Jump to content

Another FBI Moneypack lockout


scotts

Recommended Posts

Hi,

My computer has been infected with the FBI moneypack malware. Windows Vista, sp2, x64, IE 9.0, AMD Quad core.

I have two user accounts, and oddly enough, I was able to switch users and runs MB and various scans for logs using my alternate account. MB did pick up two trojans, but after deleting and reboot, the FBI malware was still there. On the primary account, I am unable to access anything. On the alternate account, I can access most of everything, except it seems most internet sites lock up and stall. I was able to access your site, which again, is a bit odd.

Below are the logs generated from an MB quick Scan, followed by RKill, and DDS (two logs), As necessary, I closed all processes that were running, and disabled virus/malware protection to minimize interference.

Any help you can provide would be greatly appreciated. I'm a long time MB user, and this is my first time anything has gotten past MB (my account is the purchased version).

Regards,

Scott

MBAM Log

Malwarebytes Anti-Malware 1.70.0.1100

www.malwarebytes.org

Database version: v2013.01.13.09

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Scott Admin :: HOMECYBERPOWER [administrator]

1/14/2013 5:25:23 AM

mbam-log-2013-01-14 (05-25-23).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 299604

Time elapsed: 6 minute(s), 1 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

---------------------------------------------------------------------------------------------

RKill Log

Rkill 2.4.5 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2013 BleepingComputer.com

More Information about Rkill can be found at this link:

http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/14/2013 05:52:55 AM in x86 mode.

Windows Version: Windows Vista Home Premium Service Pack 2

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

::1 localhost

Program finished at: 01/14/2013 05:53:04 AM

Execution time: 0 hours(s), 0 minute(s), and 8 seconds(s

--------------------------------------------------------------------------------------------------------

DDS Attach.txt

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft® Windows Vista™ Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 3/11/2012 5:37:33 PM

System Uptime: 1/14/2013 5:10:45 AM (0 hours ago)

.

Motherboard: MSI | | MS-7390

Processor: AMD Phenom 9850 Quad-Core Processor | CPU 1 | 2511/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 466 GiB total, 149.042 GiB free.

D: is CDROM ()

E: is CDROM ()

F: is Removable

G: is Removable

H: is Removable

I: is Removable

J: is Removable

.

==== Disabled Device Manager Items =============

.

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: Microsoft ISATAP Adapter

Device ID: ROOT\*ISATAP\0000

Manufacturer: Microsoft

Name: Microsoft ISATAP Adapter

PNP Device ID: ROOT\*ISATAP\0000

Service: tunnel

.

Class GUID:

Description: SM Bus Controller

Device ID: PCI\VEN_10DE&DEV_0446&SUBSYS_73901462&REV_A1\3&267A616A&0&09

Manufacturer:

Name: SM Bus Controller

PNP Device ID: PCI\VEN_10DE&DEV_0446&SUBSYS_73901462&REV_A1\3&267A616A&0&09

Service:

.

==== System Restore Points ===================

.

.

==== Installed Programs ======================

.

Adobe Flash Player 11 ActiveX

Adobe Reader X (10.1.5)

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Bonjour

CameraHelperMsi

Diablo III

erLT

ERUNT 1.1j

ffdshow [rev 3154] [2009-12-09]

GameSpy Arcade

Google Talk (remove only)

Google Talk Plugin

Google Toolbar for Internet Explorer

Google Update Helper

Halo 2 for Windows Vista

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

ImageGrab 5.0.6 en

iTunes

Java 7 Update 9

Java Auto Updater

LIVE gaming on Windows Runtime Version 1.0.6027

Logitech Webcam Software

LWS Facebook

LWS Gallery

LWS Help_main

LWS Launcher

LWS Motion Detection

LWS Pictures And Video

LWS Twitter

LWS Webcam Software

LWS WLM Plugin

LWS YouTube Plugin

Malwarebytes Anti-Malware version 1.70.0.1100

Mass Effect™ 3

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Office 2007 Service Pack 3 (SP3)

Microsoft Office Excel MUI (English) 2007

Microsoft Office Home and Student 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Rise Of Nations

Microsoft Silverlight

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Mouse Suite

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML4 Parser

NVIDIA 3D Vision Driver 306.97

NVIDIA Control Panel 306.97

NVIDIA Drivers

NVIDIA Graphics Driver 306.97

NVIDIA Install Application

NVIDIA PhysX

NVIDIA Stereoscopic 3D Driver

NVIDIA Update 1.10.8

NVIDIA Update Components

Origin

QuickTime

Replay Media Catcher 4 (4.4.3)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition

Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition

Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition

Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office OneNote 2007 Help (KB963670)

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Word 2007 Help (KB963665)

Yahoo! Messenger

Yahoo! Software Update

Yahoo! Toolbar

Yontoo 1.10.02

.

