Jump to content

FBI Moneypak removal brickwall


Recommended Posts

Hello,

I saw previous posts stating to start a new thread per each individual with an issue so here is mine. I have a really nasty FBI Moneypak version that I can't get rid of on my own. I've gotten these takeover viruses twice before and was able to access run command for Rkill and then Malwarebytes. Not this time :(

* I believe the infected computer is Windows 7 Professional - 64 bit.

I can access safe mode options via F8, however I am unable to access run feature or explorer via Safe Mode with command or Networking. I have even tried to click the Windows button trick mentioned as working for others 2-3 seconds before the virus takes over and it didn't work for me either.

Can someone help me get to the step to be able to run Malwarebytes and whatever else is required? Please suggest options that only require USB and not a CD as the computer I'm writing this from can't burn CDs.

Thank you

Link to post
Share on other sites

Welcome to the forum.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:


    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt

[*]Select Command Prompt

[*]In the command window type in notepad and press Enter.

[*]The notepad opens. Under File menu select Open.

[*]Select "Computer" and find your flash drive letter and close the notepad.

[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

Note: Replace letter e with the drive letter of your flash drive.

[*]The tool will start to run.

[*]When the tool opens click Yes to disclaimer.

[*]Press Scan button.

[*]FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:

services.exe

[*]Now press the Search button

[*]When the search is complete, search.txt will also be written to your USB

[*]Type exit and reboot the computer normally

[*]Please copy and paste both logs in your reply.(FRST.txt and Search.txt)

MrC

Link to post
Share on other sites

FRST log:

-----------------------------------------------------------------------------------------------------------------

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 09-01-2013

Ran by SYSTEM at 14-01-2013 11:39:04

Running from H:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet004

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s [11369576 2010-08-10] (Realtek Semiconductor)

HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [2588968 2010-11-12] (ELAN Microelectronics Corp.)

HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [446392 2012-01-30] (Adobe Systems Incorporated)

HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2818856 2011-08-25] (Synaptics Incorporated)

HKLM-x32\...\Run: [HP Software Update] "C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [49208 2010-06-09] (Hewlett-Packard)

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-10-11] (Apple Inc.)

HKLM-x32\...\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin [406992 2010-02-22] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [switchBoard] "C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [517096 2010-02-19] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [T-Mobile webConnect Manager] "C:\Program Files (x86)\T-Mobile\webConnect Manager\TMobileCM.exe" -a [23584 2009-12-14] (T-Mobile)

HKLM-x32\...\Run: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot [296096 2012-09-24] (RealNetworks, Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)

HKLM-x32\...\Run: [searchProtection] "C:\ProgramData\Search Protection\_run.bat" [x]

HKLM-x32\...\Run: [Ad-Aware Antivirus] "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher" --windows-run [x]

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)

HKU\Owner\...\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe" [9728 2009-07-13] (Microsoft Corporation)

HKU\Owner\...\Run: [AdobeBridge] [x]

HKU\Owner\...\Run: [starfield Updater] "C:\Users\Owner\AppData\Local\Workspace\WorkspaceUpdate.exe" [34496 2011-12-11] ()

HKU\Owner\...\Run: [og_fehuborr] C:\Users\Owner\AppData\Roaming\_gzysxapmk [x]

HKU\Owner\...\Policies\system: [DisableTaskMgr] 1

HKU\UpdatusUser\...\Run: [sidebar] "%ProgramFiles%\Windows Sidebar\Sidebar.exe" /autoRun [1475584 2010-11-20] (Microsoft Corporation)

HKU\UpdatusUser\...\RunOnce: [mctadmin] "C:\Windows\System32\mctadmin.exe" [97280 2009-07-13] (Microsoft Corporation)

HKLM-x32\...\Winlogon: [userinit] C:\Windows\SysWOW64\userinit.exe [26624 2010-11-20] (Microsoft Corporation)

HKLM\...\Winlogon: [shell] explorer.exe, C:\ProgramData\_gzysxapmk [x ] ()

AppInit_DLLs: c:\windows\system32\nvinitx.dll

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\SRS Premium Sound.lnk

ShortcutTarget: SRS Premium Sound.lnk -> C:\windows\Installer\{340BE65B-7621-4B0B-B0F9-DBCCD8D70887}\NewShortcut5_21C7B668029A47458B27645FE6E4A715.exe (Acresso Software Inc.)

Startup: C:\Users\Classic .NET AppPool\Start Menu\Programs\Startup\Best Buy pc app.lnk

ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy pc app.lnk

ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy pc app.lnk

ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

Startup: C:\Users\DefaultAppPool\Start Menu\Programs\Startup\Best Buy pc app.lnk

ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

Startup: C:\Users\Owner\Start Menu\Programs\Startup\Yahoo! Widgets.lnk

ShortcutTarget: Yahoo! Widgets.lnk -> C:\Program Files (x86)\Yahoo!\Widgets\YahooWidgets.exe (Yahoo! Inc.)

