FBI Moneypack Virus

My nephew's computer is infected with the FBI Moneypack Virus (asking for $500 to remove it.)

The FBI splash screen appears immediately upon booting, whether I choose safe mode or boot normally. We are unable to access Task Manager to kill the process or start any other processes. By accessing the Recovery Tools options (at the safe mode boot screen) I am able to get to a command prompt, and start registry editor. When I access the command prompt, it seems as though his drive is "X" and not the usual "C", in case this matters for future instructions.

I have seen the helpers here assist others, and hope that someone may be able to assist me, as well. Please be aware that the computer is not at my home, so there may be a 24 hour lag between your instructions and my response, but I will do whatever is asked of me in order to solve this issue.

Thank you in advance.

Jae C.

Imagine Peace...

Welcome to the forum.

To save time since it's not your computer......

This will work if you have a good system restore point:

Step 1: Use F8 to Boot to SafeMode With Command Prompt

Step 2: Type the word "explorer" in the black screen and press Enter

Step 3: Then Navigate to:

Win XP: C:\windows\system32\restore\rstrui.exe and press Enter (double click rstrui.exe)

Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter (double click rstrui.exe)

Step 4: Restore Computer to Date you know you were virus free

Step 5: Run Malwarebytes

If not, and it's XP:

Follow the instructions at the link below to create and scan the system with an OTLPE disk:

http://forums.malwar...ndpost&p=627789

Vista and W7:


Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Plug the flash drive into the infected PC.

If you are using Vista or Windows 7 enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.

  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.

  • Use the arrow keys to select the Repair your computer menu item.

  • Select US as the keyboard language settings, and then click Next.

  • Select the operating system you want to repair, and then click Next.

  • Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

To make a repair disk on Windows 7 consult: http://www.sevenforu...isc-create.html

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.

  • Restart your computer.

  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.

  • Click Repair your computer.

  • Select US as the keyboard language settings, and then click Next.

  • Select the operating system you want to repair, and then click Next.

  • Select your user account and click Next.

  • On the System Recovery Options menu you will get the following options:

Startup Repair

System Restore

Windows Complete PC Restore

Windows Memory Diagnostic Tool

Command Prompt

Select Command Prompt

Once in the Command Prompt:

  • In the command window type in notepad and press Enter.

  • The notepad opens. Under File menu select Open.

  • Select "Computer" and find your flash drive letter and close the notepad.

  • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter

Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.

  • When the tool opens click Yes to disclaimer.

  • Press Scan button.

  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

MrC

I am still here, and I see your response. I apologize for not noticing it sooner. I have the day off tomorrow and will follow your instructions as best I can. Each time we have tried to boot into safe mode (using each of the three options: command prompt, networking, and … whatever the other one was) it changes the screen resolution (as if it is in safe mode) but the FBI page still appears and prevents any further progress. I will try the other methods tomorrow and follow up here with my progress.

Thank you again for your time, and again I apologize for the delayed response.

Jae C.

Hello, Mr. C, and thank you again.

Here are the results of running the tool:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-01-2013 02 (ATTENTION: FRST version is 6 days old)

Ran by SYSTEM at 27-01-2013 12:03:35

Running from J:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [unattend0000000001{BFA3D12B-66DD-4617-923A-E864BC7D20B5}] C:\Windows\test.bat [x]

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11057768 2010-07-06] (Realtek Semiconductor)

HKLM\...\Run: [uMonit] C:\windows\SysWOW64\UMonit.exe [40960 2010-01-20] ()

HKLM-x32\...\Run: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-09-13] (Intel Corporation)

HKLM-x32\...\Run: [jmekey] C:\Program Files (x86)\jmesoft\hotkey.exe [114688 2009-07-16] (JME)

HKLM-x32\...\Run: [ModeSwitch] "C:\Program Files\Lenovo\Power Dial\LitModeSwitch.exe" /AutoRun [163840 2010-09-26] (Lenovo)

HKLM-x32\...\Run: [Lenovo Dynamic Brightness System] C:\Program Files\Lenovo\Lenovo Brightness System\Lenovo Dynamic Brightness System.exe 1 [285696 2010-10-08] (Lenovo)

HKLM-x32\...\Run: [Lenovo Eye Distance System] C:\Program Files\Lenovo\Lenovo Eye Distance System\Lenovo Eye Distance System.exe 1 [265216 2010-09-09] (Lenovo)

HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1535112 2012-09-12] (McAfee, Inc.)

HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [439568 2010-05-10] (Microsoft Corporation)

HKLM-x32\...\Run: [CLMLServer] "C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc.exe" [103720 2009-12-04] (CyberLink)

HKLM-x32\...\Run: [updateP2GoShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [222504 2009-05-19] (CyberLink Corp.)

HKLM-x32\...\Run: [updatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery" [222504 2009-05-13] (CyberLink Corp.)

HKLM-x32\...\Run: [setDefaultSCR] C:\Program Files (x86)\Lenovo\Lenovo Screensaver\SetDefaultSCR.exe [102400 2009-12-30] (Lenovo)

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1564872 2012-06-06] (Ask)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)

HKU\noah\...\Run: [gtlcMtoallcy] C:\ProgramData\pj_bsfjeb [x]

HKU\noah\...\Policies\system: [DisableTaskMgr] 1

HKLM\...\Winlogon: [shell] explorer.exe, C:\ProgramData\pj_bsfjeb [x ] ()

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

Startup: C:\Users\All Users\Start Menu\Programs\Startup\NETGEAR WNA3100 Smart Wizard.lnk

ShortcutTarget: NETGEAR WNA3100 Smart Wizard.lnk -> C:\Program Files (x86)\NETGEAR\WNA3100\WNA3100.exe ()

==================== Services (Whitelisted) ===================

2 CEEBC40A-FDED-4C59-B354-939132350B01; C:\Program Files (x86)\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe [96752 2010-08-29] ()

2 LenovoCOMSvc; "C:\Program Files\Lenovo\Power Dial\LenovoCOMSvc.exe" [49152 2009-09-30] (Lenovo)

3 LitModeCtrl; "C:\Program Files\Lenovo\Power Dial\LitModeCtrl.exe" [81920 2010-09-09] (Lenovo)

2 McAfee SiteAdvisor Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

2 mcmscsvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

2 McNaiAnn; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

2 McNASvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

3 McODS; "C:\Program Files\mcafee\VirusScan\mcods.exe" [383608 2012-11-16] (McAfee, Inc.)

4 McOobeSv; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

2 McProxy; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [241016 2012-11-09] (McAfee, Inc.)

2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [218320 2012-11-09] (McAfee, Inc.)

2 mfevtp; "C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe" [177680 2012-11-09] (McAfee, Inc.)

2 WSWNA3100; C:\Program Files (x86)\NETGEAR\WNA3100\WifiSvc.exe [285152 2010-08-26] ()

==================== Drivers (Whitelisted) =====================

3 cfwids; C:\Windows\System32\Drivers\cfwids.sys [69672 2012-11-09] (McAfee, Inc.)

3 HipShieldK; C:\Windows\System32\Drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)

3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [178840 2012-11-09] (McAfee, Inc.)

3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [309400 2012-11-09] (McAfee, Inc.)

3 mfefirek; C:\Windows\System32\Drivers\mfefirek.sys [515528 2012-11-09] (McAfee, Inc.)

0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [771096 2012-11-09] (McAfee, Inc.)

3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [106112 2012-11-09] (McAfee, Inc.)

0 mfewfpk; C:\Windows\System32\Drivers\mfewfpk.sys [339776 2012-11-09] (McAfee, Inc.)

3 NPF; C:\Windows\System32\Drivers\NPF.sys [47632 2010-02-03] (CACE Technologies, Inc.)

3 RTL8023x64; C:\Windows\System32\DRIVERS\Rtnic64.sys [51712 2009-06-10] (Realtek Semiconductor Corporation )

3 USTOR2K; C:\Windows\System32\Drivers\USTOR2K.sys [52224 2010-02-21] (Genesys Logic)

0 WinI2C-DDC; C:\Windows\System32\drivers\DDCDrv.sys [20832 2008-04-08] (Nicomsoft Ltd.)

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2013-01-17 07:24 - 2013-01-23 14:25 - 00117248 ____A (Bikuvas) C:\Users\noah\AppData\Roaming\pj_bsfjeb.exe

2013-01-17 07:23 - 2013-01-23 15:21 - 00117248 ____A (Bikuvas) C:\Users\noah\AppData\Local\pj_bsfjeb.exe

2013-01-17 07:22 - 2013-01-23 15:21 - 00117248 ____A (Bikuvas) C:\Users\All Users\pj_bsfjeb.exe

2013-01-10 06:18 - 2012-11-08 21:34 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll

2013-01-10 06:18 - 2012-11-08 20:49 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll

2013-01-10 06:17 - 2012-12-06 21:41 - 00441856 ____A (Microsoft Corporation) C:\Windows\System32\Wpc.dll

2013-01-10 06:17 - 2012-12-06 21:35 - 02745856 ____A (Microsoft Corporation) C:\Windows\System32\gameux.dll

2013-01-10 06:17 - 2012-12-06 21:04 - 00308736 ____A (Microsoft Corporation) C:\Windows\SysWOW64\Wpc.dll

2013-01-10 06:17 - 2012-12-06 20:57 - 02576384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gameux.dll

2013-01-10 06:17 - 2012-12-06 19:45 - 00055296 ____A (Microsoft) C:\Windows\System32\cero.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00051712 ____A (Microsoft) C:\Windows\System32\esrb.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00046592 ____A (Microsoft) C:\Windows\System32\fpb.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00045568 ____A (Microsoft) C:\Windows\System32\oflc-nz.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00044544 ____A (Microsoft) C:\Windows\System32\pegibbfc.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00043520 ____A (Microsoft) C:\Windows\System32\csrr.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00040960 ____A (Microsoft) C:\Windows\System32\cob-au.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00030720 ____A (Microsoft) C:\Windows\System32\usk.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00023552 ____A (Microsoft) C:\Windows\System32\oflc.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00021504 ____A (Microsoft) C:\Windows\System32\grb.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-pt.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-fi.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00015360 ____A (Microsoft) C:\Windows\System32\djctq.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00055296 ____A (Microsoft) C:\Windows\SysWOW64\cero.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00051712 ____A (Microsoft) C:\Windows\SysWOW64\esrb.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00046592 ____A (Microsoft) C:\Windows\SysWOW64\fpb.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00045568 ____A (Microsoft) C:\Windows\SysWOW64\oflc-nz.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00044544 ____A (Microsoft) C:\Windows\SysWOW64\pegibbfc.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00043520 ____A (Microsoft) C:\Windows\SysWOW64\csrr.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00040960 ____A (Microsoft) C:\Windows\SysWOW64\cob-au.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00030720 ____A (Microsoft) C:\Windows\SysWOW64\usk.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00023552 ____A (Microsoft) C:\Windows\SysWOW64\oflc.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00021504 ____A (Microsoft) C:\Windows\SysWOW64\grb.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-pt.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-fi.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00015360 ____A (Microsoft) C:\Windows\SysWOW64\djctq.rs

2013-01-10 06:17 - 2012-11-22 02:32 - 00801280 ____A (Microsoft Corporation) C:\Windows\System32\usp10.dll

2013-01-10 06:17 - 2012-11-22 01:33 - 00627712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\usp10.dll

2013-01-10 06:17 - 2012-11-19 21:55 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2013-01-10 06:17 - 2012-11-19 21:10 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2013-01-10 06:17 - 2012-11-01 21:30 - 02001408 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2013-01-10 06:17 - 2012-11-01 21:30 - 01880064 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2013-01-10 06:17 - 2012-11-01 20:50 - 01388544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2013-01-10 06:17 - 2012-11-01 20:50 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2013-01-10 06:16 - 2012-11-29 21:50 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll

2013-01-10 06:16 - 2012-11-29 21:50 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll

2013-01-10 06:16 - 2012-11-29 21:50 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll

2013-01-10 06:16 - 2012-11-29 21:49 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll

2013-01-10 06:16 - 2012-11-29 21:46 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll

2013-01-10 06:16 - 2012-11-29 21:43 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll

2013-01-10 06:16 - 2012-11-29 21:43 - 00424960 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:06 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll

2013-01-10 06:16 - 2012-11-29 21:06 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll

2013-01-10 06:16 - 2012-11-29 21:06 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 19:33 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe

2013-01-10 06:16 - 2012-11-29 18:56 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe

2013-01-10 06:16 - 2012-11-29 18:56 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll

2013-01-10 06:16 - 2012-11-29 18:56 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe

2013-01-10 06:16 - 2012-11-29 18:56 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe

2013-01-10 06:16 - 2012-11-29 18:51 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 18:51 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 18:51 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 18:51 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 15:21 - 00420032 ____A C:\Windows\SysWOW64\locale.nls

2013-01-10 06:16 - 2012-11-29 15:19 - 00420032 ____A C:\Windows\System32\locale.nls

2013-01-10 06:15 - 2012-11-22 19:45 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-01-09 13:07 - 2013-01-16 07:42 - 00000491 ____A C:\Users\noah\Desktop\Netflix.website

==================== One Month Modified Files and Folders =======

2013-01-27 12:03 - 2013-01-27 12:03 - 00000000 ____D C:\FRST

2013-01-23 15:21 - 2013-01-17 07:23 - 00117248 ____A (Bikuvas) C:\Users\noah\AppData\Local\pj_bsfjeb.exe

2013-01-23 15:21 - 2013-01-17 07:22 - 00117248 ____A (Bikuvas) C:\Users\All Users\pj_bsfjeb.exe

2013-01-23 14:29 - 2012-08-22 13:39 - 00065536 _____ C:\Windows\System32\Ikeext.etl

2013-01-23 14:29 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-01-23 14:29 - 2009-07-13 20:51 - 00068277 ____A C:\Windows\setupact.log

2013-01-23 14:25 - 2013-01-17 07:24 - 00117248 ____A (Bikuvas) C:\Users\noah\AppData\Roaming\pj_bsfjeb.exe

2013-01-23 13:53 - 2010-12-18 14:44 - 01816066 ____A C:\Windows\WindowsUpdate.log

2013-01-23 13:53 - 2009-07-13 20:45 - 00043008 ____A C:\Windows\System32\umstartup.etl

2013-01-23 13:47 - 2009-07-13 20:45 - 00017952 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-01-23 13:47 - 2009-07-13 20:45 - 00017952 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-01-23 13:44 - 2010-12-18 15:31 - 00001828 ____A C:\Users\Public\Desktop\McAfee AntiVirus Plus.lnk

2013-01-23 13:44 - 2009-07-13 21:13 - 00726316 ____A C:\Windows\System32\PerfStringBackup.INI

2013-01-17 07:23 - 2010-12-18 15:27 - 00025248 ____A C:\Windows\PFRO.log

2013-01-17 07:04 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\tracing

2013-01-16 13:12 - 2012-08-27 09:19 - 00000000 ____D C:\Users\noah\AppData\Roaming\.minecraft

2013-01-16 07:42 - 2013-01-09 13:07 - 00000491 ____A C:\Users\noah\Desktop\Netflix.website

2013-01-10 13:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

2013-01-10 09:52 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF

2013-01-10 09:47 - 2009-07-13 21:08 - 00032636 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2013-01-10 09:39 - 2009-07-13 20:45 - 00300296 ____A C:\Windows\System32\FNTCACHE.DAT

2013-01-09 14:01 - 2012-12-16 08:45 - 00262144 ____A C:\Windows\System32\config\ELAM

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys

[2012-12-13 11:58] - [2012-09-06 09:38] - 0295792 ____A (Microsoft Corporation) 9E425AC5C9A5A973273D169F43B4F5E1

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

==================== Memory info ===========================

Percentage of memory in use: 11%

Total physical RAM: 5992.38 MB

Available physical RAM: 5288.61 MB

Total Pagefile: 5990.53 MB

Available Pagefile: 5276.4 MB

Total Virtual: 8192 MB

Available Virtual: 8191.89 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:906.34 GB) (Free:863.72 GB) NTFS ==>[system with boot components (obtained from reading drive)]

2 Drive e: (AC) (CDROM) (Total:6.36 GB) (Free:0 GB) UDF

7 Drive j: (WHITEHEART) (Removable) (Total:29.92 GB) (Free:29.91 GB) FAT32

8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

9 Drive y: () (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 931 GB 0 B

Disk 1 No Media 0 B 0 B

Disk 2 No Media 0 B 0 B

Disk 3 No Media 0 B 0 B

Disk 4 No Media 0 B 0 B

Disk 5 Online 29 GB 0 B

Partitions of Disk 0:

===============

Disk ID: 7B4D476C

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 906 GB 101 MB

Partition 3 OEM 25 GB 906 GB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y NTFS Partition 100 MB Healthy

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 906 GB Healthy

=========================================================

Disk: 0

Partition 3

Type : 12

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 8 LENOVO_PART NTFS Partition 25 GB Healthy Hidden

=========================================================

Partitions of Disk 5:

===============

Disk ID: C3072E18

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 29 GB 16 KB

==================================================================================

Disk: 5

Partition 1

Type : 0C

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 7 J WHITEHEART FAT32 Removable 29 GB Healthy

=========================================================

Last Boot: 2013-01-09 19:08

==================== End Of Log =============================
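
A defender-side triage pass over the log above, added here as an example (it is not FRST's own code and not from anyone in the thread): it parses the FRST.txt line formats shown and flags what the log itself shows, namely the Winlogon Shell value with a second program appended after explorer.exe, the DisableTaskMgr policy, the orphaned Run entries pointing into ProgramData, and the same pj_bsfjeb.exe dropped into three folders. Function and constant names are my own; the sample lines are copied from the log above.

```python
"""Triage an FRST scan log for lock-screen ransomware persistence.

Added example for this thread (not part of FRST or the forum post).
It parses the FRST.txt line formats shown in the thread and flags:
  * a Winlogon Shell value that is anything other than "explorer.exe"
  * a per-user DisableTaskMgr policy set to a non-zero value
  * Run entries whose target FRST marks missing ([x]) or that point
    into ProgramData / AppData / All Users
  * one executable name dropped into several of those folders
"""
import re
from collections import defaultdict

# Sample input constructed from lines of the log posted above.
SAMPLE_LOG = r"""
HKLM\...\Run: [unattend0000000001{BFA3D12B-66DD-4617-923A-E864BC7D20B5}] C:\Windows\test.bat [x]
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11057768 2010-07-06] (Realtek Semiconductor)
HKU\noah\...\Run: [gtlcMtoallcy] C:\ProgramData\pj_bsfjeb [x]
HKU\noah\...\Policies\system: [DisableTaskMgr] 1
HKLM\...\Winlogon: [shell] explorer.exe, C:\ProgramData\pj_bsfjeb [x ] ()
2013-01-17 07:24 - 2013-01-23 14:25 - 00117248 ____A (Bikuvas) C:\Users\noah\AppData\Roaming\pj_bsfjeb.exe
2013-01-17 07:23 - 2013-01-23 15:21 - 00117248 ____A (Bikuvas) C:\Users\noah\AppData\Local\pj_bsfjeb.exe
2013-01-17 07:22 - 2013-01-23 15:21 - 00117248 ____A (Bikuvas) C:\Users\All Users\pj_bsfjeb.exe
2013-01-10 06:16 - 2012-11-29 15:19 - 00420032 ____A C:\Windows\System32\locale.nls
"""

# Line formats as they appear in FRST.txt (hive prefix, [name], target ...).
RUN_RE = re.compile(r"^(?P<hive>HK[^:]*)\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$")
POLICY_RE = re.compile(r"\\Policies\\system: \[DisableTaskMgr\] (?P<value>\d+)", re.I)
WINLOGON_RE = re.compile(r"\\Winlogon: \[shell\] (?P<shell>.*)$", re.I)
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"(?P<size>\d+) (?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)

# Folders a lock screen typically drops into; legitimate autoruns rarely live here.
DROP_DIRS = ("\\programdata\\", "\\appdata\\", "\\users\\all users\\")


def in_drop_dir(path):
    p = path.lower()
    return any(d in p for d in DROP_DIRS)


def triage(log_text):
    """Return a list of (kind, detail) findings for one FRST log."""
    findings = []
    drops = defaultdict(set)  # lower-cased exe name -> folders it was found in
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = WINLOGON_RE.search(line)
        if m:
            # A clean Windows 7 reports exactly "explorer.exe"; anything appended
            # is started at logon alongside the desktop, which is how the
            # lock screen gets in front of everything, safe mode included.
            shell = m.group("shell").strip()
            if shell.lower() != "explorer.exe":
                findings.append(("winlogon_shell", shell))
            continue
        m = POLICY_RE.search(line)
        if m:
            if m.group("value") != "0":
                findings.append(("taskmgr_disabled", line))
            continue
        m = RUN_RE.match(line)
        if m:
            target = m.group("target")
            # [x] means FRST could not find the file: an orphan worth review,
            # not proof of malware on its own (OEM leftovers look the same).
            if "[x]" in target or in_drop_dir(target):
                findings.append(("run_entry", f"{m.group('name')} -> {target}"))
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group("path")
            if path.lower().endswith(".exe") and in_drop_dir(path):
                folder, name = path.rsplit("\\", 1)
                drops[name.lower()].add(folder.lower())
    for name, folders in drops.items():
        if len(folders) >= 2:
            findings.append(("multi_drop", f"{name} in {len(folders)} locations"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:16} {detail}")
```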

OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options (as you did before).

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

See if the computer boots normally now.

MrC

Hello, Mr. C, and thank you so much for your super-fast reply!

I followed your instructions and posted the results below. The computer now starts properly (as properly as looking at someone else's desktop looks). Two windows popped up upon startup:

1. Dial-Up Connection window, asking me to select a network. (My nephew says that this regularly pops up.)

2. Ask Updater - Ask Updater has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available. (My nephew says that he's never seen this before. It has a button that says "Close Program." I haven't closed it yet.)

We'll hang out here a bit and see if there's more to be done. We're so thankful for what you've done thus far! :)

Jae C.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-01-2013 02 (ATTENTION: FRST version is 6 days old)

Ran by SYSTEM at 27-01-2013 12:03:35

Running from J:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [unattend0000000001{BFA3D12B-66DD-4617-923A-E864BC7D20B5}] C:\Windows\test.bat [x]

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11057768 2010-07-06] (Realtek Semiconductor)

HKLM\...\Run: [uMonit] C:\windows\SysWOW64\UMonit.exe [40960 2010-01-20] ()

HKLM-x32\...\Run: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-09-13] (Intel Corporation)

HKLM-x32\...\Run: [jmekey] C:\Program Files (x86)\jmesoft\hotkey.exe [114688 2009-07-16] (JME)

HKLM-x32\...\Run: [ModeSwitch] "C:\Program Files\Lenovo\Power Dial\LitModeSwitch.exe" /AutoRun [163840 2010-09-26] (Lenovo)

HKLM-x32\...\Run: [Lenovo Dynamic Brightness System] C:\Program Files\Lenovo\Lenovo Brightness System\Lenovo Dynamic Brightness System.exe 1 [285696 2010-10-08] (Lenovo)

HKLM-x32\...\Run: [Lenovo Eye Distance System] C:\Program Files\Lenovo\Lenovo Eye Distance System\Lenovo Eye Distance System.exe 1 [265216 2010-09-09] (Lenovo)

HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1535112 2012-09-12] (McAfee, Inc.)

HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [439568 2010-05-10] (Microsoft Corporation)

HKLM-x32\...\Run: [CLMLServer] "C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc.exe" [103720 2009-12-04] (CyberLink)

HKLM-x32\...\Run: [updateP2GoShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [222504 2009-05-19] (CyberLink Corp.)

HKLM-x32\...\Run: [updatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery" [222504 2009-05-13] (CyberLink Corp.)

HKLM-x32\...\Run: [setDefaultSCR] C:\Program Files (x86)\Lenovo\Lenovo Screensaver\SetDefaultSCR.exe [102400 2009-12-30] (Lenovo)

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1564872 2012-06-06] (Ask)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)

HKU\noah\...\Run: [gtlcMtoallcy] C:\ProgramData\pj_bsfjeb [x]

HKU\noah\...\Policies\system: [DisableTaskMgr] 1

HKLM\...\Winlogon: [shell] explorer.exe, C:\ProgramData\pj_bsfjeb [x ] ()

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

Startup: C:\Users\All Users\Start Menu\Programs\Startup\NETGEAR WNA3100 Smart Wizard.lnk

ShortcutTarget: NETGEAR WNA3100 Smart Wizard.lnk -> C:\Program Files (x86)\NETGEAR\WNA3100\WNA3100.exe ()

==================== Services (Whitelisted) ===================

2 CEEBC40A-FDED-4C59-B354-939132350B01; C:\Program Files (x86)\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe [96752 2010-08-29] ()

2 LenovoCOMSvc; "C:\Program Files\Lenovo\Power Dial\LenovoCOMSvc.exe" [49152 2009-09-30] (Lenovo)

3 LitModeCtrl; "C:\Program Files\Lenovo\Power Dial\LitModeCtrl.exe" [81920 2010-09-09] (Lenovo)

2 McAfee SiteAdvisor Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

2 mcmscsvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

2 McNaiAnn; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

2 McNASvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

3 McODS; "C:\Program Files\mcafee\VirusScan\mcods.exe" [383608 2012-11-16] (McAfee, Inc.)

4 McOobeSv; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

2 McProxy; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [241016 2012-11-09] (McAfee, Inc.)

2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [218320 2012-11-09] (McAfee, Inc.)

2 mfevtp; "C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe" [177680 2012-11-09] (McAfee, Inc.)

2 WSWNA3100; C:\Program Files (x86)\NETGEAR\WNA3100\WifiSvc.exe [285152 2010-08-26] ()

==================== Drivers (Whitelisted) =====================

3 cfwids; C:\Windows\System32\Drivers\cfwids.sys [69672 2012-11-09] (McAfee, Inc.)

3 HipShieldK; C:\Windows\System32\Drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)

3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [178840 2012-11-09] (McAfee, Inc.)

3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [309400 2012-11-09] (McAfee, Inc.)

3 mfefirek; C:\Windows\System32\Drivers\mfefirek.sys [515528 2012-11-09] (McAfee, Inc.)

0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [771096 2012-11-09] (McAfee, Inc.)

3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [106112 2012-11-09] (McAfee, Inc.)

0 mfewfpk; C:\Windows\System32\Drivers\mfewfpk.sys [339776 2012-11-09] (McAfee, Inc.)

3 NPF; C:\Windows\System32\Drivers\NPF.sys [47632 2010-02-03] (CACE Technologies, Inc.)

3 RTL8023x64; C:\Windows\System32\DRIVERS\Rtnic64.sys [51712 2009-06-10] (Realtek Semiconductor Corporation )

3 USTOR2K; C:\Windows\System32\Drivers\USTOR2K.sys [52224 2010-02-21] (Genesys Logic)

0 WinI2C-DDC; C:\Windows\System32\drivers\DDCDrv.sys [20832 2008-04-08] (Nicomsoft Ltd.)

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2013-01-17 07:24 - 2013-01-23 14:25 - 00117248 ____A (Bikuvas) C:\Users\noah\AppData\Roaming\pj_bsfjeb.exe

2013-01-17 07:23 - 2013-01-23 15:21 - 00117248 ____A (Bikuvas) C:\Users\noah\AppData\Local\pj_bsfjeb.exe

2013-01-17 07:22 - 2013-01-23 15:21 - 00117248 ____A (Bikuvas) C:\Users\All Users\pj_bsfjeb.exe

2013-01-10 06:18 - 2012-11-08 21:34 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll

2013-01-10 06:18 - 2012-11-08 20:49 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll

2013-01-10 06:17 - 2012-12-06 21:41 - 00441856 ____A (Microsoft Corporation) C:\Windows\System32\Wpc.dll

2013-01-10 06:17 - 2012-12-06 21:35 - 02745856 ____A (Microsoft Corporation) C:\Windows\System32\gameux.dll

2013-01-10 06:17 - 2012-12-06 21:04 - 00308736 ____A (Microsoft Corporation) C:\Windows\SysWOW64\Wpc.dll

2013-01-10 06:17 - 2012-12-06 20:57 - 02576384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gameux.dll

2013-01-10 06:17 - 2012-12-06 19:45 - 00055296 ____A (Microsoft) C:\Windows\System32\cero.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00051712 ____A (Microsoft) C:\Windows\System32\esrb.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00046592 ____A (Microsoft) C:\Windows\System32\fpb.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00045568 ____A (Microsoft) C:\Windows\System32\oflc-nz.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00044544 ____A (Microsoft) C:\Windows\System32\pegibbfc.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00043520 ____A (Microsoft) C:\Windows\System32\csrr.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00040960 ____A (Microsoft) C:\Windows\System32\cob-au.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00030720 ____A (Microsoft) C:\Windows\System32\usk.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00023552 ____A (Microsoft) C:\Windows\System32\oflc.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00021504 ____A (Microsoft) C:\Windows\System32\grb.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-pt.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-fi.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi.rs

2013-01-10 06:17 - 2012-12-06 19:45 - 00015360 ____A (Microsoft) C:\Windows\System32\djctq.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00055296 ____A (Microsoft) C:\Windows\SysWOW64\cero.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00051712 ____A (Microsoft) C:\Windows\SysWOW64\esrb.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00046592 ____A (Microsoft) C:\Windows\SysWOW64\fpb.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00045568 ____A (Microsoft) C:\Windows\SysWOW64\oflc-nz.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00044544 ____A (Microsoft) C:\Windows\SysWOW64\pegibbfc.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00043520 ____A (Microsoft) C:\Windows\SysWOW64\csrr.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00040960 ____A (Microsoft) C:\Windows\SysWOW64\cob-au.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00030720 ____A (Microsoft) C:\Windows\SysWOW64\usk.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00023552 ____A (Microsoft) C:\Windows\SysWOW64\oflc.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00021504 ____A (Microsoft) C:\Windows\SysWOW64\grb.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-pt.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-fi.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi.rs

2013-01-10 06:17 - 2012-12-06 19:21 - 00015360 ____A (Microsoft) C:\Windows\SysWOW64\djctq.rs

2013-01-10 06:17 - 2012-11-22 02:32 - 00801280 ____A (Microsoft Corporation) C:\Windows\System32\usp10.dll

2013-01-10 06:17 - 2012-11-22 01:33 - 00627712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\usp10.dll

2013-01-10 06:17 - 2012-11-19 21:55 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2013-01-10 06:17 - 2012-11-19 21:10 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2013-01-10 06:17 - 2012-11-01 21:30 - 02001408 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2013-01-10 06:17 - 2012-11-01 21:30 - 01880064 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2013-01-10 06:17 - 2012-11-01 20:50 - 01388544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2013-01-10 06:17 - 2012-11-01 20:50 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2013-01-10 06:16 - 2012-11-29 21:50 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll

2013-01-10 06:16 - 2012-11-29 21:50 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll

2013-01-10 06:16 - 2012-11-29 21:50 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll

2013-01-10 06:16 - 2012-11-29 21:49 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll

2013-01-10 06:16 - 2012-11-29 21:46 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll

2013-01-10 06:16 - 2012-11-29 21:43 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll

2013-01-10 06:16 - 2012-11-29 21:43 - 00424960 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 21:06 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll

2013-01-10 06:16 - 2012-11-29 21:06 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll

2013-01-10 06:16 - 2012-11-29 21:06 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 20:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 19:33 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe

2013-01-10 06:16 - 2012-11-29 18:56 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe

2013-01-10 06:16 - 2012-11-29 18:56 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll

2013-01-10 06:16 - 2012-11-29 18:56 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe

2013-01-10 06:16 - 2012-11-29 18:56 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe

2013-01-10 06:16 - 2012-11-29 18:51 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 18:51 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 18:51 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 18:51 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll

2013-01-10 06:16 - 2012-11-29 15:21 - 00420032 ____A C:\Windows\SysWOW64\locale.nls

2013-01-10 06:16 - 2012-11-29 15:19 - 00420032 ____A C:\Windows\System32\locale.nls

2013-01-10 06:15 - 2012-11-22 19:45 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-01-09 13:07 - 2013-01-16 07:42 - 00000491 ____A C:\Users\noah\Desktop\Netflix.website

==================== One Month Modified Files and Folders =======

2013-01-27 12:03 - 2013-01-27 12:03 - 00000000 ____D C:\FRST

2013-01-23 15:21 - 2013-01-17 07:23 - 00117248 ____A (Bikuvas) C:\Users\noah\AppData\Local\pj_bsfjeb.exe

2013-01-23 15:21 - 2013-01-17 07:22 - 00117248 ____A (Bikuvas) C:\Users\All Users\pj_bsfjeb.exe

2013-01-23 14:29 - 2012-08-22 13:39 - 00065536 _____ C:\Windows\System32\Ikeext.etl

2013-01-23 14:29 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-01-23 14:29 - 2009-07-13 20:51 - 00068277 ____A C:\Windows\setupact.log

2013-01-23 14:25 - 2013-01-17 07:24 - 00117248 ____A (Bikuvas) C:\Users\noah\AppData\Roaming\pj_bsfjeb.exe

2013-01-23 13:53 - 2010-12-18 14:44 - 01816066 ____A C:\Windows\WindowsUpdate.log

2013-01-23 13:53 - 2009-07-13 20:45 - 00043008 ____A C:\Windows\System32\umstartup.etl

2013-01-23 13:47 - 2009-07-13 20:45 - 00017952 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-01-23 13:47 - 2009-07-13 20:45 - 00017952 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-01-23 13:44 - 2010-12-18 15:31 - 00001828 ____A C:\Users\Public\Desktop\McAfee AntiVirus Plus.lnk

2013-01-23 13:44 - 2009-07-13 21:13 - 00726316 ____A C:\Windows\System32\PerfStringBackup.INI

2013-01-17 07:23 - 2010-12-18 15:27 - 00025248 ____A C:\Windows\PFRO.log

2013-01-17 07:04 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\tracing

2013-01-16 13:12 - 2012-08-27 09:19 - 00000000 ____D C:\Users\noah\AppData\Roaming\.minecraft

2013-01-16 07:42 - 2013-01-09 13:07 - 00000491 ____A C:\Users\noah\Desktop\Netflix.website

2013-01-10 13:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

2013-01-10 09:52 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF

2013-01-10 09:47 - 2009-07-13 21:08 - 00032636 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2013-01-10 09:39 - 2009-07-13 20:45 - 00300296 ____A C:\Windows\System32\FNTCACHE.DAT

2013-01-09 14:01 - 2012-12-16 08:45 - 00262144 ____A C:\Windows\System32\config\ELAM

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys

[2012-12-13 11:58] - [2012-09-06 09:38] - 0295792 ____A (Microsoft Corporation) 9E425AC5C9A5A973273D169F43B4F5E1

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

==================== Memory info ===========================

Percentage of memory in use: 11%

Total physical RAM: 5992.38 MB

Available physical RAM: 5288.61 MB

Total Pagefile: 5990.53 MB

Available Pagefile: 5276.4 MB

Total Virtual: 8192 MB

Available Virtual: 8191.89 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:906.34 GB) (Free:863.72 GB) NTFS ==>[system with boot components (obtained from reading drive)]

2 Drive e: (AC) (CDROM) (Total:6.36 GB) (Free:0 GB) UDF

7 Drive j: (WHITEHEART) (Removable) (Total:29.92 GB) (Free:29.91 GB) FAT32

8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

9 Drive y: () (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 931 GB 0 B

Disk 1 No Media 0 B 0 B

Disk 2 No Media 0 B 0 B

Disk 3 No Media 0 B 0 B

Disk 4 No Media 0 B 0 B

Disk 5 Online 29 GB 0 B

Partitions of Disk 0:

===============

Disk ID: 7B4D476C

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 906 GB 101 MB

Partition 3 OEM 25 GB 906 GB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y NTFS Partition 100 MB Healthy

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 906 GB Healthy

=========================================================

Disk: 0

Partition 3

Type : 12

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 8 LENOVO_PART NTFS Partition 25 GB Healthy Hidden

=========================================================

Partitions of Disk 5:

===============

Disk ID: C3072E18

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 29 GB 16 KB

==================================================================================

Disk: 5

Partition 1

Type : 0C

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 7 J WHITEHEART FAT32 Removable 29 GB Healthy

=========================================================

Last Boot: 2013-01-09 19:08

==================== End Of Log =============================

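The persistence the FRST log above exposes is the whole story of this infection: the Winlogon Shell value was changed from plain explorer.exe to "explorer.exe, C:\ProgramData\pj_bsfjeb", a per-user Run entry launches the same path, the DisableTaskMgr policy is set for that user, and three same-sized copies of pj_bsfjeb.exe (company name "Bikuvas") were written into user-writable folders. The fixlist MrC attached is not shown in the thread, so the script below is an added example rather than his fix or FRST's own code: a Python triage pass that reads FRST-format registry and file lines and flags exactly those four patterns. The sample lines are copied from the log above, with one benign Realtek autostart and one Microsoft DLL added for contrast; the list of user-writable folders and the finding names are my own choices, and the script assumes FRST's annotation conventions as seen in this log (a trailing "[size date] (company)" for a file it found, "[x]" for one it could not find).

```python
"""Triage an FRST (Farbar Recovery Scan Tool) log for the persistence
indicators seen in the thread above.  Added example; not FRST's own code."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the FRST log posted above, plus one
# benign Realtek autostart and one Microsoft DLL for contrast.
SAMPLE_LOG = r"""
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11057768 2010-07-06] (Realtek Semiconductor)
HKU\noah\...\Run: [gtlcMtoallcy] C:\ProgramData\pj_bsfjeb [x]
HKU\noah\...\Policies\system: [DisableTaskMgr] 1
HKLM\...\Winlogon: [shell] explorer.exe, C:\ProgramData\pj_bsfjeb [x ] ()
2013-01-17 07:24 - 2013-01-23 14:25 - 00117248 ____A (Bikuvas) C:\Users\noah\AppData\Roaming\pj_bsfjeb.exe
2013-01-17 07:23 - 2013-01-23 15:21 - 00117248 ____A (Bikuvas) C:\Users\noah\AppData\Local\pj_bsfjeb.exe
2013-01-17 07:22 - 2013-01-23 15:21 - 00117248 ____A (Bikuvas) C:\Users\All Users\pj_bsfjeb.exe
2013-01-10 06:18 - 2012-11-08 21:34 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
"""

# Folders a standard user can write to (my own list).  Legitimate autostarts
# normally live under Program Files or Windows; malware dropped by a browser
# session running as the user has to land somewhere like these.
USER_WRITABLE = ("\\programdata\\", "\\users\\all users\\", "\\appdata\\", "\\temp\\")

# FRST registry lines: "HKU\noah\...\Run: [name] value"
REG_RE = re.compile(
    r"^(?P<hive>HK\S+?)\\\.\.\.\\(?P<key>Run|Policies\\system|Winlogon): "
    r"\[(?P<name>[^\]]*)\] ?(?P<value>.*)$"
)
# FRST file lines: "created - modified - size attrs (company) path"
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - (?P<size>\d+) "
    r"(?P<attr>\S+) (?:\((?P<company>[^)]*)\) )?(?P<path>[A-Za-z]:\\.*)$"
)
# FRST appends "[size date] (company)" when it found the file and "[x]" when it
# did not; either way it is annotation, not part of the registry value.
ANNOT_RE = re.compile(r"\s*\[[^\]]*\]\s*(\([^)]*\))?\s*$")


@dataclass
class Finding:
    kind: str
    detail: str


def _in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def triage(log_text: str) -> list[Finding]:
    """Return the persistence indicators found in FRST-format log text."""
    findings: list[Finding] = []
    clusters: dict[tuple[str, str], list[str]] = defaultdict(list)

    for line in log_text.splitlines():
        reg = REG_RE.match(line)
        if reg:
            hive, key, name = reg.group("hive", "key", "name")
            target = ANNOT_RE.sub("", reg.group("value")).strip()
            if key == "Winlogon" and name.lower() == "shell":
                # Only "explorer.exe" is legitimate; anything after a comma is
                # started alongside the desktop, consistent with the lock
                # screen appearing in Safe Mode as well as a normal boot.
                parts = [p.strip().lower() for p in target.split(",")]
                if parts != ["explorer.exe"]:
                    findings.append(Finding("winlogon_shell", f"{hive} Shell = {target}"))
            elif key == "Run" and _in_user_writable(target):
                findings.append(Finding("run_key", f"{hive}\\Run [{name}] -> {target}"))
            elif key == "Policies\\system" and name in ("DisableTaskMgr", "DisableRegistryTools") and target == "1":
                findings.append(Finding("policy", f"{hive} {name}=1 (locks the user out of repair tools)"))
            continue

        fil = FILE_RE.match(line)
        if fil and _in_user_writable(fil.group("path")):
            # The same file created in several user-writable places: group it
            # by size and claimed company so a multi-copy dropper stands out.
            bucket = clusters[(fil.group("size"), fil.group("company") or "")]
            if fil.group("path") not in bucket:  # FRST lists a file in both sections
                bucket.append(fil.group("path"))

    for (size, company), paths in clusters.items():
        if len(paths) >= 2:
            findings.append(Finding(
                "dropper_cluster",
                f"{len(paths)} copies, {int(size)} bytes, company '{company}': " + "; ".join(paths),
            ))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.kind}] {finding.detail}")
```

To use it on a real case, read a saved FRST.txt into the string passed to triage(). It deliberately reports and does not remove anything: on this thread the removal was done offline from the recovery environment with a fixlist the helper wrote after reading the log, and a script that only highlights what the helper will act on is the safe posture for a machine you do not own.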

Follow-up: McAfee pop-up says "Your Computer Is At Risk" and gives me the option to "Check Status" or close. If I had my druthers, McAfee wouldn't be involved in the situation at all. ;)

By the time all is said and done, I hope to install and update Avast, Malwarebytes and SuperAntiSpyware, just so you know where I was headed. I will do whatever you suggest, however, since CLEARLY! you are the expert.

Jae C.


OK, let's run some scans............

Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page (screenshot: more reply options).

New window that comes up (screenshot: choose files).

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC


Awesome, thank you! I'm now at least posting from the offending computer. That's so much progress!

The MBAR file is downloading as we speak, and I will respond with the logs. If it looks like it's going to be a lengthy process scanning the computer (i.e. >30 minutes) I may leave the computer scanning and post back later. Unfortunately I'm allergic to more than one animal here, so I'm beginning to suffer. :o

Download completed, starting to unzip and install now.

Jae C.


I ran the program, and it says "Congratulations, no cleanup is required. Scan finished, no malware found."

I am attaching the two files to this post, and while I know Internet Access is working properly (as I used it to download the MBAR file), I will check the other two Windows functions and report back.

Wonderful, so far, so good!

Jae C.

mbar-log-2013-01-27 (13-06-54).txt

system-log.txt


Windows Update is currently installing 1 of 2 "Critical Updates." Not sure if that means it is working properly, but at least it's working!

Windows Security Center is off, and when I try to start it, it says "Windows Security Center Service cannot be started."

When I try to check the firewall, it says that I should click for "recommended settings," but when I click to accept, I get a message that says "Windows Firewall can't change some of your settings. Error code 0x80070422."

So that's the update thus far.

Jae C.


OK...next >>>

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Allergy TILT. Here's the combofix report; my deepest apologies but I'm done for today. Tomorrow I'll return with some Benadryl and an even more positive attitude! Thanks for all you've done thus far.

Jae C.

(Also during the downtime between posts, I installed Malwarebytes and SuperAntiSpyware and Avast. We did partially run SuperAntiSpyware and it said that it found two Trojans and quarantined them. I stopped them from scanning in order to disable them and run the ComboFix. Also, Windows Update seemed to download the updates properly earlier, but when the ComboFix restarted the system, the updates failed to install properly, and now it says there are 82 critical updates. Sigh.)

ComboFix.txt


Hi, Mr. C!

I do not know exactly when I will be able to spend more time over at my nephew's home. Please feel free to close this if that's what's best for threads that are in limbo.

I plan to have him (or my son, or myself) run through all the MB, SAS and Avast! scans, but know those take a bit to run and haven't had the time to invest over there.

I thank you again for all of your help - when I have opportunity to get over there should I post back, or just be thankful for everything you've already done?

Have a great week,

Jae C.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