==== End Of File ===========================

--------------------------------------------------------------------------------------------------------

DDS.txt

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.9.2

Run by Scott Admin at 5:58:19 on 2013-01-14

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3326.1952 [GMT -5:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ================

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\nvvsvc.exe

C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\SLsvc.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Windows\System32\WUDFHost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\System32\ico.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\System32\wsqmcons.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Windows\notepad.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\System32\notepad.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\System32\mobsync.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearch Bar = Preserve

BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll

BHO: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - c:\program files\yontoo\YontooIEClient.dll

TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter

mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide

mRun: [Mouse Suite 98 Daemon] ICO.EXE

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

StartupFolder: c:\users\scotta~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE

mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

TCP: NameServer = 192.168.1.1

TCP: Interfaces\{C6FD7229-3518-40D1-8535-3FE15460E1D7} : DHCPNameServer = 192.168.1.1

LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg

.

============= SERVICES / DRIVERS ===============

.

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2012-10-2 382824]

R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [2012-8-7 28256]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-1-14 40776]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [2012-8-7 28256]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2013-01-14 10:23:56 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2013-01-14 00:04:04 -------- d-----w- c:\users\scott admin\appdata\roaming\Malwarebytes

2013-01-13 22:09:32 82056 ----a-w- c:\programdata\ifgxpers.exe

2013-01-11 11:29:16 6812136 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{e6b2f347-3d3a-40fc-87ad-7b6b6e94b7e0}\mpengine.dll

2013-01-09 11:48:12 2048000 ----a-w- c:\windows\system32\win32k.sys

2013-01-09 11:47:59 204288 ----a-w- c:\windows\system32\ncrypt.dll

2013-01-09 11:47:58 1400832 ----a-w- c:\windows\system32\msxml6.dll

2012-12-21 12:24:30 34304 ----a-w- c:\windows\system32\atmlib.dll

2012-12-21 12:24:30 293376 ----a-w- c:\windows\system32\atmfd.dll

2012-12-18 14:28:14 186584 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

.

==================== Find3M ====================

.

2013-01-09 00:50:16 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-01-09 00:50:16 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-12-14 21:49:28 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-12-09 15:10:02 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-12-09 15:10:01 821736 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-12-09 15:10:01 746984 ----a-w- c:\windows\system32\deployJava1.dll

2012-11-14 02:09:22 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-11-14 01:58:15 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-11-14 01:57:37 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-11-14 01:49:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-11-14 01:48:27 420864 ----a-w- c:\windows\system32\vbscript.dll

2012-11-14 01:44:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-11-13 01:29:51 2048 ----a-w- c:\windows\system32\tzres.dll

2012-11-02 10:18:17 376320 ----a-w- c:\windows\system32\dpnet.dll

2012-11-02 08:26:06 23040 ----a-w- c:\windows\system32\dpnsvr.exe

.

============= FINISH: 5:58:57.48 ===============

Link to post
Share on other sites

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

Link to post
Share on other sites

Thanks MrC.

I ran RogueKiller as Admin without deleting anything.

Here is the report:

----------------------------------------

RogueKiller V8.4.3 [Jan 10 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Normal mode

User : Scott Admin [Admin rights]

Mode : Scan -- Date : 01/14/2013 13:39:14

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDP725050GLA360 ATA Device +++++

--- User ---

[MBR] 4d45d1ed5ebbebb032f02e0c59dfc0ca

[bSP] d0190f9143d16cd98d1192f40693a18c : Windows Vista MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476938 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_01142013_02d1339.txt >>

RKreport[1]_S_01142013_02d1339.txt

Link to post
Share on other sites

Nothing showing there.........