==================== Services (Whitelisted) ===================

2 Ad-Aware Service; "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe" [1236368 2012-11-21] (Lavasoft Limited)

3 CATmobile; "C:\Program Files (x86)\T-Mobile\webConnect Manager\conappssvc.exe" /n "CATmobile" [124184 2009-12-08] (SmithMicro Inc.)

2 File Backup; C:\Program Files (x86)\Workspace\offSyncService.exe [1187600 2012-01-05] (Starfield Technologies)

2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [108904 2012-12-21] (SurfRight B.V.)

3 MsDepSvc; "C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe" -runService:MsDepSvc [63304 2011-02-04] (Microsoft Corporation)

3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-10-18] ()

2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [247152 2009-07-07] ()

2 SBAMSvc; "C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe" [3677000 2012-09-20] (GFI Software)

3 TMobileRcAppSvc; "C:\Program Files (x86)\T-Mobile\webConnect Manager\RcAppSvc.exe" /n "TMobileRcAppSvc" [120088 2009-12-08] (SmithMicro Inc.)

2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)

2 W3SVC; C:\Windows\SysWow64\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)

2 WebFarmService; "C:\Program Files\IIS\Microsoft Web Farm Framework\WebFarmService.exe" [15640 2011-01-20] (Microsoft Corporation)

==================== Drivers (Whitelisted) =====================

3 ewusbnet; C:\Windows\System32\Drivers\ewusbnet.sys [243200 2009-10-21] (Huawei Technologies Co., Ltd.)

3 gfiark; C:\Windows\System32\Drivers\gfiark.sys [38096 2012-12-17] (GFI Software)

0 gfibto; C:\Windows\System32\Drivers\gfibto.sys [14456 2012-11-25] (GFI Software)

2 MySQL; "C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld" --defaults-file="C:\Program Files\MySQL\MySQL Server 5.1\my.ini" MySQL [8916 2011-02-23] ()

3 PCTINDIS5X64; \??\C:\windows\system32\PCTINDIS5X64.SYS [43032 2009-12-08] (Smith Micro Inc.)

3 rtport; C:\Windows\SysWow64\Drivers\rtport.sys [15144 2011-01-06] (Windows ® 2003 DDK 3790 provider)

1 SBRE; \??\C:\windows\system32\drivers\SBREdrv.sys [57976 2011-10-26] (GFI Software)

2 TurboB; C:\Windows\System32\Drivers\TurboB.sys [13832 2010-04-16] ()

2 WinFLdrv; C:\Windows\SysWow64\WinFLdrv.sys [21888 2011-05-18] ()

3 WinVd32; \??\C:\windows\WinVd32.sys [197728 2011-05-18] ()

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2013-01-11 17:19 - 2013-01-13 17:51 - 00153088 ____A (Eventys Co. Ltd.) C:\Users\Owner\AppData\Roaming\_gzysxapmk.exe

2013-01-11 16:53 - 2013-01-13 17:51 - 00153088 ____A (Eventys Co. Ltd.) C:\Users\Owner\AppData\Local\_gzysxapmk.exe

2013-01-11 16:53 - 2013-01-13 17:46 - 00153088 ____A (Eventys Co. Ltd.) C:\Users\All Users\_gzysxapmk.exe

2013-01-09 13:22 - 2013-01-09 13:22 - 00000000 ____D C:\Users\All Users\Webroot

2013-01-09 08:20 - 2013-01-09 08:21 - 00000000 ___RD C:\Program Files (x86)\Skype

2013-01-09 08:10 - 2013-01-09 08:11 - 29290672 ____A (Skype Technologies S.A.) C:\Users\Owner\Downloads\SkypeSetupFull.exe

2013-01-09 07:12 - 2012-12-07 05:20 - 00441856 ____A (Microsoft Corporation) C:\Windows\System32\Wpc.dll

2013-01-09 07:12 - 2012-12-07 05:15 - 02746368 ____A (Microsoft Corporation) C:\Windows\System32\gameux.dll

2013-01-09 07:12 - 2012-12-07 04:26 - 00308736 ____A (Microsoft Corporation) C:\Windows\SysWOW64\Wpc.dll

2013-01-09 07:12 - 2012-12-07 04:20 - 02576384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gameux.dll

2013-01-09 07:12 - 2012-12-07 03:20 - 00045568 ____A (Microsoft) C:\Windows\System32\oflc-nz.rs

2013-01-09 07:12 - 2012-12-07 03:20 - 00044544 ____A (Microsoft) C:\Windows\System32\pegibbfc.rs

2013-01-09 07:12 - 2012-12-07 03:20 - 00043520 ____A (Microsoft) C:\Windows\System32\csrr.rs

2013-01-09 07:12 - 2012-12-07 03:20 - 00030720 ____A (Microsoft) C:\Windows\System32\usk.rs

2013-01-09 07:12 - 2012-12-07 03:20 - 00023552 ____A (Microsoft) C:\Windows\System32\oflc.rs

2013-01-09 07:12 - 2012-12-07 03:20 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-pt.rs

2013-01-09 07:12 - 2012-12-07 03:20 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-fi.rs

