
Assistance After DoJ Moneypak Virus


Cpete7


I have recently gotten the "Department of Justice" moneypak virus.

Once it happened, I opened my computer in Safe Mode (because it would lock if started regularly) and ran multiple scans with Malwarebytes (quick and full), but nothing was found. After a day of scanning, I just left it alone until today, and when I restarted my computer I was able to get on regularly without my computer locking. I opened Malwarebytes again, updated the virus definitions and scanned again. After all of this my computer seems to be working fine (running for a few hours and hasn't locked up), but I'm just worried about lasting effects and was wondering if I could have help to make my computer as safe as possible from now on, and make sure everything was removed.

Thank you.


Welcome to the forum.

  1. Please download Farbar Recovery Scan Tool and save it to a flash drive.
    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
    Plug the flash drive into the infected PC.
  2. If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.
    If you are using Vista or Windows 7 enter System Recovery Options.
    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

To make a repair disk on Windows 7 consult: http://www.sevenforu...isc-create.html

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

  • On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt.
  • Once in the Command Prompt:
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter.
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    MrC


Do I still follow these steps if the computer I'm on right now is the one that was infected? The DoJ screen was locking this computer I'm on now and it randomly stopped blocking it; I'm just afraid it may come up in the future or there are lingering effects.

If those steps are still what I should do, then I will, I'm just asking because I don't know since this computer I'm posting from was the one infected.


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-02-2013 01

Ran by PETERS37365 at 27-02-2013 22:27:10

Running from C:\Users\peters37365\Downloads

Service Pack 1 (X86) OS Language: English(US)

Attention: Could not load system hive.

ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.

==================== One Month Created Files and Folders ========

2013-02-27 22:26 - 2013-02-27 22:27 - 00000000 ____D C:\FRST

2013-02-27 22:26 - 2013-02-27 22:26 - 00909666 ____A (Farbar) C:\Users\peters37365\Downloads\FRST.exe

2013-02-27 18:46 - 2013-02-27 18:46 - 00000000 ____D C:\Users\peters37365\AppData\Local\Avg2013

2013-02-27 17:58 - 2013-02-27 17:58 - 00000000 ____D C:\Users\peters37365\AppData\Roaming\TuneUp Software

2013-02-27 17:55 - 2013-02-27 18:48 - 00000000 ____D C:\ProgramData\MFAData

2013-02-27 17:55 - 2013-02-27 17:55 - 00000000 ____D C:\Users\peters37365\AppData\Local\MFAData

2013-02-25 20:21 - 2013-02-25 20:21 - 00079872 ____A C:\Windows\winsta.dll

2013-02-24 19:04 - 2013-02-24 19:04 - 00131072 ____A C:\Windows\Minidump\022413-20716-01.dmp

2013-02-23 04:45 - 2013-02-23 04:57 - 00000000 ____D C:\Users\peters37365\AppData\Local\Paint.NET

2013-02-23 04:45 - 2013-02-23 04:45 - 00000000 ____D C:\Program Files\Paint.NET

2013-02-23 04:44 - 2011-10-07 17:06 - 03756544 ____A C:\Program Files\Paint.NET.3.5.10.Install.exe

2013-02-21 23:28 - 2013-02-21 23:28 - 00000000 ____D C:\ProgramData\APN

2013-02-21 22:25 - 2013-02-21 22:25 - 00000000 ____D C:\Program Files\7-Zip

2013-02-21 21:55 - 2013-02-21 21:55 - 00000000 ____D C:\Users\peters37365\New Folder

2013-02-21 21:46 - 2013-02-25 01:19 - 00000023 ____A C:\Windows\BlendSettings.ini

2013-02-21 21:13 - 2013-02-21 22:17 - 00000000 ____D C:\Users\peters37365\AppData\Local\Oblivion

2013-02-21 21:13 - 2008-10-27 10:04 - 00514384 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_3.dll

2013-02-21 21:13 - 2008-10-27 10:04 - 00235856 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_3.dll

2013-02-21 21:13 - 2008-10-27 10:04 - 00070992 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_2.dll

2013-02-21 21:13 - 2008-10-27 10:04 - 00023376 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_5.dll

2013-02-21 21:13 - 2008-10-10 04:52 - 04379984 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_40.dll

2013-02-21 21:13 - 2008-10-10 04:52 - 02036576 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_40.dll

2013-02-21 21:13 - 2008-07-30 06:20 - 00509448 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_2.dll

2013-02-21 21:13 - 2008-07-30 06:20 - 00238088 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_2.dll

2013-02-21 21:13 - 2008-07-30 06:20 - 00068616 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_1.dll

2013-02-21 21:13 - 2008-07-10 11:01 - 00467984 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_39.dll

2013-02-21 21:13 - 2008-07-10 11:00 - 03851784 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_39.dll

2013-02-21 21:13 - 2008-07-10 11:00 - 01493528 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_39.dll

2013-02-21 21:13 - 2008-05-30 14:19 - 00507400 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_1.dll

2013-02-21 21:13 - 2008-05-30 14:18 - 00238088 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_1.dll

2013-02-21 21:13 - 2008-05-30 14:17 - 00065032 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_0.dll

2013-02-21 21:13 - 2008-05-30 14:17 - 00025608 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_4.dll

2013-02-21 21:13 - 2008-05-30 14:11 - 03850760 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_38.dll

2013-02-21 21:13 - 2008-05-30 14:11 - 01491992 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_38.dll

2013-02-21 21:13 - 2008-05-30 14:11 - 00467984 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_38.dll

2013-02-21 21:13 - 2008-03-05 16:03 - 00479752 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_0.dll

2013-02-21 21:13 - 2008-03-05 16:03 - 00238088 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_0.dll

2013-02-21 21:13 - 2008-03-05 16:00 - 00025608 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_3.dll

2013-02-21 21:13 - 2008-03-05 15:56 - 03786760 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_37.dll

2013-02-21 21:13 - 2008-03-05 15:56 - 01420824 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_37.dll

2013-02-21 21:13 - 2008-02-05 23:07 - 00462864 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_37.dll

2013-02-21 21:13 - 2007-10-22 03:39 - 00267272 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_10.dll

2013-02-21 21:13 - 2007-10-22 03:37 - 00017928 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_2.dll

2013-02-21 21:13 - 2007-10-12 15:14 - 03734536 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_36.dll

2013-02-21 21:13 - 2007-10-12 15:14 - 01374232 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_36.dll

2013-02-21 21:13 - 2007-10-02 09:56 - 00444776 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_36.dll

2013-02-21 21:13 - 2007-07-20 00:57 - 00267112 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_9.dll

2013-02-21 21:13 - 2007-07-19 18:14 - 03727720 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_35.dll

2013-02-21 21:13 - 2007-07-19 18:14 - 01358192 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_35.dll

2013-02-21 21:13 - 2007-07-19 18:14 - 00444776 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_35.dll

2013-02-21 21:13 - 2007-06-20 20:46 - 00266088 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_8.dll

2013-02-21 21:13 - 2007-05-16 16:45 - 03497832 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_34.dll

2013-02-21 21:13 - 2007-05-16 16:45 - 01124720 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_34.dll

2013-02-21 21:13 - 2007-05-16 16:45 - 00443752 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_34.dll

2013-02-21 21:13 - 2007-04-04 18:55 - 00261480 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_7.dll

2013-02-21 21:13 - 2007-04-04 18:53 - 00081768 ____A (Microsoft Corporation) C:\Windows\System32\xinput1_3.dll

2013-02-21 21:13 - 2007-03-15 16:57 - 00443752 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_33.dll

2013-02-21 21:13 - 2007-03-12 16:42 - 03495784 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_33.dll

2013-02-21 21:13 - 2007-03-12 16:42 - 01123696 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_33.dll

2013-02-21 21:13 - 2007-03-05 12:42 - 00015128 ____A (Microsoft Corporation) C:\Windows\System32\x3daudio1_1.dll

2013-02-21 21:13 - 2007-01-24 15:27 - 00255848 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_6.dll

2013-02-21 21:13 - 2006-12-08 12:02 - 00251672 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_5.dll

2013-02-21 21:13 - 2006-11-29 13:06 - 03426072 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_32.dll

2013-02-21 21:13 - 2006-11-29 13:06 - 00440080 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10.dll

2013-02-21 21:13 - 2006-09-28 16:05 - 02414360 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_31.dll

2013-02-21 21:13 - 2006-09-28 16:05 - 00237848 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_4.dll

2013-02-21 21:13 - 2006-07-28 09:30 - 00236824 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_3.dll

2013-02-21 21:13 - 2006-07-28 09:30 - 00062744 ____A (Microsoft Corporation) C:\Windows\System32\xinput1_2.dll

2013-02-21 21:13 - 2006-05-31 07:24 - 00230168 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_2.dll

2013-02-21 21:13 - 2006-03-31 12:40 - 02388176 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_30.dll

2013-02-21 21:13 - 2006-03-31 12:39 - 00229584 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_1.dll

2013-02-21 21:13 - 2006-03-31 12:39 - 00062672 ____A (Microsoft Corporation) C:\Windows\System32\xinput1_1.dll

2013-02-21 21:13 - 2006-02-03 08:43 - 02332368 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_29.dll

2013-02-21 21:13 - 2006-02-03 08:42 - 00230096 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_0.dll

2013-02-21 21:13 - 2006-02-03 08:41 - 00014032 ____A (Microsoft Corporation) C:\Windows\System32\x3daudio1_0.dll

2013-02-21 21:13 - 2005-12-05 18:09 - 02323664 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_28.dll

2013-02-21 21:13 - 2005-07-22 19:59 - 02319568 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_27.dll

2013-02-21 21:13 - 2005-05-26 15:34 - 02297552 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_26.dll

2013-02-21 21:13 - 2005-02-05 19:45 - 02222800 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_24.dll

2013-02-21 17:30 - 2013-02-27 22:01 - 00000000 ____D C:\Program Files\Mozilla Firefox

2013-02-21 17:30 - 2013-02-21 17:30 - 00000000 ____D C:\Users\peters37365\AppData\Local\Macromedia

2013-02-20 14:04 - 2013-02-20 14:04 - 00135216 ____A C:\Windows\Minidump\022013-32604-01.dmp

2013-02-19 08:47 - 2013-02-27 21:39 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-02-19 08:47 - 2013-02-27 19:39 - 00691568 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2013-02-14 13:33 - 2013-02-14 13:33 - 00135216 ____A C:\Windows\Minidump\021413-21933-01.dmp

2013-02-14 09:20 - 2013-02-14 09:20 - 00000000 ____D C:\peters37365

2013-02-14 09:19 - 2005-03-18 17:19 - 02337488 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_25.dll

2013-02-11 22:44 - 2013-02-11 22:44 - 00000055 ____A C:\Users\peters37365\infinity_cl_infinity724_LIVE.dat

2013-02-11 22:44 - 2013-02-11 22:44 - 00000000 ____D C:\Users\peters37365\infinitycache

2013-02-11 08:10 - 2013-02-11 08:10 - 00135216 ____A C:\Windows\Minidump\021113-17596-01.dmp

2013-02-05 21:56 - 2013-02-27 18:50 - 00000000 ____D C:\Program Files\Steam

2013-02-05 21:56 - 2013-02-05 21:56 - 00000875 ____A C:\Users\Public\Desktop\Steam.lnk

2013-02-05 21:56 - 2013-02-05 21:56 - 00000000 ____D C:\Program Files\Common Files\Steam

==================== One Month Modified Files and Folders ========

2013-02-27 22:26 - 2013-02-27 22:26 - 00909666 ____A (Farbar) C:\Users\peters37365\Downloads\FRST.exe

2013-02-27 22:15 - 2012-08-29 08:59 - 00000932 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-642300335-114021691-886301386-15581UA.job

2013-02-27 22:15 - 2012-08-29 08:59 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-642300335-114021691-886301386-15581Core.job

2013-02-27 22:04 - 2012-10-14 23:59 - 00000952 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-642300335-114021691-886301386-15581UA.job

2013-02-27 22:01 - 2013-02-21 17:30 - 00000000 ____D C:\Program Files\Mozilla Firefox

2013-02-27 21:39 - 2013-02-19 08:47 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-02-27 21:24 - 2009-07-13 23:34 - 00018000 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-02-27 21:24 - 2009-07-13 23:34 - 00018000 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-02-27 19:39 - 2013-02-19 08:47 - 00691568 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2013-02-27 19:39 - 2011-07-07 22:23 - 00071024 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2013-02-27 18:52 - 2012-08-28 12:09 - 01164000 ____A C:\Windows\WindowsUpdate.log

2013-02-27 18:51 - 2011-09-14 14:17 - 00815267 ____A C:\Windows\System32\AesAgent.log

2013-02-27 18:50 - 2013-02-05 21:56 - 00000000 ____D C:\Program Files\Steam

2013-02-27 18:49 - 2012-12-19 23:46 - 00009294 ____A C:\Windows\setupact.log

2013-02-27 18:49 - 2012-09-24 16:55 - 00000000 ____D C:\Users\peters37365\AppData\Local\CrashDumps

2013-02-27 18:49 - 2011-07-07 04:37 - 00000000 ____D C:\ProgramData\boost_interprocess

2013-02-27 18:49 - 2011-07-07 03:53 - 00026376 ____A C:\Windows\PFRO.log

2013-02-27 18:49 - 2009-07-13 23:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-02-27 18:48 - 2013-02-27 17:55 - 00000000 ____D C:\ProgramData\MFAData

2013-02-27 18:46 - 2013-02-27 18:46 - 00000000 ____D C:\Users\peters37365\AppData\Local\Avg2013

2013-02-27 17:58 - 2013-02-27 17:58 - 00000000 ____D C:\Users\peters37365\AppData\Roaming\TuneUp Software

2013-02-27 17:58 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\System32\DriverStore

2013-02-27 17:57 - 2009-07-13 21:37 - 00000000 ____D C:\Program Files\Common Files\microsoft shared

2013-02-27 17:55 - 2013-02-27 17:55 - 00000000 ____D C:\Users\peters37365\AppData\Local\MFAData

2013-02-25 20:21 - 2013-02-25 20:21 - 00079872 ____A C:\Windows\winsta.dll

2013-02-25 02:02 - 2012-11-01 06:37 - 00000000 ____D C:\Users\peters37365\AppData\Roaming\Spotify

2013-02-25 01:49 - 2012-11-01 06:38 - 00000000 ____D C:\Users\peters37365\AppData\Local\Spotify

2013-02-25 01:19 - 2013-02-21 21:46 - 00000023 ____A C:\Windows\BlendSettings.ini

2013-02-25 01:04 - 2012-10-14 23:59 - 00000930 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-642300335-114021691-886301386-15581Core.job

2013-02-24 19:04 - 2013-02-24 19:04 - 00131072 ____A C:\Windows\Minidump\022413-20716-01.dmp

2013-02-24 19:04 - 2013-01-16 22:52 - 235041229 ____A C:\Windows\MEMORY.DMP

2013-02-24 19:04 - 2011-07-07 15:09 - 00000000 ____D C:\Windows\Minidump

2013-02-23 05:40 - 2011-07-07 17:56 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2013-02-23 04:57 - 2013-02-23 04:45 - 00000000 ____D C:\Users\peters37365\AppData\Local\Paint.NET

2013-02-23 04:45 - 2013-02-23 04:45 - 00000000 ____D C:\Program Files\Paint.NET

2013-02-23 04:22 - 2012-08-29 09:01 - 00002396 ____A C:\Users\peters37365\Desktop\Google Chrome.lnk

2013-02-22 13:32 - 2012-12-01 01:28 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service

2013-02-21 23:28 - 2013-02-21 23:28 - 00000000 ____D C:\ProgramData\APN

2013-02-21 22:25 - 2013-02-21 22:25 - 00000000 ____D C:\Program Files\7-Zip

2013-02-21 22:17 - 2013-02-21 21:13 - 00000000 ____D C:\Users\peters37365\AppData\Local\Oblivion

2013-02-21 21:55 - 2013-02-21 21:55 - 00000000 ____D C:\Users\peters37365\New Folder

2013-02-21 21:55 - 2012-08-29 08:53 - 00000000 ____D C:\users\peters37365

2013-02-21 17:30 - 2013-02-21 17:30 - 00000000 ____D C:\Users\peters37365\AppData\Local\Macromedia

2013-02-21 17:29 - 2011-07-07 22:15 - 00000000 ____D C:\ProgramData\Adobe

2013-02-21 10:44 - 2011-07-08 01:27 - 00000232 ____A C:\Windows\System32\config\netlogon.ftl

2013-02-20 23:05 - 2012-08-31 16:05 - 00000024 ____A C:\Users\peters37365\random.dat

2013-02-20 23:02 - 2012-08-31 16:05 - 00000050 ____A C:\Users\peters37365\jagex_cl_runescape_LIVE.dat

2013-02-20 14:04 - 2013-02-20 14:04 - 00135216 ____A C:\Windows\Minidump\022013-32604-01.dmp

2013-02-14 13:33 - 2013-02-14 13:33 - 00135216 ____A C:\Windows\Minidump\021413-21933-01.dmp

2013-02-14 09:20 - 2013-02-14 09:20 - 00000000 ____D C:\peters37365

2013-02-14 09:19 - 2012-09-08 10:24 - 00042868 ____A C:\Windows\DirectX.log

2013-02-11 22:44 - 2013-02-11 22:44 - 00000055 ____A C:\Users\peters37365\infinity_cl_infinity724_LIVE.dat

2013-02-11 22:44 - 2013-02-11 22:44 - 00000000 ____D C:\Users\peters37365\infinitycache

2013-02-11 08:11 - 2012-08-29 08:53 - 00013800 _RASH C:\Users\peters37365\ntuser.pol

2013-02-11 08:10 - 2013-02-11 08:10 - 00135216 ____A C:\Windows\Minidump\021113-17596-01.dmp

2013-02-05 21:56 - 2013-02-05 21:56 - 00000875 ____A C:\Users\Public\Desktop\Steam.lnk

2013-02-05 21:56 - 2013-02-05 21:56 - 00000000 ____D C:\Program Files\Common Files\Steam

2013-01-30 05:53 - 2011-07-06 21:21 - 00232336 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Memory info ===========================

Percentage of memory in use: 47%

Total physical RAM: 2669.86 MB

Available physical RAM: 1392.77 MB

Total Pagefile: 5338 MB

Available Pagefile: 4017.61 MB

Total Virtual: 2047.88 MB

Available Virtual: 1927.04 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:258.79 GB) (Free:182.73 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

2 Drive d: () (Fixed) (Total:39.3 GB) (Free:31.12 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 298 GB 0 B

Partitions of Disk 0:

===============

Disk ID: 58FF54B5

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 258 GB 1024 KB

Partition 2 Primary 39 GB 258 GB

=========================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 0 C NTFS Partition 258 GB Healthy System (partition with boot components)

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 D NTFS Partition 39 GB Healthy

=========================================================

Last Boot: 2013-02-23 04:20

==================== End Of Log ============================


No, that's not right. Try again and carefully follow the directions, or, if you can run a program on the system, do this:

Run ComboFix:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC
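As an added illustration for readers of this thread (not MrC's procedure and not code from ComboFix or Malwarebytes), the Python script below triages the kind of ComboFix output posted further down: it parses the Reg Loading Points section, flags policy values that weaken the machine (UAC switched off, automatic updates disabled) and flags orphaned driver entries whose names look machine-generated. The excerpt is constructed from lines on this page, and the random-name heuristic is this example's own assumption, not a rule ComboFix applies.

```python
import re

# Constructed excerpt: lines copied from the ComboFix "Reg Loading Points" and
# driver sections posted later in this thread, trimmed to what the script needs.
COMBOFIX_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
R1 cjcuddml;cjcuddml;c:\windows\system32\drivers\cjcuddml.sys [x]
R1 elhpalql;elhpalql;c:\windows\system32\drivers\elhpalql.sys [x]
R3 ATHDFU;Atheros Valkyrie USB BootROM;c:\windows\System32\Drivers\AthDfu.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
"""

# Registry values whose listed setting weakens the machine's defences:
# value name -> (the weak value, what that value means).
WEAK_VALUES = {
    "EnableLUA": (0, "User Account Control is switched off"),
    "ConsentPromptBehaviorAdmin": (0, "administrators elevate without any prompt"),
    "PromptOnSecureDesktop": (0, "elevation prompts do not use the secure desktop"),
    "NoAutoUpdate": (1, "automatic Windows Update is disabled by policy"),
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(-?\d+)\s*\(0x[0-9A-Fa-f]+\)$')
# ComboFix driver/service line: "<R|S><start> name;display name;path [x]";
# a trailing [x] marks a registered driver whose file is missing on disk.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)(\s*\[x\])?$")


def parse_policy_values(text):
    """Return {registry key: {value name: int}} for the REGEDIT4-style blocks."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            keys[current][value.group(1)] = int(value.group(2))
    return keys


def weakened_settings(text):
    """List policy values in the log that match a known weak setting."""
    findings = []
    for key, values in parse_policy_values(text).items():
        for name, value in values.items():
            weak = WEAK_VALUES.get(name)
            if weak and value == weak[0]:
                findings.append(f"{key}\\{name}={value}: {weak[1]}")
    return findings


def parse_service_entries(text):
    """Parse the R*/S* driver and service lines into dicts."""
    entries = []
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if m:
            entries.append({"start": m.group(1), "name": m.group(2),
                            "display": m.group(3), "path": m.group(4),
                            "missing": m.group(5) is not None})
    return entries


def looks_random(name):
    """Heuristic (this example's assumption, not a ComboFix rule): eight or more
    lowercase letters with a quarter or fewer vowels reads as a generated name."""
    if len(name) < 8 or not name.isalpha() or not name.islower():
        return False
    return sum(c in "aeiouy" for c in name) / len(name) <= 0.25


def suspicious_drivers(text):
    """Drivers whose file is missing, whose display name merely repeats the
    service name, and whose name looks generated: worth a closer look."""
    return [e["name"] for e in parse_service_entries(text)
            if e["missing"] and e["name"] == e["display"] and looks_random(e["name"])]


if __name__ == "__main__":
    for finding in weakened_settings(COMBOFIX_EXCERPT):
        print("weak setting:", finding)
    for name in suspicious_drivers(COMBOFIX_EXCERPT):
        print("orphaned, random-looking driver entry:", name)
```

Flagged entries are leads for the helper to check, not verdicts: an orphaned entry only says a file is missing, and the policy findings say which protections should be turned back on once the cleanup is done.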


If you can run ComboFix, please do.

If not...do this:

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://www.itxassociates.com/OT-Tools/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

The scan will take about 10 minutes...depends on your hard drive size.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC (Be back in the AM)


Here's the ComboFix log:

ComboFix 13-02-26.01 - PETERS37365 02/28/2013 18:54:27.1.4 - x86

Running from: c:\users\peters37365\Desktop\ComboFix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\peters37365\AppData\Local\dealcabby

c:\users\peters37365\AppData\Local\dealcabby\license.txt

c:\users\peters37365\AppData\Local\dealcabby\sqlite3.exe

c:\users\peters37365\AppData\Local\dealcabby\uninst.exe

c:\windows\amcdr.dll

c:\windows\system32\install

c:\windows\vmdcr.dll

c:\windows\winsta.dll

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_Run

.

.

((((((((((((((((((((((((( Files Created from 2013-02-01 to 2013-03-01 )))))))))))))))))))))))))))))))

.

.

2013-02-28 23:59 . 2013-02-28 23:59 -------- d-----w- c:\users\user\AppData\Local\temp

2013-02-28 23:59 . 2013-02-28 23:59 -------- d-----w- c:\users\Tech\AppData\Local\temp

2013-02-28 23:59 . 2013-02-28 23:59 -------- d-----w- c:\users\mt\AppData\Local\temp

2013-02-28 23:39 . 2013-02-08 00:45 6954968 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AFC445C5-EF46-45C3-98C3-1FF663027359}\mpengine.dll

2013-02-28 23:32 . 2013-03-01 00:01 -------- d-----w- c:\programdata\boost_interprocess

2013-02-28 03:26 . 2013-02-28 03:27 -------- d-----w- C:\FRST

2013-02-27 23:46 . 2013-02-27 23:46 -------- d-----w- c:\users\peters37365\AppData\Local\Avg2013

2013-02-27 22:58 . 2013-02-27 22:58 -------- d-----w- c:\users\peters37365\AppData\Roaming\TuneUp Software

2013-02-27 22:55 . 2013-02-27 23:48 -------- d-----w- c:\programdata\MFAData

2013-02-27 22:55 . 2013-02-27 22:55 -------- d--h--w- c:\programdata\Common Files

2013-02-27 22:55 . 2013-02-27 22:55 -------- d-----w- c:\users\peters37365\AppData\Local\MFAData

2013-02-23 10:39 . 2013-02-23 10:39 -------- d-----w- c:\users\peters37365\AppData\Local\Programs

2013-02-23 09:45 . 2013-02-23 09:45 -------- d-----w- c:\program files\Paint.NET

2013-02-23 09:45 . 2013-02-23 09:57 -------- d-----w- c:\users\peters37365\AppData\Local\Paint.NET

2013-02-22 03:25 . 2013-02-22 03:25 -------- d-----w- c:\program files\7-Zip

2013-02-22 02:55 . 2013-02-22 02:55 -------- d-----w- c:\users\peters37365\New Folder

2013-02-21 22:30 . 2013-02-21 22:30 -------- d-----w- c:\users\peters37365\AppData\Local\Macromedia

2013-02-19 13:47 . 2013-02-28 00:39 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-02-14 14:20 . 2013-02-14 14:20 -------- d-----w- C:\peters37365

2013-02-12 03:44 . 2013-02-12 03:44 -------- d-----w- c:\users\peters37365\infinitycache

2013-02-06 02:56 . 2013-02-06 02:56 -------- d-----w- c:\program files\Common Files\Steam

2013-02-06 02:56 . 2013-02-28 23:32 -------- d-----w- c:\program files\Steam

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-02-28 00:39 . 2011-07-08 03:23 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-02-08 00:45 . 2013-01-18 04:37 6954968 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-01-30 10:53 . 2011-07-07 02:21 232336 ------w- c:\windows\system32\MpSigStub.exe

2013-01-12 08:30 . 2013-01-16 04:29 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-12-26 15:47 . 2012-08-30 03:21 859072 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-12-26 15:47 . 2012-08-30 03:21 779704 ----a-w- c:\windows\system32\deployJava1.dll

2012-12-14 21:49 . 2011-07-07 22:56 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-02-16 00:35 . 2013-02-21 22:30 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]

"Facebook Update"="c:\users\peters37365\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-10-15 138096]

"Spotify Web Helper"="c:\users\peters37365\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-02-18 1103768]

"Steam"="c:\program files\Steam\Steam.exe" [2013-02-25 1602984]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]

"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-01-12 283160]

"LManager"="c:\program files\Launch Manager\LManager.exe" [2011-01-17 1037904]

"Power Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2011-02-23 715368]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-01-13 2049320]

"ETDCtrl"="c:\program files\Elantech\ETDCtrl.exe" [2010-11-12 1812264]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-08 143384]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-08 176664]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-08 178200]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-11-29 151952]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableInstallerDetection"= 0 (0x0)

"EnableLUA"= 0 (0x0)

"EnableSecureUIAPaths"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]

"NoAutoUpdate"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-642300335-114021691-886301386-15581\Scripts\Logon\0\0]

"Script"=\\mvctc.com\SysVol\mvctc.com\scripts\scripts\Printer\SecGrpPrinters.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-642300335-114021691-886301386-15581\Scripts\Logon\1\0]

"Script"=\\mvctc.com\SysVol\mvctc.com\scripts\Laptop\3830T\DisableCam.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-642300335-114021691-886301386-15581\Scripts\Logon\2\0]

"Script"=\\mvctc.com\SysVol\mvctc.com\scripts\scripts\Drives\SecGrpDrives.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-642300335-114021691-886301386-15581\Scripts\Logon\3\0]

"Script"=\\mvctc.com\SysVol\mvctc.com\scripts\Laptop\3830T\DisableCam.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-642300335-114021691-886301386-15581\Scripts\Logon\4\0]

"Script"=\\mvctc.com\NETLOGON\scripts\other\KMS.bat

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-642300335-114021691-886301386-4264\Scripts\Logon\0\0]

"Script"=\\mvctc.com\SysVol\mvctc.com\scripts\scripts\Printer\SecGrpPrinters.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-642300335-114021691-886301386-4264\Scripts\Logon\1\0]

"Script"=\\mvctc.com\SysVol\mvctc.com\scripts\Files\rename.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-642300335-114021691-886301386-4264\Scripts\Logon\1\1]

"Script"=\\mvctc.com\SysVol\mvctc.com\scripts\Laptop\wireless.bat

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-642300335-114021691-886301386-4264\Scripts\Logon\1\2]

"Script"=\\mvctc.com\SysVol\mvctc.com\Files\audiodriver.bat

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-642300335-114021691-886301386-4264\Scripts\Logon\2\0]

"Script"=\\mvctc.com\SysVol\mvctc.com\scripts\scripts\Drives\SecGrpDrives.vbs

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R1 cjcuddml;cjcuddml;c:\windows\system32\drivers\cjcuddml.sys [x]

R1 elhpalql;elhpalql;c:\windows\system32\drivers\elhpalql.sys [x]

R1 idntkwic;idntkwic;c:\windows\system32\drivers\idntkwic.sys [x]

R1 ifqnlrve;ifqnlrve;c:\windows\system32\drivers\ifqnlrve.sys [x]

R1 jhungmdy;jhungmdy;c:\windows\system32\drivers\jhungmdy.sys [x]

R3 ATHDFU;Atheros Valkyrie USB BootROM;c:\windows\System32\Drivers\AthDfu.sys [x]

R3 BTATH_BUS;Atheros Bluetooth Bus;c:\windows\system32\drivers\btath_bus.sys [x]

R3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\drivers\btath_hcrp.sys [x]

R3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\drivers\btath_rcp.sys [x]

R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]

R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [x]

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

S2 AesAgent;AesAgent;c:\program files\AES\webTRAC\AesAgent.exe [x]

S2 DsiWMIService;Dritek WMI Service;c:\program files\Launch Manager\dsiwmis.exe [x]

S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [x]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]

S2 IconMan_R;IconMan_R;c:\program files\Realtek\Realtek PCIE Card Reader\RIconMan.exe [x]

S2 OrbisClient.Services;LabSim Configuration and Security;c:\program files\TestOut\Orbis\OrbisClient.Services.exe [x]

S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [x]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [x]

S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [x]

S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]

S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]

S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2013-02-28 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-19 00:39]

.

2013-02-25 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-642300335-114021691-886301386-15581Core.job

- c:\users\peters37365\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-10-15 04:59]

.

2013-03-01 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-642300335-114021691-886301386-15581UA.job

- c:\users\peters37365\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-10-15 04:59]

.

2013-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-642300335-114021691-886301386-15581Core.job

- c:\users\peters37365\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-29 13:59]

.

2013-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-642300335-114021691-886301386-15581UA.job

- c:\users\peters37365\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-29 13:59]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.bing.com/#

mStart Page = hxxp://www.bing.com/#

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath -

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{b6ac5e3c-5ceb-4e72-b451-f0e1ba983c14} - (no file)

WebBrowser-{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14} - (no file)

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre7\bin\jusched.exe

AddRemove-DealCabby - c:\users\peters37365\AppData\Local\dealcabby\uninst.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe

c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

c:\windows\system32\taskhost.exe

c:\windows\system32\conhost.exe

c:\program files\Launch Manager\LMworker.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\igfxext.exe

c:\program files\Elantech\ETDCtrlHelper.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\windows\system32\sppsvc.exe

.

**************************************************************************

.

Completion time: 2013-02-28 19:04:41 - machine was rebooted

ComboFix-quarantined-files.txt 2013-03-01 00:04

.

Pre-Run: 195,989,794,816 bytes free

Post-Run: 195,823,353,856 bytes free

.

- - End Of File - - CE02A687AC06BAF397759340AC0FF4F6


Please be connected to the internet while running ComboFix; it's going to upload some files.

--------------------

Using ComboFix......

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

http://forums.malwar...ndpost&p=651887

Collect::

c:\windows\system32\drivers\cjcuddml.sys

c:\windows\system32\drivers\elhpalql.sys

c:\windows\system32\drivers\idntkwic.sys

c:\windows\system32\drivers\ifqnlrve.sys

c:\windows\system32\drivers\jhungmdy.sys

Driver::

cjcuddml

elhpalql

idntkwic

ifqnlrve

jhungmdy

ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC

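The five drivers collected by the CFScript above share a pattern that is easy to spot once the log is parsed. The following triage helper is an added example, not part of the thread and not ComboFix code: it reads ComboFix-style driver lines and registry value lines, flags kernel drivers with random-looking eight-letter names whose file is missing, and flags the policy values in the log that leave UAC and Automatic Updates switched off. The sample log is constructed from entries like those above, and the reading of `[x]` as "file not found" is an assumption.

```python
"""Triage helper for ComboFix-style log text (added example, not ComboFix code)."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the thread's log: two policy keys and a
# few driver lines (five random-looking names plus two legitimate ones).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableSecureUIAPaths"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
R1 cjcuddml;cjcuddml;c:\windows\system32\drivers\cjcuddml.sys [x]
R1 elhpalql;elhpalql;c:\windows\system32\drivers\elhpalql.sys [x]
R1 idntkwic;idntkwic;c:\windows\system32\drivers\idntkwic.sys [x]
R1 ifqnlrve;ifqnlrve;c:\windows\system32\drivers\ifqnlrve.sys [x]
R1 jhungmdy;jhungmdy;c:\windows\system32\drivers\jhungmdy.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [x]
"""

# ComboFix driver/service lines: "<R|S><start> name;display;path [flag]".
DRIVER_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s*\[([^\]]*)\]\s*$')
# Registry value lines as ComboFix prints them: "Name"= 0 (0x0)
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(-?\d+)\s*\(0x[0-9A-Fa-f]+\)\s*$')
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
# Eight lowercase letters: the shape shared by the five drivers in the log.
RANDOM_NAME_RE = re.compile(r'^[a-z]{8}$')

# (key suffix, value name) -> value a hardened system should show.
# These are real Windows policy value names; any other value is reported.
EXPECTED = {
    ('policies\\system', 'EnableLUA'): 1,
    ('policies\\system', 'PromptOnSecureDesktop'): 1,
    ('policies\\system', 'EnableSecureUIAPaths'): 1,
    ('windowsupdate\\au', 'NoAutoUpdate'): 0,
}


@dataclass
class Driver:
    start: str
    name: str
    display: str
    path: str
    flag: str

    def looks_random(self) -> bool:
        """Heuristic: unbranded 8-letter name, display name identical to the
        service name, dropped into system32\\drivers, and the file is missing
        ([x] is assumed here to mean 'file not found')."""
        return (RANDOM_NAME_RE.match(self.name) is not None
                and self.display == self.name
                and '\\drivers\\' in self.path.lower()
                and self.flag == 'x')


def parse_drivers(log_text):
    """Return every R*/S* driver or service line as a Driver record."""
    drivers = []
    for line in log_text.splitlines():
        m = DRIVER_RE.match(line.strip())
        if m:
            drivers.append(Driver(*m.groups()))
    return drivers


def parse_policy_values(log_text):
    """Return {(key_suffix, name): int} for the values listed in EXPECTED."""
    values = {}
    current_key = None
    for line in log_text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current_key = km.group(1).lower()
            continue
        vm = VALUE_RE.match(line)
        if vm and current_key:
            for suffix, name in EXPECTED:
                if current_key.endswith(suffix) and vm.group(1) == name:
                    values[(suffix, name)] = int(vm.group(2))
    return values


def triage(log_text):
    """Summarise suspect drivers and weak policy settings found in the log."""
    suspects = sorted(d.name for d in parse_drivers(log_text) if d.looks_random())
    found = parse_policy_values(log_text)
    weak = sorted(f'{name}={val}' for (suffix, name), val in found.items()
                  if val != EXPECTED[(suffix, name)])
    return {'suspect_drivers': suspects, 'weak_policies': weak}


if __name__ == '__main__':
    print(triage(SAMPLE_LOG))
```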

Here it is;

ComboFix 13-02-26.01 - PETERS37365 02/28/2013 19:48:52.3.4 - x86

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2670.1763 [GMT -5:00]

Running from: c:\users\peters37365\Desktop\ComboFix.exe

Command switches used :: c:\users\peters37365\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_cjcuddml

-------\Service_elhpalql

-------\Service_idntkwic

-------\Service_ifqnlrve

-------\Service_jhungmdy

.

.

((((((((((((((((((((((((( Files Created from 2013-02-01 to 2013-03-01 )))))))))))))))))))))))))))))))

.

.

2013-03-01 00:54 . 2013-03-01 00:54 -------- d-----w- c:\users\user\AppData\Local\temp

2013-03-01 00:54 . 2013-03-01 00:54 -------- d-----w- c:\users\Tech\AppData\Local\temp

2013-03-01 00:54 . 2013-03-01 00:54 -------- d-----w- c:\users\student\AppData\Local\temp

2013-03-01 00:54 . 2013-03-01 00:54 -------- d-----w- c:\users\mt\AppData\Local\temp

2013-03-01 00:54 . 2013-03-01 00:54 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-03-01 00:54 . 2013-03-01 00:54 -------- d-----w- c:\users\Default.old\AppData\Local\temp

2013-02-28 23:39 . 2013-02-08 00:45 6954968 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AFC445C5-EF46-45C3-98C3-1FF663027359}\mpengine.dll

2013-02-28 23:32 . 2013-03-01 01:07 -------- d-----w- c:\programdata\boost_interprocess

2013-02-28 03:26 . 2013-02-28 03:27 -------- d-----w- C:\FRST

2013-02-27 23:46 . 2013-02-27 23:46 -------- d-----w- c:\users\peters37365\AppData\Local\Avg2013

2013-02-27 22:58 . 2013-02-27 22:58 -------- d-----w- c:\users\peters37365\AppData\Roaming\TuneUp Software

2013-02-27 22:55 . 2013-02-27 23:48 -------- d-----w- c:\programdata\MFAData

2013-02-27 22:55 . 2013-02-27 22:55 -------- d--h--w- c:\programdata\Common Files

2013-02-27 22:55 . 2013-02-27 22:55 -------- d-----w- c:\users\peters37365\AppData\Local\MFAData

2013-02-23 10:39 . 2013-02-23 10:39 -------- d-----w- c:\users\peters37365\AppData\Local\Programs

2013-02-23 09:45 . 2013-02-23 09:45 -------- d-----w- c:\program files\Paint.NET

2013-02-23 09:45 . 2013-02-23 09:57 -------- d-----w- c:\users\peters37365\AppData\Local\Paint.NET

2013-02-22 03:25 . 2013-02-22 03:25 -------- d-----w- c:\program files\7-Zip

2013-02-22 02:55 . 2013-02-22 02:55 -------- d-----w- c:\users\peters37365\New Folder

2013-02-21 22:30 . 2013-02-21 22:30 -------- d-----w- c:\users\peters37365\AppData\Local\Macromedia

2013-02-19 13:47 . 2013-02-28 00:39 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-02-14 14:20 . 2013-02-14 14:20 -------- d-----w- C:\peters37365

2013-02-12 03:44 . 2013-02-12 03:44 -------- d-----w- c:\users\peters37365\infinitycache

2013-02-06 02:56 . 2013-02-06 02:56 -------- d-----w- c:\program files\Common Files\Steam

2013-02-06 02:56 . 2013-03-01 01:07 -------- d-----w- c:\program files\Steam

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-02-28 00:39 . 2011-07-08 03:23 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-02-08 00:45 . 2013-01-18 04:37 6954968 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-01-30 10:53 . 2011-07-07 02:21 232336 ------w- c:\windows\system32\MpSigStub.exe

2013-01-12 08:30 . 2013-01-16 04:29 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-12-26 15:47 . 2012-08-30 03:21 859072 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-12-26 15:47 . 2012-08-30 03:21 779704 ----a-w- c:\windows\system32\deployJava1.dll

2012-12-14 21:49 . 2011-07-07 22:56 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-02-16 00:35 . 2013-02-21 22:30 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]

"Facebook Update"="c:\users\peters37365\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-10-15 138096]

"Spotify Web Helper"="c:\users\peters37365\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-02-18 1103768]

"Steam"="c:\program files\Steam\Steam.exe" [2013-02-25 1602984]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]

"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-01-12 283160]

"LManager"="c:\program files\Launch Manager\LManager.exe" [2011-01-17 1037904]

"Power Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2011-02-23 715368]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-01-13 2049320]

"ETDCtrl"="c:\program files\Elantech\ETDCtrl.exe" [2010-11-12 1812264]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-08 143384]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-08 176664]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-08 178200]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-11-29 151952]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableInstallerDetection"= 0 (0x0)

"EnableLUA"= 0 (0x0)

"EnableSecureUIAPaths"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]

"NoAutoUpdate"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-642300335-114021691-886301386-15581\Scripts\Logon\0\0]

"Script"=\\mvctc.com\SysVol\mvctc.com\scripts\scripts\Printer\SecGrpPrinters.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-642300335-114021691-886301386-15581\Scripts\Logon\1\0]

"Script"=\\mvctc.com\SysVol\mvctc.com\scripts\Laptop\3830T\DisableCam.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-642300335-114021691-886301386-15581\Scripts\Logon\2\0]

"Script"=\\mvctc.com\SysVol\mvctc.com\scripts\scripts\Drives\SecGrpDrives.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-642300335-114021691-886301386-15581\Scripts\Logon\3\0]

"Script"=\\mvctc.com\SysVol\mvctc.com\scripts\Laptop\3830T\DisableCam.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-642300335-114021691-886301386-15581\Scripts\Logon\4\0]

"Script"=\\mvctc.com\NETLOGON\scripts\other\KMS.bat

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-642300335-114021691-886301386-4264\Scripts\Logon\0\0]

"Script"=\\mvctc.com\SysVol\mvctc.com\scripts\scripts\Printer\SecGrpPrinters.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-642300335-114021691-886301386-4264\Scripts\Logon\1\0]

"Script"=\\mvctc.com\SysVol\mvctc.com\scripts\Files\rename.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-642300335-114021691-886301386-4264\Scripts\Logon\1\1]

"Script"=\\mvctc.com\SysVol\mvctc.com\scripts\Laptop\wireless.bat

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-642300335-114021691-886301386-4264\Scripts\Logon\1\2]

"Script"=\\mvctc.com\SysVol\mvctc.com\Files\audiodriver.bat

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-642300335-114021691-886301386-4264\Scripts\Logon\2\0]

"Script"=\\mvctc.com\SysVol\mvctc.com\scripts\scripts\Drives\SecGrpDrives.vbs

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R3 ATHDFU;Atheros Valkyrie USB BootROM;c:\windows\System32\Drivers\AthDfu.sys [x]

R3 BTATH_BUS;Atheros Bluetooth Bus;c:\windows\system32\drivers\btath_bus.sys [x]

R3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\drivers\btath_hcrp.sys [x]

R3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\drivers\btath_rcp.sys [x]

R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]

R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [x]

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

S2 AesAgent;AesAgent;c:\program files\AES\webTRAC\AesAgent.exe [x]

S2 DsiWMIService;Dritek WMI Service;c:\program files\Launch Manager\dsiwmis.exe [x]

S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [x]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]

S2 IconMan_R;IconMan_R;c:\program files\Realtek\Realtek PCIE Card Reader\RIconMan.exe [x]

S2 OrbisClient.Services;LabSim Configuration and Security;c:\program files\TestOut\Orbis\OrbisClient.Services.exe [x]

S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [x]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [x]

S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [x]

S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]

S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]

S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [x]

.

.

Contents of the 'Scheduled Tasks' folder

.

2013-03-01 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-19 00:39]

.

2013-02-25 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-642300335-114021691-886301386-15581Core.job

- c:\users\peters37365\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-10-15 04:59]

.

2013-03-01 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-642300335-114021691-886301386-15581UA.job

- c:\users\peters37365\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-10-15 04:59]

.

2013-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-642300335-114021691-886301386-15581Core.job

- c:\users\peters37365\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-29 13:59]

.

2013-03-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-642300335-114021691-886301386-15581UA.job

- c:\users\peters37365\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-29 13:59]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.bing.com/#

mStart Page = hxxp://www.bing.com/#

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath -

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe

c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

c:\windows\system32\taskhost.exe

c:\windows\system32\sppsvc.exe

c:\windows\system32\conhost.exe

c:\program files\Launch Manager\LMworker.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\igfxext.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Windows Media Player\wmpnetwk.exe

.

**************************************************************************

.

Completion time: 2013-02-28 20:08:58 - machine was rebooted

ComboFix-quarantined-files.txt 2013-03-01 01:08

ComboFix2.txt 2013-03-01 00:04

.

Pre-Run: 196,321,464,320 bytes free

Post-Run: 196,272,291,840 bytes free

.

- - End Of File - - 419ED071D5C21A2D442480F8B9DD6F82


Looks good. Did you get a notice that the files were uploaded??

How is it?? Any better??

--------------------------------

Next.............

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

more-reply-options.jpg

New window that comes up.

choose-files1.jpg

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC


I'll give you clean-up instructions when we're done.

Would you like to check the system for any adware?

If so.......

Please download AdwCleaner from here and save it on your Desktop.

AdwCleaner is a reliable removal tool for Adware, Foistware, toolbars and potentially unwanted programs.

AdwCleaner is a tool that deletes :

· Adwares (software ads)

· PUP/LPI (Potentially Undesirable Program)

· Toolbars

· Hijacker (Hijack of the browser's homepage)

It works with a Search and Deletion method. It can be easily uninstalled using the "Uninstall" mode.

  1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been run, so in this case it should be something like R1.

Note:

Please look over what was found......especially any folders, we're going to permanently delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain why it shouldn't be on your system.

If not.......

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!

MrC


# AdwCleaner v2.113 - Logfile created 02/28/2013 at 20:58:54

# Updated 23/02/2013 by Xplode

# Operating system : Windows 7 Professional Service Pack 1 (32 bits)

# User : PETERS37365 - 3830-14408

# Boot Mode : Normal

# Running from : C:\Users\peters37365\Desktop\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

Folder Found : C:\ProgramData\boost_interprocess

***** [Registry] *****

Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Scheduled Update for Ask Toolbar

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v19.0 (en-US)

File : C:\Users\peters37365\AppData\Roaming\Mozilla\Firefox\Profiles\4n170zg3.default-1362094016627\prefs.js

[OK] File is clean.

-\\ Google Chrome v25.0.1364.97

File : C:\Users\peters37365\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1018 octets] - [28/02/2013 20:58:54]

########## EOF - C:\AdwCleaner[R1].txt - [1078 octets] ##########