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://www.itxassoci...T-Tools/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

The scan will take about 10 minutes...depends on your hard drive size.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC

Link to post
Share on other sites

Here is the OTL log:

OTL logfile created on: 1/14/2013 3:01:04 PM - Run 1

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Scott Admin\Desktop

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.58 Gb Available Physical Memory | 79.40% Memory free

6.72 Gb Paging File | 5.90 Gb Available in Paging File | 87.78% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 465.76 Gb Total Space | 148.99 Gb Free Space | 31.99% Space Free | Partition Type: NTFS

Computer Name: HOMECYBERPOWER | User Name: Scott Admin | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/01/14 15:00:44 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Scott Admin\Desktop\OTL.exe

PRC - [2012/12/18 09:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

PRC - [2012/10/02 14:29:14 | 000,864,616 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

PRC - [2012/10/02 14:28:55 | 001,820,520 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

PRC - [2012/10/02 13:15:38 | 000,382,824 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

PRC - [2012/09/12 23:38:44 | 000,204,136 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe

PRC - [2012/09/12 23:38:20 | 000,264,040 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe

PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe

PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

PRC - [2008/01/20 21:23:33 | 000,192,000 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wsqmcons.exe

PRC - [2008/01/20 21:23:32 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe

PRC - [2004/07/14 17:36:54 | 000,057,344 | ---- | M] (Primax Electronics Ltd.) -- C:\Windows\System32\ico.exe

========== Modules (No Company Name) ==========

MOD - [2012/09/12 23:39:18 | 000,336,232 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LWSPlugins\LWS\Applets\CameraHelper\DevManagerCore.dll

MOD - [2012/09/12 23:38:52 | 007,955,304 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\QTGui4.dll

MOD - [2012/09/12 23:38:52 | 000,341,352 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\QTXml4.dll

MOD - [2012/09/12 23:38:52 | 000,127,336 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\ImageFormats\QJpeg4.dll

MOD - [2012/09/12 23:38:52 | 000,028,008 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\ImageFormats\QGif4.dll

MOD - [2012/09/12 23:38:44 | 002,144,104 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\QTCore4.dll

MOD - [2012/09/12 23:38:20 | 000,264,040 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe

MOD - [2012/02/20 23:29:04 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll

MOD - [2012/02/20 23:28:42 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll

========== Services (SafeList) ==========

SRV - [2013/01/08 19:50:16 | 000,251,400 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)

SRV - [2012/12/18 09:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)

SRV - [2012/10/10 21:15:04 | 001,258,856 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService)

SRV - [2012/10/02 13:15:38 | 000,382,824 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)

SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)

SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)

DRV - [2012/10/10 21:14:28 | 010,837,352 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)

DRV - [2012/09/21 14:09:06 | 004,261,224 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lvuvc.sys -- (LVUVC)

DRV - [2012/09/21 14:09:00 | 000,310,504 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lvrs.sys -- (LVRS)

DRV - [2011/06/25 19:56:44 | 000,028,256 | ---- | M] (Applian Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\appliand.sys -- (appliandMP)

DRV - [2011/06/25 19:56:44 | 000,028,256 | ---- | M] (Applian Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\appliand.sys -- (appliand)

DRV - [2008/08/01 21:51:14 | 001,052,704 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)

DRV - [2003/02/11 15:25:14 | 000,009,216 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pelusblf.sys -- (pelusblf)

DRV - [2003/01/10 15:55:32 | 000,016,384 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PELMOUSE.SYS -- (pelmouse)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}

IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=287&systemid=406&sr=0&q={searchTerms}

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1135540072-695541943-2338846879-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve

IE - HKU\S-1-5-21-1135540072-695541943-2338846879-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-21-1135540072-695541943-2338846879-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp

IE - HKU\S-1-5-21-1135540072-695541943-2338846879-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us

IE - HKU\S-1-5-21-1135540072-695541943-2338846879-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B0 D1 D0 A5 EB F1 CD 01 [binary data]

IE - HKU\S-1-5-21-1135540072-695541943-2338846879-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKU\S-1-5-21-1135540072-695541943-2338846879-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.9.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)

FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

O1 HOSTS File: ([2006/09/18 16:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: ::1 localhost

O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)

O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

O2 - BHO: (Yontoo) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo\YontooIEClient.dll (Yontoo LLC)

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)

O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.