2013-01-09 07:12 - 2012-12-07 03:19 - 00055296 ____A (Microsoft) C:\Windows\System32\cero.rs

2013-01-09 07:12 - 2012-12-07 03:19 - 00051712 ____A (Microsoft) C:\Windows\System32\esrb.rs

2013-01-09 07:12 - 2012-12-07 03:19 - 00046592 ____A (Microsoft) C:\Windows\System32\fpb.rs

2013-01-09 07:12 - 2012-12-07 03:19 - 00040960 ____A (Microsoft) C:\Windows\System32\cob-au.rs

2013-01-09 07:12 - 2012-12-07 03:19 - 00021504 ____A (Microsoft) C:\Windows\System32\grb.rs

2013-01-09 07:12 - 2012-12-07 03:19 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi.rs

2013-01-09 07:12 - 2012-12-07 03:19 - 00015360 ____A (Microsoft) C:\Windows\System32\djctq.rs

2013-01-09 07:12 - 2012-12-07 02:46 - 00055296 ____A (Microsoft) C:\Windows\SysWOW64\cero.rs

2013-01-09 07:12 - 2012-12-07 02:46 - 00051712 ____A (Microsoft) C:\Windows\SysWOW64\esrb.rs

2013-01-09 07:12 - 2012-12-07 02:46 - 00046592 ____A (Microsoft) C:\Windows\SysWOW64\fpb.rs

2013-01-09 07:12 - 2012-12-07 02:46 - 00045568 ____A (Microsoft) C:\Windows\SysWOW64\oflc-nz.rs

2013-01-09 07:12 - 2012-12-07 02:46 - 00044544 ____A (Microsoft) C:\Windows\SysWOW64\pegibbfc.rs

2013-01-09 07:12 - 2012-12-07 02:46 - 00043520 ____A (Microsoft) C:\Windows\SysWOW64\csrr.rs

2013-01-09 07:12 - 2012-12-07 02:46 - 00040960 ____A (Microsoft) C:\Windows\SysWOW64\cob-au.rs

2013-01-09 07:12 - 2012-12-07 02:46 - 00030720 ____A (Microsoft) C:\Windows\SysWOW64\usk.rs

2013-01-09 07:12 - 2012-12-07 02:46 - 00023552 ____A (Microsoft) C:\Windows\SysWOW64\oflc.rs

2013-01-09 07:12 - 2012-12-07 02:46 - 00021504 ____A (Microsoft) C:\Windows\SysWOW64\grb.rs

2013-01-09 07:12 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-pt.rs

2013-01-09 07:12 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-fi.rs

2013-01-09 07:12 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi.rs

2013-01-09 07:12 - 2012-12-07 02:46 - 00015360 ____A (Microsoft) C:\Windows\SysWOW64\djctq.rs

2013-01-09 07:12 - 2012-11-21 21:44 - 00800768 ____A (Microsoft Corporation) C:\Windows\System32\usp10.dll

2013-01-09 07:12 - 2012-11-21 20:45 - 00626688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\usp10.dll

2013-01-09 07:12 - 2012-11-19 21:48 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2013-01-09 07:12 - 2012-11-19 20:51 - 00220160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2013-01-09 07:12 - 2012-11-08 21:45 - 00750592 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll

2013-01-09 07:12 - 2012-11-08 20:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll

2013-01-09 07:12 - 2012-10-31 21:43 - 02002432 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2013-01-09 07:12 - 2012-10-31 21:43 - 01882624 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2013-01-09 07:12 - 2012-10-31 20:47 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2013-01-09 07:12 - 2012-10-31 20:47 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2013-01-09 07:11 - 2012-11-29 21:45 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll

2013-01-09 07:11 - 2012-11-29 21:45 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll

2013-01-09 07:11 - 2012-11-29 21:45 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll

2013-01-09 07:11 - 2012-11-29 21:45 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll

2013-01-09 07:11 - 2012-11-29 21:43 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll

2013-01-09 07:11 - 2012-11-29 21:41 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll

2013-01-09 07:11 - 2012-11-29 21:41 - 00424448 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:54 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll

2013-01-09 07:11 - 2012-11-29 20:53 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll

2013-01-09 07:11 - 2012-11-29 20:53 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 19:23 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe

2013-01-09 07:11 - 2012-11-29 18:44 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe

2013-01-09 07:11 - 2012-11-29 18:44 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll

2013-01-09 07:11 - 2012-11-29 18:44 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe

2013-01-09 07:11 - 2012-11-29 18:44 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe

2013-01-09 07:11 - 2012-11-29 18:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 18:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 18:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 18:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll

2013-01-09 07:11 - 2012-11-29 15:17 - 00420064 ____A C:\Windows\SysWOW64\locale.nls

2013-01-09 07:11 - 2012-11-29 15:15 - 00420064 ____A C:\Windows\System32\locale.nls

2013-01-09 07:11 - 2012-11-22 19:26 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-01-09 07:11 - 2012-11-22 19:13 - 00068608 ____A (Microsoft Corporation) C:\Windows\System32\taskhost.exe

