:57 - 2010-02-25 18:19 - 00147576 ____A C:\Users\horton\AppData\Local\GDIPFONTCACHEV1.DAT

2012-11-14 02:35 - 2009-07-13 22:45 - 00507752 ____A C:\Windows\System32\FNTCACHE.DAT

2012-11-14 02:03 - 2010-03-03 16:20 - 66395536 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-11-14 02:01 - 2009-07-13 20:34 - 00000603 ____A C:\Windows\win.ini

2012-11-13 14:48 - 2012-11-01 20:24 - 00000000 ____D C:\Users\horton\Local Settings\Application Data\{0B3AEF7A-66F7-4798-9206-8EFAD3DA1357}

2012-11-13 14:48 - 2012-11-01 20:24 - 00000000 ____D C:\Users\horton\Local Settings\{0B3AEF7A-66F7-4798-9206-8EFAD3DA1357}

2012-11-13 14:48 - 2012-11-01 20:24 - 00000000 ____D C:\Users\horton\AppData\Local\{0B3AEF7A-66F7-4798-9206-8EFAD3DA1357}

2012-11-09 20:37 - 2010-09-23 17:58 - 00000000 ____D C:\Users\horton\My Documents\My Scans

2012-11-09 20:37 - 2010-09-23 17:58 - 00000000 ____D C:\Users\horton\Documents\My Scans

2012-11-06 20:40 - 2012-05-20 20:12 - 00000000 ____D C:\Users\horton\Application Data\HpUpdate

2012-11-06 20:40 - 2012-05-20 20:12 - 00000000 ____D C:\Users\horton\AppData\Roaming\HpUpdate

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-11 10:09:18

Restore point made on: 2012-11-14 02:01:16

Restore point made on: 2012-11-21 17:59:52

Restore point made on: 2012-11-25 17:17:33

Restore point made on: 2012-11-29 02:00:35

==================== Memory info ===========================

Percentage of memory in use: 12%

Total physical RAM: 5887.12 MB

Available physical RAM: 5178.84 MB

Total Pagefile: 5885.27 MB

Available Pagefile: 5167.32 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:683.95 GB) (Free:467.98 GB) NTFS

8 Drive j: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:9.1 GB) NTFS ==>[system with boot components (obtained from reading drive)]

9 Drive k: (KINGSTON) (Removable) (Total:1.92 GB) (Free:1.92 GB) FAT

10 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 698 GB 0 B

Disk 1 No Media 0 B 0 B

Disk 2 No Media 0 B 0 B

Disk 3 No Media 0 B 0 B

Disk 4 No Media 0 B 0 B

Disk 5 No Media 0 B 0 B

Disk 6 Online 1967 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 39 MB 31 KB

Partition 2 Primary 14 GB 40 MB

Partition 3 Primary 683 GB 14 GB

==================================================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 9 FAT Partition 39 MB Healthy Hidden

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 J RECOVERY NTFS Partition 14 GB Healthy

=========================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C OS NTFS Partition 683 GB Healthy

=========================================================

Partitions of Disk 6:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 1967 MB 16 KB

==================================================================================

Disk: 6

Partition 1

Type : 0E

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 8 K KINGSTON FAT Removable 1967 MB Healthy

=========================================================

Last Boot: 2012-11-25 08:37

==================== End Of Log =============================

Farbar Recovery Scan Tool (x64) Version: 02-12-2012

Ran by SYSTEM at 2012-12-05 21:19:22

Running from K:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 17:19] - [2009-07-13 19:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 17:19] - [2009-07-13 19:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======


Please use the default font when responding and posting logs!!!!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: now please enter System Recovery Options (as you did before).

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

MrC


Done. Here's the log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-12-2012

Ran by SYSTEM at 2012-12-05 22:32:22 Run:1

Running from K:\

==============================================

HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.

C:\Users\horton\pmnekdjhfb.exe moved successfully.

C:\Users\horton\nnnsmmxeouusw.exe moved successfully.

C:\Windows\SysWOW64\wuar9ys.tgz moved successfully.

C:\Windows\Tasks\vtscheduletask.job moved successfully.

==== End of Fixlog ====


Good, we still have some more work to do.

I'm gone for tonight...be back in the AM

But please do this............

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


MrC,

Done. It took a long time (>1 hour). I did indeed get the "Illegal operation attempted..." error, which made me briefly think all of my Windows programs were gone, but then I read your note carefully :-). Here's the log. What's next?

ComboFix 12-12-04.01 - horton 12/06/2012 8:33.1.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5887.3981 [GMT -5:00]

Running from: c:\users\horton\Downloads\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}

FW: McAfee Firewall *Disabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}

SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\SPL149B.tmp

c:\programdata\SPL3EBB.tmp

c:\programdata\SPL7C15.tmp

c:\users\horton\AppData\Local\{AD49C81E-BFEF-4B31-B522-DAAEB5773701}

c:\users\horton\AppData\Local\{AD49C81E-BFEF-4B31-B522-DAAEB5773701}\chrome.manifest

c:\users\horton\AppData\Local\{AD49C81E-BFEF-4B31-B522-DAAEB5773701}\chrome\content\_cfg.js

c:\users\horton\AppData\Local\{AD49C81E-BFEF-4B31-B522-DAAEB5773701}\chrome\content\overlay.xul

c:\users\horton\AppData\Local\{AD49C81E-BFEF-4B31-B522-DAAEB5773701}\install.rdf

c:\users\horton\AppData\Local\Temp\_MEI13002\_ctypes.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\_elementtree.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\_hashlib.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\_socket.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\_ssl.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\pyexpat.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\pysqlite2._sqlite.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\python26.dll

c:\users\horton\AppData\Local\Temp\_MEI13002\pythoncom26.dll

c:\users\horton\AppData\Local\Temp\_MEI13002\PyWinTypes26.dll

c:\users\horton\AppData\Local\Temp\_MEI13002\select.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\unicodedata.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\win32api.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\win32com.shell.shell.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\win32crypt.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\win32event.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\win32file.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\win32inet.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\win32pdh.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\win32process.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\win32profile.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\win32security.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\win32ts.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\windows._cacheinvalidation.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\wx._controls_.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\wx._core_.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\wx._gdi_.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\wx._html2.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\wx._misc_.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\wx._windows_.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\wx._wizard.pyd

c:\users\horton\AppData\Local\Temp\_MEI13002\wxbase293u_net_vc.dll

c:\users\horton\AppData\Local\Temp\_MEI13002\wxbase293u_vc.dll

c:\users\horton\AppData\Local\Temp\_MEI13002\wxmsw293u_adv_vc.dll

c:\users\horton\AppData\Local\Temp\_MEI13002\wxmsw293u_core_vc.dll

c:\users\horton\AppData\Local\Temp\_MEI13002\wxmsw293u_html_vc.dll

c:\users\horton\AppData\Local\Temp\_MEI13002\wxmsw293u_webview_vc.dll

c:\windows\SysWow64\nsprs.dll

c:\windows\SysWow64\prsgrc.dll

c:\windows\SysWow64\s4wab4p.dll

c:\windows\SysWow64\serauth1.dll

c:\windows\SysWow64\serauth2.dll

c:\windows\SysWow64\ssprs.dll

.

.

((((((((((((((((((((((((( Files Created from 2012-11-06 to 2012-12-06 )))))))))))))))))))))))))))))))

.

.

2012-12-06 14:20 . 2012-12-06 14:20 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-12-06 03:16 . 2012-12-06 03:16 -------- d-----w- C:\FRST

2012-12-01 03:13 . 2012-12-02 18:58 -------- d-----w- c:\users\horton\AppData\Local\PokerStars.NET

2012-12-01 03:13 . 2012-12-01 03:13 -------- d-----w- c:\program files (x86)\PokerStars.NET

2012-11-25 23:18 . 2012-11-25 23:18 -------- d-----w- c:\users\horton\AppData\Roaming\Curl Corporation

2012-11-25 23:18 . 2012-11-25 23:18 -------- d-----w- c:\users\horton\AppData\Local\Curl Corporation

2012-11-25 23:18 . 2012-11-25 23:18 -------- d-----w- c:\program files (x86)\Curl Corporation

2012-11-21 02:24 . 2012-11-21 02:24 -------- d-----w- c:\users\horton\AppData\Local\Unity

2012-11-21 00:25 . 2012-04-20 21:40 196440 ----a-w- c:\windows\system32\drivers\HipShieldK.sys

2012-11-14 08:12 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys

2012-11-14 08:12 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys

2012-11-14 08:12 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui

2012-11-14 08:12 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll

2012-11-14 08:05 . 2012-10-08 11:26 887296 ----a-w- c:\program files\Internet Explorer\iedvtool.dll

2012-11-14 08:05 . 2012-10-08 11:25 499200 ----a-w- c:\program files\Internet Explorer\jsdbgui.dll

2012-11-14 08:05 . 2012-10-08 11:15 2144768 ----a-w- c:\windows\system32\iertutil.dll

2012-11-14 08:05 . 2012-10-08 07:50 678912 ----a-w- c:\program files (x86)\Internet Explorer\iedvtool.dll

2012-11-14 08:05 . 2012-10-08 07:49 387584 ----a-w- c:\program files (x86)\Internet Explorer\jsdbgui.dll

2012-11-14 08:05 . 2012-10-08 12:19 17811968 ----a-w- c:\windows\system32\mshtml.dll

2012-11-14 08:05 . 2012-10-08 11:42 10925568 ----a-w- c:\windows\system32\ieframe.dll

2012-11-14 08:02 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe

2012-11-14 08:02 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll

2012-11-14 08:02 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll

2012-11-14 08:02 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll

2012-11-14 08:02 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll

2012-11-14 08:02 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys

2012-11-14 08:02 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys

2012-11-13 21:03 . 2012-09-25 22:47 78336 ----a-w- c:\windows\SysWow64\synceng.dll

2012-11-13 21:03 . 2012-09-25 22:46 95744 ----a-w- c:\windows\system32\synceng.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-11-14 08:03 . 2010-03-03 22:20 66395536 ----a-w- c:\windows\system32\MRT.exe

2012-10-31 20:10 . 2012-10-31 20:10 829264 ----a-w- c:\windows\system32\msvcr100.dll

2012-10-31 20:10 . 2012-10-31 20:10 773968 ----a-w- c:\windows\SysWow64\msvcr100.dll

2012-10-31 20:10 . 2012-10-31 20:10 421200 ----a-w- c:\windows\SysWow64\msvcp100.dll

2012-10-31 20:10 . 2012-10-31 20:10 158536 ----a-w- c:\windows\system32\atl100.dll

2012-10-31 20:10 . 2012-10-31 20:10 138056 ----a-w- c:\windows\SysWow64\atl100.dll

2012-10-16 08:38 . 2012-11-28 10:26 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2012-10-16 08:38 . 2012-11-28 10:26 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2012-10-16 07:39 . 2012-11-28 10:26 561664 ----a-w- c:\windows\apppatch\AcLayers.dll

2012-10-09 03:27 . 2012-05-20 17:41 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-10-09 03:27 . 2011-06-30 22:00 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-09-30 00:54 . 2010-07-19 22:00 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-14 19:19 . 2012-10-10 22:27 2048 ----a-w- c:\windows\system32\tzres.dll

2012-09-14 18:28 . 2012-10-10 22:27 2048 ----a-w- c:\windows\SysWow64\tzres.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MoneyAgent"="c:\program files (x86)\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

"Creative MediaSource Go"="c:\program files (x86)\Creative\MediaSource5\Go\CTCMSGoU.exe" [2006-11-09 204800]

"GoogleDriveSync"="c:\program files (x86)\Google\Drive\googledrivesync.exe" [2012-11-08 16070136]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\vdeck.exe" [2009-07-28 2243584]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-06-15 98304]

"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2009-09-11 1779952]

"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]

"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]

"DellSupportCenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]

"Google Desktop Search"="c:\program files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-28 30192]

"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]

"Nikon Transfer Monitor"="c:\program files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe" [2009-09-15 479232]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-09-12 1535112]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]

"Launcher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe" [2009-09-17 165104]

.

c:\users\horton\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-9-21 1316192]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-23 270336]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-9-21 1316192]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

"AppInit_DLLs"=c:\progra~2\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 dleaCATSCustConnectService;dleaCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\dleaserv.exe [2010-01-07 33448]

R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [2010-11-03 35840]

R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]

R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files (x86)\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-28 30192]

R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-04-20 196440]

R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-07-17 106112]

R3 PAC207;SoC PC-Camera;c:\windows\system32\DRIVERS\PFC027.SYS [2006-12-05 572416]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-05 1255736]

S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2012-07-17 335784]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-06-15 203264]

S2 dlea_device;dlea_device;c:\windows\system32\dleacoms.exe [2010-01-07 1052328]

S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 201304]

S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 201304]

S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 201304]

S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2012-07-17 218320]

S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-07-17 177144]

S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2009-09-17 656624]

S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-07-17 69672]

S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-07-17 513456]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-05-23 215040]

S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-07-25 1224704]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

*Deregistered* - mfeavfk01

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-06 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-20 03:27]

.

2012-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-27 01:58]

.

2012-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-27 01:58]

.

2012-12-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3759047393-1638677309-226871114-1001Core.job

- c:\users\horton\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-02 23:34]

.

2012-12-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3759047393-1638677309-226871114-1001UA.job

- c:\users\horton\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-02 23:34]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]

2012-11-08 21:58 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]

2012-11-08 21:58 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]

2012-11-08 21:58 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]

2012-11-08 21:58 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"dleamon.exe"="c:\program files (x86)\Dell V310-V510 Series\dleamon.exe" [2010-01-18 770728]

"EzPrint"="c:\program files (x86)\Dell V310-V510 Series\ezprint.exe" [2010-01-18 139944]

"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.yahoo.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office12\EXCEL.EXE/3000

Trusted Zone: internet

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 192.168.1.1

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Toolbar-Locked - (no file)

AddRemove-Shockwave - c:\windows\System32\Macromed\SHOCKW~1\UNWISE.EXE

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\windows\SysWOW64\rundll32.exe

c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe

c:\program files (x86)\Dell Support Center\bin\sprtsvc.exe

.

**************************************************************************

.

Completion time: 2012-12-06 09:39:15 - machine was rebooted

ComboFix-quarantined-files.txt 2012-12-06 14:39

.

Pre-Run: 508,801,236,992 bytes free

Post-Run: 510,711,951,360 bytes free

.

- - End Of File - - 43A9EC87A47E8B312B89C4A20C8F47E2


Please download AdwCleaner from here and save it on your Desktop.

  1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- denotes the number of times the application has been run, so in this case it should be something like R1.

MrC


Thanks MrC. Here's the log.

# AdwCleaner v2.011 - Logfile created 12/07/2012 at 17:00:07

# Updated 02/12/2012 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : horton - HORTON-PC

# Boot Mode : Normal

# Running from : C:\Users\horton\Downloads\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}

Key Found : HKLM\Software\Freeze.com

Key Found : HKLM\SOFTWARE\Software

Key Found : HKU\S-1-5-21-3759047393-1638677309-226871114-1001\Software\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16455

[OK] Registry is clean.

-\\ Google Chrome v23.0.1271.95

File : C:\Users\horton\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [999 octets] - [07/12/2012 17:00:07]

########## EOF - C:\AdwCleaner[R1].txt - [1058 octets] ##########


Great

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!

MrC


Done; here's the log:

Results of screen317's Security Check version 0.99.56

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

McAfee Anti-Virus and Anti-Spyware

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.1.1000

Java 6 Update 31

Java version out of Date!

Adobe Reader 9 Adobe Reader out of Date!

Google Chrome 21.0.1180.83

Google Chrome 21.0.1180.89

Google Chrome 22.0.1229.79

Google Chrome 22.0.1229.92

Google Chrome 22.0.1229.94

Google Chrome 23.0.1271.64

Google Chrome 23.0.1271.91

Google Chrome 23.0.1271.95

````````Process Check: objlist.exe by Laurent````````

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 0%

````````````````````End of Log``````````````````````


Java™ 6 Update 31 <---please uninstall from add/remove programs

Java version out of Date! <-------Download and install the latest version from Here

Adobe Reader 9 Adobe Reader out of Date! <---please check for an update

You have outdated programs on the system which are vulnerable to malware.

Please update or uninstall them

Info on doing that can be found in my Preventive Maintenance

~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC
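The Security Check log above is what MrC is reading when he flags the outdated Java and Adobe Reader installs and the long list of Google Chrome entries. The script below is an added example, not part of the thread and not part of screen317's Security Check tool: it parses a log in that layout and reports the products the tool marked out of date, plus any product that appears with more than one version (in a Security Check log that usually means old version folders were left behind after updates). The sample log is constructed from the format of the one posted here, and the parsing rules (the "out of Date!" marker, the backtick section banners, the "name version" line shape) are assumptions about that format.

```python
"""Flag outdated software in a screen317 Security Check log.

Added example for this thread; not code from the thread or from the
Security Check tool. The parsing rules below are assumptions drawn from
the layout of the log posted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample log, modelled on the one posted in the thread.
SAMPLE_LOG = """\
Results of screen317's Security Check version 0.99.56
Windows 7 Service Pack 1 x64 (UAC is enabled)
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
Java 6 Update 31
Java version out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Google Chrome 21.0.1180.83
Google Chrome 23.0.1271.95
````````Process Check: objlist.exe by Laurent````````
"""

OUT_OF_DATE = "out of Date!"
SECTION_START = "Anti-malware/Other Utilities Check"
# "<product name> <dotted version>" lines, e.g. "Google Chrome 21.0.1180.83"
VERSION_LINE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z ]*?)\s+(?P<ver>\d+(?:\.\d+)+)$")


def _product_from_marker(text, last_product):
    """Recover the product name from the text before 'out of Date!'.

    Security Check writes either "<Name> version out of Date!" (the product
    is the preceding line, e.g. "Java 6 Update 31") or repeats the name,
    e.g. "Adobe Reader 9 Adobe Reader out of Date!" -> "Adobe Reader 9".
    """
    if text.endswith(" version"):
        return last_product
    words = text.split()
    for k in range(1, len(words)):
        if words[-k:] == words[:k]:
            return " ".join(words[:-k])
    return text


def parse_security_check(log_text):
    """Return {'outdated': [...], 'multiple_versions': {name: [versions]}}."""
    outdated = []
    versions = defaultdict(list)
    in_section = False
    last_product = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_START in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("````"):
            break  # next backtick banner ends the utilities section
        if line.endswith(OUT_OF_DATE):
            before = line[: -len(OUT_OF_DATE)].strip()
            outdated.append(_product_from_marker(before, last_product))
            continue
        m = VERSION_LINE.match(line)
        if m:
            name = m.group("name").removesuffix(" version").strip()
            versions[name].append(m.group("ver"))
        last_product = line
    multiple = {n: v for n, v in versions.items() if len(v) > 1}
    return {"outdated": outdated, "multiple_versions": multiple}


if __name__ == "__main__":
    report = parse_security_check(SAMPLE_LOG)
    for product in report["outdated"]:
        print("OUT OF DATE:", product)
    for name, vers in report["multiple_versions"].items():
        print("MULTIPLE VERSIONS:", name, "->", ", ".join(vers))
```

Run against the constructed sample it lists Java 6 Update 31 and Adobe Reader 9 as out of date and reports Google Chrome twice, which is exactly the triage MrC does by eye a few posts up; point it at a real checkup.txt to get the same summary for another machine.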


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