O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)

O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google)

O4 - HKLM..\Run: [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe (Logitech Inc.)

O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\Windows\System32\ico.exe (Primax Electronics Ltd.)

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)

O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)

O4 - HKU\S-1-5-21-1135540072-695541943-2338846879-1000..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)

O4 - Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk = C:\Program Files\Logitech\Ereg\eReg.exe (Leader Technologies/Logitech)

O4 - Startup: C:\Users\Scott Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()

O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O13 - gopher Prefix: missing

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C6FD7229-3518-40D1-8535-3FE15460E1D7}: DhcpNameServer = 192.168.1.1

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg

O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/01/14 15:00:44 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Scott Admin\Desktop\OTL.exe

[2013/01/14 13:38:06 | 000,000,000 | ---D | C] -- C:\Users\Scott Admin\Desktop\RK_Quarantine

[2013/01/14 06:34:05 | 000,000,000 | ---D | C] -- C:\Users\Scott Admin\Documents\Diablo III

[2013/01/14 06:01:07 | 000,000,000 | ---D | C] -- C:\Users\Scott Admin\AppData\Roaming\Yahoo!

[2013/01/14 05:57:53 | 000,688,992 | R--- | C] (Swearware) -- C:\Users\Scott Admin\Desktop\dds.scr

[2013/01/14 05:52:01 | 001,754,528 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\Scott Admin\Desktop\rkill.com

[2013/01/14 05:36:13 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT

[2013/01/14 05:35:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT

[2013/01/14 05:35:35 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT

[2013/01/13 19:04:04 | 000,000,000 | ---D | C] -- C:\Users\Scott Admin\AppData\Roaming\Malwarebytes

[2013/01/13 17:09:32 | 000,082,056 | ---- | C] (Microsoft Corporation) -- C:\ProgramData\ifgxpers.exe

========== Files - Modified Within 30 Days ==========

[2013/01/14 15:00:44 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Scott Admin\Desktop\OTL.exe

[2013/01/14 14:49:59 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job

[2013/01/14 14:35:59 | 000,000,940 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1135540072-695541943-2338846879-500UA.job

[2013/01/14 14:34:32 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2013/01/14 14:34:32 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2013/01/14 14:30:59 | 000,000,900 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2013/01/14 13:36:49 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2013/01/14 13:36:27 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2013/01/14 12:41:42 | 000,604,264 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2013/01/14 12:41:42 | 000,103,964 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2013/01/14 12:34:29 | 3488,866,304 | -HS- | M] () -- C:\hiberfil.sys

[2013/01/14 12:34:28 | 282,271,171 | ---- | M] () -- C:\Windows\MEMORY.DMP

[2013/01/14 08:36:00 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1135540072-695541943-2338846879-500Core.job

[2013/01/14 05:57:53 | 000,688,992 | R--- | M] (Swearware) -- C:\Users\Scott Admin\Desktop\dds.scr

[2013/01/14 05:55:41 | 000,764,416 | ---- | M] () -- C:\Users\Scott Admin\Desktop\RogueKiller.exe

[2013/01/14 05:52:01 | 001,754,528 | ---- | M] (Bleeping Computer, LLC) -- C:\Users\Scott Admin\Desktop\rkill.com

[2013/01/14 05:35:56 | 000,000,913 | ---- | M] () -- C:\Users\Scott Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk

[2013/01/14 05:35:36 | 000,000,733 | ---- | M] () -- C:\Users\Scott Admin\Desktop\NTREGOPT.lnk

[2013/01/14 05:35:36 | 000,000,714 | ---- | M] () -- C:\Users\Scott Admin\Desktop\ERUNT.lnk

[2013/01/13 19:04:31 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[2013/01/13 17:39:57 | 002,250,054 | ---- | M] () -- C:\ProgramData\1.bmp

[2013/01/13 17:39:43 | 000,444,396 | ---- | M] () -- C:\ProgramData\1.jpg

[2013/01/10 03:25:04 | 000,270,552 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