2012-12-23 07:18 - 2012-12-16 09:11 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll

2012-12-23 07:18 - 2012-12-16 06:45 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll

2012-12-23 07:18 - 2012-12-16 06:13 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll

2012-12-23 07:18 - 2012-12-16 06:13 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll

2012-12-21 14:00 - 2012-12-21 14:00 - 00000000 ____D C:\Users\Owner\Documents\Sony PMB

2012-12-21 14:00 - 2012-12-21 14:00 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Sony Corporation

2012-12-20 16:41 - 2012-12-20 16:47 - 127011424 ____A (Sony Corporation) C:\Users\Owner\Downloads\PMHOME_2000.EXE

2012-12-17 19:31 - 2012-12-18 13:48 - 00000000 ____D C:\Users\Owner\Desktop\New Camera

==================== One Month Modified Files and Folders =======

2013-01-14 11:26 - 2013-01-14 11:26 - 00000000 ____D C:\FRST

2013-01-13 17:58 - 2010-12-02 17:16 - 01836078 ____A C:\Windows\WindowsUpdate.log

2013-01-13 17:55 - 2009-07-13 21:13 - 00952288 ____A C:\Windows\System32\PerfStringBackup.INI

2013-01-13 17:53 - 2012-09-22 17:45 - 00001868 ____A C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk

2013-01-13 17:53 - 2011-12-11 16:09 - 00187066 ____A C:\Users\Owner\Documents\WorkspaceUpdate.log

2013-01-13 17:53 - 2011-12-11 16:07 - 01310598 ____A C:\Users\Owner\Documents\workspaceinstall.log

2013-01-13 17:53 - 2010-12-02 17:18 - 00000050 ____A C:\Windows\System32\SupplicantTest.log

2013-01-13 17:52 - 2011-12-11 16:10 - 00032348 ____A C:\Windows\offSyncService.log

2013-01-13 17:51 - 2013-01-11 17:19 - 00153088 ____A (Eventys Co. Ltd.) C:\Users\Owner\AppData\Roaming\_gzysxapmk.exe

2013-01-13 17:51 - 2013-01-11 16:53 - 00153088 ____A (Eventys Co. Ltd.) C:\Users\Owner\AppData\Local\_gzysxapmk.exe

2013-01-13 17:49 - 2009-07-13 20:51 - 00063168 ____A C:\Windows\setupact.log

2013-01-13 17:46 - 2013-01-11 16:53 - 00153088 ____A (Eventys Co. Ltd.) C:\Users\All Users\_gzysxapmk.exe

2013-01-11 21:37 - 2009-07-13 20:45 - 00014144 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-01-11 21:37 - 2009-07-13 20:45 - 00014144 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-01-11 17:39 - 2011-02-13 14:35 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-01-11 17:38 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-01-11 16:58 - 2012-07-10 15:57 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-01-11 16:57 - 2011-02-13 14:35 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-01-11 16:06 - 2011-02-25 14:52 - 00000000 ____D C:\Users\Owner\Documents\Outlook Files

2013-01-10 12:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

2013-01-10 07:03 - 2009-07-13 20:45 - 05007656 ____A C:\Windows\System32\FNTCACHE.DAT

2013-01-10 07:01 - 2010-12-02 18:11 - 00893254 ____A C:\Windows\PFRO.log

2013-01-10 06:46 - 2011-02-05 10:27 - 00949000 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

2013-01-10 06:37 - 2011-01-29 08:44 - 67599240 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-01-10 06:27 - 2011-02-12 16:31 - 00000000 ____D C:\Users\All Users\Microsoft Help

2013-01-09 21:04 - 2011-03-14 17:17 - 00000000 ____D C:\Users\Owner\Documents\Employment Related

2013-01-09 13:32 - 2011-09-26 12:26 - 07653899 ____A C:\Users\Owner\Desktop\Budget (v8 update).xlsx

2013-01-09 13:22 - 2013-01-09 13:22 - 00000000 ____D C:\Users\All Users\Webroot

2013-01-09 12:05 - 2011-03-22 22:06 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Skype

2013-01-09 09:59 - 2012-04-12 05:55 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-01-09 09:59 - 2011-06-01 11:39 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2013-01-09 08:22 - 2010-12-02 17:33 - 00000000 ____D C:\Users\All Users\Skype

2013-01-09 08:21 - 2013-01-09 08:20 - 00000000 ___RD C:\Program Files (x86)\Skype

2013-01-09 08:21 - 2010-12-02 18:24 - 00000000 ____D C:\Program Files (x86)\Windows Live

2013-01-09 08:11 - 2013-01-09 08:10 - 29290672 ____A (Skype Technologies S.A.) C:\Users\Owner\Downloads\SkypeSetupFull.exe

2013-01-08 16:34 - 2011-03-14 17:39 - 00000000 ___RD C:\Users\Owner\Documents\Urban Impressionist

2013-01-08 07:55 - 2011-03-02 11:52 - 03074048 ____A C:\Users\Owner\Desktop\Monthly Painting Timesheet.xls

2013-01-01 19:45 - 2012-02-03 16:19 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2013-01-01 19:45 - 2011-02-08 09:24 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-12-30 20:03 - 2012-09-19 09:03 - 00000528 ____A C:\Users\Owner\Desktop\Stock ratings.website

2012-12-24 14:36 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF

2012-12-21 14:47 - 2011-07-01 00:49 - 00000000 ____D C:\Users\Owner\AppData\Local\Windows Live

2012-12-21 14:38 - 2012-03-06 12:06 - 00000000 ____D C:\Users\All Users\HitmanPro

2012-12-21 14:32 - 2012-03-06 12:06 - 00001897 ____A C:\Users\Public\Desktop\HitmanPro.lnk

2012-12-21 14:00 - 2012-12-21 14:00 - 00000000 ____D C:\Users\Owner\Documents\Sony PMB

2012-12-21 14:00 - 2012-12-21 14:00 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Sony Corporation

2012-12-20 16:47 - 2012-12-20 16:41 - 127011424 ____A (Sony Corporation) C:\Users\Owner\Downloads\PMHOME_2000.EXE

2012-12-18 13:48 - 2012-12-17 19:31 - 00000000 ____D C:\Users\Owner\Desktop\New Camera

2012-12-18 10:01 - 2011-02-12 16:31 - 00000000 ____D C:\Users\Owner\AppData\Local\Microsoft Help

2012-12-17 04:43 - 2012-12-04 11:36 - 00038096 ____A (GFI Software) C:\Windows\System32\Drivers\gfiark.sys

2012-12-16 09:11 - 2012-12-23 07:18 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll

2012-12-16 06:45 - 2012-12-23 07:18 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll

2012-12-16 06:13 - 2012-12-23 07:18 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll

2012-12-16 06:13 - 2012-12-23 07:18 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll

2012-12-15 16:14 - 2011-02-09 12:19 - 00000000 ___RD C:\Users\Owner\Desktop\Ground Zero - Freedom Tower

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-12-23 07:18:21

Restore point made on: 2012-12-27 11:19:52

Restore point made on: 2012-12-27 11:21:05

Restore point made on: 2012-12-27 17:45:25

Restore point made on: 2012-12-29 10:00:47

Restore point made on: 2013-01-06 16:37:26

Restore point made on: 2013-01-10 06:23:33

==================== Memory info ===========================

Percentage of memory in use: 22%

Total physical RAM: 3882.09 MB

Available physical RAM: 3014.56 MB

Total Pagefile: 3880.23 MB

Available Pagefile: 3098.76 MB

Total Virtual: 8192 MB

Available Virtual: 8191.88 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:232 GB) (Free:80.99 GB) NTFS

2 Drive d: () (Fixed) (Total:346.39 GB) (Free:345.53 GB) NTFS

3 Drive f: (SAMSUNG_REC) (Fixed) (Total:17.68 GB) (Free:0.94 GB) NTFS ==>[system with boot components (obtained from reading drive)]

5 Drive h: () (Removable) (Total:15.01 GB) (Free:4.94 GB) FAT32

6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

7 Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 596 GB 1024 KB

Disk 1 Online 15 GB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 232 GB 101 MB

Partition 0 Extended 346 GB 232 GB

Partition 4 Logical 346 GB 232 GB

Partition 3 Recovery 17 GB 578 GB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y SYSTEM NTFS Partition 100 MB Healthy

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 232 GB Healthy

=========================================================

Disk: 0

Partition 4

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 D NTFS Partition 346 GB Healthy

=========================================================

Disk: 0

Partition 3

Type : 27

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 F SAMSUNG_REC NTFS Partition 17 GB Healthy Hidden

=========================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 15 GB 31 KB

==================================================================================

Disk: 1

Partition 1

Type : 0C

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 5 H FAT32 Removable 15 GB Healthy

=========================================================

Last Boot: 2013-01-06 16:30

==================== End Of Log =============================

Search log:

-----------------------------------------------------------------------------------------------------------------

Farbar Recovery Scan Tool (x64) Version: 09-01-2013

Ran by SYSTEM at 2013-01-14 11:28:42

Running from H:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

Link to post
Share on other sites

OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

See if the computer boots normally now.

MrC

Link to post
Share on other sites

Yes was (seemingly) able to reboot normally (although I did see something about Windows can't provide updates right now). I can se bottom task bar now!

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 09-01-2013

Ran by SYSTEM at 2013-01-14 12:26:36 Run:1

Running from H:\

==============================================

HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.

HKEY_USERS\Owner\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge Value deleted successfully.

HKEY_USERS\Owner\Software\Microsoft\Windows\CurrentVersion\Run\\og_fehuborr Value deleted successfully.

HKEY_USERS\Owner\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableTaskMgr Value deleted successfully.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored successfully .

C:\Users\Owner\AppData\Roaming\_gzysxapmk.exe moved successfully.

C:\Users\Owner\AppData\Local\_gzysxapmk.exe moved successfully.

C:\Users\All Users\_gzysxapmk.exe moved successfully.