========== Files Created - No Company Name ==========

[2013/01/14 05:55:41 | 000,764,416 | ---- | C] () -- C:\Users\Scott Admin\Desktop\RogueKiller.exe

[2013/01/14 05:35:56 | 000,000,913 | ---- | C] () -- C:\Users\Scott Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk

[2013/01/14 05:35:36 | 000,000,733 | ---- | C] () -- C:\Users\Scott Admin\Desktop\NTREGOPT.lnk

[2013/01/14 05:35:36 | 000,000,714 | ---- | C] () -- C:\Users\Scott Admin\Desktop\ERUNT.lnk

[2013/01/13 17:39:57 | 002,250,054 | ---- | C] () -- C:\ProgramData\1.bmp

[2013/01/13 17:39:35 | 000,444,396 | ---- | C] () -- C:\ProgramData\1.jpg

[2012/09/30 10:44:21 | 000,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll

[2012/09/21 14:08:36 | 010,919,784 | ---- | C] () -- C:\Windows\System32\LogiDPP.dll

[2012/09/21 14:08:36 | 000,338,136 | ---- | C] () -- C:\Windows\System32\DevManagerCore.dll

[2012/09/21 14:08:36 | 000,103,272 | ---- | C] () -- C:\Windows\System32\LogiDPPApp.exe

[2012/09/21 13:48:30 | 000,028,418 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini

[2012/03/18 09:57:23 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin

[2012/03/18 09:57:22 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll

[2012/03/13 23:01:57 | 000,004,984 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin

[2012/03/13 23:00:47 | 000,024,576 | ---- | C] () -- C:\Windows\System32\FSRremoC.DLL

[2012/03/13 23:00:47 | 000,020,480 | ---- | C] () -- C:\Windows\System32\FSRremoS.EXE

[2012/03/13 20:11:23 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin

========== ZeroAccess Check ==========

[2006/11/02 07:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 12:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]

"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 01:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 01:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Both

========== LOP Check ==========

[2012/12/09 10:13:49 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\.minecraft

[2011/02/17 18:51:05 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\acccore

[2010/09/21 22:00:54 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

[2011/04/10 17:09:49 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1

[2012/03/13 22:29:44 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\GetRightToGo

[2011/02/17 15:33:54 | 000,000,000 | -HSD | M] -- C:\Users\Administrator\AppData\Roaming\Internet Security Essentials

[2012/10/11 19:02:22 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Leadertech

[2012/03/11 22:32:14 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Origin

[2012/08/07 15:16:48 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Replay Media Catcher 4

========== Purity Check ==========

< End of report >

Link to post
Share on other sites

Not seeing anything......

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

Thanks again MrC. Combofix ran without a hitch. Here is the log file:

--------------------------------------------------------------------------------------------------------------------

ComboFix 13-01-14.01 - Scott Admin 01/14/2013 18:35:46.1.4 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3326.2554 [GMT -5:00]

Running from: c:\users\Scott Admin\Desktop\ComboFix.exe

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\ifgxpers.exe

c:\users\Administrator\AppData\Roaming\Internet Security Essentials

.

.

((((((((((((((((((((((((( Files Created from 2012-12-14 to 2013-01-14 )))))))))))))))))))))))))))))))

.

.

2013-01-14 23:40 . 2013-01-14 23:40 -------- d-----w- c:\users\Scott Admin\AppData\Local\temp

2013-01-14 11:01 . 2013-01-14 11:01 -------- d-----w- c:\users\Scott Admin\AppData\Roaming\Yahoo!

2013-01-14 10:35 . 2013-01-14 10:35 -------- d-----w- c:\program files\ERUNT

2013-01-14 00:04 . 2013-01-14 00:04 -------- d-----w- c:\users\Scott Admin\AppData\Roaming\Malwarebytes

2013-01-11 11:29 . 2012-11-08 18:00 6812136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E6B2F347-3D3A-40FC-87AD-7B6B6E94B7E0}\mpengine.dll

2013-01-09 11:48 . 2012-11-23 01:35 2048000 ----a-w- c:\windows\system32\win32k.sys

2013-01-09 11:47 . 2012-11-20 04:22 204288 ----a-w- c:\windows\system32\ncrypt.dll

2013-01-09 11:47 . 2012-11-02 10:19 1400832 ----a-w- c:\windows\system32\msxml6.dll