C:\Users\Owner\AppData\Roaming\_gzysxapmk.exe not found.

C:\Users\Owner\AppData\Local\_gzysxapmk.exe not found.

C:\ProgramData\_gzysxapmk not found.

C:\Users\Owner\AppData\Roaming\_gzysxapmk not found.

C:\ProgramData\_gzysxapmk not found.

C:\Users\Owner\AppData\Local\_gzysxapmk.exe not found.

C:\Users\All Users\_gzysxapmk.exe not found.

==== End of Fixlog ====

Link to post
Share on other sites

Good......next >>>>

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

more-reply-options.jpg

New window that comes up.

choose-files1.jpg

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC

Link to post
Share on other sites

Ugh, as (un)luck would have it my Wifi is stuck. It's a Samsung laptop with a hardware wifi button and it's stuck on (light showing) however the icon in the lower right is stuck off (riddle anyone that one). I'm not sure if it's stuck/broken because I hit it too much during the virus trying to get it off so the virus couldn't connect to the net or if the virus has messed up my wifi settings to disable? Thoughts on this problem? :/

Link to post
Share on other sites

You can run ComboFix, put it on the drive and then transfer:

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

Good news is that attachment (started) working, however the process showed the following (attached) which is surprising to me on both because I had recently uninstalled Webroot [it was constantly running and slowing down my computer tremendously (perhaps a very dumb decision in hindsight)] and for AdAware (2nd attachment) I cant find any setting for disable on their new interface.

post-125054-0-10309700-1358198979.jpg

post-125054-0-38683100-1358200626.jpg

Link to post
Share on other sites

ComboFix Log

---------------------------------------------------------------------------

ComboFix 13-01-14.01 - Owner 01/14/2013 16:20:40.1.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3882.2685 [GMT -6:00]

Running from: c:\users\Owner\AppData\Local\Temp\Temp1_ComboFix.zip\ComboFix.exe

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}

AV: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}

SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}

SP: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\{1A6CC3D6-020A-49B4-83C0-89070A47C9A9}.xps

c:\users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\{76AA3B13-7A94-4616-9BC6-C92410ECA66C}.xps

c:\users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\{819334E7-65F7-4483-90E3-41BD6AF91738}.xps

c:\users\Owner\AppData\Local\xox.exe

c:\users\Owner\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk

c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix

c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix\System Fix.lnk

c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix\Uninstall System Fix.lnk

c:\users\Owner\g2mdlhlpx.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-12-14 to 2013-01-14 )))))))))))))))))))))))))))))))

.

.

2013-01-14 22:33 . 2013-01-14 22:33 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2013-01-14 22:33 . 2013-01-14 22:33 -------- d-----w- c:\users\DefaultAppPool\AppData\Local\temp

2013-01-14 22:33 . 2013-01-14 22:33 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-01-14 22:33 . 2013-01-14 22:33 -------- d-----w- c:\users\Classic .NET AppPool\AppData\Local\temp

2013-01-14 20:32 . 2013-01-14 19:55 1653440 ----a-w- C:\7zip_bimo_d154539.exe

2013-01-14 19:26 . 2013-01-14 19:26 -------- d-----w- C:\FRST

2013-01-09 21:22 . 2013-01-09 21:22 -------- d-----w- c:\programdata\Webroot

2013-01-09 16:20 . 2013-01-09 16:20 -------- d-----w- c:\program files (x86)\Common Files\Skype

2013-01-09 16:20 . 2013-01-09 16:21 -------- d-----r- c:\program files (x86)\Skype

2013-01-09 15:11 . 2012-11-30 05:41 424448 ----a-w- c:\windows\system32\KernelBase.dll

2013-01-02 03:45 . 2013-01-02 03:45 -------- d-----w- c:\users\Owner\AppData\Local\Programs

2012-12-23 15:18 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll

2012-12-23 15:18 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

2012-12-23 15:18 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll

2012-12-23 15:18 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll

2012-12-21 22:00 . 2012-12-21 22:00 -------- d-----w- c:\users\Owner\AppData\Roaming\Sony Corporation

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-01-10 14:37 . 2011-01-29 16:44 67599240 ----a-w- c:\windows\system32\MRT.exe

2013-01-09 17:59 . 2012-04-12 13:55 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-01-09 17:59 . 2011-06-01 19:39 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-12-17 12:43 . 2012-12-04 19:36 38096 ----a-w- c:\windows\system32\drivers\gfiark.sys

2012-12-14 22:49 . 2011-02-08 17:24 24176 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-30 04:45 . 2013-01-09 15:11 44032 ----a-w- c:\windows\apppatch\acwow64.dll

2012-11-25 21:15 . 2012-11-25 21:15 14456 ----a-w- c:\windows\system32\drivers\gfibto.sys

2012-11-14 07:06 . 2012-12-12 09:03 17811968 ----a-w- c:\windows\system32\mshtml.dll

2012-11-14 06:32 . 2012-12-12 09:03 10925568 ----a-w- c:\windows\system32\ieframe.dll

2012-11-14 06:11 . 2012-12-12 09:03 2312704 ----a-w- c:\windows\system32\jscript9.dll

2012-11-14 06:04 . 2012-12-12 09:03 1346048 ----a-w- c:\windows\system32\urlmon.dll

2012-11-14 06:04 . 2012-12-12 09:03 1392128 ----a-w- c:\windows\system32\wininet.dll

2012-11-14 06:02 . 2012-12-12 09:03 1494528 ----a-w- c:\windows\system32\inetcpl.cpl

2012-11-14 06:02 . 2012-12-12 09:03 237056 ----a-w- c:\windows\system32\url.dll

2012-11-14 05:59 . 2012-12-12 09:03 85504 ----a-w- c:\windows\system32\jsproxy.dll

2012-11-14 05:58 . 2012-12-12 09:03 816640 ----a-w- c:\windows\system32\jscript.dll

2012-11-14 05:57 . 2012-12-12 09:03 599040 ----a-w- c:\windows\system32\vbscript.dll

2012-11-14 05:57 . 2012-12-12 09:03 173056 ----a-w- c:\windows\system32\ieUnatt.exe

2012-11-14 05:55 . 2012-12-12 09:03 2144768 ----a-w- c:\windows\system32\iertutil.dll

2012-11-14 05:55 . 2012-12-12 09:03 729088 ----a-w- c:\windows\system32\msfeeds.dll

2012-11-14 05:53 . 2012-12-12 09:03 96768 ----a-w- c:\windows\system32\mshtmled.dll

2012-11-14 05:52 . 2012-12-12 09:03 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-11-14 05:46 . 2012-12-12 09:03 248320 ----a-w- c:\windows\system32\ieui.dll

2012-11-14 02:09 . 2012-12-12 09:03 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll

2012-11-14 01:58 . 2012-12-12 09:03 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl

2012-11-14 01:57 . 2012-12-12 09:03 1129472 ----a-w- c:\windows\SysWow64\wininet.dll

2012-11-14 01:49 . 2012-12-12 09:03 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe

2012-11-14 01:48 . 2012-12-12 09:03 420864 ----a-w- c:\windows\SysWow64\vbscript.dll

2012-11-14 01:44 . 2012-12-12 09:03 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb

2012-11-09 05:45 . 2012-12-12 03:00 2048 ----a-w- c:\windows\system32\tzres.dll

2012-11-09 04:42 . 2012-12-12 03:00 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2012-11-02 05:59 . 2012-12-12 03:00 478208 ----a-w- c:\windows\system32\dpnet.dll

2012-11-02 05:11 . 2012-12-12 03:00 376832 ----a-w- c:\windows\SysWow64\dpnet.dll

2012-10-25 09:12 . 2012-10-25 09:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx

2012-10-25 09:12 . 2012-10-25 09:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Starfield Updater"="c:\users\Owner\AppData\Local\Workspace\workspaceupdate.exe" [2011-12-12 34496]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Ad-Aware Antivirus"="c:\program files (x86)\Ad-Aware Antivirus\AdAwareLauncher --windows-run" [X]

"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]

"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]

"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"T-Mobile webConnect Manager"="c:\program files (x86)\T-Mobile\webConnect Manager\TMobileCM.exe" [2009-12-14 23584]

"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2012-09-24 296096]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

.

c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Yahoo! Widgets.lnk - c:\program files (x86)\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-3-14 98304]

SRS Premium Sound.lnk - c:\windows\Installer\{340BE65B-7621-4B0B-B0F9-DBCCD8D70887}\NewShortcut5_21C7B668029A47458B27645FE6E4A715.exe [2010-12-2 156952]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe [2010-6-24 9216]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]

@="Ad-Aware Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]

@="Service"

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;c:\program files\Intel\WiMAX\Bin\DMAgent.exe [2010-09-01 408576]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-11-09 160944]

R2 WebFarmService;Web Farm Controller Service;c:\program files\IIS\Microsoft Web Farm Framework\WebFarmService.exe [2011-01-20 15640]

R3 bpmp;Intel® Centrino® WiMAX 6050 Series;c:\windows\system32\DRIVERS\bpmp.sys [2010-05-16 175104]

R3 CATmobile;T-Mobile Con App Svc;c:\program files (x86)\T-Mobile\webConnect Manager\conappssvc.exe [2009-12-09 124184]

R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [2009-10-21 243200]

R3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2012-12-17 38096]

R3 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [2011-02-04 63304]

R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2010-10-19 340240]

R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [2009-12-09 43032]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]

R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]

R3 TMobileRcAppSvc;T-Mobile RcApp Svc;c:\program files (x86)\T-Mobile\webConnect Manager\RcAppSvc.exe [2009-12-09 120088]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-01-29 1255736]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2010-08-30 394016]

R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2010-04-03 59744]

R4 RsFx0150;RsFx0150 Driver;c:\windows\system32\DRIVERS\RsFx0150.sys [2010-04-03 313696]

R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2010-04-03 428384]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]

S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2012-11-25 14456]

S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys [2011-01-17 25960]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]

S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 13824]