2012-12-21 12:24 . 2012-12-16 13:12 34304 ----a-w- c:\windows\system32\atmlib.dll

2012-12-21 12:24 . 2012-12-16 10:50 293376 ----a-w- c:\windows\system32\atmfd.dll

2012-12-18 14:28 . 2012-12-18 14:28 186584 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-01-09 00:50 . 2012-05-13 10:26 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-01-09 00:50 . 2012-03-12 05:10 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-12-14 21:49 . 2012-03-12 03:25 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-12-09 15:10 . 2012-12-09 15:10 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-12-09 15:10 . 2012-12-09 15:10 821736 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-12-09 15:10 . 2012-12-09 15:10 746984 ----a-w- c:\windows\system32\deployJava1.dll

2012-11-14 02:09 . 2012-12-12 08:05 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-11-14 01:58 . 2012-12-12 08:05 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-11-14 01:57 . 2012-12-12 08:05 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-11-14 01:49 . 2012-12-12 08:05 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-11-14 01:48 . 2012-12-12 08:05 420864 ----a-w- c:\windows\system32\vbscript.dll

2012-11-14 01:44 . 2012-12-12 08:05 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-11-13 01:29 . 2012-12-11 23:07 2048 ----a-w- c:\windows\system32\tzres.dll

2012-11-02 10:18 . 2012-12-11 23:08 376320 ----a-w- c:\windows\system32\dpnet.dll

2012-11-02 08:26 . 2012-12-11 23:08 23040 ----a-w- c:\windows\system32\dpnsvr.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Mouse Suite 98 Daemon"="ICO.EXE" [2004-07-14 57344]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]

"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2012-09-13 204136]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

.

c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Logitech . Product Registration.lnk - c:\program files\Logitech\Ereg\eReg.exe [2009-11-16 517384]

.

c:\users\Scott Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - TRUESIGHT

*Deregistered* - TrueSight

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2013-01-14 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-13 00:50]

.

2013-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-12 05:11]

.

2013-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-12 05:11]

.

2013-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1135540072-695541943-2338846879-500Core.job

- c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2012-11-13 02:26]

.

2013-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1135540072-695541943-2338846879-500UA.job

- c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2012-11-13 02:26]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

TCP: DhcpNameServer = 192.168.1.1

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-10 - (no file)

SafeBoot-WudfPf

SafeBoot-WudfRd

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-01-14 18:40

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2013-01-14 18:42:07

ComboFix-quarantined-files.txt 2013-01-14 23:42

.

Pre-Run: 160,951,566,336 bytes free

Post-Run: 162,305,298,432 bytes free

.

- - End Of File - - 45774866BF4BC280FC0D3514CC920C67

Link to post
Share on other sites

Success....I think:) My primary account is now clean. No sign of the FBI virus. I ran MB to get a log, and it did detect one item which you can see in the log. I had MB delete it, then rebooted. I'm pretty sure I saw that same item on a previous scan but can't see it in my MB logs. Here is the log:

------------------------------------------------------------------------------------------------------

Malwarebytes Anti-Malware 1.70.0.1100

www.malwarebytes.org

Database version: v2013.01.13.09

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Administrator :: HOMECYBERPOWER [administrator]

1/14/2013 7:00:08 PM

mbam-log-2013-01-14 (19-00-08).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 309812

Time elapsed: 4 minute(s), 55 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 1

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Adobe ARM (Trojan.FakeMS) -> Data: "C:\ProgramData\ifgxpers.exe" -> Quarantined and deleted successfully.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Link to post
Share on other sites

Great, while your here lets check the system for any adware.....

Please download AdwCleaner from here and save it on your Desktop.

AdwCleaner is a reliable removal tool for Adware, Foistware, toolbar and potentially unwanted programs.

AdwCleaner is a tool that deletes :

· Adwares (software ads)

· PUP/LPI (Potentially Undesirable Program)

· Toolbars

· Hijacker (Hijack of the browser's homepage)

It works with a Search and Deletion methode. It can be easily uninstalled using the "Uninstall" mode.

  1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been ran, so in this should be something like R1.

Please look over what was found, we're going to delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain to why it shouldn't be on your system.

MrC

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.