S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2011-10-26 57976]

S2 Ad-Aware Service;Ad-Aware Service;c:\program files (x86)\Ad-Aware Antivirus\AdAwareService.exe [2012-11-22 1236368]

S2 File Backup;File Backup Service;c:\program files (x86)\Workspace\offSyncService.exe [2012-01-05 1187600]

S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [2012-12-21 108904]

S2 SBAMSvc;Ad-Aware;c:\program files (x86)\Ad-Aware Antivirus\SBAMSvc.exe [2012-09-20 3677000]

S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [2012-09-13 82872]

S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-12-13 3290896]

S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2010-04-17 13832]

S2 TurboBoost;Intel® Turbo Boost Technology Monitor;c:\program files\Intel\TurboBoost\TurboBoost.exe [2010-04-17 134928]

S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-02-03 2320920]

S2 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;c:\program files\Intel\WiMAX\Bin\AppSrv.exe [2010-09-01 911872]

S2 WinFLdrv;WinFLdrv;SysWOW64\WinFLdrv.sys [x]

S3 bpenum;bpenum;c:\windows\system32\DRIVERS\bpenum.sys [2010-05-16 71168]

S3 bpusb;bpusb;c:\windows\system32\Drivers\bpusb.sys [2010-05-16 81920]

S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2010-11-12 138024]

S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]

S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-08-30 289280]

S3 wdkmd;Intel WiDi KMD;c:\windows\system32\DRIVERS\WDKMD.sys [2010-10-05 42392]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

iissvcs REG_MULTI_SZ w3svc was

apphost REG_MULTI_SZ apphostsvc

.

Contents of the 'Scheduled Tasks' folder

.

2013-01-12 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 17:59]

.

2013-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-13 22:34]

.

2013-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-13 22:34]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-08-11 11369576]

"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-01-30 446392]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files (x86)\Stardock\Fences\FencesMenu64.dll" [2010-06-22 253288]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=c:\windows\System32\nvinitx.dll

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.usaa.com/

mStart Page = hxxp://samsung.msn.com

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105

FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\7vq9svsi.default\

FF - prefs.js: browser.startup.homepage - about:home

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

FF - ExtSQL: 2013-01-09 10:22; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; c:\program files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}

FF - user.js: yahoo.homepage.dontask - true

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKLM-Run-SearchProtection - c:\programdata\Search Protection\_run.bat

Toolbar-Locked - (no file)

HKLM-Run-ETDCtrl - c:\program files (x86)\Elantech\ETDCtrl.exe

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

AddRemove-Adobe SVG Viewer - c:\windows\System32\Adobe\SVG Viewer\Uninst.isu

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\services\MsDepSvc]

"ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\services\MySQL]

"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]

@Denied: (2) (LocalSystem)

"{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,

89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b

"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,

1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7

"{6EBF7485-159F-4BFF-A14F-B9E3AAC4465B}"=hex:51,66,7a,6c,4c,1d,38,12,eb,77,ac,

6a,ad,5b,91,0e,de,59,fa,a3,af,9a,02,4f

"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,

94,30,02,d1,0f,f1,da,12,24,73,56,27,d2

"{9FDDE16B-836F-4806-AB1F-1455CBEFF289}"=hex:51,66,7a,6c,4c,1d,38,12,05,e2,ce,

9b,5d,cd,68,0d,d4,09,57,15,ce,b1,b6,9d

"{AA609D72-8482-4076-8991-8CDAE5B93BCB}"=hex:51,66,7a,6c,4c,1d,38,12,1c,9e,73,

ae,b0,ca,18,05,f6,87,cf,9a,e0,e7,7f,df

"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,

b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb

"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,

d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b

"{E99987AC-6311-4686-B095-EB30B69F9258}"=hex:51,66,7a,6c,4c,1d,38,12,c2,84,8a,

ed,23,2d,e8,03,cf,83,a8,70,b3,c1,d6,4c

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (LocalSystem)

"Timestamp"=hex:dc,bc,b1,e5,8b,e4,cb,01

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

c:\program files (x86)\CyberLink\Shared files\RichVideo.exe

c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

.

**************************************************************************

.

Completion time: 2013-01-14 17:31:27 - machine was rebooted

ComboFix-quarantined-files.txt 2013-01-14 23:31

.

Pre-Run: 88,703,115,264 bytes free

Post-Run: 90,813,988,864 bytes free

.

- - End Of File - - 3F09E3CF0EB55C1FAAD3FFCE4616220C

Link to post
Share on other sites

Ok the programs open/work again. I still have the odd wifi button issue (Button stuck to on, but setting stuck off). Is that something that occurs sometimes from this virus or is that now just some coincidental issue I'm going to have to address with the manufacturer? (I can't locate a digital toggle switch :(

Link to post
Share on other sites

Hi. So still can't get wifi working after speaking with Samasung reps and updating the Network adapter WLAN device manager and 'easy display manager.' Since I already have Malwarebytes is it possible to download the latest updates on a good computer, transfer them via USB, then upload them to the problem one's Malwarebytes?

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.